Car Thieves Everywhere Rejoice as Unsecured Database Exposes 10 Million Car VINs

This car is systematic, hyyydromatic...why it's greased lightning!
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Car Thieves Everywhere Rejoice as Unsecured Database Exposes 10 Million Car VINs

Post by FlyingPenguin »

VINs could be used in mass car cloning operation

Believe it or not, the most sought-after information exposed in the database is the VINs, a serial number unique to each vehicle.

For the last decade, car thieves have been using stolen VIN numbers to pass stolen cars as legitimate...

...VINs could be used to create replica keys

Besides car cloning, VINs can also be used for other criminal operations. For example, last week, a motorcycle gang from Mexico known as the Hooligans has shown the world another way of using stolen VINs.

The group operated by initially obtaining the VIN of a car they wanted to steal. The group focused only on Jeep Wranglers.

After getting the VIN, the gang would illegally access a car dealership's proprietary database from where they'd steal two codes necessary to create replacement keys.

The gang would then use these secondary keys to open cars and drive off with people's cars in the middle of the night.

Compared to car cloning, this method is more complex, as it requires access to proprietary car key codes databases, but if an attacker finds 10 million VINs on the Internet then he's already halfway there.
https://www.bleepingcomputer.com/news/s ... -car-vins/
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "

Losbot
Almighty Member
Posts: 4991
Joined: Sun Jul 13, 2014 8:59 am
Location: South Florida

Re: Car Thieves Everywhere Rejoice as Unsecured Database Exposes 10 Million Car VINs

Post by Losbot »

What baffles me is that if the VIN is so sacred, why are we still placing it on the dash in plain sight? Why not only place it in areas where you'd need a key to access it & read it?
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: Car Thieves Everywhere Rejoice as Unsecured Database Exposes 10 Million Car VINs

Post by FlyingPenguin »

I'm guessing what's valuable is not only the VIN but the owner's information? I guess that would make it easier to forge a stolen car's VIN?
Err
Life Member
Posts: 5842
Joined: Thu Nov 22, 2007 11:54 am

Re: Car Thieves Everywhere Rejoice as Unsecured Database Exposes 10 Million Car VINs

Post by Err »

While it would stick for owners, the only way I see around this is to not tie keys to the VIN and require a dealer to marry them to the vehicle. Another way may be to have a code encrypted in the car's computer that can only be read by a dealer. Neither method is going to stop all thieves.

Honestly, having to punch in a PIN to start your car would probably be more secure in this day and age.
Pugsley
Posts: 7454
Joined: Mon Aug 19, 2002 11:54 pm
Location: NW Indiana

Re: Car Thieves Everywhere Rejoice as Unsecured Database Exposes 10 Million Car VINs

Post by Pugsley »

Depends how it's integrated. If it's just a module that sends a signal to the ECU saying OK to run then that can be faked.