Car thieves use mystery device to break into vehicles
Car thieves use ‘mystery device’ to break into vehicles
PEMBROKE PARK, Fla. – A car manufacturer recalled more than a million cars following security concerns about car hacking, as the National Insurance Crime Bureau issued an alert about a “mystery device” being used to break into vehicles by defeating the electronic locking system of later-model cars.
So-called connected car “convenience technology” could put consumers at risk.
“Right now, what has happened is the digital key fob has become a way for someone to steal your car,” NICB investigator James “Herb” Price said.
NICB has crooks caught on camera using a device to lock and unlock cars. In one clip, thieves are caught on surveillance movie stealing a laptop and custom-made bike.
“With this device (they) walk by a car, look in it, to see if it is one of the cars you can begin with a thrust button on the dash. The nickname for this device is a digital repeater,” Price said. “What it is doing is it is picking up the signal, it is picking up the signal of this key fob, and they get by your car and it repeats the code back to the car, which permits them to inject the car and embark the car and drive off with the car, and you will never know it happened.”
“The only way to defeat that is, if you have a key fob and a car of that nature, get a copper bag, a faraday box. By sealing it up, it blocks any transmission outside that bag so nobody can read that code,” Price said.
Security researchers Charlie Miller and Chris Valasek made a splash in a Wired article by senior writer Andy Greenberg when they demonstrated that a Jeep Cherokee could be remotely hacked, stopping it in its tracks and attacking the system from miles away.
In response, Fiat Chrysler announced it would be recalling 1.Four million cars and suggesting drivers a software update to prevent hackers from infiltrating cars via the internet connection.
In a FCA blog post, Gualberto Ranieri writes, “To FCA’s skill, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle.
After becoming aware of the vulnerabilities in some two thousand thirteen and two thousand fourteen vehicles tooled with the 8.Four inch touchscreen systems, FCA US and several suppliers worked to fix the vulnerabilities in model year two thousand fifteen vehicles. FCA also created a software update that eliminates the vulnerabilities uncovered by Miller and Valasek in their laboratory tests. This software update is available to customers right now and can be downloaded to a USB drive from www.driveuconnect.com and installed in a vehicle.”
“They had been in contact with Chrysler for months,” an elite white hat hacker Samy Kamkar said via Skype with Local ten News Consumer Advocate Christina Vazquez. “It was only resolved within two or three days since it hit the press.”
Kamkar lead a presentation about car hacking at last month’s Defcon hacker conference in Las Vegas.
Entitled: “Drive it Like You Hacked It: Fresh Attacks and Instruments to Wirelessly Steal Cars,” Kamkar exposed fresh research and real attacks in the area of wirelessly managed gates, garages and cars.
“Many cars are now managed from mobile devices over GSM, while even more can be unlocked and ignitions embarked from wireless keyfobs over RF. All of these are subject to attack with low-cost instruments (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel fucktoy),” he said.
At the conference, Kamkar unveiled his $32 device called a “RollJam,” which defeats the rolling codes security feature in keyless entry systems.
“We are racing to get technology out without understanding the security implications very first,” Kamkar said. “It’s only when you can get a broad audience, public pressure that I think switch happens.”
Kamkar is a security researcher, best known for creating The MySpace Worm, one of the fastest spreading viruses of all time.
Kamkar’s Twitter account description reads, “think bad, do good.” The security researcher tells Local ten News that by deliberately exposing security weaknesses he hopes his research will help you, the consumer, by forcing companies to make fixes to security slots before they become a crime trend.
“We can’t fully trust that these companies have a good lock on security yet, so that’s where I, and hopefully other researchers, come in,” he said.
Local ten News checked with several South Florida law enforcement agencies in advance of the publication of this story, but all said they didn’t have any active cases involving digital car thieves.
Al Berman, president of Disaster Recovery Institute (DRI) International said he believes it is possible that “we have created awareness for the auto industry.”
Berman has more than twenty five years’ worth of cybersecurity practice.
In his opinion, the fatter security threat of the “connected car” is Wi-Fi, “which makes it much lighter to hack into the system. If you buy one, I think you have to a lot more vigilance then if you bought one without it because it now permits you to have access to your cell phone which is connected to it, and therefore you could actually be hacked while sitting in your own car.”
Berman thinks anti-virus software for mobile devices will become a preventative step.
Hacking, said Berman, has become big business; an industry of crooks navigating cyber security vulnerabilities. You can hear more about what he had to say about car hacking and what you can do if you have been hacked at this clip:
In July, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced fresh legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to protect drivers from these sorts of pending cyber security risks. They would like to see a “Cyber Dashboard” rating system in place.
• 2013-2015 MY Dodge Viper specialty vehicles
• 2013-2015 Ram 1500, two thousand five hundred and three thousand five hundred pickups
• 2013-2015 Ram 3500, 4500, five thousand five hundred Chassis Cabs
• 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
• 2014-2015 Dodge Durango SUVs
• two thousand fifteen MY Chrysler 200, Chrysler three hundred and Dodge Charger sedans
• two thousand fifteen Dodge Challenger sports coupes
• Customers that own vehicles involved in the recall will receive a USB drive in the mail with the software update preloaded on the device.
• Customers can come in a vehicle identification number (VIN) and find out if their vehicle needs the software update. If the vehicle needs the update, owners can download the software update to a USB drive and install themselves.
• If owners do not wish to install themselves, they can visit their local CDJR dealer to have a dealer technician install the software.
Copyright two thousand fifteen by Local10.com. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.