
Doesn't the car lock you out after too many failed attempts?

If they don't, these keyless entry pads have just set back car security by about 15 years.




If they did, you can bet people would stir up trouble by just wandering through a parking lot locking everyone out of their cars.

The better fix would be a substantial cooldown (maybe a minute's worth) after inputting a failed code, which would be sufficient to ward off a brute-force attacker while still allowing the owner access even if they miskey it a few times.


The trouble is they're working with a very limited UI.

Lockout after X attempts (as another comment mentioned) is a terrible idea, because that makes it a simple DoS mechanism.

But forcing a delay, for example, is tricky -- how do you notify the user that they're in a delay period? Or when the delay period has ended and they can try again after a mis-key?

There don't even seem to be LEDs to work with... If the keys light up, that's easier (e.g., flash the key lights for 10 seconds if they enter a wrong code before they can start over).


Sounds like it doesn't only let you try again, it actually only checks if the last [password length] numbers match the password (that's why he can compress it into one long number).


Right, even removing that flaw would make it closer to two hours than 20 minutes (although half that to get in on average). Significantly less if you leave finger smudges on the keys though.

That said, agreed with the above: anywhere someone fiddling with the lock for 20 minutes would go unnoticed, a brick would go unnoticed too. I highly doubt a car has even been stolen through hacking the keypad lock in this manner.


"Significantly less if you leave finger smudges on the keys ..."

Those that I have seen have this plastic covering that allows some tactile feedback (a small pop under the finger). And people are lazy and don't change codes. So the plastic wears and even comes off, leaving the silicone exposed on the numbers that are used. Well beyond smudges, and much shorter than this 20 minute code.
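
The two keypad behaviours discussed in this thread, matching the last digits of a continuous stream versus fixed-length attempts with a cooldown after a miss, modelled side by side. This is an added example, not code from any commenter or manufacturer; the class names, the 4-digit code, the 10-key pad and the 60-second cooldown are all assumptions chosen for illustration.

```python
from collections import deque

class SlidingWindowKeypad:
    """Flawed behaviour: unlocks when the last len(code) presses match."""
    def __init__(self, code):
        self.code, self.unlocked = code, False
        self.window = deque(maxlen=len(code))

    def press(self, digit, now):
        self.window.append(digit)
        self.unlocked |= "".join(self.window) == self.code
        return self.unlocked

class CooldownKeypad:
    """Fixed-length attempts; a miss clears the buffer and starts a cooldown."""
    def __init__(self, code, cooldown_s=60.0):
        self.code, self.cooldown_s, self.unlocked = code, cooldown_s, False
        self.buffer, self.locked_until = "", 0.0

    def press(self, digit, now):
        if now < self.locked_until:
            return self.unlocked          # presses during cooldown are dropped
        self.buffer += digit
        if len(self.buffer) == len(self.code):
            if self.buffer == self.code:
                self.unlocked = True
            else:
                self.locked_until = now + self.cooldown_s
            self.buffer = ""              # never carry digits into the next attempt
        return self.unlocked

def feed(keypad, digits, start=0.0, interval=0.5):
    """Press each digit `interval` seconds apart; return the final lock state."""
    for i, d in enumerate(digits):
        keypad.press(d, start + i * interval)
    return keypad.unlocked

def worst_case_seconds(keys, length, cooldown_s):
    """Time to exhaust the code space when every wrong code costs one cooldown."""
    return (keys ** length - 1) * cooldown_s

if __name__ == "__main__":
    CODE = "3142"                         # constructed sample code
    print(feed(SlidingWindowKeypad(CODE), "93142"))   # stray leading digit still unlocks
    pad = CooldownKeypad(CODE)
    print(feed(pad, "93142"))                         # miskey: rejected, cooldown starts
    print(feed(pad, CODE, start=62.0))                # owner retries after the cooldown
    print(worst_case_seconds(10, 4, 60.0) / 86400)    # days to exhaust the code space
```

The cooldown design never locks the owner out permanently, which is the denial-of-service concern raised against a hard lockout, and it needs no display: presses during the delay are simply ignored.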



