Automotive security experts say they have discovered a method of car theft that relies on direct access to the vehicle’s system bus through the wiring of a smart headlight.
It all started when a Toyota RAV4 belonging to one of the tech gurus suffered suspicious damage to the front wing and headlight housing, and was eventually stolen. A bit of digging and reverse engineering revealed how the motor was ultimately nicked.
Ken Tindell, CTO of Canis Automotive Labs, said the evidence pointed to the successful execution of the so-called CAN injection by the thieves.
A Controller Area Network (CAN) bus is present in almost all modern cars, and is used by microcontrollers and other devices to communicate with each other inside the vehicle and do the work they are supposed to do.
In a CAN injection attack, thieves gain access to the network and inject fake messages as if they came from the car's smart key receiver. These messages cause the security system to unlock the vehicle and disable the engine immobilizer, allowing it to be stolen. To gain this network access, thieves can, for example, break open a headlight and use its connection to the bus to send messages. From then on, they can simply manipulate other devices on the bus to steal the vehicle.
"In most cars on the road today, these internal messages are not protected: the receivers just trust them," Tindell said in a technical report this week.
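The mitigation Tindell's remark points at is message authentication on the bus: a receiver that checks a keyed tag and a freshness counter no longer has to trust a frame just because it carries the right arbitration ID. The following is an added example, not code from the report or from Canis Automotive Labs, sketching that check in the style of a truncated-MAC scheme. The CAN ID (0x123), the shared key, and the payload layout (2-byte command, 2-byte counter, 4-byte tag) are all constructed for illustration; a real deployment would keep per-vehicle keys in a hardware security module and follow a standardized scheme such as AUTOSAR SecOC.

```python
import hashlib
import hmac
import struct

# Constructed shared key, assumed to be provisioned to both the key receiver
# ECU and the body ECU at the factory (hypothetical; not from the article).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed arbitration ID for the "door unlock" command (not a real Toyota ID).
UNLOCK_ID = 0x123
MAC_LEN = 4  # classic CAN carries 8 data bytes: 2 command + 2 counter + 4 tag


def _tag(key: bytes, can_id: int, command: bytes, counter: int) -> bytes:
    """Truncated HMAC over (ID, command, counter); the ID is bound in so a tag
    valid for one message type cannot be reused under another ID."""
    header = struct.pack(">H2sH", can_id, command, counter)
    return hmac.new(key, header, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(key: bytes, can_id: int, command: bytes, counter: int) -> bytes:
    """Sender side: return the 8-byte payload command | counter | tag."""
    if len(command) != 2 or not 0 <= counter < 0x10000:
        raise ValueError("command must be 2 bytes and counter a 16-bit value")
    return command + struct.pack(">H", counter) + _tag(key, can_id, command, counter)


class Receiver:
    """Body ECU side: accept a frame only if the tag verifies and the counter
    is strictly newer than the last accepted one (blocks replay)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, can_id: int, payload: bytes) -> bool:
        if len(payload) != 8:
            return False
        command = payload[:2]
        counter = struct.unpack(">H", payload[2:4])[0]
        tag = payload[4:]
        if counter <= self.last_counter:
            return False  # replayed or stale frame
        expected = _tag(self.key, can_id, command, counter)
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        self.last_counter = counter
        return True


def demo() -> dict:
    """Walk through the three cases a receiver must distinguish."""
    rx = Receiver(SHARED_KEY)
    unlock = b"\x00\x01"  # constructed command code meaning "unlock"

    genuine = build_frame(SHARED_KEY, UNLOCK_ID, unlock, counter=7)
    genuine_ok = rx.accept(UNLOCK_ID, genuine)

    # A device on the bus without the key can only guess the tag.
    forged = unlock + struct.pack(">H", 8) + b"\x00\x00\x00\x00"
    forged_ok = rx.accept(UNLOCK_ID, forged)

    # Re-sending a previously captured genuine frame fails the freshness check.
    replay_ok = rx.accept(UNLOCK_ID, genuine)

    return {"genuine": genuine_ok, "forged": forged_ok, "replay": replay_ok}


if __name__ == "__main__":
    print(demo())
```

A 32-bit truncated tag is a pragmatic compromise forced by the 8-byte classic CAN frame; CAN FD's 64-byte payloads allow a longer tag, and the freshness counter should be wide enough, or combined with a trip counter, that it does not wrap during the vehicle's life.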
The discovery followed an investigation by Ian Tabor, a cybersecurity researcher and automotive engineering consultant working for EDAG Engineering Group.
It was prompted by the theft of Tabor's RAV4. Prior to the crime, Tabor noticed that someone had pulled off the front bumper and arch trim, and that the headlight wiring plug had been removed. The surrounding area was streaked with screwdriver marks, which, coupled with the fact that the damage was on the sidewalk side, seemed to rule out damage from a passing vehicle. Further damage was later found on the car: paint chips, trim clips removed, and malfunctioning headlights.
A few days later, the Toyota was stolen.
Tabor was not content to simply accept the theft and used his experience to try to find out how the thieves had done the job. Toyota's MyT app, which among other things allows you to inspect your vehicle's data records, helped. It provided evidence that the Electronic Control Units (ECUs) in the RAV4 had detected faults, recorded as Diagnostic Trouble Codes (DTCs), prior to the theft.
According to Tindell, “Ian’s car dropped a lot of DTCs.”
Several systems had apparently failed or reported faults, including the front-facing cameras and the hybrid engine control system. Upon further analysis, it became clear that the ECUs had probably not failed; rather, communication between them had been lost or interrupted. The common factor was the CAN bus.
The faults actually arose when the thieves broke into a headlight and ripped out the wiring, then used those exposed connections to electrically access the CAN bus and send messages telling other parts of the system to, in effect, hand the car over to the wrongdoers. Disconnecting the headlight caused the aforementioned wave of network communication failures. But how were the crucial unlock messages actually injected?
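The two symptoms described in this story, a bus peer going silent (what the ECUs logged as DTCs) and frames claiming to be from the smart key receiver arriving faster than that ECU ever sends them, are exactly what a simple timing-based CAN monitor can flag. The following is an added example, not code from the article, from Tabor, or from Canis, that runs such a check over a constructed frame log: the arbitration IDs (0x2A0, 0x3C0, 0x1F0), their nominal periods, and the log itself are all invented for illustration and are not real Toyota values.

```python
from dataclasses import dataclass


@dataclass
class Frame:
    t_ms: float
    can_id: int
    data: bytes


# Nominal transmission periods in ms for periodic frames. Constructed IDs.
PERIOD_MS = {
    0x2A0: 100,  # smart key receiver status (constructed)
    0x3C0: 50,   # front camera status (constructed)
    0x1F0: 20,   # hybrid control status (constructed)
}
LOST_FACTOR = 5.0   # gap > 5x period: peer silent, the condition a DTC would record
BURST_FACTOR = 0.2  # gap < 0.2x period: a second sender is using this ID


def analyze(frames, periods=PERIOD_MS, end_ms=None):
    """Return a list of (kind, can_id, t_ms) alerts.

    kind is 'lost_comm' when a periodic ID falls silent for more than
    LOST_FACTOR periods, and 'injection' when frames under a periodic ID
    arrive far faster than the genuine ECU transmits them.
    """
    ordered = sorted(frames, key=lambda f: f.t_ms)
    if end_ms is None:
        end_ms = ordered[-1].t_ms if ordered else 0
    last_seen = {}
    alerts = []
    for f in ordered:
        period = periods.get(f.can_id)
        if period is None:
            continue  # not a periodic ID we model
        if f.can_id in last_seen:
            gap = f.t_ms - last_seen[f.can_id]
            if gap > LOST_FACTOR * period:
                alerts.append(("lost_comm", f.can_id, f.t_ms))
            elif gap < BURST_FACTOR * period:
                alerts.append(("injection", f.can_id, f.t_ms))
        last_seen[f.can_id] = f.t_ms
    # A peer that stops transmitting and never comes back is only visible
    # by checking the end of the capture window.
    for can_id, period in periods.items():
        if can_id in last_seen and end_ms - last_seen[can_id] > LOST_FACTOR * period:
            alerts.append(("lost_comm", can_id, end_ms))
    return alerts


def constructed_log():
    """A one-second capture invented for this example."""
    frames = []
    # Key receiver: steady 100 ms heartbeat, status byte 0x00 = no key present.
    for t in range(0, 1001, 100):
        frames.append(Frame(t, 0x2A0, b"\x00"))
    # Hybrid control: steady 20 ms, nothing unusual.
    for t in range(0, 1001, 20):
        frames.append(Frame(t, 0x1F0, b"\x00"))
    # Front camera: fine until 400 ms, then silent (its wiring was disturbed).
    for t in range(0, 401, 50):
        frames.append(Frame(t, 0x3C0, b"\x00"))
    # Three spoofed "key present" frames under the receiver's ID, 10 ms apart,
    # interleaved with the genuine 100 ms heartbeat.
    for t in (310, 320, 330):
        frames.append(Frame(t, 0x2A0, b"\x01"))
    return frames


if __name__ == "__main__":
    for kind, can_id, t in analyze(constructed_log(), end_ms=1000):
        print(f"{t:6.0f} ms  0x{can_id:03X}  {kind}")
```

Timing heuristics like this are cheap enough to run on a gateway ECU and catch the crude burst a plug-in box produces, but they are a detection layer, not a fix: a more careful injector can pace its frames, which is why authenticated messages remain the real answer.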
Tabor turned to the dark web to search for equipment that may have been involved in the theft of his car and found a number of devices targeting the CAN bus. He worked with Noel Lowdon of vehicle forensics company Harper Shaw to reverse-engineer a likely contender: a device capable of communicating with a connected CAN bus, cleverly concealed inside an ordinary-looking Bluetooth smart speaker. The fake speaker comes with wires that are plugged into an exposed bus connector; pressing a button on the box then sends out the messages needed to unlock the car.
Since Tindell had helped develop Volvo's first CAN-based car platform, he was brought in to help understand the device's role in the theft of the car. More technical details are provided in the technical report mentioned above.
As the auto industry develops ever more sophisticated technological systems for its vehicles, scumbags find more ingenious ways to abuse these systems for their own ends.
Last year, a keyless entry exploit was demonstrated against Honda Civics manufactured between 2016 and 2020. The weak cryptography used in the keyless entry system of the Tesla Model S was blamed for the ease with which researchers could gain entry. In 2016, security researchers demonstrated how thieves could break into cars at will using wireless signals that could unlock millions of vulnerable VWs. ®