gr1nch
Active Member
- Joined
- Oct 15, 2016
- Messages
- 729
- Location
- Louth, Lincolnshire
- Car
- 2017 W222 S350d AMG Line Premium Plus : Iridium Silver and Black Nappa
Apologies for the long post up front. I tend to do them from time to time. This whole area of preventing bad things happen to my car (and my family by extension) has got me very interested.
I was curious having obtained my new car's VIN before picking it up of looking it up for fun and to check what Mercedes say it was built with. A quick search on the forums and interwebz shows an extraordinary proportion are Russian language (or looking like English language, but a small detail or two shows it really is Russian language underneath). There appears to be at least one official USA site though. Anyone know why so many Russian language?
Odd that there are no German or English websites doing this. If these VIN lookup sites are doing Benz fans a favour purely, despite perhaps not with MB's permission, then ok. But what if some of them have a more sinister motive behind them? Or are themselves hacked. There is a lot of juicy info that owners are handing over with our VIN lookups.
For example, perhaps (and I must admit I'm letting my imagination go for a gallop here!) the official 3rd party access is limited to just lookups and not browsing all VINs. So these sites have a ton of VINs being uploaded. With every VIN uploaded by a user the user's IP address is recorded. *All* website servers do this, all the time, into their logs. It's normal and accepted. How that is then used is totally outside of the user's control. The majority of the lookups will be done from home or work, so the majority of IPs will represent the places the lookup was done from. A single reverse lookup and traceroute promptly done will geolocate certainly the country, possibly the general area and in certain cases down to a town or neighbourhood, depending on the sophistication of the bad actor /software.
Then the bad guys can create a darkweb marketplace like AutoTrader, where these "VIN / location" are effectively car ads with nice stock photos, for which other bad guys can buy the details, add it to their personal list of cars to lookout for and nick.
It would be trivial to set up, I'd be shocked if it's not done yet. Coupled with vulnerabilities of not fully secure wireless and electronic networks in cars, this would make these targeted, fast thefts that we are seeing in the news and on forums, more explainable. The methods employed to crack cars are sophisticated and many. I'm sure the police have collared a bunch of these crooks with their gear, but are, understandably, shy of sharing the details of this kit. It ranges from hobbyist efforts with Raspberry Pi's and Arduinos to full-on black box, slick, professional kit. I was shocked to see a normal looking smart car key online that was able to do the rolljam attack (jam owners signal, save code, jam 2nd signal, Dave code, open/lock car for owner with 1st code, use 2nd saved code later to get in or steal the car).
I digress in this post, sorry about that, but it's a big subject!
For me I'll certainly be disabling my keys (and look for a similar option on the car itself) when outside the home. When inside I'm not so sure, as it's the oft-commented option that with determined crooks: "get car stolen, with or without breaking into your home for the keys - your choice".
Let's go back to the good old days 100 years ago when cars didn't have keys and they were so rare that a thief would be instantly spotted by the townsfolk! Trouble is they could only chase after them on horses
I was curious having obtained my new car's VIN before picking it up of looking it up for fun and to check what Mercedes say it was built with. A quick search on the forums and interwebz shows an extraordinary proportion are Russian language (or looking like English language, but a small detail or two shows it really is Russian language underneath). There appears to be at least one official USA site though. Anyone know why so many Russian language?
Odd that there are no German or English websites doing this. If these VIN lookup sites are doing Benz fans a favour purely, despite perhaps not with MB's permission, then ok. But what if some of them have a more sinister motive behind them? Or are themselves hacked. There is a lot of juicy info that owners are handing over with our VIN lookups.
For example, perhaps (and I must admit I'm letting my imagination go for a gallop here!) the official 3rd party access is limited to just lookups and not browsing all VINs. So these sites have a ton of VINs being uploaded. With every VIN uploaded by a user the user's IP address is recorded. *All* website servers do this, all the time, into their logs. It's normal and accepted. How that is then used is totally outside of the user's control. The majority of the lookups will be done from home or work, so the majority of IPs will represent the places the lookup was done from. A single reverse lookup and traceroute promptly done will geolocate certainly the country, possibly the general area and in certain cases down to a town or neighbourhood, depending on the sophistication of the bad actor /software.
Then the bad guys can create a darkweb marketplace like AutoTrader, where these "VIN / location" are effectively car ads with nice stock photos, for which other bad guys can buy the details, add it to their personal list of cars to lookout for and nick.
It would be trivial to set up, I'd be shocked if it's not done yet. Coupled with vulnerabilities of not fully secure wireless and electronic networks in cars, this would make these targeted, fast thefts that we are seeing in the news and on forums, more explainable. The methods employed to crack cars are sophisticated and many. I'm sure the police have collared a bunch of these crooks with their gear, but are, understandably, shy of sharing the details of this kit. It ranges from hobbyist efforts with Raspberry Pi's and Arduinos to full-on black box, slick, professional kit. I was shocked to see a normal looking smart car key online that was able to do the rolljam attack (jam owners signal, save code, jam 2nd signal, Dave code, open/lock car for owner with 1st code, use 2nd saved code later to get in or steal the car).
I digress in this post, sorry about that, but it's a big subject!
For me I'll certainly be disabling my keys (and look for a similar option on the car itself) when outside the home. When inside I'm not so sure, as it's the oft-commented option that with determined crooks: "get car stolen, with or without breaking into your home for the keys - your choice".
Let's go back to the good old days 100 years ago when cars didn't have keys and they were so rare that a thief would be instantly spotted by the townsfolk! Trouble is they could only chase after them on horses