Wheels of Steal: The True Consequences of a Car Hack

If you thought cars were only hacked by security researchers for white hat purposes, then the topic of today’s blog may come as a surprise to you. Just recently, members of a notorious Mexican motorcycle gang accused of hacking and hijacking at least 100 Jeeps over the last two years have been arrested. Unlike common car hijacking schemes, however, the crimes perpetrated by the group made heavy use of sophisticated hacking tools to exploit cyber security flaws in the Jeeps.

Explored in great detail both by Bleeping Computer and Gizmodo, the key to the successful hacks was the gangsters’ exploitation of an unguarded computer system. While “old school” tricks such as disabling the vehicles’ lights and alarm through the hood were also used, an instrumental step in the hijacks was the manufacturing and programming of replacement keys for the cars.

By gaining access to an unsecured database of vehicle identification numbers (VIN) hackers were able to access OEM provided instructions on how to generate physical replacement keys, as well as a software code with which to program those keys to pair with the compromised vehicle.

The degree of efficiency to which these heists were carried out is astonishing – the entire hack took less than two minutes. Once the thieves had the code needed to reprogram the Jeep with a computer, the car was helpless to resist the counterfeit key.

After hackers gained full control of the vehicle, it was taken from the US to Mexico where it was either sold or scrapped for spare parts. The gang was able to perform this stunt over 100 times in the span of two years before its members were caught. That these crimes continued for so long is clear evidence of how far behind manufacturers and law enforcement are when it comes to automotive cyber-crime.

Stories like these emphasize precisely why the work Trillium does is so important. With the publicity now being given to these gangsters, the chance of copycat crimes springing up around the world is exceedingly high. Hacking cars in order to steal or otherwise exploit them is no longer a work of science fiction; on the contrary, it is real and happening right now. Thus, the longer this issue is denied its due attention, the worse the consequences will be for consumers, their automobiles and the entire transportation industry alike. Accordingly, until multilayered cyber security systems are widely deployed, hacks like these will not only continue without impediment, they will likely also become increasingly prevalent.