
Shadetree hackers – or, as they are more commonly known, tech-savvy thieves – have found a new way to steal cars. No, it’s not a relay attack, a Bluetooth exploit, a key fob repeater, or even a USB cable. Instead, these thieves perform a modern version of hot-wiring without ever ripping the steering column apart.
Smart criminals have resorted to using custom-made devices that simply plug into the wiring harness behind the headlight of a victim’s car. Once plugged in, they can unlock, start and drive away before the owner even knows what’s going on.
Last year, Ian Tabor, who runs the UK division of the Car Hacking Village, had his Toyota RAV4 stolen from outside his home near London. In the days before the theft, he discovered that thieves had damaged his car without managing to take it. It was not entirely clear whether it was vandalism or whether the thieves had tried to get at the car through its front bumper, but he noticed that the headlight harness had been pulled out.
In the end, the thieves managed to get away with his car. And after Tabor’s car was stolen, so was his neighbor’s Toyota Land Cruiser. But, folks, this is 2023. It’s not like you can just hot-wire a car and drive away like the movies suggest. This made Tabor curious – after all, hacking cars is something he does for fun. Exactly how did the thieves get away with his car?
Tabor got to work with Toyota’s “MyT” app. This is Toyota’s telematics system, which uploads diagnostic trouble codes to the automaker’s servers instead of forcing you to plug a code reader into the car’s OBD2 port. Upon investigation, Tabor noticed that his RAV4 had logged a flood of DTCs right before it was stolen – one of which came from the computer that controls the car’s exterior lighting.
This made Tabor wonder whether the thieves had somehow used the vehicle’s CAN bus network to make off with his car. After scouring the dark web, Tabor was able to find expensive tools that claimed to work on various car makes and models, including BMW, Cadillac, Chrysler, Fiat, Ford, GMC, Honda, Jeep, Jaguar, Lexus, Maserati, Nissan, Toyota and Volkswagen. The cost? As much as $5,400, but that’s a drop in the bucket if they can actually deliver on the promise of enabling vehicle theft.
Tabor decided to order one of these units to try for himself. Along with Ken Tindell, CTO of Canis Automotive Labs, the duo tore down a unit to find out what made it tick and published a summary of their findings.
As it turns out, the expensive device consisted of just $10 in components. The real magic is in the programming, which was set up to inject fake CAN messages into the car’s real CAN bus network. The messages essentially tricked the car into thinking a trusted key was present, which convinced the CAN gateway (the component that filters CAN messages onto their appropriate segmented networks) to send messages instructing the car to disable its immobilizer, unlock the doors and essentially let the thieves drive away.
What’s more, the device simply looked like a regular portable speaker. The guts were stuffed inside the shell of a JBL-branded Bluetooth speaker, and all the thief has to do is simply turn on the device.
The device is tucked inside the shell of a JBL Go 3 portable speaker.
Once the device is on and connected, it wakes up the CAN network by sending a frame – much as pulling a door handle, approaching with a passive entry key or pressing a button on the remote would. It then listens for a specific CAN message before beginning its attack. The device then emulates a hardware bug that tricks the other ECUs on the CAN network into ceasing to transmit, so that the attacking device has priority to send its fake messages to the CAN devices.
That pause in valid messages is when the device can go into attack mode. It then sends the fake “valid key present” messages to the gateway, which makes the car believe that a real valid key is being used to control the vehicle. The attacker then simply presses the speaker’s “play” button, and the car’s doors unlock.
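Seen from the defender’s side, the sequence just described has a recognisable shape on the bus: the legitimate ECUs fall silent, and a key-status frame then shows up while its normal sender is quiet. The monitor below is an added example, not code from the article or from Tabor and Tindell’s teardown; the CAN IDs, message periods and log lines are constructed placeholders rather than real Toyota identifiers.

```python
# Added example (not from the article): a small CAN-bus monitor that flags the
# injection pattern described above. It learns nothing and uses no real IDs;
# every ID, period and frame here is a constructed placeholder.
from dataclasses import dataclass


@dataclass
class Frame:
    t: float        # timestamp in seconds
    can_id: int     # 11-bit arbitration ID
    data: bytes     # payload, 0-8 bytes


# Constructed expectations: which IDs are periodic and how often they normally arrive.
PERIODIC_IDS = {0x1A0: 0.100, 0x2B4: 0.100}   # hypothetical body/lighting ECU heartbeats
KEY_STATUS_ID = 0x3C5                         # hypothetical "smart key present" frame
SILENCE_FACTOR = 3.0                          # a gap longer than 3 periods counts as silence


def analyse(frames):
    """Return a list of (time, alert) tuples found in the frame sequence."""
    alerts = []
    last_seen = {}       # can_id -> timestamp of the last periodic frame
    silent_since = {}    # periodic IDs whose traffic has gone quiet
    for f in frames:
        # 1. Detect periodic senders that have unexpectedly stopped transmitting.
        for pid, period in PERIODIC_IDS.items():
            if pid in last_seen and pid not in silent_since \
                    and f.t - last_seen[pid] > SILENCE_FACTOR * period:
                silent_since[pid] = last_seen[pid]
                alerts.append((f.t, f"periodic frame 0x{pid:03X} silent since t={last_seen[pid]:.3f}"))
        if f.can_id in PERIODIC_IDS:
            last_seen[f.can_id] = f.t
            silent_since.pop(f.can_id, None)   # sender is back, clear the silence mark
        # 2. A key-status frame arriving while the bus is otherwise silent is the
        #    signature of a foreign node speaking for ECUs that have been quietened.
        if f.can_id == KEY_STATUS_ID and silent_since:
            alerts.append((f.t, "key-status frame during bus silence: possible CAN injection"))
    return alerts


def heartbeats(start, count):
    """Constructed normal traffic: both periodic IDs every 100 ms."""
    out = []
    for i in range(count):
        t = start + i * 0.1
        out.append(Frame(t, 0x1A0, b"\x00\x01"))
        out.append(Frame(t, 0x2B4, b"\x7f"))
    return out


# Constructed log 1: heartbeats stop at t=0.2, a key-status frame appears at t=0.9.
INJECTION_LOG = heartbeats(0.0, 3) + [Frame(0.9, KEY_STATUS_ID, b"\x01")]

# Constructed log 2: a key-status frame at t=0.25 while heartbeats keep flowing
# (what a genuine key approach looks like on this toy bus) -> no alert.
BENIGN_LOG = heartbeats(0.0, 3) + [Frame(0.25, KEY_STATUS_ID, b"\x01")] + heartbeats(0.3, 3)


if __name__ == "__main__":
    for name, log in (("injection", INJECTION_LOG), ("benign", BENIGN_LOG)):
        print(name, analyse(log))
```

On the injection log the monitor raises two silence alerts (one per quiet heartbeat ID) followed by the key-status alert; on the benign log it raises none. In a real deployment the periodic table would be derived from the vehicle’s own traffic, and the monitor would live on the gateway or a bus guardian rather than in Python, but the logic is the same.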
Given that the manufacturer of these CAN injectors claims the devices are effective against such a myriad of makes and models, this appears to be an industry-wide problem that may take some brainstorming to fix.
The good news is that this type of attack can be countered. While there are quick-and-dirty methods that could potentially be defeated in the long run, one car manufacturer wants to prevent this type of attack by encrypting its CAN bus network. According to Tindell, Canis is working on a related project to retrofit US military vehicles with an encryption scheme like the one he proposes as the solution for commercial vehicles facing this problem.
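The reason cryptographic protection defeats this class of attack is that a forged frame carries the right CAN ID but cannot carry a valid authentication tag, and a captured genuine frame cannot be replayed once its counter has been used. The sketch below is an added example of that idea; it is not Canis’s scheme or any manufacturer’s code. It uses HMAC-SHA256 for simplicity where production schemes such as AUTOSAR SecOC typically use AES-CMAC, and the key, IDs and payload layout are constructed for the example.

```python
# Added example (not from the article or Canis): authenticated CAN payloads.
# Sender and gateway share a secret key; each frame carries a 2-byte counter,
# the application payload, and a 4-byte truncated HMAC over (CAN ID, counter,
# payload). The gateway drops frames with a bad tag or a stale counter.
import hashlib
import hmac
import struct

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed shared key
KEY_STATUS_ID = 0x3C5                                   # hypothetical "key present" frame
TAG_LEN = 4                                             # truncated tag; fits a classic 8-byte frame
MAX_PAYLOAD = 8 - 2 - TAG_LEN                           # room left for application data


def _tag(can_id, counter, payload):
    """Tag binds the ID and counter to the payload, so neither can be swapped."""
    msg = struct.pack(">HH", can_id, counter) + payload
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    """An ECU that emits authenticated frames with a monotonic counter."""

    def __init__(self):
        self.counter = 0

    def build(self, can_id, payload):
        if len(payload) > MAX_PAYLOAD:
            raise ValueError("payload too long for authenticated frame")
        self.counter += 1                      # real schemes also handle rollover/resync
        wire = struct.pack(">H", self.counter) + payload + _tag(can_id, self.counter, payload)
        return can_id, wire


class Gateway:
    """Verifies tag and freshness before forwarding a frame to the target segment."""

    def __init__(self):
        self.last_counter = {}                 # can_id -> highest accepted counter

    def accept(self, can_id, wire):
        if len(wire) < 2 + TAG_LEN:
            return False, "malformed"
        counter = struct.unpack(">H", wire[:2])[0]
        payload, tag = wire[2:-TAG_LEN], wire[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(can_id, counter, payload)):
            return False, "bad tag"            # forged frame: right ID, no key
        if counter <= self.last_counter.get(can_id, 0):
            return False, "replay"             # captured genuine frame sent again
        self.last_counter[can_id] = counter
        return True, payload


def demo():
    """Run the three cases that matter: genuine, forged, and replayed frames."""
    sender, gateway = Sender(), Gateway()
    can_id, genuine = sender.build(KEY_STATUS_ID, b"\x01")
    results = {"legit": gateway.accept(can_id, genuine)}
    # A forged "key present" frame: correct ID and payload, zeros where the tag belongs.
    forged = b"\x00\x02" + b"\x01" + b"\x00" * TAG_LEN
    results["forged"] = gateway.accept(KEY_STATUS_ID, forged)
    # Replaying the genuine frame fails the freshness check.
    results["replay"] = gateway.accept(can_id, genuine)
    # The next genuine frame is still accepted, so legitimate traffic keeps flowing.
    results["next"] = gateway.accept(*sender.build(KEY_STATUS_ID, b"\x01"))
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:7s} -> {result}")
```

Two points a practitioner would weigh before deploying something like this: the 4-byte tag and 2-byte counter are a compromise forced by the 8-byte classic CAN payload (CAN FD relaxes that), and key distribution across ECUs and service replacements is the hard operational part, which is why retrofits such as the one Tindell describes are a substantial project rather than a firmware tweak.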
Do you have a tip or a question for the author? Contact them directly: rob@thedrive.co