Hackers are now injecting forged messages into the Electronic Control Unit (ECU) network of cars by way of the headlight wiring, enabling criminals to gain keyless vehicle access.
After his vehicle was stolen, Tabor checked the “MyT” telematics system Toyota uses to track vehicle abnormalities, which are recorded as Diagnostic Trouble Codes (DTCs). He found that his vehicle had logged several DTCs shortly before the theft.
The error codes indicated that communication had been lost between the headlight’s ECU and the CAN bus around the time of the theft. In modern cars, ECUs are connected over a shared communications link and talk to each other using the CAN bus protocol.
“A CAN bus is basically a pair of wires twisted together, and in a car, there are several CAN buses joined together, either directly with connectors or wired digitally via a gateway computer that copies some CAN messages back and forth between the CAN buses it is connected to,” Tindell said in the post.
ECUs are used to control a variety of functions in a car, including lights, brakes, wipers, and the engine. ECUs also send status messages via the CAN to update other ECUs about ongoing conditions.
Stealing Vehicles Using CAN Injectors
After researching online, Tabor found content on the dark web discussing how cars are stolen. He also found ads for “emergency start” vehicle devices, which Tindell says rest on the “fiction that these products are for owners who have lost their keys or somehow reputable locksmiths will use these.”
Tabor bought an “emergency start” device that claimed to work on the RAV4 in order to understand how it could have been used to steal his car. An analysis of the device uncovered a new form of keyless vehicle theft—CAN injection. The CAN injector Tabor bought contained components worth about $10 and was delivered inside a JBL Bluetooth speaker.
“The way CAN Injection works is to get into the car’s internal communication (i.e., the CAN bus) and inject fake messages as if from the smart key receiver, essentially messages saying ‘Key validated, unlock immobilizer.’ In most cars on the road today, these internal messages aren’t protected: the receivers simply trust them,” Tindell writes.
On the Toyota RAV4, the headlights are the easiest route onto a CAN bus: pulling the bumper away exposes the headlight connector, which carries the CAN wiring.
Defeating CAN Hacks
According to Tindell, a software fix can defeat CAN injection attempts. The “quick and dirty” method is to reprogram the car so that the gateway ECU will “only forward a smart key CAN frame if it has recently transmitted a CAN frame without problems, and in the recent past, there have been no bit errors of this type on the CAN bus.”
Tindell points out that this is not a permanent fix, and criminals can respond with CAN injectors capable of dealing with the situation.
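The gateway rule quoted above can be modelled in a few dozen lines. The following is an added example written for this article, not code from Tindell, Canis or Toyota; it assumes a placeholder arbitration ID for the smart-key frame (real IDs are vehicle-specific), a 200 ms meaning of “recently”, and a CAN driver that reports successful own transmissions and bit errors to the gateway as events. Ordinary traffic is forwarded unconditionally; only the smart-key frame is gated on recent bus health.

```python
"""Model of the 'quick and dirty' gateway rule: a smart-key CAN frame is forwarded
only if the gateway has itself recently transmitted a frame without problems and
no bit errors have been seen on the bus in the recent past."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SMART_KEY_ID = 0x7AA   # placeholder ID for the "key validated" frame (assumption, not from the article)
WINDOW_MS = 200        # assumption: "recently" means within the last 200 ms


@dataclass
class CanFrame:
    t_ms: int       # time the frame arrived at the gateway
    can_id: int     # 11-bit arbitration ID
    data: bytes     # 0-8 byte payload


class Gateway:
    """Copies frames between buses, applying the health heuristic only to smart-key frames."""

    def __init__(self, window_ms: int = WINDOW_MS) -> None:
        self.window_ms = window_ms
        self.last_good_tx_ms: Optional[int] = None
        self.last_bit_error_ms: Optional[int] = None

    def note_tx_ok(self, t_ms: int) -> None:
        """Called by the (hypothetical) CAN driver when one of the gateway's own frames was acknowledged cleanly."""
        self.last_good_tx_ms = t_ms

    def note_bit_error(self, t_ms: int) -> None:
        """Called by the CAN driver when the controller flagged a bit error on the bus."""
        self.last_bit_error_ms = t_ms

    def bus_looks_healthy(self, t_ms: int) -> bool:
        recent_tx = (self.last_good_tx_ms is not None
                     and 0 <= t_ms - self.last_good_tx_ms <= self.window_ms)
        quiet = (self.last_bit_error_ms is None
                 or t_ms - self.last_bit_error_ms > self.window_ms)
        return recent_tx and quiet

    def should_forward(self, frame: CanFrame) -> bool:
        if frame.can_id != SMART_KEY_ID:
            return True                       # ordinary traffic is unaffected by the rule
        return self.bus_looks_healthy(frame.t_ms)


def run(events) -> List[Tuple[int, bool]]:
    """events: a list of ("tx_ok", t_ms), ("bit_error", t_ms) or ("frame", CanFrame).
    Returns (can_id, forwarded?) for every frame, in order."""
    gw = Gateway()
    decisions = []
    for kind, arg in events:
        if kind == "tx_ok":
            gw.note_tx_ok(arg)
        elif kind == "bit_error":
            gw.note_bit_error(arg)
        else:
            decisions.append((arg.can_id, gw.should_forward(arg)))
    return decisions


# Constructed timelines, not data from the article.
NORMAL = [("tx_ok", 100),
          ("frame", CanFrame(150, SMART_KEY_ID, b"\x01"))]      # healthy bus: key frame passes
SUSPICIOUS = [("tx_ok", 100), ("bit_error", 300), ("tx_ok", 320),  # bus was disturbed 50 ms ago
              ("frame", CanFrame(350, SMART_KEY_ID, b"\x01")),     # key frame right after errors: dropped
              ("frame", CanFrame(360, 0x1C0, b"\x00"))]            # unrelated frame still passes

if __name__ == "__main__":
    print("normal:    ", run(NORMAL))
    print("suspicious:", run(SUSPICIOUS))
```

The second timeline is the pattern the rule targets: a burst of bit errors (the kind of disturbance that also produces the “communication lost” DTCs mentioned earlier) followed immediately by a smart-key frame. Because the heuristic relies on timing rather than on anything the key frame itself proves, an injector that waits out the window defeats it, which is exactly why Tindell calls it temporary.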
The “proper solution” is to adopt a “Zero Trust” approach to CAN, meaning that an ECU does not automatically trust messages from other ECUs but requires some proof before accepting them as genuine.
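To make the contrast between a trusting receiver (the situation Tindell describes, where the immobilizer simply believes a “key validated” frame) and a Zero Trust receiver concrete, here is an added example that is not code from the article or from any vehicle manufacturer. It assumes a layout for the 8-byte CAN payload chosen for the demonstration: a 2-byte command, a 2-byte message counter, and a 4-byte tag truncated from an HMAC-SHA256 over the first four bytes, computed with a key shared only by the genuine smart-key receiver and the immobilizer. The command value and key are constructed placeholders.

```python
"""Trusting vs. verifying CAN receiver for a 'key validated, unlock immobilizer' frame."""
import hashlib
import hmac
import struct

# Constructed demo values; a real deployment provisions a per-vehicle secret at manufacture.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
UNLOCK_IMMOBILIZER = 0x0001   # placeholder command code
TAG_LEN = 4                   # assumption: 32-bit tag fits the 8-byte CAN payload


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(counter: int, command: int, key: bytes) -> bytes:
    """Payload sent by a genuine smart-key receiver: command | counter | tag."""
    if not 0 <= counter < 2 ** 16:
        raise ValueError("counter must fit in 16 bits")
    body = struct.pack(">HH", command, counter)
    return body + _tag(key, body)          # exactly 8 bytes


class TrustingReceiver:
    """Today's behaviour: anything that looks like the unlock command is obeyed."""

    def accept(self, payload: bytes) -> bool:
        command, _ = struct.unpack(">HH", payload[:4])
        return command == UNLOCK_IMMOBILIZER


class VerifyingReceiver:
    """Zero Trust behaviour: the frame must carry a valid tag and a fresh counter."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1                 # highest counter accepted so far

    def accept(self, payload: bytes) -> bool:
        if len(payload) != 4 + TAG_LEN:
            return False
        body, tag = payload[:4], payload[4:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False                       # forged or corrupted: no proof of origin
        command, counter = struct.unpack(">HH", body)
        if counter <= self.last_counter:
            return False                       # replayed frame: proof is stale
        self.last_counter = counter
        return command == UNLOCK_IMMOBILIZER


def demo() -> dict:
    """Feeds a genuine frame, a frame with the right command but no valid tag,
    and a replay of the genuine frame to both receiver types."""
    genuine = build_frame(counter=1, command=UNLOCK_IMMOBILIZER, key=SHARED_KEY)
    untagged = struct.pack(">HH", UNLOCK_IMMOBILIZER, 1) + bytes(TAG_LEN)  # constructed bad frame
    trusting, verifying = TrustingReceiver(), VerifyingReceiver(SHARED_KEY)
    return {
        "trusting_genuine": trusting.accept(genuine),
        "trusting_untagged": trusting.accept(untagged),
        "verifying_genuine": verifying.accept(genuine),
        "verifying_untagged": verifying.accept(untagged),
        "verifying_replay": verifying.accept(genuine),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:20s} -> {'accepted' if accepted else 'rejected'}")
```

The trusting receiver accepts both frames, which is the weakness CAN injection exploits; the verifying receiver accepts only the genuine, first-seen frame. The counter is what turns “the tag is valid” into “the tag was produced for this moment”: without it, a recorded genuine frame could be played back later. Key management and counter resynchronisation after a battery disconnect are the hard parts of deploying this in a real vehicle and are beyond what the article covers.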