They steal cars with simple phones and Bluetooth speakers

Car manufacturers should urgently consider incorporating cryptographic systems into their models (photo: CC0 Public Domain)

A man sitting in the driver’s seat of a Japanese-made car repeatedly presses a button next to the steering wheel. A red light flashes. The engine won’t start. The man has no key. He takes a Nokia 3310 phone out of his pocket and plugs it into the car with a black cable. Then he scrolls through some options on the 3310’s small LCD screen. “Connect. Get the data,” it says. The man presses the button again. The light turns green and the engine growls to life.

The scene is from a short, 30-second clip showing a new way of stealing cars that is spreading across the US. Criminals use small devices, sometimes hidden in innocuous-looking Bluetooth speakers or vintage cell phones, to connect directly to the car’s control system.

This allows car thieves with very little technical experience to steal cars without a key. Sometimes the procedure takes them only about 15 seconds. The devices are available for purchase online. They cost several thousand euros or dollars, which dramatically lowers the barrier to entry into the car theft business.

A device does the work of the thief

“JBL Unlock + Start,” reads one ad for a device hidden inside a JBL-branded Bluetooth speaker, Motherboard reported. “You don’t need keys!” The ad states that this particular device works with a variety of Toyota and Lexus vehicles: “Our device has a great stealth design and appearance,” the message says.

“The device does all the work for the thief,” says Ken Tindell, CTO at vehicle cybersecurity firm Canis Labs. “All they have to do is take two wires from the device, disconnect the headlight and insert the wires into the correct holes on the side of the vehicle.” When it comes to protecting the vehicle owner from this type of threat, “ordinary users can’t do anything.”

Earlier this month, Tindell published a series of studies of these devices, conducted together with his colleague Ian Tabor, also a specialist in automotive cybersecurity. Tabor bought a device to reverse engineer after car thieves appear to have used just such a gadget to break into his own Toyota RAV4 last year. After some digging, the two came across devices for sale that targeted SUVs, luxury cars or specific brands of vehicle, the post said.

“Emergency Start Technique”

The video showing the man using a Nokia 3310 to start a Toyota is just one of many YouTube videos demonstrating the technique. Other videos show devices used to start luxury cars such as Maseratis. Multiple websites and Telegram channels advertise the technology for amounts in the range of €2,500-€18,000. One seller is offering the Nokia 3310 device for €3,500. Another is advertising it for €4,000.

Sellers often euphemistically call this type of gadget an “emergency start technique”, ostensibly intended for locksmiths. Some of the sites do offer tools that can be useful to locksmiths, but a legitimate company would not be looking for a tool hidden in a phone or a similar “case”.

Some of the sites even claim to offer software updates for devices that customers have already purchased, which suggests that development of the “emergency start technique” is an ongoing process.

Business without borders

A Motherboard reporter posed as an interested customer to one of the online sellers of such theft devices. From the report it is clear that this business works without borders: the gadgets can be delivered anywhere. Payments are accepted via Western Union, MoneyGram, bank transfer and cryptocurrency. According to the dealers, “the process of starting the engine takes about 10-15 seconds”.

According to Tindell and Tabor’s research, the attack, called CAN (Controller Area Network) injection, works by sending fake messages that appear to the on-board computers to come from the car’s smart key. The core problem is that vehicles “blindly trust” these messages without verifying them. Once thieves gain physical access to the necessary cables, they can use their device to send those messages to the on-board computers, Tindell adds.

The hardware for the “emergency start technique” itself is inexpensive. The components hidden in phones and Bluetooth speakers usually consist of a chip with CAN hardware and firmware, plus a second CAN chip. These components cost a few euros. The device maker’s real work is reverse engineering the messages for a specific vehicle. Once that is known, building each new device takes only a few minutes, Tindell says. “It’s not a lot of work: you solder a few wires, wrap everything in resin, and you’re done,” he writes.

The only solution – cryptography

Currently, affected vehicles are usually wide open to such attacks. The only proper solution would be to introduce cryptographic protection of CAN messages, Tindell says in an email to Motherboard. This can be done through a software update, he adds.

And the fix itself? “The software is straightforward, and the only complicated part is implementing the cryptographic key management infrastructure,” Tindell and Tabor explain. This will require changes by the car manufacturers, and whether they are ready for such a move is not yet clear.
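To make the gap described above concrete, here is an added illustration (not from the article and not Tindell and Tabor’s code): a toy receiver that trusts any frame with the expected arbitration ID, beside one that requires a keyed MAC and a monotonic counter on each frame, so that forged and replayed frames are rejected. The arbitration ID, payload layout and key are constructed placeholders, not any real vehicle’s.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed placeholders: a hypothetical "smart key present" frame.
KEY_STATUS_ID = 0x100          # arbitration ID (made up, not a real vehicle's)
SECRET = b"per-vehicle-key-from-oem-key-management"  # assumed provisioned key

@dataclass
class CanFrame:
    arb_id: int
    data: bytes                 # classic CAN carries at most 8 data bytes

def blind_receiver(frame: CanFrame) -> bool:
    """Today's behaviour: any frame with the right ID and status byte is trusted."""
    return frame.arb_id == KEY_STATUS_ID and frame.data[:1] == b"\x01"

def _tag(key: bytes, body: bytes) -> bytes:
    # MAC covers the arbitration ID too, so a valid tag cannot be moved to another ID.
    # Truncated to 4 bytes to fit the 8-byte payload (a common CAN compromise).
    return hmac.new(key, KEY_STATUS_ID.to_bytes(2, "big") + body, hashlib.sha256).digest()[:4]

def build_authenticated(status: int, counter: int, key: bytes = SECRET) -> CanFrame:
    """Sender side: 1 status byte + 3-byte counter + 4-byte truncated HMAC."""
    body = bytes([status]) + counter.to_bytes(3, "big")
    return CanFrame(KEY_STATUS_ID, body + _tag(key, body))

class AuthenticatedReceiver:
    """Hardened behaviour: verify the MAC, then enforce a strictly increasing counter."""
    def __init__(self, key: bytes = SECRET):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: CanFrame) -> bool:
        if frame.arb_id != KEY_STATUS_ID or len(frame.data) != 8:
            return False
        body, tag = frame.data[:4], frame.data[4:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False                      # forged or wrong key
        counter = int.from_bytes(body[1:4], "big")
        if counter <= self.last_counter:
            return False                      # replayed frame
        self.last_counter = counter
        return body[0] == 0x01

def demo() -> dict:
    forged = CanFrame(KEY_STATUS_ID, b"\x01" + bytes(7))   # no key needed to build this
    rx = AuthenticatedReceiver()
    genuine = build_authenticated(0x01, counter=1)
    return {"blind_accepts_forged": blind_receiver(forged),
            "auth_rejects_forged": not rx.accept(forged),
            "auth_accepts_genuine": rx.accept(genuine),
            "auth_rejects_replay": not rx.accept(genuine)}
```

The counter is the piece that ties the scheme back to the key management problem the researchers mention: every ECU that checks these frames needs the same key and a synchronised freshness value.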
