Sons of IoT: Bikers hack Jeeps in auto theft spree

Gang used lifted codes, stolen logins to bypass onboard security

By Shaun Nichols in San Francisco

Posted in Security, 31st May 2017 17:45 GMT

A Tijuana-based biker gang is accused of hacking hundreds of trucks over two and a half years as part of a multi-million-dollar auto theft ring.

The San Diego offices of the US Department of Justice and the FBI said that nine members of the Hooligans Motorcycle Club used stolen dealer credentials and handheld diagnostic machines to cut and program duplicate keys for a targeted set of Jeep Wrangler trucks, which they later stole and stripped down for parts.

According to the DoJ's indictment, the group worked in small teams to identify specific models of Jeep Wranglers throughout the San Diego area. Once a target vehicle was identified, a member obtained the truck's vehicle identification number (VIN), which is usually printed on the dashboard.

The VIN was then passed to another member, who used database login credentials taken from a Jeep dealer in Cabo San Lucas, Mexico. The database, used by dealerships to perform repairs on the cars, contained the information needed to cut and program duplicate keys.

The DoJ believes that, armed with the duplicate key, a thief popped the hood of the car to disable most of the alarm system and open the door. Then they used a handheld diagnostic tool and a code from the database to pair the duplicate key with the truck and turn off any remaining security features.

A transporter then allegedly drove the stolen trucks, now paired with a valid key, across the US border to Mexico, where they were stripped down for parts to be resold.

This scheme is believed to have netted members of the Hooligans gang around $4.5m in profits from more than 150 vehicles.

The thefts ran for over two and a half years, from January 2014 through September 2016, when the group was indicted. The DoJ unsealed and announced the charges this week.

The DoJ has indicted nine members for the scheme, six of whom remain at large as fugitives believed to be hiding out in Mexico. Each of them faces charges of Conspiracy to Commit Transportation of Stolen Vehicles in Foreign Commerce, a crime carrying a maximum of five years in prison per charge. ®
