The Technology to Steal Cars
By Josh Cahill
Countering the dogged determination and operational expertise of law enforcement is a full-time job for criminals. As police departments and other agencies work overtime to make the lives of car thieves harder and harder, criminals are forced to find new ways to make a score. Recently, NICB released two intelligence reports that detail technology that thieves may be pursuing: the Flipper Zero and radio-frequency identification (RFID) cloning kiosks.
The Flipper Zero Device
While none of the technology housed within the Flipper Zero is new exactly, it does combine multiple functions into one unassuming, handheld device. As detailed in the NICB report, with the ability to read, record, and manipulate over the air signals such as radio frequency (RF), near-field communication (NFC), infrared, and the previously mentioned RFID, the potential criminal uses for the Flipper Zero are concerning. Conceptually, the device could not only obtain valuable personal information from NFC signals, such as a person’s banking information, it could also be used to initiate vehicle theft.
A Flipper Zero user may be able to intercept, record, and possibly mimic the signal of a vehicle’s key fob. If intercepted, the signal could be used by the device to open and start a vehicle. Perhaps an even scarier possibility is the use of the Flipper Zero to record and emulate a garage door signal. This would not only give a thief access to a person’s vehicle, but also their home.
Though the Flipper Zero is not illegal to possess, Amazon has removed it from their marketplace due to security concerns. While it is available through the company that makes the device and on other online stores, the ban enacted by Amazon could mean other marketplaces may take similar steps.
Manufacturers have taken steps to help safeguard vehicles from the type of hacking attacks the Flipper Zero is capable of. Currently, the possible threats posed by the device appear to apply to older model year vehicles, for the most part, that use fixed numeric codes for their fobs. A fixed code is a numeric code that doesn’t change whereas newer vehicles employ rolling codes. Rolling codes change the numeric code transmitted from a key fob with each use. Presently, rolling codes limit the use of devices like the Flipper Zero, as a user of the device would likely have to account for too many variables to successfully scan and use a code, but with technology advancing faster than ever, this might not be the case for long.
RFID Cloning Kiosks
The other NICB report released in 2023 concerns kiosks with the ability to copy/clone the RFID signals of key fobs and key cards. RFID uses radio frequencies wirelessly to initiate an interaction between an RFID tag and a receiving device. This interaction is usually done within a limited distance and is most widely utilized by organizations and entities to control access to their facilities. Kiosks that replicate the RFID signals of key fobs and key cards physically scan a fob or card and produce a new one. Some kiosks can create a new key or fob within a 15-minute window, but some can take anywhere between 3 to 5 days or more to make and send via mail delivery. Additionally, some kiosks have the ability to house RFID scans for future use and make these scans available to share with others via a propriety application.
RFID scanning technology is not illegal, but as these kiosks start to appear more often in retail stores, gas stations, and grocery or convenience stores across the country, it is possible that individuals may abuse their services in pursuit of criminal activities. Criminals could potentially use these kiosks to copy key fobs that were stolen from vehicle owners or taken from a rental in order to steal a targeted vehicle at a later date. The key cards of private businesses or government agencies may be copied to access sensitive items and information. Furthermore, some kiosks allow for users to create RFID copies in various shapes and sizes, including stickers. These stickers could then possibly be affixed on a cell phone or other item to conceal it while in use.
Other Device Threats
NICB is also aware of two other devices that may be used by criminals to steal vehicles: Apple AirTags and key programming devices meant for use by automotive industry professionals.
Apple AirTags are intended to give users the ability to track various items that may go missing, such as a set of keys or a mobile phone. However, there is some concern that this technology may allow car thieves to track a vehicle they are targeting for theft. A possible scenario is that a thief places an AirTag on a vehicle in a public parking lot or even at a dealership. They then track that vehicle via an app on their phone to a location that is more advantageous for theft, such as a vehicle owner’s home.
Key programming devices present possible logistical issues for criminals, such as the cost of the devices and the ability to obtain one without arousing suspicion, but once acquired, these devices are powerful tools. Intended for use by locksmiths, dealership employees, and others in the automotive industry, these devices can house the data necessary to create new keys for vehicles. Criminals using these devices have been known to target dealerships in order to take newer, more in-demand vehicles off the lot after business hours.
While these potential threats may seem alarming, NICB and our partners in law enforcement and various government agencies are not only aware of their existence but are working together on ways to counter their use. NICB will continue to use its position as the industry leader in the fight against fraud in order to keep our stakeholders and the public aware of new schemes. Only together can we stop emerging vehicle crime before it starts.