Q&A: Surveillance Operations

How do you start a car that you stole? I mean because you see it in movies but I’d like to understand what’s going on there. Also, how do you track a car on your own knowing the license of said car without going to the police, and in the case of a cellphone? Is it possible that, if someone inserted a GPS tracker in someone’s phone but this phone ends up severely broken (so the GPS doesn’t work), the tracker would be able to know where the GPS last worked?

So, a bunch of different questions, so let’s just take them all in a row.

Hotwiring a car refers to bypassing the key lock and starting the ignition by manually connecting the circuit using the pulled wires. This might have worked 40-50 years ago, however there are a couple of problems. Even on older cars, the ignition is better protected than most films would suggest, meaning getting access to that wiring is a lot more involved than just popping off the steering column’s shroud and pulling a couple of wires free. The second issue is that modern cars actually have ignition lockout systems. There are a wide variety of these, but the result is you can’t manually bypass the key to get at the ignition. In many cases, the ignition won’t even power up without the key present, meaning this entire approach to hotwiring is no longer valid.

On the other side of this, modern cars with keyless entry and ignition systems are vulnerable to wireless spoofing. With modern cars, the most common variant is “relay spoofing,” where a team of two will split up: one has a piece of hardware designed to pick up the signal from the wireless key fob, the other has a relay. The result will convince the car that its fob is in close proximity, and then unlock the car and allow it to start. Older cars (from the mid 2000s) are vulnerable to fob cloning, where the keyless entry and remote start broadcasts are captured, and then can be replicated later. This is no longer possible (in most cases), because newer vehicles use rolling, semi-random authentication codes, though it may be possible to circumvent these with sufficient technical skill.
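To show why a captured broadcast can no longer simply be replayed against a car using rolling codes, here is an added example (not from the original post) of a simplified rolling-code scheme: the fob and car share a constructed secret and a counter, every press sends a fresh counter plus an authentication tag, and the car rejects any message whose counter it has already seen. The secret, window size and message format are assumptions for illustration only.

```python
import hmac
import hashlib

# Constructed shared secret; a real fob/car pair is provisioned at the factory.
SHARED_SECRET = b"constructed-demo-secret"


def make_tag(counter: int) -> str:
    """Authentication tag over the counter, keyed with the shared secret."""
    return hmac.new(SHARED_SECRET, counter.to_bytes(4, "big"), hashlib.sha256).hexdigest()


class Fob:
    """Key fob: increments its counter on every button press."""
    def __init__(self) -> None:
        self.counter = 0

    def press(self) -> tuple[int, str]:
        self.counter += 1
        return self.counter, make_tag(self.counter)


class Car:
    """Receiver: accepts only authentic, never-before-seen counters inside a window."""
    def __init__(self, window: int = 16) -> None:
        self.last_counter = 0
        self.window = window  # tolerance for presses made out of range of the car

    def receive(self, message: tuple[int, str]) -> bool:
        counter, tag = message
        # Reject forged messages (wrong secret) in constant time.
        if not hmac.compare_digest(make_tag(counter), tag):
            return False
        # Reject replays (old or reused counter) and counters too far ahead.
        if counter <= self.last_counter or counter > self.last_counter + self.window:
            return False
        self.last_counter = counter
        return True


def replay_is_rejected() -> bool:
    """A recorded broadcast unlocks once; the same recording is refused afterwards."""
    fob, car = Fob(), Car()
    captured = fob.press()          # legitimate press, captured off the air
    first = car.receive(captured)   # the car accepts the live press
    replay = car.receive(captured)  # the captured copy is rejected
    return first and not replay
```

Note that this defeats cloning of recorded broadcasts, not the relay attack described above, which forwards a live exchange between the real fob and the car.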

Tracking a plate requires going through the police or local government. Note, I said through, not to. Vehicle licenses and registrations are kept on file by your government. In the US, the police have access to that, as will state and federal databases. In theory, this stuff is kept confidential, and general civilians shouldn’t be able to gain access to it. In practice, that’s not entirely accurate. There are a number of civilian occupations that require access to these systems to do their jobs. Companies that perform background checks, and bail bondsmen would be examples. Additionally, someone with police connections may be able to get access to information they shouldn’t. The cliche example would be a dirty cop, but the reality can be far more benign. Someone who owns and operates a security company will interact with local law enforcement agencies on a regular basis and will seek to generate a rapport with officers they interact with regularly, often becoming friends. In situations like this it’s entirely possible for such an individual to go to their friend and ask for licensing information that, legally, they shouldn’t be privy to, but “given the circumstances…”

I’m ignoring the hacking route here, because it’s not particularly applicable most of the time. That said, many outside contractors who work with law enforcement, particularly companies that sell surveillance or IT hardware, are going to have a better grasp of how the software and network systems function than you might expect. The idea of getting access to a Federal database may sound like the work of elite hackers, but the reality is, if you’ve got a piece of software which has to interact with thousands of agencies, nationwide, there are going to be considerable security lapses if you know how the system works. If you know where to connect, and who you need to claim to be at login, reality is as mundane as ever.

When you’re pulled over in a traffic stop, one of the things the officer does, when they return to their patrol car after asking for your license and registration, is to call their dispatcher and ask them to run your name and vehicle through the National Crime Information Center. The NCIC is a database maintained by the FBI, which tracks people who are wanted on warrants and checks to see if the vehicle has been reported stolen. Additionally the National Highway Safety Administration maintains the National Driver Register, which keeps track of issued licenses nationwide. In the case of the NCIC, data is only added if you’re wanted for some crime, or if your vehicle has been reported stolen, however the NDR tries to keep records of everyone. In both cases, you’re talking about software that needs to be accessible to a wide range of agencies, nationwide, including a number of technical Luddites who can barely sign up for their own email address. Again, knowing how to authenticate to the network is access.

There are a number of ways you can track someone. With a modern smartphone, the simplest one is simply malware. Most cellphones produced in the last 20 years have some form of onboard GPS system. There are a lot of ways you can load malware onto a phone, but the short version is: if you’ve compromised their phone, then you don’t even need a GPS transponder; you can get their phone to tell you where it is. At that point, you might be able to configure monitoring software to tell you where the phone is and where it’s been, but that’s really the tip of the iceberg. On a compromised phone, you can have full system access, see what their camera is pointed at (without starting the app), listen to everything said in the immediate vicinity, access any texts sent or received from the phone and listen in to any calls (along with full call metadata, such as who they’re calling). In fact, malware used by law enforcement allows remote activation of the phone, so even if you turn it off, it can still be rebooted to function as a traveling surveillance device. To be clear, none of this is even custom, it’s all off-the-shelf software designed for, and sold to, intelligence and law enforcement agencies.

Let’s add another scary thought on here. Most of the time we talk about our phones being broken when the screen fails. The system’s been abused, the screen’s cracked, and the LCD won’t power up anymore. Thing is, that phone isn’t destroyed. You can’t use it, because the interface is damaged, but so long as the phone can still be powered on, a lot of the functionality I described earlier will still work. Now, if the battery was destroyed, or the CPU is fried, then the phone is completely dead, but any data it already transmitted is still safe, remotely, at the other end.

Also worth noting about your phone, GPS data can be stored. Your surveillance team wouldn’t just know where your phone is, they’d know everywhere it had been, with some additional hints as to where the phone had been before they picked it up. Beyond that, if you’re dealing with intelligence or law enforcement agencies, historical data regarding the GPS tracking will be accessible to them without even needing to compromise the phone at all.

To be clear, compromising a phone like this is fairly technical. It would require direct access to the phone for a couple of minutes to complete the install (though there are a number of ways you can get access covertly). The technical aptitude necessary means you’re talking about private security or intelligence agencies, as this goes well beyond what your average gangster or corrupt beat cop could pull off. Also, if your characters are up against intelligence agencies, then it’s entirely possible the compromising update could be pushed remotely by the telecom company.

I don’t usually cite my sources here, but given the nature of this, it’d probably be helpful for you to see a few, so you understand this isn’t just deranged conspiracy theories.

Here’s an Ars Technica article from last month documenting smartphone malware found in the wild. Also, the TechDirt article from 2013 that served as my crash course on the subject may be relevant.

On the subject of remote vehicle access, reports of people having their cars stolen start back in 2008, though those early reports aren’t particularly credible, to the point that Snopes rates it as mixed. However, jump to 2017, and you can watch security footage of thieves employing the relay technique in the UK.

I didn’t cover this earlier, but because of the interconnection on modern vehicles, it’s now possible to hack and hijack control of vehicles via their onboard computers. The Uconnect exploit got some press attention back in 2015, and Ars Technica has some nice specifics on that issue.

There’s a lot more to discuss on these subjects, but that’s the very abbreviated version.
