Could you get "carhacked"? The growing risk of keyless vehicle thefts and how to protect yourself
Date:2025-04-11 17:36:25
You arrive home and toss your car keys on a table near your front door. It's an ordinary habit, and it is all today's thieves need to launch a "relay attack" that captures the signal from your key fob, unlocks your car and lets them drive it away. And it's just one of the high-tech methods more criminals are adopting to steal cars.
Experts say in recent years, car thieves have increasingly targeted keyless entry vehicles by breaching the computer systems that are built into the cars' communication network.
Less than a minute to reprogram a key fob
The latest method capturing the attention of car security experts is the "CAN bus attack." "CAN" stands for "controller area network," and the "CAN bus" is the auto industry term used to describe the message-based electronic system that allows various parts of the vehicle to communicate with each other.
"Probably the most common one that I do see is actual key programmers that you can just plug into the vehicle's diagnostic port or onto the CAN bus network," said Steve Lobello, owner of S&A Security in the Chicago suburb of River Grove, Illinois.
"It's basically the nervous center in the vehicle where everything has to process," said Lobello. "You can pretty much do things such as delete keys, program new keys, and just basically speak to the vehicle."
Lobello says the tablets that locksmiths and security specialists use to reprogram key fobs have been stolen or can be bought online legally by thieves looking for a way to hack into targeted cars.
We won't reveal exactly how he did it, but Lobello used one of these tablets to demonstrate how quickly he could gain access to a vehicle's main frame and reprogram a key.
It took him less than a minute.
High value target
Ivy Stryker of Farmington, Michigan, became a victim of the CAN bus attack not once but twice. The first time, his car was parked against a brick wall at an apartment complex.
"It's about 1 a.m., my phone goes off, my iPads are going off, alarm sounds everywhere," said Stryker. He ran outside to find another vehicle next to his and a stranger inside his car. "A guy's popping out the top of the moonroof."
Stryker had no illusions about how tempting his Dodge Charger Hellcat would be to thieves and had a security system installed to protect it.
"When I was looking at the thing, I already knew that it was one of the most, if not the most stolen car," said Stryker.
According to a recent report from the Highway Loss Data Institute, the Charger SRT Hellcat ranked as the No. 1 targeted car built between 2020 and 2022. It's 60 times more likely to be stolen than any other car built in that same time period.
"If you own a Hellcat, you better check your driveway," Matt Moore, the organization's senior vice president, said in a statement on the institute's website. "These numbers are unbelievable."
Car thefts in general are up across makes and models nationwide. More than one million cars were stolen in 2022, the highest number since 2008, according to the National Insurance Crime Bureau (NICB), the insurance industry association that tracks annual vehicle thefts.
That's about two vehicles stolen every minute.
Trying to stay one step ahead
"The criminal organizations and the suspects are always looking for what the security protocols are and how to defeat them," said NICB President & CEO David Glawe.
"We work with the insurance industry and the manufacturers to identify these vulnerabilities and to try to slim this gap," said Glawe. "But we're always having to stay one step ahead of the criminals, and they're always trying to stay one step ahead of us."
For years the bureau has publicized the number of cars stolen due to keys being left inside vehicles — 287,024 between 2019 and 2021. But that represents just a fraction — 11% — of the total number of cars — more than 2.6 million — that were stolen during the same time.
"We have the real raw information of stolen vehicles. But how they're stolen, it comes down to the local law enforcement," said Glawe. "When you document and report, you have to put that in a police report. If that's not captured by an algorithm or report, it's hard necessarily to track."
NICB told us they don't break down exactly how the vehicles were stolen, and we learned the auto industry doesn't track this data either.
Automakers provide few answers
Concerned that keyless entry systems "may be contributing to rising rates of vehicle theft," in July 2022 U.S. Senator Ed Markey, a Democrat from Massachusetts, sent letters to 17 carmakers urging them to "…take all necessary steps to ensure that keyless entry systems, once a security innovation that deterred thieves, do not become a security liability for them to exploit."
In the dozen responses that came back, while automakers all stated a commitment to theft prevention, none could provide the exact number of their vehicles that had been stolen or details on the method car thieves used to steal them.
Some industry experts suggest automakers should be tracking this data to help combat the rise in vehicle thefts.
"I think it's incredibly important because unless the industry has a knowledge of how vehicles are being compromised, then, you know, nothing's going to be done about it," said former detective Clive Wain, who now works as head of police liaison for Tracker UK, a company that specializes in recovering stolen cars in the United Kingdom.
Wain says a spike in hot-wiring thefts during the 1980s put pressure on auto manufacturers to enhance vehicle security. That led to the modernization of vehicle locking mechanisms, and the introduction of "smarter" key systems and vehicle immobilizer technology.
Since then, Wain says, organized criminal groups have developed capabilities to download data from these key transponder fobs, and by downloading data via the vehicles' onboard diagnostic device, they could clone and upload that data onto a "donor" key for that specific make and model of vehicle.
"Circa 2015, in the U.K., as some manufacturers were introducing 'keyless entry' vehicles, instances of electronic compromise started to surface where this technology had been compromised. The most prevalent method progressively has become the 'relay attack,'" said Wain. "More recently, we have seen the significant emergence of 'CAN bus' compromise attacks."
Tracker UK makes a practice of collecting monthly high-tech car theft data.
Their numbers show that in July 2023, keyless car theft reached an all-time high in the U.K., accounting for 98% of all stolen vehicles the company helped recover in that one-month period.
"As quickly as manufacturers start to [update vehicle locking] technology for security purposes, that technology is being reverse-engineered — almost within a matter of days or weeks," said Wain. "I think manufacturers have known about the vulnerability for some years, but it takes many, many years to develop technology on a production line and it's a costly process."
Wain says while keyless entry technology was initially developed and introduced in more high-end makes and models, it has now been extended to most mainstream vehicles, making them much more vulnerable to this kind of attack and compromise.
Steve Lobello agrees.
"A little more than 90% of vehicles are vulnerable," he said. "All this information [on breaching a car's technology] is already out there. It's readily available on YouTube and social media."
"It's not like [thieves] need to go to school to learn how to use this thing," he added. "YouTube is their school."
After-market solutions
The growing threat of high-tech car theft is why Lobello suggests his clients install an after-market security system (he recommends one called IGLA). These systems, which can cost as much as $1,200, create a firewall to fend off CAN bus attacks, and require the driver to enter a pre-programmed code using a combination of existing factory buttons in sequence to start the car. Even if a thief manages to plug into a vehicle's CAN bus, without the secondary button code authentication, the car will shut down and be immobilized.
Lobello installed one of the systems in Ivy Stryker's Dodge Charger, and the investment paid off: thieves who attempted to steal it were thwarted – two times. In one of those cases, when the car wouldn't start, the criminals resorted to using a second car to push the Dodge. They made it 17 miles before giving up and ditching the car on the side of the road. Stryker later tracked it down via GPS.
Stryker believes automakers should be the ones stepping up to solve the problem.
"It's too easy now. The onus should be on the manufacturer," said Stryker. "It should be their responsibility to tighten up their security as much as possible."
In a statement, Stellantis, which makes the Dodge Charger, told CBS News that their vehicles "…meet or exceed all applicable federal standards for safety and security. …Notwithstanding, we urge all motorists to take due care in securing their vehicles."
Experts say consumers don't have to install expensive after-market security systems to minimize the risk of being "carhacked." Other precautions can include storing keys in a metal container, signal-blocking pouch or "Faraday Box," to prevent relay attacks.
The National Insurance Crime Bureau recommends a "layered approach," adding on physical protection like steering column locks, alarms and tracking devices. Ironically, high-tech thieves may be deterred when confronting low-tech protection measures.