Automotive security experts have uncovered a novel method for stealing cars by breaking into their control systems through a headlight.
The key (so to speak) is the controller area network (CAN) bus, the Internet of Things (IoT) protocol through which devices and microcontrollers in a vehicle communicate with one another. It’s basically the car's onboard, local communications network that cyberattackers can subvert to potentially stop and start the car, open doors and windows, play around with the radio, and much more.
While car hacking is hardly new, in a blog post published April 3, Ken Tindell, CTO of Canis Automotive Labs, described how attackers manipulated an electronic control unit (ECU) in a Toyota RAV4's headlight to gain access to its CAN bus, through which they were able to, ultimately, steal the vehicle. That's an approach that hasn't been seen before. Once connected via the headlight, they hacked their way into the CAN bus — responsible for functions like the parking brakes, headlights, and smart key — through a gateway and then into the powertrain panel, wherein lies the engine control.
This type of CAN injection will require manufacturers to rethink control network security in their vehicles, he warns.
"When you're a car engineer," Tindell tells Dark Reading, "you're trying to solve all sorts of problems: minimizing the wiring, reliability, cost. You're not thinking 'cyber, cyber, cyber' all the time."
"We're not wired that way," he says. "Forgive the pun."
Cyber Theft Auto
On April 24 last year, Ian Tabor woke up to find that his Toyota RAV4's front bumper and left headlight had been manhandled, while it was parked out on the street in London.
No fcuking point having a nice car these days, came out early to find the front bumper and arch trim pulled off and even worse the headlight wiring plug had been yanked out, it definitely wasn't an accident, kerb side and massive screwdriver mark. Breaks in the clips etc. Cts pic.twitter.com/7JaF6blWq9 — Ian Tabor (@mintynet) April 24, 2022
One month later, those same areas of the car were again obviously tampered with. Tabor didn't realize the full scope of the sabotage until it was too late.
One day, the vehicle was gone.
I know what they were doing, the car is gone! My @ToyotaUK app shows it's in motion. I only filled the tank last night. FCUK! https://t.co/SWl8PcmfZJ — Ian Tabor (@mintynet) July 21, 2022
Tabor, it should be noted, is an automotive security consultant. The irony was not lost on Tabor's friend, Tindell. "When I first read his tweet, I thought: Someone's making a point," he says. "But no, not at all."
Tindell, it turned out, was in a unique position to help. He'd helped develop the first CAN-based platform for Volvo vehicles — an experience applicable to the situation given that the CAN proved to be the RAV4's key weakness.
How Hackers Typically Steal Cars
To break into a modern vehicle, the key is usually … the key.
"The car is defended with the key," Tindell explains. "The wireless key is a perimeter defense. It talks to an engine control unit (ECU), which asks: 'Are you the real key?' The key responds: 'Yeah.' Then the message goes to the engine immobilizer: 'OK, the owner's here with the key.'"
To breach this line of communication, thieves have historically opted for so-called "relay attacks." Using a handheld radio relay station, attackers can beam a car's authentication request to its associated smart key, presumably lying in a nearby home. The key responds, and the car accepts the message because it is, in the end, valid.
Attuned to this, manufacturers now commonly design keys to go to sleep after a few minutes of inaction. Owners with keys that don't go to sleep can store them inside of a radio-impenetrable metal box.
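The relay scenario and the sleep countermeasure described above, modeled as an added example that is not from the article or from Tindell's research. It is a toy HMAC challenge-response in Python; the class names, the shared-secret scheme and the 180-second sleep threshold are assumptions for illustration, not any manufacturer's design.

```python
import hashlib
import hmac
import os

SLEEP_AFTER_S = 180  # assumed threshold: key sleeps after 3 minutes without motion


class SmartKey:
    """Toy key fob: answers a challenge with an HMAC over a shared secret."""

    def __init__(self, secret, sleep_when_idle):
        self.secret = secret
        self.sleep_when_idle = sleep_when_idle
        self.last_motion = 0.0  # time (seconds) the key was last moved

    def respond(self, challenge, now):
        # A sleeping key stays silent, so a relay has nothing to forward.
        if self.sleep_when_idle and now - self.last_motion > SLEEP_AFTER_S:
            return None
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Car:
    """Toy ECU: issues a fresh challenge and verifies the response."""

    def __init__(self, secret):
        self.secret = secret

    def unlock(self, channel, now):
        challenge = os.urandom(16)
        response = channel(challenge, now)
        if response is None:
            return False
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        # The check proves knowledge of the secret, not physical proximity.
        return hmac.compare_digest(response, expected)


def relay(key):
    """Radio relay: forwards bytes unchanged and never learns the secret."""
    return lambda challenge, now: key.respond(challenge, now)


def simulate(sleep_when_idle, idle_seconds):
    """Return True if the car unlocks when the exchange is carried over a relay."""
    secret = os.urandom(32)  # constructed sample secret
    key = SmartKey(secret, sleep_when_idle)
    return Car(secret).unlock(relay(key), now=idle_seconds)
```

The relayed response verifies because the car checks only that the answer is cryptographically valid; the idle-sleep rule closes the window once the key has been stationary longer than the threshold.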
Other attack types include subverting mobile apps, and making use of flaws in the infotainment systems of cars — the latter of which became a lightning rod for reform after the famed hack of the 2014 Jeep Cherokee by Charlie Miller and Chris Valasek in 2015. In that case, the discovery of a wide open cellular communications port 6667 ultimately led to their ability to control the Jeep's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.