VIN lookup sites - anything fishy?


gr1nch

Apologies for the long post up front. I tend to do them from time to time. This whole area of preventing bad things happening to my car (and my family by extension) has got me very interested.

Having obtained my new car's VIN before picking it up, I was curious about looking it up for fun and to check what Mercedes say it was built with. A quick search on the forums and interwebz shows an extraordinary proportion are Russian language (or looking like English language, but a small detail or two shows it really is Russian language underneath). There appears to be at least one official USA site though. Anyone know why so many are Russian language?

Odd that there are no German or English websites doing this. If these VIN lookup sites are doing Benz fans a favour purely, despite perhaps not with MB's permission, then ok. But what if some of them have a more sinister motive behind them? Or are themselves hacked. There is a lot of juicy info that owners are handing over with our VIN lookups.

For example, perhaps (and I must admit I'm letting my imagination go for a gallop here!) the official 3rd party access is limited to just lookups and not browsing all VINs. So these sites have a ton of VINs being uploaded. With every VIN uploaded by a user the user's IP address is recorded. *All* website servers do this, all the time, into their logs. It's normal and accepted. How that is then used is totally outside of the user's control. The majority of the lookups will be done from home or work, so the majority of IPs will represent the places the lookup was done from. A single reverse lookup and traceroute promptly done will geolocate certainly the country, possibly the general area and in certain cases down to a town or neighbourhood, depending on the sophistication of the bad actor/software.

Then the bad guys can create a darkweb marketplace like AutoTrader, where these "VIN / location" are effectively car ads with nice stock photos, for which other bad guys can buy the details, add it to their personal list of cars to lookout for and nick.

It would be trivial to set up, I'd be shocked if it's not done yet. Coupled with vulnerabilities of not fully secure wireless and electronic networks in cars, this would make these targeted, fast thefts that we are seeing in the news and on forums, more explainable. The methods employed to crack cars are sophisticated and many. I'm sure the police have collared a bunch of these crooks with their gear, but are, understandably, shy of sharing the details of this kit. It ranges from hobbyist efforts with Raspberry Pis and Arduinos to full-on black box, slick, professional kit. I was shocked to see a normal looking smart car key online that was able to do the rolljam attack (jam owner's signal, save code, jam 2nd signal, save code, open/lock car for owner with 1st code, use 2nd saved code later to get in or steal the car).

I digress in this post, sorry about that, but it's a big subject!

For me I'll certainly be disabling my keys (and look for a similar option on the car itself) when outside the home. When inside I'm not so sure, as it's the oft-commented option that with determined crooks: "get car stolen, with or without breaking into your home for the keys - your choice".

Let's go back to the good old days 100 years ago when cars didn't have keys and they were so rare that a thief would be instantly spotted by the townsfolk! Trouble is they could only chase after them on horses
 
As an example of people not noticing crimes, I had the Police knock on my door the other day to ask if I'd seen or heard anything; the house across the road had their front door kicked-in about an hour before.

The only thing I'd noticed was someone turning up with plywood to board the door up.

Back on topic; yes I do worry a little about freely giving some random website my VIN. - I don't think my car is valuable enough to warrant concern about theft though.
 
A reverse look up of your IP address may find the city or town you live in; one site I looked at said it had 50 to 80% accuracy at that level. So they may know I live in West London - although a previous ISP had a batch of American IP addresses it used, and people thought I was in San Diego! So your potential thief now only has to scour a city or part of a county to find your car - easy!

Wouldn't it be easier for these people to hack into a dealer's system, and get the owners names and addresses? Or could they just walk round a car park and read the visible VINs on the cars parked there? Or do you cover your VIN every time you park the car?

Unless you feel it's necessary to walk round in a tin foil hat, I think you're probably worrying too much.
 
The Mercedes ones use EPC for their data and I doubt it is a licensed and paid for version. Even if it was a legit version, not sure about the rights to use it in this way. So, put it on a Russian server which may be safer for the hosts.

They do have a lot of traffic though and I can see your point
 
The Mercedes EPC site can be accessed via a very low subscription circa 20 euros per annum. This is the only fully reliable service outside the dealer network. Those who have factory Xentry can also access Vedoc which is live and accurate. EPC can be a few weeks out of date as changes take a while to get uploaded to it.

If you look through EPC net you can see a number of parts that are designated as 'theft relevant'. This means you cannot just walk into a dealer and order that part without proof of ownership of that car/VIN. This includes keys unsurprisingly.
 
The Mercedes EPC site can be accessed via a very low subscription circa 20 euros per annum. This is the only fully reliable service outside the dealer network.

But, but, but.....that means if there is ever another world war with Germany (& based on history & Brexit this is an absolute statistical certainty) then the Germans will have all that info!
 
The Mercedes EPC site can be accessed via a very low subscription circa 20 euros per annum. This is the only fully reliable service outside the dealer network. Those who have factory Xentry can also access Vedoc which is live and accurate. EPC can be a few weeks out of date as changes take a while to get uploaded to it.

If you look through EPC net you can see a number of parts that are designated as 'theft relevant'. This means you cannot just walk into a dealer and order that part without proof of ownership of that car/VIN. This includes keys unsurprisingly.

Newbie question here - do you need to be a business to get the Mercedes EPC subscription, or can anybody join?

Also what's the URL for the subscription site?
 
A reverse look up of your IP address may find the city or town you live in; one site I looked at said it had 50 to 80% accuracy at that level. So they may know I live in West London - although a previous ISP had a batch of American IP addresses it used, and people thought I was in San Diego! So your potential thief now only has to scour a city or part of a county to find your car - easy!

Wouldn't it be easier for these people to hack into a dealer's system, and get the owners names and addresses? Or could they just walk round a car park and read the visible VINs on the cars parked there? Or do you cover your VIN every time you park the car?

Unless you feel it's necessary to walk round in a tin foil hat, I think you're probably worrying too much.

I agree on the IP lookup accuracy, but less populated regions may be easier, especially if consulting known IP/location databases.

Good point, if it's possible, I'll cover up the VIN in the window permanently, not every time I want to park the car. What good does it do the owner, being displayed? If the police use it, say, after an accident I'll either be in the car (dead or alive) or if it's stolen, they'll have access to the engine bay.

What have you got against tin foil hats? In the right light, mine looks very good!

It certainly looks like private individuals can subscribe too;

Daimler AG - Service & Parts net
Thanks for the site. It costs a few quid, but at least it's official and it does say on there: "The Electronic Parts Catalog for Mercedes-Benz and smart (EPC) is also available to private individuals.". So for a few EUR a year, looks worth it when I'm needing parts, at any rate.
 
I really don't understand why people are so sensitive about their VIN. It's visible on the windscreen by any passer by when you park up.

The bigger issue in my mind is the other unique serial number on the front and back of my car, in BIG CAPITAL LETTERS, visible at considerable distance, by every CCTV camera I drive past, by every motorist and pedestrian I pass.

Yes, the registration plate which can easily be cloned, used to run up congestion charge fines or to commit organised crime.

But do I stay up and worry about this? No. I just drive my car and enjoy it. Life is way too short.
 
if it's possible, I'll cover up the VIN in the window permanently, not every time I want to park the car. What good does it do the owner, being displayed?

You'd better remove your reg plates every time you leave your vehicle too.:doh:

There is an MB website that gives the Vin# from the reg plate:D
 
Haha, well if that's true, and googling found me a USA site that does that, well, I certainly won't bother covering it up!
 
If you are concerned that your IP Address is giving away your location, take a look at your details on an IP Address look-up site - just Google 'what is my IP Address?'. When I do that it tells me that I'm 25 miles away from where I really am. Also, if you don't have a fixed IP Address from your ISP, just restarting the router will allocate you to a different IP Address.
 
If you are concerned that your IP Address is giving away your location, take a look at your details on an IP Address look-up site - just Google 'what is my IP Address?'. When I do that it tells me that I'm 25 miles away from where I really am. Also, if you don't have a fixed IP Address from your ISP, just restarting the router will allocate you to a different IP Address.
Looks like mine is accurate to ~1/2 mile. - It's not on my house, but it's not far off.
 
The secret is not to have anything worth stealing or at least not as worth stealing as the guy next door! Doesn't always follow of course as there was a London operation a few years back that used to specialise in nicking old W124s. They were stripped for parts which ended up in Africa IIRC. :eek:
 
I suppose it must vary according to which ISP you use. If I do an online check of my IP address what comes back is the IP address and location of my Internet Service Provider which is nowhere near my location. It's also nothing like the IP address of my computer. If you want to check do the internet search and that will give your public IP address. Then open a command prompt by typing CMD. In the command prompt window type ipconfig and that will give you one or more IP addresses of the network devices in your computer.
 
