What if it's a software bug?
Most automobiles these days have their wiring harnesses drastically simplified by replacing enormous numbers of point-to-point wires with a digital bus, conforming to one of a small handful of standards. These control everything from the engine to the seat adjustments to the outside rear-view mirror angles, to the door locks.
If you can inject your own packets on such a bus, you can command the car to open the doors and start the engine.
Now it may be possible to inject commands directly by using strong electromagnetic fields near where the bus, or a component on it, is not well shielded.
But there are a number of devices on the bus that are also radio receivers, with control computers which both parse radio inputs and interact with other parts of the car's electronics over this digital bus. If you can compromise them you can get them to inject commands for you.
Of course the key radio-fob receiver is the most obvious target. A protocol stack escape might get you directly into the code that unlocks the door. Another obvious target is a remote accident-assistance/monitoring system, such as OnStar. This is essentially a cellphone that deliberately issues such commands. (One thing they do as a service is open your car doors if you lock your keys inside.)
But there are a number of others where it may be possible to inject malformed packets and exploit a flaw in the radio-side network stack to take over enough control to issue automotive bus commands and achieve the same effect, even if the device wasn't intended to unlock the door. Candidates include:
- Entertainment systems.
- Bluetooth "hands free phone" features.
- GPS navigation systems.
- Tire-pressure monitoring systems.
and I could go on.
You can find such flaws by purely software-driven probes, using stock techniques like "fuzzing" to find a bug that crashes the device, then working up from the known flaw (and perhaps a general knowledge of the processor involved in the component and its typical development environments) into an exploit.
I have seen a proof-of-concept where one of the above HAS been exploited in this way by a security research team.
I have also heard news reports of security-camera recordings of carjackers using a box that causes the passenger side door lock of the victim car to unlock itself. So SOME such exploit is already in the wild.
Any bets on whether Garcia, or the carjackers, got in this way, rather than by electron microscopy?
Any bets on whether, even if they both DID "do it the hard(ware) way", there is, or will be within the year, an exploit that didn't involve either such pricey techniques (or a data leak from a manufacturer)?
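A defender-side illustration, added here and not part of the original comment: body-control messages on a vehicle bus such as the one described above are usually broadcast on a fixed cadence by one ECU, so a frame injected by a compromised receiver typically arrives well outside that cadence. The script below learns each message ID's nominal period from a constructed benign capture and flags out-of-cadence frames; the IDs, payloads and timings are hypothetical placeholders, not any manufacturer's real values.

```python
from collections import defaultdict

# Constructed sample captures: (timestamp_seconds, message_id, payload).
# IDs and payloads are placeholders, not real vehicle bus identifiers.
BASELINE_FRAMES = [                      # assumed benign, used only for learning
    (0.000, 0x1A0, b"\x00"), (0.100, 0x1A0, b"\x00"),
    (0.200, 0x1A0, b"\x00"), (0.300, 0x1A0, b"\x00"),
    (0.000, 0x2B0, b"\x10"), (0.050, 0x2B0, b"\x10"),
    (0.100, 0x2B0, b"\x10"), (0.150, 0x2B0, b"\x10"),
]
SAMPLE_FRAMES = [                        # the capture being monitored
    (0.000, 0x1A0, b"\x00"), (0.100, 0x1A0, b"\x00"),
    (0.200, 0x1A0, b"\x00"), (0.300, 0x1A0, b"\x00"),
    (0.315, 0x1A0, b"\x01"),             # 15 ms after the real frame: injected
    (0.400, 0x1A0, b"\x00"),
    (0.000, 0x2B0, b"\x10"), (0.050, 0x2B0, b"\x10"),
    (0.100, 0x2B0, b"\x10"),             # unrelated periodic ID, untouched
]

def learn_periods(frames, min_samples=3):
    """Median inter-arrival time per message ID, learned from benign traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, mid, _ in sorted(frames):
        if mid in last:
            gaps[mid].append(ts - last[mid])
        last[mid] = ts
    return {mid: sorted(g)[len(g) // 2]
            for mid, g in gaps.items() if len(g) >= min_samples}

def detect_injections(frames, periods, tolerance=0.5):
    """Flag frames arriving sooner than tolerance * nominal period after the
    last accepted frame of the same ID. Flagged frames do not reset the clock,
    so the genuine frame that follows an injection is still accepted."""
    alerts, last = [], {}
    for ts, mid, payload in sorted(frames):
        if mid in periods and mid in last and ts - last[mid] < tolerance * periods[mid]:
            alerts.append((ts, mid, payload))
            continue
        last[mid] = ts
    return alerts

if __name__ == "__main__":
    for ts, mid, payload in detect_injections(SAMPLE_FRAMES, learn_periods(BASELINE_FRAMES)):
        print(f"t={ts:.3f}s id=0x{mid:03X} payload={payload.hex()}: out-of-cadence frame")
```

Timing alone will not catch an attacker who suppresses the legitimate sender or spoofs at the right moment, so in practice this check is combined with payload plausibility rules (for example, no unlock while the vehicle is moving) and sender authentication where the bus supports it.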