Slashdot Mirror
Motorcycle Gang Busted For Hacking and Stealing Over 150 Jeep Wranglers (bleepingcomputer.com)
An anonymous reader writes: "The FBI has arrested members of a motorcycle gang accused to have hacked and stolen over 150 Jeep Wranglers from Southern California, which they later crossed the border into Mexico to have stripped down for parts," reports Bleeping Computer. What stands apart is how the gang operated. This involved gang members getting the Jeep Wrangler VIN (Vehicle Identification Number), accessing a proprietary Jeep database, and getting two codes needed to create a duplicate replacement key. Gang members used one code to cut the key, while they used the second code while stealing the car, connecting a handheld programming computer to the car, and programming the replacement key's chip, synchronizing it to the car's dashboard. All of this took under 2 minutes and was also possible because Jeep Wranglers allow thieves to pop the hood from the outside of the car and disable the alarm even before using their non-authenticated replacement key. Officials say that all the database queries for the stolen VIN codes came from a Jeep dealer in Cabo San Lucas, Mexico. Court documents don't say if the dealer cooperated or gang members hacked its system. The motorcycle gang's name was Hooligans and the sub-unit that stole the Jeeps was named Dirty 30.
I doubt the gang did the hacking. There is probably a person or group who figured out how to do this hack, then sold the info and devices with instructions to the gang who used it. It's a lot like hackers of old versus script kiddies today. A couple decades ago to hack a system normally meant the hacker had the skills and understanding, but today it is often just a person who knows how to run a program that someone else wrote.
There's your main problem right there.
If you look you will find that a lot of car hoods can be opened by inserting the right tool through the grill to access the locking mechanism. It's a lot like how a slim jim can get you in through the door.
What I mean is opening the hood while the vehicle is locked should trigger the alarm, just as opening the door with a slim jim would. Or the horn/alarm circuitry should be located behind the firewall so it can't be disabled so easily.
Unlike porn, which yada yada rimshot hey-ooh!
It's time that you should be able to program your car with your own codes because obviously dealerships cannot be trusted to secure them.
Anons need not reply. Questions end with a question mark.
That can be done for any car - how do you think dealers make a new key when you misplace your original keys?
It may make sense to have that capability. But there's no reason for the whole database to be replicated anywhere outside of some secure vault within Jeep's corporate headquarters in Italy. Dealers should send authenticated individual queries to the central system as needed.
Since they could track it down to a specific dealer, it sounds like that is exactly how it works.