An anonymous reader quotes a report from Motherboard:

A man sitting in the driver’s seat of a Toyota is repeatedly tapping a button next to the steering wheel. A red light flashes — no luck, the engine won’t start. He doesn’t have the key. In response, the man pulls up an unusual tool: a Nokia 3310 phone. The man plugs the phone into the car using a black cable. He then flicks through some options on the 3310’s tiny LCD screen. “CONNECT. GET DATA,” the screen says. He then tries to start the car again. The light turns green, and the engine roars. This under-30-second clip shows a new breed of car theft that is spreading across the U.S. Criminals use tiny devices, sometimes hidden inside innocuous-looking Bluetooth speakers or mobile phones, to interface with the vehicle’s control system. This allows thieves with very little technical experience to steal cars without needing the key, sometimes in just 15 seconds or so. With the devices available to buy online for a few thousand dollars, the barrier of entry for stealing even high-end luxury cars is dramatically reduced.

The video showing the man using a Nokia 3310 to start a Toyota is just one of many YouTube videos Motherboard found demonstrating the technique. Others show devices used on Maserati, Land Cruiser, and Lexus-branded vehicles. Multiple websites and Telegram channels advertise the tech for between 2,500 Euro and 18,000 Euro ($2,700 and $19,600). One seller is offering the Nokia 3310 device for 3,500 Euro ($3,800); another advertises it for 4000 Euro ($4,300). Often sellers euphemistically refer to the tech as “emergency start” devices nominally intended for locksmiths. Some of the sites offer tools that may be of use to locksmiths, but legitimate businesses likely have no use for a tool that is hidden inside a phone or other casing. Some of the sites even claim to offer updates for devices customers have already purchased, suggesting that development of the devices and their capabilities is an ongoing process.

“At the moment, impacted vehicles are generally wide open to these sorts of attacks,” says Motherboard. “The only proper fix would be to introduce cryptographic protections to CAN messages […] via a software update.”