London-based cybersecurity consultant Ian Tabor bought a new Toyota RAV4 last year. Just weeks later, he tweeted in frustration that vandals had damaged the car, pulling off a piece of trim near the headlights and even pulling out a headlight wire.
Three months later, it happened again. Same headlight.
Two days later, the car was gone. A neighbor’s Toyota SUV disappeared the same night.
It hadn’t been vandals, Tabor realized. Someone was using that specific headlight wire to try to steal the car. Working with friend and fellow cybersecurity expert Ken Tindell, Tabor figured out how thieves did it.
Ars Technica explains, “The research uncovered a form of keyless vehicle theft neither researcher had seen before.”
In a post on his cybersecurity blog, Tindell explains that Tabor began searching the dark web for hints. He “tracked down a web site selling more than a hundred products for by-passing car security, from programming fake key fobs to ‘emergency start’ devices.”
He found one for sale for about 5,000 euros ($5,419), designed to start Toyota and Lexus vehicles. It was ostensibly designed for locksmiths, but it was hidden inside a Bluetooth speaker. The price, Tindell notes, was “eye-watering for an ordinary owner, but for a gang of car thieves,” it’s a small investment.
Called a CAN injector, the device bypasses a car’s security systems and allows thieves to unlock it and start it.
Headlight wires provide easy access
There’s nothing special about headlight wires. They’re just easy to reach and networked into the car’s systems.
Modern cars are highly networked devices. Even the simplest, least-expensive new car can contain hundreds of microchips communicating with one another. They also communicate with their own keys — smart keys and key fobs that allow us to unlock (and sometimes start) our cars remotely.
Even headlights today are complex devices. They contain self-leveling systems and can turn their beams with the steering wheel. European law allows automakers to sell smart headlights that can adapt their beams to avoid blinding oncoming traffic. U.S. law is changing, allowing those headlights here this year.
To power it all, the headlights communicate with other control units in the car. That makes them an easy route for thieves to tap into the car’s controls.
Automakers can solve this problem
The good news, Tindell says, is that the method “can be defeated with a pure software fix, so existing cars can be updated.”
In the short term, automakers could use a software update to disable the device Tabor and Tindell discovered. “It won’t be a permanent fix: the criminal who designed the CAN Injector can then respond with changes, and it will likely start working again. But this can buy time for the next fix,” Tindell says.
In the longer term, zero-trust programming techniques may permanently close the loophole. The researchers have notified Toyota of their discoveries. But Tindell cautions the problem isn’t limited to Toyota and Lexus cars. “Other manufacturers have car models that can be stolen in a similar way.”
How to protect yourself now
For now, owners have limited ability to protect themselves from this new vulnerability. But the old, common-sense anti-theft techniques still apply.
To steal a car through its headlight wires, thieves need enough privacy and time alone with the car to strip off some external trim, fish out wires, connect their device, and let it do its work.
So, to protect your car, don’t give anyone that much time alone with it. Park it indoors or in a well-lighted area with regular foot traffic. Move it regularly, and notify local police if you find any trim pieces missing or dislodged.
We expect automakers to start issuing software updates now that they know about the problem.