Car thieves have come up with another way to steal your car, and this one is pretty creative. We’ll refer to this as “headlight hacking,” but as Dr. Ken Tindell of Canis Automotive Labs describes in his extensive and technical blog post, it’s a bit more complicated than that.
This keyless car theft method starts at your car’s headlight module, but thieves have chosen this entry point only because it gives them the easiest access to the vehicle’s CAN bus. For those unfamiliar, a vehicle’s CAN bus is the network over which the many ECUs in a modern vehicle communicate with each other. Thieves are using this central nervous system to their advantage with an attack called “CAN injection”.
Someone has developed a tool (disguised as a JBL Bluetooth speaker and sold on the dark web) that, when connected to a vehicle’s control CAN bus, can impersonate the vehicle’s key fob. The vehicle used as an example is a current generation Toyota RAV4, but it is vital to note that this vulnerability is not specific to any particular OEM or model – this is an industry-wide problem at this time. Thieves are removing bumpers and trim from a vehicle, allowing them access to the CAN bus near the headlight connector. Most of a vehicle’s CAN wiring is hidden inside the car, but because modern headlights are so smart these days, they require their own ECUs, meaning they are connected to the whole car’s CAN bus.
Once thieves find the right wires to tap, the theft device does the work for them. A simple “play” button on the fake JBL speaker injection tool is programmed to tell the door ECU to unlock the doors, as if you had the actual car key in your hand. Start the vehicle in the same way and a thief can simply drive off with your car without ever coming into contact with the vehicle’s actual key fob.
What can a car owner do?
As of the publication of this article, there is no great defense against this type of theft. As for the good news, a thief trying to steal a car this way will have to do some real work to get it. Ripping off the body panels takes time, and so does finding the right wires in the car. Basically, a thief would have to have uninterrupted access to your vehicle in a private area for it to work. In addition, Tindell suggests that there are possible solutions to the problem.
The initial solution he suggests automakers develop would be a software update that recognizes the pattern of traffic this injection tool sends on the CAN bus. That could frustrate the tool in the short term, but Tindell believes thieves will find a way around it in the long run. As for a permanent solution, Tindell believes a “zero trust” approach to CAN bus systems is the only way forward. Each message from one ECU to another should be encrypted and carry authentication codes that cannot be forged. Also, each ECU should be equipped with secret keys and each car should carry its own secret keys, so that a universal key extractor cannot be built. The development of such a security system would require considerable time and effort on the part of a vehicle manufacturer.
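The short-term detection idea above, as an added example that is not from the article or from Canis Automotive Labs: a small monitor that learns the normal period of each CAN ID from clean traffic and then flags frames of that ID arriving far too early, on the assumption (mine, not the article’s) that an injection tool transmits its frames on top of the legitimate ECU’s periodic ones. The candump-style log lines, the CAN ID 0x2A0 and its payloads are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed candump-style lines "(timestamp) iface ID#DATA"; not real vehicle traffic.
# 0x2A0 is a hypothetical status frame sent every 100 ms by exactly one ECU.
BASELINE = """\
(1000.000) can0 2A0#0100
(1000.100) can0 2A0#0100
(1000.200) can0 2A0#0100
(1000.300) can0 2A0#0100
(1000.400) can0 2A0#0100
"""

# Same ID, but a second node starts sending it every few ms alongside the real ECU.
SUSPECT = """\
(1001.000) can0 2A0#0100
(1001.004) can0 2A0#0300
(1001.008) can0 2A0#0300
(1001.012) can0 2A0#0300
(1001.100) can0 2A0#0100
"""

LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")

def parse(log):
    """Return (timestamp, can_id, data_hex) tuples from candump-style text."""
    frames = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), m["data"].upper()))
    return frames

def learn_periods(frames):
    """Median inter-arrival time per CAN ID, learned from known-clean traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items() if g}

def find_injection(frames, periods, factor=0.25):
    """Flag frames of a learned periodic ID that arrive sooner than factor * period."""
    last, alerts = {}, []
    for ts, cid, data in frames:
        if cid in periods and cid in last and ts - last[cid] < periods[cid] * factor:
            alerts.append((ts, cid, data))
        last[cid] = ts
    return alerts
```

The three extra 0x2A0 frames in SUSPECT are flagged while the legitimate 100 ms frames pass; a real deployment would also need to tolerate event-triggered IDs, which have no fixed period.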
We spoke to some security experts at VOXX Electronics, which is both an OEM supplier and an aftermarket option for vehicle security systems, to get some perspective on this issue and what might work to defend against it. Both VP of Marketing Jonathan Frank and Security Product Manager Chris Libardi tell us that CAN bus-style attacks are nothing new in the automotive space.
“Whatever they’re called outside, hacks aren’t new,” Libardi tells us. “They’ve been around for a dozen years. As long as CAN has been around, there have been ways to hack it.”
The problem that experts and the public see today is that CAN bus hacking is becoming easier because the CAN bus now extends to more accessible parts of the car, such as the headlight modules used in this vulnerability. Years ago, it was not so easy.
“To do CAN bus-style things, you needed to access the cables, which were internal, so you’d have to physically get into the vehicle to access them, get under the dash, get to a CAN network assembly of wires,” says Libardi. “It wasn’t that easy. Now it’s becoming more common because normally to do that you had to be very, very, very well educated and have a lot of expensive equipment, and have the actual CAN bus messaging and all that, which is what it would take to do something like this. It’s getting easier.”
Canis Automotive Labs’ Tindell suggests that people try to park their vehicle in places that don’t allow easy, uninterrupted access to their headlights. VOXX Electronics, meanwhile, recommends one of its aftermarket systems (the Viper DS4) as a theft deterrent, as it says thieves won’t be able to start the car with its system in place. CAN injection allows thieves to bypass an OEM system, and VOXX says a thief could still unlock the car’s doors with its system installed, but they’d have to find a way to hack the Viper system on top of that for the vehicle to start.
Of course, installing an aftermarket security system in your new car isn’t something most people want to do, but when it comes to OE solutions, the answers are short at the moment. We’ve reached out to a few different automakers for comment and to see what they might have to say about this new way to steal cars, and we’ll update this post when we hear back.
Finally, if you notice that someone has been tampering with the body panels near or around your headlights, you may want to contact the police, because a thief could be preparing to steal the car via CAN injection.
Frequently asked questions
How can I protect my keyless car from theft?
Thieves are likely to use relay theft to try to steal your keyless entry/push start car. Relay theft involves amplifying a key’s signal using a wireless transmitter to capture the signal and then transmit it to the vehicle. A car can be unlocked and started this way even if the physical key is nowhere near the car.
The best way to protect yourself here is to put your keys in a signal blocking box or bag when not in use. The Faraday bag is the best known blocker and will block the signal from your key because of the material it is lined with.
A less technologically advanced way to stop a thief is to use a steering wheel lock. Of course, a thief could hack such a device with the right tools, but it’s a great deterrent.
Can thieves unlock cars without a key?
If they use the relay attack described above on a vulnerable car, yes, a thief could unlock a car without a key. The CAN injection method described in this story is another way for a thief to unlock a car without the key or forced entry.
Are keyless cars harder to steal?
This is not a one-size-fits-all answer. Some cars with keyless entry could be easier to steal, because a thief can gain access and start the car using a relay attack. However, some new cars use Ultra Wide Band (UWB) technology, which is able to measure the distance a signal travels from the key to the car. In this case, a relay attack would fail, because the car would realize how far away the key is and refuse to unlock.
Why is it called CAN injection?
It is called CAN injection because the individual trying to steal the car does so through the vehicle’s CAN bus network. Modern vehicles have several CAN buses that link the many ECUs within a vehicle. By connecting their own theft device to the CAN bus, the thieves, in effect, inject themselves into the CAN network. This allows them to send messages that appear to come from one ECU to another and execute commands on the car as they wish.
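The reason injected frames work is that a plain CAN frame carries no proof of which ECU sent it. The zero-trust fix the article describes (per-car and per-ECU secret keys, and an unforgeable authentication code on every message) is shown below as an added example of my own, not code from the article, Canis Automotive Labs or any OEM: the 8-byte payload holds 2 bytes of data, a 2-byte freshness counter and a 4-byte truncated HMAC, and the receiving ECU rejects frames with a bad tag or a stale counter. The car secret, key-derivation scheme, CAN ID 0x0A1 and ECU names are all assumptions made for the example.

```python
import hmac
import hashlib
import struct

# Constructed per-car root secret; assumption: in a real design it lives in each ECU's
# secure hardware and is unique to that car, so extracting one car's key helps nowhere else.
CAR_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
MAC_LEN = 4   # 4 of the 8 CAN data bytes are spent on the tag (a design choice for the example)

def ecu_key(car_secret, ecu_name):
    """Derive a per-ECU key from the car's own secret (derivation scheme is an assumption)."""
    return hmac.new(car_secret, ecu_name.encode(), hashlib.sha256).digest()

def _tag(key, can_id, body):
    # The CAN ID is bound into the MAC so a valid frame cannot be replayed under another ID.
    return hmac.new(key, struct.pack(">H", can_id) + body, hashlib.sha256).digest()[:MAC_LEN]

def build_frame(key, can_id, data, counter):
    """8-byte CAN payload: 2 bytes data | 2 bytes counter | 4-byte truncated HMAC-SHA256."""
    body = struct.pack(">HH", data, counter)
    return body + _tag(key, can_id, body)

class Receiver:
    """Door-ECU side: knows the sender's key and the last accepted counter per CAN ID."""
    def __init__(self, sender_key):
        self.key = sender_key
        self.last_counter = {}

    def accept(self, can_id, frame):
        if len(frame) != 4 + MAC_LEN:
            return False
        body, tag = frame[:4], frame[4:]
        # Constant-time compare: a forged tag from a tool without the key fails here.
        if not hmac.compare_digest(tag, _tag(self.key, can_id, body)):
            return False
        _, counter = struct.unpack(">HH", body)
        # Freshness: a captured genuine frame replayed later fails here.
        # (16-bit counter wrap-around handling is omitted for brevity.)
        if counter <= self.last_counter.get(can_id, -1):
            return False
        self.last_counter[can_id] = counter
        return True
```

Encryption of the data bytes, which the article also calls for, would sit on top of this; the MAC alone already stops an unkeyed device from issuing an accepted "unlock" frame.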
What are CAN messages?
CAN messages, at a basic level, are signals sent from one ECU to another in a car via the CAN bus system.
Is there a workaround to avoid CAN injection?
There is no workaround to stop CAN injection on the OEM side. However, there are aftermarket solutions, like the Viper security system mentioned in this story. A thief could still open the car’s doors with that system installed, but Viper says they wouldn’t be able to start the car because of its security protocols.