On Tuesday, federal authorities announced that several members of the Tijuana-based Hooligans Motorcycle Club had been indicted for some stealing $4.5 million worth of Jeeps in San Diego County.
How’d they do it? Stolen keys? Smash and grab operation? Nah, according to police, these bikers just gained access to a secure key database and then hacked the vehicles’ onboard computers so that they could drive back to Mexico undetected.
Except the Hooligans eventually were detected by a home security camera, hence the indictment. But that was after they allegedly stole an estimated 150 Jeep Wranglers using methods seemingly pulled from Gone in 60 Seconds. Based on the findings of a three-year-long police investigation dubbed “Operation Last Ride,” the thieves started by patrolling San Diego neighborhoods and recording vehicle identification numbers (VINs) visible through target vehicles’ windshields.
This enabled them to fetch key duplication codes from a secure online database containing the proper key patterns. It’s unclear if the bikers hacked the database or had a man on the inside, but authorities say that the key code queries were connected to a Jeep dealership in Cabo San Lucas.
After the thieves cut the duplicate keys, the real fun began. Here’s the San Diego Union Tribune’s account of the thefts themselves:
In other words, the Hooligans allegedly hacked into the cars’ computers. The paper continues:
Once stolen, the Hooligans returned the Jeeps to Mexico where they either sold them as complete vehicles or chopped them up for parts, according to police. Again, authorities think the biker gang had been doing this for at least three years before they were caught. And so far, only three out of the nine men indicted have been arrested. Seven of the nine are United States citizens.
Now, we can all agree that crime is bad, and getting your car stolen. However, this is some DEFCON-level hacking shit, the kind of thing that exposes real flaws in automotive security. Just a couple years ago, a pair of hackers won a standing ovation at the Black Hat security conference in Las Vegas (as well as international media attention) after they figured out how to remotely gain control of a Jeep Grand Cherokee. Chrysler later recalled 1.4 million of the SUVs due to the hacking threat.
It’s unclear how Jeep or its parent companies plan to deal with the apparent security vulnerability in these Wranglers. Now that the Hooligans’ methods have been exposed, one would hope that they’d review the security of that online database and possibly issue a software update to the cars themselves. We’ve reached out to the company to learn more information on what happens next and will update this post if we hear back. In the meantime, don’t underestimate the capabilities of Tijuana-based biker-slash-hacker gangs. They’re unpredictable as hell.
Fiat Chrysler Automobiles sent us the following statement:
As the investigation is ongoing, FCA US has no further comment.
Download SafeUM — communicate privately, without advertising and spam.
Axarhöfði 14,
110 Reykjavik, Iceland