A Toyota RAV 4 hybrid SUV owned by Ian Tabor in the UK was stolen after thieves found a novel way to bypass electronic security systems. Photo / Supplied
OPINION:
Infosec veteran Mikko Hypponen said: “if it’s smart, it’s vulnerable”, and worryingly enough, that very much applies to cars, which nowadays are riddled with electronic control systems and computers.
They’re there to provide convenience and security, cut emissions and fuel use among other things, and of course, to foil the filth that wants to boost your hoopty.
Ironically enough, the electronic smarts in cars can actually make it easier and faster for thieves to make off with cars, engine immobilisers and alarms notwithstanding. Remote key fob codes can be spoofed to open and start cars for example.
Thieves might not even need physical car keys. A radio relay that intercepts codes sent by keys inside a house to prove to the car that they’re the right ones works quite well. That attack can be foiled by keeping keys in a metal box to kill the radio signals. Apparently, some car makers have added a sleep mode to keys now, to stop rogue radios from talking to them.
There’s more than one way to skin a cat and in the last couple of years, cars have been found with the front bumper detached - this is simple and quick to do, as they’re usually clipped on - and with the headlight plugs disconnected.
It turns out that what seemed like mindless vandalism is in fact a novel theft technique.
Now, thanks to the perseverance of “car hacker” (okay, automotive cyber security consultant then) Ian Tabor, whose Toyota RAV4 was nicked after four tries, we know quite a bit more about what’s going on.
The story did make The Times but on the very last day of 2022, and now Tabor and Canis Labs chief technology officer Ken Tindell have published more details about the technology the thieves use.
As befits a documented IT vulnerability, the issue was given a Common Vulnerabilities and Exposures (CVE) identifier, CVE-2023-29389, to track it earlier this month. When infosec types talk about bugs that attackers can exploit, they often call them CVEs.
Long story short, thieves have discovered that the Controller Area Network or CAN signalling bus in cars isn’t properly secured.
The electronic control units (ECUs) trust internal messages from each other, and they’re not encrypted either.
Access an ECU like the one by the headlights, and as the name implies, you can inject CAN messages that perform an “emergency start” of the engine, allowing thieves to drive off with a vehicle.
Maybe not the most elegant of attacks as the thieves have to be present and pull off the bumper, but it takes just a couple of minutes. And, no car keys are needed.
The economic incentives involved in the CAN injection business look tremendous. Tabor bought a CAN injection device that’s stuffed into a portable JBL speaker, so if the cops arrive, the thieves don’t appear to be carrying any obvious break-in tools.
He reverse engineered the CAN injector, found that it uses about $15 worth of components, yet the devices sell for up to $8800 or so.
Sounds expensive, but think about how much new cars are worth even when sold as stolen, or chopped up in parts, and buying an injector looks like a CAN-ny investment for criminals.
The good news is that because we’re talking IT, the problem can be sorted out. Tindell outlines a temporary fix to make life difficult for the car thieves, one that’d take a while for the thieves to bypass.
A permanent one involves applying what governments around the world are scared witless of, namely encryption, as well as proper authentication so that the dumb ECUs don’t just obey any old command.
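To make the two points above concrete, here is an added simulation (my own example, not code from Tabor, Tindell or Canis Labs, and not anything a real car runs): a classic CAN frame model, a “dumb” receiving ECU that obeys any frame carrying the expected ID and command byte, and a hardened receiver that only obeys frames carrying a truncated HMAC plus a freshness counter, loosely in the style of the AUTOSAR SecOC approach. Everything in it is constructed: the arbitration ID 0x123, the command byte, the key and the 2+2+4 byte payload layout are assumptions chosen to fit eight data bytes, and key provisioning and the encryption half of the fix are left out so it runs with the Python standard library alone.

```python
"""Simulated CAN receivers: an ECU that trusts any frame on the bus versus
one that authenticates frames with a truncated HMAC and a freshness counter.
Constructed example: IDs, key and payload layout are invented for the demo."""
import hmac
import hashlib
from dataclasses import dataclass

# Constructed arbitration ID and command byte for the simulation; not real vendor values.
ID_START_REQUEST = 0x123
CMD_START = 0x01

MAC_LEN = 4                            # truncated tag: 4 of the 32 HMAC-SHA256 bytes
CTR_LEN = 2                            # 16-bit freshness counter
PAYLOAD_LEN = 8 - MAC_LEN - CTR_LEN    # 2 bytes left for the command itself


@dataclass(frozen=True)
class CanFrame:
    """A classic CAN 2.0A frame: 11-bit arbitration ID and up to 8 data bytes."""
    arb_id: int
    data: bytes

    def __post_init__(self) -> None:
        if not 0 <= self.arb_id <= 0x7FF:
            raise ValueError("11-bit arbitration ID required")
        if len(self.data) > 8:
            raise ValueError("classic CAN carries at most 8 data bytes")


def plain_ecu_accepts(frame: CanFrame) -> bool:
    """Vulnerable model from the article: whoever puts the right ID and
    command byte on the bus is obeyed. There is no check of who sent it."""
    return frame.arb_id == ID_START_REQUEST and frame.data[:1] == bytes([CMD_START])


def _tag(key: bytes, arb_id: int, counter: int, payload: bytes) -> bytes:
    # Bind the tag to ID, counter and payload so none of them can be swapped.
    msg = arb_id.to_bytes(2, "big") + counter.to_bytes(CTR_LEN, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class AuthenticatedSender:
    """Legitimate ECU holding the shared key and a monotonic counter."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def start_request(self) -> CanFrame:
        if self.counter >= 1 << (8 * CTR_LEN):
            raise RuntimeError("counter exhausted; rekey or resynchronise")
        payload = bytes([CMD_START, 0x00])
        data = (payload + self.counter.to_bytes(CTR_LEN, "big")
                + _tag(self.key, ID_START_REQUEST, self.counter, payload))
        self.counter += 1
        return CanFrame(ID_START_REQUEST, data)


class AuthenticatedReceiver:
    """Hardened ECU: verifies the tag and rejects stale counters (replays)."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1

    def accepts(self, frame: CanFrame) -> bool:
        if frame.arb_id != ID_START_REQUEST or len(frame.data) != 8:
            return False
        payload = frame.data[:PAYLOAD_LEN]
        counter = int.from_bytes(frame.data[PAYLOAD_LEN:PAYLOAD_LEN + CTR_LEN], "big")
        tag = frame.data[PAYLOAD_LEN + CTR_LEN:]
        if counter <= self.last_counter:
            return False                      # replayed or reordered frame
        expected = _tag(self.key, frame.arb_id, counter, payload)
        if not hmac.compare_digest(expected, tag):
            return False                      # forged or tampered frame
        self.last_counter = counter
        return payload[0] == CMD_START


def demo() -> dict:
    """Run the article's scenario against both receivers and report the outcome."""
    key = b"constructed-demo-key-not-for-real-use"    # constructed key
    sender, receiver = AuthenticatedSender(key), AuthenticatedReceiver(key)

    # A device on the bus that knows the ID and command byte but not the key.
    injected = CanFrame(ID_START_REQUEST, bytes([CMD_START, 0, 0, 0, 0, 0, 0, 0]))
    genuine = sender.start_request()

    return {
        "plain_obeys_injected": plain_ecu_accepts(injected),
        "auth_rejects_injected": not receiver.accepts(injected),
        "auth_accepts_genuine": receiver.accepts(genuine),
        "auth_rejects_replay": not receiver.accepts(genuine),
        "auth_accepts_next": receiver.accepts(sender.start_request()),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The frame with all-zero counter and tag bytes is taken at face value by the plain receiver and thrown away by the authenticated one, and even a recorded genuine frame is refused the second time because its counter is no longer fresh. A real deployment has to solve what this toy skips: distributing keys to every ECU, resynchronising counters after a battery disconnect, and keeping a 4-byte tag from being brute-forced on a bus that carries thousands of frames a second.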
The latter method would probably have foiled car hackers Charlie Miller and Chris Valasek who famously remotely ‘sploited a Jeep back in 2014, turning off its engine while moving along with a host of other naughty things, to demonstrate how vulnerable new vehicles are.
The not-so-good news is that any fixes for this problem require car makers’ co-operation. This they’re often not keen on, not without the threat of million or billion-dollar penalties.
As Tindell wrote: “Ian has tried to get in touch with Toyota to discuss the CAN Injection attack, and to offer help, but hasn’t had much success.”
Insurance companies would probably be even more keen than hapless car owners to get this sorted out, without resorting to telling customers to use inconvenient mechanical wheel and pedal locks (which aren’t resistant to portable angle grinders anyway).
Giving up and going back to “dumb” cars isn’t the answer of course, or even possible since we’re all meant to shift to electric vehicles which need electronic smarts to actually work.
Instead, vehicle standards should probably be expanded to include penetration testing of their control systems, and car makers be forced to set up vulnerability disclosure programmes to manage security researchers’ reports.
Did I just suggest a very interesting career choice for security-minded engineer types? Why yes, I did. Become an automotive cyber security consultant, and the world will beat a path to your door, especially if you can come up with solutions that can be retrofitted to older cars.