As they both walked through a dimly lit parking garage, one of the pair of men peered at a black, laptop-sized device inside his messenger bag. Using buttons on its outer case, he flicked through various options on the device’s bright LED screen before landing on his choice.
With the device armed, the second man walked towards a bright white Jeep parked in the garage. He held his own piece of technology: a small box with an antenna jutting from the top. The man tried to open the car’s door, but it was locked. He pushed a button on the top of his handheld device, a light flickered, and instantly the car was open. He clambered into the driver’s seat, and pushed the button to start the vehicle.
To show the power of the device, the man switched off the box with the antenna and pushed the car’s button again. “Key Fob Not Detected,” the dashboard’s screen read, indicating that the man in the driver’s seat didn’t have the wireless key needed to start the vehicle. “Push Button with Key Fob to Start.”
Ignoring the message, the man turned on the device in his hand, and tried the car once again. Like magic, the engine started with a distinctive growl.
“EvanConnect,” one of the men in the video who goes by a pseudonym online, embodies a bridge between digital and physical crime. These devices he sells for thousands of dollars let other people break into and steal high end vehicles. He claims to have had clients in the U.S., UK, Australia, and a number of South American and European countries.
“Honestly I can tell you that I have not stolen a car with technology,” Evan told Motherboard. “It’s very easy to do but the way I see it: why would I get my hands dirty when I can make money just selling the tools to other people.”
The video doesn’t depict an actual robbery; Evan made the video using a friend’s Jeep to demonstrate the devices’ capabilities for Motherboard, and uploaded another version to his YouTube channel afterwards. And the devices are sometimes used by security researchers to probe the defenses of vehicles. But the threat of digitally-enabled grand theft auto is real.
Police departments around the world over the past few years have reported an increase in the number of vehicle robberies that they suspect were carried out with a variety of electronic tools. In a 2015 press release, the Toronto Police Service warned residents of a spike in the theft of Toyota and Lexus SUVs seemingly carried out with electronic devices. A 2017 video released by the West Midlands Police in the U.K. showed two men approach a Mercedes Benz parked in the owner’s driveway; similar to Evan’s video, one man stood next to the target vehicle with a handheld device, while another positioned a larger piece of tech near the home, hoping to pick up the signal emitting from the car keys stored inside. Police in Tampa, Florida said last year they were investigating a car burglary where the owner locked their vehicle and could have been due to electronic interference.
Not all car robberies with electronic devices are necessarily using the same technology. Some techniques rely on jamming the signal from the owner’s keyfob to the vehicle, so the owner believes they’ve locked their car when in reality it’s ripe for the criminal to open. Evan’s devices, instead, are known as “keyless repeaters” and carry out so-called relay attacks.
Longtime security researcher and hardware hacker Samy Kamkar reviewed Evan’s video and explained the apparent attack in an email. It starts with the car owner locking their vehicle and walking away with the key. One of the people trying to hijack the vehicle then walks up to it, holding one of the devices that listens for the particular low frequency the vehicle sends out to check if the key is nearby, and the device then retransmits it “at a higher frequency, such as 2.4Ghz or anything else that will easily travel much longer distances,” Kamkar wrote. The second device, held by the second hacker, takes that high frequency signal and replays it again at the original low frequency.
Do you know anything else about digital-meets-physical crime? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
The keyfob sees this low frequency, and goes through the normal challenge response it would as if it was physically next to the car.
“This happens back and forth a few times for the entire challenge/response between the key and the car, and the two devices are just relaying that communication over a longer distance,” Kamkar wrote.
Using these devices, the criminals create a bridge that stretches from the vehicle all the way to the key in the victim’s pocket, home, or office, tricking each into thinking they’re next to each other, allowing the criminals to open and start the car.
“I can’t validate that the video is legitimate but I can say that it is 100% reasonable (I’ve personally performed the same attack on more than a dozen vehicles with hardware I’ve built and very easy to demonstrate),” Kamkar said.
A photo of the devices sent by EvanConnect. Image: Motherboard
To verify they did possess the technology, Evan sent photos of the gear along with a printed-out message to prove they weren’t just images taken from someone else. Evan also showed Motherboard various pieces of the technology over a live video chat and provided other videos of the devices in action.
A spokesperson for Fiat Chrysler Automobiles, which manages the Jeep brand, acknowledged a request for comment but did not provide a statement.
Evan said their devices would work on all keyless entry cars except those using 22-40 khz frequencies, which include Mercedes, Audi, Porsche, Bentley and Rolls Royce vehicles manufactured after 2014, as that is when those manufacturers switched key systems to a more updated technology called FBS4. But Evan added he sells another model which switches between 125-134khz and an added 20-40khz which would allow attackers to open and start every keyless car as of this month. He sells the standard model for $9,000, and an upgraded version for $12,000, Evan said.
“That all sounds pretty reasonable with a simple implementation,” Kamkar said. “I’ve built some hardware that does this for about $30 (an enterprising person could make it cheaper if they unfortunately are intentionally producing these for sale) so no reason I would suspect this is incorrect.”
Indeed, keyless repeaters aren’t expensive to make. But people who want to use these devices may not have the tech knowledge to build their own, so instead buy ready-to-use-boxes from Evan.
“It’s worth the investment 100%,” Evan said. “Nobody truly sells devices cheap; the only way someone would get it cheap is if they’re familiar with RF [radio frequency] and how PKE [passive keyless entry] works.”
Evan said that he heard about people using the devices locally in his city and decided to research the technology. A year later, he found others who were interested, and started to form a team to build the devices.
“It’s very easy to do but the way I see it: why would I get my hands dirty when I can make money just selling the tools to other people.”
Because the devices themselves are not illegal in the U.S., Evan advertises his wares openly on social media. He said that he communicates with clients over the messaging app Telegram. Some of his videos include a disclaimer that the tool is for security research and shouldn’t be sought out for or used in criminal activity, but naturally some clients are probably going to be interested in using the devices maliciously. Typically Evan will receive full pre-payment, but will meet clients in person if the customer doesn’t want to pay a large amount of money up front or sell them a cheaper device first, he added.
He said he has a criminal record and will be serving jail time for something unrelated to these devices, but when it comes to tech, Evan described himself more as a hobbyist than some sort of hardened crook.
“This technology is truly a hobby to me and something that I’m not worried […] sharing knowledge to the world about,” he told Motherboard.
Subscribe to our cybersecurity podcast, CYBER.