Opsec fail: Baltimore teen car thieves paired phones with Jeep UConnect

On November 22, 2015, a group of teenagers broke into the house of a Baltimore man, stealing his bicycle and finding a spare key to his Jeep Renegade. They then took off, stealing the Jeep and taking it for a multiday joyride before abandoning it with an empty gas tank and some minor damage.

In Baltimore (as I can sadly say from personal experience), the story would usually end there with an insurance claim and a shrug. But the group of young men involved in the burglary and theft were all captured on a Nest camera as they rifled through drawers. And some of them left more potential digital evidence when they paired their phones over Bluetooth with the Jeep’s UConnect system.

One of the thieves was identified from a head shot from the camera footage a few weeks later by a school police officer and has already pleaded guilty in juvenile court. But the apprehended youth wouldn’t give police the identities of the others involved in the theft. Because he’s a juvenile, he’ll likely be released soon.

So the victim, a systems administrator known on Twitter by the handle @BaconIsFruit, turned to the Internet to help him track down the rest of the crew. “The insurance took care of me, so I don’t have much to gain other than satisfaction at this point,” he told Ars. BaconIsFruit posted images of the young burglars to Imgur in December, but he didn’t get any additional solid leads until this Tuesday—when he got his Jeep back from the repair shop. It was then that he noticed three new device names on the Jeep’s UConnect system paired device list.

<blockquote class=”twitter-tweet” data-lang=”en”><p lang=”en” dir=”ltr”><a href=”https://twitter.com/baconisfruit”>@baconisfruit</a&gt; gets stolen car back after 90d (in criminal possession for 10d)<br>3 paired BT phones. <a href=”https://twitter.com/hashtag/opsec?src=hash”>#opsec</a&gt; <a href=”https://t.co/j1QLgMaXm4″>pic.twitter.com/j1QLgMaXm4</a></p>&mdash; dre (@tacticalRCE) <a href=”https://twitter.com/tacticalRCE/status/697467605842530307″>February 10, 2016</a></blockquote>

Since he happens to work in IT at a Baltimore-based cyber-security firm, he showed a coworker the list—launching an open source intelligence gathering operation to identify more of the culprits. One of the phones’ names matched the name of an Instagram account belonging to a teen in South Baltimore who appears to match one of the individuals caught in the Nest footage. And that account’s contacts included another individual whose name matches one of the phones on the list.

<blockquote class=”twitter-tweet” data-lang=”en”><p lang=”en” dir=”ltr”>.<a href=”https://twitter.com/baconisfruit”>@baconisfruit</a>'s car gets stolen. Criminal geniuses pair their phones' Bluetooth. <a href=”https://twitter.com/hashtag/OPSECfail?src=hash”>#OPSECfail</a&gt; (OSINT <a href=”https://twitter.com/AmazinMojoStarz”>@AmazinMojoStarz</a&gt; <a href=”https://t.co/tAfzCL6aaz”>pic.twitter.com/tAfzCL6aaz</a></p>&mdash; the grugq (@thegrugq) <a href=”https://twitter.com/thegrugq/status/697772716632383491″>February 11, 2016</a></blockquote>

While all BaconIsFruit’s cybersecurity posse currently has to go on is the phone names, they’re looking at possible ways to pull more data about the phones from the UConnect system—though there’s concern about whether doing so would break the “chain of custody” needed for the data to be used as evidence by the police. But given that the two identified so far have suddenly gained a number of information security-oriented followers on social media, there may be more for them to worry about than an arrest.

BaconIsFruit says that the Baltimore City Police have contacted him about the Bluetooth pairing data and social media hunting, and that it has generated several leads in the case.


SOURCE: Sean Gallagher | Ars Technica


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s