
Using Laptops to Steal Cars 455

Ant writes "Thieves are using laptops/notebooks to steal the most expensive luxury cars. Many of these cars have completely keyless ignitions and door locks, meaning it can all be done wirelessly. Thieves often follow a car until it gets left in a quiet area, and they can steal it in about 20 minutes..."
This discussion has been archived. No new comments can be posted.

  • Related video (Score:4, Informative)

    by Crussy ( 954015 ) on Wednesday May 03, 2006 @04:30PM (#15256905)
    I saw a video [media.ccc.de] from a conference in Germany that has to do with infrared hacking. It's quite interesting if you have the time to watch it.
  • text of article (Score:5, Informative)

    by Anonymous Coward on Wednesday May 03, 2006 @04:33PM (#15256939)
    Text of article:

    High-tech thieves are becoming increasingly savvy when it comes to stealing automobiles equipped with keyless entry and ignition systems. While many computer-based security systems on automobiles require some type of key -- mechanical or otherwise -- to start the engine, so-called 'keyless' setups require only the presence of a key fob to start the engine.

    The expert gang suspected of stealing two of David Beckham's BMW X5 SUVs in the last six months did so by using software programs on a laptop to wirelessly break into the car's computer, open the doors, and start the engine.

    "It's difficult to steal cars with complex security, but not impossible. There are weaknesses in any system," Tim Hart of the Auto Locksmith Association told the U.K.'s Auto Express magazine. "At key steps the car's software can halt progress for up to 20 minutes as part of its in-built protection," said Hart.

    Because the decryption process can take a while -- up to 20 minutes, according to Hart -- the thieves usually wait to find the car in a secluded area where it will be left for a long period. That is believed to be what happened to Mr. Beckham -- the crooks followed him to the mall where he was to have lunch, and went to work on his X5 after it was parked.

    While automakers and locksmiths are supposed to be the only groups that know where and how security information is stored in a car, the information eventually falls into the wrong hands.

    According to the Prague Post, leaving such information on a laptop is what got Radko Souek caught for stealing several cars. "You could delete all the data from your laptop, but that's not good for you because the more data you have, the bigger your possibilities," he says. He says any car that relies on software to provide security can be circumvented by other software. "Every car has its weak spot," he says. Souek faces up to 12 years in prison.

    The Leftlane Perspective: Many modern cars now rely on software entirely for security. Gone are the days where microchips supplemented mechanical locks as an additional security measure. In the case of true 'keyless' systems, software is the only thing between a thief and your car. As computers become more powerful, will stealing cars become even easier? Never mind future cars with better security -- what about today's cars a few years down the road? With cars as inexpensive as the Toyota Camry offering entirely keyless systems, these concerns are relevant to all consumers.

    Posted anonymously to avoid karma whoring.
  • by mikeisme77 ( 938209 ) on Wednesday May 03, 2006 @04:35PM (#15256955) Homepage Journal
    The keyless feature of the Prius was one of the main reasons I was considering it over the hybrid Honda models, but after considering the higher price of the Prius and reading about the insecurity of RFID I decided against it. Now I'm even more sure I made the right decision.
  • Re:Related video (Score:3, Informative)

    by antifoidulus ( 807088 ) on Wednesday May 03, 2006 @04:35PM (#15256961) Homepage Journal
    Just a heads up to anyone planning to download the video, it is a hefty 330 megs.
  • Re:Far too long. (Score:5, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday May 03, 2006 @04:41PM (#15257016) Homepage Journal

    Even in your average American "luxury" car, multiple attempts to start the car without the appropriate key will disable the ECU. Furthermore, in most systems, if certain items are damaged, the ECU actually has to go back to the manufacturer for reprogramming because it's part of the anti-theft system. See, there's a communications module with an antenna near the ignition switch, and it has a unique ID. You need the factory scan tool to assign a new radio module to the ECU. (I'm forgetting some details, there's more to it than this, but I figure I can look it up in the shop manual if I ever need to work on a car like that. Einstein said to never memorize what you can look up.)

    The point is that unless you have the proper equipment to unlock, the car can lock itself to the point where it can not be driven. See, modern cars have variable valve timing, coil-on-plug ignition, and a whole bunch of other stuff that simply will not work without the cooperation of the computer. And, you can't just change the computer, because the radio module is locked to an ECU as well. You'd have to swap both the ECU and the module. The module is buried in where the ignition switch is and replacement requires partial dashboard or column disassembly. The ECU is sometimes under the hood, but that's very rare; typically it's behind the kick panel on the right side.

    I'm sure you were going for humor (that was a joke, right? right?) but there are people asking these questions more seriously and you were most highly moderated. :)

  • Re:and then what? (Score:3, Informative)

    by deacon ( 40533 ) on Wednesday May 03, 2006 @04:41PM (#15257022) Journal
    These high end luxury cars are exported overseas to markets (North Africa for example) where the origin of the car is easily hidden, and the new owners might not even care.

    Crash parts are taken from cars that are very popular, like Toyota Camry, where there is a big demand due to the huge number of cars on the road.

    An original Toyota front fender is about $260. Add headlights, front bumper cover, hood, grill, and a stolen Camry is worth almost 2 K in just front end parts.

  • Tow truck? (Score:3, Informative)

    by Anonymous Coward on Wednesday May 03, 2006 @04:45PM (#15257057)
    Why go through the hassle? It's WAY easier to back up to a car with a flatbed or wheel lifts to steal a car. You can lift the drive wheels and be gone in 30 seconds or less. You can then override the rest of the system at your leisure.
  • Re:Far too long. (Score:3, Informative)

    by dgatwood ( 11270 ) on Wednesday May 03, 2006 @04:52PM (#15257117) Homepage Journal
    Problem is that this is relatively weak. Most car alarms automatically shut off if the car gets tilted to a certain angle to avoid alarms while being towed. All you have to do to steal a car, then, is to buy a tow truck and tow it to a private garage, wherein you have sufficient privacy and time to replace those modules....

    Seriously, if you're talking about the folks who are most likely to steal luxury cars, nothing short of a LoJack-like device makes sense. All you can really hope to do is deter casual thieves.

  • by Anonymous Coward on Wednesday May 03, 2006 @04:56PM (#15257164)
    This is detailed in the latest Popular Science. Just get one of those prepaid GPS cellphones. You can track the phone online, at about $9 a month. If I find the article I'll link to it, but check the May 2006 issue of PopSci.
  • Re:and then what? (Score:5, Informative)

    by sunwukong ( 412560 ) on Wednesday May 03, 2006 @05:02PM (#15257240)
    Also keep in mind that the parts market is where dealers and shops make a lot of money -- the margins are huge.

    A consumer group once calculated that rebuilding a $30K Honda from "genuine" parts would have a material cost of over $90K!
  • by ihistand ( 170799 ) on Wednesday May 03, 2006 @05:12PM (#15257348)
    I never understood, why bother trying to start the cars at all when you're stealing them for parts? Isn't it a lot easier and quicker to just hook up a tow truck and off you go, 20 mins later it's a pile of parts anyway. Seems like a waste of time and effort to start it.

    I can see if you're a teen going for a joyride, but not a "pro".
  • Re:Far too long. (Score:3, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday May 03, 2006 @05:24PM (#15257457) Homepage Journal

    It doesn't require specialized scan tools to talk to the PCM/ECU. It requires some very inexpensive hardware, coupled with properly written software.

    Since it cannot be done through ordinary OBD-II codes, and can even require the use of nonstandard pins (since OBD-II doesn't regulate most of the pins on the connector) this is not necessarily true. You don't need anything special to pull and clear codes but you often do need something special to, say, reprogram the PCM.

    Why? Because the dealer obviously has a way to reset the system and program it for new keys, and there are only two things preventing a thief from doing the same thing: lack of information and the inability to do it surreptitiously.

    At least in the case of the system GM was using in the late nineties, the dealer did NOT have a way to reset the system under many conditions, and the PCM had to be sent back to GM.

  • by SuperBanana ( 662181 ) on Wednesday May 03, 2006 @05:46PM (#15257647)
    The point is that unless you have the proper equipment to unlock, the car can lock itself to the point where it can not be driven.

    And I can implement a system that locks out ssh from any IP address that tries more than 3 wrong passwords. That won't stop someone from exploiting a vulnerability in Apache or PHP, and rooting the box. It also won't stop someone from trying passwords from the console, if I didn't set that up as well...

    If you had bothered to read the article- the whole point is that thieves are exploiting weaknesses in the systems and doing so successfully. Some early systems were hilariously bad; GM's first attempt involved a resistor at the base of the key, and the ECU would simply check if the resistance was correct.

    You remind me of the Iraqi Ambassador, with buildings getting shelled behind him, declaring that the Americans are being repelled and have not entered Baghdad. Cars are being stolen right now, despite all the lockouts and "rules" car manufacturers have imposed.

    See, modern cars have variable valve timing, coil-on-plug ignition, and a whole bunch of other stuff that simply will not work without the cooperation of the computer.

    Variable Valve timing and coil-on-plug ignition do not make a car harder to steal; you still need fuel and a spark, and if the ECU won't allow the car to start, it won't allow the car to start; a 2007 A6 with direct-injection, Variable Valve Timing, Variable Intake Geometry, Coil-on-Plug ignition, etc is no harder to "force" to start than my '91 Audi with none of the above; both ECUs will simply not allow fuel or spark. Plus all of these components are 'stupid'; they're just valves and whatnot. It is not cost-effective to make each coil-pack module demand authentication from the ECU. The manufacturer's job is to make it difficult to steal a car; the rest is society's job (ie low motivation to steal, public awareness ie people notice someone doing something they shouldn't, and last but not least, government- ie police, courts, jail, legislation.)

    Furthermore, dealerships use computerized scan tools to communicate with the various modules in the cars. When the owner uses the wrong key 6 times in a row to try and unlock his shiny new Mercedes- they don't package the car up, slap a UPS label on it, and send it back to Germany...nor do they do that with any of the computer modules like you implied; it honestly sounds like you had no idea what you were talking about and confusing RADIO lockouts (where MANY radios WOULD permanently lock themselves if too many incorrect keycodes were entered, and had to be sent to "repair" centers.) The dealer tech plugs in a computer, possibly calls a hotline and validates himself to get a code based off the vehicle VIN number or a code the ECU spits out, aka challenge/response - and then unlocks the security system. VW uses a particular system that is almost completely emulated by software packages like VAG-COM and ProDiag, and both can be used to re-associate a dashboard and ECU without any dealer involvement.

    Anti-theft is about theft deterrent; as we network people say, "you can't stop a big enough hammer." There are now towing/recovery companies using tow-trucks that have a crane, reach over the car, the tow truck operator slips arms under each wheel, and then the crane picks the car directly up and plops it on the back of the tow truck. You can do almost the same thing with a regular flatbed tow truck and a set of wheel dollies (designed for moving cars that can't be started, have been crashed, etc.)
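
Added illustration, not part of the original thread or any manufacturer's code: the comment above contrasts a key check that compares one fixed value with a challenge/response unlock backed by an attempt lockout. The class names, the HMAC-SHA256 construction, the sample value and key, and the 3-failure limit are all assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold

class StaticVerifier:
    """Accepts the same fixed value every time, like a fixed resistance in a key."""
    def __init__(self, expected):
        self._expected = expected
    def verify(self, presented):
        return presented == self._expected

class ChallengeResponseVerifier:
    """Issues a fresh random challenge; expects HMAC-SHA256(key, challenge) back."""
    def __init__(self, key):
        self._key, self._pending, self.failures = key, None, 0
    @property
    def locked(self):
        return self.failures >= MAX_FAILURES
    def challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending
    def verify(self, response):
        if self.locked or self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # each challenge is single-use
        ok = hmac.compare_digest(expected, response)
        self.failures = 0 if ok else self.failures + 1
        return ok

def token_response(key, challenge):
    """What the legitimate key or dealer tool computes from the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def replay_outcomes():
    """Return (static_replay_ok, fresh_response_ok, cr_replay_ok, locked_after_bad_tries)."""
    static = StaticVerifier(expected=4700)   # constructed sample value
    static_replay = static.verify(4700)      # a value observed once works forever
    key = b"constructed-demo-key"            # constructed sample key
    cr = ChallengeResponseVerifier(key)
    recorded = token_response(key, cr.challenge())
    fresh = cr.verify(recorded)              # fresh response: accepted
    cr.challenge()
    cr_replay = cr.verify(recorded)          # old response to a new challenge: rejected
    for _ in range(2):                       # two more bad answers reach the limit
        cr.challenge()
        cr.verify(b"\x00" * 32)
    return static_replay, fresh, cr_replay, cr.locked
```

The lockout only limits guessing through this one interface; as the comment says, it does nothing about weaknesses elsewhere in the system.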

  • Re:Far too long. (Score:3, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday May 03, 2006 @05:55PM (#15257739) Homepage Journal

    Since it cannot be done through ordinary OBD-II codes, and can even require the use of nonstandard pins (since OBD-II doesn't regulate most of the pins on the connector) this is not necessarily true. You don't need anything special to pull and clear codes but you often do need something special to, say, reprogram the PCM.

    Either way, it's still security through obscurity. If a dealer can do it, then all it takes is one person getting their hands on the device, noticing the extra pull-down resistor between pin 13 and ground or whatever, and spreading the word.

    First of all, the dealer typically can't do it. It usually requires the unit to be sent back to the manufacturer, to avoid just this kind of problem.

    Second of all, these vehicles sometimes have two completely separate data interfaces. For instance, they may have the ISO OBD-II interface for pulling powertrain codes and doing all the usual stuff you can do with the scan tool like snapshots and the like, and an entirely separate communications interface on some of the non-specified pins for reprogramming the ECU. I've heard of at least one vehicle handled in this way.

    At least in the case of the system GM was using in the late nineties, the dealer did NOT have a way to reset the system under many conditions, and the PCM had to be sent back to GM.

    That does limit the availability of the technology to crack the system, but it's still security through obscurity. At worst, it probably requires an EPROM programmer or a JTAG debugger plugged into a connector on the PCM's main board. They're not going to design one that burns out hardware or something silly, as that would end up costing them money in the long run.

    Sure, but in any case, even replacing the PCM in the course of auto theft usually involves too much of an investment in time, not to mention that to remove the kick panel, you usually have to open the door, and frequently have to remove the trim piece on the jamb. All that makes you far more noticeable.

    As has been pointed out, a tow truck bypasses all of this crap, but if you can park someplace a tow truck can't get you, then you're really in pretty good shape. And, I do agree that a lojack is probably more effective than everything nonlethal that you can do put together.

  • Re:Far too long. (Score:1, Informative)

    by Anonymous Coward on Thursday May 04, 2006 @04:21AM (#15260617)
    Which is why the proper way to steal a modern luxury car is to wait till the owner returns, and then ask nicely for his keys at gunpoint.
