
Thieves Are Using Bluetooth to Target Vehicle Break-Ins - cowsandmilk
https://www.outsideonline.com/2406433/thieves-bluetooth-scanner-vehicle-break-in
======
gxon
This seems like a trivial problem for law enforcement to honeypot. You
wouldn't even need to actively monitor. Just get an alert when the devices
start moving and dispatch officers to track them down.

If thieves start getting clever and putting the stolen goods in a Faraday
cage, then add a camera to monitor and capture faces/plates. Hell, add hidden
cameras to all major trailheads and don't even bother with the honeypot.

Obviously, there's funding and expertise issues with a solution like this. But
is it really that significant or just law enforcement complacency?

~~~
mikefallen
Yeah cuz what we need is more cameras installed by the gov invading our
privacy. You think they should implement facial recognition on them too? Don't
leave values in your car easy as that ....

~~~
hermitdev
I had security cameras installed at my home last week. We already had a
security system. I dont like having the cameraa, but the final straw was when
someone tried to break into my home while I was at work and my wife was home
the Friday before Thanksgiving in the US. With no cameras, had nothing to give
the police.

Id like to get a 12 gauge shotgun and teach my wife to use it, but she's gun
shy. (I am licensed by the state, but dont own any firearms). There is
something about the aound of a 12 gauge round being chambered that puts the
fear of God in everyone (and I'm an atheist).

~~~
gambiting
>>Id like to get a 12 gauge shotgun and teach my wife to use it, but she's gun
shy.

That sounds like a great way to get your wife shot to be honest. Either by
criminals or by police coming to "help" you. You might as well advise people
to carry a knife to avoid a mugging.

~~~
bobbyd3
Not necessarily. Assuming his wife was comfortable learning more about how to
safely handle a firearm it _could_ be a great asset for protecting their
household...

------
gruez
>So what can you do to keep your stuff safe? Putting a device in airplane mode
or entirely powering it off will both work [...] For additional protection,
you can place those devices in a Faraday fabric sleeve

...or you know, turn off bluetooth.

~~~
tclancy
Right, but that's the asymmetry of theft: all I have to do is mess up one
time. It's the unfairness in Full Metal Jacket when Private Pyle is told if it
wasn't for people like him (who forget to lock stuff) there would be no theft
in the world.

~~~
georgeplusplus
You can disable Bluetooth by default and enable it only when used.

~~~
lsofzz
> You can disable Bluetooth by default and enable it only when used.

You are _missing_ the point.

Ever heard of secure by default?

~~~
lsofzz
Expanding on it further, what I mean is that our BT stack should be built from
ground up with security in mind. We cannot fight every attack surface but we
probably can get to all the low hanging ones that the crims can exploit.

One day in some utopia probably.

I as a user of BT stack do not have to worry about whether it is switched on
or off. This is what I mean by _secure by default_.

Downvoter - thank you. I took time to explain what I mean this time :)

------
bdamm
Fearmongering; this is a legal issue, not a technical one. Does anyone really
think they're going to save themselves from thieves by turning off bluetooth?
I hope nobody is that naive. This kind of thing also popped up when people
realized that thieves could scan and replay early remote commands to unlock
cars (and still can for some models!) Was the answer to not use car remotes?
Maybe, but for most of us the answer was to make sure your car insurance is up
to date and covers theft.

Having a car without dents or scratches is attractive. Having visible chargers
in your car is attractive. What thieves will find attractive will change over
time.

Get insurance, do the basic stuff you can to avoid having valuables in your
car or advertising yourself as a mark, and don't worry about the rest. When
the inevitable happens let your friends take you out for a drink and move on.

~~~
endorphone
"this is a legal issue, not a technical one"

What does this even mean? If you get stabbed while withdrawing money from the
skid row ATM at 2am, are your final words _" This is a legal issue, not a
ғɪɴᴀɴᴄɪᴀʟ ᴏɴᴇ"?_

Yes, people aren't supposed to break into your car, and they're bad, bad
people if they do. For the sorts of people that do there is clearly a
cost/benefit analysis, where the cost is the risk. Smashing into a dozen cars
just hoping to find something valuable is quite a degree removed from knowing
that certain vehicles have valuables, and even what those valuables are.

And saying "get insurance" is weak sauce. Yeah, most of us have insurance. All
of us, I suspect, never want the hassle and annoyance of claiming on it, or
dealing with the BS involved with having one's car broken into.

~~~
greggman2
This is one of those crimes I'm curious why the police in certain areas don't
do more to stop. SF is the worst place I've been for this. You can literally
walk down Folsom street or around Dolores Park and see that every 2nd or 3rd
car window was smashed the night before. Leave anything showing and your car
_will_ be broken into. It's so common it's hard not to notice the glass
everywhere from previously broken windows. Given it's so common it seems like
the police could just put a few honey pot cars out and the problem would be
solved but they don't care to solve it.

LA is also bad though not as bad as SF. I've had my car broken into 6 times
and stolen once. One I installed a removable stereo, forgot to remove it first
day, windows smashed, stereo gone. Got a new one, it lasted 2-3 months. After
that had to use a cheap portable boombox (no money for new car stereo). That
lasted a few months until someone bust into car in my apartment's garage and
apparently tried to steal the car. The steering column was jacked up and the
car repair said that was from trying to steal the car. Those were in West LA.
My car itself was stolen in Costa Mesa. The replacement was a used Samurai
Suzuki (all I could afford). It had a $10 cheapo radio that was stolen in
Huntington Beach (no need to break into the car for that). The 2 times, one
time I think I forgot to take down the dash cam. Another I forgot to lock it,
there was nothing showing but apparently someone was just checking for
unlocked cars.

Then again maybe I'm just used to living in a country like Japan where
breaking into cars is mostly not a thing and so you can leave stuff in your
car and you can have nice non-removable car stereos and not have to worry
about your car getting broken into and getting stolen.

It's funny/sad to me how having grown up in the USA I just took it for granted
than having your car broken into and/or stolen was just a normal part of life
in the world. Luckily I learned it's not though it can be also be sad to have
your eyes opened just how messed up your country of origin really is.

~~~
ALittleLight
I would not impute this level of criminality to the whole of the USA.

~~~
greggman2
Good point. I would love to know why it's not a solvable issue. Not saying
it's easy and I'm sure there's multiple reasons, some maybe unsolvable.

~~~
Jamwinner
Nobody wants to hear it, but crime and population density seem very linked.
Where I live, we dont even lock our doors, while an hour away in the city, I
cant even take one of my crs because it is too easy to steal even when locked.
When you know your neighbors, you can't steal without everyone knowing. The
psudeoanonmity offered by overpopulation makes crime pay.

~~~
ssivark
Well, from an aggregate population level it naively seems cheaper (more
efficient) to insure people against car break-ins rather than subsidize low-
density housing infrastructure (roads, water, electricity, internet, etc.).
That's apart from the productivity increase resulting from higher density (eg:
see Geoffrey West's work on the nature of cities), and the loss of
forest/agricultural land in rural areas. So, while low-density suburban
housing avoids break-ins, it leads to bigger unanswered questions.

------
godshatter
Has anyone had any luck with faraday bags? I bought one a few years ago, which
worked fine for my galaxy s6. I tried it not long ago with my galaxy s9, and I
was able to call it from my land line even though it was covered by the
faraday bag. Maybe changes in frequencies are to blame? Or maybe I didn't have
it as sealed in as well as I thought.

------
ropiwqefjnpoa
That's simple and clever, knowing for sure what cars are worth breaking into.
I imagine based on the BD_ADDR you can even surmise what type of device it is.

~~~
saalweachter
I wonder how hard it is to masquerade your expensive device as a cheap device.

~~~
oliveshell
Probably much more difficult than just turning off Bluetooth.

~~~
sideshowb
Yes but good idea as you only have to do it once...

------
waltbosz
I stayed at a hostel in Montreal 7 years ago and the owners warned me about
something like this. They said local thieves used scanners to tell which cars
in their car park had electronics inside and were worth breaking into.

------
nihonium
This was inevitable. I suppose Apple's new "Find My Device even if it's
offline" mode, which uses bluetooth to emit devices location, will help
thieves to find these devices as well.

------
microcolonel
People have already been lying [0] to the public about vehicle to vehicle
communication protocols for a while now, saying that the radio signals will
not propagate over long distances. Everyone who knows anything about radios
knows that you can make the antenna more sensitive or directional on either
side of a transmission.

If this stuff ever makes it into vehicles, it _will_ be used by criminals
(public and private sector) to track victims.

~~~
lawnchair_larry
[0]?

~~~
microcolonel
Lost the original link I had earlier today, but this one seems to make the
same sorts of claims about the supposed limitations on the range of receiving
the V2V signals.

[https://youtu.be/3z09fCqmILU](https://youtu.be/3z09fCqmILU)

------
diego_moita
> tablets, laptops, cameras, speakers, and phones—basically, most things a
> thief may want to steal, except for your keys and cold hard cash. (Although
> if you use a Tile or similar locater dongle on your key chain or in your
> wallet, then those are discoverable using a Bluetooth scanner, too.)

As in most security-related articles there's a lot of speculation and an
overall fear-mongering tone here. Laptops don't propagate Bluetooth
advertisements while closed and hibernating. The author's friend MacBook was
stolen because it was close to the iPad that wasn't hibernating and had its
Bluetooth on.

Also, almost all cameras don't advertise Bluetooth (it is too slow to transmit
video and images), most BtLe speakers are too cheap to interest thieves and
most people keep their cellphones with them.

Also, Tile trackers are mostly kept in things that people want to keep with
them, one of their functionalities is precisely to warn the user when they're
left behind.

At the end, all the author has is just a theory and a suspicion from a police
officer.

~~~
brettnak
My bluetooth headphones connect to my macbook pro when come home from work and
my laptop is sitting on the kitchen table. My headphones tell me "two devices
connected" when I walk in the door.

Although it seems like bluetooth _should_ be shut off by devices when not in
use, I doubt most devices actually do that.

~~~
diego_moita
I'd really like to understand this deeper: are you sure your macbook was
hibernating, even if it was closed? Are you sure the proximity advertisement
came from the laptop? Usually it is the iPhone doing it.

I've seen that in airports and malls, more than 90% of the advertisements
around are iPhones (Android doesn't do BtLe advertisement) and Windows
computers (from the shops and stores). A small minority are beacons and
wearables (iWatch, Fitbit, etc.) In libraries sometimes I can see Macbooks,
but they all are non-hibernating.

~~~
brettnak
My headphones are only paired with my macbook and my android phone. I always
am walking with the headphones paired with my phone, so that's one of the two
devices. The only other device is my macbook pro, that is often sitting on the
kitchen table with it's lid closed, and unused for several days, and yet this
happens every day. I obviously don't know what exactly is going on, but if
they can "connect" then presumably something about the bluetooth is still
functioning.

~~~
diego_moita
Interesting. Thanks for the info.

If you left the MacBook connected to the power supply and it is a 2016 model
or later then it likely isn't really hibernating, even with the lid closed. By
default, most of them remain active when connected to power.

However, you can disable the Bluetooth connection. Go to System Preferences >
Bluetooth > Advanced Button and deselect "Allow Bluetooth devices to wake this
computer."

I wonder who does the advertisements here. In BtLe the standard is to have the
Peripheral (i.e: the headphones) doing proximity advertising and the Central
doing the scanning. But, in principle, anything is possible.

------
jaclaz
Semi-random idea of the day.

Would there be a market for something _like_ a dye pack

[https://en.wikipedia.org/wiki/Dye_pack](https://en.wikipedia.org/wiki/Dye_pack)

emitting fake MacBook-like Bluetooth signals?

(and would they be legal?)

You'll still have your car window broken, but someone will need a lot of time
to get clean ...

~~~
curiouscats
Police departments could do this as they have done with "bait cars" to catch
those who engage in this behavior.
[https://en.wikipedia.org/wiki/Bait_car](https://en.wikipedia.org/wiki/Bait_car)

~~~
logfromblammo
Bait cars are a police-state tactic. Just normal, Peelian-principled policing
for me, thanks. Hunting and tracking, not fishing and trapping.

Which is to say make better efforts to actually solve property crimes that
occur naturally, rather than manufacturing crimes for the purpose of resolving
them more easily.

~~~
UnFleshedOne
Bait cars are not manufacturing crimes. Those are natural and organic crimes.

Unless undercover officers actively entice somebody to steal them or
something? That would be entrapment it is already not allowed I think.

~~~
ballenf
You’re probably right, but we can probably all agree there is a line somewhere
that we don’t want police crossing with regard to baiting criminal activity.

I’d just rather us not have to debate where the line should be and be ever
vigilant as police push the boundaries.

~~~
logfromblammo
In the traditional crime triangle of motive, method, and opportunity, baiting
and trapping artificially supplies the opportunity, and in some cases also the
method, such that crimes that would not normally occur take place in such a
way that it is easier to prosecute them than the naturally occurring crimes.

It replaces the pursuit and prosecution of people who have committed crimes in
the community with jamming up all the usual suspects.

It's _lazy_ , and it takes resources away from victims waiting for
satisfaction. "Sorry, we aren't going to look for the person who robbed you,
but we arrested 30 folks who are criminally predisposed to do exactly the same
crime against cars similar to yours, if they're parked nearby, with unlocked
doors, and pawnable valuables easily detectable inside. One of them might even
be the person who robbed you! We're not going to check, of course, but you can
maybe pretend that we caught them, to make yourself feel better."

Instead of setting a bait car, and watching just that one while it's out,
watch over as many cars as possible to detect and prevent break-ins, all the
time--as the community expects its police to do, to earn their pay.

It may be effective in the short term, but it also undermines community trust
in the justice system, which is critical for policing to be effective in the
long term. If you round up and persecute all the usual suspects at regular
intervals, their friends and family will stop helping you, and start shunning
you whenever you come 'round to "help".

~~~
UnFleshedOne
Another word for "lazy" is "efficient".

I'd think people stealing bait cars are often the same people who would be
stealing regular cars. So a successful bait car protects one or more regular
cars. It is important to solve crimes that happened, but it is even more
important to prevent future crimes. In fact, for property crimes, the
overwhelming benefit of solving them is preventing future crimes. Except in
backward countries with retributive justice system, like US, I suppose. (I
want the guy who robbed me to suffer!)

Otherwise we, as a society, would simply get collective insurance to make
victims whole and simply ignore property crimes.

Bait cars protect other cars as well, police is advertising their presence
often, so everybody knows they are there. That has a chilling effect on crimes
of opportunity.

In fact you don't even need to have any bait cars at a given location to
reduce crimes, just say you do.

Would you be ok with private citizens, en masse, installing GPS trackers in
their belongings, turning _all_ cars into bait cars btw? Would that also be
considered entrapment?

~~~
logfromblammo
I don't agree with some of your premises, there.

Efficient is often lazy, but lazy is not always efficient. If the specific
implementation of lazy is doing a different-but-similar job, rather than a
different method for getting the same results, that isn't efficiency, it's
substitution.

Preventing future crimes is important, but that is not the public mandate for
police. Police are there to investigate crimes that occurred, collect the
evidence, locate and arrest the suspects, and then turn everything over to the
courts for further resolution. Future crime prevention is the responsibility
of everyone living in civilization, in part by implementing security
infrastructure under the control of those most directly impacted by the crimes
in question. People want to feel safe, but not _watched_. It's not security,
if the implementation makes you nervous about how it will be used.

Yes, I would be okay with private citizens, en masse, installing anti-theft
devices in their belongings, provided that the tracking is under the control
of the device owner. That's not bait, it's just another security measure. If
it doesn't have a hook in it, it's just fish food; some worms get eaten, and
others do not. You can't save them by taking a dozen fish out of the lake.
They save themselves by developing camouflage, or a bitter toxin, or sharp
spines, or slippery slime--whatever it takes to ward off the fish. Meanwhile,
the anglers continue to use the bait that catches the most fish. They aren't
out to protect worms; they just want to catch fish.

Another problem, of course, is that people already do that, with services such
as LoJack, Prey, and Find My iPhone. When the owners take the location
evidence to police, they do not always do anything with it. Someone can give a
cop exact GPS coordinates, including elevation, with video recorded from their
laptop with a clear image of the thief's face, and see no action. A television
journalist can go to the thief's house, with cameras rolling, get a complete
confession, air it on a national news program, and still not recover the
property or see an indictment. Cops do not have a legal obligation to do
_anything_ for any particular person, as affirmed by several federal circuits
independently, and then the Supreme Court. And private citizens and
journalists do not produce a clean chain of evidence custody. The cops who
don't pursue real property crimes that are trivially easy to resolve are being
non-efficiently lazy, by doing an easier job.

As long as the priority is on bait vehicles and drug-related civil forfeitures
and parallel constructions and other bastardizations of Peelian policing, the
cops are not making the public feel secure in their liberties and possessions.
They are not being what we wish them to be, and not doing what we would
willingly pay them to do.

~~~
UnFleshedOne
I agree with most of your post, except police mandate part (at least on paper,
implementations vary). Prevention is explicitly in public mandate of Edmonton
police (first thing I found). If you look at other programs police departments
sometimes have (like public outreach about securing belongings and so on), it
is mainly about reducing crimes of opportunity before they happen, and only
partially PR.

And that bait cars are in the same category with civil forfeitures and other
things you listed.

We have police exactly so we don't have to grow slimy toxic spines ourselves.
Places with weak rule of law can get by with Honor culture for example, but
that has a cost.

Anglers might not be out to protect worms, but they can destroy fish
populations just fine nevertheless, most lakes need to be stoked in fact.

As for not pursuing real property crimes with digital evidence, that is often
a question of not having a process and infrastructure for that and balancing
time spent with likelihood of getting enough for convicting. Standards for
admissible evidence are there for a reason, and relaxing them would give much
more power to police than to private citizens. This is going to be much worse
soon, when deepfakes become popular.

------
viggity
Ok, so I have an alexa in near every room in my house. My kids lose their fire
tablets all the time. It would be awesome if there was an alexa skill saying
"where is Johnny's Tablet" and it could tell me which alexa it was closet to
based on the bluetooth.

Alternatively, I'd prefer it if I could just set off the alarm on the tablet
like I can via the "manage devices" section in amazon. But I'm not always at
my computer and it is unwieldly as hell. But the bluetooth thing could help me
find non-amazon devices like my ipad.

------
mataug
Conversely can I use Bluetooth signal strength to find devices within my home
?

~~~
ObsoleteNerd
FTA:

> Using signal strength as a distance meter, I found the phone my fiancée
> misplaced before she went to work.

~~~
ghaff
I played around with Bluetooth Low Energy beacons a couple years ago and it
seemed really tricky to locate things. Reflections, walls, etc. just
introduced too many random variables.

I'd love it to be better. (And maybe newer versions of at least full Bluetooth
are.) Something I imagine to be useful if it were sufficiently reliable is
some sort of "digital tether" between an Apple Watch and iPhone that buzzes
you if you get too far separated. (Obviously not something to use all the time
but could be useful in some circumstances.)

~~~
vorpalhex
This is the idea of tile trackers, except they also emit noise so you can use
that once you get pretty close.

I'd imagine intentionally directional antennas would be helpful here, much
like is used for ham radio foxhunts.

~~~
ghaff
I keep thinking of trying a tile tracker except that seriously misplacing my
keys or wallet is such an unusual event that it seems like sort of an
expensive insurance policy given that (I think?) they all have a finite life
with embedded battery.

~~~
vorpalhex
They do have a finite life, but it's about a year. There are tiles with
replaceable batteries (finally) but they're a bit thicker. I usually buy packs
when they go on sale.

------
bduerst
How exactly do they triangulate the Bluetooth signal to an individual car?

Yes you can see the Bluetooth radio signal nearby but unless it's the only car
in 40 meters you're not going to be able to tell which vehicle it's in.

You would need some pretty complicated equipment and experience for these
basic "smash and grab" thefts.

~~~
hamandcheese
Measure the signal strength near each car. When the signal strength peeks,
that's the car you want.

~~~
2rsf
Based on the fact that Bluetooth signal is weak and short ranged by design

------
hnburnsy
How does Bluetooth leak the device manufacture, make, and model? Is there some
sort of Mac?

~~~
2rsf
> Bluetooth device has a unique address called BD_ADDR. It contains two parts:
> company ID which is unique across the world, and device ID which is unique
> within the products of the company

Link:
[http://progtutorials.tripod.com/Bluetooth_Technology.htm](http://progtutorials.tripod.com/Bluetooth_Technology.htm)

List of Manufacturer IDs:

[https://www.bluetooth.com/specifications/assigned-
numbers/co...](https://www.bluetooth.com/specifications/assigned-
numbers/company-identifiers/)

------
toyg
Pretty sure this has been a problem at Disneyland for a long time already. I’m
sure I read reports of thieves targeting the original Macbook Air back in the
day.

------
ChuckMcM
Faraday cage for the trunk I guess.

------
scohesc
So the summary of the article is:

"Don't leave valuables in your car that you don't want to risk getting stolen"

I guess the author is bringing this to light in the blog post, but don't
people see this in parking lots of shopping malls or community centers to
apply this everywhere?

It would be even more relevant, since you're going on a trail and aren't near
your car for potentially days at a time depending on route you take... but
still! :\

~~~
altec3
I'd say it's more about how thieves have started to use bluetooth scanners to
determine if something very valuable is in your car. If they can tell a
macbook is in your car, but your glovebox, center console or trunk are locked,
they'll go to extra lengths to break into them.

~~~
barbecue_sauce
Can you get a bluetooth signal from a MacBook when its sleeping?

~~~
gnicholas
I believe you can, but not when it’s off. It may depend on your sleep settings
(“wake for network activity” or “power nap”). I’m not an expert though — just
my recollection.

~~~
president
Also "Allow Bluetooth devices to wake this computer" in Bluetooth settings.

~~~
MrQuincle
Then, would the computer not need to listen rather than broadcast?

PS: I know quite a lot about Bluetooth, although mostly about BLE. I don't see
a reason why the device should be broadcasting anything. If it is scanning for
BLE devices it can do "passive scanning". Is this about ordinary Bluetooth and
is that different?

PS 2: Why is this different for Wifi? When a device is not connected to Wifi
it sends probe requests for access points. My intuition would blame Wifi
rather than Bluetooth. However, perhaps I don't know enough about old-
fashioned Bluetooth. Or the device manufacturers have implementations that do
not make sense from a privacy/security perspective.

~~~
vorpalhex
Bluetooth hosts aren't entirely passive as I understand it.

