Cops swoop after crooks use wireless keyfob hack to steal cars

Europol this week said it has arrested 31 people in a crackdown on a car-theft ring that developed and used a technique to steal keyless vehicles.

The alleged crooks preyed on motors from two French automakers, we're told. The thieves were apparently able to update or manipulate the cars' software so that the doors could be opened and engine started without needing the owner's wireless keyfob. Just turn up, get in, drive off.

The European cops didn't provide much detail about the "fraudulent tool" used to pull off these thefts, other than it was marketed as an automotive diagnostic product and was typically used by independent repair shops to reprogram a car's key system without requiring a trip to the dealer. 

It sounds as though there was a way to force these vulnerable vehicles to accept another wireless keyfob, allowing a thief in. It's not entirely clear how it worked – whether it was all wireless or if a physical connection was needed. Officially, the cops said the tool was able to "replace the original software of the vehicles, allowing the doors to be opened and the ignition to be started without the actual key fob."

"It was a portable solution that the criminals would connect to the car they wish to steal to open the doors and drive off," a Europol spokesperson told The Register, adding that the car-heist-enabling software was sold on the open web — but "to an informed audience (criminals)."

Europol isn't releasing the names of the suspects nor the software at this stage in the investigation. "Investigations are ongoing in a number of European countries to arrest all the car thieves using this tool," the spokesperson added.

Those arrested apparently include the software developers, its resellers, and the car thieves who used the tool. In addition to cuffing the 31 suspects, the police searched 22 locations and seized more than EUR 1.1 million ($1.1 million) in assets. It appears a website was also seized and shutdown.

The French Gendarmerie's Cybercrime Centre (C3N) opened the investigation with support from Europol starting in March. In September, French authorities opened the case at the European Union Agency for Criminal Justice Cooperation (Eurojust).

French police, working with Spanish and Latvian officers, made the arrests on October 10. Also on that day, Europol open a mobile office in France to assist that country's police and military authorities with their investigation.

The European Multidisciplinary Platform Against Criminal Threats (EMPACT) and the Internal Security Fund (ISF) SWORD also provided financial support.

• Hackers remotely start, unlock Honda Civics with $300 tech
• 2-bit punks' weak 40-bit crypto didn't help Tesla keyless fobs one bit
• Veedub flub hubbub stubs car-jack hack flap
• 'Baby Al Capone' to pay $22m to SIM-swap crypto-heist victim

The French car heist follows the emergence earlier this year of a keyfob hijack technique affecting Honda Civics.

This security weakness, tagged CVE-2022-27254, was discovered by Ayyappan Rajesh, a student at University of Massachusetts Dartmouth, and someone with the handle HackingIntoYourHeart. Their research indicated that Honda Civic LX, EX, EX-L, Touring, Si, and Type R vehicles manufactured between 2016 and 2020 all have this over-the-air vulnerability.

According to the duo, "various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start. This allows for an attacker to eavesdrop on the request and conduct a replay attack."

An unrelated but similar problem in 2012 Honda Civics allows for a similar attack, but with a different cause: a non-expiring rolling code and counter resync. 

Additionally, in 2016, The Register reported on an experiment in which researchers cloned a Volkswagen keyfob and were able to use it to potentially unlock 100 million vehicles. There's probably plenty more examples in the archives. ®