The National Insurance Crime Bureau (NICB) has warned drivers against a mystery device currently being circulated around the dark web. According to Roger Morris from NICB, a device that is currently being sold on darknet marketplaces enables hackers and criminals to steal cars by relaying a smart key’s signal to a secondary device.
Essentially, with two data relaying devices, criminals can hack into a car’s smart-lock system to open its doors and initiate its engine without its system ever being alert. The entire process requires two devices; one is used to intercept the original key’s fab signal and the second device is used to obtain the signal intercepted and relayed by the first device to gain access to the car.
In an extensive investigation, Morris tested the newly circulating car-hacking method on 35 different cars from various brands or car makers. Morris and his team of investigators discovered that the method was able to intercept car key signals of 19 cars out of the 35. More importantly, Morris and his team were able to initiate the engines of 18 cars out of the 19 and drive off.
“Nineteen of them, we were able to open and get into. Eighteen of them, we were able to start with the device and drive off.”
While the crackdown on the dealers of the abovementinoed devices by the law enforcement is necessary and important, Cape Coral cyber security expert Sharon Harkison explained that the issue is more complicated that it seems. Although already-built devices can be acquired and obtained from the dark web, the software supporting these devices are made readily available to anyone.
Therefore, young adults or teenagers with some knowledge in computer engineering and programming can simply find the source code and design a completely new device which carries the same functions. By doing so, it makes it that much more difficult for law enforcement agencies to differentiate car-stealing devices from actual car keys.
“A teenager can go on the internet and find the source code and the programming code to make these devices very easily. When it comes down to it, if you want security, you’re going to have to go back to the old-fashioned key to open and close the car,” said Harkisoon.
Most importantly, because the entire process does not leave any sort of trace for the law enforcement and investigators, it is not possible to prove anyone guilty of using the method without hard evidence. For instance, the only evidence that could potentially be accepted and acknowledged would be a black box footage of the theft of the car. Other than that, because the data-relaying car-hacking method does not leave any digital trace, it is more difficult for law enforcement agencies to trackdown.
Stan Potter, general manager at Koons Locksmiths stated:
“It’s not something there’s a great deal of understanding about. I’m not aware of any specific way to prevent this type of crime. I mean obviously be aware of your surroundings, and just good general practices.”
Although radio frequency-blocking (RFID-blocking) key fob protectors can prevent such hacking attacks, it would be impractical to leave the protectors on at all times to potentially avoid the abovementinoed situation. Also, commercially available RFID-blocking protectors only work if the key is actually placed inside them, which usually are manufactured in the forms of bags. Thus, if a key is taken out of the bag to either lock the door of the car or initiate the engine, it can become vulnerable to the attack.