
Car Thieves Arrested After Using Laptop and Malware to Steal More Than 30 Jeeps - Jerry2
http://abc13.com/automotive/hpd-crooks-armed-with-laptop-stole-30-cars/1457015/
======
my_first_acct
More details from this article:

[http://www.houstonchronicle.com/news/houston-texas/houston/a...](http://www.houstonchronicle.com/news/houston-texas/houston/article/Police-Suspects-used-laptops-to-steal-cars-in-9123735.php)

Quote:

Berj Alexanian, a spokesman with Fiat Chrysler Automobiles, said officials
know how the Jeep Wrangler was stolen. According to Alexanian, the thief broke
into the vehicle and used a laptop to enter its VIN number in order to access
the Chrysler database. Dealerships, repair facilities and locksmiths are
usually the only ones allowed access to the database, which provides the code
for key fob access. Once the thief enters the VIN number, he can re-program
the car's computer so it will accept a generic key fob. The car will then
start, and the thief is able to drive off.

~~~
TwoBit
So they had unauthorized access to the Chrysler servers. Possibly via a stolen
laptop. Seems too easy.

~~~
jakubp
Do they not have equivalent of 2FA? What if these were nukes?

"We are terribly sorry, Mister President. We did not expect them to steal the
launch codes from the database. We will provide asylum for what's left of your
country."

~~~
coryl
Why would Chrysler have nukes?

~~~
dmos62
My first laugh of the day.

~~~
csours
[https://en.wikipedia.org/wiki/Ford_Nucleon](https://en.wikipedia.org/wiki/Ford_Nucleon)
- Not SOO far fetched

------
LeonM
Every once in a while one of these articles pops up on a news site. People
(read: non-technical audience) seem to enjoy reading about a mysterious method
of stealing a car, detecting your laptop/ipad in the trunk, tricking an ATM to
give free money, hacking your phone, etc, etc.

Reality is that this kind of theft never is as straightforward as the article
tells you. In this case it required the thieves to break into the car first,
then reprogram the key. The thief can't just walk up to the car and type some
magic commands on a laptop and drive off. It requires him to break the
lock/door/glass to get in first. That's about the same as how car theft was
done in the early years: break in, hotwire the ignition, (bump)start the car.
This "new" method even requires more time than hotwiring, so car manufacturers
did actually make their cars harder to steal in some sense...

~~~
jacquesm
> It requires him to break the lock/door/glass to get in first.

They pop the hood, apparently.

[http://www.khou.com/news/crime/high-tech-thieves-crooks-usin...](http://www.khou.com/news/crime/high-tech-thieves-crooks-using-computers-to-steal-cars/251871053)

The rest is all 'digital', no further use of force required.

~~~
cdubzzz
Did you watch the video in that article? It doesn't seem to line up at all
with the text of the article, oddly. You see the guy for a moment and then the
video skips forward and he's sitting in the Jeep with the alarm going off. The
alarm appears to have been going for a good couple of minutes.

Wouldn't popping the hood also require breaking a window or otherwise getting
in the car to pull the release?

~~~
jacquesm
I think they have to have the key already, but still 'blank'. That will likely
open the door but it would normally raise the alarm, that's why they start
under the hood first, to disable that.

After that the procedure would be fairly easy: open the door with the still
unlearned key, learn the new key ID to the ECU (takes < 1 minute) using the
laptop, after that you can start the car.

One handy tip I got from the police after my own car got stolen (a VW
transporter camper) was that you should mask off a chunk of the VIN so thieves
can't use the VIN to order keys that will fit the car (but that still need to
be programmed in the ECU in order to allow a start).

~~~
deleted_soon
Isn't it illegal to remove the VIN?

~~~
jacquesm
Here apparently it isn't if you mask it. That's not the same as removing it,
but your local police might have a different opinion.

Whether or not it is effective is another matter (and that's hoping there is
only _one_ instance of the VIN on your car, there may be other, less obvious
ones for instance bar-codes).

------
duskwuff
"And _malware_ "? Sounds like the only piece of software involved was the one
the thieves were using, and it was doing exactly what it was supposed to.

~~~
adrianN
Malware also does exactly what it's supposed to do.

~~~
hacksonx
Yep. It just has malicious intent, but that's the intent.

~~~
dagurp
I decided to look for the definition of malware and found several. I think I
like Webster's the most. "software designed to interfere with a computer's
normal functioning".

------
icantdrive55
If you're poor, like myself, and want to slow down a car thief, put in a kill
switch.

Run the proper gauge wire from the primary on the coil to a switch in the cab.
The primary wires are the small wires on the coil. (I can't think of any
reason the ECU would throw a trouble code.)

It gets more complicated if you have a separate distributor running to each
cylinder, but there's always a point in the electrical system you can splice
into, like the starting system.

When completed, just get into the habit of turning the switch on, off, and on.

(I have noticed a lot of old Japanese vehicles being stolen in the Bay Area.
Go figure?)

~~~
chrissnell
There's a cleaner way. You can use a battery terminal disconnect directly on
the battery:

[https://www.amazon.com/dp/B001N729FS/ref=cm_sw_r_cp_api_p1xP...](https://www.amazon.com/dp/B001N729FS/ref=cm_sw_r_cp_api_p1xPxbTFM927E)

Personally, I drive an old diesel truck and it's as simple as disconnecting
the fuel cut-off solenoid wire from the solenoid. Old diesels like mine are
terrifically simple and really only have two wires: the starter positive lead
and the fuel cut-off lead. The cut-off lead opens a solenoid that lets fuel
flow to the motor. Remove power and it shuts the flow and stops the engine.
The easiest way to stop a completely mechanically injected diesel.

~~~
ibarrajo
Please don't do this if your car has oxygen sensors, a catalytic converter or
fuel injectors (basically all cars 1980+)

Why? Besides polluting more you're going to reset the car's ECU and it takes a
few drive cycles in different conditions to properly tune the engine.

There are so many things that can affect the tuning: engine wear, fuel quality,
even the barometric pressure. If the car can't learn that (because it's
designed to reset on power loss) you will probably be running a rich A/F
mixture that can foul your O2 sensors and 3-way cat.

Install an alarm or get a car immobilizer. There is an RFID immobilizer on eBay
for less than 10 bucks.

~~~
morganvachon
Yeah, I'm in favor of a fuel pump disable switch instead. Any passenger car
with fuel injection will have an electric or electronic fuel pump, and
splicing in a switch is fairly simple. Hide the switch where it's out of sight
but easy to access by the owner and Bob's your uncle.

------
SNvD7vEJ
"used pirated software"

So they did not pay for the crack tools they used? Bastards!

~~~
coleca
Poor thieves didn't know what they got themselves into. They thought if caught
they'd go away for simple auto theft. Now they will probably get charged with
hacking (unauthorized use of a computer) under the CFAA and go away for a lot
longer.

When I started writing this I was joking but the more you think about it
there's a good chance they do get charged under the CFAA.

------
NKCSS
Until the key generation scheme is cracked and it turns out to be MD5 of the
VIN and use the last 10 keys (a la how WPA keys are generated for modems); now
all you need is a smartphone, blank key and programmer and all cars of that
brand can be easily stolen.

But it could be worse; BMW had an alarm system that would not go off if one of
the front windows was smashed; a programmer hooked to the CAN bus allowed you to
create a working key and drive off in under a minute...

------
syphilis2
I would love to be able to do this on my own car to reprogram spare keys
myself without having to visit the dealership.

------
scottcanoni
"Pirated software" is not the right term to use in this case.

------
JumpCrisscross
We presume manufacturers of self-driving cars, or at least their fleet
operators, will be liable for their coding mistakes. Why isn't Fiat-Chrysler
responsible for the cost of this car?

~~~
krapht
This mentality is so weird to me. The thief is liable. And I'm happy it is
this way, otherwise 3rd party locksmiths and garages wouldn't be able to work
on your car.

~~~
zaroth
Interestingly the law strikes a decent balance here. For example, the FTC can
sue a company for 'unfair and deceptive business practices'. Exposing cars to
insta-theft because you didn't secure your backend database could fall in that
category.

Companies do have a _duty of care_ if they are holding the keys to the castle,
be it the keys to your car, or keys to your email or financials; they have to
take reasonable precautions to protect the data, commensurate with the
quantity and sensitivity of the data, and the cost and availability of
technology to protect that data.

------
ComodoHacker
> That was the same story HPD heard over and over from several Jeep owners _in
> the Houston area_.

Looks like this was their main mistake.

~~~
ComodoHacker
Not sure why downvotes. I just pointed out that it was stupid for the thieves
to perform their series in one small area, with distinct hand, again and
again, drawing police attention. Especially stupid for hi-tech thieves.

~~~
alexmaras
I think people thought you meant owning a Jeep in the Houston area was a
mistake.

