Sons of IoT: Bikers hack Jeeps in auto theft spree

Gang used lifted codes, stolen logins to bypass onboard security

By Shaun Nichols in San Francisco

A Tijuana-based biker gang is accused of hacking hundreds of trucks over two and a half years as part of a multi-million-dollar auto theft ring.

The San Diego offices of the US Department of Justice and the FBI said that nine members of the Hooligans Motorcycle Club used stolen dealer credentials and handheld diagnostic machines to cut and program duplicate keys for a targeted set of Jeep Wrangler trucks, which they later stole and stripped down for parts.

According to the DoJ's indictment, the group worked in small teams to identify specific models of Jeep Wranglers throughout the San Diego area. Once a target vehicle was identified, a member obtained the truck's vehicle identification number (VIN), which is usually printed on the dashboard.

The VIN was then passed to another member, who used database login credentials taken from a Jeep dealer in Cabo San Lucas, Mexico. The database, used by dealerships to perform repairs on the cars, contained the information needed to cut and program duplicate keys.

The DoJ believes that, armed with the duplicate key, a thief popped the hood of the car to disable most of the alarm system and open the door. Then they used a handheld diagnostic tool and a code from the database to pair the duplicate key with the truck and turn off any remaining security features.

A transporter then allegedly drove the stolen trucks, now paired with a valid key, across the US border to Mexico, where they were stripped down for parts to be resold.

This scheme is believed to have netted members of the Hooligans gang around $4.5m in profits from more than 150 vehicles.

The thefts ran for over two and a half years, from January 2014 through September 2016, when the group was indicted. The DoJ unsealed and announced the charges this week.

The DoJ has indicted nine members for the scheme, six of whom remain at large as fugitives believed to be hiding out in Mexico. Each of them faces charges of Conspiracy to Commit Transportation of Stolen Vehicles in Foreign Commerce, a crime carrying a maximum of five years in prison per charge. ®
