Hackers Stealing Cars

We're seeing car thefts in the wild accomplished through hacking:

Houston police have arrested two men for a string of high-tech thefts of trucks and SUVs in the Houston area. The Houston Chronicle reports that Michael Armando Arce and Jesse Irvin Zelaya were charged on August 4th, and are believed to be responsible for more than 100 auto thefts. Police said Arce and Zelaya were shuttling the stolen vehicles across the Mexican border.


The July video shows the thief connecting a laptop to the Jeep before driving away in it. A Fiat-Chrysler spokesman told ABC News that the thieves used software intended to be used by dealers and locksmiths to reprogram the vehicle's keyless entry and ignition system.

Posted on August 11, 2016 at 6:32 AM • 33 Comments


PeterAugust 11, 2016 6:54 AM

A ring like this was broken up in Toronto a few weeks ago. It was apparently quite a sophisticated group.

The first member worked in the rail yard north of the city, where cars are unloaded before being delivered to dealers. In the course of moving cars to holding areas, he would select targets and record details

Then a person in the government license office would track the VINs, and get the addresses of buyers.

Finally a couple of thieves would drive to the addresses and steal the cars, using the same method as in the post. They would be hidden in shipping containers, ready for transport, within a couple of hours.

BirchAugust 11, 2016 7:10 AM


This was similar to part of the plot of the Danish drama "Follow the money" broadcast [in the UK at least] earlier this year.

Thieves use laptop and diagnostic software to steal car; gang members then 'buy' the car from the thieves and load it straight into a shipping container for onward sale. The drama series involved (in part) what was in the car when it was stolen - I won't give away any spoilers as it was a good series.

Tim#3August 11, 2016 7:23 AM

A lot of this is happening in the UK too, the term "Keyless car theft" returns many articles such as the one below. It affects BMWs badly, Range Rovers also, many other makes too, and has made some cars uninsurable in some areas. Drivers have meanwhile resorted to old style mechanical steering wheel locks, or (like me) just not buying cars with keyless entry. There are Met Police statistics being quoted (which I can't spot the source for) that all car theft is now at its highest for 20 years just as a result of keyless theft.


K.S.August 11, 2016 8:30 AM

My car came standard with keyless, I had no ability to even order it without. Consequently, I had to make a Faraday cage to store the key. Surprisingly, my initial attempt at it with electrostatic bag inside a metal box was not successful - it was still possible to detect signal and re-broadcast it.

What I find surprising is that these keys don't implement authentication - they will talk to anyone. So as long as you know the address (where the spare key is) you can use that to open and start the car anywhere (such as office).

Ron MurrayAugust 11, 2016 8:34 AM

The parallel between this and intentional backdoors in crypto is pretty obvious. Once the backdoor exists, even if it's only intended for "dealers and locksmiths" (or, for that matter, the government), it *will* get out.

JaysonAugust 11, 2016 8:58 AM

What's the world coming to when we can't trust car dealers and locksmiths?!

The lesson here is not to own a car worth stealing. A dented minivan sits safely among the shattered passenger side windows in the inner city. Nobody wants to rummage through innumerable compartments filled with cheerios, empty water bottles and sticky stains looking for loot.

ianfAugust 11, 2016 10:49 AM

      I come, as usual, with a dissenting opinion. Or, rather, questions of the plural variety. ALL NOISE ALL THE TIME.

@ Peter
               it surprises me that, knowing that such heists of high-value cars tied to a given address might happen, there is no system in place at the dealers' level, where the lock/key are paired first AFTER THE SALE, and the details safely sent back to the manufacturer (or the dealers' HQ in other location), without it becoming a part of publicly accessible car records. Of course, adding another security layer merely shifts the crime closer back to the method employed by Tony Soprano: have a pair of black thugs carjack a brand new SUV, kick the family out, then drive it straight to the docks. So in the end, M.A.Y.B.E. the present "impersonal" thieving method is less traumatizing for the cars' owners on the whole?

@ Birch

Re: A subthread in the "Follow the Money" drama series involved what was in the stolen car…

Judging by the description, the what must've been something of highly incriminating nature, perhaps some papers reeking of illegal dealings. To that I only can say that anyone who uses a theft-desirable car as temporary storage box for any kind of irreplaceable stuff deserves the outcome (I once carried a hard-drive with me on vacation because I could not afford a second one for backup, and didn't dare leaving it behind as too easy to "appropriate" in my then shared accommodation. No incriminating content, merely irreplaceable. Still here, only now have no SCSI Mac to read it ;-)) Don't tell me, does this series also have a borderline autistic female cop in the lead, or, for a change, just a unthinking sexy perp who speaks as if she choked on her own words?

@ K.S.,
            what sort of keyless authentication would you have in mind? The keyfobs obviously already are paired with car door locks and/or ignition, they don't unlock any/all cars. Perhaps you envision simultaneous BT-presence of some 3rd device that explicitly IS that authentication, sort of 2FA; and the keyfob, moreover, could be programmed to request reauthorization, input of some pincode, after certain time delay, and/or time of day?

    A digression: I recall a TV program of some 15? years ago, in which a pair of London-based industrial designers/ creators was challenged to improve a range of household products, such that were immediately recognizable, and the changes understandable, to viewers. One of their ideas, prototype executed unbeknownst to the manufacturer of home security systems to whom they intended to pitch it, was to have all doors and windows of a house lock at once as were this a car with (then still a novelty, RF-sequence-operated) keyfob. Mechanically it wasn't quite as easy as they first imagined it, and in the end they compromised on that a manual tug of the front door from outside also electronically locked other doors and windows; while pressing the key merely beeped if all ingress points were secure, and unlocked only the front door on request. A lot of time was spent on selecting the right kind of paint shade for the 'fob to go with the company boss's dress—and I mean A LOT. I kept watching it with staggering surprise that no security aspects whatsoever were mentioned… like that so "protected" home owner need not ever think of illicitly copied keys – the color-coordinated dongle as some Holy Relic. OF COURSE THE BOSS LURVED IT. That said, it took maybe another 10 years before I saw what could have been this product in the shops. I haven't looked closely, but it would surprise me if that round-brass-knob-with-top-button remotely operable lock would also act as a "spider" in a net of cross-connected locking devices for other doors and windows.

Lastly, anyone who, for whatever reason, and in whatever non-explosive fashion, physically and permanently removes Hummer etc like abominations from the streets, should be applauded, rather than punished. But that's just me, a cycling non-driver (and loving it).

{}August 11, 2016 12:42 PM

I don't like the current trend towards excessive complexity and automation in the design of user interfaces. It only introduces additional points of potential failure. An unnecessarily large "attack surface", if you will.

Cars where most controls are manual are (usually) the greatest pleasure to drive. Automate controls only where automation is actually useful.

What's wrong with using a well-designed, old-fashioned mechanical key?
(Plenty, actually. But keyless entry doesn't sound like an improvement over the mechanical keys of 30 years ago – keyless entry is harder for most owners to use, but no harder for thieves to bypass)

What happens if someone is inside the car when the electronics fail? I remember an incident locally where someone drowned because they couldn't get out of their car during a flood.

PeterAugust 11, 2016 12:54 PM

@ianf: one reason your solution doesn't work, at least in the simplest form, is that there is a need to drive cars before they are sold. That's what the guy at the rail yard was doing. He had private access to the cars, the wireless fobs, and papers for plenty of time. There are no doubt ways to fix it, but they all cost money, generally for people who don't have to pay for the problem.

N.N.August 11, 2016 1:17 PM

@Jayson: "The lesson here is not to own a car worth stealing"

Once I got this car stolen - in 2002! It was a 1995 model, quite rusty already and untidy inside. It had a car alarm and gear stick lock for extra security - to no avail. Stolen from a busy street near the center of a major city on Friday afternoon, not from some dark corner past midnight. The police did not find anything of course, I guess they haven't even tried.

So no, you can't own a car bad enough as to be completely unattractive to thieves - and at some point of your life you'll want a comfortable, practical, safe, dependable and nice-looking car instead of a piece of scrap waiting to fall apart. So insure, do not make stupid mistakes, and pray for the better. Or go carless if you can - in a big city it might be even better, cheaper and less frustrating for you, but not everyone lives in New York, London, Paris etc. etc.

ianfAugust 11, 2016 2:06 PM

@ Peter, there always will be shortcuts around obstacles, but what I meant was a system where "delivery-stage" car keys [factory to dealer] ARE intended/ designed from the start/ to be re-encoded/ by the buyer to ensure their "virgin" status. Because a car that gets nicked from a dealership is a whole different thing than one that is lifted from its "end-node" private owner. One guy told me he always replaces door locks on his—same make—cars with such bought legally from wreckers' yard, just as he would (and I do!) in a new apartment's door – to prevent the car being lifted with copies of manufacturer's original keys of his particular serially numbered model that may be "out there." He guards his reserve keys carefully.

@ N.N. – sounds like your "unattractive/ rusty" car was stolen for the motor, if not for scavenging even smaller parts from it, which in this scheme would be "finders keepers," rather than any ever so cheap used/ copycat ditto. I am told that one can assemble any standard sedan model with just bare chassis (from e.g. a crashed unit), and 2nd-hand parts from well-stocked wreckers' yards.

TatütataAugust 11, 2016 2:19 PM

he July video shows the thief connecting a laptop to the Jeep before driving away in it.

Next development: a tiny Bluetooth dongle that plugs straight into the diagnostic port, and software that runs on your favourite fondleslab. That should make it less conspicuous.

An idea just crossed my mind. If the diagnostic port is connected on the same bus as the door locks, then couldn't it be possible to monitor the exchanges with the keyfobs in the clear? Would it bring anything. A mechanic or a parking lot attendant might be able to plug and record details.

How about ransomware? Have there already been cases of "If you want your car to run again, send 10 bitcoins to this site"?

T.O. SalamancaAugust 11, 2016 4:43 PM

Peter: "There are no doubt ways to fix it, but they all cost money, generally for people who don't have to pay for the problem."

Corporate ethics in a nutshell.

K.S.August 11, 2016 8:53 PM


Some kind of:

fob hello
car hello + auth
fob auth + key

would make it marginally harder to re-broadcast.

Jonathan WilsonAugust 11, 2016 10:55 PM

The simple solution here is to make cars use a challenge-response mechanism. Key has a unique code burnt into it at manufacturer. Car is programmed with the unique codes of all keys that are valid to open/start the car (with some extra protection so the car ECU wont accept new keys being programmed in unless one of the existing valid keys is used to activate programming mode). When you open the car, key says "hello". Car sends key a random value. Key hashes this with stored unique code and responds back with the result. If it doesn't match the car's own computation of the same value, car wont open/start.

Prevents any kind of replay attack since the challenge value will be different every time (assuming the used hashing/mixing algorithm is strong enough you cant get the code back from the captured data). Unique key codes are never stored in any database that could ever be used to link them to a particular vehicle (preventing someone hacking a database somewhere and creating a new key for a given car). Cars wont accept any new keys programmed into them without an old key being present (preventing someone from hacking the car itself to get it to recognize a new key unless they have the old one available to activate the programming mode)

It does mean if you lose all your keys you are screwed and need a totally new ECU module but hey, for the manufacturer/dealer that would be an added bonus (extra profit for the dealer :)

AnuraAugust 12, 2016 6:06 AM

I think most of them already use challenge response systems; it all does nothing if the thieves can just reprogram the car directly. I'm not sure there is a really great solution - if you are 1000 miles from home, and a car runs over your key fob, someone needs to be able to rekey it. I mean, I guess you can force a process that takes 15 minutes to complete or something to make it risky for thieves.

ianfAugust 12, 2016 8:58 AM

@ herman

Old cars never get stolen, sometimes you just wish they would...

Don't be so sure, insurance fraud isn't dead, and "evolves" in tact with the insurers getting wiser, and crime adapting itself to new circumstances.

While googling for corroboration to my assertion of clean underwear every day, I find this BINGO! woman attempts to cure her diarrhoea by shoplifting underwear news story in clear proximity to this almost French banlieus-like wave of car burnings in Malmö, Sweden.

Judging by sheer extent, it may well hide one or more intentional destructions of cars that are worth more as checks from insurance companies, than as objects for sale on the open market. And the more cars that burn "along," the less time the investigators will have to study, and potentially challenge, the owners' claims.

Do Swedish car owners in those areas care so little about their "steads" that they're unable to organize nighttime watch-posses after 2 nights' burnings? As far as I know, there has been no reports of any "young unemployeds summer riots" in Sweden of late, so I can't find any other plausible explanation for that arson with no apparent connection to anything of larger public disorderly "nature."

TatütataAugust 12, 2016 11:38 AM

It does mean if you lose all your keys you are screwed and need a totally new ECU module but hey, for the manufacturer/dealer that would be an added bonus (extra profit for the dealer :)

The manufacturers certainly earn much more selling new cars than with areplacement ECUs, so they have an incentive AGAINST solving the problem. In any case, this is the kind of explanation suggested by the German media in their recurring pieces on car theft, which generally include the high speed car chase towards the border and its occasional ensuing casualties.

Pressure for a solution should/would rather come from insurers, as they are the ones who are most immediately concerned. (The car owners are actually the ones who ultimately foot the bill, but they don't really the leverage to influence their premium). This would be a situation comparable to the period when Underwriters Laboratories were founded.

A band-aid solution could be to have the ECU wait a few hours before recognising a newly programmed key. If a longish delay is objectionable (I don't think it is), and that the car is equipped with satnav, then a policy could be implemented where the delay gets much longer if the new key is programmed after dark and/or after business hours. (The last known time+position would be recorded at the moment the engine is shut off, and time kept on a RTC, in order defeat eventual GPS simulators).

Another approach would be to involve a third party (e.g. the manufacturer) in the fob programming, to record and verify that blank fob XXX was programmed by operator YYY to work with ECU serial ZZZ.

But car theft isn't the only automotive IT-related issue. In addition to the emissions scandal (which lays bare the recklessness of car manufacturers and the complacency of public authorities), there is the relative ease with which electronic odometers can be tampered with.

If you go to that shady guy behind the barn and hand him over a just a couple of bank notes, he will "rejuvenate" your clunker and easily increase its resale value by a few grands. The problem is apparently widespread.

The common element is the ECU and the diagnostic connector.

How about keeping a navsat-based summary journal of the car's operating history? Flash memory is reliable enough to maintain the ECU programming over the lifetime of the vehicle. The service life of the typical car is rarely more than a few thousand hours, and the cost of the required storage vanishingly cheap. The information would be limited to speed and RPM profiles, cumulative journey lengths, changes of gears, temperature, and would be tallied in overlapping blocks of weeks, in order to privacy. The maintenance record could also be maintained on board, instead of that easily lost and falsified booklet. The history could be timestamped and signed at each maintenance visit, in order to prevent someone attempting to reprogram the ECU wholesale. If the history is missing, the seller would have some 'splaining to do.

That would allow for a more objective assessment of a fair value for the vehicle than methods like kicking the tires, plucking a value out of the Blue Book, or allowing you to be sweet talked by Frank Fasttalker, the used car salesman.

This would be less intrusive IMO than some of the stuff which is actually done out there, where some insurers offer you lower premiums by having you relinquish total access to your driving history.

ianfAugust 12, 2016 2:11 PM

@ K.S., you're very terse today, so I couldn't figure out what kind of "auth" you had in "mind."

fob hello
car hello + auth
fob auth + key

I understood as much that it was some kind of wireless challenge/ (preset?) validating kosher response exchange, but how did you envision the latter to be submitted…? Without the key becoming more of a multifunction remote control, complete with a numerical keyboard. As Walter White EMPIRICALLY taught us, a single long-press function on a modified keyfob to unlock the boot of a primed car is ALL THAT IT TAKES to mission accomplished.

PeterAugust 12, 2016 8:38 PM

@T.O. Salamanca: I'd say human ethics in a nutshell.

@ianf: it sounds to me that your approach has problems analogous to encryption back doors. If you can change the key system once, you can change it more than once.

ianfAugust 13, 2016 2:23 AM

@ Peter,
             it's very easy to find wholes in the hole and/or vice-versa (versa-vice?) So what are you proposing instead as a 100% tight security setup that wouldn't involve blanket abandonment of cars (which, incidentally, I might be in favour of)?

PeterAugust 13, 2016 7:25 AM

@ianf: I'm not saying solutions aren't worth doing, or that your suggestions aren't worthwhile. However improvements have to be functional, even if they aren't perfect.

My preference would be to get rid of the fobs, and go back to keys. Keys aren't perfect, but physical security tends to be simpler than wireless, and breaches are more obvious. Is it really that much easier to push a button than to turn a key?

TatütataAugust 13, 2016 8:50 AM

Peter: My preference would be to get rid of the fobs, and go back to keys.

Impossible. A metal key wouldn't allow Jacky Moron to get his furry-diced penile extension to chirp while he sits at the terrace of the bar.

ianf: You only hate cars 10% as much as I do. In any case, you are proposing a standard challenge-response system, which would be difficuyltto implement in the automotive context as it implies a bilateral link, so you are essentially passing the problem to the RF guy. (But on the other hand, when these fobs were invented 20 years ago, BlueTooth, ZigBee et al weren't around; there are more so many more options available nowadays.)

The "hello" message would already have to carry some kind of identification message, in order to avoid dozens of overlapping and garbled responses, as would be the case on a parking lot. Then your fob would have to cycle between Tx and Rx modes, and the receiver on the fob would need to be about as sensitive as the one on the vehicle, whilst constrained by the available space and power. The fob would need more processing power and overall interaction delay would probably be similar as when you run a chip card over a public transit turnstile. The timing difference between a monthly card, a single fare, or a transfer ticket is quite noticeable to this user, and I'm not sure that the average car owner would accept a 1-2 second transaction time to open the door.

So this would explain IMO the "why" of Rolling-code algorithms. My hunch is that basic patents in that area probably contributed to slow pace of progress, but these have now lapsed (e.g. KeeLoq), or will lapse shortly.

MarkHAugust 14, 2016 1:27 AM

à propos de beat-up old vehicles as a deterrent to theft:

In the late 70s, I guy I knew in Boston was surprised by the theft of his rusty old Detroit relic. It was about 15 years old, and in those days most cars of such age deteriorated quite badly, especially in regions where salt is sprayed onto wintry roads.

When he reported the theft, the police explained the paradox: the engine block of his particular car was the same one used in a popular inboard motor for boats (boats being a Big Thing in the Boston area). So although the vehicle was nearly worthless as a car, it was valuable as a resource for engine recycling.

Of course, the thieves knew about this, and the police were aware because of a rash of thefts of similar old cars.

TatütataAugust 14, 2016 8:17 AM

@MarkH: Maybe all what the thieves wanted was a getaway car for a very 1970's bank robbery.

AlexAugust 17, 2016 12:05 PM

Simple solution -- PIN codes!

Keyfob can wirelessly interact with the car to unlock the doors & such like it always has... to start the engine, you key in a code, so now you have a token + PIN. Easy fix.

TRXAugust 17, 2016 3:16 PM

> wireless ... fob

I'm perfectly happy with my old-school metal key that I have to stick in the lock and turn. I fail to understand why I would want a bulkier key or a matchbox-sized fob, or why I would want to add more complexity and expense to an automobile.

This reminds me of the Fed's burning need for passports that broadcast private information to anyone who cared to pick up the signal. Somehow that was going to make everything *more* secure...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.