Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Crime Databases Security Software Technology

Car Thieves Arrested After Using Laptop and Malware To Steal More Than 30 Jeeps (abc13.com) 215

New submitter altnuc writes: Two thieves in Houston stole more than 30 Jeeps by using a laptop and a stolen database. The thieves simply looked up the vehicles' VIN numbers in a stolen database, reprogramed a generic key fob, started the cars, and drove away. Chrysler has confirmed that more than 100 of their vehicles have been stolen in the Houston area since November. Chrysler/Jeep owners should always make sure their vehicles are locked! The Wall Street Journal issued a report in July with more details about how hackers are able to steal cars with a laptop. The whole process takes roughly 6 minutes. CrimeStopHouston has posted a video on YouTube of one of the thieves in action.
This discussion has been archived. No new comments can be posted.

Car Thieves Arrested After Using Laptop and Malware To Steal More Than 30 Jeeps

Comments Filter:
  • by rsilvergun ( 571051 ) on Friday August 05, 2016 @10:39PM (#52654395)
    but is there a reason it's so easy to reprogram the key fobs to start a car? I mean, my bloody credit card has a chip in it for Pete's sake and I got it free with my account. Heck my crummy bank card has one.
    • by Barny ( 103770 )

      And those are probably just as easy to skim and duplicate.

      Also, wasn't this done in an NCIS episode about 5 years ago? I mean, come on Jeep!

      • Neither of you have a clue what you're talking about. They started doing rolling codes now but the list isn't that great so you can still brute force things with an HackRF. And no those keyfobs aren't easy to program or clone. Do you know the most popular stolen car is still 90s Hondas? Rarely do newer cars get stolen anymore. Now its all about factory wheels that cost $2k each to replace.

    • by flyingfsck ( 986395 ) on Friday August 05, 2016 @11:56PM (#52654577)
      When key broke, it took the dealer a week to update their Windows PC, get the proper software and program a new key, so I guess a thief could really do it in about 5 seconds...
    • by mjwx ( 966435 )

      but is there a reason it's so easy to reprogram the key fobs to start a car? I mean, my bloody credit card has a chip in it for Pete's sake and I got it free with my account. Heck my crummy bank card has one.

      Usually they aren't. What they're doing here is essentially cloning key fob's from a master.

      If you lose all your keys, the only way to replace them is to replace the entire locking system as you cant clone keys from the system in the car. It's a bit like PKI, the car contains the public key, the fob contains the private key.

      Of course this is Fiat-Chrysler we're talking about here, so the security is likely to be designed by drunken monkeys.

      • I don't know what the current auto security tech is, but proper PKI was shunned for a long time. Possibly for reasons of key battery life, or silicon IP costs.

        I wouldn't be surprised if current systems are using techniques like HMAC, where both the car and the key use a pre-shared key. In this case, the factory keeps a copy of the database matching VINs to private keys. This allows a dealer or authorized locksmith to either order a new pre-programmed key from the factory, or possibly request the key for
    • by Lumpy ( 12016 )

      To make dealerships more money.

      BMW makes 10 keys for your car when it's made. when you lose all 10 keys, the dealership is required to point and laugh at you while live streaming to youtube.

      It takes a few days for the key to arrive for your car, It's part of the punishment for being a dimwit and losing all your sets of keys.... because your car was sold with 3 freaking sets.

      Note: if you buy a used bmw and they dont hand you all 3 sets, the previous owners are scumbags, or the dealership is a scumbag. T

    • but is there a reason it's so easy to reprogram the key fobs to start a car?

      People lose keys, keys break, and non-replaceable batteries die.

    • by gweihir ( 88907 )

      Yes, there is a reason: It costs money to make them more secure! And since management bonuses are more important than having a good product, you can imagine how that decision went. It is something you run into time and again in the security-space: Management deciding on cheaper-than-possible solutions that do not get the job done anymore in order to safe money that then goes to them. Just think of the Takata Airbag Recalls, the problems with car doors opening, the problems with borked ignition, etc. All of

    • by sudon't ( 580652 )

      The reason it's easy, is that they make it easy for dealers and service technicians to reprogram the fobs. Had you RTFA, you wouldn't have had to ask.

      • by dgatwood ( 11270 )

        The reality is that people rarely have zero sets of keys. Usually, they lose one and need to replace that one set. As a result, in the more common case, the design where you add the set of keys to the car is much simpler for dealers than one that involves reprogramming the keys with specialized hardware. The process is something like: put the old key in, turn the car on with it, push a button on the new fob, turn it back off and back on, push a button on the new fob, repeat n times. No hardware needed,

    • This is neither new, nor restricted to jeeps. Even premium brands such as BMW are just as vulnerable.
  • Why lock the car? (Score:5, Interesting)

    by Snotnose ( 212196 ) on Friday August 05, 2016 @10:45PM (#52654409)

    The thieves simply looked up the vehicles' VIN numbers in a stolen database, reprogramed a generic key fob, started the cars, and drove away. Chrysler has confirmed that more than 100 of their vehicles have been stolen in the Houston area since November. Chrysler/Jeep owners should always make sure their vehicles are locked!

    They're duplicating the key fob. If it's good enough to start the car it's good enough to unlock the damned thing.
    Even better, the VIN is easily readable from outside the car. This whole thing smacks of TSA level security. That is, look like you're doing something while creating a bottleneck, when in reality all you're doing is creating a bottleneck.

    • Back to the good old chain and padlock .
      • the club

        • by mysidia ( 191772 )

          If you REALLY want an effective deterrent, then get a lockable wheel clamp that you install on the front right or front left tire (Or Both), and stops the vehicle from being driven.

          Also, if a thief is trying to defeat your wheel clamp, they will be in plain sight in the parking lot or public street....

      • by flyingfsck ( 986395 ) on Friday August 05, 2016 @11:44PM (#52654553)
        A chain also has other uses, apart from properly securing the steering wheel to the seat of a car. I once chased off five youths with it. The improbable sight of a big bearded guy in a black leather jacket getting out of his car with a heavy chain in his hand, made them change their minds very swiftly.
    • by PPH ( 736903 ) on Friday August 05, 2016 @11:08PM (#52654473)

      Even better, the VIN is easily readable from outside the car.

      Damned if I don't 'accidentally' always throw a roadmap* up on the dashboard, right on top of the VIN plate.

      *Get off my lawn!

      • Good idea, but who these days has a road map?
        • The last time I was in the States, I bought a Rand McNally road atlas for $15.

          Out on America's glorious Interstate Highways, it can be a long way between cheap coffee/free wifi stations (I think you lot call them "McDonalds", yes?), and when you're hiring a car those on-dash GPS things cost extra--about $15/day.

      • Damned if I don't 'accidentally' always throw a roadmap* up on the dashboard, right on top of the VIN plate.

        *Get off my lawn!

        Cool! Another idiot tourist! Tourists always leave valuables in their car. Let's break the window.

    • The programming on the key has nothing to do with the door locks, but everything to do with starting the car. You have to insert the key into the door to unlock it, while mere possession of the smart key allows the car to be started. Admittedly basing the smart key code on the readily visible VIN is short-sighted and foolish, the act of locking your car up will at least prevent the casual access.

      • by the_Bionic_lemming ( 446569 ) on Saturday August 06, 2016 @12:13AM (#52654601)

        My mom's 2015 jeep cherokee latitude doesn't have key locks.

        If you have the fob, you can just open the door.

        and before you accuse me of living in a basement, make sure to note my account number.

        Two extra things that suck about her jeep? 9 recalls to update the transmission software, and the third party radio won't let her get the latest maps for the gps - and it's the second radio.

        Stay away from Jeep tech, it's crappy and buggy.

        • by Lumpy ( 12016 ) on Saturday August 06, 2016 @07:23AM (#52655247) Homepage

          "and before you accuse me of living in a basement, make sure to note my account number."

          How cute, 6 digit UID and you think you are an "old timer here"

          • by mysidia ( 191772 )

            Vehicles without wireless starting, wireless key-entry, and non-mechanical driver controls are best, But
            engine immobilizer with chip in the key is a good idea, As long as the programming procedure is physically secured.
            No reason you shouldn't be able to require an actual key exchange during programming requiring physical access: instead of having keys programmable based on information in some database.

            UID number isn't everything. I've been on Slashdot since 1997.
            There hasn't always been this new-fangle

          • by washort ( 6555 )
            There's a lot of cute people around here. ;-)
        • Stay away from Jeep tech, it's crappy and buggy.

          It's Fiat tech. Marchionne is running FCA like it was Fiat, which means he's running it into the ground. He's responsible for retarded shifters that kill people. He's responsible for Dodge selling a full-size van with front wheel drive. Guess what? It's called the Fiat Ducato in other markets and nobody wants them.* They are unremitting pieces of garbage. He's responsible for Jeep going keyless. It's all meant to modernize it and bring the brand into this century. The problem is, what people liked about it

        • My mom's 2015 jeep cherokee latitude doesn't have key locks. If you have the fob, you can just open the door.

          Assuming the car has power. Earlier this year I had to replace a corroded battery cable, and a lack of key locks would have made that a bit more challenging.
        • by Archfeld ( 6757 )

          My Jeep has a smart fob for an ignition key and remote access but the key is still cut for manual door locks. I didn't get auto locks or windows or such. I agree that their security is less than great but I love the performance in the desert and with the soft top I've never really depended on the locks to keep folks out, that is what the garage and insurance is for.
          Comparing account numbers is a silly exercise in a place like this :)

      • by Lakitu ( 136170 )

        This is patently false on many new Jeeps, and probably false on most new cars. What car manufactured in the last 10 years doesn't have remote door unlocks? How many of those don't have an option for remote starting? Jeep even has an app for remote starting. Seriously, inserting a key into the door to unlock it? That's 1990s technology.

        Jeep Grand Cherokees have "smart key" like you describe which will allow for unlocking the door based on proximity alone, all you need is to have a key within x distance and p

      • by AK Marc ( 707885 )
        My car and the wife's car both use the smart key for unlocking, as well as starting. There are backup physical keys, but so long as the battery in the car and the battery in the key are good, you don't ever use the physical key.

        Admittedly basing the smart key code on the readily visible VIN is short-sighted and foolish, the act of locking your car up will at least prevent the casual access.

        I had the keys in my car start to fail. It was a 40 year old sports car. The keys were worn, and they were copies of copies. They were failing sometimes. I called the dealer. They said they couldn't give original keys for the car. I found a place in Australia that cuts keys to

    • But once they have stolen it they then have - a Jeep.

      What are they going to do with it? Surely nobody sane actually buys those things?

      No, wait. There are apparently people in that country that actually plan to vote for a orange flavoured lunatic.
      Forget what I said.

      • But once they have stolen it they then have - a Jeep.

        I didn't know that Slashdot has the Ferd vs Chivvy crowd!

        What are they going to do with it? Surely nobody sane actually buys those things?

        Only in my area. Seems that Jeeps are maybe 1 out of every 4 vehicles. There's a reason for that. They have a marked tendency to simply go. Our weather is unpredictable, and as the typical weather changes, we have gone from snowstorms to ice storms. They are sure footed enough that they even got my wife to drive in the nasty weather, when at one time a threat of snow got me called out to pick her up. If you don't like one, don't buy one. I'm on my t

        • by stoatwblr ( 2650359 ) on Monday August 08, 2016 @04:10AM (#52663487)

          My experience of jeeps is that they're usually the cars beached or rolled on the side of the road during snowstorms, or stranded at the side of the road on steep hills whilst I drive past in my lightweight french FWD rustbucket with chains fitted.

          People seem to think that 4WD means that the steering or braking works better than other cars.

    • by mysidia ( 191772 )

      Even better, the VIN is easily readable from outside the car.

      So lock your car, put a piece of paper on top of the dash so it covers the VIN completely, paint/tape over VIN number on underside,
      and conceal VIN number in all locations where it's visible without opening the car first.

      Put in LoJack and a car alarm with a long-distance notification and control features.

    • Chrysler/Jeep owners should always make sure their vehicles are locked!

      This sounds like the response of first level support person.

      "Hello, my car was stolen. It looks like they had the key to get in and start the car."

      "I'm so sorry to hear that. In the future, Chrysler recommends that you lock your car."

      "But my car was locked, that's my point! I am not the only one. You guys need to do a recall to fix this security issue. Or reimburse the cost of people's car. "

      "I understand you're upset. But Chrysler/Jeep can not be responsible when owners don't lock up their car."

  • Next year, the thieves will start up the car and drive it by remote and autonomous drive from their laptop. Good thing its a bit trickier to remotely refuel.

    • Tesla already has an auto plug in charger, so your future has arrived already.
    • by Required Snark ( 1702878 ) on Saturday August 06, 2016 @12:33AM (#52654649)
      When IoT fully arrives not only will you loose your car, all the belongings in your house will be up for grabs.

      There will be no way to avoid this by sticking with "real hardware" technology like mechanical locks and keys. In the same way that that all credit cards will be chipped along with all passports, you will ultimately be required to have your house/apartment hooked to the internet to get insurance. This will be justified due to fire sensors that automatically call the fire department. Part of the installation will also unlock all doors and windows to insure that anyone trapped inside will be able to escape.

      It sounds reasonable up to a point, but it's obvious that the police and government are already drooling over the possibility that no one will be able to secure their physical space. It will be justified in terms of "terrorists" and "home invasion", but the real motivation is so they can infiltrate anybody at any time. The lack of constitutional protections for communications will be extended into real life.

      When Orwell wrote 1984 he was being optimistic.

      Black Ops by TMBG [youtube.com]

      Black ops, Black ops

      A holiday for secret cops

      Black ops, Black ops

      Dropping presents from the helicopter

      It's been a long year

      We've been so far from home

      Too many people here

      Here come the drones

      We take the best of it

      And make a mess of it

      Ripping up some lawn

      And then we're gone

      • No one needs you to unlock anything. I've had doors kicked open and windows broken to get in. It just is not that hard to break into a house. In fact, when I suggested to the officer I should beef up the frame of the door so it cannot be kicked in, he laughed, he said they'll just break a window instead.
    • Next year, the thieves will start up the car and drive it by remote and autonomous drive from their laptop.

      Just park it near a white semi trailer - the car will never make it to the thieves.

  • by Streetlight ( 1102081 ) on Friday August 05, 2016 @10:47PM (#52654419) Journal
    I'm not sure locking the car will make any difference. My guess is they can hack into the electronic ignition they can hack into the electronic door locks as well.
    • I'm not sure locking the car will make any difference. My guess is they can hack into the electronic ignition they can hack into the electronic door locks as well.

      I'm still looking forward to the day when I'll be able to pull this prank:

      http://xkcd.com/1559/ [xkcd.com]

      With self driving cars one would not have to hack the ignition or even need a rock. If you can hack the autopilot in these things you don't even have to drive the car to the chop shop or even come close enough to drop a rock in the driver's seat. You just have to hack the car's autopilot from a safe distance, disable the trackers and tell the thing where to go. I'm sure there will be a complete malware packa

      • You mentioned chop shop. I was wondering if the parts of a new Jeep would be saleable soon after stealing unless they work on old Jeeps because new ones shouldn't need new parts. Then again, these are Jeeps. Someone once said that you need two Jeeps: one to drive while the other is in the shop for repairs. Of course the stolen cars could be shipped whole to someplace like Cuba where VINs are not too important.
    • I'm not sure locking the car will make any difference. My guess is they can hack into the electronic ignition they can hack into the electronic door locks as well.

      Sure as heck won't make a bit of difference with my soft top JK Wrangler.

    • by NormalVisual ( 565491 ) on Saturday August 06, 2016 @08:16AM (#52655373)
      My guess is they can hack into the electronic ignition they can hack into the electronic door locks as well.

      And if not, there aren't many cars that a brick won't unlock.
  • Trying to make a getaway driving 15 cars each.

  • Doesn't the fob unlock the door as well? The standard place for a VIN is under the wind shield; hence any car parked in the open could be a target as someone could easily walk by and snap a picture of the vin through the wind shield with their phone while walking by and nobody would think of it as odd. You won't be doing yourself any good to lock your car if that is the case.

    Besides, if they are stealing Wranglers the parts are so easily obtainable that a broken window is trivially easy to replace. Maybe Grand Cherokees are slightly more difficult to obtain quickly but likely not by much.
    • by Solandri ( 704621 ) on Saturday August 06, 2016 @12:22AM (#52654617)
      If you watch the video, the procedure is to:
      • Open the door and get in (either the car is unlocked, or they break in triggering the alarm).
      • Plug the laptop into the OBD port. Command the alarm to turn off (if it was triggered).
      • Reprogram the car to accept a new keyfob.
      • Once that's done, the car recognizes your keyfob as its owner, and allows you to start the car and drive off.

      So the new keyfob can't be paired until after the thief is inside the vehicle.

      There're a lot of ways the manufacturer could've made this harder. But I've been arguing for two decades now that there should be a physical jumper or toggle switch on computers which you should have to flip in order to be able to change files in the system folder/partition. With it flipped to the default state, system files should be read-only (write logfiles somewhere else). That hasn't happened yet and systems are still getting rooted left and right, so I really don't think computer folks have much grounds for criticism.

      • Open the door and get in (either the car is unlocked, or they break in triggering the alarm).
        Plug the laptop into the OBD port. Command the alarm to turn off (if it was triggered).

        Can you get to the onboard bus by popping off a mirror and plugging into its remote-tilt wiring?

        How about cracking in via bugs in the radio stack for the tire pressure sensors?

      • by AmiMoJo ( 196126 )

        There was a similar flaw in BMWs a few years ago. You could break the drivers side corner window, reach in and connect to the OBD-II port without triggering the alarm.

  • Old school. But effective.
  • My 1991 Cadillac DeVille isn't susceptible to this sophisticated hack!

  • Data doesn't ever get 'un-stolen'. That database is out there, maybe for a price, or maybe posted for anyone with access to the right dark website. Basically, this should mean that G.M. should now be recalling their entire fleet to reencrypt all their vehicle's remote locking equipment, unless they can prove that some of their vehicles cannot have been in that database.
  • Reminds me of Ultima Online where locks on your house were useless against thief characters.

  • What I mean is with public/private key pairs the hard part (and why you can't totally be sure on a web site) is getting a valid certificate on your PC in the first place. (Which means it comes with the OS and then there's a chain of certs going back to the original one.) But in this case you'd think they'd just leave a port on the car and the fob, generate a pair of certificates one for the car and one for the fob and then download them over a wire to each one. (Then all the wireless communication could be

You know you've landed gear-up when it takes full power to taxi.

Working...