The CAN Injection Hack is used by thieves to steal cars
Following the theft of Ian Tabor’s 2021 Toyota RAV4 last year, two automotive cybersecurity specialists, Ken Tindell, CTO of Canis Automotive Labs, and Ian Tabor, of the EDAG Group, began researching these attacks.
The car was stolen after Tabor had discovered, on two separate occasions, that someone had disconnected the cables from his headlamp and disassembled it. What at first glance appeared to be vandalism was later found to be part of an attempt to steal the car.
To be more precise, the thieves removed the bumper and unplugged the headlight cables in an effort to get to wires related to the electronic control unit (ECU) in charge of the car’s smart key.
The hacking tools used in such thefts are sometimes marketed as “emergency start” devices for car owners who have misplaced their keys or for automotive locksmiths. They can be purchased on dark web sites for up to €5,000 ($5,500) each. In the device made for Toyota automobiles, the electronics for hacking the vehicle are concealed inside a Bluetooth speaker case.
To understand how such a CAN injection device functions, the researchers examined diagnostics data from Tabor’s stolen RAV4.
Modern cars contain multiple ECUs, each in charge of a distinct function, including the smart key that unlocks and starts the car, climate control, telematics, cameras, and headlights. The ECUs are linked to one another through controller area network (CAN) buses.
The attacker does not need a direct connection to the smart key ECU. As long as the headlight and the smart key ECU are on the same CAN bus, the attacker can instead reach the smart key ECU through cables attached to other devices, such as the headlight.
The attacker attaches the hacking device to the headlight wiring in order to inform the smart key receiver ECU that the key has been validated.
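The following Python model of the shared-bus problem described above is an added example, not code from the researchers or from Toyota. It shows that a receiver on a shared CAN bus sees only a frame's ID, never its origin, and how a gateway that filters by ingress segment changes the outcome. The CAN IDs, class names and the gateway allowlist are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Constructed IDs for illustration; not real vehicle CAN identifiers.
KEY_VALIDATED_ID = 0x123
HEADLIGHT_STATUS_ID = 0x456

@dataclass(frozen=True)
class Frame:
    can_id: int   # arbitration ID; a classic CAN frame carries no sender field
    data: bytes

class Bus:
    """One CAN segment: every frame is broadcast to all attached receivers."""
    def __init__(self, name):
        self.name, self.receivers = name, []
    def send(self, frame):
        for receive in self.receivers:
            receive(self, frame)

class SmartKeyReceiverECU:
    """Hypothetical receiver that trusts any 'key validated' frame it sees."""
    key_validated = False
    def on_frame(self, bus, frame):
        if frame.can_id == KEY_VALIDATED_ID:
            self.key_validated = True

class Gateway:
    """Forwards a frame only if (ingress segment, ID) is on the allowlist."""
    def __init__(self, src, dst, allow):
        self.dst, self.allow, self.dropped = dst, allow, []
        src.receivers.append(self.on_frame)
    def on_frame(self, bus, frame):
        if (bus.name, frame.can_id) in self.allow:
            return self.dst.send(frame)
        self.dropped.append((bus.name, frame.can_id))  # keep for alerting

def flat_bus():
    """Headlight wiring and smart key ECU on the same bus, as described above."""
    bus, ecu = Bus("shared"), SmartKeyReceiverECU()
    bus.receivers.append(ecu.on_frame)
    bus.send(Frame(KEY_VALIDATED_ID, b"\x01"))  # origin is invisible to the ECU
    return ecu.key_validated

def segmented_bus():
    """Headlight on its own segment behind a filtering gateway (assumed design)."""
    exterior, secure, ecu = Bus("exterior"), Bus("secure"), SmartKeyReceiverECU()
    secure.receivers.append(ecu.on_frame)
    gw = Gateway(exterior, secure, {("exterior", HEADLIGHT_STATUS_ID)})
    for can_id in (HEADLIGHT_STATUS_ID, KEY_VALIDATED_ID):
        exterior.send(Frame(can_id, b"\x01"))
    return ecu.key_validated, gw.dropped
```

The list of dropped frames doubles as a detection signal: a key-validation ID arriving on an exterior segment has no legitimate source there.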
Similar hacking tools used by auto thieves are available for purchase for vehicles from a variety of manufacturers, including BMW, GMC, Cadillac, Chrysler, Ford, Honda, Jaguar, Jeep, Maserati, Nissan, Peugeot, Renault, and Volkswagen.
Although it’s not a true vulnerability disclosure, the researchers did report their results to Toyota, but they didn’t have much success. They contend, however, that all automakers should read their study and take precautions to guard against CAN injection attacks. The paper, which was made public this week, includes some recommendations that manufacturers might use to stop these kinds of attacks.
The hack of the Toyota RAV4 was eventually given a CVE number by the security experts, CVE-2023-29389.
Author: Sanghamitra Sethy