Land Rover recalls 65,000 cars because of software bug that could lead to theft [Updated]

BBC News is reporting that more than 65,000 Range Rover and Range Rover Sport cars are being recalled because of a software bug in their central locking system that can allow thieves to steal vehicles.

Range Rover car

The flaw is said to exist in Range Rover and Range Rover Sport vehicles sold in the last two years, according to the BBC report.

The recall follows reports last year that car thieves were targeting some models of Range Rovers and BMW X5s because they found it easy to unlock the vehicles. Adverts have been placed in newspapers informing owners about the recall.

It is believed that a handheld "black box" was being used by some gangs to unlock and start cars that had keyless ignition systems.

Some newspapers reported that insurers were unwilling to extend cover to Range Rover owners unless they could park in secure, off-street car parks. Other insurance firms insisted on the use of tracking systems that could help find a car if it was stolen.

Pat yourself on the back if stories of thieves breaking wirelessly into luxury cars rings a bell with you. This is far from the first time that the problem has been reported.

Back in February, for instance, I described how researchers discovered it was possible for hackers to open the doors of 2.2 million BMW, Mini and Rolls Royce cars, after a security hole was found in the vehicles' "ConnectedDrive" technology.

In that example, it was shown that a fake cellphone base station could be created that would intercept the car's network traffic when searching for an internet update, and use that data to send malicious commands to the car telling it to lower its windows or unlock its doors.

In other words, the way BMW had implemented internet updates for its cars had itself introduced a serious security vulnerability. D'oh!

And in 2013, Volkswagen found itself in controversy after it silenced a talk by security researcher and computer science university lecturer Flavio Garcia when he attempted to present his findings into defeating vehicle security.

From the sound of things, Land Rover cannot update the tens of thousands of vulnerable Range Rover vehicles over the net, and so owners will have to take them into dealerships instead. Although many owners will find that a nuisance, it's probably for the best security-wise.

Senator's reportThe problems introduced by greater technology being built into motor cars isn't going away.

Earlier this year, Massachusetts Senator Ed Markey released a report entitled "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk", in which he quizzed 16 major automobile manufacturers (including Jaguar Land Rover) about what they were doing to better protect the safety and privacy of drivers.

As Senator Markey summed up, "you no longer do you need a crowbar in order to break into a car, now you can do it with an iPad."

Stay safe folks. And if you're lucky enough to own a luxury car, maybe try to find somewhere you can park it securely.

Update (16 July 2015):

In a service bulletin - dated June 16 2015 - about the safety recall, the defect is described as follows:

A concern has been identified on 2014-2016 model year Range Rover Sport (L494) and 2013-2016 model year Range Rover (L405) vehicles where customers have reported the door is unlatched when in the closed position and no indication provided of an unlatched condition. Some customers have reported that one door has opened while the vehicle was in motion.

Land Rover has said that its recall is not related to the spate of car thefts involving abuse of keyless ignition systems found on luxury cars.

Thanks to @sharkcmiller for providing a link to the service bulletin.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

One Response

  1. Spennick

    July 14, 2015 at 4:51 pm #

    BMW has convinced me that internet updates for cars is a bad idea. Some things are better left uncomplicated. Here's my prescription for vehicle security:

    1. Leave nothing valuable in your car, or keep valuables out of sight. Give the crooks as little reason as possible to break in.
    2. Use a steering wheel lock. (I use The Club® because it's made by its inventor.) An experienced thief won't waste time trying to break into a car he knows he can't steal.

    You might include "Install a car alarm" on the list if your exposure is such that its deterrent effect is useful. In my case, it's not.

    Disclosure: I have no connection to any steering wheel lock manufacturer.

Leave a Reply