KICKING THE CAN

There’s a new form of keyless car theft that works in under 2 minutes

As car owners grow hip to one form of theft, crooks are turning to new ones.

Dan Goodin
Infrared image of a person jimmying open a vehicle. Credit: Getty Images

When a London man discovered the front left-side bumper of his Toyota RAV4 torn off and the headlight partially dismantled not once but twice in three months last year, he suspected the acts were senseless vandalism. When the vehicle went missing a few days after the second incident, and a neighbor found their Toyota Land Cruiser gone shortly afterward, he discovered they were part of a new and sophisticated technique for performing keyless thefts.

It just so happened that the owner, Ian Tabor, is a cybersecurity researcher specializing in automobiles. While investigating how his RAV4 was taken, he stumbled on a new technique called CAN injection attacks.

The case of the malfunctioning CAN

Tabor began by poring over the “MyT” telematics system that Toyota uses to track vehicle anomalies known as DTCs (Diagnostic Trouble Codes). It turned out his vehicle had recorded many DTCs around the time of the theft.

The error codes showed that communication had been lost between the RAV4’s CAN—short for Controller Area Network—and the headlight’s Electronic Control Unit. These ECUs, as they’re abbreviated, are found in virtually all modern vehicles and are used to control a myriad of functions, including wipers, brakes, individual lights, and the engine. Besides controlling the components, ECUs send status messages over the CAN to keep other ECUs apprised of current conditions.

This diagram maps out the CAN topology for the RAV4:

Diagram showing the CAN topology of the RAV4. Credit: Ken Tindell

The DTCs showing that the RAV4’s left headlight lost contact with the CAN weren’t particularly surprising, considering that the crooks had torn off the cables that connected it. More telling was the simultaneous failure of many other ECUs, including those for the front cameras and the hybrid engine control. Taken together, these failures suggested not that the ECUs themselves had failed but rather that the CAN bus had malfunctioned. That sent Tabor searching for an explanation.

The researcher and theft victim next turned to crime forums on the dark web and YouTube videos discussing how to steal cars. He eventually found ads for what were labeled “emergency start” devices. Ostensibly, these devices were designed for owners or locksmiths to use when no key is available, but nothing prevented their use by anyone else, including thieves. Tabor bought a device advertised for starting various Lexus and Toyota vehicles, including the RAV4. He then proceeded to reverse engineer it and, with help from friend and fellow automotive security expert Ken Tindell, figure out how it worked on the CAN of the RAV4.

Inside this JBL speaker lies a new form of attack

The research uncovered a form of keyless vehicle theft neither researcher had seen before. In the past, thieves found success using what’s known as a relay attack. These hacks amplify the signal between the car and the keyless entry fob used to unlock and start it. Keyless fobs typically only communicate over distances of a few feet. By placing a simple handheld radio device near the vehicle, thieves amplify the normally faint message that cars send. With enough amplification, the messages reach the nearby home or office where the key fob is located. When the fob responds with the cryptographic message that unlocks and starts the vehicle, the crook's repeater relays it to the car. With that, the crook drives off.

“Now that people know how a relay attack works… car owners keep their keys in a metal box (blocking the radio message from the car) and some car makers now supply keys that go to sleep if motionless for a few minutes (and so won’t receive the radio message from the car),” Tindell wrote in a recent post. “Faced with this defeat but being unwilling to give up a lucrative activity, thieves moved to a new way around the security: bypassing the entire smart key system. They do this with a new attack: CAN Injection.”

Tindell linked to this video, which he says captures a CAN-injection theft in action.

Toyota RAV4 2021—stolen in less than two minutes.

The CAN-injector Tabor bought was disguised as a Bluetooth JBL speaker. That gives thieves cover in the event police or others become suspicious. Instead of carrying an obvious hacking device, the crook appears to possess an innocuous speaker.

The CAN injector disguised as a JBL speaker.

A closer analysis revealed that there was much more to it. More specifically, there were CAN injector chips grafted to the circuit board.

CAN Injector chips enclosed in a glob of resin grafted onto the JBL circuit board. Credit: Ken Tindell

Tindell explained:

It turns out it’s about $10 of components: a PIC18F chip that contains CAN hardware, plus software pre-programmed into the chip (known as firmware), a CAN transceiver (a standard CAN chip that turns digital signals from the CAN hardware on the PIC18F into the analog voltages sent on CAN wires), and an extra circuit connected to the CAN transceiver (more on this shortly). The device takes its power from the speaker battery, and connects to a CAN bus. A CAN bus is basically a pair of wires twisted together, and in a car there are several CAN buses joined together, either directly with connectors, or wired digitally via a gateway computer that copies some CAN messages back and forth between the CAN buses it is connected to.

The theft device is designed to be connected to the control CAN bus (the red bus in the wiring diagram) to impersonate the smart key ECU. There are several ways to get to the wires for this CAN bus, the only requirement being that the wires need to come to the edge of the car so that they can be reached (wires buried deep in the car are impractical to reach by thieves trying to steal a parked car on the street). By far the easiest route into that CAN bus on the RAV4 is through the headlights: pulling the bumper away and accessing the CAN bus from the headlight connector. Other access would be possible: even punching a hole in a panel where the twisted pair of CAN wires goes past, cutting the two wires, and splicing in the CAN Injector would also work, but the diminished value of a car with a hole in it means thieves take the easiest route (Ian’s sleuthing found that mostly these cars are destined for export, sent via shipping container to places in Africa).

When first powered on, the CAN Injector does nothing: it’s listening for a particular CAN message to know that the car is ready. When it receives this CAN message it does two things: it starts sending a burst of CAN messages (at about 20 times per second) and it activates that extra circuit connected to its CAN transceiver. The burst of CAN messages contains a ‘smart key is valid’ signal, and the gateway will relay this to the engine management ECU on the other bus. Normally, this would cause confusion on the control CAN bus: CAN messages from the real smart key controller would clash with the imposter messages from the CAN Injector, and this could prevent the gateway from forwarding the injected message. This is where that extra circuit comes in: it changes the way a CAN bus operates so that other ECUs on that bus cannot talk. The gateway can still listen to messages, and can of course still send messages on to the powertrain CAN bus. The burst repeats 20 times a second because the setup is fragile, and sometimes the gateway is not listening because its CAN hardware is resetting itself (because it thinks that being unable to talk is an indication of a fault - which in a way it is).

There is a ‘Play’ button on the JBL Bluetooth speaker case, and this is wired into the PIC18F chip. When this button is pressed, the burst of CAN messages changes slightly and they instruct the door ECU to unlock the doors (as if the ‘unlock’ button on the wireless key had been pressed). The thieves can then unhook the CAN Injector, get into the car, and drive it away.
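The behaviour Tindell describes leaves a distinctive trace on the bus: one message ID suddenly arrives far faster than its normal period while every other ECU on that bus falls silent at the same moment. The following is an added example, not code from the article or from Tabor and Tindell, of a minimal detector for that signature over a candump-style trace; the CAN IDs (0x1A0 as a stand-in for the smart key status message, 0x2B0 and 0x3C0 as other ECUs), timings and the trace itself are constructed for illustration.

```python
from collections import defaultdict


def build_sample_trace():
    """Constructed trace (not a real RAV4 capture): 2 s of normal traffic,
    then 1 s where 0x1A0 is blasted at 20 Hz and every other ECU goes quiet."""
    lines = []
    lines += [f"{k * 0.1:.3f} 2B0#00" for k in range(20)]        # 10 Hz, normal
    lines += [f"{k * 0.2:.3f} 3C0#00" for k in range(10)]        # 5 Hz, normal
    lines += [f"{k * 1.0:.3f} 1A0#00" for k in range(2)]         # 1 Hz, normal
    lines += [f"{2.0 + k * 0.05:.3f} 1A0#01" for k in range(20)]  # injected burst
    return "\n".join(sorted(lines, key=lambda ln: float(ln.split()[0])))


def parse_trace(text):
    """Parse 'timestamp id#hexdata' lines into (seconds, id, payload) tuples."""
    frames = []
    for line in text.strip().splitlines():
        ts, rest = line.split()
        can_id, data = rest.split("#")
        frames.append((float(ts), int(can_id, 16), bytes.fromhex(data)))
    return frames


def window_counts(frames, window):
    """Count frames per CAN ID inside fixed windows of `window` seconds."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, can_id, _ in frames:
        counts[int(ts // window)][can_id] += 1
    return counts


def detect_injection(frames, baseline_seconds=2.0, window=1.0, rate_factor=4.0):
    """Learn per-ID rates from the first `baseline_seconds`, then flag any
    later window where an ID exceeds rate_factor x its baseline while IDs
    that were present in the baseline are missing entirely (bus silenced)."""
    counts = window_counts(frames, window)
    n_base = int(baseline_seconds // window)
    baseline = defaultdict(float)
    for idx in range(n_base):
        for cid, c in counts[idx].items():
            baseline[cid] += c / n_base
    alerts = []
    for idx in sorted(i for i in counts if i >= n_base):
        seen = counts[idx]
        silent = [cid for cid in baseline if cid not in seen]
        for cid, c in seen.items():
            if c > rate_factor * baseline[cid] and silent:
                alerts.append((idx * window, cid, c, silent))
    return alerts
```

On the constructed trace the detector returns a single alert for the third second: ID 0x1A0 at 20 frames per second against a learned rate of 1, with 0x2B0 and 0x3C0 both absent.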

Tabor and Tindell have designed two defenses they say would defeat CAN injection attacks. Tindell said they notified Toyota of the defenses but have yet to receive a response.


Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.
214 Comments
Staff Picks
c
I'm an engineer who worked for several years at an automotive radar company. I can tell you that mfrs are working fast (ish) to have all CANbus messages encrypted. Granted, encryption may only delay the next CAN injection attack until decryption or sniffing is added in.
netblaz
I'm an engineer who worked for several years at an automotive radar company. I can tell you that mfrs are working fast (ish) to have all CANbus messages encrypted. Granted, encryption may only delay the next CAN injection attack until decryption or sniffing is added in.
Do you know any engineers who know if they've fixed this on the airplanes yet? I mean... I assume, but

[Chalk it up there with, "in the unlikely event there ever is a positive leap second, I don't want to be on an airplane when it's applied" -- like, I know I'm being paranoid here. However, given what I've just read...]
H
Keyless entry and start always seemed to me like a solution in search of a problem. Our Camry has a keyless fob and while it’s nice sometimes to not have to reach into my pocket, it doesn’t immeasurably improve my life compared with a standard key.

If anything, keyless entry is a net drain on my time. I never forget the key to my Miata, but I constantly go to get in the Camry only to realize that I left the key in a different jacket.