Crooks Are Using CAN Injection Attacks To Steal Cars (theregister.com) 47

"Thieves have discovered new ways to steal cars by pulling off smart devices (like smart headlights) to get at and attack via the Controller Area Network (CAN) bus," writes longtime Slashdot reader KindMind. The Register reports: A Controller Area Network (CAN) bus is present in nearly all modern cars, and is used by microcontrollers and other devices to talk to each other within the vehicle and carry out the work they are supposed to do. In a CAN injection attack, thieves access the network and introduce bogus messages as if they were from the car's smart key receiver. These messages effectively cause the security system to unlock the vehicle and disable the engine immobilizer, allowing it to be stolen. To gain this network access, the crooks can, for instance, break open a headlamp and use its connection to the bus to send messages. From that point, they can simply manipulate other devices to steal the vehicle.

"In most cars on the road today, these internal messages aren't protected: the receivers simply trust them," [Ken Tindell, CTO of Canis Automotive Labs] detailed in a technical write-up this week. The discovery followed an investigation by Ian Tabor, a cybersecurity researcher and automotive engineering consultant working for EDAG Engineering Group. It was driven by the theft of Tabor's RAV4. Leading up to the crime, Tabor noticed the front bumper and arch rim had been pulled off by someone, and the headlight wiring plug removed. The surrounding area was scuffed with screwdriver markings, which, together with the fact the damage was on the kerbside, seemed to rule out damage caused by a passing vehicle. More vandalism was later done to the car: gashes in the paint work, molding clips removed, and malfunctioning headlamps. A few days later, the Toyota was stolen.

Refusing to take the pilfering lying down, Tabor used his experience to try to figure out how the thieves had done the job. The MyT app from Toyota -- which among other things allows you to inspect the data logs of your vehicle -- helped out. It provided evidence that Electronic Control Units (ECUs) in the RAV4 had detected malfunctions, logged as Diagnostic Trouble Codes (DTCs), before the theft. According to Tindell, "Ian's car dropped a lot of DTCs." Various systems had seemingly failed or suffered faults, including the front cameras and the hybrid engine control system. With some further analysis it became clear the ECUs probably hadn't failed, but communication between them had been lost or disrupted. The common factor was the CAN bus.

  • by Shag ( 3737 ) on Friday April 07, 2023 @08:10PM (#63434132) Journal

    Last year (I believe it was), there was a campaign in Massachusetts to pass a "right to repair" bill pertaining to cars, because manufacturers wouldn't give third-party repair shops information on the computerized parts that might need repairing. The manufacturers ran ads in the media saying that if that information were more available, bad actors could use it to steal your car. Which everyone pretty much knew was pulled right out of their collective ass. And when the campaign succeeded, some of them started selling their cars in Massachusetts with smart features disabled. (Subaru EyeSight is one I think I heard about.)

    So now it turns out that car thieves don't even need that repair information because these networks have such mind-bogglingly poor physical security... surprise, surprise.

    • Re: (Score:3, Interesting)

      by NFN_NLN ( 633283 )

      Some less than reputable news aggregation sites were even posting stories such as "Right to Repair Benefits 'Sexual Predators'"

      https://hardware.slashdot.org/... [slashdot.org]

      • So they stopped this time at it causing cancer and terrorism?

        Are they getting soft or are people getting smarter and know that they're talking out of a dark, smelly place?

    • by Luckyo ( 1726890 ) on Friday April 07, 2023 @09:49PM (#63434282)

      This isn't just a one-state thing. These sorts of ads and arguments are universal for almost all complex devices and right to repair. This was argued in front of many legislatures, including on different continents (the EU Parliament, for example).

      Essentially these are canned talking points developed by a few PR experts for lobbying purposes. We have the same talking points in right to repair for phones, for example. All the "safety, security" nonsense, because somehow being able to change your battery or camera unit would totally compromise your data. Remember the curious case of the iPhone, where taking an OEM camera from one iPhone and putting it in another iPhone of the exact same model would result in intermittent camera failures?

      These sort of things are intentional, so you go for repairs to a licensed dealer. And soon enough, repairs become so expensive that you'd rather just get a new one.

      • by tlhIngan ( 30335 )

        We have the same talking points in right to repair for phones, for example. All the "safety, security" nonsense, because somehow being able to change your battery or camera unit would totally compromise your data. Remember the curious case of the iPhone, where taking an OEM camera from one iPhone and putting it in another iPhone of the exact same model would result in intermittent camera failures?

        Because the Right to Repair people don't have secure supply chains.

        iFixit and the like, do good work. But how sure are you that t

        • by Luckyo ( 1726890 )

          >Apple is evil, but they have a point that if they want to stop this, making the parts basically junk is the way to do it.

          The actual way to do it is of course letting OEMs sell spare parts to others than Apple, which would remove the need for black markets entirely. Because there would be no market for those things if you could just go to original manufacturer like Texas Instruments and buy necessary spare parts.

          You can't, because Apple, like a lot of other manufacturers that followed in its footsteps, pu

    • by dargaud ( 518470 )
      I don't really see how to improve security much when you have physical access to the communication bus. It's not like you can distribute encryption keys for all subparts of the vehicle. What if you need to change a light? And the CAN bus is pretty simple as a protocol.
      • What if you need to change a light?

        I'll admit that I'm not any sort of security expert, but isn't this exactly what a certificate signing authority is for? It's like how you can replace your website and still have every browser in the world trust their HTTPS connection to it.

        That said, I'm skeptical of the idea that every device in a car needs to be a smart device in the first place. But that just makes me old, I guess.

        • People steal dumb cars all the time so regression will not change thieving. Making it harder for those that take the easy way out (crimes of opportunity) is the way to go, and insurance for the rest. But still a hard problem for what's basically a high-end rolling computer (Tesla).

      • Are we replacing just the lamp or the circuit/assembly just upstream providing it power, wiring, lensing and logic? Asking because I just did the latter when fam cracked a taillight. Bulbs may not need canbus functionality.

        And a lot of these (accepting new signed devices) could behave like Bluetooth: pop a notification on a hardened part of the system (center console, while car is running; or to owner(s) via wifi).

        A crux problem in each of these use cases is the need to keep device cost down (crypto com

      • by Entrope ( 68843 )

        It is not necessary to secure everything, only things that are important enough -- like starting and stopping the engine and unlocking doors. Yes, that would mean an attacker could inject other commands or data, but most attackers are interested in stealing a vehicle rather than changing the volume while the authorized owner is driving, or other prank-like actions.

    • From the wiki page: CAN is a low-level protocol and does not support any security features intrinsically.
      There is also no encryption in standard CAN implementations, which leaves these networks open to man-in-the-middle frame interception.

      It is up to the manufacturers to implement something like security. It is just an open serial bus for the transfer of data of any kind.

      I would argue it is similar to using Ethernet frames to communicate in a network, but not choosing to use security features that wer
    • by sinij ( 911942 )
      CAN bus is real-time, so authentication of components is a technical challenge. However, general access to the CAN bus from the OBD port is the issue behind these hacks.
  • Wait, what? (Score:2, Insightful)

    by quonset ( 4839537 )

    Leading up to the crime, Tabor noticed the front bumper and arch rim had been pulled off by someone, and the headlight wiring plug removed. The surrounding area was scuffed with screwdriver markings, which, together with the fact the damage was on the kerbside, seemed to rule out damage caused by a passing vehicle. More vandalism was later done to the car: gashes in the paint work, molding clips removed, and malfunctioning headlamps. A few days later, the Toyota was stolen.

    You see significant damage to you

    • Re:Wait, what? (Score:5, Informative)

      by AmiMoJo ( 196126 ) on Saturday April 08, 2023 @05:20AM (#63434636) Homepage Journal

      The video shows the car parked outside a house on a public road. That is normal for the UK, many houses don't have driveways or even front gardens. It's a legacy of a million+ crap houses being built as cheaply as possible, and because they are terraces nobody can do anything about it.

      It's also not uncommon for thieves to strip cars of parts here. Rather than stealing the whole car, they just remove parts and sell them. Bumpers, headlights, catalytic converters, and trim are often targeted.

      So really he had very few options. He could have moved it to a different road, but that probably wouldn't have made much difference as thieves are wise to that. A secure car park is a temporary, expensive fix at best. He had CCTV already.

      That's just how life is here in the UK. There is very little owners can do about it. Manufacturers can make their vehicles more secure, and the police can make it harder to sell the stolen goods.

  • It's a song by the Radiators, YouTube it yourself
    • by Anonymous Coward

      These Ch-Ch-ChhatGPT posts are getting b-b-b-better all the tiiiiiime!
      Sincerely,
      M-m-m-max Headroom

  • Ok.

    Face Palm.

    Yes, I realize they just plugged into the network from the headlight termination, but this still just sounds like dumb security after going through all that trouble of having an engine immobilizer and encrypted key fob. Hey, is this just Kia/Hyundai doing security again?
    • Yes, it is dumb|no security. It is why some vendors are looking at going to ethernet and powerline communications within the vehicle. Ultimately though I am not sure how many of these low-power functions (like a headlight controller) can support encryption and command signing.

      • Doesn't matter. The auto manufacturers would just use the VIN as the security token. Because yah for some reason you need to have that printed on full display.
      • by tragedy ( 27079 ) on Friday April 07, 2023 @10:52PM (#63434338)

        Yes, it is dumb|no security. It is why some vendors are looking at going to ethernet and powerline communications within the vehicle. Ultimately though I am not sure how many of these low-power functions (like a headlight controller) can support encryption and command signing.

        They shouldn't need to support those things. All that should be needed is for the important parts of the car to support those things and to only accept certain kinds of traffic from other devices that do not have encryption or signing.

      • You can run encryption over CAN or whatever just the same, doesn't have to be Ethernet. But the main thing is that there is no good reason for immobilizer to be on the same physical bus and directly addressable by headlamps.
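A receiver-side sketch of what Entrope and tragedy describe above (authenticate only the critical commands such as unlock and immobilizer, leave the rest of the bus as it is), added here as an illustration and not code from the article, Toyota or any vendor. The arbitration IDs, key, frame layout and 16-bit counter are assumptions constructed for the example; a real ECU would hold the key in hardware and use a larger freshness value with a resync mechanism.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Classic CAN frames carry an 11-bit arbitration ID and at most 8 data bytes.
# IDs, key and layout below are constructed for this example, not from any real vehicle.
ID_HEADLAMP_STATUS = 0x3A0   # non-critical: accepted as-is, like today
ID_DOOR_UNLOCK = 0x1F0       # critical: needs a valid tag and a fresh counter
ID_IMMOBILIZER = 0x1F1       # critical: needs a valid tag and a fresh counter
CRITICAL_IDS = {ID_DOOR_UNLOCK, ID_IMMOBILIZER}
CMD_LEN, CTR_LEN, TAG_LEN = 1, 2, 4      # 1 + 2 + 4 = 7 bytes, fits one 8-byte frame


@dataclass(frozen=True)
class CanFrame:
    can_id: int
    data: bytes


def _tag(key: bytes, can_id: int, body: bytes) -> bytes:
    # Bind the tag to the arbitration ID so a tag minted for one ID is useless on another.
    msg = can_id.to_bytes(2, "big") + body
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_authenticated_frame(can_id: int, cmd: int, counter: int, key: bytes) -> CanFrame:
    # Sender side (the key-receiver ECU): cmd || counter || truncated HMAC.
    body = bytes([cmd]) + counter.to_bytes(CTR_LEN, "big")
    return CanFrame(can_id, body + _tag(key, can_id, body))


class CriticalReceiver:
    # Receiver side (door-lock / immobilizer ECU). Non-critical IDs keep their old
    # trust-everything behaviour; critical IDs are checked for MAC and freshness.
    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = {cid: -1 for cid in CRITICAL_IDS}   # per-ID freshness state

    def accept(self, frame: CanFrame) -> bool:
        if frame.can_id not in CRITICAL_IDS:
            return True                                  # headlamp chatter etc.
        if len(frame.data) != CMD_LEN + CTR_LEN + TAG_LEN:
            return False                                 # unauthenticated or malformed command
        body, tag = frame.data[:CMD_LEN + CTR_LEN], frame.data[CMD_LEN + CTR_LEN:]
        counter = int.from_bytes(body[CMD_LEN:], "big")
        if counter <= self._last_counter[frame.can_id]:
            return False                                 # replay of a captured frame
        if not hmac.compare_digest(tag, _tag(self._key, frame.can_id, body)):
            return False                                 # forged: sender lacks the key
        self._last_counter[frame.can_id] = counter       # commit freshness only on success
        return True
```

A plain unlock frame injected from the headlamp connector has neither the key nor the expected layout, so it is dropped, while the headlamp's own status traffic is still accepted unchanged.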
    • This is how security by obscurity fails.
    • This is kind of like how, in the early internet, every device simply trusted every other device. You know, like how until recently, SMTP simply relayed emails without so much as authentication. Or like how SSL used to be thought of as optional for web sites.

      When new technologies are developed, security is rarely present in the first iteration. Early cars didn't have door or ignition locks at all. It's only when crime becomes an issue, that locks are needed. Many people today who live in rural areas, still d

  • by PPH ( 736903 ) on Friday April 07, 2023 @09:42PM (#63434270)

    the Toyota was stolen.

    A RAV4? Thieves worked on a RAV4 for a few days to steal it?

    Perhaps this was practice for a few newbies.

    • by Canberra1 ( 3475749 ) on Friday April 07, 2023 @11:13PM (#63434350)
      I studied ways to avoid paying a so-called locksmith $500 for one key to open a 2008 Honda. Car thief networks are buying late model car ECU's (car write-offs), dumping the ECU memory, even so-called secure EEPROMs (which can be shaved), and the info is sold on the darkweb. Some cars like Euro VW's now have to have codes on paper at VW HQ, as this is the only way to be secure. Dealers have to ring Germany, basically, and in some models it's $2000 or more for replacement keys for the owner! First lesson is that cars often have different ECU's across model years, models and factories. Mr Thief may not have found the ECU firmware revision that was an exact match. One car diagnostic reader brand cannot often read all models of ECU's. Secondly, a common bus does not know it was a headlight - all it cares about is the protocol. You hook into the headlight, and emulate that you are the car key fob, or the dealer diagnostics, you get a memory dump - to crack. Make no mistake, nothing is safe, although Mercedes is hiding codes in gearboxes and other components, to make life really hard (that also means you cannot use parts from write-offs). Or plan to steal by hooking in another ECU (ECU hot-wiring). Like rats and rattraps - it is competitive.
  • I mean, this is a known threat type. I had discussions with fellow researchers about this type of attack more than 15 years ago. Seems nobody designing these systems listened. The usual incompetence.

    I am starting to think most people do IT security as pathetically inept as lock makers: https://www.youtube.com/channe... [youtube.com]

  • Seems that there's prior art [youtu.be] from the eighties...

  • by quetwo ( 1203948 ) on Saturday April 08, 2023 @11:09AM (#63435062) Homepage

    I have a car that is over 10 years old, but still has 'modern' electronics. It has a RFID enabled secure key, code swapping unlocker, etc. But the second I have access to the CAN-BUS terminal, everything is over. Code readers which you can buy for about $100 can be loaded with the codes to specific model cars. In my case, I need to enter in the VIN number (which can also be sniffed via the bus), and I can unlock the doors, open the sunroof, disable the immobilizer and even turn on the engine. Heck, I can even program new keys against it. Break the window, plug in the device, about 2-3 minutes of going through the menus and I can drive away with the car.

    There were even cases where manufacturers (GM) exposed the full CAN-BUS to the internet via a full-time connected service (OnStar) without any encryption and very limited authentication. There were a few demonstrations where they were able to drive a car remotely, over the internet.

    I guess the novel thing here is that they are accessing it via the headlamp -- which would make getting access to the bus less intrusive.

  • Why I need to upgrade my 23-year-old car, which is still in fine working order.
  • by RonTheHurler ( 933160 ) on Sunday April 09, 2023 @12:19PM (#63436832)

    "smart" headlights?
    Whatever happened to Keep It Simple Stupid?

    Yet another good reason to convert older classic cars to EV. (smiling as I drive off in my '62 Beetle EV.)
