
Thieves using laptops to hack into and steal cars

The theory: raise the hood, cut the alarm, jimmy the door, and use a laptop to hack the car's computer so it recognizes a signal sent from another key fob.

Say you’re planning to hot-wire a car.

You’d likely bring some tools: maybe a screwdriver, or a drill.

You sure wouldn’t bring your laptop, says Senior Officer James Woods, who’s logged 23 years in the Houston Police Department’s auto antitheft unit. After all, laptops aren’t particularly useful for stripping wire.

But that’s exactly what CCTV footage has picked up in recent car thefts, as the Wall Street Journal reports: a pair of car thieves caught on camera in Houston as they used a laptop to start a 2010 Jeep Wrangler and steal it from the owner’s driveway.

Here’s what Woods told the WSJ:

“We don’t know what he is exactly doing with the laptop, but my guess is he is tapping into the car’s computer and marrying it with a key he may already have with him so he can start the car.”

As the surveillance footage shows, a man walked up to the Jeep and opened its hood – likely to cut the alarm, Woods said.

Next, the car door was jimmied open. Some 10 minutes into the theft, another man entered the Jeep with a laptop.

After he worked on the laptop for a while, the home security video shows him backing the car out of the driveway.

Roger Morris, Vice President of the National Insurance Crime Bureau (NICB), an insurance-industry group that tracks car thefts across the US, said his organization is beginning to see police reports that tie newer-model auto thefts to what it calls “mystery” electronic devices.

The Houston car thieves “are using dealer tools to marry another key fob to the car,” suggested Titus Melnyk, Fiat Chrysler’s senior manager of security architecture for North America.

For example, somebody with access to a dealer website may have sold information to thieves allowing them to get hold of some sort of “key reset” codes for selected vehicles.

Houston police told the WSJ that this method may have been used in the theft of four other late-model Wranglers and Cherokees in the city.

Expect more of the same, be it this or other techniques, as car technology becomes ever more advanced.

Security researchers have been able to take over cars remotely because automakers don’t always do a good job at limiting how car systems interact with wireless communications.

What’s more, even cars that aren’t internet-enabled can be taken over via third-party devices that introduce connectivity, such as through the diagnostics port.

Remote exploits have included security researchers Chris Valasek and Charlie Miller taking over a 2014 Jeep Cherokee, controlling the car’s brakes, accelerator, steering and more by wireless connection: a demonstration that resulted in more than 1 million Fiat Chrysler vehicles being recalled for patching about a year ago.

We’ve also seen surveillance footage that shows thieves apparently stealing a car by using a signal booster to fool it into thinking its owner was nearby. If the theft had in fact gone the way security researchers had mapped out, the car would have unlocked its door and even started up for the thieves.

And that is why it’s a good idea to stash your wireless key fob behind the pork chops!

Technological advances in car systems have far outstripped the industry’s speed in finding and securing the security holes they usher in.

Last year was the year of hackers taking over newer model cars, sending them careening into ditches.

This is the year that we’re supposed to see automotive cybersecurity issues addressed: at least, that’s what the US’s top auto safety regulator pledged in January.

And according to the WSJ, it is in fact happening, at last: auto industry trade groups are now working on best practices for safely introducing new technologies.

There’s also now a way to share information on cyberthreats and cybercrime prevention technologies: created by the Alliance of Automobile Manufacturers and the Global Automakers Association, it’s called the Auto-Information Sharing and Analysis Center (Auto-ISAC).

And if you want to buttonhole the automaker people who are grappling with cybersecurity in high-tech cars, be aware that a bunch of them will be gathering at the inaugural Global Auto Cybersecurity Summit in Detroit later this month, including Toyota Motor Sales CISO Bently Au and Mary Barra, Chairman and CEO of General Motors Company.

15 Comments

Something’s not worded quite right. Thieves don’t need to buy a VIN for a vehicle they want to steal. It’s printed and visible from outside the vehicle.

Reply

Rewritten for clarity, thanks. You’re right: the VIN is not a secret so you wouldn’t need to “buy” it.

Reply

What bothers me about the authenticity of this video is the lack of light from the suspect’s laptop screen once the vehicle’s interior light goes off. Yes, the brightness could have been lowered but there doesn’t seem to be any light at all coming from the screen.

Reply

Eerie. I’m also from Houston and also drive a 2010 Jeep Wrangler. Mine’s a green two door rather than this guy’s red four door. That is an upscale part of Houston with expensive townhouses all over the area.

This model Jeep is prior to all the computerization of today’s vehicles. The only thing that the computer would be needed for would be to override the system that matches the RFID chip embedded in the key to the ignition.

Reply

I’ve never used remote keys, originally because they’re too bulky in the pocket. They’ve always struck me as an unnecessary pinky-in-the-air lazy convenience. Of course in more recent years we’re seeing risks that would boggle the minds of the first people to realize “hey wow–what if we had seat belts?”

Now that vehicles are officially in the IoT category (no turning back now), I hope the Detroit summit gives us more hope for remaining safe and retaining property than higher prices for “nifty neato wowza.”

Reply

It seems to me that it should be a simple matter to find where the leak originated:

The request was made using the VIN. It was also made using credentials. All they have to do is find out what credentials were used to get the special code, and then they know all they need to know to shut the thieves down.

Then they could also go to the dealer who leaked the credentials and get their processes fixed.

Conspicuously absent from the manufacturer is mention of these critical details. It implies Chrysler isn’t taking the breaches seriously enough.

Reply
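The audit trail check described in the comment above, sketched as an added example that is not part of the original article or its comments: it joins key-code lookups against theft reports and flags credentials that looked up several vehicles shortly before they were stolen. The log layout, credential names, VINs and thresholds are constructed placeholders and assumptions, not any manufacturer's real format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: hypothetical audit log of key-code lookups
# (timestamp, credential id, VIN). All values are invented placeholders.
KEY_CODE_REQUESTS = [
    ("2016-05-01T09:12:00", "dealer-A/tech01", "VIN-PLACEHOLDER-0001"),
    ("2016-05-03T22:40:00", "dealer-B/svc07", "VIN-PLACEHOLDER-0002"),
    ("2016-05-10T23:05:00", "dealer-B/svc07", "VIN-PLACEHOLDER-0003"),
    ("2016-05-11T10:30:00", "dealer-C/parts2", "VIN-PLACEHOLDER-0004"),
    ("2016-05-20T21:55:00", "dealer-B/svc07", "VIN-PLACEHOLDER-0005"),
    ("2016-01-02T11:00:00", "dealer-A/tech01", "VIN-PLACEHOLDER-0003"),
]

# Constructed theft reports: VIN -> time the theft was reported.
THEFT_REPORTS = {
    "VIN-PLACEHOLDER-0002": "2016-05-05T06:00:00",
    "VIN-PLACEHOLDER-0003": "2016-05-12T07:30:00",
    "VIN-PLACEHOLDER-0005": "2016-05-22T08:15:00",
}

def suspicious_credentials(requests, thefts, window_days=14, min_hits=2):
    """Return {credential: [stolen VINs]} for credentials that requested a key
    code within window_days before the theft of at least min_hits vehicles."""
    window = timedelta(days=window_days)
    theft_time = {vin: datetime.fromisoformat(t) for vin, t in thefts.items()}
    hits = defaultdict(set)
    for ts, cred, vin in requests:
        stolen_at = theft_time.get(vin)
        if stolen_at is None:
            continue  # vehicle was never reported stolen
        asked_at = datetime.fromisoformat(ts)
        # Only lookups shortly *before* the theft are relevant; an old service
        # visit or a post-theft replacement-key request is not.
        if timedelta(0) <= stolen_at - asked_at <= window:
            hits[cred].add(vin)
    # A single hit can be coincidence; repeated hits point at one credential.
    return {c: sorted(v) for c, v in hits.items() if len(v) >= min_hits}

if __name__ == "__main__":
    flagged = suspicious_credentials(KEY_CODE_REQUESTS, THEFT_REPORTS)
    for cred, vins in flagged.items():
        print(cred, "->", ", ".join(vins))
```

The time window and the minimum hit count keep a routine service lookup months before a theft from implicating a legitimate dealer account.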

There is a grey market for non-dealer OBD tools that are based on the same access used by the legitimate tools. Due to weaknesses in the designs, there are a range of options to recover some vehicle security codes from the cars themselves rather than needing a network connection to the manufacturer’s database.

I can only guess the car in this story was a ‘keyless start’ type and that is why the door needed forcing open – if they had gone equipped with manufacturer provided information, they could have had a key blade cut to a pattern and then used the security code to marry it to the car in order to disable the immobiliser.

As said above, the VIN is on display from outside the vehicle, write it down and get your unscrupulous dealer to provide the car data, someone on ebay to cut a key to the number and a tool (ebay again) to programme it.

Reply

No steering column lock?

Reply

Unless it was a mechanical lock (linked physically to the key lock), it wouldn’t matter. A solenoid-actuated steering column lock could be overridden right along with the ignition and whatever else.

Reply

If the car has automatic locks and keyless start, it’s pretty easy to attach an antenna to a laptop and relay the signal from the vehicle to the key fob located inside the house. Just walk up to the car, it finds the fob in the house and unlocks the door and starts the car. After the car is started, it doesn’t check for the fob again unless it is a BMW or Mercedes. Then you can always make a new key (in China) after you have the car.

Reply
