In “Thieves outwit high-tech advances“, the Los Angeles Times details the ongoing evolution of car theft.

I’d already guessed how the attack was going to work (replace the security module with a compromised one) before I ever read the description, and that was before I even had any information to work off of.

Just like any automotive technology, antitheft systems differ widely in both their design and effectiveness, said Forrest Folck, who operates Motor Vehicle Forensic Services in San Diego.

The LS 400s that were stolen are among models that use a smart key to tie into the car’s electronic control module, or ECM, the central brain for the engine, transmission and related systems. Unless the smart key sends the proper code to the ECM transponder, the ECM disables the electronic fuel-injection system.

Here’s how a criminal ring has defeated it: First, they force the locks on the door and steering column with a custom-made tool, using a socket wrench coupled to a specially machined blank key that fits any Lexus lock and can deform the wafers and tumblers.

Once inside the car, the hood is popped, the steering wheel lock is broken and the ignition electronics can be engaged. Normally, however, the ECM transponder would recognize that the key is not providing the proper security code.

But a second team member goes straight for the ECM, unscrewing the 6-by-8-inch box under the hood and unplugging the 50-pin connector. It is replaced with an altered ECM with a disabled transponder that does not shut down the fuel-injection system, Folck said.

…

Every generation of antitheft technology is good for a while but eventually gets figured out by criminal networks, a cycle Hazelbaker has seen play out before.

“A new technology is good for two or three years before you see the theft statistics creep back up,” he said. “By five or six years, if the manufacturer hasn’t changed the technology, you see the numbers back to where they were before.”

The attack detailed here is a fairly low-tech response to a high-tech countermeasure. The effective countermeasure would need to be low-tech as well. In this case, it would mean placing the computer so that it can only be removed as part of, say, major engine disassembly.

In that case, though, the tradeoff would be dramatically increased maintenance costs for the car’s owner, since all maintenance would require an hour or two of engine work. This would almost certainly exceed the incremental cost of transferring the theft risk with insurance. That excludes the costs of not deterring theft (catching, prosecuting, and imprisoning car thieves) as an externality to the insurance companies and the victims, however.

It’s also interesting to me is how the organization of car theft is sounds like it’s becoming more and more similar to computer crime. I strongly suspect that a small number of true experts identify vulnerabilities, develop exploits and bypasses, then build tools which they sell or rent to the people who actually steal the cars.

That’s not to say that it’s all going high-tech in the world of car theft, though. As the article also points out,

Some theft teams use casters to elevate a car off its wheels and then roll it onto a flatbed tow truck.

At least nobody is losing a finger this time.

Assessing your risks? Check.
Choosing the right tool for the job? Check.
Staying in business because you learn on mistakes and advances of others? Check.

How long before some bright spark in the car industry comes up with another high-tech “solution”?