Laptop Thieves
High-Tech Thieves Use Laptops to Steal Cars with RFID Chips
By JOHN HOLL

NEW YORK -- Security technology created to protect luxury vehicles may now make it easier for tech-savvy thieves to drive away with them. In April, high-tech criminals made international headlines when they used a laptop and transmitter to open the locks and start the ignition of an armor-plated BMW X5 belonging to soccer player David Beckham, the second X5 stolen from him using this technology within six months.

The most recent theft occurred while Beckham and his two sons were eating at a restaurant in suburban Madrid. Spanish police suspected a Bulgarian gang of car thieves that specialize in stealing luxury cars. At the time of publication, no suspects had yet been apprehended.

This highly publicized theft was not the first indication that keyless systems were vulnerable to wireless break-ins. Back in 2004, when keyless technology was still new and touted as unbreakable and secure, Dr. Aviel D. Rubin, a professor of computer science at Johns Hopkins University, along with several of his graduate students examined this possibility. Within three months they had successfully cracked the code embedded within the ignition keys of newer model cars, theoretically allowing them to steal the autos.

Using a laptop computer, an antenna and specifically designed software, Rubin and his team extracted a code that transmits from a small Radio Frequency Identification (RFID) chip inside the key. From there the team tested more than one trillion possible encryption answers.

"It was a trial-and-error process," Rubin said. "We wanted to see if it could be broken and found out that it could. We were surprised."

Realizing the ramifications of their discovery, Rubin and his team presented their findings to Texas Instruments — the makers of the chip — and automaker representatives and posted their research paper online. On the site, the team does not reveal the specifics of how they broke the code, so as to not enable criminals to harness the technology.

Texas Instruments’ reaction was one of surprise, Rubin said. The chip manufacturer was skeptical at first, but once the engineers received an in-person demonstration, they relented that the technology could be broken. Unfortunately, there wasn't much that TI, the world’s largest integrated maker of RFID tags, smart labels and reader systems, could do about it. A recall would be nearly impossible and very expensive.

Bill Allen, director of business development for Texas Instruments' RFID division, did not dispute what the Johns Hopkins team did, but said it is "a complex thing and not something that can be done easily."

He said that researchers were working on staying one step ahead of criminals. Texas Instruments, he said, had already introduced 128-bit encrypted RFID tags to make it harder for thieves and hackers to manipulate the system.

"In practicality, consumers are as safe today as they were yesterday," Allen said.

Kevin P. McHugh, president of the International Association of Auto Theft Investigators, said RFID thefts "are known and growing" in Europe, especially with expensive cars. However, because the method used to steal a car isn’t always noted in police reports here, the specific number of how many cars had been stolen in the U.S. using laptops is unknown, confirmed Frank Scafidi, director of public affairs for the National Insurance Crime Bureau.

Yet these recent thefts may be no cause for alarm in America. The number of reported car thefts in the U.S. has increased in 2004 there were more than 1.8 million cars stolen in the U.S., up 1.9 percent from 2003, according to the Department of Justice.

"It is getting harder for the amateur to steal cars," McHugh said. "The professional thief with high-tech experience who wants your car for reason ‘x’ is going to come up with a way to get it, and these days that often involves using technology."

RFID chips are used in everything from supermarket scanners to credit cards. Of the hundreds of millions of RFID ignition keys in use in the United States, most operate with a 40-bit frequency that broadcasts their number through the air. In order for thieves to get access to the numbers, they first must get within several inches of the key with a receiver. From there, the signal can be downloaded onto a computer, processed and broken in about 15 minutes. The thieves can then feed the signal to the car and successfully hotwire the vehicle.

Nick Twork, a technology spokesman for Ford Motor Company, said that while no technology is foolproof, RFID has contributed to a drop in thefts over the last several years.

"We are always coming up with new ways to make it harder for people to steal cars," Twork said. "And if a car is stolen, we are making it easier to recover."

Twork said that Ford is also working on next-generation antitheft measures but declined to elaborate when asked for specifics.

Loretta Worters, a spokeswoman for the Insurance Information Institute, said that insurance companies are inclined to offer reduced rates to consumers who drive cars equipped with antitheft devices like RFID, alarm systems and safety devices like airbags.

"We feel that anything that can help reduce the number of thefts is a good thing," Worters said. "It benefits the owner of the vehicle and the insurance companies."

She added that RFID thefts "are not a big problem in the [insurance] industry.”

With millions of these tags in circulation, Rubin says there is not a lot drivers can do to protect themselves. "You can wrap [your keys] in tinfoil, but that's not very practical," he said. "It is best to wait until the second-generation tags come out."

Gone in 60 seconds--the high-tech version

By Robert Vamosi
Special to CNET News.com
Published: May 6, 2006, 6:00 AM PDT

Let's say you just bought a Mercedes S550--a state-of-the-art, high-tech vehicle with an antitheft keyless ignition system.

After you pull into a Starbucks to celebrate with a grande latte and a scone, a man in a T-shirt and jeans with a laptop sits next to you and starts up a friendly conversation: "Is that the S550? How do you like it so far?" Eager to share, you converse for a few minutes, then the man thanks you and is gone. A moment later, you look up to discover your new Mercedes is gone as well.

Now, decrypting one 40-bit code sequence can not only disengage the security system and unlock the doors, it can also start the car--making the hack tempting for thieves. The owner of the code is now the true owner of the car. And while high-end, high-tech auto thefts like this are more common in Europe today, they will soon start happening in America. The sad thing is that manufacturers of keyless devices don't seem to care.

Wireless or contactless devices in cars are not new. Remote keyless entry systems--those black fobs we all have dangling next to our car keys--have been around for years. While the owner is still a few feet away from a car, the fobs can disengage the auto alarm and unlock the doors; they can even activate the car's panic alarm in an emergency.

First introduced in the 1980s, modern remote keyless entry systems use a circuit board, a coded radio-frequency identification (RFID) technology chip, a battery and a small antenna. The last two are designed so that the fob can broadcast to a car while it's still several feet away.

The RFID chip in the key fob contains a select set of codes designed to work with a given car. These codes are rolling 40-bit strings: With each use, the code changes slightly, creating about 1 trillion possible combinations in total. When you push the unlock button, the keyfob sends a 40-bit code, along with an instruction to unlock the car doors. If the synced-up receiver gets the 40-bit code it is expecting, the vehicle performs the instruction. If not, the car does not respond.

A second antitheft use of RFID is for remote vehicle immobilizers. These tiny chips, embedded inside the plastic head of the ignition keys, are used with more than 150 million vehicles today. Improper use prevents the car's fuel pump from operating correctly. Unless the driver has the correct key chip installed, the car will run out of fuel a few blocks from the attempted theft. (That's why valet keys don't have the chips installed; valets need to drive the car only short distances.)

One estimate suggests that since their introduction in the late 1990s, vehicle immobilizers have resulted in a 90 percent decrease in auto thefts nationwide.

But can this system be defeated? Yes.

Keyless ignition systems allow you the convenience of starting your car with the touch of a button, without removing the chip from your pocket or purse or backpack. Like vehicle immobilizers, keyless ignition systems work only in the presence of the proper chip. Unlike remote keyless entry systems, they are passive, don't require a battery and have much shorter ranges (usually six feet or less). And instead of sending a signal, they rely on a signal being emitted from the car itself.

Given that the car is more or less broadcasting its code and looking for a response, it seems possible that a thief could try different codes and see what the responses are. Last fall, the authors of a study from Johns Hopkins University and the security company RSA carried out an experiment using a laptop equipped with a microreader. They were able to capture and decrypt the code sequence, then disengage the alarm and unlock and start a 2005 Ford Escape SUV without the key. They even provided an online video of their "car theft."

But if you think that such a hack might occur only in a pristine academic environment, with the right equipment, you're wrong.

Real-world examples: Meet Radko Soucek, a 32-year-old car thief from the Czech Republic. He's alleged to have stolen several expensive cars in and around Prague using a laptop and a reader. Soucek is not new to auto theft--he has been stealing cars since he was 11 years old. But he recently turned high-tech when he realized how easily it could be done.

Ironically, what led to his downfall was his own laptop, which held evidence of all his past encryption attempts. With a database of successful encryption strings already stored on his hard drive, he had the ability to crack cars he'd never seen before in a relatively short amount of time.

And Soucek isn't an isolated example. Recently, soccer player David Beckham had not one, but two, antitheft-engineered BMW S5 SUVs stolen. The most recent theft occurred in Madrid, Spain. Police believe an auto theft gang using software instead of hardware pinched both of Beckham's BMWs.

How a keyless car gets stolen isn't exactly a state secret--much of the required knowledge is Basic Encryption 101. The authors of the Johns Hopkins/RSA study needed only to capture two challenge-and-response pairs from their intended target before cracking the encryption.

In an example from the paper, they wanted to see if they could swipe the passive code off the keyless ignition device itself. To do so, the authors simulated a car's ignition system (the RFID reader) on a laptop. By sitting close to someone with a keyless ignition device in his pocket, the authors were able to perform several scans in less than one second without the victim knowing. They then began decrypting the sampled challenge-response pairs. Using brute-force attack techniques, the researchers had the laptop try different combinations of symbols until they found combinations that matched. Once they had the matching codes, they could then predict the sequence and were soon able to gain entrance to the target car and start it.

In the case of Beckham, police think the criminals waited until he left his car, then proceeded to use a brute-force attack until the car was disarmed, unlocked and stolen.

Hear no evil, speak no evil . . . The authors of the Johns Hopkins/RSA study suggest that the RFID industry move away from the relatively simple 40-bit encryption technology now in use and adopt a more established encryption standard, such as the 128-bit Advanced Encryption Standard (AES). The longer the encryption code, the harder it is to crack.


The authors also suggest that car owners wrap their keyless ignition fobs in tin foil when not in use to prevent active scanning attacks, and that automobile manufacturers place a protective cylinder around the ignition slot. This latter step would limit the RFID broadcast range and make it harder for someone outside the car to eavesdrop on the code sequence.

Unfortunately, the companies making RFID systems for cars don't think there's a problem. The 17th annual CardTechSecureTech conference took place this past week in San Francisco, and CNET News.com had an opportunity to talk with a handful of RFID vendors. None wanted to be quoted, nor would any talk about 128-bit AES encryption replacing the current 40-bit code anytime soon. Few were familiar with the Johns Hopkins/RSA study we cited, and even fewer knew about keyless ignition cars being stolen in Europe.

Even Consumer Reports acknowledges that keyless ignition systems might not be secure enough for prime time, yet the RFID industry adamantly continues to whistle its happy little tune. Until changes are made in the keyless systems, any car we buy will definitely have an ignition key that can't be copied by a laptop.

 

LOS ANGELES TIMES - February 8, 2006

Thieves outwit high-tech advances

Automobile antitheft systems have gotten smart -- but so have networks of criminals.

By Ralph Vartabedian
Times Staff Writer

February 8, 2006

The recent thefts in Southern California of several Lexus LS 400s, known among security experts for their antitheft systems that tie into the car's central computer system, have created new concerns about the evolving expertise of organized crime rings to defeat the auto industry's most clever engineering.

In the past, the theft of a few vehicles might not have seemed like such a big deal. But the ability of thieves to defeat top-tier automotive technology is another sign of the sophistication of criminal networks. Increasingly, car theft is more like computer hacking than like breaking and entering a home or business protected by physical locks and keys.

For every step taken by engineers to increase the difficulty of stealing a car, criminal networks have responded with schemes to defeat physical and electronic systems.

"It is a cat-and-mouse game between the bad guys on the street and the engineers in the lab," said Kim Hazelbaker, senior vice president of the Highway Loss Data Institute, a Washington, D.C. insurance group.

Though theft rates have been cut in half, insured losses remain unchanged from a decade ago as professional thieves target higher-value vehicles.

Just like any automotive technology, antitheft systems differ widely in both their design and effectiveness, said Forrest Folck, who operates Motor Vehicle Forensic Services in San Diego.

The LS 400s that were stolen are among models that use a smart key to tie into the car's electronic control module, or ECM, the central brain for the engine, transmission and related systems. Unless the smart key sends the proper code to the ECM transponder, the ECM disables the electronic fuel-injection system.

Here's how a criminal ring has defeated it: First, they force the locks on the door and steering column with a custom-made tool, using a socket wrench coupled to a specially machined blank key that fits any Lexus lock and can deform the wafers and tumblers.

Once inside the car, the hood is popped, the steering wheel lock is broken and the ignition electronics can be engaged. Normally, however, the ECM transponder would recognize that the key is not providing the proper security code.

But a second team member goes straight for the ECM, unscrewing the 6-by-8-inch box under the hood and unplugging the 50-pin connector. It is replaced with an altered ECM with a disabled transponder that does not shut down the fuel-injection system, Folck said.

Ken Zion, a collision and theft expert from Auto Collision Consultants, said he inspected two of the Lexus LS 400s and was impressed with how little damage was caused during the thefts.

"This was very ingenious," Zion said. "They can do the entire ECM swap in under five minutes."

The Lexus vehicles were recovered by an inter-agency auto theft task force, one of 16 in the state funded with a portion of vehicle taxes in an attempt to keep a lid on the theft problem.

Southern California is close to the Mexican border and next to the nation's largest port complex, both destinations of choice for thieves who want to export luxury cars to foreign markets, according to Hazelbaker.

In 2004, there were 2.3 theft claims nationwide for every 1,000 insured vehicles. By contrast, Los Angeles has 2.8 theft claims per 1,000 and the claims average $10,240, about 30% above the national average, he said.

Mark Stowell, a theft expert with the National Insurance Crime Bureau who works with the Orange County Auto Theft Task Force, said police recover 86% of stolen vehicles. While some are undamaged, many are stripped, crashed or burned.

Every generation of antitheft technology is good for a while but eventually gets figured out by criminal networks, a cycle Hazelbaker has seen play out before.

"A new technology is good for two or three years before you see the theft statistics creep back up," he said. "By five or six years, if the manufacturer hasn't changed the technology, you see the numbers back to where they were before."

The evolution began with locking steering columns back in the 1970s. They were effective until thieves defeated them with brute force. Now, even teenage thieves know how to defeat a locking steering column.

Among the most sophisticated antitheft systems is the Bosch controller area network system, used on BMW, Mercedes-Benz and other brands, Folck said.

But thieves have increasingly found ways to defeat this system as well, using laptop computers that plug into the OBD II connector under the steering wheel to reprogram the vehicle's software. Who is smart enough to write pirate software to steal cars? Electrical engineers who are familiar with basic computer design, Folck said.

Less sophisticated antitheft systems are widely used, including the General Motors "Pass Key" system. Folck said Pass Key systems are defeated using a simple magnetic tool. Consequently, the Cadillac Escalade has ranked as the most frequently stolen vehicle in the nation.

Folck said homemade antitheft systems that cut off power to a key mechanical system often cause thieves more trouble than a factory device because they are so unpredictable in design. But even if a homemade or factory electronic system does work perfectly, it will not necessarily protect a vehicle.

Some theft teams use casters to elevate a car off its wheels and then roll it onto a flatbed tow truck.

*Ralph Vartabedian can be reached at ralph.vartabedian @latimes.com.
 

HOUSTON CHRONICLE - January 31, 2005