-1

Why do car makers rely on physical start keys, which can be stolen by home burglars and then used to start the vehicle? Why don't they use more secure methods such as a personal PIN, or a pin code to unlock the private key which could be stored as a token in the car key?

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179
Christian
  • 265
  • 1
  • 3
  • 7
    Car security is actually very good. A key is much more secure than a pin, so I think your question may be misguided. – Rory Alsop Jul 18 '13 at 19:09
  • 1
    @RoryAlsop is exactly right. Physical security mechanisms are typically significantly more secure than electronic mechanisms. Home burglaries turned to car theft is actually a pretty remote threat, but Google the keyless thefts of BMWs to see that purely electronic countermeasures often aren't sufficient. – Xander Jul 18 '13 at 19:20
  • 2
    This question appears to be off-topic because it is about general security, not IT security. – AJ Henderson Jul 18 '13 at 19:23
  • 1
    This has been discussed a lot, and as far as I can tell it's on topic: http://meta.security.stackexchange.com/questions/1312/it-security-or-security-only – John Deters Jul 18 '13 at 20:00
  • @JohnDeters - The conclusion I got out of that meta post you're linking to is that this is an Information Security site, not security in general. Question regarding what weapons are suggested guards carry are certainly off-topic, but it would be a question about security, and I believe the same goes for this one. – TildalWave Jul 18 '13 at 20:15
  • How about an user optional pin lock/unlock then in addition to the key? Ie you are going on vacation but are leaving the car behind, you do additional lock down? – Christian Jul 19 '13 at 06:24

5 Answers5

7

There are cars with PIN codes (which must usually be entered in addition to using the car key). I have seen several. However, users forget PIN codes, then become irate; that's bad for business. Users also keep forgetting where they last put their car keys, but, for some psychological reason (probably related to the fact that keys are tangible objects), users believe that mislaying their car keys is their fault, so they become less irate, and business is not impacted.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Or the fine Oregon Weather penetrates the keypad leaving the customer ticked. It's been done before, nothing new and didn't enhance the customer experience once the novelty faded. (never lose your key again vs oh crud, what's the new number I changed it to). And for any wisenheimer objections to the external keypad. It's to stop the person from entering the car, physical entry is like physical server access, game over once accomplished. – Fiasco Labs Jul 19 '13 at 04:15
4

A key is a key, whether it's mechanical or electronic. Think of it as a token that represents the authority to operate the car. It's something you have. A PIN is another way of saying password. It's something you know.

So you're really asking "why don't we use two-factor authentication in cars?"

The answer is part history, part convenience, and part value.

Historically, it's only been fairly recent that car electronics have become cheap, ubiquitous enough, and reliable enough to enable password entry. We're obviously there now, but for the previous hundred years, keys alone have secured our vehicles. It never made much sense to add a password. Door locks on luxury cars have long used PINs to permit keyless access to the vehicle, enabling a driver to hide a key inside the locked vehicle. But the key remained the only means of starting it.

As a matter of convenience, keys are easy to use, easy to understand, easy to share, and quick to operate. In most vehicles, the key does double duty, rotating the lock and serving as the handle to operate the ignition switch. Keys nicely fit the model of humans. PINs, on the other hand, are slow to enter. They remind people of frustrations at ATMs and computers. People fear they can be forgotten. And they can't easily be shared with people you don't trust. That's a big one - even if the car lets you create a valet PIN, it's not every day you would use it, so on the rare occasion you need it you might fear forgetting how to do it.

Value-wise, the real question is what incentive would people have to even want a PIN in their car? Keys seem to work very well for people today. Cars with keys alone are insurable, so keys alone are good enough security for the insurance companies who bear the risk of loss by theft.

John Deters
  • 33,650
  • 3
  • 57
  • 110
2

Ease of Use

The more secure something is the more difficult it is to use. Entering a unique 12 digit code to start a car is less convenient than turning a key. If you want to make your car difficult to be used by anyone else you have to make it difficult for yourself as well.

Theoretics

Yes, a home burglar could take your keys and steal your car. However, a burglar won't break into your house just to steal your keys.

Existant Security Systems

My car has a removable device under the steering wheel. When removed the car won't even try to start regardless if turning the ignition or hot wiring.

eazimmerman
  • 121
  • 3
  • 6
    I can assure you that some people would definitely break into a house **just** to steal car keys. – Simon Jul 18 '13 at 19:29
  • 1
    @Simon I agree, but the incidence is exceedingly rare, which has to factor into the risk calculation. – Xander Jul 18 '13 at 19:35
  • @Xander, what about the incidence of people who break into houses to steal anything they can find, but then find car keys? –  May 22 '14 at 14:28
2

Simple, it doesn't add any practical security. People keep their keys with them, therefore, if someone wants to steal the car, it just becomes a violent crime with the addition of a PIN. If you are out of the house, the car and keys are with you, if they steal the key off your person, they won't know which car it goes to unless they watched you get out of it. If they break in to your house while you are home, they can threaten you for the PIN.

So we don't get much of a meaningful security gain, but we do have a significant added cost of usability. Now every time you want to start your car, you have to enter a code instead of just turning it on and going. This is why wireless keys are becoming popular where you just push a button and don't have to even do anything with the key.

Also, many (maybe even most now) car keys do use more than just physical coding. They often transmit electronic information to the car that is critical to the ignition starting. This prevents a simple copy of the key from working and requires that the actual key be taken.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
1

Most simply because cars are generic devices designed to be driven by whatever human is appropriate and available, without account setup being necessary.

You will note that some areas of access control do exist. Valet keys are the most obvious; a key that permits driving without granting access to the trunk. No one really wants to be setting up Valet pins, though. Alternately any pin-based vehicle is easily stolen using 1234. And I would be interested to know if any of the newer complex dashboard computers accept "login" for personalization purposes.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198