How Hackers Can Grab Your Car

A new breed of crooks can loot your car electronically.

Aug. 31, 2013— -- With AAA predicting the biggest Labor Day travel weekend since the recession hit, many Americans will be stealing away for that final summer trip. Unfortunately, they won't be the only ones stealing.

There's a new type of crime happening on America's highways and byways. A nationwide crime spree in the making, if you will, whereby high-tech thieves can unlock vehicles easier than you'd like to think possible.

We're way beyond rocks, cobblestones, baseball bats, shims and crowbars now. Using improvised electronic devices that recreate the same signals as the key fobs many of us carry, thieves can pop the lock on your car from afar, then rifle through your belongings and steal whatever they like, all without the noise and trouble of breaking a window or jimmying a lock.

Once the stuff of urban legend, this kind of crime is now on the rise, according to police. "We believe that this code-grabbing technology was utilized and we are looking into it," Sgt. Andrew Schoeff of the Chicago Police Department told ABC News after thieves there broke into multiple cars in one neighborhood.

Technology experts have warned for years that key fob crimes were possible. In 2011 Swiss researchers announced they had cracked the encrypted remote entry systems of ten car models by eight different manufacturers, using equipment that cost as little as $100. That research has now become reality, as crime rings from Chicago to Long Beach have figured it out.

The way this crime works is still somewhat of a mystery in crime-fighting circles. And while there are doubtless ways to avoid becoming a victim, I'm not sure what they might be beyond owning a car that doesn't use the fob system.

A Terrifying Turn

While it's unsettling to have your car invaded or stolen while you're on a Labor Day trip with your family, it's not life threatening. What scares me is when a car hacker evolves from messing with your doors to invading your car's computer system.

The possibility of this even stranger and more dangerous crime is lurking on the horizon. Most modern cars use computers to control everything from engine compression to cruise control, airbags and brakes. Those computers communicate with each other on open networks. Using an $80,000 grant from the Defense Advanced Research Projects Agency (DARPA), two researchers recently hacked the onboard computers of a Toyota Prius and a Ford Escape SUV.

They made the Prius accelerate and brake, as well as jerk the wheel while traveling at high speeds. They managed to turn the Ford's steering wheel at low speeds and disable the brakes, which caused researcher Charlie Miller to drive the SUV into his garage and totally destroy his own lawnmower. This is the stuff of nightmares.

"Once you are through that initial barrier, you can and will be able to do almost anything you want to," security researcher Don Bailey recently told NPR.

Beyond Account Takeovers

It gets worse. At last month's Def Con, an annual convention for hackers, Miller and his co-researcher Chris Valasek showed a packed audience how they could drive a brand-new Prius using a Nintendo video game controller from the 1980s. They did it by plugging a laptop into the car's On-board Diagnostics (OBD) jack, which mechanics use to diagnose mechanical problems. Experts believe that soon it will be possible to accomplish this by way of a wireless hack.

How did the car companies react to this new and terrifying threat? With the same studied nonchalance that some exhibited decades ago when they continued to manufacture and sell vehicles that exploded into fireballs upon impact. Both companies told NPR they believe their cars are safe despite the federal government's own research to the contrary.

"I've actually been very disappointed with the reaction from these companies," Bailey said.

Well Don, you're not alone. In the face of tens of thousands of successful cyber intrusions, we can no longer underestimate the sophistication or creativity of folks who want to exploit us or simply demonstrate that they do what they do because they can.

It took some enterprising thieves just two years to convert research from a few highly sophisticated Swiss scientists into a handheld device they can use to prowl the streets of Chicago and pop the locks of any car of interest. How long before hackers pull the same trick with a video game controller, taking full control of our cars while we're behind the wheel? Two years? Three? Then what? There are those who will do it to scare people, or possibly even kill someone. Others might use it to blackmail unsuspecting victims. Sure, they'll return control of your car, after they've propelled you down some highway or winding road at breakneck speed, and only after you've given them access to your bank account. (Go ahead and use your phone to send them the information, since you won't be using your hands to drive anyway.)

While this sounds like science fiction, the fact is the technology exists. The potential for damage is real. The time to tackle this is now. Automobile manufacturers have an opportunity to get out ahead of the next crime wave, protect consumers and show other industries how to do computer security correctly. If they fail to seize the day, they could be the recipients of press headlines far more toxic to their reputations and their bottom lines than a Labor Day weekend of price gouging at gas stations.

Adam Levin is chairman and cofounder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.