How Cybercriminals Use Vehicle Identification Numbers (VINs) to Hack Cars

Oscar Collins
Editor-in-Chief   Modded

During the COVID-19 pandemic, cyber theft increased dramatically. Cybercriminals use malware and ransomware attacks to exploit vulnerable people on the internet. These thieves have become more intelligent and can go past computers and cell phones by taking advantage of people’s cars through the Vehicle Identification Number (VIN). So, how are these cybercriminals using VINs to attack cars?

Why Do Cars Have VINs?

All modern vehicles have a VIN, whether a car, truck, or trailer. This 17-digit number gives every machine an identity, making it easily traceable. Manufacturers started assigning VINs in 1980 under the guidelines of the National Highway Traffic Safety Administration (NHTSA). Before that, automakers set identifying numbers dating back to 1954, typically labeling the number on the engine or body.

Manufacturers had their own ways of creating VINs, so in 1978, the NHTSA standardized the practice for all automakers. By 1987, the Department of Transportation created the Motor Vehicle Theft Prevention Standard. This rule required automakers to put the VIN on the hood, fenders, and engine if the car was vulnerable to theft. Most vehicles today have their VIN on the dashboard in front of the steering wheel.

VINs are essential for car owners because they streamline many vital processes. Manufacturer recalls are an excellent example. Once in a while, an automaker has to recall a set of vehicles because of a faulty part. Car owners can use the recall tool from the NHTSA to see if their vehicle falls under the umbrella. Potential buyers can also see the individual car’s history to see if it’s been in an accident or if someone has stolen it.

How Are Thieves Using VINs to Hack Cars?

A VIN is crucial for car owners, but it can be a liability if it ends up in the wrong hands. This identifier tells a criminal what plant assembled the car, the manufacturer’s security code, the serial number and more. Cybercriminals have become savvier with their hacking and can use the VIN to access a vehicle, even if they’re thousands of miles away.

In November 2022, a researcher showed vulnerabilities in cars from Hyundai, Nissan, Honda and other vehicles. Sam Curry — a bug bounty hunter — used the Hyundai app to infiltrate cars remotely and only needed the owner’s email address. Curry manipulated vulnerabilities in the app, circumvented authorization checks and unlocked another person’s vehicle, thus giving him a complete takeover of the account.

Curry also found problems with Nissan and Honda vehicles by knowing the VIN. He discovered cybercriminals with a VIN could send commands to cars from those manufacturers and unlock the car, honk the horn, and flash the headlights. At worst, Curry found he could start and stop the car remotely because these vehicles have a push-to-start function. Curry found his way in using cars with a SiriusXM feature in its telematics platform.

What Is VIN Cloning?

Another concern for car owners is VIN cloning. As the name suggests, this practice entails taking a VIN from one vehicle and cloning it for another car. Thieves will use the VIN from legally registered vehicles for a stolen car, thus hiding the illegitimacy.

The criminals often use the cloned car and sell it quickly without a way to trace it back to them. So, if law enforcement ever finds out, they’ll question the person who bought the car and the buyer will have to prove they weren’t part of the crime, thus costing them time and money with legal fees.

How Can Car Owners Protect Their VIN and Their Car?

VINs are essential information for car owners and can be helpful. However, they become a liability if they end up in the wrong hands. A compromised VIN is almost as bad as a criminal stealing their car because police could question the rightful owner despite no involvement. These three ways show how owners can protect their vehicles.

1. Covering the VIN

Most cars have the VIN around the dashboard and on other parts, so it’s easy for the driver to see when they need it. Unfortunately, it’s also easy for thieves to spot. One effective way drivers protect themselves is to hide it from people walking by. Paper items like a map can block the view from anyone looking in the window. Attempting to cover the VIN permanently is illegal, so car owners should be wary of the laws.

2. Telling Trusted Associates

VINs are sensitive information and car owners should treat them like social security numbers. People shouldn’t give out their VIN unless they deal with a trusted associate like a family member or friend. Exceptions apply if, for example, they’re trying to sell their vehicle. The VIN is crucial for proving the car’s history.

3. Buying From Reputable Sources

VIN cloning is challenging, but cybercriminals nowadays are smart enough to accomplish it. People wanting a car should buy only from reputable sources, such as a dealership. Online marketplaces may have tempting offers on used cars, but if the deals seem too good to be true, they likely are. VIN cloning is one possibility.

Cybersecurity With Vehicles

The idea of remotely hacking into cars seems like the plot of an action movie; however, with today’s technology, it’s a reality. Cybercriminals have found ways to use a VIN to turn a car on and off, honk the horn and flash the lights.

These thieves get smarter yearly, so people can only imagine what’s next. VINs are essential for selling cars and manufacturer recalls, but car owners should be careful with their numbers.


Oscar Collins

Tags: , ,