Hackers Steal Vehicles by Injecting Malware Into Headlamp Wiring

Shadetree hackers, or rather tech-savvy thieves, have found a new way to steal cars. No, it’s not a relay attack, a Bluetooth exploit, a key fob replay, or even a USB cable. Instead, these thieves are doing a modern version of hot-wiring that doesn’t involve taking the steering column apart.

Resourceful criminals have built devices that simply plug into the wiring harness behind the victim’s headlight. Once the device is plugged in, they can unlock the car, start it, and drive away before the owner even knows what is going on.

Ian Tabor, who runs the UK branch of Car Hacking Village, had his Toyota RAV4 stolen from outside his home near London last year. A few days before the theft, he found that thieves had damaged the car without taking it. He wasn’t sure whether it was vandalism or an attempt to steal the car’s front bumper, but he did see that the headlight harness had been pulled out.

In the end, the thieves got away with the car. After Tabor’s RAV4 was stolen, his neighbor’s Toyota Land Cruiser was taken as well. But this is 2023; only in the movies can you simply hotwire a car and drive away. That got Tabor, who hacks cars for fun, interested: what exactly did the thieves do to get away with his car?

CAN Bus Network

Tabor started with Toyota’s “MyT” app. This is Toyota’s telematics system, which sends Diagnostic Trouble Codes (DTCs) to the company’s servers instead of requiring you to plug a code reader into the car’s OBD2 port. Looking at the data, he found that his RAV4 had reported a lot of DTCs right before it was stolen, including one for the computer (ECU) that controls the car’s exterior lights.

This made Tabor wonder whether the thieves had used the car’s CAN Bus network to steal it. He spent a lot of time searching the dark web and found expensive tools that claimed to work on BMW, Cadillac, Chrysler, Fiat, Ford, GMC, Honda, Jeep, Jaguar, Lexus, Maserati, Nissan, Toyota, and Volkswagen, among others. How much? As much as $5,400, but that’s not much if they really make it as easy to steal cars as advertised.

Tabor decided to order one of these gadgets to test it for himself. Together with Ken Tindell, the CTO of Canis Automotive Labs, he took the device apart to figure out how it worked, and the two then wrote a report on what they found.

It turned out that the expensive device was built from only about $10 worth of parts. Its software was set up to inject fake CAN messages into the car’s real CAN Bus network, which is where the real magic happens.

The messages essentially tricked the car into thinking a trusted key was present. That caused the CAN Gateway (the component that separates CAN messages into their own networks) to send messages telling the car to turn off its immobilizer, which unlocked the doors and let the thieves drive away.

The Device Looked Like a Simple Portable Speaker

The device also looked like an ordinary portable speaker. Its electronics were hidden inside the shell of a JBL Bluetooth speaker, so all a thief has to do is switch it on.

Once the device is powered on and plugged in, it sends a frame onto the CAN network of the kind normally seen when you pull a door handle, approach with a passive-entry key, or press a button on your fob. It then waits for a particular CAN message before starting its attack.

The device then fakes a hardware error, which makes the other ECUs on the CAN network stop sending messages, so that the attacking device can get its own fake messages to the CAN devices first.

Once valid messages pause, the device switches to attack mode. It sends fake “valid key present” messages to the gateway, which makes the car believe a real, valid key is being used to control the vehicle. Next, the attacker just presses the “play” button on the speaker, and the car’s doors open.
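As an added example (not from the article or from Tabor and Tindell’s report), here is a small Python detector that looks for the pattern just described in a candump-style log: a “valid key present” frame arriving after a normally chatty ECU has gone silent. The CAN IDs, the heartbeat period and the log lines are constructed for illustration; real IDs differ by make and model.

```python
import re

# Constructed for this example: hypothetical CAN IDs and timing. Real IDs differ by
# make and model and would come from the vehicle's own CAN database.
HEARTBEAT_ID = 0x3B0     # periodic status frame from a body ECU, nominally every 100 ms
KEY_VALID_ID = 0x2A1     # "valid key present" style message consumed by the gateway
HEARTBEAT_PERIOD_S = 0.100
SILENCE_FACTOR = 3       # heartbeat missing for 3 periods counts as bus silence

# candump -l style line: "(timestamp) interface ID#DATA"
LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")


def parse_candump(text):
    """Parse candump-style lines into (timestamp, can_id, data) tuples; skip malformed ones."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m[1]), int(m[2], 16), bytes.fromhex(m[3])))
    return frames


def find_silence_injections(frames):
    """Return (timestamp, gap) for key-valid frames that follow an unusually long
    heartbeat gap: the injector silences the real ECUs before sending its own frames."""
    alerts = []
    last_heartbeat = None
    for ts, can_id, _data in frames:
        if can_id == HEARTBEAT_ID:
            last_heartbeat = ts
        elif can_id == KEY_VALID_ID and last_heartbeat is not None:
            gap = ts - last_heartbeat
            if gap > SILENCE_FACTOR * HEARTBEAT_PERIOD_S:
                alerts.append((ts, round(gap, 3)))
    return alerts


# Constructed log: normal traffic with one legitimate unlock at t=1000.150, then 650 ms
# with no heartbeat followed by two "key valid" frames.
SAMPLE_LOG = """\
(1000.000) can0 3B0#0100
(1000.100) can0 3B0#0100
(1000.150) can0 2A1#01
(1000.200) can0 3B0#0100
(1000.300) can0 3B0#0100
(1000.950) can0 2A1#01
(1000.960) can0 2A1#01
"""
```

The legitimate unlock at t=1000.150 is not flagged because the heartbeat was still alive; the two frames after the silence are.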

Since the makers of these CAN injection devices claim they work on a wide range of makes and models, this looks like an industry-wide problem that may need some creative thinking to solve.

The good news is that this kind of attack can be stopped. There are quick and dirty fixes that may fail in the long run, but an automaker can stop this attack by encrypting its CAN Bus network. Tindell says that Canis is already working on a project to add such an encryption scheme to U.S. military vehicles, and he suggests the same approach as the fix for commercial vehicles with this problem.
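The article describes the fix as encryption; the added example below (not Canis’s scheme and not the authors’ code) shows the property an automaker needs against injection: each frame is authenticated with a counter and a truncated HMAC under a key the plug-in device does not have, so forged and replayed frames are rejected. The shared key, the CAN ID and the 3-byte tag length are assumptions for illustration.

```python
import hmac
import hashlib

# Constructed for this example: a per-vehicle symmetric key (hypothetical value). A real
# scheme would provision it at manufacture and keep it in protected storage on each ECU.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
MAC_LEN = 3                      # truncated-HMAC bytes that still fit a classic CAN payload
MAX_PAYLOAD = 8 - 1 - MAC_LEN    # payload + 1-byte counter + tag must fit in 8 bytes


def mac_tag(key, can_id, counter, payload):
    """HMAC-SHA256 over (CAN ID, counter, payload), truncated to MAC_LEN bytes."""
    msg = can_id.to_bytes(2, "big") + bytes([counter]) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(key, can_id, counter, payload):
    """Sender side: append the counter and the tag to the application payload."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long for an authenticated classic CAN frame")
    return payload + bytes([counter]) + mac_tag(key, can_id, counter, payload)


class Receiver:
    """Gateway side: accept a frame only if its tag verifies and its counter is fresh."""

    def __init__(self, key):
        self.key = key
        self.last_counter = {}   # per CAN ID; a real design also needs wrap and resync handling

    def accept(self, can_id, data):
        payload = data[:-1 - MAC_LEN]
        counter = data[-1 - MAC_LEN]
        tag = data[-MAC_LEN:]
        # A plug-in device without the key cannot compute a valid tag for a fake
        # "key present" frame; compare in constant time.
        if not hmac.compare_digest(tag, mac_tag(self.key, can_id, counter, payload)):
            return False
        # A recorded genuine frame that is sent again is rejected as a replay.
        if counter <= self.last_counter.get(can_id, -1):
            return False
        self.last_counter[can_id] = counter
        return True


if __name__ == "__main__":
    rx = Receiver(SHARED_KEY)
    genuine = build_frame(SHARED_KEY, 0x2A1, 1, b"\x01")   # hypothetical "key valid" ID
    print("genuine accepted:", rx.accept(0x2A1, genuine))
    print("replay accepted: ", rx.accept(0x2A1, genuine))
```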

The fact that thieves are already taking advantage of this in the wild shows that it is already a problem. And if it keeps getting more popular, it could lead to something like what Hyundai and Kia are going through right now, but on a much simpler level.
