Car thieves use 'mystery device' to break into vehicles

Device used to break into electronic locking system of new-model vehicles

PEMBROKE PARK, Fla. – A car manufacturer recalled more than a million cars following security concerns about car hacking, as the National Insurance Crime Bureau issued an alert about a "mystery device" being used to break into vehicles by defeating the electronic locking system of later-model cars.

So-called connected car "convenience technology" could put consumers at risk.

"Right now, what has happened is the digital key fob has become a way for someone to steal your car," NICB investigator James "Herb" Price said.

NICB has crooks caught on camera using a device to lock and unlock cars. In one clip, thieves are caught on surveillance video stealing a laptop and custom bike.

"With this device (they) walk by a car, look in it, to see if it is one of the cars you can start with a push button on the dash. The nickname for this device is a digital repeater," Price said. "What it is doing is it is picking up the signal, it is picking up the signal of this key fob, and they get by your car and it repeats the code back to the car, which allows them to enter the car and start the car and drive off with the car, and you will never know it happened."

"The only way to defeat that is, if you have a key fob and a car of that nature, get a copper bag, a faraday cage. By sealing it up, it blocks any transmission outside that bag so nobody can read that code," Price said.

Security researchers Charlie Miller and Chris Valasek made a splash in a Wired article by senior writer Andy Greenberg when they demonstrated that a Jeep Cherokee could be remotely hacked, stopping it in its tracks and attacking the system from miles away.

In response, Fiat Chrysler announced it would be recalling 1.4 million cars and offering drivers a software update to prevent hackers from infiltrating cars via the internet connection.

In an FCA blog post, Gualberto Ranieri writes, "To FCA's knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle.

"After becoming aware of the vulnerabilities in some 2013 and 2014 vehicles equipped with the 8.4 inch touchscreen systems, FCA US and several suppliers worked to fix the vulnerabilities in model year 2015 vehicles. FCA also created a software update that eliminates the vulnerabilities uncovered by Miller and Valasek in their laboratory tests. This software update is available to customers right now and can be downloaded to a USB drive from and installed in a vehicle."

"They had been in contact with Chrysler for months," an elite white hat hacker Samy Kamkar said via Skype with Local 10 News Consumer Advocate Christina Vazquez. "It was only resolved within two or three days since it hit the press."

Kamkar led a presentation about car hacking at last month's Defcon hacker conference in Las Vegas.

In the presentation, entitled "Drive it Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars," Kamkar revealed new research and real attacks in the area of wirelessly controlled gates, garages and cars.

"Many cars are now controlled from mobile devices over GSM, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy)," he said.

At the conference, Kamkar unveiled his $32 device called a "RollJam," which defeats the rolling codes security feature in keyless entry systems.

"We are racing to get technology out without understanding the security implications first," Kamkar said. "It's only when you can get a wide audience, public pressure that I think change happens."

Kamkar is a security researcher, best known for creating The MySpace Worm, one of the fastest-spreading viruses of all time.

Kamkar's Twitter account description reads, "think bad, do good." The security researcher tells Local 10 News that by deliberately exposing security weaknesses he hopes his research will help you, the consumer, by forcing companies to make fixes to security holes before they become a crime trend.

"We can't fully trust that these companies have a good lock on security yet, so that's where I, and hopefully other researchers, come in," he said.

Local 10 News checked with several South Florida law enforcement agencies in advance of the publication of this story, but all said they didn't have any active cases involving digital car thieves.

Al Berman, president of Disaster Recovery Institute (DRI) International, said he believes it is possible that "we have created awareness for the auto industry."

Berman has more than 25 years' worth of cybersecurity experience.

In his opinion, the bigger security threat of the "connected car" is Wi-Fi, "which makes it much easier to hack into the system. If you buy one, I think you have to have a lot more vigilance than if you bought one without it because it now allows you to have access to your cell phone which is connected to it, and therefore you could actually be hacked while sitting in your own car."

Berman thinks anti-virus software for mobile devices will become a preventative step.

Hacking, said Berman, has become big business; an industry of crooks navigating cyber security vulnerabilities. You can hear more about what he had to say about car hacking and what you can do if you have been hacked at this clip:

WEB EXTRA: A Call Christina conversation with DRI's Al Berman about the big business of hacking.

In July, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced new legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to protect drivers from these sorts of pending cyber security risks. They would like to see a "Cyber Dashboard" rating system in place.

Click here to visit the Unconnect software update site.

• 2013-2015 MY Dodge Viper specialty vehicles
• 2013-2015 Ram 1500, 2500 and 3500 pickups
• 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
• 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
• 2014-2015 Dodge Durango SUVs
• 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
• 2015 Dodge Challenger sports coupes
• Customers that own vehicles involved in the recall will receive a USB drive in the mail with the software update preloaded on the device.
• Customers can enter a vehicle identification number (VIN) and find out if their vehicle needs the software update. If the vehicle needs the update, owners can download the software update to a USB drive and install themselves.
• If owners do not wish to install themselves, they can visit their local CDJR dealer to have a dealer technician install the software.