Auto theft in the age of cybersecurity
Easy-to-use electronic hacking tools available over the internet make vehicle theft easier
In the days of “American Graffiti,” thieves could steal a car by using a Slim Jim to open the door, then touching the ignition wires together. With the move to electronic key fobs and computers, theft dropped dramatically. But the thieves have caught up – and with keyless ignitions it’s a simple matter for a tech-savvy thief to block the door lock signal or hack a vehicle's key fob.
This new technology is dangerous for a couple of reasons: drivers who believe that modern cars are more secure may become complacent, and with easy-to-use electronic hacking tools available over the internet for a few dollars, less “talent” is needed to steal a vehicle. In fact, your own agency’s vehicles could be at risk while the driver is picking up dinner.
In a recent case, two car thieves used a tablet to capture the passive signal from a Tesla owner’s key fob and then used the data to open the vehicle.
What does this mean for officers? It means that vehicle knowledge alone is no longer sufficient; investigators also need cybersecurity skills and training. “Gone in 60 seconds” changes to gone in 30 seconds – or less.
To meet this emerging threat to motor vehicle security, the National Highway Transportation and Safety Administration (NHTSA) is collaborating with other government agencies, vehicle manufacturers, suppliers and the public to further industry’s efforts in addressing vehicle cybersecurity challenges.
The objective of this strategy is to promote the impact of the various safety applications employed in current vehicles, as well as those envisioned for future vehicles that may feature more advanced forms of automation and connectivity.
Let’s start with the basics.
There are dozens of attack methods, many of which are introduced at the yearly Black Hat and Defcon hacking conferences. I will cover a couple of the many hacks here so that detectives have a starting point for their investigation when a car goes missing.
Want more information on any of these? Reach out to your local FBI Regional Computer Forensics Lab (RCFL) if you have an active case.
1. Signal amplification relay attack (SARA)
This is one of the simplest attacks because all it does is take the signal from the car and send it to the key fob, and then echo the key fob’s response to the car. This can be compared to a radio repeater system. In its simplest form, when you press the transmit button on your handheld, it sends a low-power signal to a repeater on a mountain top using a radio frequency (channel). The repeater then amplifies the signal and sends it back out on a different frequency so that it is received by all of the other radios on the system.
SARA works in a very similar manner. It uses two devices, one of which is placed near the car, and another which is placed near the key fob. To use it, a pair of criminals first watch someone get out of a targeted car. One criminal stands next to the car and the other follows the victim, up to 1,000 feet away.
As soon as the device near the car is activated, it amplifies and sends the signal from the car to the second device, which sends the signal to the key fob. The key fob answers, its response is sent back to the first device, and the door unlocks. Once the box is inside the car, the keyless ignition is started. After picking up the partner, the car is driven away.
The reason that this is so simple is that the signal doesn’t need to be decoded or altered in any way; it is just repeated from one device to another. Like some of the other hacks in this article, this one can be defeated if the owner wraps the key fob in foil or puts it into a radio-blocking pouch when it is not in use.
Why doesn’t the car stop when the key is no longer detected? This is done for safety reasons. Imagine if the car stopped whenever the key fob wasn't detected. Now imagine driving on the highway and the key fob battery dies.
2. The universal remote
As with most automatic garage doors, every time the remote is used, a new “rolling code” is generated, so that a criminal cannot just record and play back the radio signal. This is like changing your password every time you log in to your bank account online. But there is one loophole: the code must be received by the vehicle’s computer or it will not be added to the list of spent codes. This hack only works on cars (and garage doors) where the owner needs to press a key to unlock the car. It also cannot start a car unless it has remote start capability.
In this hack, the criminal places a small device somewhere on or near the car, say at the owner’s driveway. Every time the owner’s remote is triggered, the device jams the signal and records it. Since the unlock fails, the owner needs to try one more time. This time, the device records the second code and sends the first code to the car. If necessary, more than one code can be blocked and recorded.
Once the driver leaves the area, the stored code can be used to unlock the car, and if the car has remote start capability, a second stored code can be used to start it.
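The rolling-code loophole described above, modeled as a simplified receiver (an added example, not code from this article or from any manufacturer). The HMAC construction, the key, the timestamps and the `max_age` expiry check are assumptions chosen for illustration; the model shows why a code the car never received stays valid and how an age limit on codes would reject it.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; real fobs use vendor-specific schemes

def fob_code(counter: int, sent_at: int) -> bytes:
    """Code the fob transmits: counter + send time, authenticated with an HMAC tag."""
    body = counter.to_bytes(4, "big") + sent_at.to_bytes(4, "big")
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:8]

class Receiver:
    """Simplified model: accept any authentic code newer than the last one heard."""

    def __init__(self, max_age=None):
        self.last_counter = 0
        self.max_age = max_age  # seconds; None models a receiver with no expiry

    def accept(self, code: bytes, now: int) -> bool:
        body, tag = code[:8], code[8:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # not produced by the paired fob
        counter = int.from_bytes(body[:4], "big")
        sent_at = int.from_bytes(body[4:], "big")
        if counter <= self.last_counter:
            return False  # spent: this code or a later one was already received
        if self.max_age is not None and now - sent_at > self.max_age:
            return False  # assumed hardening: stale code rejected even if unspent
        self.last_counter = counter
        return True

def run_scenario(max_age=None) -> dict:
    """Run the article's sequence against the model (all times are constructed)."""
    car = Receiver(max_age)
    first, second = fob_code(1, sent_at=100), fob_code(2, sent_at=105)
    out = {}
    # Neither press reaches the car directly; only the first code is delivered.
    out["first_delivered"] = car.accept(first, now=106)
    out["first_replayed"] = car.accept(first, now=107)    # already spent
    out["second_held_1h"] = car.accept(second, now=3705)  # never received by car
    out["second_again"] = car.accept(second, now=3706)
    return out

if __name__ == "__main__":
    print("no expiry:  ", run_scenario())
    print("10 s expiry:", run_scenario(max_age=10))
```

In the model without expiry, the unreceived code is rejected only after the receiver has accepted a later code from the fob.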
3. Signal jamming
In this hack, covered in a Police1 article, the device jams the lock signal. The driver walks away from the car thinking that it is locked, when it is not. Since more people are listening for the beep when they press the remote, I am sure a device like this could be modified to make the appropriate “beep” sound that the owner expects to hear when locking the doors. While it is harder to steal a car using this method, it does disable the alarm and makes the contents vulnerable.
How to mitigate pursuit dangers
While hacking vehicle electronics is evil, there is a silver lining. Imagine a secure way for cops to mitigate the dangers of pursuits by slowing down the suspect’s vehicle.
This technology already exists in GM OnStar’s Stolen Vehicle Slowdown system.
OnStar worked closely with law enforcement in the U.S. and Canada to develop and modify their Stolen Vehicle Slowdown to ensure best practices would be followed.
OnStar’s Stolen Vehicle Slowdown is one of three tools OnStar offers subscribers. A Remote Ignition Block makes it impossible to start a stolen vehicle once turned off. And a GPS location can be provided to authorities once a vehicle is confirmed stolen.
A signal to an OnStar-equipped stolen vehicle can stop a car thief in the act, gradually and safely slowing the vehicle to avoid a high-speed pursuit.
The lack of vehicle cybersecurity can make cars easier to steal using tools that aren’t obvious to law enforcement. You know what a Slim Jim looks like, but cyber hacking hardware can look as innocent as a smartphone.
Officers need to know what these new tools look like; investigators need to understand how they work; and police leaders need to evaluate how to protect their own agency’s vehicles from cybertheft.