Multiple burglaries using keyless entry with keypad code

[ECharge729]

Car: Mach-E AWD Premium Extended Range (2023)

I had my car opened and searched for valuables twice within a single week without any damage done to it, living in an apartment complex with an underground parking.
The culprit definitely knows my factory code which I know I can't change or delete. It's also not possible to disable the keypad completely. Contacted Ford's customer support and was told something like: "if they guessed your factory code, the joke is on you - please contact the police because you won't hear anything else from our end".

This keypad only has 5 buttons, so there is only 3125 unique combinations which is insane given that you can make 7 attempts with just a fixed 1-minute lockdown interval - you only need about 8 hours to go through ALL the potential combinations with the car not notifying the owner about scanning attempts, having additional personal codes will greatly cut down the time needed to guess one of the codes.

That's why I was wondering if anyone tried physically disconnecting/removing the keypad at maybe a Ford's service center? Or would it be possible for Mach-E owners to get Ford to address the issues with the keypad?

UPDATE from 2024/08/05 for people who do not want to read the full thread:

• The car is 10 floors of concrete and steel apart from the apartment with walls being so thick that just one completely kills off all BT connections. You can think that the car is in the nuclear war bunker, completely off the grid - no mobile network, no Wi-Fi, no anything.
• I have never used my car's keypad, so the chances of somebody seeing me do that are at ZERO.
• I didn't have my factory code card to begin with, it has been lost by the dealership when they were transferring this car from one location to another, it was roughly a year ago, on purchase. I have only learned my factory code after the burglaries by using the two key fob trick.
• I am that paranoid freak who double-verifies my "walk away" lock actually triggered before losing sight of my vehicle, so no, the car is definitely locked when those burglaries happen.
• Just in case, I am not saying it was a professional thief who punched codes for 8 hours in a row in my case, I am only saying that going through all the potential combinations would take just 8 hours which I am not comfortable with for a code that gives somebody access to my car for the lifetime.
• I am assuming that the culprit knows my factory code because I tried accessing my vehicle without my key fob and the keypad is the only thing that actually works, at least in theory.
• If the perpetuator had a technology that allows to copy, analyze and imitate key fob signals, then I doubt they would search the vehicle regularly, taking some shitty sunglasses and gum. In that case, they would probably take the vehicle instead.

Sponsored

 

[phil]

I would not spend 8 hours punching numbers on a car owner's keypad for the chance to search a few times for stealable valuables that might or might not be inside.

2 hours? OK, maybe I would...

 

[ECharge729]

I would not spend 8 hours punching numbers on a car owner's keypad for the chance to search a few times for stealable valuables that might or might not be inside.

2 hours? OK, maybe I would...

I honestly don't believe it's the right argument to make here as it does not solve the problem or answer questions in the post ?

8 hours is only needed if you want to go through literally ALL available combinations. If you only wanted to spend 2 hours, you could still go through 25% of those which has a pretty good chance of guessing someone's factory code in my book.

Moreover, you are not trying to guess the code for a chance to search the car a few times. You are guessing this code for a chance to have unlimited access to the car without the owner ever knowing about scanning or accessing the car in future because the factory code cannot be changed or disabled and because the car would not give owners any notifications or store any access logs.

 

[phil]

I honestly don't believe it's the right argument to make here as it does not solve the problem or answer questions in the post ?

Honestly, I am not a car thief, so my post was facetious. But I do think it's a helpful argument. If I were a professional car thief, I would certainly not spend two hours committing a crime, gambling that it might get me into the car but knowing my chances were only one in four. Good thieves are smarter than that. They might peek and get your code that way, but they will never spend hours punching numbers. The larger point is that few Ford owners would bother to disable the keypads.

As to your question about car owners - let alone just Mach-E owners! - could get Ford to address your keypad concerns, well, I kind of assumed you were kidding with that one. The direct answer is no, that will not be happening any time soon.

 

[Wallie]

It has to have a fuse somewhere..

 

[JohnFoxeSheets]

How close do you live to the parking garage in your apartment building? My guess is that your phone RF signal is bouncing around such that the perp is simply opening the door or that you'r the victim of a Bluetooth relay attack. If you've not already done so, I suggest you leave you phone where it likely would have been during the time when the perp accessed your car and see if you can open the car door. On the other hand, it is possible to make Bluetooth relay devices that capture the BT signal from your phone and relay it to the car. While there are methods to minimize this risk that could have been built into the car, it is my understanding that for whatever reason Ford hasn't done that.

(Yes it's theoretically possible that someone might try to exhaustively search for the factory code, but for the reasons mentioned by @phil realistically the likelihood of that is very, very low.) In contrast a Bluetooth relay attack would be essentially instantaneous.

How can one protect against either of the above issues? Do any of the following while at home: kill FordPass, turn off Bluetooth on your phone, put your phone into a faraday bag.

Lastly, though maybe less likely in this case, key fob relay attacks are also possible. Luckily those can be easily thwarted by putting your fob in a faraday bad while at home. But sure to seal the bag as you need it to block all RF.

 

[Sikkun]

I would not spend 8 hours punching numbers on a car owner's keypad for the chance to search a few times for stealable valuables that might or might not be inside.

2 hours? OK, maybe I would...

Think I’d just use a brick before I hit 2 hours.

 

[Kamuelaflyer]

If you only wanted to spend 2 hours, you could still go through 25% of those which has a pretty good chance of guessing someone's factory code in my book.

The car locks you out after 7 failed attempts. You’re locked out for 1 minute. Wash, rinse repeat. Random number entry will take a fair bit of time.

It’s much more likely to be a relay attack or a case of the fob or PAAK phone being too close to the car.

 

[Valkyrie]

Faraday Box away from front door or front facing walls...

 

[Space_Pony]

I knew a guy that lived in town without a garage and he said that he kept nothing in the car and left it unlocked so he didn't wind up with a broken window. I don't know of a way to keep a mme unlocked but make sure that nothing is visible to a thief.

 

[Mach1E]

This isn’t how thieves break into nor steal cars.

You are trying to prevent something that isn’t going to happen.

Much better to focus on real threats.

An equivalent (unnecessary) fear would be asking how to secure your roofline so thieves cannot cut a hole through it and climb from your attic into your house. (Yes anyone with tools could do this).

But why would they? There are so many easier ways to break in to a house.

The same is true for your car.

They don’t know your factory code. They likely used a repeater.
https://www.macheforum.com/site/thr...time-since-8th-april.36317/page-4#post-805079

 

[Tom L]

Car: Mach-E AWD Premium Extended Range (2023)

I had my car opened and searched for valuables twice within a single week without any damage done to it, living in an apartment complex with an underground parking.
The culprit definitely knows my factory code which I know I can't change or delete. It's also not possible to disable the keypad completely. Contacted Ford's customer support and was told something like: "if they guessed your factory code, the joke is on you - please contact the police because you won't hear anything else from our end".

This keypad only has 5 buttons, so there is only 3125 unique combinations which is insane given that you can make 7 attempts with just a fixed 1-minute lockdown interval - you only need about 8 hours to go through ALL the potential combinations with the car not notifying the owner about scanning attempts, having additional personal codes will greatly cut down the time needed to guess one of the codes.

That's why I was wondering if anyone tried physically disconnecting/removing the keypad at maybe a Ford's service center? Or would it be possible for Mach-E owners to get Ford to address the issues with the keypad?

Thinking like a police officer, I would check to see if other vehicles in this parking area were unlocked. If yes, that would indicate they have a device. If no—and this Mach E was the only one and it was unlocked multiple times—that suggests the perp knows the owner‘s code or this car is easily compromised. The frequency and number of cars unlocked is an important factor.

 

[OH2AZ2OH]

I don't know of a way to keep a mme unlocked

Wait, what? Disable walk away lock, don't lock it manually.

 

[Mach-Lee]

The culprit definitely knows my factory code which I know I can't change or delete. It's also not possible to disable the keypad completely.

How did you arrive at this conclusion? Did you leave the card with the code on it in your glovebox? More likely your car is within Bluetooth range of your phone, or he is possibly unlocking it remotely with your FordPass credentials.

 

[Schmedlack]

I would like to use a "list" of keypad codes. Example - 16 sequential unlocking codes with each used one at a time. (Thus, each 5 digit code will be used every 16th time). All we would have to do is remember the codes and also remember the one we used last. This wouldn't be any more time consuming than using a single code over and over. After this is set up, PAAK and keyfob entry could be disabled. If we wanted the keyfob to be used for entry again, a special code using 10 (or more) digits could reactivate the keyfob.

Sponsored