Cars are lucrative yet fast-moving targets for hackers. As they transform from combustion engines into sophisticated computers-on-wheels, threat actors have a larger attack surface to exploit. However, the automotive industry has also invested considerably in securing cars, seeking to lock attackers out, both physically and virtually.
On several dedicated underground forums, threat actors share information and tools related to automobile hacking and theft. They also sell stolen cars, equipment for auto theft, fake driver's licenses, and bank certificates for car loans.
Improved tools and techniques may have contributed to the significant recent rise in US vehicle theft, which rose from ~888,000 in 2020 to over 1 million in 2022.
This article will examine activity on underground automotive forums, including sales of various tools, stolen cars, and fraud services.
Master Keys: A master car key can open the doors and start the ignition on multiple vehicles. While these keys are reserved for auto industry professionals and locksmiths only, thieves can obtain them to steal cars.
An image of keys for sale. Photo: CyberSixgill
Code grabbers: Many new and late-model cars are equipped with keyless entry/start fobs, which enable motorists to start the car without removing the devices from their pockets. Thieves use devices called code grabbers to intercept signals between key fobs and the car. They can then use code grabbers to repeat the signal to the car, spoofing the key fob and activating the automobile. Code grabbers are readily available online and on underground forums.
Threat actors advertise a variety of automobile fraud services, enabling others to carry out more sophisticated thefts.
Registration fraud: Threat actors carry out fraudulent sales and re-register a car in the name of a new owner through the Department of Motor Vehicles (DMV). One actor offering this service explains (figure 8) that once a car’s registration changes, the new “owner” can sell the car, tow it, or report it as stolen in order to convert it into cash.
Fake documents: Fraudsters also sell fake documents that enable actors to purchase and operate vehicles. These include fake driver's licenses, bank loan documents, and car insurance forms.
Fake driver's licenses and vehicle registration documents offered for sale on the underground. Photo: CyberSixgill
Stolen Cars: Several actors even sell vehicles on underground hacking forums. While they do not generally mention if they are in legal possession of these cars for sale, several indicators signal that they are illicit (beyond the obvious fact that anything sold on the dark web is inherently suspicious). First, in the example below the price is suspiciously lower than the vehicle’s recommended value on the second-hand market.
Second, sellers of stolen vehicles generally only list the price and mileage. They omit essential information, such as the number of previous owners, insurance details, and registration/test data. Finally, these transactions are cash-only, preventing a paper trail that law enforcement can follow. Furthermore, prospective buyers look for cars without documents or “unnecessary questions”
A presumably stolen vehicle offered for sale on an underground automotive hacking forum. Photo: CyberSixgill
Over the last decade, automobiles have transformed into complex computer platforms. While these provide considerable convenience to drivers, they have also added many options for threat actors to exploit.
Our analysis of underground automotive hacking forums has shown that car hackers use a combination of innovative technologies--such as signals interception--as well as time-worn methods, such as social engineering and forgery, in order to illegally obtain and operate vehicles. Car manufacturers must ensure that new features do not become new opportunities for attackers by implementing security and by tracking chatter amongst hackers.
Written by Adi Bleih, Threat Intelligence Researcher, CyberSixgill