Police in Europe Arrest 31 for Hacking and Stealing Autos
Keyless Auto Theft Is a Mounting Threat for Car Owners
Police in three European countries arrested 31 individuals involved in the keyless theft of automobiles. Included in the roundup were suspects in France, Spain and Latvia. They include developers of software enabling the theft, its resellers and car thieves who used it to make off with vehicles made by two unnamed French manufacturers.
The arrest operation was coordinated by Europol, which announced that national authorities raided 22 locations and seized more than 1 million euros.
The operation was helmed by the French Gendarmerie’s Cybercrime Center. The case has been active at least since March. The software was marketed online as a diagnostic tool, and Europol says thieves used it to "replace the original software of the vehicles, allowing the doors to be opened and the ignition to be started without the actual key fob." The full package cost 4,000 euros, a Europol spokesperson says. The pan-European law enforcement coordination agency anticipates the arrest of more thieves who used the software.
Keyless theft of cars has become a mounting problem as automobiles become ever more dominated by internal sensors paired with wireless connections and physical keys are replaced by fobs.
A common way to execute keyless auto theft is a relay attack, which involves intercepting a car's scan for a signal from a fob with authorization to start the engine. The European car theft ring rolled up by Europol appears more sophisticated, says Sam Beaumont, a principal security consultant with IOActive.
Based on publicly available data, it looks as if the thieves found a vulnerability in the electronic control unit governing the authorization of new key fobs. Either they found a way to skip a check that the new fob is properly authorized or they simply reprogrammed the entire electronic control unit, she tells Information Security Media Group.
How the thieves gained access to the ECU in question "is the interesting part," she says. That's less clear, but it likely requires physical access to a car.
"They're not stealing someone's legitimate key and reprogramming it to open the door," says Beaumont.
An ECU made by a single company can feed the supply chain of more than one auto manufacturer and become present in tens of thousands or hundreds of thousands of cars.
The auto industry is more concerned with cybersecurity than it once was, but the fleet of active vehicles has a long way to go to catch up with best practices such as security by design. The average age of cars and light trucks in operation inside the United States now stands at slightly more than 12 years, reflecting an upward trend that especially took off during the last decade.
"Normally, the vehicle you're driving now was thought of a decade ago," Beaumont says.
With reporting by ISMG's David Perera in Washington, D.C.