Two men jailed in Houston, accused of using pirated computer software to steal more than 100 vehicles, may have exploited an electronic vulnerability to advance vehicle theft into high-tech crime.
Michael Arce, 24, and Jesse Zelaya, 22, focused on new Jeep and Dodge vehicles, which attract big money on the black market in Mexico, authorities said. The men allegedly used a laptop computer to reprogram the targeted vehicles’ electronic security so their own key worked.
The stolen vehicles had a common software used by car technicians and dealers, Houston police officer Jim Woods said.
“As you get more and more computers installed in vehicles — if somebody has that knowledge and that ability, they can turn around and figure out a way to manipulate the system,” he said.
Police are investigating how the thieves were able to get access to a computerised database of codes used by dealers, locksmiths and independent car repair shops to replace lost key fobs, said Berj Alexanian, a spokesman at the company’s US headquarters in Auburn Hills, Michigan.
He said the code database was national and included vehicles in areas outside Houston, although he wasn’t aware of similar thefts elsewhere.
“We’re looking at all solutions to make sure our customers can safely park their vehicles,” Alexanian said.
With more automotive tasks becoming computerised and more cars being linked to the internet, such thefts are likely to increase across the globe, computer security expert Yoni Heilbronn said.
The car industry had worked hard in the past year to develop protections, but hackers with multiple motivations will always be looking for ways to get in, said Heilbronn, vice-president of marketing for Argus Cyber Security, an Israeli company that works with carmakers.
Though increased computerisation brings safety benefits, Heilbronn foresees more thefts, malicious software being installed that shuts down cars until a ransom is paid, and even attacks that disable many cars at a time. He said the industry would have to install multiple layers of defence.
Carmakers have been working to develop best practices and to share information on cybersecurity threats. Companies, including Fiat Chrysler, have their own hacking teams and have offered bounties to outside hackers if they find vulnerabilities.
The Houston investigation began in late May with the theft of a Jeep Wrangler near downtown. Leads in that case had been exhausted when investigators received information from federal Homeland Security and Immigration and Customs Enforcement officers about vehicles being stolen using a laptop. Arce and Zelaya then were identified as suspects.
The men, who each have criminal records, were arrested this month driving a stolen Jeep Grand Cherokee after police had been concentrating on an area of Houston that had been hit previously by car thieves. They also recovered electronic devices, keys and other tools believed used in the thefts, along with drugs, firearms and body armour.
In the Jeep Wrangler case caught on a surveillance video, the suspect got under the hood, cut wires to the horn to disable an alarm and then got inside the SUV.
Once inside, he used the database and the vehicle identification number to program a new key fob for the Jeep.