Car thieves found using handheld fobs to hack automatic car locks

A surveillance video from Long Beach, Calif., captured the device in action, showing two thieves as they approached cars parked in driveways and proceeded to gain access to them with an antilock device of some kind that appears to function just like a standard key fob. Then they rifle through the car and take everything of value.

"This is bad in the sense we're stumped," Long Beach Deputy Police Chief David Hendricks told the Today Show. “We are stumped and we don't know what this technology is."

He added that even the car manufacturers have no idea what’s happening. Typically, the “unlock” button on a key fob sends a one-time encrypted code to the car telling it to open up – by virtue of the dynamically generated code, it should be impossible to clone a key fob. Also, the hack appears to work only on some makes and models. Security video shows the devices failing, for instance, when it comes to Ford SUVs and Cadillacs.
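The one-time code idea described above, seen from the car's side, as an added example that is not code from the article or from any manufacturer: the fob sends a counter plus a keyed tag, and the receiver refuses any frame whose counter it has already accepted. The HMAC construction, frame layout, window size and all names here are assumptions chosen for illustration.

```python
import hashlib
import hmac

WINDOW = 16  # assumed: how many missed button presses the car tolerates


def make_frame(key: bytes, counter: int) -> bytes:
    """Frame = 4-byte counter + 8-byte truncated HMAC-SHA256 tag (assumed layout)."""
    msg = counter.to_bytes(4, "big")
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1  # every press uses a new counter, so a new code
        return make_frame(self.key, self.counter)


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(frame, make_frame(self.key, counter)):
            return False  # tag does not match the shared key: forged or corrupted
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return False  # already used (replay) or too far ahead of the car
        self.last_counter = counter  # burn this code and every earlier one
        return True


def demo() -> dict:
    key = bytes(range(16))  # constructed sample key
    fob, car = Fob(key), Receiver(key)
    first = fob.press()
    results = {"fresh": car.accept(first), "replayed": car.accept(first)}
    results["wrong_key"] = car.accept(make_frame(b"\x00" * 16, 2))
    for _ in range(2):
        fob.press()  # presses made out of radio range are simply lost
    results["after_missed_presses"] = car.accept(fob.press())
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the design trade-off: it keeps the fob usable after stray presses, and any accepted frame invalidates every earlier counter value.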

"We've reached out to the car manufacturers, the manufacturers of the vehicle alarm systems: Nobody seems to know what this technology is," Hendricks added. "When you look at the video and you see how easy it is, it's pretty unnerving."

The hack is spreading, too. Home security cameras in Illinois have caught the exact same behavior.

Car security is not a newcomer to the cyberthreat scene, it should be noted. Researchers at the University of Washington and the University of San Diego in 2010 created CarShark, a laptop-based program that can hack into telematics software to control engines, brakes, locks, alerts and more. Meanwhile, at the 2011 BlackHat security conference, iSec Partners unlocked and started a Subaru Outback using only their Android smartphones. By setting up their own GSM network, the researchers snagged authentication passwords by way of text messages. This gained them entry to the vehicle, and also allowed them to fire up the engine.

"It's interesting to see that the researchers have identified that most cars built since the late 1990s have a computer diagnostic port, since this port needs direct physical access to operate and therefore hack", said Barmak Meftah, Fortify Software's chief products officer, speaking to Infosecurity about CarShark. "But now these systems are being wirelessly enabled and held together with several tens of megabytes of code; it's a relatively small step to modify the code and allow hackers an easy and wireless back door into a car's computer system", he added.

As cars get smarter, and more connected, the threats simply increase. That's why last year, McAfee, Ford, Intel and others said that they were working on a way to “protect the dozens of tiny computers and electronic communications systems that are built into every modern car” by uncovering and locking up vulnerabilities.

"It used to be that drivers only had to worry about driving safely, following the rules of the road and maintaining their vehicle, but now vehicle owners have a new issue to worry about: IT security," said Neil DuPaul, a security researcher for Veracode, in a blog post. "Automotive companies are competing for our business, and are looking for ways to set their vehicles apart from all the other options consumers have. Enter connected cars. First introduced in luxury vehicles, these cars offer features that make driving more enjoyable and convenient. These features are becoming more common in cars at all price points, meaning consumers should be aware of the security issues they introduce."
