German and Polish police agencies announced Wednesday they had dismantled a Polish criminal network accused of stealing dozens of cars by breaching the keyless systems used to start the vehicles.
The alleged thieves had racked up at least 34 vehicles worth $1.6 million by the time investigators raided their properties in Poland last week, according to Europol, the European Union’s law enforcement agency. The alleged Polish criminal network appears to be reeling. Seven of its suspected members were arrested last year, and two more in recent months, Europol said.
It is unclear exactly how the hacking went down; Europol would only say that the suspects used “technical equipment” to crack the “Keyless Go” systems that allow a driver to unlock and start a car electronically. A Europol spokesperson did not immediately respond to a request for comment.
“This is a known issue that has kept car companies up at night for quite some time,” said Charles Henderson, a global managing partner and head of IBM X-Force Red who has done security penetration tests on cars. Smaller criminal groups, rather than big syndicates, tend to focus on car hacking because it doesn’t require a lot of people and the payout is still good, according to Henderson.
The raid in Poland is the latest evidence of how digitally connected cars open up new pathways for theft. Security researchers have in the last five years drawn attention to those gaps so manufacturers can close them.
In February, McAfee researchers demonstrated how the camera system that Tesla cars previously used for autonomous driving could be tricked into speeding to 85 miles per hour when the speed limit was 35. The issue was fixed in a more recent version of the camera system.
There are other entry points for attackers that car manufacturers have to keep in mind. In 2015, security researchers Charlie Miller and Chris Valasek showed how to remotely take over the steering and braking of a Jeep. Chrysler responded by recalling 1.4 million vehicles affected by the software vulnerability.
Car makers are now more attuned to the risk and have gradually embraced independent researchers who are trying to improve automotive security. After Fiat-Chrysler became the first major car manufacturer to set up a bug bounty program in 2016, others followed suit.
Regardless of those security improvements, the incentive for thieves to continually target digitally connected cars means that there could be more police raids like the one last week in Poland. In seizing the Polish gang’s assets, German and Polish police found “several thousand car parts,” Europol said. Business was humming.