Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Crime Security Android IOS Iphone Operating Systems Privacy Software Hardware News Build Technology

'New Way of Stealing Cars': Hacking Them With A Laptop (marketwatch.com) 159

retroworks writes: The Wall Street Journal (Warning: source may be paywalled), CBS and Marketwatch all lead the morning with stories about the newest method of stealing (late model) cars. No need for hacking off the ignition switch and touching the wires to create a spark (controversial during broadcasts in 1970s television crime criticized for "teaching people to steal cars"). Thieves now use the laptop to access the automobile's computer system, and voila. "Police and car insurers say thieves are using laptop computers to hack into late-model cars' electronic ignitions to steal the vehicles, raising alarms about the auto industry's greater use of computer controls. The discovery follows a recent incident in Houston in which a pair of car thieves were caught on camera using a laptop to start a 2010 Jeep Wrangler and steal it from the owner's driveway. Police say the same method may have been used in the theft of four other late-model Wranglers and Cherokees in the city. None of the vehicles have been recovered." The article concludes with the example filmed of a break-in in Houston. The thief, says the NICB's Mr. Morris, likely used the laptop to manipulate the car's computer to recognize a signal sent from an electronic key the thief then used to turn on the ignition. The computer reads the signal and allows the key to turn. "We have no idea how many cars have been broken into using this method," Mr. Morris said. "We think it is minuscule in the overall car thefts but it does show these hackers will do anything to stay one step ahead." No details on modifying the program to run on Android or iPhone -- there's not yet "an app for that."
This discussion has been archived. No new comments can be posted.

'New Way of Stealing Cars': Hacking Them With A Laptop

Comments Filter:
  • Making it easy... (Score:5, Insightful)

    by SirAstral ( 1349985 ) on Wednesday July 06, 2016 @08:10AM (#52455575)

    Mr. Morris said. "We think it is minuscule in the overall car thefts but it does show these hackers will do anything to stay one step ahead."

    Well Mr. Morris... it's not like the auto industry is even making a serious attempt at vehicle security to begin with. It really is not hard to stay "one step ahead"... in fact the industry is really just refusing to step ahead themselves. A toddler will get farther down the road as long as they refuse to move.

    • Well Mr. Morris... it's not like the auto industry is even making a serious attempt at vehicle security to begin with. It really is not hard to stay "one step ahead"... in fact the industry is really just refusing to step ahead themselves. A toddler will get farther down the road as long as they refuse to move.

      If you know anything about the automotive manufacturing you know how much precision goes into making cars safe and reliable. You could even argue that the processes used to manage engineering, purchasing and manufacturing are as tough as the ones used by the plane manufacturers. The difference being that the quality / safety standards are obviously different but the precision in parts management is just as good as highly engineered planes.

      At the moment only a hand full of vehicles have shown weaknesses in r

      • The main difference is the car makers put the effort in to make sure none of the parts are too good and last too long. Precision scheduled wear out.

        • The main difference is the car makers put the effort in to make sure none of the parts are too good and last too long. Precision scheduled wear out.

          You're basically using your perception of the situation instead of looking at the facts. Unfortunately for your argument, the numbers speak otherwise. The reliability and safety of vehicles has increased significantly since the beginning of the automotive industry. The data comes from one of the more reputable sources of data of this kind: Consumer Reports. Here's the last 10 years.
          http://www.consumerreports.org... [consumerreports.org]

          In case you didn't notice here are some major maintenance price reductions brought to you by t

  • Physical access (Score:3, Informative)

    by Anonymous Coward on Wednesday July 06, 2016 @08:11AM (#52455581)

    You can see in the video that the thief triggers the vehicle alarm, and then proceeds to work on it as the alarm is going off. That means that even old-school hot wiring would have worked. Once the thief has access to the car and plenty of time, there's nothing to prevent him from taking the car.

    • Re:Physical access (Score:5, Informative)

      by beelsebob ( 529313 ) on Wednesday July 06, 2016 @09:07AM (#52455865)

      The "old school" of hotwiring where you simply connect the right wires in the cab and spark away does not work on any modern vehicle, no matter how much time you have. In fact, hot wiring at all pretty much doesn't work on those vehicles. The reason is that modern engines don't really work unless they have a computer giving them all kinds of information about fuel flow, air mixtures, valve timing, etc. They just need an ECU working in order for them to work. Getting the ECU to work involves convincing it that there actually is an ignition key present, which is not just a matter of connecting some wires. Hence the need for a more complex hack here (note, that doesn't mean the hack was actually complex, just more complex than connecting some wires). You do actually need to convince the ECU firmware that a key is present.

    • by Aaden42 ( 198257 )

      Old school hot wiring wouldn't get around a computer-enforced starter or ignition inhibitor. That's the bit that's supposed to be super ultra secure on newer cars.

      There's a challenge/response between the ECM in the car and the fob or a chip in the metal key itself. Without successfully completing that authentication, even the real metal key won't start keyed cars, and the Start button does nothing in keyless cars. You can't hot wire your way around that.

      The laptop tricks the ECM in skipping the challenge

      • Old school hot wiring wouldn't get around a computer-enforced starter or ignition inhibitor. That's the bit that's supposed to be super ultra secure on newer cars.

        On the newest cars, it usually is pretty secure. Not always, but usually. On the older cars, it's usually been busted wide open. If someone broke into my A8 (why?) they could just plug a MPPS cable into the OBD-II port, maybe jump one connection in the box under the hood (a bit more hassle) and then simply reflash the immobilizer away. You can also plug a VCDS cable into the same port (or the other OBD-II port... it's got two, and they're both in the legally mandated area in my region) and pull a ROM dump f

    • You can see in the video that the thief triggers the vehicle alarm, and then proceeds to work on it as the alarm is going off. That means that even old-school hot wiring would have worked. Once the thief has access to the car and plenty of time, there's nothing to prevent him from taking the car.

      Once you have access to the vehicle and a tow truck, you can tow the vehicle away to a shop where you can spend however long is required to either reprogram the ECM, or part it out as required.

      Key immobilizers just keep away casual thieves (people looking for a quick getaway car for a crime, or kids looking for a joyride). Forget hotwiring. Some (many?) older pre-immobilizer cars could be stolen with little more than a hammer and a screw driver. Break the lock cylinder, turn it with a screw driver, and away

  • "We think it is minuscule in the overall car thefts but it does show these hackers will do anything to stay one step ahead."

    And as long as you continue to identify this as a "minuscule" problem, it will earn a "minuscule" amount of attention to fix and secure.

    By comparison, assault rifles account for a "minuscule" fraction of lives taken every year, and yet we have lawmakers staging sit-ins and demanding assault weapons bans in order to "make an impact". It's weird how we prioritize problems in society these days.

    • by mysidia ( 191772 )

      By comparison, assault rifles account for a "minuscule" fraction of lives taken every year

      That's the difference between property and the value of a human life. Even a "miniscule" number of lives being taken in violence is considered not acceptable. The number has to be gotten down to Zero, that's their goal, and that is what the public demands.

      Until their demands are met, they are going to ask for more countermeasures and stricter and stricter laws in (possibly vain) effort to get that number down to

      • By comparison, assault rifles account for a "minuscule" fraction of lives taken every year

        That's the difference between property and the value of a human life. Even a "miniscule" number of lives being taken in violence is considered not acceptable. The number has to be gotten down to Zero, that's their goal, and that is what the public demands.

        Until their demands are met, they are going to ask for more countermeasures and stricter and stricter laws in (possibly vain) effort to get that number down to zeor.

        In the meantime, tobacco companies are legally allowed to sell a product that kills hundreds of thousands of humans every year.

        Yeah, tell me again how "they" give a shit about saving lives...

    • by CrimsonAvenger ( 580665 ) on Wednesday July 06, 2016 @08:58AM (#52455815)

      By comparison, assault rifles account for a "minuscule" fraction of lives taken every year

      In the USA, at least, "assault rifles" (selective fire weapons like the M4) aren't even a blip.

      Now, if you're talking "assault weapons" (scary looking semi-automatic rifles), then it's true that they account for a "miniscule" fraction of lives taken every year. And it's also true that stupid lawmakers stage sit-ins, etc....

    • by Holi ( 250190 )
      Since assault rifles are an actual classification of weapon with a select fire switch and automatic capability and are highly regulated to the point it would cost over $10000 to purchase one (as long as you can get an FFL) and assault weapon is a media created term describing a hunting rifle that is shaped like a military weapon, then I would say that the civilian deaths by assault rifles in America are statistically close to 0.
  • If someone is that good at deciphering automotive electronic systems and codes they should be selling software to allow independent shops to do that, as well as rekey keys so people don't have to spend $400 at the dealer for a new key...
    • If someone is that good at deciphering automotive electronic systems and codes they should be selling software to allow independent shops to do that, as well as rekey keys so people don't have to spend $400 at the dealer for a new key...

      Actually, a number of people do create solutions for doing this sort of thing. I don't have access to that set of bookmarks right now, but I bookmarked some of the guys who sell immo code retrieval tools for VWs newer than mine, where it becomes complicated. Some of them work over and over again, and some of them require an internet connection and involve their servers... I wanted the information for a discussion just like this one, but that machine is down until my video card RMA is complete, or thereabout

      • If someone is that good at deciphering automotive electronic systems and codes they should be selling software to allow independent shops to do that, as well as rekey keys so people don't have to spend $400 at the dealer for a new key...

        Actually, a number of people do create solutions for doing this sort of thing. I don't have access to that set of bookmarks right now, but I bookmarked some of the guys who sell immo code retrieval tools for VWs newer than mine, where it becomes complicated. Some of them work over and over again, and some of them require an internet connection and involve their servers... I wanted the information for a discussion just like this one, but that machine is down until my video card RMA is complete, or thereabouts

        You are correct. There are a number of companies that sell there own versions of the manufacturer's diagnostic tools as well, so there is definitely a market. Most of them start around 200$ and go up from there.

        • You are correct. There are a number of companies that sell there own versions of the manufacturer's diagnostic tools as well, so there is definitely a market. Most of them start around 200$ and go up from there.

          Yes, I have the Ross-Tech VAG-KKL cable for older OBD-II VW/Audi products with the dual K line. Without it, or a similar tool, there's no maintaining these vehicles.

  • Will TPP restrict my ability as a vehicle owner to research my car's security systems and possibly prevent someone from wifi-jacking my car?

    As I understand it, TPP makes it illegal for me to futz with the electronic ignition system.
    • No the TPP will lockout 3rd party repairs / DIY oil changes (you can do it but the change oil light will stick on and some cars may enter limp home mode)

  • by pr0nbot ( 313417 ) on Wednesday July 06, 2016 @08:32AM (#52455689)

    How long before a car can be remotely hacked and told to self-drive itself to the chop-shop? By someone in another country?

  • When the owner sets up their vehicle.... have them define a passcode; much like you do for a phone. The vehicle should have sensors to detect unauthorized entry and unauthorized attempts to access diagnostic ports to plug-in a laptop.

    If an unauthorized access attempt is detected when the vehicle is in secure mode, Or the user is ultra-paranoid and pushes a special "Lock" button before turning off their engine..... it should put all the vehicle computers in a "Passcode" lock status which can only be r

    • by swb ( 14022 )

      30 years ago my dad's business had something like this in a few of the company vehicles. It was an electronic keypad where you had to enter a digit code to get the car to start.

      These were older cars (early 80's vintage pickups and two Diesel VW Rabbits) so they didn't have extensive (or any?) computers to lock down subsystems, but nothing electrical would work in the car unless the code was entered.

      I don't know how it was wired up, my guess is some kind of relay in front of the fusebox.

    • by caseih ( 160668 )

      Israeli vehicles are all equipped with a numeric keypad that enables the ignition and fuel systems. You have to enter in the code before starting the vehicle. Otherwise you can crank and crank and it won't ever run. Now I'm sure this is just as hackable as hot-wiring. But passcode systems for ignition do exist in parts of the world and are heavily used. I'm not really sure if they prevent vehicle theft or not, though.

      As for a lock on the diagnostic port, that's a good idea, but a physical key to block acc

      • by mysidia ( 191772 )

        Physical locks can be compromised, so we'll protect them with digital locks

        No..... this is not really the reason cars are getting digital locks. Physical locks can be made more secure too. Take a look at the Abloy disk locks.

        (1) They are nicer for the customers. They look fancy, appealing. They have an appearance of technical sophistication
        (2) The digital locks often provide additional convenience features, for example, opening your door with your keys in your pocket. Automatic openi

  • Motherboard's "How to hack a car" from a couple years ago. https://www.youtube.com/watch?... [youtube.com]
  • Police and car insurers say thieves are using laptop computers to hack into late-model cars' electronic ignitions to steal the vehicles, raising alarms

    If they were raising alarms they wouldn't be getting away with it so much.

  • by lazlo ( 15906 ) on Wednesday July 06, 2016 @09:05AM (#52455845) Homepage

    Yeah they're stealing all these Jeeps, but jokes on them when they think they're in park and get run over by the car they just stole.

  • I want to see you try to hack my '95 Escort Wagon.

    • Youngster. I still drive my 1986 4Runner. And no, I don't want to sell it.

    • Pretty much this.

      I wish my car couldn't be remotely unlocked. But at least you still need the physical key in the physical lock and physically turn it around to start the engine.

    • I want to see you try to hack my '95 Escort Wagon.

      Poser.

      • Naw man, for real. I got the '95 in that Aqua blue/green color. Bought it from the family of a WWII vet who passed away. It's got 43k miles on it. The radio just crapped out though. Drove it from Chicago to Hartford, CT last August, and I'm planning on taking it to Houston in a few weeks.

        • Sometimes it seems like that's the only color they come in! It's the same as mine, in any case - and the only other one I've seen around here is also that color.

  • They started with a vehicle that is often mocked for changing only the very least allowed by the law (the Jeep Wrangler) and then they added all these electronics to it? Yeah, we all knew they were in trouble but this seems like an odd course for them to follow to try to right their own ship.
    • by guruevi ( 827432 )

      Many manufacturers use the same frame which includes electronics support for pretty much all their car models. That way you only make one base model, just put a different chassis over it. Additionally, electronics are much cheaper and easier to repair that running wiring everywhere. I once replaced the wiring in a 1940's VW (you know, the original beetle) - there is a bundle of wires about 2 inches thick going through the chassis for that simple of a car (nothing electronic, just lights, ignition etc). Imag

  • It's good to know that general purpose computers are good for something, and that there's something new beyond appy smartphone appy app apps.
  • by Opportunist ( 166417 ) on Wednesday July 06, 2016 @10:02AM (#52456209)

    At first, there was CAN bus. Those that know it know well that this bus know that "security" was not even an afterthought in its design. It came into existence when "board computers" were something that was carefully hidden from the car's user. Chips that controlled injection, traction, braking behaviour that needed no input from the driver. And of course security was a non-issue back then. Because, hey, anyone who could get access to those areas, hidden deeply within the car's heart and soul, could much easier fuck it up or steal it. Seriously, getting access to those early "board computer" parts meant you literally ripped the whole car apart just to gain a GLIMPSE at it.

    Time went on and that "board computer" stuff got more and more pervasive. First with displays that were disconnected from the physical things they displayed, with speedometers that didn't just passively count revolutions on a wheel but a LCD that got the speed information from various sensors, same for the RPM gauge of your engine and various other tidbits, and it didn't take long until buttons on your steering wheel were added that let you control radio, air condition and mirrors.

    Still not a security issue, because so far you could not affect the car from the outside. You still had to gain access to the inside of the car first before you could mess with it electronically.

    Now, though, security IS an issue because the car accepts input from the outside. And that will become an even greater headache than we know now. The buses are in most implementations not separated between "mission critical" and "user leisure", or if, at a logical level only. Meaning that yes, that bus that takes your steering-wheel-button input and even handles your bluetooth is physically the same that deals with your ABS, your injection and your traction control.

    I guess I'm not the only one who thinks that this MIGHT become an issue, given time. Especially considering that security that can't be tested in a crash test has not been any kind of issue with car manufacturers so far, not at all.

  • Should be filed under the category "DUH!"

  • by PPH ( 736903 ) on Wednesday July 06, 2016 @10:13AM (#52456281)

    ... you see under my dash isn't really the maintenance port. The real one was unscrewed and stuffed up into the wiring harness. The one you are plugging your laptop into is a modified USB killer [independent.co.uk].

  • Fine we will lock them down and lock in dealer only repairs and maintenance

  • Three of my buddies had Dodge Lasers in the 90's. Two of them could open each others locks and start the car with their own keys. It also worked on other peopel Dodge Lasers. Dodge trucks and cars were easy to steal. Pup the night glow ring, punch the tumbler as a certain spot to pop it out and use the same screwdrive to turn the ignition on. Took about a minute.

    • by dargaud ( 518470 )
      I had a VW golf in the late 80s. Once in a parking lot I unlocked it, sat in, started it and went... he, this is not my car !

You know you've landed gear-up when it takes full power to taxi.

Working...