Law enforcement also seized over 100 million Euros in assets from the car theft ring, which targeted French car manufacturers with keyless entry and start.
Hack Tool Replaced Original Vehicle Software
According to Europol, the crimes were orchestrated specifically on vehicles from two unnamed French car manufacturers whose cars feature keyless start and keyless entry options available via the key fob. Criminals used a “fraudulent tool,” sold on the dark web, that was masked as automotive diagnostic software and replaced the vehicles’ original software. This removed the need for an official key fob which then allowed cybercriminals to unlock the cars and drive off undetected. The exact name of the hack tool, as well as the dark web domain it was hosted on, is unknown. Authorities, however, have confirmed that cybercriminals used clever tactics to evade detection and keep the software running. The domain has since been taken down. “The perpetrators of the scam kept updating and adapting their software, to counteract measures implemented by companies to reinforce the security of their vehicles,” the European Union Agency for Criminal Justice Cooperation (Eurojust) said.
A Range of Criminals With Different Functions
The arrests brought forward an organized car theft ring consisting of a range of criminal profiles with varying functions connected to the incidents, Europol said. The individuals in the group ranged from the manager of the company that produced the hack tool, those marketing and selling the tool on the dark web, to those who were tasked with stealing the vehicles. “Among those arrested were the software developers, its resellers, and the car thieves who used this tool to steal vehicles,” Europol said. Law enforcement agencies cracked down on 22 locations in the three countries involved — France, Spain and Latvia — arresting 31 individuals and recovering over 100 million Euros in criminal assets, 12 bank accounts, several luxury cars, and some real estate, according to a report by Eurojust. The operation was part of the EU’s “Empact” program that tackles key criminal threats affecting the EU, supported by Eurojust, Spanish, and Latvian law enforcement agencies.
Keyless Systems Can Still be Hijacked
The fact that modern cars come equipped with digital systems for the owner to conveniently unlock or start them remotely presents cybersecurity vulnerabilities. As seen in this case, key fob software used to hijack modern cars with keyless systems can be found on cybercriminal dark web forums. This June, we reported on how a Near Field Communications (NFC) key fob vulnerability in Tesla’s vehicles allowed criminals to hijack cars in under 130 seconds, simply by being near the vehicle and silently intercepting low-level Bluetooth signals. With second-hand cars being worth much more than they were before the current economic bubble, car theft is on the rise. According to French car magazine Auto Moto, Citroen’s and Renault’s sporty models, the DS and RS models, respectively, were especially popular targets among car thieves in 2021. To deter criminals from hacking your car’s systems via your key fob, we recommend you invest in a wallet or purse with RFID blocking and ensure suspicious individuals are not lurking in the vicinity of your vehicle. It would also be a good idea to park your vehicle in an enclosed area. To find out more about how safe the tech really is, read our full guide on Bluetooth safety.