When a London man found the front left bumper of his Toyota RAV4 ripped off and the headlight partially removed not once but twice in three months last year, he suspected the acts were senseless vandalism. When the vehicle disappeared a few days after the second incident, and a neighbor’s Toyota Land Cruiser was found missing shortly after, he discovered they were part of a new and sophisticated technique for committing keyless thefts.
Its owner, Ian Tabor, is a cybersecurity researcher specializing in automobiles. While researching how his RAV4 was taken, he stumbled upon a new technique called CAN injection.
A case of a malfunctioning CAN
Tabor started with the “MyT” telematics system Toyota uses to track vehicle anomalies known as DTCs (Diagnostic Trouble Codes). He found that several DTCs had been registered on his vehicle at the time of the theft.
The error codes showed that communication had been lost between the RAV4’s CAN (Controller Area Network) and the headlight’s electronic control unit. These ECUs, as they are abbreviated, are found in almost all modern vehicles and control a myriad of functions, including wipers, brakes, individual lights and the engine. In addition to controlling components, ECUs send status messages over the CAN to inform other ECUs of current conditions.
This diagram maps the CAN topology for the RAV4:
Diagram showing the RAV4’s CAN topology. (Credit: Ken Tindell)
The DTCs showing that the RAV4’s left headlight lost communication with the CAN aren’t particularly surprising, considering the crooks ripped out the cables connecting it. More telling was the failure of several ECUs at the same time, including the front cameras and the hybrid engine control. Taken together, these failures do not indicate that the ECUs themselves failed, but rather that the CAN bus failed. That sent Tabor looking for an explanation.
The researcher and theft victim next turned to dark-web crime forums discussing car theft and to YouTube videos. He eventually found ads for “quick start” devices. Ostensibly, these devices are meant to be used by owners or locksmiths when the keys are unavailable, but nothing prevents anyone else from using them, including thieves. Tabor purchased a device advertised to start various Lexus and Toyota vehicles, including the RAV4. He then set about reverse engineering it and, with the help of his friend and fellow automotive security expert Ken Tindell, figured out how it worked on the RAV4’s CAN.
Inside this JBL speaker is a new form of attack
The research uncovered a form of keyless vehicle theft that no researcher had seen before. In the past, thieves found success using what is known as a relay attack. These hacks amplify the signal between the car and the keyless entry fob used to unlock and start it. Keyless fobs typically communicate only within a few feet. By placing a simple hand-held radio device near the vehicle, thieves amplify the normally faint message that the car transmits. With sufficient amplification, the message can reach the nearby home or office where the key fob is located. When the fob responds with the cryptographic message that unlocks and starts the vehicle, the crook’s repeater relays it to the car. With that, the crook drives off.
“People now know how the relay attack works … car owners keep their keys in a metal box (blocking the radio message from the car) and some car makers now offer keys that go to sleep if not moved for a few minutes (so the hit car doesn’t get the radio message),” Tindell wrote in a recent post. “Faced with this failure, but unwilling to give up a profitable function, thieves have moved to a new way around security: bypassing the entire smart key system. They do this with a new attack: CAN injection.”
Tindell also attached this video, which he says catches a CAN-injection theft in the act.
Toyota RAV4 2021—Stolen in less than two minutes.
Tabor bought a CAN injector disguised as a Bluetooth JBL speaker. The disguise protects thieves if police or others become suspicious: instead of carrying an obvious hacking device, the crook appears to be carrying an innocuous speaker.

A CAN injector disguised as a JBL speaker.
Closer analysis revealed much more. Specifically, there were CAN injector chips glued to the speaker’s circuit board.
CAN injector chips, in a resin blob, glued to the JBL circuit board. (Credit: Ken Tindell)
Tindell explained:
It’s about $10 in components: a PIC18F chip that contains the CAN hardware, plus preprogrammed software (known as firmware) on the chip, a CAN transceiver (a standard CAN chip that converts digital signals from the CAN hardware in the PIC18F into analog voltages sent over the CAN wires), and additional circuitry connected to the CAN transceiver (more on this soon). The device draws its power from the speaker battery and connects to the CAN bus. A CAN bus is basically a pair of wires twisted together, and a car has multiple CAN buses connected together, either directly at connectors or digitally through a gateway computer that copies certain CAN messages back and forth.
The theft device is designed to connect to the control CAN bus (the red bus in the wiring diagram) to impersonate the smart key ECU. There are many ways to get at the wires of this CAN bus; the only requirement is that the wires come to the edge of the car so they can be reached (wires buried deep inside the car are impossible for thieves to reach on a car parked on the street). The easiest way to get to that CAN bus on the RAV4 is through the headlights: remove the bumper and access the CAN bus from the headlight connector. Other approaches are possible: punching a hole in a panel where the twisted-pair CAN wires pass, cutting the two wires and splicing in the CAN injector would also work, but the value of a car with a hole in it decreases. So thieves take the easy way (Ian’s sleuthing found that these cars are often destined for export, shipped by container to destinations in Africa).
When first turned on, the CAN injector does nothing: it listens for a specific CAN message that tells it the car is ready. When it receives this CAN message it does two things: it starts sending CAN messages (about 20 times per second), and it activates the additional circuit connected to its CAN transceiver. The burst of CAN messages contains a ‘Smart Key Valid’ signal, and the gateway forwards this to the engine management ECU on the other bus. In general, this would cause confusion on the control CAN bus: CAN messages from the real smart key controller can collide with the fake messages from the CAN injector, and this can prevent the gateway from forwarding the injected message. This is where that extra circuit comes in: it changes the way the CAN bus works so that other ECUs on that bus can’t talk. The gateway can still listen for messages, and the powertrain can still send messages over the CAN bus. The burst repeats 20 times per second because the system is fragile, and sometimes the gateway doesn’t listen because its CAN hardware resets itself (because it thinks that not being able to talk is a sign of a fault – which it is, in a way).
The JBL Bluetooth speaker case has a ‘play’ button which is connected to the PIC18F chip. When this button is pressed, the burst of CAN messages changes slightly and instructs the door ECU to open the doors (as if pressing the ‘unlock’ button on the wireless key). Thieves can then unscrew the CAN injector, get into the car, and drive away.
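The two bus-level symptoms Tindell describes, one frame repeated about 20 times per second while the other ECUs on that bus are jammed into silence, are exactly what a simple in-vehicle intrusion detector can look for. The following is an added example (not Tindell’s or Toyota’s code) that learns each CAN ID’s normal period from a baseline trace and flags a suspect window; the CAN IDs, the candump-style log lines and the `make_log` helper are all constructed for illustration, since the article gives no real RAV4 arbitration IDs.

```python
import re
from collections import defaultdict
from statistics import median

# Hypothetical IDs; the real RAV4 arbitration IDs are not given in the article.
SMART_KEY_ID = 0x0A1   # status frame from the smart key ECU
OTHER_ECU_ID = 0x0B2   # status frame from another ECU on the same bus

# candump-style line: "(timestamp) interface ID#DATA"
LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#")

def parse(log):
    """Return (timestamp, can_id) for every parseable line in the trace."""
    hits = (LINE_RE.match(line.strip()) for line in log.splitlines())
    return [(float(m["ts"]), int(m["id"], 16)) for m in hits if m]

def median_periods(frames):
    """Median inter-arrival time in seconds per CAN ID (IDs seen twice or more)."""
    last, gaps = {}, defaultdict(list)
    for ts, cid in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items()}

def detect(baseline_log, window_log, rate_factor=4.0, silence_factor=3.0):
    """Flag IDs arriving far faster than their learned period ('rate_spike')
    and periodic IDs that vanish for much longer than their period ('silent'),
    the latter being the side effect of the injector jamming other ECUs."""
    base = median_periods(parse(baseline_log))
    frames = parse(window_log)
    win = median_periods(frames)
    span = frames[-1][0] - frames[0][0] if frames else 0.0
    seen = {cid for _, cid in frames}
    alerts = []
    for cid, period in base.items():
        if cid in win and win[cid] * rate_factor < period:
            alerts.append(("rate_spike", cid))
        elif cid not in seen and span > silence_factor * period:
            alerts.append(("silent", cid))
    return sorted(alerts)

def make_log(schedule):
    """Constructed trace from (can_id, period_s, count) tuples."""
    frames = sorted((i * p, cid) for cid, p, n in schedule for i in range(n))
    return "\n".join(f"({ts:.3f}) can0 {cid:03X}#01" for ts, cid in frames)

# Normal driving: smart key status once a second, the other ECU twice a second.
BASELINE = make_log([(SMART_KEY_ID, 1.0, 10), (OTHER_ECU_ID, 0.5, 20)])
# Suspect window: one forged frame repeated at 20 Hz and nothing else on the bus.
ATTACK_WINDOW = make_log([(SMART_KEY_ID, 0.05, 60)])
```

Running `detect(BASELINE, ATTACK_WINDOW)` reports both the 20 Hz spike on the smart key ID and the silence of the other ECU, while comparing the baseline against itself reports nothing.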
Tabor and Tindell have designed two defenses that they say will defeat CAN injection attacks. Tindell said they notified Toyota of the security issue but have yet to hear back.