Saturday, 3 June 2017

Washington Post/Hamza Shaban: How hacked computer code allegedly helped a biker gang steal 150 Jeeps

The Washington Post
Democracy Dies in Darkness

The Switch

How hacked computer code allegedly helped a biker gang steal 150 Jeeps

By Hamza Shaban June 1

Jeep vehicles are seen on a sales lot on May 23 in Miami. (Joe Raedle/Getty Images)

In a cross-border auto heist that resembles a scrapped plot from the “Fast and the Furious” franchise, nine members of a Tijuana-based biker club have been charged with stealing 150 Jeep Wranglers using stolen computer code and key designs, the Justice Department announced earlier this week.

Known as the Hooligans, the biker gang allegedly stole the Jeeps in the San Diego area over the past several years, selling the vehicles or stripping them for parts across the border in Mexico, U.S. Attorney Mark Conover said during a news conference recorded by the San Diego Union-Tribune. The value of the stolen Jeeps was $4.5 million.

According to the indictment, the Hooligans staked out vehicles days before the thefts to obtain their vehicle identification numbers. With these numbers in hand, the suspects were able to get details to create duplicate car keys, as well as the codes needed to program the keys, linking them to the Jeep Wranglers. The key designs and codes were stored in a proprietary database. But law enforcement officials don’t know how the Hooligans were able to access it.

In the course of the investigation, authorities said they learned that nearly 20 requests for duplicate keys were made by a Jeep dealership in Cabo San Lucas, Mexico.

Conover said the thefts took only minutes. After using the duplicate key to get inside the car, the Hooligan members used a handheld electronic device to pair the key with the car's computer to turn the engine on and drive off.

While Conover did not name the exact device used in the thefts, Kathleen Fisher, a Tufts University computer science professor and security researcher, said that such key programmers are relatively cheap, with some costing less than $100, and readily available online.

That auto companies or their partners maintain databases to store key and programming codes is not in itself unusual. After all, rightful car owners would need that information to create new keys if they were locked out, Fisher said. But in this case, it appears the security vulnerability may have been the integrity of the database. One way for criminals to extract stored information is to hack into a network that has access to it, she said. Another way is to get authorized users to obtain the information themselves and then pass it on, or to share active credentials with someone who shouldn't have them.

Experts say that widespread hacks of cars may soon become a reality. In an alarming demonstration captured by a widely read Wired article from 2015, researchers Charlie Miller and Chris Valasek showed that they could wirelessly hijack a 2014 Jeep Cherokee. The researchers could disengage the Jeep's brakes, cause the transmission to malfunction and, at lower speeds, kill the engine altogether.

Hacking tools are easily spread online, and pervasive software threats are costly to patch up. Car companies also face the challenge of justifying increased security costs to customers, Fisher said. A car's cybersecurity isn't the easiest thing to advertise, compared to say, horsepower or leg room. Outside of industry-wide pressure from regulators or insurers, individual companies may hesitate to spend more on security, despite the massive risks that hijacked and hacked cars pose. “We don’t do a very good job accounting for the cost of bad security," Fisher said.

Hamza Shaban covers tech news for The Washington Post. Prior to joining The Post, he worked at Buzzfeed, where he covered tech policy for the past two years, writing about antitrust, free speech, surveillance, cybersecurity and the tension between privacy and security interests.
Follow @hshaban

 Most read


    1
    Walmart is asking employees to deliver packages on their way home from work
    2
    Like ‘champagne bottles being opened’: Scientists document an ancient Arctic methane explosion
    3
    These titans of industry just broke with Trump’s decision to exit the Paris accords
    4
    The big missteps that brought an American retail icon to the edge of collapse
    5
    How a Supreme Court ruling on printer cartridges changes what it means to buy almost anything

subscribe
The story must be told.
Subscribe to The Washington Post.
Subscribe
Market Watch
DJIA 0.29%
NASDAQ 0.94%
Get quote
Last Update: 4:44 PM 06/02/2017(DJIA&NASDAQ)

    washingtonpost.com
    © 1996-2017 The Washington Post
    
   
Post a Comment