High-Tech Car Crime Is Becoming a Big Problem

A spate of Jeep thefts and a new Volkwagen security breach suggest that automakers must do more to protect cars from hackers.

• by Jamie Condliffe

Stealing a car no longer requires a pry bar and an understanding of how to rewire an ignition. Increasingly, it seems, all a criminal needs is a laptop.

Hackers have shown that they can take remote control of a Jeep Cherokee while someone is driving it. That means they could, in theory at least, cut the engine or brakes while the car was in motion. But there’s now a more fundamental problem for car owners, and a more attractive proposition for criminals: high-tech theft.

Earlier this year, a video was published online that showed a pair of car thieves using a laptop to steal a 2010 Jeep Wrangler. The hack that they used hasn’t been described in detail, though it’s not thought to be related to another hack of a Jeep Cherokee last year. While the technique does appear to require that the criminals break into the car and physically connect a computer to its internal systems (it’s not clear via which kind of interface), once they’re in, thieves can get the car started without a key.

And it’s been working pretty well for them. Autoblog reported that a pair of hackers were arrested in Houston recently for using the approach to steal more than 30 Jeeps over a six-month period. Fiat Chrysler Automobiles, Jeep’s parent company, is believed to be investigating over 100 vehicle thefts that were carried out recently using similar methods.

Those numbers may yet rise further—much further. Computer scientists from the University of Birmingham, U.K., have announced details of a new wireless hack that can be used to unlock almost every Volkswagen group car sold since 1995. Their technique—which can be performed using a laptop and software-defined radio or a $40 handful of off-the-shelf electrical components—can be used to re-create the unlock signals sent by a driver’s key fob.

The team has explained to Wired that it reverse-engineered the code in Volkswagen’s security systems in order to identify cryptographic keys used to encode those unlock signals. To their surprise, the team found that just four different cryptographic keys are used for as many as 100 million vehicles. After capturing another cryptographic key from the signals sent as a driver unlocks the car door, the researchers can combine the two numbers to unlock the target vehicle themselves.

The team points out that some of Volkswagen’s latest vehicles, including the Golf 7, use a more robust security system, where both cryptographic keys are unique to each vehicle.

Criminals also have to be within 300 feet of vehicle they’re seeking to steal. But given that the flaw affects virtually every Volkswagen group car sold in the last 20 years, including those made by Audi and Škoda, it’s still a significant issue.

Details of the reverse-engineering involved in the study haven’t been published, but you can bet that other criminals will be seeking to find out the secrets for themselves.

Cars are increasingly being developed by software engineers as well as mechanical engineers. As vehicles become more computerized and connected, the threat posed by computer flaws could get far worse. While neither of the latest hacks exploit the use of a car’s Internet connections, it’s easy enough to imagine similar, potentially more serious problems also plaguing vehicles (such as the Tesla fleet, for example) that use cellular networks to access data and updates from the Web.

Automakers appear to be taking the issue seriously. GM CEO Mary Barra recently declared automotive cyber incidents “a matter of public safety,” explaining that “whether it is phishing or spyware, malware or ransomware, the attacks are getting more and more sophisticated every day.” The Alliance of Automobile Manufacturers and the Association of Global Automakers have also released new best practices on automotive security, which include recommendations about digital vulnerabilities. But the car industry moves at a very different pace from that of the technology sector, and cars yet to roll off the production line are likely to remain vulnerable to hacks for some time to come.

So far it’s unclear what Fiat Chrysler and Volkswagen will do about the flaws that put their vehicles at risk of theft. Last year’s remote-control hack of a Jeep Cherokee resulted in a recall of 1.4 million vehicles. It won’t be the last.