First, it was specific Kia and Hyundai models facing increased thefts due to social media videos revealing ways to exploit the vehicles' safeguards. Now, Toyota owners are sleeping with one eye open and locked on their cars.
According to Ken Tindell, the CTO of Canis Automotive Labs, an automotive cybersecurity company, thieves have developed a keyless car theft method that attacks a vehicle's Controller Area Network, or CAN bus.
Tindell explained that the thieves are physically accessing a car's CAN bus to introduce malicious faults. Once accomplished, they can mimic a car key and steal the vehicle.
The thieves are reaching the CAN bus data wires by going through an automobile's headlight. In Tindell’s blog post, he details the theft of a Toyota RAV4, which like many modern vehicles, includes an electronic control unit (ECU) that controls the lights.
Tindell said the thieves used a handheld radio relay station to transmit a message sent from a car to a key and back to the car.
A diagram shows how the thieves broke into the wiring for the red CAN bus, which is connected to the key receiver ECU. They used a device to send CAN frames on to the red CAN bus to send fake messages indicating that a key is validated. A gateway ECU copies the phony message to the green CAN bus, and the engine control system accepts the message and deactivates the immobilizer function.
The owner of the RAV4 in Tindell's story is named Ian Tabor, a cybersecurity researcher who has worked with bug bounties and vehicle vulnerabilities.
After his car was stolen, Tabor browsed the internet and found some websites that sell various products that can help bypass car security. It turns out the product that likely helped steal his Toyota is a portion of electronics in a JBL Bluetooth speaker case.
Tindell did, however, offer a way to combat the CAN injector and it’s called a “Zero Trust” approach. The approach is a cryptographic messaging fix that would require proof that messages from ECUs are genuine.
But Tindell also said large corporations like Toyota find it hard to respond to security issues. He added that the CAN injection problem is not a vulnerability disclosure, which makes Toyota’s processes of having an ethical hacker find issues not appropriate.