Try plugging the Nokia 3310 into the car and the ending makes many people surprised: It’s a “legend”, anything can be done!

Holding Nokia 3310 in hand, the car starts up by itself

In the clip posted on Youtube, a man sitting in the driver’s seat of a Toyota repeatedly presses the button next to the steering wheel. The red light was flashing, it seemed he was unlucky that the engine wouldn’t start.

The driver does not have a key. To solve the problem, the man pulled out a tool that surprised everyone: a Nokia 3310 phone.

Man plugging phone into car with black cable. Then he flipped through several options on the 3310’s small LCD screen. “CONNECT. RECEIVE DATA”, the display shows.

Then he tried to start the car again. The light turns green, and the engine roars.

The less than 30-second clip shows a new type of auto theft spreading across the United States. Criminals use small devices, inside the casings of innocuous bluetooth speakers or cell phones, to connect to the vehicle’s control system.

This allows thieves with little technical experience to still steal cars without keys, sometimes in as little as 15 seconds or so. With such devices easily purchased online for several thousand dollars, the barrier to theft of high-end cars is greatly reduced.

“JBL Unlock + Start,” an ad for a device hidden inside a JBL-branded bluetooth speaker. “No key needed!” The ad says the device works on a wide range of Toyota and Lexus vehicles: “Our device has an interesting camouflage pattern.”

Ken Tindell, CTO of in-vehicle cybersecurity company Canis Labs, told Motherboard: “This device does all the work for thieves. All they have to do is get two wires from the device, remove the lights. phase and plug the power cord into the correct hole on the connector side of the vehicle”.

Talking about whether vehicle owners can protect themselves from this threat, the expert said that “consumers simply cannot do anything”.

Is the error in the Nokia 3310?

Earlier this month, Tindell published research with Ian Tabor, a friend in the automotive cybersecurity field, on the aforementioned stolen devices.

Tabor purchased a device for reverse engineering after car thieves apparently used it to steal his Toyota RAV4 last year.

After some digging, Tabor found devices for sale targeting Jeep, Maseratis and other car brands.

The video showing the man using a Nokia 3310 to start a Toyota is just one of many YouTube videos flaunting the theft technique.

Other videos show equipment used on Maserati, Land Cruiser and Lexus-branded vehicles. Many websites and Telegram channels advertise the technology for between $2,700 and $19,600.

One person offered a Nokia 3310 device for $3,800, calling it an “emergency starter” device for locksmiths.

According to research by Tindell and Tabor, the attack, known as CAN (area network controller), works by sending spoofed signals that look as if they’re coming from a car’s smart key.

The problem is that the locks on the vehicles accept rogue signals without verification. After the crooks get hold of the cables by removing the headlights, they can use the device to send a signal.

Despite selling for several thousand dollars, the device contains only $10 worth of components. These include one chip with CAN hardware and firmware and another that deals with CAN.

Tindell says that once you’ve mastered the recipe, creating each device should take just a few minutes: “It doesn’t take much effort: solder some wires, wrap everything in a lump of turpentine.”

Currently, the only fix is ​​to introduce cryptographic protections for CAN signals, which can be done via a software update.

Vice has contacted many automakers at risk of being hacked by the device, including BMW and Toyota. BMW did not respond, while Toyota said it was working with the parties to prevent the problem.