CARS.COM — Hearing auto-theft analysts describe so-called mystery devices for hacking into cars in recent years has been a little like watching characters in a Cold War spy movie chase down a stolen top-secret weapon, uttering some version of the line, “If this thing falls into the wrong hands…” Only now, according to a just-released report on these advanced remote car-theft gadgets by the Illinois-based National Insurance Crime Bureau, that’s precisely what has happened.
Purportedly developed and sold by legitimate European manufacturers (unnamed in the report) to allow automakers to test the security vulnerabilities of their own vehicles, these “relay attack units” evidently have been acquired — and used — by American car thieves. NICB investigators recently got their hands on one of the devices through a third-party security expert and reportedly were able to unlock, start and drive away in more than half the vehicles on which they made attempts.
NICB investigators were able to unlock 19 of the 35 different makes and models they tested, and start and drive away in 18 of them. Moreover, after turning off the engine in the cars investigators were able to drive away in, they were able to use the device to later restart a dozen of them without the original key fob present.
The only commonality among all the vehicles successfully hacked into during testing was that they were equipped with keyless entry and push-button start. Researchers conducted the tests over a recent two-week period after acquiring the device.
Types of vehicles tested included cars, minivans, SUVs and a pickup truck from varied makes, models, model years and automakers both American and foreign, and were conducted at new-car dealerships, an independent used-car lot, an auto auction and on NICB employee vehicles and privately owned ones. NICB chief communications officer Roger Morris told Cars.com that among vehicles tested, for example, efforts to hack into model-year 2017 versions of the Chevrolet Camaro, Cruze, Impala and Malibu all failed, while researchers were able to infiltrate two 2016 Impalas. Chevrolet did not immediately respond to a request for comment.
For the device to work, the targeted vehicle’s key fob must pass within about 10 feet of the relay component of the two-device theft mechanism, NICB explained. That device captures the signal and sends it automatically to a second device positioned up to roughly 90 yards away. The second device is then positioned near the car door to unlock it, and then positioned near the ignition switch to start it and drive away. A pair of thieves could pull the scam easily in a motel parking lot as an unsuspecting car owner pulls in and exits their vehicle, Morris offered as an example.
Although NICB officials aren’t putting it this way, it’s a bit of an I-told-ya-so moment for the bureau, which tracks and investigates insurance crimes. They’ve been issuing public warnings about these car-theft “mystery devices” for the past couple of years, but until now the only compelling evidence for their existence was mysterious theft incidents caught on surveillance cameras — giving the discussion an almost folkloric dimension.
“After seeing it work,” Morris told Cars.com, “I think the skepticism is gone.”
Now, Morris said, “we’re trying to help law enforcement around the country learn about it, make them more aware of it.”
The report also follows a recent uptick in auto theft nationwide, which comes amid decades of plummeting crime statistics in general and auto theft in particular. For years, anti-theft advancements in car technology have made vehicles all-but-impossible to steal. But NICB has maintained that as cars get harder to swipe, thieves inevitably get cleverer.
“While there’s no real way to stop this right now that we’re aware of, it’s the ongoing tug-of-war between the manufacturers and the hackers,” Morris said.
In the meantime, he said, “Hopefully they’ll be aware of it and are working constantly to improve their systems.”