
Sons of IoT: Bikers hack Jeeps in auto theft spree

Gang used lifted codes, stolen logins to bypass onboard security

By Shaun Nichols in San Francisco


A Tijuana-based biker gang is accused of hacking hundreds of trucks over two and a half years as part of a multi-million-dollar auto theft ring.

The San Diego offices of the US Department of Justice and the FBI said that nine members of the Hooligans Motorcycle Club used stolen dealer credentials and handheld diagnostic machines to cut and program duplicate keys for a targeted set of Jeep Wrangler trucks, which they later stole and stripped down for parts.

According to the DoJ's indictment, the group worked in small teams to identify specific models of Jeep Wranglers throughout the San Diego area. Once a target vehicle was identified, a member obtained the truck's vehicle identification number (VIN), which is usually printed on the dashboard.

The VIN was then passed to another member, who used database login credentials taken from a Jeep dealer in Cabo San Lucas, Mexico. The database, used by dealerships to perform repairs on the cars, contained the information needed to cut and program duplicate keys.

The DoJ believes that, armed with the duplicate key, a thief popped the hood of the car to disable most of the alarm system and open the door. Then they used a handheld diagnostic tool and a code from the database to pair the duplicate key with the truck and turn off any remaining security features.

A transporter then allegedly drove the stolen trucks, now paired with a valid key, across the US border to Mexico, where they were stripped down for parts to be resold.

This scheme is believed to have netted members of the Hooligans gang around $4.5m in profits from more than 150 vehicles.

The thefts ran for over two and a half years, from January 2014 through September 2016, when the group was indicted. The DoJ unsealed and announced the charges this week.

The DoJ has indicted nine members for the scheme, six of whom remain at large as fugitives believed to be hiding out in Mexico. Each of them faces charges of Conspiracy to Commit Transportation of Stolen Vehicles in Foreign Commerce, a crime carrying a maximum of five years in prison per charge. ®
