By on August 27, 2016

2016 Jeep® Wrangler Unlimited 75th Anniversary edition

A Houston-area vehicle-theft ring that used laptops to enter, then steal, over 100 Jeep and Ram vehicles exposed a serious internal security breach at Fiat Chrysler Automobiles.

Now that two arrests have been made in the case, FCA is talking tough and threatening criminal proceedings against anyone who provides outsiders with key vehicle data, Automotive News reports.

Earlier this year, Houston police noticed a trend in vehicle thefts. Certain Ram and Jeep models disappeared from driveways and garages more than any other model, and a private security camera eventually captured one thief using a laptop to enter a Jeep Wrangler, disable its security system, then drive off.

Suspicion fell on hackers, but FCA’s security head told us last month that the thefts aren’t the result of a purpose-built gadget or device.

“Not just anyone can do that — you need to have access to our systems in order to get the information necessary from each vehicle to marry a key fob,” Titus Melnyk, FCA’s senior manager of security architecture, told TTAC, adding that the thefts were the result of someone “abusing their privileges.”

On Thursday, the automaker updated the terms of use for its internal DealerCONNECT software. FCA now threatens “civil and criminal proceedings” against those who provide outsiders with “key codes, radio codes and other anti-theft or security measures.”

Houston police say the thieves used a laptop, OBD-II plug and software to make off with the vehicles, most of which had crossed the Mexican border by the time their owners noticed them missing.

An FCA spokesperson told the Houston Chronicle that thieves entered the vehicle identification number of a target vehicle into an FCA database to access the code for that vehicle’s key fob. After programming the vehicle’s security system to accept a generic key fob, the Jeep or Ram was theirs for the taking.

The vehicle-theft ring is still active in the Houston area, according to police, and more arrests are likely. Neither the police nor FCA has stated exactly how thieves accessed the automaker’s VIN database.

[Image: Fiat Chrysler Automobiles]


15 Comments on “Fiat Chrysler Cracks Down on Data Violators After Ram/Jeep Theft Ring Bust...”


  • Scoutdude

    Hmmm…I remember when the original article ran someone in the comments noted that they were doing it by getting the VIN of a vehicle they wanted and then used that to get the code to marry the fob to the vehicle.

    It is interesting that they are claiming that they don’t know how the database was accessed. I’m betting it was at a dealership and that FCA’s system is that messed up that they can’t enter the VIN of the stolen vehicles and figure out the time and place that VIN was used to retrieve a key code. I would also think that they should be able to look at the data of when and how many times a dealer looked up a key code and find the dealer that has been getting more key codes than the average.

    • Lorenzo

      What they say they don’t know and what they actually know might be two different things, especially with a criminal investigation still under way. As for their database being messed up, this is a company whose programming of their ZF-licensed 8-speed and 9-speed transmissions is still ongoing, even with ZF help.

  • FOG

    “I would also think that they should be able to look at the data of when and how many times a dealer looked up a key code and find the dealer that has been getting more key codes than the average.”

    You would be wrong. Why would any manufacturer waste resources keeping track of data that could never possibly yield actionable evidence? Defining average is no small feat. For example dealer A accesses the system 100 times a week for key code data. Dealer B accesses the same system 1000 times. Finally Dealer C accesses the system 1 time, but uses software to download all their needed key code data for the week. Which one is the crook?

    I am trying really hard not to make fun of this response. The flippant remark that FCA systems are messed up implies ignorance about large SOX compliant systems and large networks in general. The dealer has their systems that may or may not use the manufacturer’s software to capture data. Suppliers of these types of parts for vehicles have their systems. FCA may store the data for the dealer at a VIN level, but they have to, by law, make it extremely difficult for anyone other than an authorized dealer or service provider to capture this data. They are required to pay an auditing firm to guarantee that this data is encrypted and access to it is restricted.

    • Scoutdude

      The code to marry a fob or cut a key is a security issue so they should make an effort to track what accounts access the system and what VINs they enter. Just because it now takes a laptop to marry a fob to a car does not mean that looking up codes based on the VIN to steal cars is a new thing. I heard of a ring that stole Mercedes that hinged on the one guy at the dealership that would look up codes, cut keys and hand them off to the guys that would pick up the car.
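
The audit discussed in this exchange (tracking which accounts look up which VINs), sketched as an added example that is not part of the article or of any commenter's post. Instead of comparing lookup volume against an average, it counts, per account, the key-code lookups that shortly preceded a theft report for the same VIN; the log layout, account names and VINs are constructed assumptions, since the page does not describe FCA's logging.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (account, VIN, lookup time). Account names, VINs and
# the log layout are hypothetical; the page does not describe FCA's log format.
LOOKUPS = [
    ("dealerA-tech1", "VIN0001", "2016-05-02T09:15"),
    ("dealerA-tech1", "VIN0002", "2016-05-03T10:40"),
    ("dealerB-parts", "VIN0003", "2016-05-03T22:05"),
    ("dealerB-parts", "VIN0004", "2016-05-04T23:30"),
    ("dealerB-parts", "VIN0005", "2016-05-06T21:50"),
    ("dealerC-svc",   "VIN0004", "2016-03-01T11:00"),  # old, legitimate service visit
    ("dealerC-svc",   "VIN0006", "2016-05-05T14:20"),
]
# Constructed theft reports: VIN -> time the vehicle was reported stolen.
THEFTS = {
    "VIN0003": "2016-05-04T06:00",
    "VIN0004": "2016-05-05T07:30",
    "VIN0005": "2016-05-07T08:10",
}

def suspicious_accounts(lookups, thefts, window_days=3, min_hits=2):
    """Rank accounts by key-code lookups that preceded a theft of the same VIN
    by at most window_days. Returns [(account, hits, total_lookups)], best first."""
    window = timedelta(days=window_days)
    hits, totals = defaultdict(set), defaultdict(int)
    for account, vin, ts in lookups:
        totals[account] += 1
        if vin not in thefts:
            continue
        gap = datetime.fromisoformat(thefts[vin]) - datetime.fromisoformat(ts)
        # Only lookups shortly BEFORE the theft count; later or much older ones
        # (post-recovery service, a visit months earlier) are ignored.
        if timedelta(0) <= gap <= window:
            hits[account].add(vin)
    ranked = [(a, len(v), totals[a]) for a, v in hits.items() if len(v) >= min_hits]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for account, n, total in suspicious_accounts(LOOKUPS, THEFTS):
        print(f"{account}: {n} of {total} lookups preceded a theft")
```

The ranking does not depend on how many lookups an account makes overall, so a high-volume dealer is not flagged for volume alone.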

  • Kenmore

    That Jeep’s a lovely green but I’m still bored.

    • 05lgt

      It is a very nice color. Look nice on a Lotus or something else hard to get into. Oops, Google tricked me into looking at Sophia Vergara from the 2008 Oscars after party. It’s not even the right shade of green.

  • JohnTaurus_3.0_AX4N

    I remember hearing about high-end F-Series disappearing around Atlanta and it eventually getting traced back to employee(s?) at the (now-gone) Hapeville assembly plant.

    I’m assuming they used their knowledge to bypass PATS or whatever.

  • thelastdriver

    Uhh, if someone did hack (or abuse privileges in) FCA’s systems they probably copied the whole database if they were smart enough to do this on-the-fly in an about-to-be-stolen vehicle.

    Really think the thieves are dumb enough to use a traceable LTE connection to FCA?

    • Scoutdude

      Highly unlikely they downloaded the entire database. For one I highly doubt that the system is set up to allow that and even if it did that would be millions of records to cover even the last couple of years of vehicles.

      As I mentioned in the original article the most likely scenario is that they spot a vehicle that they want, capture that particular vehicle’s VIN. That number is then passed off to the accomplice with access to the Chrysler system. That person then gives the code to the people who actually take the cars and collects his $$ or bag of drugs.

  • PrincipalDan

    Dealership employees. Somebody found the “keys to the kingdom” and the temptation was too great.

  • GoHuskers

    FCA makes nice Jeeps!

  • pragmatist

    This highlights a problem in security systems in general. For automobiles, where the owner may indeed need access to a car (lost keys etc) some kind of a back door is necessary. And as demonstrated here the back door ultimately is a fatal weakness. But the losses were individual vehicles.

    Yet this is what some in government are trying to push on data encryption. The FBI feels they are entitled to read any communication on demand, but creating a universal back door like that WILL (not ‘probably’ but definitely) be leaked. Then everyone’s communication becomes exposed to hackers, thieves, hostile governments (which could include the US).

  • 1998redwagon

    excuse me but this issue can be solved by putting a portion of a 3×5 card over the vin. correct?

    low tech solution to a high tech problem.
