Roll Jamming / Replays and Tales from the Crypt
This year has been a hectic one at bits&digits. We have been through a test of spirit like no other, from near-death experiences to a complete, full-on assault against our institution and my person. That said, this is what I, J. Tate, signed up for when I chose this career path. Fixing problems, hacking things, spinning alchemy for those who don’t live in this fray is the path I chose.
Having spent my life in this corner of reality, it’s actually a very enjoyable lifestyle. The occasional bumps and bruises (both physical and emotional) are simply part of the job. I love it, personally. Call me crazy, but my chaos is spiritual for me. This is not the life for everyone. It takes a certain blend of batshit crazy and sheepdog spirit to actually enjoy this lifestyle. There are far more people out to hustle unsuspecting people than there are people protecting against them.
Which is how my day started today.
My brother reached out to me this morning in somewhat of a down mood, which sent my senses for a loop. He is the sun to my moon when it comes to cheer and appreciation for life as it is. There’s not a situation I have seen him encounter that couldn’t be perspectively spun into an abundance of positivity. On my not so centered days, this Prozacian approach to happiness is aggravating to me. (Which is why it shook me to hear the news come across my @Wire feed from him.)
In summary, minus my expletives and his somber, positive-outlook-laden messages, our Germany office car was stolen. To be perfectly honest, when he told me the news, I didn’t flinch. I actually laughed, because I couldn’t believe the irony of it compared to my initial thought: “two-bit German thieves” had the audacity to steal a car from us. In my mind, the sophomoric bunch had lucked up on a whole heap of problems that they had not anticipated. I mean really, Universal Law does dictate that if you live by a path, the path will most certainly inject itself into your life from time to time. So having a bits&digits car stolen was shocking, but also laden with a bit of comical irony.
After ensuring that all was OK and that my business partner and the loved ones with him at the time were OK, the Alchemist decided to reveal himself. (My alter ego, one of many.) I immediately had a barrage of questions:
- When did the incident take place?
- Who did he think did it?
- Where did the theft occur?
- What artifacts were in the car?
- And, keeping a tight control on my inner paranoia, why might someone have targeted the car?
- The most important to me of the 5W line of questioning was the HOW.
How did a 2017 Q7 get stolen 5 hours ago and remain unrecovered as of yet? My mind raced back and forth about the various methods of exploitation leveraged to steal the car. I had to sit back with my brother and go over some particulars.
I needed to make sure. Did he have both of his FOBs for the vehicle?
Yes, he did.
Did he hear the alarm go off?
No, he didn’t.
Then, across my @Wire feed, a barrage of photos started pumping down my message board.
One after another, these photos told a completely different story than the one I was painting in my head of how this group operated. (I assume a group because of the remote location of our satellite office relative to any easily accessed location; you need a drop-off buddy. In my day, it was typically a team of three that I would read about doing high-profile car intercepts. You could almost match the type of car stolen most often to whichever was hottest in hip hop songs at the time.) But when I took a gander at the photos he sent, I was in shock. Naturally, if you put on your hacker lens, you will see why I was baffled as well.
“So, you still have access to the vehicle?” I asked, completely perplexed, because in my mind, if we can still touch the vehicle remotely, then the car isn’t “stolen.” These matters are in my wheelhouse and still on my playground. “This is going to be simple,” I thought. “If I can access the status of the vehicle, that means the vehicle is still reporting to Audi and allowing access to the app.”
Easy Peasy, right?
Not only do we have access to the portal, it shows there is a communication line between me, the thieves, and Audi. And it seems we have an indication of what may have happened. From the looks of things, an hour ago a foreign FOB triggered an event that spun off the Key Identifier. Notice the instrument cluster warning message. This is funky, but I’ll explain later. We also have an idea of the method of entry, or the entry location, of the car thieves. (Notice I’m being very careful about how I describe them. This may all be a test of the emergency broadcast system — American PBS joke attempt.) It seems they tripped one of the 13 different sensor contacts in the passenger-side doors.
Smart, very smart.
(For the Hollywood addicts who are probably saying, “Why not just cut down on time, jump in the driver’s seat, and just drive off?” It’s not that simple, or that easy for that matter.)
This was, and is, by far the most interesting photo he sent me. So, a device, a solution, or an exploitation kit somehow signalled that the original car FOB either 1) was no longer in the car, or 2) that the detection (or feature) was interrupted, causing the car to alert that something was introducing itself to the vehicle. (More on this later.)
After I received these images, you can only imagine how much time it took me to yell (if you can do that via secure messenger, lol) for the credentials and let me do my thang. My thing had no definition by way of sequence or rhythm. But I did want to get into the control app and see what mechanisms were in place to tell me whether there would be a point of isolation for Audi to either collect data and provide it to local law enforcement, or to whomever I needed that data to go to for what we call triage: collecting and fusing important points of data for the proper intelligence distillation.
So, here is what I had:
- Access to a portal that had access to the stolen vehicle.
- Indication that the portal and app connected to the vehicle only 1 hour ago.
- The GPS monitor (transceiver) was no longer transmitting to the GPS receiver through traditional means. But wait! There will be more.
- The method of entry to the vehicle and perhaps an IOC (indicator of compromise) on how the criminals surgically took out the components of the transponder.
But what we don’t have is the answer to the quarter-million-Litecoin question: how on earth did whatever flavor of roll jam or SDR super kit they used defeat a 2017 Q7 immobilizer? I mean seriously. I’ve heard of a lot of things, but doing that takes some good skill (I mean meta-human level), an insider connection with the dealership the vehicle was purchased from, or, my favorite, a 0-day that has yet to be discovered.
The latter is what I suggested to my brother. “Bro, I’m going to do my research, get on the line with high people in low places, low people in high places, and talk some heat into the hole on this.”
After my first conversation with Audi, I knew this would be a good story for the masses to take.
Hope you enjoy it.
PS: I’ve already shown you the MacGyver way of rigging your car with a tracking device in case your kids borrow it or a thief simply forgets to return your car after a moral awakening. Hopefully, you won’t have to thank us later.