Thieves are now injecting forged messages onto a car's internal Controller Area Network (CAN) bus, reached through the wiring behind a headlight, to unlock the vehicle and drive it away without a key.
Ian Tabor, a cybersecurity researcher specializing in automobiles, discovered the new Controller Area Network (CAN) injection attack technique while investigating how his own Toyota RAV4 was stolen. His findings were detailed by Ken Tindell, CTO of Canis Automotive Labs, in an April 3 blog post. Tabor's car was taken after criminals plugged a device into the wiring harness behind a headlight, giving them access to the car's internal network, and used it to unlock the doors and drive the car away.
After his vehicle was stolen, Tabor checked Toyota's "MyT" telematics app, which records the Diagnostic Trouble Codes (DTCs) that ECUs log when they detect a fault. He found that his vehicle had recorded several DTCs shortly before the theft.
The codes indicated that the headlight ECU had lost communication with the CAN bus at around that time. In modern cars, ECUs talk to one another over shared buses that run the CAN protocol.
“A CAN bus is basically a pair of wires twisted together, and in a car, there are several CAN buses joined together, either directly with connectors or wired digitally via a gateway computer that copies some CAN messages back and forth between the CAN buses it is connected to,” Tindell said in the post.
ECUs are used to control a variety of functions in a car, including lights, brakes, wipers, and the engine. ECUs also send status messages via the CAN to update other ECUs about ongoing conditions.
The DTCs also showed that several other systems in Tabor's car had dropped off the network at the same time. The one thing all these failures had in common was the CAN bus, which led Tabor to conclude that the bus itself had been disrupted.
Stealing Vehicles Using CAN Injectors
Researching online, Tabor found dark web content discussing how to steal cars. He also found ads for "emergency start" devices, sold under what Tindell calls the "fiction that these products are for owners who have lost their keys or somehow reputable locksmiths will use these."
To understand how his car could have been taken, Tabor bought an "emergency start" device advertised as working on the RAV4. Analysing it revealed a new form of keyless vehicle theft: CAN injection. The injector contained roughly $10 worth of components and was hidden inside the case of a JBL Bluetooth speaker.
“The way CAN Injection works is to get into the car’s internal communication (i.e., the CAN bus) and inject fake messages as if from the smart key receiver, essentially messages saying ‘Key validated, unlock immobilizer.’ In most cars on the road today, these internal messages aren’t protected: the receivers simply trust them,” Tindell writes.
On the Toyota RAV4 the easiest place to reach a CAN bus is behind a headlight: pulling the bumper away exposes the headlight connector, and the CAN wires in that connector give direct access to the bus.
“There is a ‘Play’ button on the JBL Bluetooth speaker case … When this button is pressed, the burst of CAN messages changes slightly, and they instruct the door ECU to unlock the doors (as if the ‘unlock’ button on the wireless key had been pressed). The thieves can then unhook the CAN Injector, get into the car, and drive it away.”
Defeating CAN Hacks
According to Tindell, a software change can defeat the CAN injectors in circulation today. The "quick and dirty" method is to reprogram the gateway ECU so that it will "only forward a smart key CAN frame if it has recently transmitted a CAN frame without problems, and in the recent past, there have been no bit errors of this type on the CAN bus." In other words, a smart key frame that shows up while the bus has just been throwing bit errors is treated as suspect and dropped.
Tindell points out that this is not a permanent fix: thieves can respond with injectors that work around the check.
The "proper solution" is a "Zero Trust" approach to CAN, in which an ECU does not automatically trust messages from other ECUs but requires proof that each message is genuine, proof that an injector sitting on the bus cannot forge.
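To make the attack and both countermeasures concrete, here is an added toy model in Python. It is not code from the original article, from Tindell's post or from Canis Automotive Labs, and the CAN identifiers, payload bytes and the "key validated" semantics are placeholders I chose for illustration, not real Toyota values. It models the injection described above (a burst of error frames to disrupt the bus, then spoofed "key validated" frames that a naive immobilizer trusts), the "quick and dirty" gateway rule that drops smart key frames shortly after bus errors, the way a more patient injector defeats that rule, and a zero-trust receiver that only accepts frames carrying a fresh counter and a message authentication code under a key shared with the genuine key receiver. The 4-byte truncated HMAC and 3-byte counter are my own choice to fit an 8-byte classic CAN payload, not a scheme the post specifies.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Placeholder CAN identifiers for this toy model; they are NOT real Toyota IDs.
ID_SMART_KEY = 0x100   # hypothetical "smart key receiver" status frame
ID_OTHER = 0x300       # hypothetical unrelated traffic (e.g. wiper status)
KEY_VALID = b"\x01"    # constructed payload meaning "key validated, release immobilizer"


@dataclass
class Frame:
    can_id: int
    data: bytes
    error: bool = False   # True models an error frame forced onto the wire


class NaiveImmobilizer:
    """Receiver that simply trusts any frame carrying the smart-key ID (today's default)."""

    def __init__(self):
        self.unlocked = False

    def on_frame(self, f):
        if not f.error and f.can_id == ID_SMART_KEY and f.data[:1] == KEY_VALID:
            self.unlocked = True


class HeuristicGateway:
    """'Quick and dirty' fix: refuse to forward smart-key frames while the bus
    has seen error frames within the last `window` frames."""

    def __init__(self, window=20):
        self.window = window
        self.frames_since_error = window   # start in a 'clean' state

    def forward(self, f):
        if f.error:
            self.frames_since_error = 0
            return None
        self.frames_since_error += 1
        if f.can_id == ID_SMART_KEY and self.frames_since_error < self.window:
            return None   # bus was just disrupted: treat the frame as spoofed
        return f


def mac(key, can_id, counter, payload):
    """4-byte truncated HMAC-SHA256 over (id, counter, payload); fits 8 bytes of CAN data."""
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(3, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class AuthenticatedImmobilizer:
    """Zero-trust receiver: accepts a smart-key frame only if its MAC verifies
    under the shared key and its counter is newer than the last accepted one."""

    def __init__(self, key):
        self.key, self.last_counter, self.unlocked, self.accepted = key, -1, False, 0

    def on_frame(self, f):
        if f.error or f.can_id != ID_SMART_KEY or len(f.data) != 8:
            return
        payload, counter, tag = f.data[:1], int.from_bytes(f.data[1:4], "big"), f.data[4:]
        if counter <= self.last_counter:          # replayed or reordered frame
            return
        if not hmac.compare_digest(tag, mac(self.key, f.can_id, counter, payload)):
            return                                # forged frame: injector lacks the key
        self.last_counter = counter
        self.accepted += 1
        if payload == KEY_VALID:
            self.unlocked = True


def genuine_key_frames(key, n=3, start=0):
    """What the real key receiver would send once a key has been validated."""
    return [Frame(ID_SMART_KEY, KEY_VALID + c.to_bytes(3, "big")
                  + mac(key, ID_SMART_KEY, c, KEY_VALID)) for c in range(start, start + n)]


def injector_burst(n_errors=5, quiet=0, n_spoof=3):
    """Thief's device: force error frames to disrupt the bus, optionally let `quiet`
    unrelated frames pass (a more patient injector), then spam 'key validated'."""
    frames = [Frame(0, b"", error=True) for _ in range(n_errors)]
    frames += [Frame(ID_OTHER, b"\x00") for _ in range(quiet)]
    frames += [Frame(ID_SMART_KEY, KEY_VALID) for _ in range(n_spoof)]
    return frames


def simulate(frames, gateway=None, key=None):
    """Deliver frames to the immobilizer (naive, or authenticated if `key` is given),
    optionally through the gateway; returns whether the immobilizer released."""
    ecu = AuthenticatedImmobilizer(key) if key is not None else NaiveImmobilizer()
    for f in frames:
        if gateway is not None:
            f = gateway.forward(f)
        if f is not None:
            ecu.on_frame(f)
    return ecu.unlocked


def count_accepted(frames, key):
    """How many frames the authenticated receiver accepts; replays must not count."""
    ecu = AuthenticatedImmobilizer(key)
    for f in frames:
        ecu.on_frame(f)
    return ecu.accepted
```

Running `simulate(injector_burst())` releases the naive immobilizer, `simulate(injector_burst(), gateway=HeuristicGateway())` does not, and `simulate(injector_burst(quiet=25), gateway=HeuristicGateway())` releases it again, which is the weakness Tindell notes in the heuristic. With `key=k`, only `genuine_key_frames(k)` unlocks, the injector's bare frames are rejected, and replaying captured genuine frames is rejected by the counter check. The demo key is a constructed constant; a real deployment would provision a per-vehicle key and, unlike this toy, also need a counter-resynchronisation story for ECU resets.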