Thursday, June 20, 2024

Hackers Using Old Nokia 3310 Phone to Start Car Without Key

Recent car thefts have involved technology concealed inside outdated Nokia 3310 Phone and Bluetooth speakers. This brand-new type of car theft is becoming more prevalent in the US.

Criminals use tiny gadgets to interface with the car’s control system, sometimes hidden within innocent-looking Bluetooth speakers or cell phones.

This makes it possible for thieves with little technological expertise to steal cars without a key, sometimes in as little as 15 seconds.

With the gadgets available online for a few thousand dollars, the barrier to stealing even high-end luxury cars is significantly decreased.

How Thieves Steal Cars Using Outdated Cell Phones?

According to YouTube videos exhibiting the technique, identified by Motherboard is the one where a man uses a Nokia 3310 to start a Toyota.

A man is repeatedly tapping a button next to the steering wheel while seated in the driver’s seat of a Toyota.

The engine fails to start, and a red light flashes. Because he lacks the key, the man pulls out an everyday object: a Nokia 3310 phone.

Using a black cable, the man connects his phone to his vehicle. He selects a few options on the tiny LCD screen of the 3310. The display reads, “CONNECT. GET DATA.” He then tries starting his car once more. The engine roars while the light turns green.

Reports say the technology is sold for between $2,700 and $19,600 on numerous websites and Telegram channels. One vendor sells the Nokia 3310 phone for 3,500 Euros ($3,800), while another advertises it for 4,300 Euros ($4,300).

When one person offered to sell engine starters online, Motherboard pretended to be an interested buyer. That person stated they would use DHL to send a device to the United States.

“Yes, Nokia works with USA cars,” they wrote, referring to the engine starter hidden inside a Nokia phone. The seller said they take Western Union, MoneyGram, bank transfers, and cryptocurrency.

One advertisement for a device concealed inside a Bluetooth speaker bearing the JBL logo reads, “JBL Unlock + Start.” “No key is required!”

According to the advertisement, a range of Toyota and Lexus vehicles can use this particular device: “Our device has a cool stealthy style and look,” it claims.

Ken Tindell, CTO at vehicle cybersecurity company Canis Labs, wrote in an email to Motherboard, “The device does all the work for them, all they have to do is take two wires from the device, detach the headlight, and stuff the wires into the right holes in the vehicle side of the connector.”

Tindell and Ian Tabor, a colleague in automotive cybersecurity where Tabor purchased a device for reverse engineering after it appeared that auto thieves used one to steal his own Toyota RAV4 last year.

Tabor researched and discovered devices for sale that target Jeeps, Maseratis, and other car models.

Keyless repeaters are a different kind of vehicle theft deterrent that Motherboard has previously spoken with vendors about.

These send signals from a victim’s car key, which may be in their home, to their automobile, either in the driveway or nearby. But thieves don’t need the car key to operate with these modern gadgets.

 Despite the devices’ high cost, the one Tabor purchased only had parts worth $10. These comprise another CAN-related chip and a chip containing CAN hardware and firmware.

The assault, known as CAN (controller area network) injection, operates, by Tindell and Tabor’s study, by delivering fake messages that seem to originate from the car’s smart key receiver, the research adds.

The Effective Solution

The only efficient remedy, according to Tindell, would be to add cryptographic protections to CAN messages. He stated that a software update may accomplish this.

“The software is straightforward, and the only complex part is introducing the cryptographic key management infrastructure. But since new vehicle platforms are already deploying cryptographic solutions, that infrastructure is either in place or has to be built anyway,” Tindell said.

“Vehicle theft is an industry-wide challenge that Toyota takes seriously. Even with technological advances, thieves reportedly are devising ways to circumvent existing anti-theft systems.

We are committed to continuing to work on this issue with theft prevention experts, law enforcement, and other key stakeholders”, Corey Proffitt, senior manager of connected communications at Toyota Motor North America, told Motherboard in an email.

Also Read:

The Relatively Unknown Car Hacking Threat

PASTA – A New Car Hacking Tool Developed by Toyota to Test The Security Vulnerabilities


Latest articles

1inch partners with Blockaid to enhance Web3 security through the 1inch Shield

1inch, a leading DeFi aggregator that provides advanced security solutions to users across the...

Hackers Exploit Progressive Web Apps to Steal Passwords

In a concerning development for cybersecurity, hackers are increasingly leveraging Progressive Web Apps (PWAs)...

INE Security: Optimizing Teams for AI and Cybersecurity

2024 is rapidly shaping up to be a defining year in generative AI. While...

Threat Actor Claims Breach of Jollibee Fast-Food Gaint

A threat actor has claimed responsibility for breaching the systems of Jollibee Foods Corporation,...

Threat Actors Claiming Breach of Accenture Employee Data

Threat actors have claimed responsibility for a significant data breach involving Accenture, one of...

Diamorphine Rootkit Exploiting Linux Systems In The Wild

Threat actors exploit Linux systems because they are prevalent in organizations that host servers,...

Amtrak Data Breach: Hackers Accessed User’s Email Address

Amtrak notified its customers regarding a significant security breach involving its Amtrak Guest Rewards...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles