Mercedes theft sparks discussion on X on fob cloning

mercedes_chatgpt — Image by Mercedes-Benz

Thieves are increasingly targeting keyless cars by exploiting entry system vulnerabilities.

“My car was stolen from my driveway last night,” wrote tech journalist Eleanor Dallaway in an X post on February 6th.

“I still have both keys (they were stored safely a long way from the car), no smashed glass. The alarm didn't go off (we were sleeping with the window open above & heard nothing),” adds Dallaway.

twitter

The post sparked discussion among X users about what technique might be used to steal the Mercedes. Rik Ferguson, a cybersecurity researcher and a Special Advisor to Europol's cybercrime unit, responded to Dallaway’s tweet, saying fob cloning might have been used to steal her Mercedes.

twitter

The discussion arose if FlipperZero might have been used. FlipperZero, a small device that started out as a Kickstarter project, can read, record, and manipulate over-the-air signals such as radio frequency (RF), near-field communication (NFC), infrared, and radio-frequency identification (RFID).

The device has been successfully used to read and clone the card’s NFC, entrance cards, ACs, TV controls, or gates. FlipperZero can also read and record signals from car key fobs.

However, the cars have an extra level of security feature called "rolling codes" that changes code after each use to prevent a simple form of replay attack. Unlocking a car using FlipperZero would require the exploitation of additional vulnerabilities.

According to another Ferguson post, FlipperZero can't make rolljam attacks, but it can unlock older cars that lack a simple replay feature or record rolling codes from a distance for instant use.

twitter

Keyless cars targeted by thieves

With luxurious cars going keyless, so-called relay thefts are on the rise. Thieves are exploiting vulnerabilities in keyless entry systems to gain unauthorized access to vehicles.

Keyless car systems operate using a fob that the car communicates with to lock and unlock, rather than a physical key. Thieves no longer need to steal a key or break into a property – instead, they simply need to intercept the signal from the fob.

There is a range of electronic devices that can be easily obtained on the internet to target the vehicle and steal it within minutes.

Steal a car challenge

Last year, Hyundai and KIA released software updates for millions of car owners in an effort to combat a viral TikTok challenge linked to a rash of stolen cars, fender benders, and more than a dozen fatalities in the US.

The "KIA challenge," initiated in Milwaukee, Wisconsin, by a teenage gang known as the "KIA Boyz," gained attention in 2021. These young thieves started sharing instructional videos demonstrating how to bypass vehicle security systems and hotwire cars using only a screwdriver and a USB cable.

This exploit impacted all cars manufactured by Hyundai and KIA between 2015 and 2019, which lacked push-button ignitions and immobilizing anti-theft mechanisms, amounting to a total of 8.3 million vehicles.

The automakers were sued for failing to install anti-theft devices in most models before 2021, creating an environment ripe for car thieves.