Crooks Are Using CAN Injection Attacks To Steal Cars (theregister.com)
"Thieves have discovered new ways to steal cars by pulling off smart devices (like smart headlights) to get at and attack via the Controller Area Network (CAN) bus," writes longtime Slashdot reader KindMind. The Register reports: A Controller Area Network (CAN) bus is present in nearly all modern cars, and is used by microcontrollers and other devices to talk to each other within the vehicle and carry out the work they are supposed to do. In a CAN injection attack, thieves access the network and introduce bogus messages as if they were from the car's smart key receiver. These messages effectively cause the security system to unlock the vehicle and disable the engine immobilizer, allowing it to be stolen. To gain this network access, the crooks can, for instance, break open a headlamp and use its connection to the bus to send messages. From that point, they can simply manipulate other devices to steal the vehicle.
"In most cars on the road today, these internal messages aren't protected: the receivers simply trust them," [Ken Tindell, CTO of Canis Automotive Labs] detailed in a technical write-up this week. The discovery followed an investigation by Ian Tabor, a cybersecurity researcher and automotive engineering consultant working for EDAG Engineering Group. It was driven by the theft of Tabor's RAV4. Leading up to the crime, Tabor noticed the front bumper and arch rim had been pulled off by someone, and the headlight wiring plug removed. The surrounding area was scuffed with screwdriver markings, which, together with the fact the damage was on the kerbside, seemed to rule out damage caused by a passing vehicle. More vandalism was later done to the car: gashes in the paint work, molding clips removed, and malfunctioning headlamps. A few days later, the Toyota was stolen.
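The "receivers simply trust them" problem, shown in working form. This is an added example and not code from The Register article, Canis Automotive Labs or Toyota: it simulates a body ECU that accepts any frame carrying the "unlock" or "immobiliser off" arbitration ID, next to the same ECU requiring a truncated HMAC and a freshness counter packed into the 8-byte classic CAN payload. The arbitration IDs, the shared key, the 1-byte command / 3-byte counter / 4-byte tag layout and the class names are assumptions for illustration; production schemes such as AUTOSAR SecOC differ in detail.

```python
"""Simulated CAN receiver: trusting (today's cars) vs. authenticated.

Added example. IDs, key and frame layout are assumed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

UNLOCK_ID = 0x2A1           # assumed: "smart key receiver says unlock"
IMMOBILISER_OFF_ID = 0x2A2  # assumed: "smart key receiver says release immobiliser"
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # assumed shared secret
CMD_ON = b"\x01"


@dataclass
class Frame:
    arb_id: int
    data: bytes  # classic CAN payload, at most 8 bytes


class TrustingBodyEcu:
    """Like most ECUs on the road: the right ID in the right place is enough."""

    def __init__(self):
        self.unlocked = False
        self.immobiliser_active = True

    def on_frame(self, f: Frame) -> bool:
        if f.data[:1] != CMD_ON:
            return False
        if f.arb_id == UNLOCK_ID:
            self.unlocked = True
            return True
        if f.arb_id == IMMOBILISER_OFF_ID:
            self.immobiliser_active = False
            return True
        return False


def tag(key: bytes, arb_id: int, cmd: bytes, counter: int) -> bytes:
    """4-byte truncated HMAC-SHA256 over (ID, command, counter)."""
    msg = arb_id.to_bytes(2, "big") + cmd + counter.to_bytes(3, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class KeyReceiver:
    """Legitimate sender: holds the key and a monotonically increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def build(self, arb_id: int, cmd: bytes) -> Frame:
        self.counter += 1
        ctr = self.counter.to_bytes(3, "big")
        return Frame(arb_id, cmd + ctr + tag(self.key, arb_id, cmd, self.counter))


class AuthenticatedBodyEcu(TrustingBodyEcu):
    """Same actions, but only after the tag verifies and the counter is fresh."""

    def __init__(self, key: bytes):
        super().__init__()
        self.key = key
        self.last_counter = {}

    def on_frame(self, f: Frame) -> bool:
        if f.arb_id not in (UNLOCK_ID, IMMOBILISER_OFF_ID) or len(f.data) != 8:
            return False
        cmd, counter, mac = f.data[:1], int.from_bytes(f.data[1:4], "big"), f.data[4:]
        if not hmac.compare_digest(mac, tag(self.key, f.arb_id, cmd, counter)):
            return False  # forged or corrupted frame
        if counter <= self.last_counter.get(f.arb_id, 0):
            return False  # replay of an earlier genuine frame
        self.last_counter[f.arb_id] = counter
        return super().on_frame(Frame(f.arb_id, cmd))


def injected_attack(ecu) -> tuple:
    """Thief on the bus sends bare unlock / immobiliser-off frames (no key)."""
    ecu.on_frame(Frame(UNLOCK_ID, CMD_ON + bytes(7)))
    ecu.on_frame(Frame(IMMOBILISER_OFF_ID, CMD_ON + bytes(7)))
    return ecu.unlocked, ecu.immobiliser_active


def replay_attack(ecu, key_rx) -> tuple:
    """Thief records one genuine authenticated unlock and replays it later."""
    genuine = key_rx.build(UNLOCK_ID, CMD_ON)
    first = ecu.on_frame(genuine)   # legitimate use by the owner
    ecu.unlocked = False            # owner locks again
    return first, ecu.on_frame(genuine)


if __name__ == "__main__":
    print(injected_attack(TrustingBodyEcu()))           # (True, False): stolen
    print(injected_attack(AuthenticatedBodyEcu(KEY)))   # (False, True): nothing happens
    print(replay_attack(AuthenticatedBodyEcu(KEY), KeyReceiver(KEY)))  # (True, False)
```

The tag and counter consume seven of the eight payload bytes, which is why this is easier on CAN FD than on classic CAN, and the scheme says nothing about key provisioning, counter resynchronisation after an ECU reset, or an attacker who simply floods the bus: authentication stops forged commands, not denial of service.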
Refusing to take the pilfering lying down, Tabor used his experience to try to figure out how the thieves had done the job. The MyT app from Toyota -- which among other things allows you to inspect the data logs of your vehicle -- helped out. It provided evidence that Electronic Control Units (ECUs) in the RAV4 had detected malfunctions, logged as Diagnostic Trouble Codes (DTCs), before the theft. According to Tindell, "Ian's car dropped a lot of DTCs." Various systems had seemingly failed or suffered faults, including the front cameras and the hybrid engine control system. With some further analysis it became clear the ECUs probably hadn't failed, but communication between them had been lost or disrupted. The common factor was the CAN bus.
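The DTC pattern Tabor found (several ECUs logging communication faults at once, none of them actually broken) is something an owner or fleet telematics could look for. The following is an added example, not Toyota's MyT app or Tabor's own analysis: it parses a constructed DTC log, treats U-prefixed codes as the network-communication family, and flags any tight cluster of them spanning several ECUs as a bus-disruption indicator. The log format, the specific codes, the ECU names and the 30-second / three-ECU thresholds are all assumptions.

```python
"""Flag bursts of "lost communication" DTCs across several ECUs.

Added example. Log format, codes, ECU names and thresholds are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample: timestamp, DTC, ECU that logged it. One isolated
# powertrain code, one isolated network code, then a burst across four ECUs.
SAMPLE_LOG = """\
2023-03-28T17:02:11 P0A80 HYBRID_CTRL
2023-03-30T09:15:40 U0100 FRONT_CAMERA
2023-04-02T23:41:10 U0100 FRONT_CAMERA
2023-04-02T23:41:11 U0293 HYBRID_CTRL
2023-04-02T23:41:11 U0155 BODY_CTRL
2023-04-02T23:41:13 U0100 ADAS_CTRL
2023-04-02T23:41:19 U0293 HYBRID_CTRL
"""


def parse_log(text: str) -> list:
    """Return (timestamp, code, ecu) tuples for each non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, code, ecu = line.split()
        events.append((datetime.fromisoformat(ts), code, ecu))
    return events


def find_bus_disruptions(events, gap=timedelta(seconds=30), min_ecus=3) -> list:
    """Cluster U-codes separated by at most `gap`; alert when a cluster
    touches at least `min_ecus` distinct ECUs (bus-wide, not one failed box)."""
    net = sorted(e for e in events if e[1].startswith("U"))
    clusters, current = [], []
    for ev in net:
        if current and ev[0] - current[-1][0] > gap:
            clusters.append(current)
            current = []
        current.append(ev)
    if current:
        clusters.append(current)

    alerts = []
    for c in clusters:
        ecus = sorted({ecu for _, _, ecu in c})
        if len(ecus) >= min_ecus:
            alerts.append({
                "start": c[0][0],
                "end": c[-1][0],
                "ecus": ecus,
                "codes": sorted({code for _, code, _ in c}),
            })
    return alerts


if __name__ == "__main__":
    for a in find_bus_disruptions(parse_log(SAMPLE_LOG)):
        print(f"{a['start']} .. {a['end']}: {len(a['ecus'])} ECUs lost comms "
              f"({', '.join(a['ecus'])}) codes {a['codes']}")
```

A genuinely failed ECU also makes its peers log U-codes, so this is an indicator to investigate (ideally with CCTV and a look at the bumper and headlamp plug), not proof of tampering; and it only helps if the car actually surfaces its DTCs to the owner, as the MyT app did here.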
Well, so much for security. (Score:4, Interesting)
Last year (I believe it was), there was a campaign in Massachusetts to pass a "right to repair" bill pertaining to cars, because manufacturers wouldn't give third-party repair shops information on the computerized parts that might need repairing. The manufacturers ran ads in the media saying that if that information were more available, bad actors could use it to steal your car. Which everyone pretty much knew was pulled right out of their collective ass. And when the campaign succeeded, some of them started selling their cars in Massachusetts with smart features disabled. (Subaru EyeSight is one I think I heard about.)
So now it turns out that car thieves don't even need that repair information because these networks have such mind-bogglingly poor physical security... surprise, surprise.
Re: (Score:3, Interesting)
Some less than reputable news aggregation sites were even posting stories such as "Right to Repair Benefits 'Sexual Predators'"
https://hardware.slashdot.org/... [slashdot.org]
Re: (Score:1)
So they stopped this time at it causing cancer and terrorism?
Are they getting soft or are people getting smarter and know that they're talking out of a dark, smelly place?
Re:Well, so much for security. (Score:4, Insightful)
This isn't just a one-state thing. These sorts of ads and arguments are universal for almost all complex devices and right to repair. This was argued in front of many legislatures, including on different continents (the EU parliament, for example).
Essentially these are canned talking points developed by a few PR experts for lobbying purposes. We have the same talking points in right to repair for phones, for example. All the "safety, security" nonsense, because somehow being able to change your battery or camera unit would totally compromise your data. Remember the curious case of the iPhone where taking an OEM camera from one iPhone and putting it in another iPhone of the exact same model would result in intermittent camera failures?
These sort of things are intentional, so you go for repairs to a licensed dealer. And soon enough, repairs become so expensive that you'd rather just get a new one.
Re: (Score:1)
Because the Right to Repair people don't have secure supply chains.
iFixit and the like, do good work. But how sure are you that t
Re: (Score:1)
>Apple is evil, but they have a point that if they want to stop this, making the parts basically junk is the way to do it.
The actual way to do it is of course letting OEMs sell spare parts to others than Apple, which would remove the need for black markets entirely. Because there would be no market for those things if you could just go to original manufacturer like Texas Instruments and buy necessary spare parts.
You can't, because Apple, like a lot of other manufacturers that followed in its footsteps, pu
What if you need to change a light?
I'll admit that I'm not any sort of security expert, but isn't this exactly what a certificate signing authority is for? It's like how you can replace your website and still have every browser in the world trust their HTTPS connection to it.
That said, I'm skeptical of the idea that every device in a car needs to be a smart device in the first place. But that just makes me old, I guess.
Re: (Score:2)
People steal dumb cars all the time so regression will not change thieving. Making it harder for those that take the easy way out (crimes of opportunity) is the way to go, and insurance for the rest. But still a hard problem for what's basically a high-end rolling computer (Tesla).
Re: Well, so much for security. (Score:1)
Are we replacing just the lamp or the circuit/assembly just upstream providing its power, wiring, lensing and logic? Asking because I just did the latter when fam cracked a taillight. Bulbs may not need CAN bus functionality.
And a lot of these (accepting new signed devices) could behave like Bluetooth: pop a notification on a hardened part of the system (center console, while car is running; or to owner(s) via wifi).
a crux problem in each of these use cases is the need to keep device cost down (crypto com
Re: (Score:3)
It is not necessary to secure everything, only things that are important enough -- like starting and stopping the engine and unlocking doors. Yes, that would mean an attacker could inject other commands or data, but most attackers are interested in stealing a vehicle rather than changing the volume while the authorized owner is driving, or other prank-like actions.
Re: (Score:2)
There is also no encryption in standard CAN implementations, which leaves these networks open to man-in-the-middle frame interception.
It is up to the manufacturers to implement something like security. It is just an open serial bus for the transfer of data of any kind.
I would argue it is similar to using Ethernet frames to communicate in a network, but not choosing to use security features that wer
I usually pull the "smart" headlights out of EVs and then unlock the doors. I don't need to start it, because I leave a large human turd on the driver's seat. It's great to watch with a zoom lens as the car owner opens the door and sees the steaming pile on the seat.
Thank you for leaving behind some incriminating evidence.
Wait, what? (Score:2, Insightful)
Leading up to the crime, Tabor noticed the front bumper and arch rim had been pulled off by someone, and the headlight wiring plug removed. The surrounding area was scuffed with screwdriver markings, which, together with the fact the damage was on the kerbside, seemed to rule out damage caused by a passing vehicle. More vandalism was later done to the car: gashes in the paint work, molding clips removed, and malfunctioning headlamps. A few days later, the Toyota was stolen.
You see significant damage to you
Re: (Score:2)
Granted, it's a relatively new approach to stealing cars that people might not recognize as such. But if you see such things going on (and they don't get the car right away), just pull a fuse or two on some critical controllers.
Re: (Score:2)
What can you do?
Oh, I dunno... set up a 15 dollar wifi-enabled web cam with a motion sensor [amazon.com] to record what's going on, maybe?
Re:Wait, what? (Score:5, Informative)
The video shows the car parked outside a house on a public road. That is normal for the UK, many houses don't have driveways or even front gardens. It's a legacy of a million+ crap houses being built as cheaply as possible, and because they are terraces nobody can do anything about it.
It's also not uncommon for thieves to strip cars of parts here. Rather than stealing the whole car, they just remove parts and sell them. Bumpers, headlights, catalytic converters, and trim are often targeted.
So really he had very few options. He could have moved it to a different road, but that probably wouldn't have made much difference as thieves are wise to that. A secure car park is a temporary, expensive fix at best. He had CCTV already.
That's just how life is here in the UK. There is very little owners can do about it. Manufacturers can make their vehicles more secure, and the police can make it harder to sell the stolen goods.
I wish that I was 17 again (Score:1)
Re: (Score:1)
These Ch-Ch-ChhatGPT posts are getting b-b-b-better all the tiiiiiime!
Sincerely,
M-m-m-max Headroom
The headlight is telling me to unlock the car. (Score:3)
Face Palm.
Yes, I realize they just plugged into the network from the headlight termination, but this still just sounds like dumb security after going through all that trouble of having an engine immobilizer and encrypted key fob. Hey, is this just Kia/Hyundai doing security again?
Re: (Score:3)
Yes, it is dumb|no security. It is why some vendors are looking at going to ethernet and powerline communications within the vehicle. Ultimately though I am not sure how many of these low-power functions (like a headlight controller) can support encryption and command signing.
Re:The headlight is telling me to unlock the car. (Score:4, Informative)
Yes, it is dumb|no security. It is why some vendors are looking at going to ethernet and powerline communications within the vehicle. Ultimately though I am not sure how many of these low-power functions (like a headlight controller) can support encryption and command signing.
They shouldn't need to support those things. All that should be needed is for the important parts of the car to support those things and to only accept certain kinds of traffic from other devices that do not have encryption or signing.
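The point made in this reply, and in the earlier one arguing that only door unlocking and engine start/stop really need protecting, is an architectural one: a cheap peripheral such as a headlamp controller need not do cryptography if a gateway between its segment and the secure body/powertrain segments only lets it source the frame IDs a headlamp legitimately sends. The following is an added example, not any vendor's gateway firmware: a policy that keys on the physical port a frame arrived on (CAN frames carry no source address, which is exactly why a headlamp plug on the same bus as the body ECU can impersonate the key receiver), drops any other ID from that port, and rate-limits the IDs it does allow so a flood from a compromised lamp is contained. Segment names, arbitration IDs and the 20-frames-per-second cap are assumptions.

```python
"""CAN gateway policy: an exposed segment may only source its own frame IDs.

Added example. Segment names, IDs and rate caps are assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    arb_id: int
    data: bytes


# Assumed arbitration IDs.
HEADLAMP_STATUS = 0x3C0      # lamp -> body: bulb OK / fault
HEADLAMP_LEVEL_CMD = 0x3C1   # body -> lamp: beam levelling
KEYFOB_UNLOCK = 0x2A1        # key receiver -> body ECU
IMMOBILISER_RELEASE = 0x2A2  # body ECU -> powertrain

# Which IDs each physical port (segment) is permitted to *source*.
SEGMENT_MAY_SEND = {
    "front_lighting": {HEADLAMP_STATUS},
    "body_secure": {HEADLAMP_LEVEL_CMD, KEYFOB_UNLOCK, IMMOBILISER_RELEASE},
}
# Where an allowed ID is forwarded.
ROUTE_TO = {
    HEADLAMP_STATUS: {"body_secure"},
    HEADLAMP_LEVEL_CMD: {"front_lighting"},
    KEYFOB_UNLOCK: {"body_secure"},
    IMMOBILISER_RELEASE: {"powertrain"},
}
# Per-second cap for IDs an exposed segment may send (assumed nominal rate + margin).
MAX_PER_SECOND = {HEADLAMP_STATUS: 20}


class Gateway:
    def __init__(self):
        self.dropped = []   # (segment, id, reason) for a diagnostic log
        self._seen = {}     # (segment, id) -> (second, count)

    def route(self, src: str, frame: Frame, t_ms: int) -> set:
        """Return the set of segments the frame is forwarded to (empty = dropped)."""
        if frame.arb_id not in SEGMENT_MAY_SEND.get(src, set()):
            self.dropped.append((src, frame.arb_id, "id not allowed from segment"))
            return set()
        limit = MAX_PER_SECOND.get(frame.arb_id)
        if limit is not None:
            key, sec = (src, frame.arb_id), t_ms // 1000
            last_sec, count = self._seen.get(key, (sec, 0))
            count = count + 1 if last_sec == sec else 1
            self._seen[key] = (sec, count)
            if count > limit:
                self.dropped.append((src, frame.arb_id, "rate exceeded"))
                return set()
        return ROUTE_TO.get(frame.arb_id, set()) - {src}


def headlamp_injection_scenario() -> dict:
    """Thief on the headlamp plug tries the injection; legitimate traffic still flows."""
    gw = Gateway()
    r = {}
    r["status_ok"] = gw.route("front_lighting", Frame(HEADLAMP_STATUS, b"\x01"), 0)
    r["unlock_from_lamp"] = gw.route("front_lighting", Frame(KEYFOB_UNLOCK, b"\x01"), 5)
    r["immob_from_lamp"] = gw.route("front_lighting", Frame(IMMOBILISER_RELEASE, b"\x01"), 6)
    r["immob_from_body"] = gw.route("body_secure", Frame(IMMOBILISER_RELEASE, b"\x01"), 7)
    flood = [gw.route("front_lighting", Frame(HEADLAMP_STATUS, b"\x00"), 1000 + i)
             for i in range(25)]
    r["flood_forwarded"] = sum(1 for out in flood if out)
    r["dropped"] = list(gw.dropped)
    return r


if __name__ == "__main__":
    for k, v in headlamp_injection_scenario().items():
        print(k, v)
```

This only works if the headlamp really sits on its own segment behind the gateway; in the car described in the article it evidently did not, and a gateway is itself an ECU that can be attacked. It also does nothing about an attacker who reaches the secure segment some other way, which is where authenticated frames on the critical IDs come in.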
Re: (Score:3)
This is kind of like how, in the early internet, every device simply trusted every other device. You know, like how until recently, SMTP simply relayed emails without so much as authentication. Or like how SSL used to be thought of as optional for web sites.
When new technologies are developed, security is rarely present in the first iteration. Early cars didn't have door or ignition locks at all. It's only when crime becomes an issue, that locks are needed. Many people today who live in rural areas, still d
A few days later, the Toyota was stolen. (Score:4, Interesting)
the Toyota was stolen.
A RAV4? Thieves worked on a RAV4 for a few days to steal it?
Perhaps this was practice for a few newbies.
Dumb morons at work (Score:2)
I mean, this is a known threat type. I had discussions with fellow researchers about this type of attack more than 15 years ago. Seems nobody designing these systems listened. The usual incompetence.
I am starting to think most people do IT security as pathetically inept as lock makers: https://www.youtube.com/channe... [youtube.com]
Is that similar to the banana injection attack? (Score:2)
Seems that there's prior art [youtu.be] from the eighties...
The CAN-BUS is incredibly insecure... (Score:4, Interesting)
I have a car that is over 10 years old, but still has 'modern' electronics. It has a RFID enabled secure key, code swapping unlocker, etc. But the second I have access to the CAN-BUS terminal, everything is over. Code readers which you can buy for about $100 can be loaded with the codes to specific model cars. In my case, I need to enter in the VIN number (which can also be sniffed via the bus), and I can unlock the doors, open the sunroof, disable the immobilizer and even turn on the engine. Heck, I can even program new keys against it. Break the window, plug in the device, about 2-3 minutes of going through the menus and I can drive away with the car.
There were even cases where manufacturers (GM) exposed the full CAN-BUS to the internet via a full-time connected service (OnStar) without any encryption and very limited authentication. There were a few demonstrations where they were able to drive a car remotely, over the internet.
I guess the novel thing here is that they are accessing it via the headlamp -- which would make getting access to the bus less intrusive.
Re: (Score:1)
I would add to the "novel" part: using a replay attack on the immobilizer.
Explain once more (Score:2)
KISS it. (Score:3)
"smart" headlights?
Whatever happened to Keep It Simple Stupid?
Yet another good reason to convert older classic cars to EV. (smiling as I drive off in my '62 Beetle EV.)