By on July 12, 2016

2016 Jeep Wrangler Unlimited, Image: Fiat Chrysler Automobiles

Jeep and Ram vehicles are being snatched out of driveways in Houston, but the thieves aren’t hacking their way to a free ride, according to the automaker’s U.S. head of security architecture.

A rash of thefts over the past few months in the Houston area had owners of Jeep and Ram vehicles scratching their heads until a garage surveillance video posted by police showed two men making off with a Wrangler. One of the men appears to use a laptop to start up the vehicle, raising fears that tech-minded thieves have developed a program to override security features and commandeer certain vehicles.

Fiat Chrysler Automobiles is working with the Houston Police Department on the case, but claims the video is misleading.

“We don’t see anything that would be a security hack — there’s no new software or new tool used in any of these thefts,” Titus Melnyk, FCA’s senior manager of security architecture, told TTAC.

Opening the hood of a vehicle with tie-down latches and disabling a horn to prevent an audible alarm is a easy job for a thief, he said, and there are many ways of unlocking a vehicle. Once FCA staff watched the video, it became reasonably clear how the thief was able to drive off.

“Once they’re inside, they’re connecting a laptop which is running the software necessary to marry or join a key fob to the vehicle,” said Melnyk. “Not just anyone can do that — you need to have access to our systems in order to get the information necessary from each vehicle to marry a key fob. We’re working with law enforcement about how these thieves are getting their hands on those. This isn’t just a problem for us, it’s an auto industry issue. Dealers and locksmiths now, they’re all authorized to get this information. Based on what we’re seeing, it appears that they’re getting those PINs or vehicle-specific information for the vehicles they’re stealing in order to do this theft.”

For Melnyk and his team, the thefts aren’t due to a flaw in FCA hardware, but by “people abusing their privileges.” For the sake of the investigation, he couldn’t comment further on how the thieves gained access to the dealer information, but he stressed the vehicle’s systems are working as intended.

“When people see a laptop, I think they’re assuming something new is going on.”

FCA has reason to be sensitive to claims of its vehicles being hackable. Last year, it recalled 1.4 million vehicles over hacking concerns after it was demonstrated that the key driving functions of a Jeep Grand Cherokee test vehicle could be commandeered remotely. In that test, hackers exploited a weakness in the vehicle’s Uconnect infotainment software to gain access to more important functions.

FCA installed a software patch to prevent any remote tampering.

[Image: FCA US]

Get the latest TTAC e-Newsletter!

31 Comments on “Houston Jeep and Ram Thieves Aren’t Hackers: FCA...”


  • avatar
    sportyaccordy

    This is a bit of a relief.

  • avatar
    dukeisduke

    So will The Club make a comeback now?

    • 0 avatar
      Scoutdude

      No need for a club a simple sheet of paper will stop these thieves. Place said paper over the bar code and VIN on the dash and they are out of luck. With no VIN they can’t do anything.

      • 0 avatar
        dukeisduke

        What about the certification / tire pressure label on the door jamb or B-pillar? That has the VIN. Or are they looking for a barcode?

        • 0 avatar
          Scoutdude

          Well the sticker on the jamb has a bar code too and of course that will give them the info they need as well. However to get to that you have to open the door, at least if the doors are on in the case of a Wrangler.

      • 0 avatar
        DenverMike

        I’m thinking they have the VIN before they show up. Enter the corrupt Quickie Lube. Or dealer. Or car wash. They have your address, so the rest is cake. Much less key strokes and no waiting for codes to download.

        • 0 avatar
          Scoutdude

          Yes they have to have the VIN before they show up to take the car. They are not logging into the Chrysler system from the driveway waiting for the PIN to be retrieved.

          I think that the monkey-lube, or car wash are highly unlikely, too random to have much luck at getting exactly what they want. Sure a Jeep comes in and you’ve got the address but you have no idea if the vehicle is parked inside a locked garage, or in the driveway, or if it is a gated community or if there is community security.

          The most likely scenario is that a couple of guys go look for vehicles on “the list” that are parked in driveways. One hops out and does a quick scan of the VIN and they note the address. They then either pass that info off or keep it in their back pocket until they get to work at the dealer, or possibly locksmith. Enter the VIN and add that code to the list with the address. They then go back another night and get the vehicle.

          That way they know that the vehicle will likely be found when they want it and since they have already been there they “know” that messing around in the driveway won’t likely cause problems like a barking dog.

      • 0 avatar
        White Shadow

        Many cars have their VINs located on many exterior posts of the car. Look at the bottom sides of body panels and you can often find multiple VINs

  • avatar
    PeriSoft

    “the video is misleading”

    A misleading video? On the Internet? Say it isn’t so!

    But yeah, as usual, social engineering is mostly reported as l337 h4x0r1ng. Kudos to TTAC for not taking the bait.

  • avatar
    Scoutdude

    Which is what I originally said. The people who are doing this work at a FCA dealership or they have something on someone they know that works at a dealership. All they should have to do if their system is set up worth a damn is to enter the VINs of the vehicles that were stolen and find out when and where they last popped up in the system. If the system is set up right so that each employee that has authorized access has an individual sign in they can even pinpoint the person. Of course that is assuming that they aren’t waiting until their logged in co-worker heads to the bathroom w/o logging out/locking the computer.

    • 0 avatar
      vww12

      Or, as FCA said, the locksmiths.

      Am I the only one here who remembers VW got sued a decade ago to let the locksmiths make keys, and not just the car dealers?

      VW lost and now locksmiths can make VW keys.

      • 0 avatar
        Scoutdude

        Yes a locksmith could be the culprit as well but I’m betting on a dealer employee.

      • 0 avatar
        rudiger

        Maybe if the car dealers (in general, not just VW) weren’t so g-damn greedy and gleefully willing to anally rape customers who want or need another key, this might not be so much of an issue. The price difference between getting a new key fob from a car dealer and another, aftermarket source, be it a local locksmith or ordering off the internet, is pretty wide. It might at least cut down on the number of people who have access to the software necessary to accomplish the theft.

        It’s also worth noting that the Jeep in the video is a Wrangler, which has external hood latches. I wouldn’t be surprised in the least to learn that the architecture for the ignition system is similarly archaic and one of the easier ones to defeat (not to mention the lack of security with the soft top versions). Combined with the general popularity (and high price) of the Wrangler, well, it seems like a no-brainer as to why thieves chose that particular vehicle.

  • avatar
    sirwired

    I don’t see how FCA can come to that conclusion based solely on a video. Certainly that is how a dealership employee would marry a key to a car, but a hacker suffers no such restrictions, and is not necessarily using a stolen official FCA code.

    Immo systems have been around for a long time, and this wouldn’t be the first one that has been defeated by 3rd-parties.

    • 0 avatar
      Scoutdude

      Who knows for certain but it is much more likely that someone is finding a vehicle that is parked in an accessible place, and one that they can likely find the vehicle again later late at night, like someone’s driveway, scans the bar code and then looks up the PIN for the vehicle in the FCA computer system the next chance they get.

  • avatar
    05lgt

    If you’re looking at a car, it’s pretty easy to tell if it’s garaged or parked outside based on the type of dirt, weathering etc. I don’t rule out the screening being done at the dealership and pickup being when there’s somewhere for it to go.

  • avatar
    LS1Fan

    An alternative plan;

    FCA employee downloads massive VIN number & PIN ID database of vehicles produced in X number of years.

    The compromised data finds its way to connected car theives with the know how and money and bam- no more Jeep in driveway.

    I wish the authorities luck .Anyone smart enough to compromise vehicle VIN data is smart enough to cover their tracks .

    • 0 avatar
      Scoutdude

      If it is someone that has hacked into the data base then yeah they are probably smart enough to cover their tracks. However based on the fact that this is at least currently geographically contained, I’m still betting on a local person doing it one by one that will get tracked down.

  • avatar
    DenverMike

    If you expect better, use a kill switch. It’s impossible make a car theft proof to well connected hackers, and that’s more than good enough. You want the independent locksmith to have full rights/access to get you back on road fast/cheap. And you want financial lenders to repo fast/cheap.

    • 0 avatar
      redmondjp

      Yup. On the fuel pump power or starter solenoid circuit. Easy-peasy.

      I did this 25 years ago on a friend’s car, with a relay in the starter circuit, and a pushbutton hidden underneath the carpet on the left floor where the dead pedal is in some cars (and where the floor-mounted high beam switch used to be). You had to press the right spot on the floor while cranking – it was invisible to even the passengers in the vehicle.

      There was also a hidden ‘valet’ bypass switch deep inside the dash for when the car was at the mechanic or similar situation.

      • 0 avatar
        Testacles Megalos

        Route battery ground through a high amp solenoid placed so as not to be easily accessible. Put a 5 amp bypass fuse around the solenoid. Power the solenoid control through a low amp switch drawing power after the 5 amp fuse, installed somewhere non-obvious.
        With the solenoid de-activated, the car is “alive” until the starter (or other high-draw device) is activated, then car is electrically dead.
        Just make sure the fuse is not too difficult to access for you in case you forget to activate the solenoid before driving to work….

  • avatar
    Lack Thereof

    As any IT professional could tell you, “security by obscurity” DOES NOT WORK. If there’s a master list somewhere, ANYWHERE, that allows you to pair arbitrary key fobs to arbitrary vehicles, then the locking system is fundamentally broken and insecure.

    • 0 avatar
      Scoutdude

      Well the reality is that if a security computer needs that PIN to program a new remote then you will need to store that info somewhere. Some cars don’t require a PIN only the proper computer and the willingness to set there at wait the system out until it will enter the programming mode. From the time stamp on the video that was posted the other day it looks like the thief did have to wait for a timer before he was able to do the programming.

      • 0 avatar
        Lack Thereof

        Maybe don’t require a PIN. Maybe require a second, already-paired fob, or a physical metal key, in order to pair.

        • 0 avatar
          Scoutdude

          The problem with needing an actual metal key is that the trend is going to eliminating them. Many older cars did need the ignition switch to be turned on to initiate the programing sequence. So guess what happens when the customer looses their only key? The dealer or locksmith looks up the key code with the VIN, cuts the key and then uses that to start the programing process.

          The only real solution is to make the security module unable to be field programmed unless two valid keys/fobs are present. Then when the customer looses their only key you force them to buy a new security module and its pre-paired keys/fobs. The plus side is that now they can charge way more when a customer looses their key.

          • 0 avatar
            RHD

            Charging more for replacement keys is likely the prime motivation for “keyless” ignition. A simple system that worked fine for decades has been replaced by a more complicated one with built-in flaws.
            It’s enough to make me never want to buy a new vehicle… or maybe it’s just a natural part of getting a little older.

          • 0 avatar
            dal20402

            For me, at least, the motivation is that I can leave the fob in my pocket.

          • 0 avatar
            JimZ

            “Charging more for replacement keys is likely the prime motivation for “keyless” ignition. ”

            no, it’s to get high-current circuits out of the steering column. how many times in the (increasingly distant) past did we hear about cars which were known for ignition switches with melted connectors and/or outright fires?

            Ever since cars went to “tip start,” it doesn’t matter whether you have a physical metal key or not. If you do, all that sticking the key in the slot and turning it does is send messages to wake up the bus and all modules, then send a message to the PCM to energize the starter solenoid until the engine is running. it doesn’t matter in the slightest if that signal comes from a key in the lock cylinder, a button on the dash, or wirelessly via your fob or smartphone.

          • 0 avatar
            Scoutdude

            You do not have to eliminate the key to “get high current circuits out of the steering column. As you mentioned with the systems that the computer controls the starter that is still possible with a metal key stuck in the steering column.

  • avatar
    CoreyDL

    “These aren’t hackers. They’re just stealing information via computer, then using the computer to steal the car. That’s not hacking.”

    Errrrr.

  • avatar
    NeilM

    Our two older BMWs (1996 and 2003) have keys with chips in them that are exclusively paired to the ECU. With each new car the owner received 4 keys: 2 normal, 1 valet and one emergency (all plastic) key. Each car has a 10 key lifetime allocation, counting the originals. Replacements are available through your BMW dealer, but have to be ordered in from the BMW mothership, and ID checks and proof of ownership are required. Other than the original 10 key allocation no new keys can be made to work with the ECU.

    A fairly secure system, although if your 10 keys are all gone you’ll be in a world of hurt.

Read all comments

Back to TopLeave a Reply

You must be logged in to post a comment.

Recent Comments

  • ToolGuy: @Dan, The GMT400 vs. GMT800 question has always been interesting to me. I recently did some work on my...
  • sayahh: I used to buy Defenders but I haven’t been driving much, so I might get a set of Michelin’s Pilot...
  • Scoutdude: Be sure to look at the tirerack testing numbers too, at least for the tires that they have tested. That is...
  • Scoutdude: There are two basic kinds of analog gauges. One that return to 0 when power is removed and those that hold...
  • dal20402: These seem to be touring all-seasons, and the DWS06 is in the high-performance all-season category....

New Car Research

Get a Free Dealer Quote

Who We Are

  • Adam Tonge
  • Bozi Tatarevic
  • Corey Lewis
  • Mark Baruth
  • Ronnie Schreiber