As automotive security has become more sophisticated, so have attempts to steal cars. The latest method involved a device shaped like a Bluetooth speaker, access to a headlight, and the trust of an unsuspecting electronic control unit (ECU).
Dr. Ken Tindell, chief technical officer of U.K.-based Canis Automotive Labs who has worked on vehicle electronics for automakers like Volvo, provided an explanation on his site as to how such thefts can occur, based on his experience with a similar incident that happened to his friend Ian Tabor.
What started out as apparent vandalism – someone pulled the front bumper of Tabor’s Toyota RAV4 out of its clips – eventually led to a vehicle disappearing entirely. The first hint of what actually happened was that Tabor’s MyT telematics system had logged a number of errors after his bumper had been pulled out of place.
Tindell and his friend Ian Tabor investigated the issue and discovered that the latest form of car theft involves plugging a device into the vehicle to circumvent its security systems.
Read: Relay Attacks Make Keyless Entry Cars Shockingly Easy To Steal
As Tindell explains, modern keys are secure enough to deter car thieves. Recently, that has led to a rise in the popularity of relay attacks (which use a device to expand the effective range of a key, allowing a vehicle to be unlocked), but some solutions to that are being developed – including keys that go to sleep after a period of motionlessness.
That has led to something called CAN Injection. This uses a device to hijack the vehicle’s internal communications system where defenses are lowered. The disadvantage of this system, is that it needs to be hardwired into the vehicle, hence the pulling on Tabor’s bumper. In the case of a Toyota RAV4 (Tindell is clear to say that devices like these exist for other vehicles from other manufacturers), the easiest point of physical access is through the headlight.
Using a device that looks like a JBL Bluetooth speaker (so as not to arouse suspicion), thieves can splice their way into the headlight wiring, which is connected to the rest of the car. From there, the device says that the key is present, and since it is already behind the vehicle’s strongest wall of defense (as it were), it can easily fool the car into believing that it should unlock and then start.
The process actually requires a few more steps than that, but the good news is that there are simple solutions to this kind of hack that can actually be implemented with an over-the-air software update.
Tindell says that automakers can either respond to the particular kind of mayhem that the Can Injector tool uses to fool a vehicle into opening, by refusing to open the vehicle under those circumstances. That’s more of a band-aid than a real solution, though. The second method would be to adopt what Tindell calls a “Zero Trust” approach, in which even messages shared on a vehicle’s internal network must be encrypted. This isn’t without its downsides, but would be a reasonably permanent solution to the problem.