A man sitting in the driver’s seat of a Toyota is repeatedly tapping a button next to the steering wheel. A red light flashes—no luck, the engine won’t start. He doesn’t have the key. In response, the man pulls up an unusual tool: a Nokia 3310 phone.
The man plugs the phone into the car using a black cable. He then flicks through some options on the 3310’s tiny LCD screen. “CONNECT. GET DATA,” the screen says.
He then tries to start the car again. The light turns green, and the engine roars.
This under-30-second clip shows a new breed of car theft that is spreading across the U.S. Criminals use tiny devices, sometimes hidden inside innocuous-looking bluetooth speakers or mobile phones, to interface with the vehicle’s control system. This allows thieves with very little technical experience to steal cars without needing the key, sometimes in just 15 seconds or so. With the devices available to buy online for a few thousand dollars, the barrier to entry for stealing even high-end luxury cars is dramatically reduced.
“JBL Unlock + Start,” one ad for a device hidden inside a JBL-branded bluetooth speaker states. “No key needed!” The ad states that this specific device works on a variety of Toyota and Lexus cars: “Our device has a cool stealthy style and look,” it says.
“The device does all the work for them,” Ken Tindell, CTO at vehicle cybersecurity firm Canis Labs, told Motherboard in an email. “All they have to do is take two wires from the device, detach the headlight, and stuff the wires into the right holes in the vehicle side of the connector.” When it comes to vehicle owners protecting themselves from this sort of threat, “there’s nothing simple consumers can do.”
Earlier this month Tindell published research into these devices that he carried out with Ian Tabor, a friend in automotive cybersecurity. Tabor bought a device to reverse engineer after car thieves appear to have used one to steal his own Toyota RAV4 last year, the write-up says. After some digging, Tabor came across devices for sale that target Jeeps, Maseratis, and other vehicle brands, the post reads.
The video showing the man using a Nokia 3310 to start a Toyota is just one of many YouTube videos Motherboard found demonstrating the technique. Others show devices used on Maserati, Land Cruiser, and Lexus-branded vehicles. Multiple websites and Telegram channels advertise the tech for between 2,500 Euro and 18,000 Euro ($2,700 and $19,600). One seller is offering the Nokia 3310 device for 3,500 Euro ($3,800); another advertises it for 4,000 Euro ($4,300). Often sellers euphemistically refer to the tech as “emergency start” devices nominally intended for locksmiths. Some of the sites offer tools that may be of use to locksmiths, but legitimate businesses likely have no use for a tool that is hidden inside a phone or other casing.
Some of the sites even claim to offer updates for devices customers have already purchased, suggesting that development of the devices and their capabilities is an ongoing process.
Motherboard posed as an interested customer to one person offering to sell engine starters online. That person said they would ship a device to the U.S. via DHL.
“Yes, Nokia works with USA cars,” they wrote, referring to the engine starter hidden inside a Nokia phone. The seller said they take Western Union, MoneyGram, or bank transfers, and cryptocurrency.
They added that “the process of starting [the] engine takes around 10-15 seconds.”
Motherboard has previously spoken to people who sell another type of car theft device called a keyless repeater. These work by relaying messages from a victim’s car key, perhaps sitting in their home, to their vehicle in the driveway or nearby. But with these new devices, thieves don’t need the car key to be present at all.
According to Tindell and Tabor’s research, the attack, called CAN (controller area network) injection, works by sending fake messages that look as if they come from the car’s smart key receiver. The underlying issue is that vehicles trust these messages without verifying them. Once the thieves have accessed the necessary cables by removing the headlights, they can use their device to send these messages, the write-up adds.
Despite the devices’ high prices, the one Tabor bought contained just $10 worth of components, the write-up says. These include a chip with CAN hardware and firmware, and another CAN-related chip.
Once a device manufacturer has reverse engineered a particular vehicle’s messaging, creating each device would only take around a few minutes, Tindell told Motherboard. “It’s not a lot of work: solder some wires down, encase everything in a blob of resin,” he wrote.
At the moment, impacted vehicles are generally wide open to these sorts of attacks. The only proper fix would be to introduce cryptographic protections to CAN messages, Tindell told Motherboard in an email. This could be done via a software update, he added.
“The software is straightforward, and the only complex part is introducing the cryptographic key management infrastructure. But since new vehicle platforms are already deploying cryptographic solutions, that infrastructure is either in place or has to be built anyway,” he said.
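As an added illustration of the kind of cryptographic protection described above (this example is not from the article or from Tindell and Tabor's research), the sketch below authenticates a CAN payload with a truncated HMAC and a freshness counter, so a receiver rejects frames from a device that lacks the shared key as well as replays of captured frames. The key, CAN ID, field sizes and the `Sender`/`Receiver` names are constructed assumptions, not any manufacturer's scheme.

```python
import hashlib
import hmac
import struct

# Constructed sample values: not taken from any real vehicle.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CAN_ID = 0x123
DATA_LEN, TAG_LEN = 3, 4   # 3 data + 1 counter byte + 4 tag bytes = 8-byte payload

def _tag(key, can_id, counter, data):
    """Truncated HMAC-SHA256 over the frame ID, the full counter and the data."""
    msg = struct.pack(">II", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

class Sender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build(self, data):
        if len(data) != DATA_LEN:
            raise ValueError("data must be %d bytes" % DATA_LEN)
        self.counter += 1
        tag = _tag(self.key, self.can_id, self.counter, data)
        return data + bytes([self.counter & 0xFF]) + tag

class Receiver:
    def __init__(self, key, can_id, window=8):
        self.key, self.can_id, self.last, self.window = key, can_id, 0, window

    def accept(self, can_id, payload):
        if can_id != self.can_id or len(payload) != DATA_LEN + 1 + TAG_LEN:
            return False
        data, low, tag = payload[:DATA_LEN], payload[DATA_LEN], payload[DATA_LEN + 1:]
        # Rebuild the full counter: the next value above `last` with this low byte.
        counter = (self.last & ~0xFF) | low
        if counter <= self.last:
            counter += 0x100
        if counter - self.last > self.window:
            return False                      # stale (replayed) or too far ahead
        if not hmac.compare_digest(tag, _tag(self.key, can_id, counter, data)):
            return False                      # sender does not hold the key
        self.last = counter                   # advance only on a verified frame
        return True
```

The hard part in practice is the one Tindell names: provisioning and managing the shared key across the vehicle's control units, which this sketch takes as given.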
Motherboard contacted multiple car manufacturers named by people selling these devices, including BMW and Toyota. BMW did not respond.
Corey Proffitt, senior manager of connected communications at Toyota Motor North America, told Motherboard in an email that “Vehicle theft is an industry-wide challenge that Toyota takes seriously. Even with advances in technology, thieves reportedly are devising ways to circumvent existing anti-theft systems. We are committed to continuing to work on this issue with theft prevention experts, law enforcement, and other key stakeholders.”