Experts have warned that criminals have been exploiting a vulnerability to use the CAN injection method for stealing connected cars.
Automotive cybersecurity experts have uncovered a security vulnerability that allows criminals to steal vehicles using the CAN injection method.
The investigation was initiated by Ian Tabor, an automotive cybersecurity expert from EDAG Group, and Ken Tindell, CTO of Canis Automotive Labs after Tabor’s own Toyota RAV4 was stolen in 2021 and suffered suspicious damage to its headlight housing and front wing.
The security experts assigned a CVE identifier (CVE-2023-29389) to the Toyota RAV4 hack. Tabor observed that the arch rim and front bumper of his stolen car were pulled off, and the headlight wiring plug was removed. There were screwdriver marks and damage on the car’s paint, malfunctioning headlamps, and missing moulding cups. A few days later, the car was stolen.
Tabor analyzed the data logs from Toyota’s MyT app and discovered that the electronic control units (ECUs) in his RAV4 had detected malfunctioning and were logged as diagnostic trouble codes (DTCs) before the theft occurred. Tindell noted that Tabor’s car had “dropped a lot of DTCs.”
Further investigation revealed that the thieves gained access to the car’s system bus through the smart headlamp’s wiring. Tindell discovered the theft was carried out using a Controller Area Network (CAN) injection hack. The CAN bus is present in almost all modern vehicles and is used by microcontrollers to communicate between different systems and perform their functions.
In this type of attack, cybercriminals gain network access and send bogus messages on behalf of the smart key receiver in the car. These messages trick the car’s security system into unlocking the vehicle and disengaging the engine immobilizer, allowing the thieves to steal the car. This vulnerability exists because internal messages in most car models are not protected by any security mechanism, and the receivers trust them blindly.
The hackers gain network access through various methods, such as breaking open a headlamp and sending messages using its connection to the CAN bus, and then manipulating other systems to steal the car.
Watch as crooks steal a Toyota RAV4 in two minutes:
The attackers cannot directly connect to the smart key ECU but must reach it via the wires connected to the headlight only when both are on the same CAN bus. The hacking device is connected to the wires and validates the key by sending a bogus CAN message to the ECU and another message to the door ECU to unlock it and steal the car.
This discovery highlights the need for enhanced security measures to protect against CAN injection attacks and prevent vehicle theft through this method. Automotive manufacturers and cybersecurity experts are urged to address this vulnerability and implement necessary safeguards to secure communication networks and systems in modern vehicles.