Scam of the day – November 5, 2015 – Jaguar automobile stolen through hacking

I have been warning of you of the dangers of the Internet of things for a long time.  The Internet of Things is the name for the technology by which devices are connected and controlled over the Internet.  This includes cars, refrigerators, coffee makers, televisions and even medical devices. Here is a link to a column I wrote for USA Today about the dangers presented by the Internet of Things.  http://www.usatoday.com/story/money/columnist/2015/04/04/weisman-internet-of-things-cyber-security/70742000/

Of particular concern is the vulnerability of cars to being hacked. Last summer the media was filled with stories about two white hat hackers, Charlie Miller and Chris Valasek who hacked into a Jeep Cherokee through its UConnect entertainment system and were able to remotely take control of the car’s speed, brakes, radio, windshield wipers and other features.  Largely in response to this story which heightened awareness of the ability of hackers to take control of our increasingly computerized cars, Fiat Chrysler issued a recall yesterday of 1.4 million vehicles to make corrections to prevent this type of problem.

Now from New Zealand comes the story of a the theft of a Jaguar automobile valued at more than $123,000 right from a Jaguar dealership in Auckland, New Zealand.  The thief apparently walked right into the dealership and drove the car off the lot although no key was in the car and the car was locked.  The reason the thief was able to do this was that this Jaguar, like many cars uses a wireless key fob to both lock and unlock the car as well as start the engine.  The device used by the thief to accomplish this is readily available for purchase online.  Although this story may seem unusual to you, in fact, 6,000 cars were stolen in London alone  last year using this technology. in fact, in 2006, David Beckham’s BMW X5 was stolen using this technology.

One of the ways that cyber car thieves manage to steal cars is by using a power amplifier which they can buy for as little as $17 which can pick up the signal from your key fob from as far away as three hundred feet.  They then capture the information and use it to unlock your car and start the engine.

This security problem should have come as no surprise to Jaguar, as researchers Roel Verdult, Baris Ege and Flavio D. Garcia have published a paper entitled, “Dismantling Megamos Crypto:  Wirelessly Lockpicking a Vehicle Immobilizer” and notified responsibly notified manufacturers of this problem three years ago.  The Megamos Crypto system is commonly used key fob security system.    Here is a link to slides used by these researchers at a presentation of their paper  https://www.usenix.org/sites/default/files/conference/protected-files/verdult_sec13_slides.pdf

You will note that one of the early slides of the presentation reads “Due to a recent injunction by the High Court of London this talk cannot cover the technical core of the accepted paper” so certainly these slides will not provide the precise information necessary for a cybercriminal to steal a car, but the slides do provide details of how it can be done.

TIPS

So how safe is your car if you use a wireless key fob?  Since there are actually a number of different ways by which your key fob may be vulnerable it is hard to tell.   For such a high tech crime, one of the best solutions is to wrap your key fob in aluminum foil which will block the signal from your key fob from being picked up by a cyber car thief.  Then unwrap the key fob when you use it to open your car.