[acdha]

The situation doesn’t need to be as strict as #2: you could have a way for a registered service shop to get a per-device rekey by shifting some liability to them. Making it per device prevents bulk usage and an active communication with the manufacturer would mean the cops could ask the owners of a shady auto shop some questions when 80% of the stolen cars in the area are being rekeyed at a place the owners have never been to. I lost a car key once and the locksmith who showed up checked my drivers license against the title database because he could have been penalized for unlocking a vehicle without doing so - we could make the same model work electronically because while car thieves are anonymous, legitimate repair shops have a business presence and reputation to preserve. Even someone amoral isn’t going to look the other way for something which will cost them their primary revenue stream.

[kube-system]

I don't think that the dealer equipment being used to steal cars today is coming from dealers where management is knowingly engaging in car theft. It is other people who are misusing those tools. There are many hundreds of thousands of people who work at dealerships, and many do not care about their employers reputation. Also, many dealerships are broken into.

[acdha]

Yes, which is why I suggested a combination of measures to change that. An active per-device transaction would make it clear when a dealer’s access is being misused, and if it affects their business viability it would turn out that they could do a better job of controlling access. Hundreds of thousands of people work at banks, too, and many of them do not care about their employers but thefts from customer accounts are rare because the companies are incentivized to set appropriate safeguards. There’s no reason why car repairs couldn’t be the same other than that it costs more than what they’ve been doing, and there aren’t strong enough incentives for them to take on those costs.

[kube-system]

What would that look like in reality? Expecting dealerships to have the same physical security, procedures, and security vetting of a bank? There's already a shortage of workers in these roles, now we want the guys busting their knuckles on vehicle repairs to have a good credit score and good background check and perform elaborate opening and closing procedures with a buddy system? Storing tools in a vault?

I really don't see how any of this is merited or reasonable, especially when the vast majority of the cars being stolen in my neighborhood are either stolen with the keys or with a tow truck.

[jasomill]

Require resets to be initiated and authorized by the F&I department, whose security and KYC processes should already be substantially similar to those of other institutions that regularly approve $50,000+ loans.

[kube-system]

My prediction:

1. As a result, we'll see costs like losing the keys to a rental car go from a $250-500 fee to a $2500-5000 fee, due to the additional costs to process and the additional loss of use.

2. Criminal rings that steal high value cars will go from often using tow trucks, to exclusively using tow trucks.

3. The number of cars stolen via stolen keys will remain unchanged.

Yes, the key itself will be more secure, but I'm not really sure it will actually improve anything. More security is not better if the costs do not create real-world results.

[acdha]

Your second point is leaving out a lot: there’s no way adding a requirement that you have heavy equipment and a skilled operator isn’t going to reduce the number of thefts, and those trucks are in more limited supply and easier to track than a small tablet. They’re also way less stealthy so there’s a lot more time to get caught.

The third point may be true for classic theft but would not be true for the growing category of thefts caused by abusing wireless keys. If you can’t easily get a new key, the resell value for that car is going down dramatically.

[acdha]

Simply requiring the dealers to take seriously ownership validation and track which workers used the reset system (no shared logins, etc.) would do most of it.