A Lesson in Security

A few days ago, my truck was broken into. Fortunately, nothing was stolen. I don’t leave anything in my vehicle for this very reason, and unfortunately, this wasn’t my first experience with someone breaking into my vehicle. With nothing visible, what motive could someone have to break into my truck? It seemed to me like a high-risk/low-reward opportunity. After discussing the incident with the detective, I was wrong. It was not high risk.

Ford has built an inherently insecure vehicle. Or maybe, to be fair, attackers have discovered flaws and can now quickly and easily exploit them. Ford may have improved on the design features in later models. I just dont know, and if anyone from Ford would like to discuss it, please contact me. However, it does not appear to be the case. A 2019 F150 was stolen with ease right out of an owner’s driveway. The entire incident takes less than 30 seconds. Hardware vulnerabilities are difficult to fix, especially in a vehicle. It would require a mass recall, so it seems in the best interest of the car manufacturer to just leave it because it is not a life safety issue.

The culprits were professionals. They were able to disconnect the horn and then pry open the door handle in a way that allowed them to rotate the lock. This forced the lock from the mount and destroyed the entire locking mechanism, giving them full access to the vehicle. And with the horn disconnected, they were able to remain undetected (they subverted the intrusion detection and prevention systems). There was no visible damage to the steering column, indicating they were not looking to steal the vehicle, and nothing was taken. There was evidence that they looked through the glove compartment, other storage areas, and under the seats. So what were they looking for? What was the motive for them to break in? They were looking for firearms.

In many ways, I am sure the people who did this took a lot of the same steps that we take when conducting a penetration test. Information gathering, OSINT, enumeration, evasion, and then in this instance, a physical break-in. I have to admit I was impressed by the ingenuity of the attack and baffled that Ford had designed something with such poor security. Then again, I know I shouldn’t be surprised; unfortunately, a lot of hardware is inherently vulnerable. And there are no updates to download to “patch the system.”

In the end, this served as a great life lesson for me to share with my son, who is just starting his journey in cyber. We discussed the similarities between how these attackers could get into my truck and how someone might use the same techniques to break into a computer system. I doubt the people who did this will ever be caught, but I guess that is just the game we play.