Date: 2023-04-17

Car thieves will probably persist until the end of time (or the end of the automobile, whichever comes first). They’ll try anything from smashing a window and manually unlocking a door to high-tech hacking devices from the dark web that digitally unlock a car.

The latest example of the latter is really quite ingenious, if it weren’t also inherently awful. It involves a device disguised as a JBL speaker and ripping away the front bumper and headlight of a vehicle. In the case of Ian Tabor, a UK-based cybersecurity and car hacking expert, it was his own Toyota RAV4 under siege. Given his background, it didn’t take much to get him investigating what had happened.

He traced it to a vulnerability affecting 2021 Toyota RAV4s: the electronic control units (ECUs) on the car’s controller area network (CAN) bus automatically trust messages from other ECUs. A physically proximate attacker can pull the bumper away, reach the headlight connector, tap the CAN bus there and send forged "key is validated" messages, ultimately unlocking, starting and driving the vehicle. Those messages are normally put on the bus by the car’s own smart key controller once it has authenticated the key fob over radio; the fob itself never talks on the CAN bus.

[Image (Stuff): There are far more subtle ways of stealing a car than smashing a window.]

After more research, Tabor discovered that other ECUs in the RAV4 had logged faults at the same time as the CAN bus errors. One of these was the headlight ECU, whose connector the crooks were using as their entry point to the CAN bus.

Further probing led Tabor down a rabbit hole of YouTube, the dark web and other sources before he landed on an “emergency start device” for sale, marketed for use by owners, workshops or locksmiths when a key is lost or stolen. As you might suspect, these devices were instead being used to steal vehicles.

Tabor bought one disguised as a JBL speaker advertised as being able to start myriad Toyota and Lexus vehicles and, with help from friend and fellow automotive security expert Ken Tindell, managed to reverse engineer it and figure out how it worked.

Earlier relay attacks worked by extending the range of the faint radio exchange between a car and its key fob. Thieves would use a pair of devices to carry the car’s signal well beyond the usual metre or two, to a fob inside a nearby house. Believing it was next to the car, the fob would answer, and the car would unlock and start.

As this technique became known, people began keeping their keys in metal boxes or pouches that block the radio messages. Carmakers also began putting fobs to sleep after a few minutes without motion, so that they stop responding to radio messages.

[Image (supplied): A modern car is always "looking" for its key fob, and that constant polling is what relay attacks exploit.]

Now though, in a bid to keep stealing cars, thieves have figured out how to essentially bypass the entire smart key system. Tindell calls it “CAN injection.”

According to Tindell’s blog post on the incident, the theft device is designed to physically connect to the vehicle’s CAN bus. The easiest place to reach it on a RAV4 – and, presumably, on other vehicles – is the headlight connector, because the headlight ECU sits on that bus.

“Other access would be possible: even punching a hole in a panel where the twisted pair of CAN wires goes past, cutting the two wires, and splicing in the CAN Injector would also work, but the diminished value of a car with a hole in it means thieves take the easiest route (Ian’s sleuthing found that mostly these cars are destined for export, sent via shipping container to places in Africa).”

[Image (Ken Tindell via GitHub): The seemingly innocuous 'speaker' hiding the CAN injector.]

When the injector is connected and switched on, it listens for a particular message from the vehicle, then sends a burst of ‘smart key is valid’ messages (about 20 per second).

Interestingly, Tindell says that on its own this would not reliably work, because the injected traffic would collide with genuine traffic on the bus: “messages from the real smart key controller would clash with the imposter messages from the CAN Injector, and this could prevent the gateway from forwarding the injected message.”

To get around that, an extra circuit in the device changes the electrical state of the CAN bus so that the other ECUs on it cannot transmit, while the gateway ECU can still listen and forward the injected messages so the car can be started. The whole thing takes under two minutes.

“The burst repeats 20 times a second because the setup is fragile, and sometimes the gateway is not listening because its CAN hardware is resetting itself (because it thinks that being unable to talk is an indication of a fault - which in a way it is).”

Tabor and Tindell have designed two defenses against CAN injection attacks and notified Toyota, but have yet to receive a response.
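To make the mechanism concrete, here is a small Python simulation, added to this page as an illustration and not code from Tabor, Tindell or Toyota. It models one CAN segment with a smart key ECU, a gateway and an injector spliced in at the headlight: the injector waits for a trigger frame, then bursts "key valid" frames at 20 per second; with the lockout circuit off, its frames collide with the genuine smart key controller's and are lost, and with it on the gateway receives every one. The CAN IDs, payload layout, timings and shared key are made up for the example. The two checks built into the simulated gateway, a plausibility limit on how often "key valid" may be asserted and a truncated HMAC with a counter over the message, are generic illustrations of what a gateway can do, not the two defenses Tabor and Tindell designed, which the page does not describe.

```python
"""Toy model of the CAN injection attack described above and of two gateway-side
checks against it. Added example, not code from Tabor, Tindell or Toyota: the CAN
IDs, payload layout, timings and shared key are assumptions, not RAV4 values."""
import hashlib, hmac
from collections import Counter, deque
from dataclasses import dataclass

ID_TRIGGER = 0x120     # assumed: the frame the injector waits for before it fires
ID_KEY_STATUS = 0x3A2  # assumed: smart-key ECU status; data[0] == 1 means "key valid"
SHARED_KEY = b"assumed key shared by the smart-key ECU and the gateway"


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes
    src: str  # simulation bookkeeping only: a real CAN frame names no sender


def tag(flag: int, counter: int) -> bytes:
    """4-byte truncated HMAC over ID, flag and a monotonic counter (freshness)."""
    msg = ID_KEY_STATUS.to_bytes(2, "big") + bytes([flag]) + counter.to_bytes(3, "big")
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:4]


def key_status_frame(flag: int, counter: int, src: str) -> Frame:
    """Authenticated 8-byte payload: flag | 24-bit counter | 32-bit tag."""
    data = bytes([flag]) + counter.to_bytes(3, "big") + tag(flag, counter)
    return Frame(ID_KEY_STATUS, data, src)


def arbitrate(pending):
    """Classic CAN: lowest ID wins; same ID with different data destroys both frames."""
    if not pending:
        return None
    low = min(f.can_id for f in pending)
    same = [f for f in pending if f.can_id == low]
    return same[0] if len({f.data for f in same}) == 1 else None


class Gateway:
    """Forwards body-bus frames onward; with both checks off it is the trusting gateway."""

    def __init__(self, rate_check=False, mac_check=False, max_valid_per_sec=2):
        self.rate_check, self.mac_check = rate_check, mac_check
        self.max_valid_per_sec = max_valid_per_sec  # assumed legitimate ceiling
        self.recent_valid = deque()  # ms timestamps of recent "key valid" claims
        self.last_counter = -1
        self.forwarded, self.dropped = [], []

    def receive(self, frame, now_ms):
        if frame is None:
            return
        if frame.can_id == ID_KEY_STATUS:
            flag, ctr = frame.data[0], int.from_bytes(frame.data[1:4], "big")
            if self.rate_check and flag == 1:  # a burst of "key valid" is implausible
                self.recent_valid.append(now_ms)
                while now_ms - self.recent_valid[0] >= 1000:
                    self.recent_valid.popleft()
                if len(self.recent_valid) > self.max_valid_per_sec:
                    self.dropped.append(("rate", frame))
                    return
            if self.mac_check:  # forged tag or reused counter
                if not hmac.compare_digest(frame.data[4:8], tag(flag, ctr)):
                    self.dropped.append(("bad_mac", frame))
                    return
                if ctr <= self.last_counter:
                    self.dropped.append(("replay", frame))
                    return
                self.last_counter = ctr
        self.forwarded.append(frame)


def simulate(gateway, lockout, replay_data=None, end_ms=2000, step_ms=50):
    """One segment: smart-key ECU ("key absent" heartbeat every 100 ms), a body ECU
    sending the trigger at t=0, the gateway, and an injector bursting "key valid"
    at 20/s once armed. lockout = the extra circuit silencing every other transmitter."""
    counter, armed = 8, False
    for t in range(0, end_ms + 1, step_ms):
        pending = [Frame(ID_TRIGGER, b"\x00", "body_ecu")] if t == 0 else []
        if t % 100 == 0:
            pending.append(key_status_frame(0, counter, "smart_key_ecu"))
            counter += 1
        if armed:  # first frame may replay a captured genuine one, the rest are forged
            data = replay_data if (replay_data and t == step_ms) else b"\x01" + bytes(7)
            pending.append(Frame(ID_KEY_STATUS, data, "injector"))
            if lockout:
                pending = [f for f in pending if f.src == "injector"]
        on_bus = arbitrate(pending)
        armed = armed or (on_bus is not None and on_bus.can_id == ID_TRIGGER)
        gateway.receive(on_bus, t)
    return gateway


def key_valid_forwarded(gateway) -> int:
    """How many "key valid" claims the gateway passed on."""
    return sum(f.can_id == ID_KEY_STATUS and f.data[0] == 1 for f in gateway.forwarded)


def drop_reasons(gateway) -> dict:
    return dict(Counter(why for why, _ in gateway.dropped))
```

Running the scenarios shows the caveat a practitioner would raise against rate limiting alone: the plain gateway forwards every injected frame, the rate check still lets the first two "key valid" claims through, which is all a thief needs, and only the authenticated message with a counter rejects both the forged burst and a replayed genuine frame. On a real classic CAN bus the 8-byte payload leaves room for only a short tag, so the truncation is a genuine trade-off.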

Toyota New Zealand reached out to Stuff confirming that it is not aware of any customers being affected by this in our market.