Tuesday, December 3, 2024
HomeCyber AttackHackers Using Old Nokia 3310 Phone to Start Car Without Key

Hackers Using Old Nokia 3310 Phone to Start Car Without Key

Published on

SIEM as a Service

Recent car thefts have involved technology concealed inside outdated Nokia 3310 Phone and Bluetooth speakers. This brand-new type of car theft is becoming more prevalent in the US.

Criminals use tiny gadgets to interface with the car’s control system, sometimes hidden within innocent-looking Bluetooth speakers or cell phones.

This makes it possible for thieves with little technological expertise to steal cars without a key, sometimes in as little as 15 seconds.

- Advertisement - SIEM as a Service

With the gadgets available online for a few thousand dollars, the barrier to stealing even high-end luxury cars is significantly decreased.

How Thieves Steal Cars Using Outdated Cell Phones?

According to YouTube videos exhibiting the technique, identified by Motherboard is the one where a man uses a Nokia 3310 to start a Toyota.

A man is repeatedly tapping a button next to the steering wheel while seated in the driver’s seat of a Toyota.

The engine fails to start, and a red light flashes. Because he lacks the key, the man pulls out an everyday object: a Nokia 3310 phone.

Using a black cable, the man connects his phone to his vehicle. He selects a few options on the tiny LCD screen of the 3310. The display reads, “CONNECT. GET DATA.” He then tries starting his car once more. The engine roars while the light turns green.

Reports say the technology is sold for between $2,700 and $19,600 on numerous websites and Telegram channels. One vendor sells the Nokia 3310 phone for 3,500 Euros ($3,800), while another advertises it for 4,300 Euros ($4,300).

When one person offered to sell engine starters online, Motherboard pretended to be an interested buyer. That person stated they would use DHL to send a device to the United States.

“Yes, Nokia works with USA cars,” they wrote, referring to the engine starter hidden inside a Nokia phone. The seller said they take Western Union, MoneyGram, bank transfers, and cryptocurrency.

One advertisement for a device concealed inside a Bluetooth speaker bearing the JBL logo reads, “JBL Unlock + Start.” “No key is required!”

According to the advertisement, a range of Toyota and Lexus vehicles can use this particular device: “Our device has a cool stealthy style and look,” it claims.

Ken Tindell, CTO at vehicle cybersecurity company Canis Labs, wrote in an email to Motherboard, “The device does all the work for them, all they have to do is take two wires from the device, detach the headlight, and stuff the wires into the right holes in the vehicle side of the connector.”

Tindell and Ian Tabor, a colleague in automotive cybersecurity where Tabor purchased a device for reverse engineering after it appeared that auto thieves used one to steal his own Toyota RAV4 last year.

Tabor researched and discovered devices for sale that target Jeeps, Maseratis, and other car models.

Keyless repeaters are a different kind of vehicle theft deterrent that Motherboard has previously spoken with vendors about.

These send signals from a victim’s car key, which may be in their home, to their automobile, either in the driveway or nearby. But thieves don’t need the car key to operate with these modern gadgets.

 Despite the devices’ high cost, the one Tabor purchased only had parts worth $10. These comprise another CAN-related chip and a chip containing CAN hardware and firmware.

The assault, known as CAN (controller area network) injection, operates, by Tindell and Tabor’s study, by delivering fake messages that seem to originate from the car’s smart key receiver, the research adds.

The Effective Solution

The only efficient remedy, according to Tindell, would be to add cryptographic protections to CAN messages. He stated that a software update may accomplish this.

“The software is straightforward, and the only complex part is introducing the cryptographic key management infrastructure. But since new vehicle platforms are already deploying cryptographic solutions, that infrastructure is either in place or has to be built anyway,” Tindell said.

“Vehicle theft is an industry-wide challenge that Toyota takes seriously. Even with technological advances, thieves reportedly are devising ways to circumvent existing anti-theft systems.

We are committed to continuing to work on this issue with theft prevention experts, law enforcement, and other key stakeholders”, Corey Proffitt, senior manager of connected communications at Toyota Motor North America, told Motherboard in an email.

Also Read:

The Relatively Unknown Car Hacking Threat

PASTA – A New Car Hacking Tool Developed by Toyota to Test The Security Vulnerabilities

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...