Shadetree hackers—or, as they’re more commonly called, tech-savvy thieves—have found a new way to steal cars. No, it’s not a relay attack, Bluetooth exploit, key fob replay, or even a USB cable. Instead, these thieves are performing a modern take on hot-wiring without ever ripping apart the steering column.
Crafty criminals have resorted to using specially crafted devices that simply plug into the wiring harness behind the headlight of a victim’s car. Once they’re plugged in, they’re able to unlock, start, and drive away before the owner even catches wind of what’s going on.
Last year, Ian Tabor, who runs the UK chapter of Car Hacking Village, had his Toyota RAV4 stolen from outside of his home near London. Days prior to the theft, he found that thieves had damaged his car without successfully taking it. It wasn’t quite clear if it was a case of vandalism, or if the thieves had tried to make off with the car’s front bumper, but he did notice that the headlight harness had been yanked out.
Ultimately, his car wound up missing when thieves successfully made away with it. And after Tabor’s car was stolen, so was his neighbor’s Toyota Land Cruiser. But, folks, this is 2023. It’s not like you can just hotwire a car and drive away as the movies suggest. This got Tabor curious—after all, hacking cars is something he does for fun. How exactly did the thieves make off with his car?
Tabor got to work with Toyota’s “MyT” app. This is Toyota’s telematics system, which pushes Diagnostic Trouble Codes (DTCs) up to the automaker’s servers rather than forcing you to plug a code reader into the car’s OBD2 port. Upon investigation, Tabor noticed that his RAV4 kicked off a ton of DTCs just prior to being stolen—one of which was for the computer that controls the car’s exterior lighting.
This led Tabor to wonder if the thieves somehow made use of the vehicle CAN Bus network to drive away with his car. After scouring the dark web, Tabor was able to locate expensive tools claiming to work for various automakers and models, including BMW, Cadillac, Chrysler, Fiat, Ford, GMC, Honda, Jeep, Jaguar, Lexus, Maserati, Nissan, Toyota, as well as Volkswagen. The cost? As much as $5,400, but that’s a drop in the bucket if they can actually deliver on the promise of enabling vehicle theft.
Tabor decided to order one of these devices to try out himself. Together with Ken Tindell, the CTO of Canis Automotive Labs, the duo tore down a device to find out what made it tick and published a writeup of their findings.
As it turns out, the expensive device comprised just $10 in components. The real magic is in the programming, which was set up to inject fake CAN messages into the car’s actual CAN Bus network. The messages essentially tricked the car into thinking a trusted key was present, which convinced the CAN Gateway (the component that filters CAN messages onto their appropriate segmented networks) into passing along messages instructing the car to disable its immobilizer and unlock the doors, essentially allowing the thieves to just drive away.
What’s more, the device simply looked like an ordinary portable speaker. The guts were stuffed inside the shell of a JBL-branded Bluetooth speaker, and all the thief needs to do is power the device on.
Once the device is on and plugged in, it wakes up the CAN network by sending a frame—much as if you had pulled on a door handle, approached with a passive entry key, or hit a button on your fob. It then listens for a specific CAN message to begin its attack. The device then emulates a hardware error, which tricks the other ECUs on the CAN network into halting their transmissions so that the attacking device has the bus to itself to send its spoofed messages to CAN devices.
The pause of valid messages is when the device is able to go into attack mode. It then sends the spoofed “valid key present” messages to the gateway which makes the car think that an actual valid key is being used to control the vehicle. Next, the attacker simply presses the speaker’s “play” button, and the car’s doors are unlocked.
Given that the manufacturer of these CAN injection devices claims that the devices are so effective against a myriad of makes and models, it would seem that this could be an industry-wide problem that may take some brainstorming to fix.
The good news is that this type of attack can be thwarted. While there are quick-and-dirty methods that could potentially be re-defeated in the long run, the durable fix is for an automaker to encrypt its CAN Bus traffic so that injected messages are rejected. According to Tindell, Canis is working on a project to retrofit U.S. military vehicles with such an encryption scheme, similar to what he suggests as the fix for commercial vehicles experiencing this issue.
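To illustrate why cryptographic protection defeats this kind of injection, here is an added toy example in Python; it is not the article’s code and not Canis’s actual scheme. It assumes a shared key provisioned to the key-status ECU and the gateway, a placeholder arbitration ID for the “valid key present” status frame, and a constructed 8-byte layout (4 bytes payload, 1 byte freshness counter, 3 bytes truncated HMAC tag). The gateway then drops both a forged frame with no valid tag and a replayed genuine frame.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed values for the demo: a shared secret provisioned to both ECUs
# (not a real key) and a placeholder arbitration ID for the key-status frame.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
KEY_PRESENT_ID = 0x3B0


@dataclass
class Frame:
    arb_id: int
    data: bytes  # classic CAN payload: 4 bytes status + 1 byte counter + 3 bytes tag


def _tag(key: bytes, arb_id: int, counter: int, payload: bytes) -> bytes:
    # The tag binds the arbitration ID, the freshness counter and the payload,
    # so a frame cannot be re-labelled, replayed or altered without the key.
    msg = arb_id.to_bytes(2, "big") + bytes([counter]) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:3]  # truncated to fit 8 bytes


class Sender:
    """Legitimate ECU that stamps each status frame with a counter and tag."""

    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def build(self, arb_id: int, payload: bytes) -> Frame:
        assert len(payload) == 4
        self.counter = (self.counter + 1) % 256
        return Frame(arb_id, payload + bytes([self.counter]) + _tag(self.key, arb_id, self.counter, payload))


class GatewayVerifier:
    """Gateway that only forwards frames carrying a valid tag and a fresh counter."""

    def __init__(self, key: bytes) -> None:
        self.key, self.last_counter = key, {}

    def accept(self, frame: Frame) -> bool:
        if len(frame.data) != 8:
            return False
        payload, counter, tag = frame.data[:4], frame.data[4], frame.data[5:]
        if not hmac.compare_digest(tag, _tag(self.key, frame.arb_id, counter, payload)):
            return False  # forged or unauthenticated frame: dropped
        delta = (counter - self.last_counter.get(frame.arb_id, 0)) % 256
        if delta == 0 or delta > 127:
            return False  # replayed or stale counter: dropped
        self.last_counter[frame.arb_id] = counter
        return True
```

A real deployment would use a larger freshness value and a longer tag (or CAN FD frames) than this 8-byte toy layout allows.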
If thieves are already exploiting this in the wild (which they are), it means that it’s already a problem. And if it continues to grow in popularity, perhaps it could lead to a repeat of what Hyundai and Kia are currently experiencing on a significantly more low-tech level.