The Washington PostDemocracy Dies in Darkness

How hacked computer code allegedly helped a biker gang steal 150 Jeeps

Jeep vehicles are seen on a sales lot on May 23 in Miami. (Joe Raedle/Getty Images)
Placeholder while article actions load

In a cross-border auto heist that resembles a scrapped plot from the “Fast and the Furious” franchise, nine members of a Tijuana-based biker club have been charged with stealing 150 Jeep Wranglers using stolen computer code and key designs, the Justice Department announced earlier this week.

Known as the Hooligans, the biker gang allegedly stole the Jeeps in the San Diego area over the past several years, selling the vehicles or stripping them for parts across the border in Mexico, U.S. Attorney Mark Conover said during a news conference recorded by the San Diego Union-Tribune. The value of the stolen Jeeps was $4.5 million.

According to the indictment, the Hooligans staked out vehicles days before the thefts to obtain their vehicle identification numbers. With these numbers in hand, the suspects were able to get details to create duplicate car keys, as well as the codes needed to program the keys, linking them to the Jeep Wranglers. The key designs and codes were stored in a proprietary database. But law enforcement officials don’t know how the Hooligans were able to access it.

In the course of the investigation, authorities said they learned that nearly 20 requests for duplicate keys were made by a Jeep dealership in Cabo San Lucas, Mexico.

Conover said the thefts took only minutes. After using the duplicate key to get inside the car, the Hooligan members used a handheld electronic device to pair the key with the car's computer to turn the engine on and drive off.

While Conover did not name the exact device used in the thefts, Kathleen Fisher, a Tufts University computer science professor and security researcher, said that such key programmers are relatively cheap, with some costing less than $100, and readily available online.

That auto companies or their partners maintain databases to store key and programming codes is not in itself unusual. After all, rightful car owners would need that information to create new keys if they were locked out, Fisher said. But in this case, it appears the security vulnerability may have been the integrity of the database. One way for criminals to extract stored information is to hack into a network that has access to it, she said. Another way is to get authorized users to obtain the information themselves and then pass it on, or to share active credentials with someone who shouldn't have them.

Experts say that widespread hacks of cars may soon become a reality. In an alarming demonstration captured by a widely read Wired article from 2015, researchers Charlie Miller and Chris Valasek showed that they could wirelessly hijack a 2014 Jeep Cherokee. The researchers could disengage the Jeep's brakes, cause the transmission to malfunction and, at lower speeds, kill the engine altogether.

Hacking tools are easily spread online, and pervasive software threats are costly to patch up. Car companies also face the challenge of justifying increased security costs to customers, Fisher said. A car's cybersecurity isn't the easiest thing to advertise, compared to say, horsepower or leg room. Outside of industry-wide pressure from regulators or insurers, individual companies may hesitate to spend more on security, despite the massive risks that hijacked and hacked cars pose. “We don’t do a very good job accounting for the cost of bad security," Fisher said.