Members of a Tijuana motorcycle club have spent the last few years stealing 150 Jeep Wranglers in and around the San Diego, California, area. But it’s only just this week that federal and state authorities have shed light on the particularly high-tech methods the bikers used to thieve all those cars.
The thefts date back to 2014, and each one involved a multiple-step process. First, the bikers would scout for the Vehicle Identification Number (VIN) of Jeeps they wanted to steal. Then, they turned to a database maintained by the manufacturer.
It’s unclear how they gained access to the database, according to the San Diego Union Tribune, which mentions that a dealership in Cabo San Lucas “appears to be involved.” However they got it, though, it’s that access that made the thefts possible. Armed with a car’s VIN number, the thieves were able match both the pattern of the physical key as well as a code used to access (and program) the chip inside the key that talks to the car’s computer.
At this point, the thieves would return to each Jeep with a duplicate key in hand. Once the key was in the ignition, they were able to program the key’s chip using the code from the database in order to turn the Jeeps on.
The Jeeps were then brought back — whole, or in stripped parts — to Mexico to be sold. All told, $4.5 million worth of Jeep Wranglers were stolen by the group. Three of the nine members of the biker club who were indicted have been arrested, while the rest are still on the run in Mexico. Seven of the nine are US citizens.
The chips that automakers use in car keys have been the subject of a number of attacks in recent years. In 2015, researchers from Radboud University in the Netherlands and the University of Birmingham in the UK found that the “keyless entry” key fobs for certain cars made by Volkswagen, Fiat, Honda, Volvo, Porsche, and even Bentley were vulnerable to being hacked.