On Tuesday, federal authorities announced that several members of the Tijuana-based Hooligans Motorcycle Club had been indicted for stealing some $4.5 million worth of Jeeps in San Diego County. How’d they do it? Stolen keys? Smash and grab operation? Nah, according to police, these bikers just gained access to a secure key database and then hacked the vehicles’ onboard computers so that they could drive back to Mexico undetected.
Except the Hooligans eventually were detected by a home security camera, hence the indictment. But that was after they allegedly stole an estimated 150 Jeep Wranglers using methods seemingly pulled from Gone in 60 Seconds.
Based on the findings of a three-year-long police investigation dubbed “Operation Last Ride,” the thieves started by patrolling San Diego neighborhoods and recording vehicle identification numbers (VINs) visible through target vehicles’ windshields. This enabled them to fetch key duplication codes from a secure online database containing the proper key patterns. It’s unclear if the bikers hacked the database or had a man on the inside, but authorities say that the key code queries were connected to a Jeep dealership in Cabo San Lucas.
After the thieves cut the duplicate keys, the real fun began. Here’s the San Diego Union Tribune’s account of the thefts themselves:
The Jeep Wrangler has two latches on the outside of its hood, which allows access to the engine. The thieves exploited that unique design, popping the hood and quickly cutting the wires for the horn and the front flashing lights. They would unlock the door with the duplicate key, put the key into the ignition and then use a handheld computer key programmer to connect to the car’s computer.
In other words, the Hooligans allegedly hacked into the cars’ computers. The paper continues:
Using the second code obtained from the database, the thieves would program the chip in the duplicate key, allowing them to operate the car.
The actual theft took only a few minutes.
Once stolen, the Hooligans returned the Jeeps to Mexico where they either sold them as complete vehicles or chopped them up for parts, according to police. Again, authorities think the biker gang had been doing this for at least three years before they were caught. And so far, only three out of the nine men indicted have been arrested. Seven of the nine are United States citizens.
Now, we can all agree that crime is bad, and getting your car stolen sucks. However, this is some DEFCON-level hacking shit, the kind of thing that exposes real flaws in automotive security. Just a couple years ago, a pair of hackers won a standing ovation at the Black Hat security conference in Las Vegas (as well as international media attention) after they figured out how to remotely gain control of a Jeep Grand Cherokee. Chrysler later recalled 1.4 million of the SUVs due to the hacking threat.
It’s unclear how Jeep or its parent companies plan to deal with the apparent security vulnerability in these Wranglers. Now that the Hooligans’ methods have been exposed, one would hope that they’d review the security of that online database and possibly issue a software update to the cars themselves. We’ve reached out to the company to learn more information on what happens next and will update this post if we hear back.
In the meantime, don’t underestimate the capabilities of Tijuana-based biker-slash-hacker gangs. They’re unpredictable as hell.
Update 12:45pm EST - Fiat Chrysler Automobiles sent us the following statement:
FCA US is committed to the safety and security of our vehicles, including cybersecurity. We continue to take proactive steps to address cyber risks including improved product security techniques and active participation in the Auto-ISAC as a secure platform to share and analyze intelligence across the industry.
As the investigation is ongoing, FCA US has no further comment.