As technology advances, so do the methods of malicious individuals seeking to exploit it. A concerning trend in the automotive industry is the injection of code into the Electronic Control Unit (ECU) of vehicles, including the wiring for essential components such as headlights.
These subtle and stealthy actions grant hackers unauthorized access to keyless entry systems, putting vehicle owners at risk of theft and other crimes.
While this vulnerability has been tracked as “CVE-2023-29389” by the security experts, and this vulnerability is currently awaiting analysis.
The discovery of a new Controller Area Network (CAN) injection attack technique was recently made by Ian Tabor in the automotive industry.
Ian Tabor’s investigation into the theft of his Toyota RAV4 led him to uncover this stealthy technique, which could potentially compromise the security of countless vehicles worldwide.
The theft of Ian Tabor’s car is an alarming reminder of the vulnerabilities in the automotive industry’s increasingly interconnected systems.
In his case, hackers gained access to the interconnected system of his vehicle by using a device plugged into a wiring system behind the headlights.
This enabled the hackers to bypass all the security protocols of the car to gain unauthorized control over the vehicle’s functions and steal it without a key.
Following the theft of his vehicle, Ian Tabor utilized the “MyT” telematics system provided by Toyota to investigate the cause of the incident.
MyT telematics system is mainly designed to track Diagnostic Trouble Codes (DTCs) in a vehicle’s system, which can indicate uncertain malfunctions. Tabor unveiled that before the theft; his vehicle had recorded multiple DTCs.
Upon analyzing the Diagnostic Trouble Codes (DTCs) recorded by the “MyT” telematics system, it was found that communication had been lost between the headlight’s ECU and the Controller Area Network (CAN) around the time of the theft.
Unlike traditional wiring systems, which require a separate wire for each device, the CAN bus uses wires twisted together to carry messages between different car parts.
Typically, a car will have several CAN buses joined directly with connectors or through a gateway computer.
The gateway computer copies the CAN messages back and forth between the CAN buses it is connected to, ensuring that all devices on the network can communicate effectively.
ECUs play a critical role in the operation of modern vehicles, controlling a wide range of essential functions.
These sophisticated systems communicate with each other via the CAN bus protocol, exchanging status messages to keep all of the ECUs updated on the ongoing conditions of the vehicle.
However, the use of ECUs and their interconnected nature also creates a potential avenue for cyber attacks, as demonstrated by the theft of Ian Tabor’s vehicle.
The investigation into the theft of Ian Tabor’s vehicle revealed a concerning pattern of multiple system failures within the car.
Diagnostic Trouble Codes (DTCs) recorded by the “MyT” telematics system indicated that other critical systems had also experienced issues besides the headlights.
These alarming findings led Ian Tabor to conclude that there was likely a serious issue with the CAN bus in his vehicle.
Using CAN Injectors to Steal Vehicles
During his online research, Tabor also found ads for “emergency start” vehicle devices and methods for stealing cars.
However, cybersecurity expert Tindell warns that these devices are often marketed with false claims that they are intended for vehicle owners who have lost their keys or for reputable locksmiths.
In his pursuit of understanding how his Toyota RAV4 was stolen, Ian Tabor discovered an “emergency start” device that claimed compatibility with his vehicle. This analysis revealed “CAN injection,” a new form of keyless vehicle theft.
Tabor’s investigation revealed that the CAN injector device he purchased for testing purposes was shockingly simple and inexpensive, consisting of components worth just $10.
The device was even delivered inside a JBL Bluetooth speaker, further underscoring the lack of sophistication required to carry out this cyber attack.
The device consisted of a simple circuit board grafted onto the JBL board and encased in a large blob of resin.
To examine the wiring and chips underneath, Tabor used a heat gun to melt away the resin.
His meticulous analysis determined how the CAN injector was connected to the JBL board and even identified the specific chips used in its construction.
The headlights of the Toyota RAV4 represent a vulnerable point of entry for hackers seeking to gain access to the car’s CAN bus.
Pulling out the bumper allows a person to easily reach the headlight connector and access the vehicle’s internal systems.
The JBL Bluetooth speaker containing the CAN injector features a ‘Play’ button that, when pressed, sends a burst of CAN messages that alters slightly and triggers the door ECU to unlock the car doors.
As a result, the hackers can take advantage of this vulnerability and drive away with the car.
Defeating the CAN Injector
Although a problematic threat to car security, a simple software fix can neutralize the CAN Injector.
With this solution, we can avoid the hassle of installing mechanical steering wheel locks every time we park our cars. Furthermore, this fix applies to existing cars, protecting them from the CAN injection attack technique.
It is important to note that there are two levels of fix, and here they are mentioned below:-
- Quick and dirty
A temporary solution to prevent the CAN Injector attack involves minor adjustments to its current operation.
However, the most important thing to note is that this fix is not “permanent.” The criminals responsible for the CAN Injector attack can quickly modify their device in response to the software fix, rendering it ineffective again.
- Cryptographic messaging
The solution to this issue is to employ encryption and authentication codes to safeguard CAN frames from being tampered with, rendering the CAN Injector incapable of creating valid spoof frames.
If executed appropriately, this would serve as a long-term solution, eliminating the need for a mechanical steering wheel lock at the end of every journey.
All vehicles susceptible to CAN Injection attacks can benefit from these solutions, regardless of the make or model.
Why do Organizations need Unified endpoint management – Download Free E-books & Whitepapers