Forget crowbars, all car thieves need is a laptop to steal a car – Business Insider
Stealing a car no longer requires a pry bar and an understanding
of how to rewire an ignition. Increasingly, it seems, all a
criminal needs is a laptop.
Hackers have shown that they can take remote control of a Jeep Cherokee while
someone is driving it.
That means they could, in theory at least, cut the engine or
brakes while the car was in motion.
But there’s now a more fundamental problem for car owners, and a
more attractive proposition for criminals: high-tech theft.
Earlier this year, a video was published online that showed a
pair of car thieves using a laptop to steal a 2010 Jeep Wrangler.
The hack that they used hasn’t been described in detail, though
it’s not thought to be related to another hack of a Jeep Cherokee
While the technique does appear to require that the criminals
break into the car and physically connect a computer to
its internal systems (it’s not clear via which kind of
interface), once they’re in, thieves can get the car started
without a key.
And it’s been working pretty well for them. Autoblog reported that a pair of hackers
were arrested in Houston recently for using the approach to
steal more than 30 Jeeps over a six-month period. Fiat
Chrysler Automobiles, Jeep’s parent company, is believed to be
investigating over 100 vehicle thefts that were carried out
recently using similar methods.
Those numbers may yet rise further—much further. Computer
scientists from the University of Birmingham, U.K., have
announced details of a new wireless hack that can be used to
unlock almost every Volkswagen group car sold since 1995.
Their technique—which can be performed using a
laptop and software-defined radio or a $40 handful of
off-the-shelf electrical components—can be used to re-create the
unlock signals sent by a driver’s key fob.
via MIT Technology Review
The team has explained to Wired that it
reverse-engineered the code in Volkswagen’s security systems in
order to identify cryptographic keys used to encode those unlock
To their surprise, the team found that just four different
cryptographic keys are used for as many as 100 million
After capturing another cryptographic key from the signals
sent as a driver unlocks the car door, the researchers can
combine the two numbers to unlock the target vehicle themselves.
The team points out that some of Volkswagen’s latest vehicles,
including the Golf 7, use a more robust security system, where
both cryptographic keys are unique to each vehicle.
Criminals also have to be within 300 feet of vehicle they’re
seeking to steal. But given that the flaw affects virtually every
Volkswagen group car sold in the last 20
years, including those made by Audi and Škoda, it’s still a
Details of the reverse-engineering involved in the study haven’t
been published, but you can bet that other criminals will be
seeking to find out the secrets for themselves.
Cars are increasingly being developed by software engineers
as well as mechanical engineers. As vehicles become more
computerized and connected, the threat posed by computer flaws
could get far worse. While neither of the latest hacks exploit
the use of a car’s Internet connections, it’s easy enough to
imagine similar, potentially more serious problems also plaguing
vehicles (such as the Tesla fleet, for example) that
use cellular networks to access data and updates from the Web.
Automakers appear to be taking the issue seriously. GM CEO Mary
Barra recently declared automotive cyber
incidents “a matter of public safety,” explaining that “whether
it is phishing or spyware, malware or ransomware, the attacks are
getting more and more sophisticated every day.”
The Alliance of Automobile Manufacturers and the Association of
Global Automakers have also released new best practices on
automotive security, which include recommendations about digital
vulnerabilities. But the car industry moves at a very different
pace from that of the technology sector, and cars yet to
roll off the production line are likely to remain vulnerable
to hacks for some time to come.
So far it’s unclear what Fiat Chrysler and Volkswagen will do
about the flaws that put their vehicles at risk of theft.
Last year’s remote-control hack of a Jeep Cherokee resulted in a
recall of 1.4 million vehicles. It won’t be the last.