Thieves using laptops to hack into and steal cars

carlaptop

Say you’re planning to hot-wire a car.

You’d likely bring some tools: maybe a screwdriver, or a drill.

You sure wouldn’t bring your laptop, says Senior Officer James Woods, who’s logged 23 years in the Houston Police Department’s auto antitheft unit. After all, laptops aren’t particularly useful for stripping wire.

But that’s exactly what CCTV footage has picked up in recent car thefts, as the Wall Street Journal reports: a pair of car thieves caught on camera in Houston as they used a laptop to start a 2010 Jeep Wrangler and steal it from the owner’s driveway.

Here’s what Woods told the WSJ:

We don’t know what he is exactly doing with the laptop, but my guess is he is tapping into the car’s computer and marrying it with a key he may already have with him so he can start the car.

As the surveillance footage shows, a man walked up to the Jeep and opened its hood – likely to cut the alarm, Woods said.

Next, the car door was jimmied open. Some 10 minutes into the theft, another man entered the Jeep with a laptop.

After he worked on the laptop for a while, the home security video shows him backing the car out of the driveway.

Roger Morris, Vice President of the National Insurance Crime Bureau (NICB), an insurance-industry group that tracks car thefts across the US, said his organization is beginning to see police reports that tie newer-model auto thefts to what it calls “mystery” electronic devices.

The Houston car thieves “are using dealer tools to marry another key fob to the car,” suggested Titus Melnyk, Fiat Chrysler’s senior manager of security architecture for North America.

For example, somebody with access to a dealer website may have sold information to thieves allowing them to get hold of some sort of “key reset” codes for selected vehicles.

Houston police told the WSJ that this method may have been used in the theft of four other late-model Wranglers and Cherokees in the city.

Expect more of the same, be it this or other techniques, as car technology becomes ever more advanced.

Security researchers have been able to take over cars remotely because automakers don’t always do a good job at limiting how car systems interact with wireless communications.

What’s more, even cars that aren’t internet-enabled can be taken over via third-party devices that introduce connectivity, such as through the diagnostics port.

Remote exploits have included security researchers Chris Valasek and Charlie Miller taking over a 2014 Jeep Cherokee, controlling the car’s brakes, accelerator, steering and more by wireless connection: a demonstration that resulted in more than 1 million Fiat Chrysler vehicles being recalled for patching about a year ago.

We’ve also seen surveillance footage that shows thieves apparently stealing a car by using a signal booster to fool it into thinking its owner was nearby. If the theft had in fact gone the way security researchers had mapped out, the car would have unlocked its door and even started up for the thieves.

And that is why it’s a good idea to stash your wireless key fob behind the pork chops!

Technological advances in car systems have far outstripped the industry’s speed in finding and securing the security holes they usher in.

Last year was the year of hackers taking over newer model cars, sending them careening into ditches.

This is the year that we’re supposed to see automotive cybersecurity issues addressed: at least, that’s what the US’s top auto safety regulator pledged in January.

And according to the WSJ, it is in fact happening, at last: auto industry trade groups are now working on best practices for safely introducing new technologies.

There’s also now a way to share information on cyberthreats and cybercrime prevention technologies: created by the Alliance of Automobile Manufacturers and the Global Automakers Association, it’s called the Auto-Information Sharing and Analysis Center (Auto-ISAC).

And if you want to buttonhole the automaker people who are grappling with cybersecurity in high-tech cars, be aware that a bunch of them will be gathering at the inaugural Global Auto Cybersecurity Summit in Detroit later this month, including Toyota Motor Sales CISO Bently Au and Mary Barra, Chairman and CEO of General Motors Company.