
A new keyless car theft technique opens cars in just a few seconds

A new car theft technique, in which no key is used to open and start the car, lets thieves get in in under a couple of minutes by attacking the vehicle’s own security systems. The technique, dubbed a CAN injection attack, was uncovered by Ian Tabor, a cybersecurity researcher specializing in cars, who is also the owner of one of the vehicles stolen using it.

Tabor, the owner of a Toyota RAV4 that vanished after its interior had been broken into twice in three months, was intrigued and began investigating how his car could have been accessed and its engine started so that it could be driven away. According to Ars Technica, he began by carefully examining the telematics system Toyota uses to record anomalies as DTCs (Diagnostic Trouble Codes), and his car had logged many of them around the time of the theft.

The error codes showed that communication had been lost between the car’s Controller Area Network (CAN) and the headlight Electronic Control Unit (ECU). ECUs are present in virtually all modern vehicles and control many functions, including the brakes, individual lights, the engine and the windshield wipers. ECUs also send status messages over CAN to inform the other ECUs of current conditions.

The DTCs showing that the RAV4’s left headlamp had lost contact with the CAN bus were not too surprising, since the thieves had cut the wires connecting it. More revealing was that the failure occurred at the same time in other ECUs, including those for the cameras and the one for the hybrid motor control. Taken together, these faults suggested that the ECUs themselves had not failed; rather, the CAN bus had malfunctioned. This gave Tabor food for thought, and he began to widen his investigation.

He then started digging through crime forums on the dark web and YouTube videos about car theft. During his search he found advertising for what were known as “emergency start” devices. These devices are designed for vehicle owners or locksmiths when a key is not available, but nothing prevents them from being used by anyone, car thieves included.

Tabor then bought a device advertised as able to start various Lexus and Toyota models, including the RAV4. He reverse-engineered it and, with the help of Ken Tindell, a friend who is also an expert in vehicle security, worked out how it interacted with the RAV4’s CAN bus.

The investigation uncovered a keyless vehicle theft technique that none of the investigators had seen before. In the past, crooks have had success with what is known as a relay attack, which amplifies the signal exchanged between the car and the electronic key fob used to unlock and start it.

Keyless fobs normally communicate only over very short distances. By placing a portable radio device near the vehicle, thieves amplify the usually weak message sent by the car so that it reaches a nearby location, at home or at the office, where the fob is. When the fob responds with the encrypted message that unlocks and starts the vehicle, the thief’s repeater relays it back to the car. With this method, a car can be stolen quickly.

As Ken Tindell has stated: “Now that it’s known how a relay attack works, car owners keep their keys in a metal box, blocking the car’s radio message, and some manufacturers sell keys that are deactivated if they aren’t moved for a few minutes, which makes them unable to receive the car radio message. Faced with this, thieves, not wanting to leave their lucrative activities behind, have switched to a new system that bypasses security: bypassing the smart key system altogether. They do it with a new attack: CAN injection.”

The CAN injector Tabor bought was “disguised” as a JBL Bluetooth speaker, which gave the thieves cover if the police or bystanders became suspicious of their activity. Instead of carrying a device obviously meant for hacking a car’s ignition system, they can pass it off as a speaker or some other harmless object.

Inside, chips for CAN injection were integrated into its circuit board. According to Tabor, the injector components cost around $10: a chip with the CAN hardware, the software pre-programmed onto that chip (i.e. firmware), a CAN transceiver, and additional circuitry connected to it.

The device is powered by the speaker’s battery and connects to a CAN bus, that is, to a pair of wires. A car has several CAN buses working together, linked either directly through connectors or via a computer (a gateway) that forwards some CAN messages between the buses it is connected to.

The theft device is designed to connect to the control CAN bus and impersonate the smart key ECU. It only needs the wires of that bus to run close enough to the edge of the car to be reached. Other CAN buses are buried much deeper, so the easiest point at which to connect this device is the headlight wiring, which can be reached by pulling the bumper out slightly.

When powered on, the CAN injector does nothing at first. It listens until it sees a specific message indicating that the car is ready. When it receives that CAN message it does two things: it starts sending a burst of CAN messages, up to 20 per second, and it activates the additional circuitry connected to its CAN transceiver. The burst of CAN messages carries a signal that a valid smart key is present, and the access control forwards this data to the engine management ECU on another bus.

Normally this would cause confusion on the control CAN bus, since the injected frames would clash with the real smart key messages and prevent the car-start message from getting through. This is where the device’s extra circuitry comes in: it changes how the CAN bus works so that the other ECUs cannot communicate on it, while the injector’s own controller can still listen to messages and send them.
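The two symptoms just described, a burst of spoofed key-status frames arriving far faster than normal and the other ECUs on that bus going quiet at the same moment, are exactly what a defender can look for in a CAN trace. The following is an added illustration, not code from the article or from Tabor and Tindell’s work: it runs a simple per-ID rate check over a constructed candump-style trace. The frame IDs 0x1F0 and 0x3A1, their normal periods and the trace itself are all hypothetical.

```python
from collections import Counter, defaultdict

CAMERA_HB = 0x1F0   # hypothetical camera-ECU heartbeat ID, normally 10 Hz
KEY_STATUS = 0x3A1  # hypothetical "smart key valid" status ID, normally 1 Hz

def build_sample_log():
    """Constructed candump-style trace (not real vehicle traffic): 2 s of normal
    traffic, then 1 s in which KEY_STATUS is flooded at 20 Hz and the camera is silent."""
    lines = []
    for tick in range(60):                     # 50 ms ticks, 3 s in total
        t = tick * 0.05
        if t < 2.0:
            if tick % 2 == 0:                  # 10 Hz heartbeat
                lines.append(f"({t:.2f}) can0 {CAMERA_HB:03X}#00")
            if tick % 20 == 0:                 # 1 Hz key status
                lines.append(f"({t:.2f}) can0 {KEY_STATUS:03X}#01")
        else:                                  # injection phase
            lines.append(f"({t:.2f}) can0 {KEY_STATUS:03X}#01")
    return "\n".join(lines)

def parse(log):
    """Turn '(ts) iface ID#DATA' lines into (timestamp, arbitration id) tuples."""
    frames = []
    for line in log.splitlines():
        ts, _iface, payload = line.split()
        frames.append((float(ts.strip("()")), int(payload.split("#")[0], 16)))
    return frames

def detect(frames, baseline_s=2.0, window_s=1.0, flood_factor=5.0):
    """Learn per-ID counts during the baseline; then, for every later window, flag IDs far
    above their learned rate ('flood') and baseline IDs that have vanished ('silent')."""
    base = Counter(i for t, i in frames if t < baseline_s)
    expected = {i: n * window_s / baseline_s for i, n in base.items()}
    windows = defaultdict(Counter)
    for t, i in frames:
        if t >= baseline_s:
            windows[int((t - baseline_s) // window_s)][i] += 1
    findings = []
    for w in sorted(windows):
        start = baseline_s + w * window_s
        for i, exp in expected.items():
            seen = windows[w][i]
            if seen > flood_factor * exp:
                findings.append(("flood", i, start, seen))
            elif seen == 0:
                findings.append(("silent", i, start, seen))
    return findings
```

On the constructed trace, `detect(parse(build_sample_log()))` reports a flood of 0x3A1 and the silence of 0x1F0 in the window starting at 2.0 s; on a real vehicle the baseline would be learned from known-good traffic rather than from the first seconds of the capture.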

The speaker has a Play button on the casing wired to the chip that activates everything. When pressed, the stream of CAN messages changes slightly, instructing the door ECU to unlock the doors. The thieves can then unhook the CAN injector, get into the car and drive off. Tabor and Tindell have designed two defences that they say can stop CAN injection attacks. Tindell has notified Toyota of them so that they can be used to prevent car theft, but has not yet received a response.
