Just a m'Headlight Hackers' Are Stealing Cars Via CAN Interferenceoment...
'Headlight Hackers' Are Stealing Cars Via CAN Interference
Using an open headlight and a tool sold on the dark web, thieves can access a vehicle's entire communication system.
By Adrianna Nine April 12, 2023
Car thieves have found a sophisticated new way to snatch vehicles off the streets, and it’s called “headlight hacking.” The method involves accessing a car’s Controller Area Network (CAN) bus, a system that allows multiple devices within a vehicle build to communicate with each other in real time.
Ian Tabor, an automotive cybersecurity researcher, first began tracking the trend last spring. Tabor woke up to find the front bumper missing from his Toyota RAV4 and the headlight wiring plug yanked out. A screwdriver mark indicated that the vandalism had been intentional. Three months later, Tabor found that someone had pulled the bumper away in the middle of the night to unplug the driver’s side headlight. Then, after three days, whoever had been playing the long game with Tabor’s car finished the deed: The RAV4 disappeared from the curb in front of Tabor’s home.
Tweet(opens in a new tab)
Through the Toyota mobile app, Tabor could see that his vehicle was in motion. Shortly after, the same thing happened to his neighbor’s Land Cruiser, prompting the security researcher to dig into how both thefts could’ve occurred. Ideally, both vehicles’ security mechanisms would have stopped a thief in their tracks, but clearly, whoever had stolen the Toyotas knew how to circumvent each one.
In a lengthy technical blog post last week, CAN bus security expert Dr. Ken Tindell documented Tabor’s investigation of the dual theft. As it turns out, thieves have identified the headlight module as an easy entry point into a vehicle’s CAN bus system. By wiring in a tool disguised as a Bluetooth speaker and sold on the dark web, thieves can mimic the vehicle’s key fob. Pressing “play” instructs the vehicle’s door electronic control unit (ECU) to unlock. Since many newer cars offer a remote start function, the fake speaker can also start the ignition. Because the CAN bus interprets each command as one from a key fob, the vehicle’s security systems are none the wiser.
“Headlight hacking” isn’t just a Toyota vulnerability. Most vehicles’ headlights have their own ECUs these days, which is what allows thieves to wire into the entire vehicle’s CAN bus system via relatively minor vandalism. Luckily, the method’s sophistication is also its weak spot; accessing a person’s vehicle this way takes time and involves a special tool, neither of which most thieves have. If you park your vehicle in a secured area or one with heavy traffic, your vehicle will probably still be there in the morning.
Dr. Tindell is advocating for automakers to implement a “zero trust” CAN bus system approach, which would require every inter-ECU message to be encrypted and carry authentication codes. In the meantime, he says automakers could roll out a software update that recognizes the fake speaker and stops its interference.
Using an open headlight and a tool sold on the dark web, thieves can access a vehicle's entire communication system.
By Adrianna Nine April 12, 2023
Car thieves have found a sophisticated new way to snatch vehicles off the streets, and it’s called “headlight hacking.” The method involves accessing a car’s Controller Area Network (CAN) bus, a system that allows multiple devices within a vehicle build to communicate with each other in real time.
Ian Tabor, an automotive cybersecurity researcher, first began tracking the trend last spring. Tabor woke up to find the front bumper missing from his Toyota RAV4 and the headlight wiring plug yanked out. A screwdriver mark indicated that the vandalism had been intentional. Three months later, Tabor found that someone had pulled the bumper away in the middle of the night to unplug the driver’s side headlight. Then, after three days, whoever had been playing the long game with Tabor’s car finished the deed: The RAV4 disappeared from the curb in front of Tabor’s home.
Tweet(opens in a new tab)
Through the Toyota mobile app, Tabor could see that his vehicle was in motion. Shortly after, the same thing happened to his neighbor’s Land Cruiser, prompting the security researcher to dig into how both thefts could’ve occurred. Ideally, both vehicles’ security mechanisms would have stopped a thief in their tracks, but clearly, whoever had stolen the Toyotas knew how to circumvent each one.
In a lengthy technical blog post last week, CAN bus security expert Dr. Ken Tindell documented Tabor’s investigation of the dual theft. As it turns out, thieves have identified the headlight module as an easy entry point into a vehicle’s CAN bus system. By wiring in a tool disguised as a Bluetooth speaker and sold on the dark web, thieves can mimic the vehicle’s key fob. Pressing “play” instructs the vehicle’s door electronic control unit (ECU) to unlock. Since many newer cars offer a remote start function, the fake speaker can also start the ignition. Because the CAN bus interprets each command as one from a key fob, the vehicle’s security systems are none the wiser.
“Headlight hacking” isn’t just a Toyota vulnerability. Most vehicles’ headlights have their own ECUs these days, which is what allows thieves to wire into the entire vehicle’s CAN bus system via relatively minor vandalism. Luckily, the method’s sophistication is also its weak spot; accessing a person’s vehicle this way takes time and involves a special tool, neither of which most thieves have. If you park your vehicle in a secured area or one with heavy traffic, your vehicle will probably still be there in the morning.
Dr. Tindell is advocating for automakers to implement a “zero trust” CAN bus system approach, which would require every inter-ECU message to be encrypted and carry authentication codes. In the meantime, he says automakers could roll out a software update that recognizes the fake speaker and stops its interference.
