Car Thieves Arrested After Using Laptop and Malware To Steal More Than 30 Jeeps (abc13.com) 215
New submitter altnuc writes: Two thieves in Houston stole more than 30 Jeeps by using a laptop and a stolen database. The thieves simply looked up the vehicles' VIN numbers in a stolen database, reprogrammed a generic key fob, started the cars, and drove away. Chrysler has confirmed that more than 100 of their vehicles have been stolen in the Houston area since November. Chrysler/Jeep owners should always make sure their vehicles are locked! The Wall Street Journal issued a report in July with more details about how hackers are able to steal cars with a laptop. The whole process takes roughly 6 minutes. CrimeStopHouston has posted a video on YouTube of one of the thieves in action.
I'm not a car guy (Score:3)
Re: (Score:2)
And those are probably just as easy to skim and duplicate.
Also, wasn't this done in an NCIS episode about 5 years ago? I mean, come on Jeep!
Re: (Score:3)
Neither of you have a clue what you're talking about. They started doing rolling codes now but the list isn't that great so you can still brute force things with a HackRF. And no those keyfobs aren't easy to program or clone. Do you know the most popular stolen car is still 90s Hondas? Rarely do newer cars get stolen anymore. Now it's all about factory wheels that cost $2k each to replace.
Re: (Score:2)
90's Hondas weren't the most popular car to steal in the 90's. You're confusing the stolen car market (parts) with ease of theft. New cars aren't stolen at the same rate as older cars not because they are harder to steal, but because the demand isn't there for their parts.
Honda always tops the list not because Hondas are easier to steal, but because they are ubiquitous (thus probability is in their favo
Re: (Score:2)
90's Hondas weren't the most popular car to steal in the 90's.
Earlier Hondas have always been popular targets for theft, and yes, they are easy to steal. They don't have immobilizers or really any other anti-theft equipment and they're very easy to get into physically. [dmv.org]
Re: (Score:2)
If you'll kindly notice, from your own link, the model years being stolen always lag by a decade or more what's current. Exactly as I said.
Re: (Score:2)
They just have it back to front. The thieves are reprogramming the car to accept the fob they have, not the other way around.
Re: (Score:2)
It's called Peer Firewalling, it's the latest trend in cybersecurity. One adds the firewall rules, the other handles the "firewall-cmd --reload" calls.
Re: (Score:3)
Mocking valid points will not alter the reality of America's almost third-world status of its infrastructure.
We lag in bandwidth, repair of our roads, bridges, rail systems, water management, most of our ISPs have data caps now despite 'net neutrality' etc.
Though we do lead the world in military spending and the number of people in jail by several orders of magnitude.
The real shitter? We have the power to change it, but instead allow ourselves to be distracted and led around by the entertainment industry.
Re:I'm not a car guy (Score:5, Funny)
Re: (Score:3)
but is there a reason it's so easy to reprogram the key fobs to start a car? I mean, my bloody credit card has a chip in it for Pete's sake and I got it free with my account. Heck my crummy bank card has one.
Usually they aren't. What they're doing here is essentially cloning key fobs from a master.
If you lose all your keys, the only way to replace them is to replace the entire locking system as you can't clone keys from the system in the car. It's a bit like PKI, the car contains the public key, the fob contains the private key.
Of course this is Fiat-Chrysler we're talking about here, so the security is likely to be designed by drunken monkeys.
Re: (Score:3)
I wouldn't be surprised if current systems are using techniques like HMAC, where both the car and the key use a pre-shared key. In this case, the factory keeps a copy of the database matching VINs to private keys. This allows a dealer or authorized locksmith to either order a new pre-programmed key from the factory, or possibly request the key for
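The scheme this comment speculates about, sketched as an added example (not part of the original post and not any manufacturer's protocol): HMAC challenge-response start authorization, with new-fob enrollment gated either by a per-vehicle code that also sits in a back-office database or by proof from an already enrolled fob. `Immobilizer`, `programming_code`, the two policy names and the VIN string are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def fob_response(fob_key: bytes, challenge: bytes) -> bytes:
    """Fob side: prove possession of the shared key without transmitting it."""
    return hmac.new(fob_key, challenge, hashlib.sha256).digest()


class Immobilizer:
    """Car side. Hypothetical model, not any manufacturer's protocol."""

    def __init__(self, first_fob_key: bytes, programming_code: bytes, policy: str):
        self.fob_keys = [first_fob_key]
        self.programming_code = programming_code  # assumed: a copy sits in a back-office DB
        self.policy = policy  # "database_code" or "enrolled_fob"
        self._nonce = None

    def new_challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fresh random challenge per attempt
        return self._nonce

    def _check(self, response) -> bool:
        nonce, self._nonce = self._nonce, None  # each challenge is single use
        if nonce is None or response is None:
            return False
        return any(hmac.compare_digest(fob_response(k, nonce), response)
                   for k in self.fob_keys)

    def start_engine(self, response) -> bool:
        return self._check(response)

    def enroll_fob(self, new_key, code=None, proof=None) -> bool:
        """Add a fob; what counts as authorization depends on the policy."""
        if self.policy == "database_code":
            # Authorization is knowledge of a value that exists outside the car.
            ok = code is not None and hmac.compare_digest(code, self.programming_code)
        else:
            # Authorization is a live response from a fob the car already trusts.
            ok = self._check(proof)
        if ok:
            self.fob_keys.append(new_key)
        return ok


def demo() -> dict:
    results = {}
    for policy in ("database_code", "enrolled_fob"):
        owner_key = secrets.token_bytes(32)
        code = secrets.token_bytes(8)
        back_office_db = {"CONSTRUCTED-VIN-0001": code}  # constructed sample record
        car = Immobilizer(owner_key, code, policy)

        # Normal start, then the same response replayed against a new challenge.
        first = fob_response(owner_key, car.new_challenge())
        results[policy, "owner_starts"] = car.start_engine(first)
        car.new_challenge()
        results[policy, "replay_starts"] = car.start_engine(first)

        # A party holding only the database record and a blank fob.
        leaked = back_office_db["CONSTRUCTED-VIN-0001"]
        results[policy, "db_only_enroll"] = car.enroll_fob(
            secrets.token_bytes(32), code=leaked)

        # The owner adding a spare with an enrolled fob present.
        proof = fob_response(owner_key, car.new_challenge())
        results[policy, "owner_enroll"] = car.enroll_fob(
            secrets.token_bytes(32), code=code, proof=proof)
    return results


if __name__ == "__main__":
    for (policy, check), value in demo().items():
        print(f"{policy:14} {check:15} {value}")
```

Under `database_code` the database record alone is sufficient to add a fob, so the system is only as strong as the confidentiality of that database; under `enrolled_fob` the same record authorizes nothing, at the cost of a harder recovery path when every fob is lost.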
Re: (Score:3)
It's actually very different. Most car thieves can't physically carry around the $10k+ worth of specialized equipment needed to cut a mechanical key (and I'm assuming that it is even possible to get a single cutter that will cut them all, such that you don't need one of those $10k cutters plus five or six different kinds of $5k cutters).
Re: (Score:3)
To make dealerships more money.
BMW makes 10 keys for your car when it's made. When you lose all 10 keys, the dealership is required to point and laugh at you while live streaming to YouTube.
It takes a few days for the key to arrive for your car. It's part of the punishment for being a dimwit and losing all your sets of keys.... because your car was sold with 3 freaking sets.
Note: if you buy a used BMW and they don't hand you all 3 sets, the previous owners are scumbags, or the dealership is a scumbag. T
Re: (Score:2)
but is there a reason it's so easy to reprogram the key fobs to start a car?
People lose keys, keys break, and non-replaceable batteries die.
Re: (Score:3)
Yes, there is a reason: It costs money to make them more secure! And since management bonuses are more important than having a good product, you can imagine how that decision went. It is something you run into time and again in the security-space: Management deciding on cheaper-than-possible solutions that do not get the job done anymore in order to save money that then goes to them. Just think of the Takata Airbag Recalls, the problems with car doors opening, the problems with borked ignition, etc. All of
Re: (Score:2)
The reason it's easy, is that they make it easy for dealers and service technicians to reprogram the fobs. Had you RTFA, you wouldn't have had to ask.
Re: (Score:3)
The reality is that people rarely have zero sets of keys. Usually, they lose one and need to replace that one set. As a result, in the more common case, the design where you add the set of keys to the car is much simpler for dealers than one that involves reprogramming the keys with specialized hardware. The process is something like: put the old key in, turn the car on with it, push a button on the new fob, turn it back off and back on, push a button on the new fob, repeat n times. No hardware needed,
Re: (Score:3)
Why lock the car? (Score:5, Interesting)
The thieves simply looked up the vehicles' VIN numbers in a stolen database, reprogrammed a generic key fob, started the cars, and drove away. Chrysler has confirmed that more than 100 of their vehicles have been stolen in the Houston area since November. Chrysler/Jeep owners should always make sure their vehicles are locked!
They're duplicating the key fob. If it's good enough to start the car it's good enough to unlock the damned thing.
Even better, the VIN is easily readable from outside the car. This whole thing smacks of TSA level security. That is, look like you're doing something while creating a bottleneck, when in reality all you're doing is creating a bottleneck.
Re: (Score:2)
Re: (Score:3)
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:3)
the club
Re: (Score:2)
If you REALLY want an effective deterrent, then get a lockable wheel clamp that you install on the front right or front left tire (Or Both), and stops the vehicle from being driven.
Also, if a thief is trying to defeat your wheel clamp, they will be in plain sight in the parking lot or public street....
Re: (Score:3)
The purpose of the club is not to prevent theft, it's to make other cars that have no clubs more enticing for potential joyride-type thieves. It's like having a rottweiler in your backyard; people who badly want your Faberge eggs collection will deal with it, but junkies looking for pawnable items will skip your house.
Re: (Score:2)
Re:Why lock the car? (Score:5, Insightful)
Old shit cars get stolen all the time. Not because the thieves will get a fortune out of it or because they're on special order from foreign billionaires. They get stolen because they're easy to steal and/or can be useful in the commission of other crimes.
There's this guy who specializes in insurance scams. Let's say you're stuck with a lease on a Prius that you'd love to get rid of, and you just can't find a moron to take it. For $250 that guy will steal an old Pontiac Sunbird or some other piece of garbage, and will ram it in your Prius in a way that ensures it's totaled. Problem solved. If there's two Sunbirds side by side, and one of them has a club, guess which one he's going to steal.
Re: (Score:2)
I went to a friend's house, the friend had some friends of, shall we say, ill repute.
My friend told me not to bother with the club, it was not effective. I disputed, he said, "Ok...".
We went into the house, then back out a short time later. My friend "I told you so...".
There was the club, sitting on the seat, no damage to the steering wheel, none to the club.
The club was still locked, and, as far as I could tell, just as it was wh
Re: (Score:2)
The steering wheel is by design not a secure location to attach to, it is by intent supposed to fold so you don't die by getting impaled. A better security point is the brake pedal. It is by design supposed to stand up to a severe crash.
Re:Why lock the car? (Score:5, Funny)
Re:Why lock the car? (Score:4, Funny)
The improbable sight of a big bearded guy in a black leather jacket getting out of his car with a heavy chain in his hand, made them change their minds very swiftly.
I guess they were not into the bear and cub thing
Re:Why lock the car? (Score:4, Insightful)
Even better, the VIN is easily readable from outside the car.
Damned if I don't 'accidentally' always throw a roadmap* up on the dashboard, right on top of the VIN plate.
*Get off my lawn!
Re: (Score:2)
Re: (Score:2)
The last time I was in the States, I bought a Rand McNally road atlas for $15.
Out on America's glorious Interstate Highways, it can be a long way between cheap coffee/free wifi stations (I think you lot call them "McDonalds", yes?), and when you're hiring a car those on-dash GPS things cost extra--about $15/day.
Re: (Score:2)
Damned if I don't 'accidentally' always throw a roadmap* up on the dashboard, right on top of the VIN plate.
*Get off my lawn!
Cool! Another idiot tourist! Tourists always leave valuables in their car. Let's break the window.
Re: Why lock the car? (Score:2)
Visible from the OUTSIDE? Or are you suggesting car thieves will get underneath and find the VIN on the rear axle?
Re: (Score:2)
oops, I dropped my wallet, I'll just be a second down here to pick it up. *wink*
Re: (Score:2)
Visible from the OUTSIDE? Or are you suggesting car thieves will get underneath and find the VIN on the rear axle?
What? Guess you're new to this. Since ~2005 the vehicle's VIN is on everything from windows to door panels to rims and rocker panels. Some of them even have the VIN on taillights and headlamp housings. If you know the vehicle you can etch the VIN out in 5 seconds using paper and a chunk of charcoal and no one would be the wiser.
Smart key for ignition, not access. (Score:3)
The programming on the key has nothing to do with the door locks, but everything to do with starting the car. You have to insert the key into the door to unlock it, while mere possession of the smart key allows the car to be started. Admittedly basing the smart key code on the readily visible VIN is short-sighted and foolish, the act of locking your car up will at least prevent the casual access.
Re:Smart key for ignition, not access. (Score:5, Informative)
My mom's 2015 Jeep Cherokee Latitude doesn't have key locks.
If you have the fob, you can just open the door.
And before you accuse me of living in a basement, make sure to note my account number.
Two extra things that suck about her Jeep? 9 recalls to update the transmission software, and the third party radio won't let her get the latest maps for the GPS - and it's the second radio.
Stay away from Jeep tech, it's crappy and buggy.
Re:Smart key for ignition, not access. (Score:4, Funny)
"and before you accuse me of living in a basement, make sure to note my account number."
How cute, 6 digit UID and you think you are an "old timer here"
Re: (Score:2)
Vehicles without wireless starting, wireless key-entry, and non-mechanical driver controls are best, but
engine immobilizer with chip in the key is a good idea, as long as the programming procedure is physically secured.
No reason you shouldn't be able to require an actual key exchange during programming requiring physical access: instead of having keys programmable based on information in some database.
UID number isn't everything. I've been on Slashdot since 1997.
There hasn't always been this new-fangle
Re: (Score:3)
Re: (Score:3)
Stay away from Jeep tech, it's crappy and buggy.
It's Fiat tech. Marchionne is running FCA like it was Fiat, which means he's running it into the ground. He's responsible for retarded shifters that kill people. He's responsible for Dodge selling a full-size van with front wheel drive. Guess what? It's called the Fiat Ducato in other markets and nobody wants them.* They are unremitting pieces of garbage. He's responsible for Jeep going keyless. It's all meant to modernize it and bring the brand into this century. The problem is, what people liked about it
Re: (Score:2)
Assuming the car has power. Earlier this year I had to replace a corroded battery cable, and a lack of key locks would have made that a bit more challenging.
Re: (Score:2)
My Jeep has a smart fob for an ignition key and remote access but the key is still cut for manual door locks. I didn't get auto locks or windows or such. I agree that their security is less than great but I love the performance in the desert and with the soft top I've never really depended on the locks to keep folks out, that is what the garage and insurance is for. :)
Comparing account numbers is a silly exercise in a place like this
Re:Smart key for ignition, not access. (Score:5, Funny)
Re: (Score:2)
This is patently false on many new Jeeps, and probably false on most new cars. What car manufactured in the last 10 years doesn't have remote door unlocks? How many of those don't have an option for remote starting? Jeep even has an app for remote starting. Seriously, inserting a key into the door to unlock it? That's 1990s technology.
Jeep Grand Cherokees have "smart key" like you describe which will allow for unlocking the door based on proximity alone, all you need is to have a key within x distance and p
Re: (Score:2)
Re: (Score:2)
Depends on the car.
My Fords did this great. BMWs have a pull twice thing (first pull unlocks, second pull opens).
GM, I have not owned any recent ones, but my recollection is that they don't open unless you unlock using the inside thingy to unlock.
Re: (Score:2)
Admittedly basing the smart key code on the readily visible VIN is short-sighted and foolish, the act of locking your car up will at least prevent the casual access.
I had the keys in my car start to fail. It was a 40 year old sports car. The keys were worn, and they were copies of copies. They were failing sometimes. I called the dealer. They said they couldn't give original keys for the car. I found a place in Australia that cuts keys to
Re: (Score:2)
But once they have stolen it they then have - a Jeep.
What are they going to do with it? Surely nobody sane actually buys those things?
No, wait. There are apparently people in that country that actually plan to vote for an orange flavoured lunatic.
Forget what I said.
Re: (Score:2)
But once they have stolen it they then have - a Jeep.
I didn't know that Slashdot has the Ferd vs Chivvy crowd!
What are they going to do with it? Surely nobody sane actually buys those things?
Only in my area. Seems that Jeeps are maybe 1 out of every 4 vehicles. There's a reason for that. They have a marked tendency to simply go. Our weather is unpredictable, and as the typical weather changes, we have gone from snowstorms to ice storms. They are sure footed enough that they even got my wife to drive in the nasty weather, when at one time a threat of snow got me called out to pick her up. If you don't like one, don't buy one. I'm on my t
Re:Why lock the car? (Score:4, Insightful)
My experience of Jeeps is that they're usually the cars beached or rolled on the side of the road during snowstorms, or stranded at the side of the road on steep hills whilst I drive past in my lightweight French FWD rustbucket with chains fitted.
People seem to think that 4WD means that the steering or braking works better than other cars.
Re: (Score:2)
Even better, the VIN is easily readable from outside the car.
So lock your car, put a piece of paper on top of the dash so it covers the VIN completely, paint/tape over VIN number on underside,
and conceal VIN number in all locations where it's visible without opening the car first.
Put in LoJack and a car alarm with a long-distance notification and control features.
Re: (Score:2)
Chrysler/Jeep owners should always make sure their vehicles are locked!
This sounds like the response of a first-level support person.
"Hello, my car was stolen. It looks like they had the key to get in and start the car."
"I'm so sorry to hear that. In the future, Chrysler recommends that you lock your car."
"But my car was locked, that's my point! I am not the only one. You guys need to do a recall to fix this security issue. Or reimburse the cost of people's car. "
"I understand you're upset. But Chrysler/Jeep can not be responsible when owners don't lock up their car."
Re: (Score:2)
My 2015 Jeep Renegade is completely operated by the FOB. You just walk up to the door with the FOB in your pocket, put your hand on the door handle (there is a tiny button there) and it unlocks.
One thing to note, it makes it impossible to lock your key in the car, since it will sense it nearby and allow you to unlock it just by pressing that button again.
Re: (Score:2)
Welcome to the future (Score:2)
Next year, the thieves will start up the car and drive it by remote and autonomous drive from their laptop. Good thing it's a bit trickier to remotely refuel.
Re: (Score:2)
Re:Welcome to the future (Score:4, Interesting)
There will be no way to avoid this by sticking with "real hardware" technology like mechanical locks and keys. In the same way that all credit cards will be chipped along with all passports, you will ultimately be required to have your house/apartment hooked to the internet to get insurance. This will be justified due to fire sensors that automatically call the fire department. Part of the installation will also unlock all doors and windows to ensure that anyone trapped inside will be able to escape.
It sounds reasonable up to a point, but it's obvious that the police and government are already drooling over the possibility that no one will be able to secure their physical space. It will be justified in terms of "terrorists" and "home invasion", but the real motivation is so they can infiltrate anybody at any time. The lack of constitutional protections for communications will be extended into real life.
When Orwell wrote 1984 he was being optimistic.
Black Ops by TMBG [youtube.com]
Guess you've never been broken into (Score:2)
Re: (Score:2)
Next year, the thieves will start up the car and drive it by remote and autonomous drive from their laptop.
Just park it near a white semi trailer - the car will never make it to the thieves.
How will locking the car help? (Score:5, Interesting)
Re: (Score:3)
I'm not sure locking the car will make any difference. My guess is they can hack into the electronic ignition they can hack into the electronic door locks as well.
I'm still looking forward to the day when I'll be able to pull this prank:
http://xkcd.com/1559/ [xkcd.com]
With self driving cars one would not have to hack the ignition or even need a rock. If you can hack the autopilot in these things you don't even have to drive the car to the chop shop or even come close enough to drop a rock in the driver's seat. You just have to hack the car's autopilot from a safe distance, disable the trackers and tell the thing where to go. I'm sure there will be a complete malware packa
Re: (Score:2)
Re: (Score:2)
I'm not sure locking the car will make any difference. My guess is they can hack into the electronic ignition they can hack into the electronic door locks as well.
Sure as heck won't make a bit of difference with my soft top JK Wrangler.
Re:How will locking the car help? (Score:4, Funny)
And if not, there aren't many cars that a brick won't unlock.
The obvious flaw in their plan (Score:2)
Trying to make a getaway driving 15 cars each.
What good does locking the door do? (Score:3)
Besides, if they are stealing Wranglers the parts are so easily obtainable that a broken window is trivially easy to replace. Maybe Grand Cherokees are slightly more difficult to obtain quickly but likely not by much.
Re:What good does locking the door do? (Score:5, Insightful)
So the new keyfob can't be paired until after the thief is inside the vehicle.
There're a lot of ways the manufacturer could've made this harder. But I've been arguing for two decades now that there should be a physical jumper or toggle switch on computers which you should have to flip in order to be able to change files in the system folder/partition. With it flipped to the default state, system files should be read-only (write logfiles somewhere else). That hasn't happened yet and systems are still getting rooted left and right, so I really don't think computer folks have much grounds for criticism.
Re: (Score:3)
Open the door and get in (either the car is unlocked, or they break in triggering the alarm).
Plug the laptop into the OBD port. Command the alarm to turn off (if it was triggered).
Can you get to the onboard bus by popping off a mirror and plugging into its remote-tilt wiring?
How about cracking in via bugs in the radio stack for the tire pressure sensors?
Re: (Score:3)
There was a similar flaw in BMWs a few years ago. You could break the driver's side corner window, reach in and connect to the OBD-II port without triggering the alarm.
Brake pedal lock (Score:2)
Re: (Score:2)
I sure hope (Score:2)
My 1991 Cadillac DeVille isn't susceptible to this sophisticated hack!
Re: I sure hope (Score:2)
Re: (Score:2)
I think that one you can start using a screwdriver and turning really hard.
Re: (Score:2)
Seems like a good way to create a lot of witnesses.
The scariest words - "Stolen Database." (Score:2)
Serving griefers paying customer fodder (Score:2)
Reminds me of Ultima Online where locks on your house were useless against thief characters.
Isn't this a solved problem? (Score:2)
Re: (Score:2)
Is it really? [tumblr.com]
Re: (Score:2)
Remove the rotor from the distributor... or you can always put a banana in the tailpipe
How many cars do you think still have mechanical distributors now?
Re: To secure your car... (Score:4, Informative)
Re: To secure your car... (Score:5, Funny)
WTF did I just read?
You wouldn't understand. It's a Jeep thing.
Re: (Score:3)
I never leave my car.
Re: (Score:2)
I never leave my car.
Yes, the good old standby unemployed homeless hermit strategy.
Re: (Score:3)
I've often been tempted, rather than fitting a locking gas cap to my pickup that gas thieves have several times stolen from, to replumb it so that I fuel it from behind the plastic paneling in the bed, while the normal fueling port leads to something that will ruin their engine.
I recently did the next best thing. I discovered that they like to nab gas cans after they stole three of them (and my toolbox) out of the back of my pickup when I stepped out to pick up my father while preparing for a trip. So I o
Re: (Score:2)
Uhh have you ever heard of this thing called ignition coils on plug? Basically the ignition coil is on top of the spark plug itself, with low voltage wires going to the coil.
I'm not sure there has been a car made with a mechanical distributor made in the past 25+ years?
I will now remove myself from your lawn.
Re: (Score:2)
I'm not sure there has been a car made with a mechanical distributor made in the past 25+ years?
I assure you that they have. While coil-on-plug has been around since the late eighties, it didn't really become mainstream until about 2000. In between the eighties (when everything had a distributor) and now (when COP is fairly common) most vehicles had a "waste spark" system, with one remote ignition coil shared between each pair of "opposing" (in the firing order, not necessarily physically opposed) cylinders. They're called waste spark because both spark plugs are always connected to the coil, so the e
Re: To secure your car... (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Good idea. It'll be perfectly secure as long as you never drive anywhere.
Re: (Score:2)
or, you know, park it in your garage if you have one instead of filling it with junk.
And when you need to get back and forth to work, just use Uber/Lyft. Thankfully, Houston is not in some third world country where those aren't an option.
Re: (Score:2)
The best solution is a manual transmission. So few people know how to drive them now they're practically magic.
I haven't been in an automatic one in my life, so your estimate is off. Poland.
Re: (Score:2)
You wouldn't download a baby!
Re: (Score:2)
[my car will have ] a homemade switch in one of the ignition wires, hidden somewhere discreet.
My car does. The switch does two things, disables the ignition and also the starter motor. Very discouraging to a thief if the starter will not even turn. My switch is not "home made" of course and is in fact a multi-pole key switch and even if the thief realises there is such a switch he is unlikely to be bothered to find it. Even if he did, he is not going to be able to hot-wire it without seeing my circuit diagram or alternatively being familiar with the fuse box area and handy with a soldering iron.
T
Re: (Score:2)
even if the thief realises there is such a switch he is unlikely to be bothered to find it. Even if he did, he is not going to be able to hot-wire it without seeing my circuit diagram or alternatively being familiar with the fuse box area and handy with a soldering iron.
Everything is color-coded behind the fuse box, and most professional car thieves have at least basic automotive electrical knowledge, which is not hard to come by.
Re: (Score:2)
With a level of knowledge of the car model, and undisturbed time, and additional batteries and cable, any car security can be defeated. However my thief will probably look for something easier. I did not mention that I sold that particular car recently and removed the feature, restoring the wiring to standard. It took me most of an afternoon, with the aid of my own and the manufacturer's circuit diagrams.
Don't forget I still have all the standard anti-theft features of the car as well.