Thieves are now stealing cars via a headlight 'CAN injection'
Car thieves have come up with yet another way to steal your car, and this one is rather creative. We’ll refer to it as "headlight hacking," but as Dr. Ken Tindell of Canis Automotive Labs describes in his extensive and technical blog post, it's a bit more complicated than that.
This method of keyless car theft begins at your car's headlight module, but thieves have chosen this point of entry only because it offers the easiest way to hook into a vehicle's CAN bus. For those unfamiliar, the CAN bus is the network over which the numerous ECUs throughout a modern vehicle communicate with each other. Thieves are using this central nervous system to their advantage by executing an attack referred to as "CAN injection."
Someone has developed a tool (disguised as a JBL Bluetooth speaker and sold on the dark web) that, when wired into a vehicle's control CAN bus, can impersonate the vehicle's key fob. The vehicle used as an example is a current-generation Toyota RAV4, but it's vital to note that this vulnerability is not specific to any particular OEM or model; this is an industry-wide problem at the moment. Thieves are pulling bumpers and trim pieces away from a vehicle, which gives them access to the CAN bus wiring near the headlight connector. Much of a vehicle's CAN bus wiring is hidden deep inside the car, but modern headlights are so smart that they require their own ECUs, which means they're wired into the same CAN bus as the rest of the car.
Once thieves find the correct wires to tap into, the theft device does the work for them. A simple "play" button on the fake JBL speaker injection tool is programmed to instruct the door ECU to unlock the doors, as though you have the actual key to the car in your hand. You turn the vehicle on in a similar fashion, and a thief can simply drive away with your car without ever coming into contact with the vehicle's actual key fob.
As of this article's publishing, there isn't a great defense against this sort of theft. On the good news front, a thief trying to steal a car this way will need to do some real work to get it. Ripping off body panels takes time, and so does wiring into the car. Basically, a thief would need uninterrupted access to your vehicle in a private area to make it work. Additionally, Tindell suggests that fixes for the problem are possible.
The initial fix he suggests automakers roll out would be a software update that recognizes the kind of CAN bus traffic this injection tool produces. This could thwart the tool in the short term, but Tindell believes that thieves will find a way around it in the long term. As for a permanent fix, Tindell believes that a "Zero Trust" approach to CAN bus systems is the only way to go. Every message from one ECU to another would need to be encrypted and carry authentication codes that can't be spoofed. Additionally, every ECU would need to be equipped with secret keys, and every car would need to carry its own secret keys to prevent a universal key extractor from being created. Developing such a security system would take considerable time and effort from a vehicle manufacturer.
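To make the "authentication codes that can't be spoofed" idea concrete, here is an added example written for this article (it is not code from Canis Automotive Labs, Toyota or any supplier, and it covers authentication only, not the encryption Tindell also calls for). It models a sending ECU and a receiving door module that share a per-vehicle secret: each 8-byte classic CAN data field carries a 3-byte payload, the low byte of a freshness counter and a 4-byte truncated HMAC-SHA256 tag, a layout loosely following the counter-plus-truncated-MAC pattern of automotive SecOC schemes. The CAN identifier 0x1A2, the "unlock" payload, the frame layout and the vehicle key are all constructed for illustration, as is the freshness window.

```python
import hmac
import hashlib

# Frame layout for a classic 8-byte CAN data field (constructed for this
# example, loosely following a freshness-counter-plus-truncated-MAC pattern):
#   bytes 0-2  application payload
#   byte  3    low byte of a 32-bit freshness counter
#   bytes 4-7  truncated HMAC-SHA256 tag
PAYLOAD_LEN, CTR_LEN, MAC_LEN = 3, 1, 4
CTR_WINDOW = 32  # how far beyond the last accepted counter a frame may be

# Hypothetical CAN identifier for the door-unlock command (not from the article).
ID_DOOR_UNLOCK = 0x1A2
UNLOCK_CMD = b"\x01\x00\x00"  # constructed payload meaning "unlock all doors"


class AuthError(Exception):
    """Raised when a frame fails the freshness or MAC check."""


def derive_link_key(vehicle_key: bytes, can_id: int) -> bytes:
    """Derive a per-CAN-ID key from the per-vehicle secret, so no two cars
    (and no two message types) share a MAC key."""
    info = b"can-link-key:" + can_id.to_bytes(2, "big")
    return hmac.new(vehicle_key, info, hashlib.sha256).digest()


def compute_tag(link_key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """The tag covers the ID, the full 32-bit counter and the payload,
    then is truncated so it fits in the frame."""
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(4, "big") + payload
    return hmac.new(link_key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    """An ECU that emits authenticated frames, e.g. the body controller
    acting on a validated key-fob request."""

    def __init__(self, vehicle_key: bytes, can_id: int):
        self.can_id = can_id
        self.link_key = derive_link_key(vehicle_key, can_id)
        self.counter = 0

    def build_frame(self, payload: bytes) -> bytes:
        if len(payload) != PAYLOAD_LEN:
            raise ValueError("payload must be exactly %d bytes" % PAYLOAD_LEN)
        self.counter += 1
        tag = compute_tag(self.link_key, self.can_id, self.counter, payload)
        return payload + bytes([self.counter & 0xFF]) + tag


class Receiver:
    """An ECU (e.g. the door module) that acts only on frames whose tag
    verifies under the shared per-vehicle key and whose counter is fresh."""

    def __init__(self, vehicle_key: bytes, can_id: int):
        self.can_id = can_id
        self.link_key = derive_link_key(vehicle_key, can_id)
        self.last_counter = 0

    def _reconstruct_counter(self, low_byte: int) -> int:
        # Only the low byte travels on the bus; rebuild the full value as the
        # smallest counter above the last accepted one that has this low byte.
        candidate = (self.last_counter & ~0xFF) | low_byte
        if candidate <= self.last_counter:
            candidate += 0x100
        return candidate

    def verify(self, data: bytes) -> bytes:
        if len(data) != PAYLOAD_LEN + CTR_LEN + MAC_LEN:
            raise AuthError("bad frame length")
        payload = data[:PAYLOAD_LEN]
        counter = self._reconstruct_counter(data[PAYLOAD_LEN])
        tag = data[PAYLOAD_LEN + CTR_LEN:]
        if counter - self.last_counter > CTR_WINDOW:
            raise AuthError("counter outside freshness window")
        expected = compute_tag(self.link_key, self.can_id, counter, payload)
        if not hmac.compare_digest(expected, tag):
            raise AuthError("MAC mismatch")
        self.last_counter = counter  # advance only after a successful check
        return payload


def run_scenarios(vehicle_key: bytes = b"constructed-per-vehicle-secret") -> dict:
    """Exercise the scheme with a genuine frame, a replay of it, and a frame
    injected by a node that does not hold the vehicle key."""
    results = {}
    body = Sender(vehicle_key, ID_DOOR_UNLOCK)
    door = Receiver(vehicle_key, ID_DOOR_UNLOCK)

    genuine = body.build_frame(UNLOCK_CMD)
    results["genuine"] = door.verify(genuine) == UNLOCK_CMD

    try:  # the same bytes again: the counter is no longer fresh
        door.verify(genuine)
        results["replay_rejected"] = False
    except AuthError:
        results["replay_rejected"] = True

    # Injected frame with the right ID, payload and next counter byte, but a
    # tag the injector cannot compute without the key (all zeros here).
    forged = UNLOCK_CMD + bytes([(door.last_counter + 1) & 0xFF]) + b"\x00" * MAC_LEN
    try:
        door.verify(forged)
        results["forgery_rejected"] = False
    except AuthError:
        results["forgery_rejected"] = True

    # The door module still accepts the next legitimate command afterwards.
    results["next_genuine"] = door.verify(body.build_frame(UNLOCK_CMD)) == UNLOCK_CMD
    return results
```

The point of the per-vehicle key in `derive_link_key` is the one Tindell makes: a key pulled out of one car's ECU must not authenticate frames on another car, so a single "universal key extractor" is worth much less to a thief. The counter is what stops a recorded genuine unlock frame from simply being played back, and a receiver should only advance it after a frame passes the tag check.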
We talked with some security experts at VOXX Electronics, which is both an OEM supplier and an aftermarket option for vehicle security systems, to get some perspective on this issue and what might work to defend against it. Both VP of marketing Jonathan Frank and security product manager Chris Libardi tell us that CAN bus-style attacks are hardly a new thing in the automotive space.
"Whatever they're being referred to as they are out there, the hacks are not new," Libardi tells us. "They've been going on for a dozen years. As long as there's been CAN, there's been ways to hack around it."
The problem experts and the public are seeing today is that CAN bus hacking is getting easier because the CAN bus now stretches to more accessible parts of the car, such as the headlight modules used in this vulnerability. Years ago, it wasn't so easy.
"In order to do CAN bus-style stuff, you had to gain access to the wires, which were interior, so you'd have to physically break into the vehicle, gain access, get under the dash, get to a CAN network set of wires," Libardi says. "It wasn't as easy. It's becoming more prevalent now because typically to do this you had to be very, very, very well educated and have a lot of expensive equipment, and have the actual CAN bus messaging and all that, that would be required to do something like this. It's just becoming easier."
Tindell at Canis Automotive Labs suggests that folks try to park their vehicle in places that don't allow easy and uninterrupted access to its headlights. VOXX Electronics, though, recommends one of its aftermarket systems (the Viper DS4) as a theft deterrent, saying thieves won't be able to start the car with its system in place. The CAN injection allows thieves to bypass an OEM system, and VOXX says that a thief could still unlock the car doors with its system installed, but they'd need to find a way to hack the Viper system on top of that for the vehicle to fire up.
Of course, installing an aftermarket security system on your brand new car isn't something most folks want to do, but in terms of OE solutions, answers are in short supply for the time being. We've reached out to a few different automakers for comment and to see what they might have to say about this new way of stealing cars, and will update this post upon hearing back.
Lastly, if you notice that someone has been tampering with the trim or body panels near your headlights, you may want to contact the police, because a thief could be preparing a CAN injection theft.
How do I protect my keyless car from theft?
Thieves will likely use relay theft to try to steal your car with keyless entry/push-button start. Relay theft uses a wireless transmitter to capture and boost the key's signal and then relay it to the vehicle. A car can be unlocked and started this way even though the physical key is nowhere near it.
The best way to protect yourself here is to put your keys in a signal blocker box or pouch when not in use. The Faraday pouch is the most well-known blocker and will block the signal of your key due to the material it's lined with.
A less technologically advanced way of stopping a thief is to utilize a steering wheel lock. Of course, a thief could cut through such a device given the right tools, but it's a great deterrent.
Can thieves unlock keyless cars?
If they use the relay attack described above on a vulnerable car, yes, a thief could unlock a keyless car. The CAN injection method described in this story is another way for a thief to unlock a car without the key or forced entry.
Are keyless cars harder to steal?
This isn't a one-size-fits-all answer. Certain cars with keyless entry could very well be easier to steal, because a relay attack can both unlock them and start them. However, some new cars use ultra-wideband (UWB) technology that can measure how far the key's signal has traveled to reach the car. In this case, a relay attack would fail, because the car would realize how far away the key is and refuse to unlock.
Why is it called CAN injection?
It's called CAN injection because the individual trying to steal the car is doing so via the vehicle's CAN bus network. Modern vehicles have many CAN buses that link together the many ECUs inside a vehicle. By wiring their own theft device into the CAN bus network, thieves are, in a word, injecting themselves into the CAN network. This allows them to send messages that appear to come from one ECU to another and execute commands on the car as they please.
What are CAN messages?
CAN messages, on a basic level, are signals sent from one ECU to another in a car over the CAN bus system.
Is there a fix to prevent CAN injection?
There's no fix to stop CAN injection on the OEM side of matters. However, aftermarket solutions exist, such as the Viper security system mentioned in this story. A thief could still open the doors of a car using the system, but Viper says they wouldn't be able to turn the car on due to its security protocols.