'New Way of Stealing Cars': Hacking Them With A Laptop (marketwatch.com)
retroworks writes: The Wall Street Journal (Warning: source may be paywalled), CBS and Marketwatch all lead the morning with stories about the newest method of stealing (late model) cars. No need for hacking off the ignition switch and touching the wires to create a spark (controversial during broadcasts in 1970s television crime criticized for "teaching people to steal cars"). Thieves now use the laptop to access the automobile's computer system, and voila. "Police and car insurers say thieves are using laptop computers to hack into late-model cars' electronic ignitions to steal the vehicles, raising alarms about the auto industry's greater use of computer controls. The discovery follows a recent incident in Houston in which a pair of car thieves were caught on camera using a laptop to start a 2010 Jeep Wrangler and steal it from the owner's driveway. Police say the same method may have been used in the theft of four other late-model Wranglers and Cherokees in the city. None of the vehicles have been recovered." The article concludes with the example filmed of a break-in in Houston. The thief, says the NICB's Mr. Morris, likely used the laptop to manipulate the car's computer to recognize a signal sent from an electronic key the thief then used to turn on the ignition. The computer reads the signal and allows the key to turn. "We have no idea how many cars have been broken into using this method," Mr. Morris said. "We think it is minuscule in the overall car thefts but it does show these hackers will do anything to stay one step ahead." No details on modifying the program to run on Android or iPhone -- there's not yet "an app for that."
That you know of.
Mr. Morris said. "We think it is minuscule in the overall car thefts but it does show these hackers will do anything to stay one step ahead."
Well Mr. Morris... it's not like the auto industry is even making a serious attempt at vehicle security to begin with. It really is not hard to stay "one step ahead"... in fact the industry is really just refusing to step ahead themselves. A toddler will get farther down the road as long as they refuse to move.
Seriously, given how easy it is to get to the car's ECM, the lack of security, availability of information, and the technology, it is not surprising. A half-decent coder could probably put together the software that runs adequately on a raspberry pi, let alone a laptop -- and it would be much less conspicuous.
You can see in the video that the thief triggers the vehicle alarm, and then proceeds to work on it as the alarm is going off. That means that even old-school hot wiring would have worked. Once the thief has access to the car and plenty of time, there's nothing to prevent him from taking the car.
Sometimes I actually miss the old days.
I've spent a lot of time lately thinking about how cars are over-engineered.
I've spent a lot of time pining for the days when you could fix them with a screwdriver. Hell, when you could fix them at all.
Although I don't miss dicking around with points.
"We think it is minuscule in the overall car thefts but it does show these hackers will do anything to stay one step ahead."
And as long as you continue to identify this as a "minuscule" problem, it will earn a "minuscule" amount of attention to fix and secure.
By comparison, assault rifles account for a "minuscule" fraction of lives taken every year, and yet we have lawmakers staging sit-ins and demanding assault weapons bans in order to "make an impact". It's weird how we prioritize problems in society these days.
If someone is that good at deciphering automotive electronic systems and codes they should be selling software to allow independent shops to do that, as well as rekey keys so people don't have to spend $400 at the dealer for a new key...
I'm a consultant - I convert gibberish into cash-flow.
Will TPP restrict my ability as a vehicle owner to research my car's security systems and possibly prevent someone from wifi-jacking my car?
As I understand it, TPP makes it illegal for me to futz with the electronic ignition system.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
How long before a car can be remotely hacked and told to self-drive itself to the chop-shop? By someone in another country?
So I drive a 1996 Dodge Ram 2500 Diesel Truck with 450,000+ km that runs reliably and gets good mileage without a computer. If I park it in an area that does not seem safe I attach a club to the steering wheel. This is old school but no one is going to hack it with a laptop. Maybe get in with a bar along the window to unlock the door but not much to take or steal.
What did I miss? How is this 'a new way'?
When the owner sets up their vehicle.... have them define a passcode; much like you do for a phone. The vehicle should have sensors to detect unauthorized entry and unauthorized attempts to access diagnostic ports to plug-in a laptop.
If an unauthorized access attempt is detected when the vehicle is in secure mode, or the user is ultra-paranoid and pushes a special "Lock" button before turning off their engine..... it should put all the vehicle computers in a "Passcode" lock status which can only be released by entering the password; each intelligent component in the vehicle locking itself and not allowing an unlock without the correct passcode-derived hash being broadcast.
The passcode lock status should take actions to make sure the power systems cannot be taken out of Park/Neutral, engine control and motors or fuel injection systems set themselves into limp mode and not allow high speed operation.
There should be regular phone-home messages for tracking purposes.
Put security covers on each diagnostic access point with a lock which requires a traditional physical key that the car owner has access to; either to open the port or to enable the port.....
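An added sketch of the passcode-lock idea in the comment above (not code from the thread or from any vehicle maker): each component issues a fresh nonce and accepts only an HMAC keyed from the owner's passcode, so a recorded unlock message cannot simply be broadcast again. The `Component` class, the module name, the salt and the passcode are all hypothetical.

```python
import hashlib
import hmac
import os


def derive_key(passcode: str, salt: bytes) -> bytes:
    # Stretch the owner's passcode into a 32-byte key (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


def respond(key: bytes, component: str, nonce: bytes) -> bytes:
    # The "passcode-derived hash", bound to one component and one fresh nonce.
    return hmac.new(key, component.encode() + b"|" + nonce, hashlib.sha256).digest()


class Component:
    """Hypothetical model of one lockable vehicle module."""

    MAX_FAILURES = 5  # assumed limit; stops unlimited online guessing

    def __init__(self, name: str, key: bytes):
        self.name, self._key = name, key
        self.locked = False
        self.failures = 0
        self._nonce = None

    def tamper_detected(self) -> None:
        # Unauthorized entry or diagnostic-port access puts the module in lock status.
        self.locked = True

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # each nonce is usable once
        if nonce is None or self.failures >= self.MAX_FAILURES:
            return False
        if hmac.compare_digest(respond(self._key, self.name, nonce), response):
            self.locked, self.failures = False, 0
            return True
        self.failures += 1
        return False

    def drive_permitted(self) -> bool:
        return not self.locked


def demo() -> dict:
    salt = b"constructed-salt"                   # constructed sample value
    key = derive_key("4821-constructed", salt)   # constructed sample passcode
    ecm = Component("ECM", key)
    results = {}

    ecm.tamper_detected()
    results["locked_after_tamper"] = not ecm.drive_permitted()

    wrong = respond(derive_key("0000", salt), "ECM", ecm.challenge())
    results["wrong_passcode_unlocks"] = ecm.unlock(wrong)

    recorded = respond(key, "ECM", ecm.challenge())  # the owner's legitimate reply
    results["owner_unlocks"] = ecm.unlock(recorded)

    ecm.tamper_detected()
    ecm.challenge()                                  # new nonce for the new attempt
    results["replayed_reply_unlocks"] = ecm.unlock(recorded)
    results["still_locked_after_replay"] = not ecm.drive_permitted()
    return results


if __name__ == "__main__":
    print(demo())
```

A short passcode can still be guessed offline from one recorded challenge and reply, so this only addresses replay, not weak passcodes.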
Motherboard's "How to hack a car" from a couple years ago. https://www.youtube.com/watch?...
Police and car insurers say thieves are using laptop computers to hack into late-model cars' electronic ignitions to steal the vehicles, raising alarms
If they were raising alarms they wouldn't be getting away with it so much.
systemd is Roko's Basilisk.
Once you save that one, is it really a suicide bombing anymore?
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Yeah they're stealing all these Jeeps, but joke's on them when they think they're in park and get run over by the car they just stole.
Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
I want to see you try to hack my '95 Escort Wagon.
You are welcome on my lawn.
That means if you try to steal the car, you will need to tear out the ECU and replace it with a completely brand new factory fresh one, or a used one that comes with the original keys. Rather more complicated and quite expensive.
This implies that losing your existing keys would also be complicated and quite expensive to recover from as well. If that's the case, I would actively avoid such a system. I've never had my car stolen, but I've had to replace keys a few times in my life.
They started with a vehicle that is often mocked for changing only the very least allowed by the law (the Jeep Wrangler) and then they added all these electronics to it? Yeah, we all knew they were in trouble but this seems like an odd course for them to follow to try to right their own ship.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Go fuck yourself. Making it possible for the owner of the vehicle to maintain and/or modify it himself is never a mistake, and indeed should be made mandatory!
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
It's good to know that general purpose computers are good for something, and that there's something new beyond appy smartphone appy app apps.
Technically, yes, since you don't need a driver anymore to get the car full of C4 to the target area, so it's not a SUICIDE bombing anymore...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
What public/private key security? If you think car manufacturers bothered to implement asynchronous security, you're deluding yourself. Replay attacks work on virtually any kind of car.
Seriously, what they tout as the "new kind of electronic lock" is the electronic equivalent of the lock on your sister's diary.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
At first, there was CAN bus. Those that know this bus know well that "security" was not even an afterthought in its design. It came into existence when "board computers" were something that was carefully hidden from the car's user. Chips that controlled injection, traction, braking behaviour that needed no input from the driver. And of course security was a non-issue back then. Because, hey, anyone who could get access to those areas, hidden deeply within the car's heart and soul, could much easier fuck it up or steal it. Seriously, getting access to those early "board computer" parts meant you literally ripped the whole car apart just to gain a GLIMPSE at it.
Time went on and that "board computer" stuff got more and more pervasive. First with displays that were disconnected from the physical things they displayed, with speedometers that didn't just passively count revolutions on a wheel but an LCD that got the speed information from various sensors, same for the RPM gauge of your engine and various other tidbits, and it didn't take long until buttons on your steering wheel were added that let you control radio, air condition and mirrors.
Still not a security issue, because so far you could not affect the car from the outside. You still had to gain access to the inside of the car first before you could mess with it electronically.
Now, though, security IS an issue because the car accepts input from the outside. And that will become an even greater headache than we know now. The buses are in most implementations not separated between "mission critical" and "user leisure", or if, at a logical level only. Meaning that yes, that bus that takes your steering-wheel-button input and even handles your bluetooth is physically the same that deals with your ABS, your injection and your traction control.
I guess I'm not the only one who thinks that this MIGHT become an issue, given time. Especially considering that security that can't be tested in a crash test has not been any kind of issue with car manufacturers so far, not at all.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Why even bother with a bomb, if you can take remote control of thousands of already occupied vehicles anyway?
I wish this was just some sort of distasteful joke, but unfortunately the combination of increasing reliance on computers and horrific lack of awareness of (and/or caring about) security by auto manufacturers is starting to make that kind of attack look like a credible threat.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Sounds like a RollJam variant. https://www.wired.com/2015/08/...
Should be filed under the category "DUH!"
Have gnu, will travel.
Fine we will lock them down and lock in dealer only repairs and maintenance
Some newer cars (and even some older cars dating back to 2003) require that the ECU and ICM be replaced if you lose all keys for the vehicle - so you're looking at $150 per key, plus about $1900 to $1500 worth of computers to replace plus the labor to tear down the dashboard when those modules are installed behind the dash rather than under the hood.
Now, I appreciate a LOT of advancements in auto technology. Performance and economy have both improved (hell, some sedans can spank the hell out of my mildly-tuned ZR-1 off the line - and they are totally stock without any aftermarket tunes), safety has improved, as has pretty much everything else - except serviceability. Lots of thought has gone into cramming lots of stuff into tiny spaces, and very little regard is given to level of effort involved in replacing any of it when servicing is required. Hell, lamp replacement in some vehicles requires removal of the front bumper cover, which in turn requires removal of spoilers, inner fenders, belly pans, and so on. Replacement of heater/AC blower requires removal of about 1/4 of the dashboard, and the ECU, BCM/BCU, and other modules sometimes require total removal of the dashboard and center console. Wtf?
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
> If I park it in an area that does not seem safe I attach a club to the steering wheel. This is old school but no one is going to hack it with a laptop.
http://www.makitatools.com/en-...
Even the hardest steels might take a minute to get through. A hacksaw will also eat through it, although more slowly.
From what I've read, the hardened steel used in The Club takes a max of 15 seconds for a cordless angle grinder to take out.
No laptop required.
Then, your "old school" Dodge Ram likely requires simple manipulation of the switches on the column, which avoids the need to cut wires. The "ignition switch" key in many modern vehicles isn't a switch but operates levers which in turn manipulate the switches mounted lower on the steering column. This makes hotwiring easier as there is no guessing as to which wires turn on the pump and ECU, which turns on the starter relay, etc. - just break or remove the dashboard cover, pry up the levers the keyswitch drive, and play with the switch positions.
Having multi-factor authentication in the chain (chip in key, ICM, ECU/ECM all having the correct tokens, key code knowledge, etc.) is far better security. As this article points out it isn't perfect, but it is a good deal better than your old school truck's shitty idea of security.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
This is not so new as a few years ago a Russian syndicate had been found to be using notebooks with a radio card installed to blast BMWs and presumably other cars with remote start to get the car unlocked and started long enough to load them onto a truck.
So I drive a 1996 Dodge Ram 2500 Diesel Truck with 450,000+ km that runs reliably and gets good mileage without a computer.
So your Cummins requires 1 wire for run and 1 wire for start... It's not rocket surgery.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Three of my buddies had Dodge Lasers in the 90's. Two of them could open each other's locks and start the car with their own keys. It also worked on other people's Dodge Lasers. Dodge trucks and cars were easy to steal. Pup the night glow ring, punch the tumbler at a certain spot to pop it out and use the same screwdriver to turn the ignition on. Took about a minute.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Combine this with always-on (Tesla?) self-driving cars, and I could just summon one to my mom's basement!
The stairs might be a tad problematic.
On related news, this'd help reduce the number of victims in suicide bombings (by one, each time).
I expect it's cheaper and easier for Daesh to find gullible young Muslim men tormented by their homosexuality or addiction to porn than it'd cost to buy a fleet of self-driving Teslas.
#DeleteChrome
Replacement of heater/AC blower requires removal of about 1/4 of the dashboard, and the ECU, BCM/BCU, and other modules sometimes require total removal of the dashboard and center console. Wtf?
These things don't happen that often and they don't care about owners after the first one very much, and owners after the second one not at all. I've never seen a vehicle where you had to remove the bumper cover to replace a lamp.
I've got an A8 which is a rolling PITA, but it's interesting what is and what isn't easy to work on. The blower motor is trivial to replace as it's done from beneath the hood. I believe the heater cores require dash removal... it's either that or engine removal, I'd have to look it up. You can officially get at almost all of the climate control servos without dash removal, and unofficially get at all of them. But the heater core control valve is in a horrible location and you're supposed to remove the brake servo. If you are crafty, you don't have to do that, but the alternative is not fun either. All of the major hidden modules are trivial to access; the ABS is behind the driver's kick panel, and the PCM, TCM, and CCM are in an "e-Box" under the hood. The stereo comes out easily with fairly typical removal tools, but in order to get out the climate control module which lives right next to it out, you need to take out the floor mats and center console trim panels from both sides, remove the center vent, remove the stereo, and pull the whole center stack out of the dash including all of the big switches.
Anyway, everything continues in this vein... the intake manifold is trivial to remove but the oil cooler is a nightmare. I think the truth is that you're just running into basic limitations of what people expect and what it is reasonable to produce and assemble in the factory. There's only so much space in the car to make convenient maintenance access. On the other hand, some of it really is just bad design. I can get right at the blower motor in my F250, in my 300SD, and in my A8...
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
It would be hard for them to find any that _aren't_. It's baked into Muslim culture. Only the bottoms are gay, the tops are just normal Muslims.
Maybe 10% of muslims are purely straight, about the same % that are gay in western culture. The ones where nature outweighs nurture...
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Good luck cracking Tesla. With some 100,000 Teslas on the road, only 6 have been stolen and in every case, it required that our fobs be stolen. And if you steal one, it is not worth that much on the black market. Only Tesla does the parts and they do not buy stolen parts.
I prefer the "u" in honour as it seems to be missing these days.
You know, just thinking about it, you bring up an interesting point.
Right now, AP is actually semi-autonomous, and you have to have a certain speed to turn it on. In addition, you have to have hands on the wheel. So no, not a problem, AT THIS TIME.
BUT, the goal is level 4 autonomy. That means that get in (or put in a weight), and then order it to where you want to go, which could be as little as 1-2 miles away and it goes.
BUT, what stops them from loading explosives in the back (or even in that front seat weight)?
Nothing that I can think of.
I prefer the "u" in honour as it seems to be missing these days.
If someone wants your car they get a key, a lock cylinder and an ECU from a junkyard and bring it all with them.
Of course the '2004' part makes your car immune from professional car thieves.
Real professional car thieves just use flatbed tow trucks anyhow. Nothing can stop that.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
On newer VWs the first thing you have to do to service anything near the firewall, is move the accessory tray to the 'service position'. To do that you have to remove the front bumper cover, then pull the tray forward.
VW/Porsche/Audi seems to have settled on VW performance, Audi parts availability and Porsche cost. Reminiscent of European heaven/hell jokes.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
On newer VWs the first thing you have to do to service anything near the firewall, is move the accessory tray to the 'service position'. To do that you have to remove the front bumper cover, then pull the tray forward.
On my D2 A8 there is a similar thing called putting it in the service position. Because it has an unboltable core support and sliders for the bumper cover, when you do anything to the front of the engine it's by far easiest to remove everything (all the lines which aren't radiator hoses are on one side) so that you can work right on it, especially if you're doing a major job like the timing belt. It's technically possible to do without doing this, but it's frankly trivial and so it's the way it's done.
VW/Porsche/Audi seems to have settled on VW performance, Audi parts availability and Porsche cost. Reminiscent of European heaven/hell jokes.
At least it's not Mercedes-Benz parts and service. That really would be hell. I can actually get most of the parts for my car. Big stuff I have to get used, but all the fiddly special fasteners and seals I can get from VAG.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I expect it's cheaper and easier for Daesh to find gullible young Muslim men tormented by their homosexuality or addiction to porn than it'd cost to buy a fleet of self-driving Teslas.
Even if somebody gave them the self-driving cars, they would probably still include some suicide bombers for social reasons, and just in case the targets figure out some trick to reset them to manual mode.
You don't consider a vastly reduced chance of being seen at the site of the bombing by either witness or camera to be a positive for the bomber?
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
.. or summon twenty to block someone else's basement accessway.
Other bombers would see it as a serious disadvantage. If your aim is to be SEEN to be performing a mass killing, then this would not be desirable.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
In fact it is a complicated and expensive thing if you lose all your keys to the car.
That's a serious problem. Those keys with embedded transponders already make it difficult and expensive to even make a copy of your key for storage. It seems crazy to make that situation even worse.
I like to think of it as a good value in that if it costs me that much, it costs the criminals that much as well.
Fair enough. Obviously, I take the opposite point of view. It dramatically reduces the value of the vehicle to me, and is a strong reason to avoid purchasing such vehicles.