It is written that we should “Know thy enemy!” It might also be important to know the “tools of thy enemy”. Thieves are not as stupid as many vehicle owners might believe – and they have innovative tools and devices to steal modern-day vehicles.
In an earlier Blog post we focused on the question “How do thieves steal modern day vehicles?”. We also shared an interesting post on how criminals use immobilizer jamming devices – “Caution is required to protect from ‘immobilizer’ and ‘signal jamming’ thieves.”
In this Blog post we would like to focus on the tools that modern day thieves use to steal cars.
The tools that thieves are using to conduct electronic attacks can be divided into two main groups:
- Theft Tools
These are tools that have been designed specifically to target and exploit the weaknesses in the vehicle’s security systems in order to steal cars. They are often produced by the thieves themselves either by adapting replacement parts of the vehicle electronics to allow them to perform the functions that they require, or as an independent stand-alone system.
- Legitimate Tools
These are tools that are designed for automotive locksmiths and security professionals to be used for diagnostic and maintenance applications. They are produced as an OEM tool by the vehicle manufacturer themselves, or as an aftermarket tool produced by a legitimate supplier.
Despite some measures being taken to try to prevent the unauthorised use of these legitimate tools, it is apparent that thieves are still able to obtain and use them for criminal gain. Further precautions need to be taken to ensure that their use is limited to the professionals that require them during service operations. This can be achieved by making the tools more difficult to use, or by creating a more diverse and adaptable system that would reduce the number of vehicles that the tools were compatible with.
The electronic theft tools being used by thieves host a variety of different functions. SBD have identified the main functions that can be harnessed by criminals during the process of stealing a vehicle:
- Key Programming
This gives the user the ability to programme new Transponder, RF controls or Smart Keys to the vehicle immobiliser, locking and alarm systems. Connection to the vehicle can be achieved either through the OBD port or directly through the CAN-BUS or K-Line harness. Methods have been publicised for accessing CAN harness connections from outside the vehicle. This enables manipulation of the locking and alarm systems, meaning that thieves do not have to force entry to the vehicle’s interior before starting their procedure.
- Transponder Cloning
Transponder cloning devices allow the user to identify, prepare, read, copy and write a range of transponders. The transponder holds the unique identity which is communicated with the immobiliser unit in the vehicle. It confirms that the correct key has been inserted into the ignition and allows the vehicle to be operated. Cloning of this device would allow a thief to replicate this communication with an alternative key and in the absence of the original key.
- Immobiliser Programming
Software protection for immobiliser systems can be relatively low. Tools are available which allow for direct manipulation of the software to disable the immobiliser function or to allow replacement of an ECU with a pre-matched or ‘virgin’ ECU and transponder set.
- EEPROM programming
Some manufacturers’ systems are vulnerable to reading or re-writing of the EEPROM and some stored data. Using this method, PIN-code security protocols used for verification prior to programming can be overcome. The devices that perform these functions are connected either through the CAN-BUS, directly to the ECU, or to the memory IC itself, and allow a thief to bypass the security checks needed by some maintenance devices.
- Relay Attack
Relay attack tools have been designed to target the increasing number of vehicles that use Smart Key technology. A pair of devices is used to capture the signals emitted by the vehicle and Smart Key, and extend their range so that the key and vehicle believe that they are within the authorised operation range. In doing so, a thief is able to enter the vehicle and start the engine without having the original key and without alerting the owner of the vehicle. Relay attacks can typically operate over a range of 100 to 1,000 metres, depending on environmental conditions and the equipment used.
For more information on relay attack, please refer to SBD report 2266: Relay Attacks – A Real Threat to Smart Key Security?
- RF Code Grabbing
Code grabbing tools also target the signal sent from the key fob to the vehicle. They enable the thief to record the signals sent from an RF key fob when the owner wishes to lock and unlock their vehicle. In doing so, these signals can be retransmitted at a later time in order to gain access to the vehicle, without the need for the original key. This is a covert method which allows the thief to gain access to the vehicle without arousing any suspicion. The effectiveness of this tool is not limited to fixed code systems. Some rolling code and crypto code systems can also be compromised by grabbing tools.
- RF Blocking
RF blocking is the deliberate interference of the communication between the RF key fob and the vehicle usually without the driver being aware that the vehicle has not responded in the normal way. This can be achieved by using equipment that generates an RF signal, such as an electronic doorbell or garage door opener, or a specially designed tool that emits a continuous transmission to target a signal of a specific frequency. This is a highly effective method of preventing a driver from locking their vehicle and setting the alarm and is used all over the world. Legal restrictions exist which identify the frequency that a vehicle key fob must operate under and so thieves can target this frequency and ensure that the signal is blocked.
For more information on RF code grabbing and RF blocking, please refer to SBD report 2263: RF Interference and the Future for Vehicle Entry.
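The difference between a fixed code and a rolling code when a previously recorded frame is retransmitted, seen from the receiver's side. This is an added example, not taken from the SBD report or from any manufacturer's scheme; the frame layout, the truncated HMAC-SHA256 tag, the key, the window size and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac

# All values below are constructed for this example.
FIXED_CODE = bytes.fromhex("a5c3f00d")
KEY = b"constructed-demo-key"
WINDOW = 16  # how far ahead of the last counter the receiver will accept

class FixedCodeReceiver:
    """Accepts the same static code on every press."""
    def __init__(self, code):
        self.code = code
    def accept(self, frame):
        return hmac.compare_digest(frame, self.code)

def fob_frame(key, counter):
    """Frame = 4-byte counter || 8-byte truncated HMAC over the counter."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]

class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""
    def __init__(self, key, last=0, window=WINDOW):
        self.key, self.last, self.window = key, last, window

    def accept(self, frame):
        if len(frame) != 12:
            return False
        ctr, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False
        counter = int.from_bytes(ctr, "big")
        if not self.last < counter <= self.last + self.window:
            return False  # already used, or too far ahead (needs resync)
        self.last = counter
        return True

def demo():
    fixed, rolling = FixedCodeReceiver(FIXED_CODE), RollingCodeReceiver(KEY)
    frame = fob_frame(KEY, 1)
    return {
        "fixed_first": fixed.accept(FIXED_CODE),
        "fixed_replay": fixed.accept(FIXED_CODE),
        "rolling_first": rolling.accept(frame),
        "rolling_replay": rolling.accept(frame),
        "rolling_next": rolling.accept(fob_frame(KEY, 2)),
        "rolling_far_ahead": rolling.accept(fob_frame(KEY, 2 + WINDOW + 1)),
    }
```

The model covers only the retransmission of a frame the receiver has already accepted; it does not represent the rolling code and crypto code weaknesses the text mentions.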
Despite the equipment described in this section being fairly advanced in its functionality, it would be a mistake to assume that the operation of these devices requires a high level of skill or expertise. Most of these devices require very little input from the user, with some requiring only to be connected to initiate the attack. They are simple to use and are highly effective, which makes them attractive to thieves.
[Information with recognition to SBD (Secured by Design Ltd) – SBD is an independent, technical consultancy specialising in the design and development of vehicle security, low speed crash, telematics and ITS systems.]