Vehicle-sharing services like Zipcar are popping up all over the U.S. They can certainly be cost-effective and definitely convenient. But as our Ana Garcia found out, the service is also very attractive to criminals.
In the past year, car-hacking has been a huge story. In one case, hackers even got into a car's computer system, killing the vehicle's transmission.
But today we're looking into a different kind of car-hack. One that's after your identity.
Zipcars are changing the way we rent cars. Reserve by the hour, skip the rental office and go directly to cars parked on the street in designated spots in nearly every major city around the country.
It unlocks with a Zip access card embedded with a radio chip that connects to a transponder on the windshield of Zipcars.
Click -- you're in! The keys are inside.
The company's motto is "Wheels When You Want Them," a slogan which has apparently inspired some car thieves.
In New York, 20 luxury cars were stolen; in San Francisco, almost a parking lot full: 76 Zipcars swiped in just six weeks.
Cops say they suspect many of the San Francisco cars may have been stolen by one Zipcar thief with two identities: Ray Charles Dipo, who also goes by the name "Nicole." After Dipo was arrested, cops say Zipcars stopped disappearing.
All these Zipcar thefts got us thinking: How easy is it to hack and clone these access cards?
So we turned to a security expert who specializes in the technology Zipcar uses: RFID, which stands for radio-frequency identification.
"We make badge-holders for the executive office of the president, the U.S. Senate, FBI, DHS, on and on and on. You name the abbreviation and we make badge-holders for them," said Walt Augustinowicz, who owns Identity Stronghold. He likes to break into things to figure out how to make them safer.
Today, he's testing Zipcar's wireless access system for Crime Watch Daily.
"It's really simple to clone," said Augustinowicz.
In all fairness to Zipcar, most companies that use cards with RFID are vulnerable, says Augustinowicz.
"Unfortunately a lot of the cards you use to check in at hotels, we can copy as well," said Augustinowicz.
Walt Augustinowicz says that the radio chip that makes Zipcars a zip to use also makes them a zip to steal.
"It's not encrypted and responds to any reader," said Augustinowicz.
Crime Watch Daily rented a Zipcar in Hollywood in the shadow of the iconic sign, and challenged Augustinowicz to hack our Zipcar.
Security expert Mike Mazza, a former New York cop, is our "victim." We don't tell him when or how we're going to do it.
Walt Augustinowicz walks by him and passes his briefcase close to Mazza's wallet in his back pocket -- the account's been stolen, and Mazza doesn't have a clue.
"I had no idea that I just was robbed," said Mazza.
Walt Augustinowicz is now around the corner on his laptop using the data he just ripped off, where he quickly makes a clone of the card.
"With this device here I can wirelessly transfer that same card number right to this blank card, and then I have a duplicate," said Augustinowicz.
And it works on the Zipcar.
"I've completely copied it," said Augustinowicz. "The system knows no difference between this and the original at this point. I could make 20 of them if I wanted to."
Wait until you see what's in Augustinowicz's briefcase. You're probably thinking it's something really high-tech. Wrong. All the items Walt Augustinowicz used today are common items available just about anywhere. And the other stuff was free.
The software to be able to clone cards is free on the Internet?
"Absolutely," said Augustinowicz.
"If you go shopping, you leave your stuff in the car, and you go to another store -- boom, they're in, they're out," said Mike Mazza.
Zipcar has not commented about the rash of car thefts, saying they are still under investigation.
As for our notorious Zipcar thief, Ray Charles Dipo, police say they found numerous access cards in her apartment. She made a plea deal and will be spending the next five years behind bars.
"As a matter of policy, Zipcar does not comment on the details of its security measures. Access to our vehicles is only allowed for valid members. Any other method of entry is prohibited by law," the company said in a statement.