Yes, You CAN Steal This Car — by Opening the Fender

Toyota RAV4 and many others vulnerable to CAN bus injection attack. Cars need zero-trust too.

Thieves are prising open the front fenders of cars, just below the headlight. The idea is to get at the car’s data bus, known as CAN.

Then the scrotes can spoof the keyless ignition. In today’s SB Blogwatch, we bemoan lousy vehicle security design.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Uncensored footage of President Roosevelt walking with a stick.

Car Makers: CAN You Not?

What’s the craic? Rob Stumpf reports—“Stealing Cars by Injecting Code Into Headlight Wiring”:

Ordinary portable speaker
Shadetree hackers … have found a new way to steal cars. [The] thieves are performing a modern take on hot-wiring without ever ripping apart the steering column. Crafty criminals … simply plug into the wiring harness … unlock, start, and drive away.

[On] the dark web [they buy] tools claiming to work for various automakers and models, including BMW, Cadillac, Chrysler, Fiat, Ford, GMC, Honda, Jeep, Jaguar, Lexus, Maserati, Nissan, Toyota [and] Volkswagen. [They’re] set up to inject fake CAN messages into the car’s actual CAN Bus network. The messages essentially tricked the car into thinking a trusted key was present, which convinced … the car to disable its immobilizer, unlock the doors, and … allow the thieves to drive away.

What’s more, is that the device simply looked like an ordinary portable speaker. The guts were stuffed inside the shell of a JBL-branded Bluetooth speaker. [It] emulates a hardware error which tricks other ECUs on the CAN network to stop sending messages so that the attacking device has priority to send its spoofed messages to CAN devices. … It then sends the spoofed “valid key present” messages to the gateway which makes the car think that an actual valid key is being used to control the vehicle.

But how do scrotes get at the CAN bus? Lindsay Clark has a “CAN do attitude”: [You’re fired—Ed.]

Scumbags
In a CAN injection attack, thieves access the network, and introduce bogus messages. … To gain this network access, the crooks can, for instance, break open a headlamp and use its connection to the bus to send messages.

The thieves broke into a front headlamp and tore out the wiring, and used those exposed connections to electrically access the CAN bus and send messages telling other parts of the system to basically give the miscreants the car. … As the automotive industry develops ever more sophisticated tech systems for their vehicles, scumbags find more inventive ways to abuse these systems for their own ends.

Horse’s mouth? Ian Tabor and Ken Tindell—“Keyless car theft”:

Zero Trust
This is a detective story about how a car was stolen — and how it uncovered an epidemic of high-tech car theft. … In April 2022, my friend Ian Tabor tweeted that vandals had been at his car, pulling apart the headlight and unplugging the cables. … A couple of days later … the car was gone. And it looks like the headlight was how it was stolen.

In the front of the RAV4 there is … an Electronic Control Unit (or ECU) … that controls the lights … (the days of there being a simple switch to turn on lights are long gone). … This is not something specific to Toyota … other manufacturers have car models that can be stolen in a similar way. … In most cars on the road today, these [CAN bus] messages aren’t protected: The receivers simply trust them.

The good news: A CAN Injector can be defeated … with a pure software fix [in] existing cars. … The proper solution to a CAN Injection attack is to adopt a Zero Trust approach … and the automotive industry have defined a standard … called Secure Hardware Extensions, or SHE.
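As an added illustration of the Zero Trust idea in the quote above (this is not Tindell's code, nor anything Toyota ships), here is a minimal Python model of authenticated CAN frames: the sending ECU appends a freshness counter and a truncated MAC to each 8-byte frame, and the gateway refuses any "valid key present" frame whose tag does not verify or whose counter is not newer than the last one accepted. The key, the arbitration ID and the 2/3/3-byte frame layout are constructed assumptions, and HMAC-SHA256 stands in for the hardware-backed MAC a SHE module would compute.

```python
import hashlib
import hmac
from collections import namedtuple

# Constructed, hypothetical values: a shared key held by the ECU that reports
# key status and by the gateway (in a real car it would sit in SHE-protected
# storage), and a made-up arbitration ID for the "valid key present" message.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
KEY_PRESENT_ID = 0x2A0

# 8-byte classic CAN payload: 2 bytes data | 3 bytes freshness counter | 3 bytes MAC tag
PAYLOAD_LEN, COUNTER_LEN, TAG_LEN = 2, 3, 3

CanFrame = namedtuple("CanFrame", "can_id data")  # 11-bit arbitration ID, <= 8 data bytes

def _tag(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over ID, counter and payload, truncated to TAG_LEN bytes."""
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(COUNTER_LEN, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

class AuthSender:
    """Sending ECU: appends a fresh counter and a tag to every frame."""
    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def build(self, can_id: int, payload: bytes) -> CanFrame:
        if len(payload) != PAYLOAD_LEN:
            raise ValueError("payload must be %d bytes" % PAYLOAD_LEN)
        self.counter += 1
        tag = _tag(self.key, can_id, self.counter, payload)
        return CanFrame(can_id, payload + self.counter.to_bytes(COUNTER_LEN, "big") + tag)

class AuthReceiver:
    """Gateway: accepts a frame only if its tag verifies and its counter is
    strictly newer than the last accepted one, so replayed frames are refused."""
    def __init__(self, key: bytes) -> None:
        self.key, self.last_counter = key, 0

    def accept(self, frame: CanFrame) -> bool:
        if len(frame.data) != PAYLOAD_LEN + COUNTER_LEN + TAG_LEN:
            return False                       # malformed frame (e.g. a bare legacy frame)
        payload, rest = frame.data[:PAYLOAD_LEN], frame.data[PAYLOAD_LEN:]
        counter = int.from_bytes(rest[:COUNTER_LEN], "big")
        if counter <= self.last_counter:
            return False                       # replayed or stale frame
        if not hmac.compare_digest(rest[COUNTER_LEN:], _tag(self.key, frame.can_id, counter, payload)):
            return False                       # injected frame from a device without the key
        self.last_counter = counter
        return True
```

The receiver must persist `last_counter` across power cycles (or resynchronise it securely), otherwise a recorded frame becomes replayable after a restart.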

That’s ridiculous! What was Toyota thinking? Yeah, but no, recalls Tony Isaac:

This is kind of like how, in the early internet, every device simply trusted every other device. You know, like how until recently, SMTP simply relayed emails without so much as authentication. Or like how SSL used to be thought of as optional.

That explanation doesn’t wash with 43300:

Which really shouldn’t have happened. With early network pioneers it’s understandable as there was no precedent for what they were creating, but in this case it’s just a new type of network.

Experience shows that networks will always get targeted for nefarious purposes, so security should have been a core consideration of the design. It doesn’t take a great deal of imagination to think up scenarios which might get attempted, and attempt to block [or] mitigate them at the design stage.

Why the heck do headlights need CAN bus? PragmaticPulp explains:

The value in CAN bus control is that you can significantly reduce the wiring. … Old school blinkers and headlights … require separate power wires for every function: Blinker, low beams, high beams. Those separate wires would each be snaked through long wiring harnesses back to relays somewhere else. … With CAN, you can run a single large gauge power and ground pair and use the CAN bus to tell the remote module what to do with tiny signal wires.

Cars have a lot of electronic pieces all over. Simplifying wiring can add up to a significant weight and cost reduction. You now also have the ability to add more monitoring, such as simple sensors to detect when a bulb has failed. Vehicle manufacturing is ruthlessly optimized. Vehicle manufacturers wouldn’t add complexity to common systems if it didn’t pay off.

As does Xenocrates:

Adaptive headlights that track with steering enhance visibility and reduce blinding. Self leveling and matrix systems ensure light gets on the road, not in the eyes of other drivers.

A fair amount of the advances in car design were made for a good reason—including electronically controlled lights—so you neo-luddites who want to drop every feature you don’t understand can stick with your old cars, and the rest of us can enjoy the fruits of technological advance.

However, darthspartan117 sees the oint in the flyment:

If every device needs to check in with the controller first, the speeds get severely compromised. … In operating a 4000+lbs vehicle, getting close to real time data is crucial.

Meanwhile, Iain Cunningham is fed up of reading ignorant hot takes, so adds his own:

This wouldn’t happen if cars used blockchain.

And Finally:

FDR walking (skip to 2:09 if in a hurry)


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: harry_nl (cc:by-nc-sa; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
