Schneier on Security
A blog covering security and security technology.
« Recently Declassified NSA History Document |
| Malware as Job Security »
March 8, 2011
Criminals Stealing Cars by Calling Tow Trucks
It's a clever hack, but an old problem: the authentication in these sorts of normal operations isn't good enough to prevent abuse.
Posted on March 8, 2011 at 6:35 AM
• 39 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This link repeatedly crashes my Firefox browser - Version 3.6.15
Link works without issue on Firefox 3.6.13
Plus, the tow truck business itself is unremittingly sleazy.
In Holland the trick that was very popular among thiefs was to have doors opened by locksmiths.
Same issue: weak authentication of requester and strong [monitairy] motivation to execute by locksmith. The issue has been largely solved by making the locksmith responsible for his actions -and- give them easy access to the police for verification.
Why do they have different rules according to the age of the vehicle? That sounds crazy. Here in Britain, nobody legitimate will take a vehicle, *whatever its age* without its V5 certificate ("log book").
I think more responsibility should be given to the scrap yards. Towing a car is much more common and I don't carry my car's title all the time. Besides, when your car is broken down, how are you getting home to get the title, so you can have your car towed? Personally, I have my cars towed a few times a year but have only scrapped a car once in my life.
It's my understanding that they don't require any proof that you own the property being scrapped. For big ticket items like cars, a title should be required. For all other items, like copper and street signs, they should require an ID and maybe even take a photo of the person.
Well if you made the scrap yards wait 36 hours before crushing the car, and then check the vin versus the list of stolen cars, this wouldn't work. Most cars would be reported stolen in that period. 'Cause after they' been burned out of their $200 dollar scrap value, you can be sure they'd really start to try and recognize the car thieves.
@ Toby Speight,
"Here in age of the vehicle? That sounds crazy. Here in Britain, nobody legitimate will take a vehicle*whatever its age* without its V5 certificate ("log book")"
Saddly it's not exactly difficult to get a new log book.
In the same way it is not exactly difficult to get a replacment birth certificate.
Like all "registration documents" all it realy is, is a serial number into a database.
It is not reliably tied to the vehical.
And even if it was it would not be unforgable, nor would the DB be safe from unauthorised entries.
The simple fact is Identity and Ownership are concepts of the human mind not "physical actuality"
The more people try to "enforce" these unenforcable concepts the weaker and more vulnerable as a society we become.
The human mind has a perfectly acceptable method of dealing with these problems it's called "trust" the more stupid "mandated" methods we add the more feeble or ability to judge "risk" and "trust" and the more hurt as individuals and a society we will suffer.
Part of the problem is the car value. An 12 year old Infinity, with over 100,000 miles, blue book value can be as low as 800 dollars.
Although it still counts a motor vehicle theft I'm not sure it counts as a felony.
This might be why the law is written for varying ages (and it's LA where they have bigger fish to fry)
The problem with the tow companies is that there can't be a report of auto theft until they steal it. But if the law requires a bill of sale isn't that normally done on the back of a title with a witnessed signature?
My last wrecker call was through my insurance company and they asked all kinds of qualifying questions to prove my ID to their satisfaction (now makes me wonder how much fraud and attempted fraud they are seeing). THEN they asked me if I was okay. I was touched.
I am totally not surprised by this article. Individual citizens own cars. Who owns a manhole cover? Yet people stealing manholes for the $10 in scrap steel is enough of an issue that some cities are locking or looking into non-metal ones. And... scrap yards aren't helping at all. A homeless man can show up with a shopping cart full of copper pipe or a manhole cover with no questions asked.
Between many and most tow (and as above, at least many scrap) companies are sleazy at best. Immoral and dickish I tend to say. I suspect quite willing to at least support illegal activities if not actively engaging in them at a low level.
Dealing with a towed vehicle, or watching people drive into a hole in the street is the sort of thing that makes me want more government regulation. That, or we have to go anarchistic enough I can go to the tow lot with a pile of armed friends, and hang anyone with unsourced scrap metal like cattle rustlers of legend.
In Rhode Island the rule is that you must have a license that matches the registration for the car to get it towed. This does get checked and since you must have your registration in the car to have it on the road there's no reason you shouldn't be able to produce it. Unless, of course, you're buying a non-functional vehicle for restoration. Then it's a mess.
In Michigan if you want to scrap a car you need a title to do so. I have a friend who has a non-running van on their property and we aren't able to take it to the scrap yard without a title.
I have seen the manhole cover trick, but they started requiring Drivers License and Job information before you are able to scrap in the Metro-Detroit area. So if you bring plumbing in too many times in x period and you aren't a plumber that throws a red flag you may be stealing copper.
I've seen parking lots in some areas posted with a sign reading "unauthorized vehicles will be towed at owners' expense by XYZ towing company with phone number 123-456-7890"
Such towing companies appear to tow vehicles to their own towing yards, and won't release the car until the owner (as known to the State agency that tracks records) shows up.
However, that doesn't cover cases like this, where a person claims to need their own car towed to the scrap-yard to be scrapped.
Here is where my knowledge may be different than the situation reported in the article. All vehicles that I've seen delivered for scrap (in my home State of Michigan) were delivered with a title.
I've been told by a person in the know that local scrap-yards won't accept a complete vehicle without a title. (Again, this depends on the validity of the title presented and ID used to verify him as owner...)
The same person did tell me that local scrap yards will accept a partial vehicle without a title. But this process requires the person delivering the scrap vehicle to do some work with heavy-duty metal-cutting saws, to produce at least two 'partial vehicles' from a single vehicle.
I assume that this process is a little too involved to make for easy theft-for-scrap.
It would be nice if the content of the article could be summarized in a few brief sentences, so we don't have to click on arbitrary links just to see what you're talking about.
In Germany we have two separate documents for a car.. one small paper (certificate of registration) which lists the basic technical data, serial numbers, allowed tires and current registered owner, which is to be kept locked inside the car and will be checked against your passport by police or towing companies, and one larger document (ownership title) which contains the same technical data but also lists previous owners etc, and which is required if you try to sell or scrap a car. The later document is to be kept at home, obviously, as it grants full ownership of the vehicle. (If your car is leased or bought on credit, the bank will keep this document and only give you a xerox.)
So, to have a car towed, you need at least to break into it to retrieve the registration document, and to get any scrapping company to buy the car, you would also have to break into the owner's home (or be good at forging..)
+1 on photo and ID; no tow truck operator works without a cellphone these days, just like they don't work without GPS and radio dispatch. There's no excuse for not checking ID and I love photo records for this.
In my limited experience with police checks, they didn't really care about mismatches between the name on your ID and the "Fahrzeugschein" you show them. (This is only anecdotal evidence, of course.)
There are so many legitimate reasons for driving another person's car.
A professional thief by-passes the middle man and buys his own tow truck.
A CHEAP professional thief by-passes the middle man and RENTS or STEALS his own tow truck.
I doubt 'professional' thieves would even bother with this. This seems more like a 'professional' crack(pot|head) scheme to net a few quick bucks for __________.
@Clive - agreed vis-a-vis trust. Mandated protocols for trust verification are akin (IMHO) to CCTV: they erode our natural vigilance with mundanity, signal-to-noise ratios, and/or false positives. The fundamental 'kick in the pants' though is the fact that, to verify someone's level of trustworthiness with regards to oneself, one generally has to trust them first ;-)
I'm thrilled to be living in Tennessee where car owners can cancel auto insurance immediately after registering their vehicles, tow truck drivers will haul away vehicles without getting keys or seeing a registration, and scrap yards will destroy a car based on a "bill of sale" written on a napkin. Our scrap yards also accept copper pipes, tubing, and wiring from anyone, but thefts from construction sites and businesses became so common that a new law requires them to wait one week before crushing and shredding copper items.
"The fundamental 'kick in the pants' though is the fact with regards to oneself, one generally has to trust them first ;-)"
And if all the government paperwork has stoped you getting those little kicks early in life that teach you the waryness of good risk assesment of others, then that first 'kick in the pants' is likley to be hard enough to take your teeth out as well...
One of the things I have real trouble with is peoples need for vicarious risk that is safe...
An example is the roller coaster, it makes you feel like you are about to die, but in reality you would be less safe sitting in the pasenger seat of a car parked at the side of a road...
If you want to be scared go do real risk like climb a mountain or jump out of aircraft.
Further I have a problem with how others evaluate risk to others...
For example we don't allow pre-teen children on roller coasters even if they are within the height restriction etc, yet we alow them to ride their bikes down the sidewalk/pavment or road 'because excercise is good for them'...
This is where I say,
"Hummens don't talk to me about Hummens, doz eyjits don't a know whats good for em, thats for sure".
I guess the logical thing to do would be to regulate scrap yards to have procedures in place when specific stuff is being brought in. In the case of motor vehicles: get a photocopy of the ID of the person bringing it in, as well as a copy of the towing document issued by the towing company. Submit standard form containing all vehicle specifications (mark, model, colour, chassis etc.) to local police or on-line database. Wait for at least 5 working days between submission of document and scrapping vehicle. Impose penalties for not following procedure, revoke business license of repeat offenders.
On a related sidenote, some really stupid gang regularly used a truck to steal bicycles and motor bikes outside the skating venue when I was younger. It ended in a bit of an akward way when they were caught red handed one evening and had themselves nearly lynched by the local ice hockey team. The cops that were called in did nothing but send for an ambulance. They were offered coffee and biscuits at the bar. Crime does not always pay off when messing with the wrong people.
If a merchant accepts a stolen credit card even if they had no way of knowing there will be a chargeback and they are out the goods/money. This lets them manage their own risk.
The solution here is the same - the tow truck/scrapping company are liable should they incorrectly tow/scrap a vehicle. This way they have an incentive to do the right thing, can get insurance and come up with their own solutions to the problem.
"The solution here is the same - the tow truck/scrapping company are liable should they incorrectly tow/scrap a vehicle. This way they have an incentive to do the right thing, can get insurance and come up with their own solutions to the problem."
Or every incentive to cover their misdeed.
Market based solutions aren't a panacea, particularly when malfeasance on the part of at least one actor is already presumed.
@Shane, yeah but if you don't trust them, you could be the cause of them not trusting you.
Take for example suposable mutli hit and runs from the same source, if you don't trust them(as they might not trust you), do you
1)Remove half the vechile quickly,
2) find more proof
3)Trust them(don't worry about it)
If you remove trust, you setup the situation were people need to steel copper and manhole covers, so you can't trust them, because of you not trusting them
Humans don't measure risk properly because they're afraid of death.
It's true. Think about it.
One of the biggest advantages of learning martial arts (including the attitudes involved, not just the physical moves) is that it tends to teach one to fear less and measure risk better.
You also learn not to trust, because, as I've often said, there is no security. One of my earliest mottos from way back in my youth that I picked up was: "Trust no one."
The samurai were required to keep their sword at hand even when sleeping with their wife - because they might be attacked at any time - and also they didn't trust their wives.
There's also another good reason not to trust: people perform lousy. They might be "trustworthy" from the point of view of betrayal - but not from the point of view of competence.
@Dirk Praet @Richard Steven Hack
There's a long-standing tale (true or false, doesn't matter much, I guess) in Perth, Western Australia of a couple of ne'er-do-wells who chose to abduct a young woman in the central-business-district and drag her down a dark alley way to "have their way" with her.
The (tiny) mistake they made was to select an alley which ran beside a martial arts academy.
Despite the 'lads' requiring an extended hospital stay, the local constabulary were entirely unable to determine the cause of their very extensive injuries.
Sometimes, justice is both fair AND blind.
Late response @Clive
"Sadly it's not exactly difficult to get a new log book."
I meant to say that producing the log-book is no guarantee that it's legit, but at least it reduces the problem to one we're already defending against. And it does likely add fraud to the offences committed, so could increase a thief's risk.
I'm also saying nothing about complicit scrap yards - as discussed here, that seems to be a problem the world over.
I told a friend about this "new" find and he jumped up saying "that happened to my baby's momma' like two months ago!" Well, at least we know Bruce's article didnt inspire this hit.
Along the same lines as "Trust No One", is more sage advice that I heard in the BBS days of the mid- to late-80s from a character by the name of "Crustaceo Mutoid". He told folks to "admit nothing", which hopefully saved a few of the little hackers of the day from serious consequences.
Older Than I Look: Oh, absolutely!
Remember "Guide for the Married Man"? "Deny! Deny! Deny!"
Long ago I read that the proper response to any law enforcement officer question is merely to repeat: "On advice of attorney I have nothing to say." Then shut up. (You might also inquire as to whether you are under detention. If the answer is no, ask "Am I free to leave?". If the answer is yes, do so, shut the door, whatever.)
This is especially true when speaking to the FBI as their entire MO is to build a case against someone from deliberately misinterpreted fragments of facts they've extracted from people who didn't do the above. Don't even answer an FBI question like, "Does the sun rise in the east?" They'll use it to indict you.
When I was arrested, they handed me a Miranda rights form which contained the Miranda warning, then after some white space beneath it said that I waived my rights to an attorney during questioning, then a signature block. They said I had to sign it to show I was Mirandized.
I said, "I'm not signing that. It says I waive my right to an attorney."
They said, "No, it doesn't mean that."
I said, "I can read English and there is nothing between the Miranda warning and the statement that I waive my right to attorney except white space and then a signature block. I'm not signing anything."
They terminated the interrogation.
I'll bet that trick has worked on countless suspects who then had to endure endless questioning without an attorney present.
Wow, that's a scary close call!
It sure pays to be observant and vigilant in times like that. Hooray for you for not being tricked.
And all of us who are regular readers here have seen the links to YouTube videos, and other web links that warn us to only answer the questions asked of us, being as brief as possible, then to stop talking.
They give us similar advice during the QSR audits that happen annually where I work.
@Richard Steven Hack ,I would think the samurai/ninja would trust more. If they are perfecting the art of warfare and take honer in it, they wouldn't attack a target that they precised to be weaker than they were. If you fight better using repetition you don't want the conscious taking control of the situation(to work out why).
Could explain why martial arts teacher s are more mallow than students,and solder/cop. They can trust, and there power is over someone weaker, less corruptions(less view of corruption in others)
Just some rambles
Reminds me (not entirely offtopic) of a moment in Chicago, walking down a very busy 4-lane street in mid-day. One man had a coat hanger pushed through a car window and was clearly trying to unlock it. Another car pulled up, the driver leaned out, and offered "twenty bucks and I'll have that open in less than five minutes."
I kept walking, but I spent a fair bit of time wondering how anyone would ever know if the first guy actually owned the car, and also how the second guy came by his skills?
This is both comic and tragic. This could never happen in my country and the reason is simple - we don't have towing companies in Albania!
You don't have manhole covers in Albania either. Add in the fact that no one there cares about travel lanes or even whether they keep their wheels on the road, the guys traveling at high rates of speed in the big cars with no license plates, and the cop cars sitting on the side of the roads with grass growing up around them, and the fact that the maps and GPS we brought with us didn't match anything we found in Tirane, and it was certainly one of the most, um... exciting places I have ever driven.
A real professional thief would be working for a US bank, on Wall Street, or would be a government contractor.
Car keys for most brands of cars can be made by dealerships using the VIN number. If the algorithm/codebook is exposed, or there is a nearby unscrupulous or inattentive dealer, the entire system is compromised. They are supposed to ask for the license and registration.
Electronic immobilizers work in different ways. Toyota/Lexus ECMs require an existing master key to add new keys. Mercedes vehicles have a limited number of pre-configured keys. Volvo keys are authorized (signed or downloaded) by a central system in Sweden, which should allow for access recovery without original keys, and key replacement denial in the case of stolen cars.
Just a thought.
Oh, and I've read that BMWs have (have had?) tilt protection alarms to deter tow-away theft. It's apparently been a problem.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.