Slashdot Mirror

← Back to Stories (view on slashdot.org)

Car Thieves Arrested After Using Laptop and Malware To Steal More Than 30 Jeeps (abc13.com)

Posted by BeauHD on from the modern-day-hot-wiring dept.

New submitter altnuc writes: Two thieves in Houston stole more than 30 Jeeps by using a laptop and a stolen database. The thieves simply looked up the vehicles' VIN numbers in a stolen database, reprogramed a generic key fob, started the cars, and drove away. Chrysler has confirmed that more than 100 of their vehicles have been stolen in the Houston area since November. Chrysler/Jeep owners should always make sure their vehicles are locked! The Wall Street Journal issued a report in July with more details about how hackers are able to steal cars with a laptop. The whole process takes roughly 6 minutes. CrimeStopHouston has posted a video on YouTube of one of the thieves in action.

40 of 215 comments (clear)

  1. I'm not a car guy by rsilvergun · · Score: 2

    but is there a reason it's so easy to reprogram the key fobs to start a car? I mean, my bloody credit card has a chip in it for Pete's sake and I got it free with my account. Heck my crummy bank card has one.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:I'm not a car guy by flyingfsck · · Score: 5, Funny

      When key broke, it took the dealer a week to update their Windows PC, get the proper software and program a new key, so I guess a thief could really do it in about 5 seconds...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:I'm not a car guy by ArchieBunker · · Score: 2

      Neither of you have a clue what you're talking about. They started doing rolling codes now but the list isn't that great so you can still brute force things with an HackRF. And no those keyfobs aren't easy to program or clone. Do you know the most popular stolen car is still 90s Hondas? Rarely do newer cars get stolen anymore. Now its all about factory wheels that cost $2k each to replace.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    3. Re:I'm not a car guy by mjwx · · Score: 2

      but is there a reason it's so easy to reprogram the key fobs to start a car? I mean, my bloody credit card has a chip in it for Pete's sake and I got it free with my account. Heck my crummy bank card has one.

      Usually they aren't. What they're doing here is essentially cloning key fob's from a master.

      If you lose all your keys, the only way to replace them is to replace the entire locking system as you cant clone keys from the system in the car. It's a bit like PKI, the car contains the public key, the fob contains the private key.

      Of course this is Fiat-Chrysler we're talking about here, so the security is likely to be designed by drunken monkeys.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    4. Re:I'm not a car guy by ChumpusRex2003 · · Score: 2

      I don't know what the current auto security tech is, but proper PKI was shunned for a long time. Possibly for reasons of key battery life, or silicon IP costs.

      I wouldn't be surprised if current systems are using techniques like HMAC, where both the car and the key use a pre-shared key. In this case, the factory keeps a copy of the database matching VINs to private keys. This allows a dealer or authorized locksmith to either order a new pre-programmed key from the factory, or possibly request the key for field programming a new key. Of course, if that database gets compromised....

      If a proper PKI system was used, then it would be possible to program the car to a new fob, by having the fob transmit its public key to the car, and having the car add it to the authorization database.

    5. Re:I'm not a car guy by Lumpy · · Score: 2

      To make dealerships more money.

      BMW makes 10 keys for your car when it's made. when you lose all 10 keys, the dealership is required to point and laugh at you while live streaming to youtube.

      It takes a few days for the key to arrive for your car, It's part of the punishment for being a dimwit and losing all your sets of keys.... because your car was sold with 3 freaking sets.

      Note: if you buy a used bmw and they dont hand you all 3 sets, the previous owners are scumbags, or the dealership is a scumbag. They "found" my extra 2 sets when I said.. "nope, no deal. I dont want to buy a car that someone else has a key to."

      Suddenly the dealer found the other set and the valet key.

      --
      Do not look at laser with remaining good eye.
    6. Re:I'm not a car guy by gweihir · · Score: 2

      Yes, there is a reason: It costs money to make them more secure! And since management bonuses are more important than having a good product, you can imagine how that decision went. It is something you run into time and again in the security-space: Management deciding on cheaper-than-possible solutions that do not get the job done anymore in order to safe money that then goes to them. Just think of the Takata Airbag Recalls, the problems with car doors opening, the problems with borked ignition, etc. All of these are minor savings, but the non-engineer idiots in charge want these as they improve the quarterly results.

      Unless we get personal civil and criminal accountability for such bad management decisions, nothing is going to change. Of course, a small part of these decisions are honest mistakes. In this case it is necessary to establish whether due diligence was followed (e.g. were independent experts consulted if the situation was not clear and the item was obviously safety/security-critical). But most will be due to decisions made to save a penny where it was pretty obviously not a good idea to do so or cases were non-expert management made a technical decision that should have been made by an expert.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:I'm not a car guy by BarbaraHudson · · Score: 2

      This is neither new, nor restricted to jeeps. Even premium brands such as BMW are just as vulnerable.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    8. Re: I'm not a car guy by dgatwood · · Score: 2

      It's actually very different. Most car thieves can't physically carry around the $10k+ worth of specialized equipment needed to cut a mechanical key (and I'm assuming that it is even possible to get a single cutter that will cut them all, such that you don't need one of those $10k cutters plus five or six different kinds of $5k cutters).

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    9. Re:I'm not a car guy by dgatwood · · Score: 2

      The reality is that people rarely have zero sets of keys. Usually, they lose one and need to replace that one set. As a result, in the more common case, the design where you add the set of keys to the car is much simpler for dealers than one that involves reprogramming the keys with specialized hardware. The process is something like: put the old key in, turn the car on with it, push a button on the new fob, turn it back off and back on, push a button on the new fob, repeat n times. No hardware needed, no knowledge of how to program the key, no special database. The fobs are just standard, off-the-shelf devices, and any random person in the garage can do the work with five minutes of training and no need for any sort of security clearance.

      That's why most systems that are designed by sane people work the other way. The fob has a fixed digital key, and you turn the physical key several times in a row to put the ECU in a programming mode, after which time it will accept codes from the next fob that tries to talk to it. To steal those cars, you would have to have a key cutter and know how to put the ECU into programming mode (and on newer vehicles, you would also need one functioning fob to put it into reprogramming mode, without which the car would fail to detect the chip in the key and would either refuse to start the car or would refuse to put the ECU into programming mode even if it did decide to start and run for a short period of time).

      Granted, with those designs, in the rare situation where you have no keys, you usually have to physically replace the ECU, though in some cases it is possible to force the ECU into programming mode using vehicle-specific OBD-II magic. Either way, this is the right approach, because it minimizes the risk of theft, is easier to reprogram in the common case, and is only marginally more painful in one rare edge case.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    10. Re: I'm not a car guy by Hylandr · · Score: 2

      Mocking valid points will not alter the reality of America's almost third-world status of it's infrastructure.

      We lag in bandwidth, repair of our roads, bridges, rail systems, water management, most of our ISP's have data caps now despite 'net neutrality' etc.

      Though we do lead the world in military spending and the number of people in jail by several orders of magnitude.

      The real shitter? We have the power to change it, but instead allow ourselves to be distracted and led around by the entertainment industry.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  2. Why lock the car? by Snotnose · · Score: 5, Interesting

    The thieves simply looked up the vehicles' VIN numbers in a stolen database, reprogramed a generic key fob, started the cars, and drove away. Chrysler has confirmed that more than 100 of their vehicles have been stolen in the Houston area since November. Chrysler/Jeep owners should always make sure their vehicles are locked!

    They're duplicating the key fob. If it's good enough to start the car it's good enough to unlock the damned thing.
    Even better, the VIN is easily readable from outside the car. This whole thing smacks of TSA level security. That is, look like you're doing something while creating a bottleneck, when in reality all you're doing is creating a bottleneck.

    1. Re:Why lock the car? by Yvan256 · · Score: 2

      https://www.youtube.com/watch?...

    2. Re:Why lock the car? by PPH · · Score: 3, Insightful

      Even better, the VIN is easily readable from outside the car.

      Damned if I don't 'accidentally' always throw a roadmap* up on the dashboard, right on top of the VIN plate.

      *Get off my lawn!

      --
      Have gnu, will travel.
    3. Re:Why lock the car? by Joe_Dragon · · Score: 2

      the club

    4. Re:Why lock the car? by flyingfsck · · Score: 4, Funny

      A chain also has other uses, apart from properly securing the steering wheel to the seat of a car. I once chased off five youths with it. The improbable sight of a big bearded guy in a black leather jacket getting out of his car with a heavy chain in his hand, made them change their minds very swiftly.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    5. Re:Why lock the car? by lucm · · Score: 2

      the purpose of the club is not to prevent theft, it's to make other cars that have no clubs more enticing for potential joyride-type thieves. Ot's like having a rottweiler in your backyard; people who badly want your Faberge eggs collection will deal with it, but junkies looking for pawnable items will skip your house.

      --
      lucm, indeed.
    6. Re:Why lock the car? by lucm · · Score: 3, Funny

      The improbable sight of a big bearded guy in a black leather jacket getting out of his car with a heavy chain in his hand, made them change their minds very swiftly.

      I guess they were not into the bear and cub thing

      --
      lucm, indeed.
    7. Re:Why lock the car? by lucm · · Score: 4, Insightful

      Old shit cars get stolen all the time. Not because the thieves wil get a fortune out of it or because they're on special order from foreign billionaires. They get stolen because they're easy to steal and/or can be useful in the commission of other crimes.

      There's this guy who specializes in insurance scams. Lets say you're stuck with a lease on a Prius that you'd love to get rid of, and you just can't find a moron to take it. For $250 that guy will steal an old Pontiac Sunbird or some other piece of garbage, and will ram it in your Prius in a way that ensures it's totaled. Problem solved. If there's two Sunbirds side by side, and one of them has a club, guess which one he's going to steal.

      --
      lucm, indeed.
    8. Re:Why lock the car? by stoatwblr · · Score: 3, Insightful

      My experience of jeeps is that they're usually the cars beached or rolled on the side of the road during snowstorms, or stranded at the side of the road on steep hills whilst I drive past in my lightweight french FWD rustbucket with chains fitted.

      People seem to think that 4WD means that the steering or braking works better than other cars.

  3. How will locking the car help? by Streetlight · · Score: 5, Interesting

    I'm not sure locking the car will make any difference. My guess is they can hack into the electronic ignition they can hack into the electronic door locks as well.

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
    1. Re:How will locking the car help? by Feral+Nerd · · Score: 2

      I'm not sure locking the car will make any difference. My guess is they can hack into the electronic ignition they can hack into the electronic door locks as well.

      I'm still looking forward to the day when I'll be able to pull this prank:

      http://xkcd.com/1559/

      With self driving cars one would not have to hack the ignition or even need a rock. If you can hack the autopilot in these things you don't even have to drive the car to the chop shop or even come close enough to drop a rock in the driver's seat. You just have to hack the car's autopilot from a safe distance, disable the trackers and tell the thing where to go. I'm sure there will be a complete malware package for this compete with side-loaded Android app. Joining the classic car club and buying an old completely analog car is beginning to have a certain appeal.

    2. Re:How will locking the car help? by NormalVisual · · Score: 3, Funny

      My guess is they can hack into the electronic ignition they can hack into the electronic door locks as well.

      And if not, there aren't many cars that a brick won't unlock.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
  4. Smart key for ignition, not access. by Archfeld · · Score: 2

    The programming on the key has nothing to do with the door locks, but everything to do with starting the car. You have to insert the key into the door to unlock it, while mere possession of the smart key allows the car to be started. Admittedly basing the smart key code on the readily visible VIN is short-sighted and foolish, the act of locking your car up will at least prevent the casual access.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:Smart key for ignition, not access. by the_Bionic_lemming · · Score: 5, Informative

      My mom's 2015 jeep cherokee latitude doesn't have key locks.

      If you have the fob, you can just open the door.

      and before you accuse me of living in a basement, make sure to note my account number.

      Two extra things that suck about her jeep? 9 recalls to update the transmission software, and the third party radio won't let her get the latest maps for the gps - and it's the second radio.

      Stay away from Jeep tech, it's crappy and buggy.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    2. Re:Smart key for ignition, not access. by flyingfsck · · Score: 4, Funny

      Oh, I thought you'll just program a key fob for another Jeep...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    3. Re:Smart key for ignition, not access. by Lumpy · · Score: 3, Funny

      "and before you accuse me of living in a basement, make sure to note my account number."

      How cute, 6 digit UID and you think you are an "old timer here"

      --
      Do not look at laser with remaining good eye.
    4. Re:Smart key for ignition, not access. by drinkypoo · · Score: 2

      Stay away from Jeep tech, it's crappy and buggy.

      It's Fiat tech. Marchionne is running FCA like it was Fiat, which means he's running it into the ground. He's responsible for retarded shifters that kill people. He's responsible for Dodge selling a full-size van with front wheel drive. Guess what? It's called the Fiat Ducato in other markets and nobody wants them.* They are unremitting pieces of garbage. He's responsible for Jeep going keyless. It's all meant to modernize it and bring the brand into this century. The problem is, what people liked about it was that it wasn't. They expected reliability and he's giving them tinsel and trash.

      * Dodge vans only a year old are going for $15k. As it turns out, we actually use our rear wheel drive going up hills and towing in this country, and the Ducato will do neither. A ten-year-old sprinter is literally worth more than a one-year-old Ducato.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Smart key for ignition, not access. by washort · · Score: 2

      There's a lot of cute people around here. ;-)

  5. What good does locking the door do? by damn_registrars · · Score: 2

    Doesn't the fob unlock the door as well? The standard place for a VIN is under the wind shield; hence any car parked in the open could be a target as someone could easily walk by and snap a picture of the vin through the wind shield with their phone while walking by and nobody would think of it as odd. You won't be doing yourself any good to lock your car if that is the case.

    Besides, if they are stealing Wranglers the parts are so easily obtainable that a broken window is trivially easy to replace. Maybe Grand Cherokees are slightly more difficult to obtain quickly but likely not by much.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:What good does locking the door do? by Solandri · · Score: 4, Insightful
      If you watch the video, the procedure is to:
      • Open the door and get in (either the car is unlocked, or they break in triggering the alarm).
      • Plug the laptop into the OBD port. Command the alarm to turn off (if it was triggered).
      • Reprogram the car to accept a new keyfob.
      • Once that's done, the car recognizes your keyfob as its owner, and allows you to start the car and drive off.

      So the new keyfob can't be paired until after the thief is inside the vehicle.

      There're a lot of ways the manufacturer could've made this harder. But I've been arguing for two decades now that there should be a physical jumper or toggle switch on computers which you should have to flip in order to be able to change files in the system folder/partition. With it flipped to the default state, system files should be read-only (write logfiles somewhere else). That hasn't happened yet and systems are still getting rooted left and right, so I really don't think computer folks have much grounds for criticism.

    2. Re:What good does locking the door do? by Ungrounded+Lightning · · Score: 2

      Open the door and get in (either the car is unlocked, or they break in triggering the alarm).
      Plug the laptop into the OBD port. Command the alarm to turn off (if it was triggered).

      Can you get to the onboard bus by popping off a mirror and plugging into its remote-tilt wiring?

      How about cracking in via bugs in the radio stack for the tire pressure sensors?

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    3. Re:What good does locking the door do? by AmiMoJo · · Score: 2

      There was a similar flaw in BMWs a few years ago. You could break the drivers side corner window, reach in and connect to the OBD-II port without triggering the alarm.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. Re: To secure your car... by flyingfsck · · Score: 4, Funny

    You may be onto something. If you fill the car with junk so it looks like a homeless den, then it probably won't get stolen either.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  7. Re:Welcome to the future by Required+Snark · · Score: 3, Interesting
    When IoT fully arrives not only will you loose your car, all the belongings in your house will be up for grabs.

    There will be no way to avoid this by sticking with "real hardware" technology like mechanical locks and keys. In the same way that that all credit cards will be chipped along with all passports, you will ultimately be required to have your house/apartment hooked to the internet to get insurance. This will be justified due to fire sensors that automatically call the fire department. Part of the installation will also unlock all doors and windows to insure that anyone trapped inside will be able to escape.

    It sounds reasonable up to a point, but it's obvious that the police and government are already drooling over the possibility that no one will be able to secure their physical space. It will be justified in terms of "terrorists" and "home invasion", but the real motivation is so they can infiltrate anybody at any time. The lack of constitutional protections for communications will be extended into real life.

    When Orwell wrote 1984 he was being optimistic.

    Black Ops by TMBG

    Black ops, Black ops

    A holiday for secret cops

    Black ops, Black ops

    Dropping presents from the helicopter

    It's been a long year

    We've been so far from home

    Too many people here

    Here come the drones

    We take the best of it

    And make a mess of it

    Ripping up some lawn

    And then we're gone

    --
    Why is Snark Required?
  8. Re: To secure your car... by Type44Q · · Score: 3, Informative

    Potato. Tailpipes are generally too large for bananas; it'd be like Danny Devito trying to give anal pleasure to Andre the Giant...

  9. Re:To secure your car... by OrangeTide · · Score: 2

    I never leave my car.

    --
    “Common sense is not so common.” — Voltaire
  10. Re:To secure your car... by Rei · · Score: 2

    I've often been tempted, rather than fitting a locking gas cap to my pickup that gas thieves have several times stolen from, to replumb it so that I fuel it from behind the plastic paneling in the bed, while the normal fueling port leads to something that will ruin their engine.

    I recently did the next best thing. I discovered that they like to nab gas cans after they stole three of them (and my toolbox) out of the back of my pickup when I stepped out to pick up my father while preparing for a trip. So I offered them a "bait" can (they took it the same evening I put it out). Oh, sure, the *top* two liters in the can were gasoline.... but the bottom two liters were hydrochloric acid. I considered sodium silicate instead of HCl, but I figured this would do the job even better, since even the fumes will aggressively rust steel. ;) Maybe I should have tried adding some surfactants to try to make the two liquids miscible, so that the engine would never flood and they'd run the whole acid load through the engine. But meh, this is probably good enough even if it does flood ;)

    --
    No, she's fine. My associate is vomiting for a totally unrelated reason.
  11. Re: To secure your car... by TimeTraveler1884 · · Score: 5, Funny

    WTF did I just read?

    You wouldn't understand. It's a Jeep thing.

  12. Re: To secure your car... by ELCouz · · Score: 2

    Like this ? ---> http://3.bp.blogspot.com/_8n5K... http://www.autoblog.com/2007/0...