How thieves steal cars using network bus

erek

CANbus hacked

"Tabor took to the dark web to look for equipment that may have been involved in the theft of his car and found a number of devices targeting the CAN bus. He worked with Noel Lowdon of vehicle forensics company Harper Shaw to look into reverse engineering a contender – a gadget capable of talking to a connected CAN bus and cunningly concealed within a normal-looking Bluetooth smart speaker. The fake speaker comes with cables you insert into an exposed bus connector, you press a button on the box, and it sends the required messages to unlock the car.

Since Tindell had helped develop Volvo's first CAN-based car platform, he was brought in to help understand the gadget's involvement in the car theft. More technical details are provided in the above write-up.

As the automotive industry develops ever more sophisticated tech systems for their vehicles, scumbags find more inventive ways to abuse these systems for their own ends.

Last year, a keyless entry exploit was demonstrated against Honda Civics manufactured between 2016 and 2020. Weak crypto used in the keyless entry system in Tesla's Model S was blamed for the ease with which researchers could gain entry. Back in 2016, security researchers demonstrated how crooks could break into cars at will using wireless signals that could unlock millions of vulnerable VWs. ®"

Source: https://www.theregister.com/2023/04/06/can_injection_attack_car_theft
 
As the automotive industry develops ever more sophisticated tech systems for their vehicles, scumbags find more inventive ways to abuse these systems for their own ends
^^THIS^^

This is just a continuation/expansion of hacking computers in general...and will hopefully lead to some REAL security protocols being invented, not only for cars, but all electronics too..

Nah, that would be TOO easy of a solution :D
 
and will hopefully lead to some REAL security protocols being invented,
I would be content with security protocols being used at all. As it stands, the auto industry is a difficult one, as they very often have a "well, it's your problem now" approach as soon as you buy the car, unless it's an issue that could potentially get them sued big time, in which case they may have some level of recall. But something like the Honda issue I'm sure could have been patched, and even if it wasn't big enough to demand a recall, having a mechanism for the end user to fix the problem may have been helpful. Except maybe Tesla, no cars do firmware updates.
 
Thieves should have their hands smashed with hammers.
But first, pull out their fingernails with pliers, one by one, and pour some acetone or some other toxic chemical on them until they beg for relief, THEN start slowly smashing their hands, one bone at a time :D

"Lock them up, let their pain argue with them" - Patterns of Force, ST-TOS, S2-E21
 
CAN is pretty much the automotive equivalent of Ethernet. It only defines Layers 1 & 2 (physical & data) of the OSI model (in actuality it follows ISO standards). So in the vast majority of scenarios you need physical access to "hack" CAN.

That said, CAN isn't the root cause of the problem. These so-called hackers did the equivalent of breaking into your office/home and installing a trojan device on your wired network. Since physical access to CAN is a matter of finding a twisted pair of wires already connected to the bus, that's exactly what the hackers did. They poked and prodded at various car orifices until they found one. Prior observations of tool marks should have been red flags for the car owner.

Anyway, once the hackers got a trojan horse in the car it seems it was easy from there. CAN is too low level and wasn't designed with security in mind. So it's fairly easy to connect a Raspberry Pi or Arduino device and pretend it's just another device on the bus. It's the higher protocols that should be responsible for establishing security. So typically something like ISO 15765 (OBD-2 port diagnostic devices talk using this) sits on top of CAN at the transport layer (Layer 4 in the OSI model). Most cars have multiple busses, typically one for public data (OBD-2 port) and separate busses for private data (i.e. engine talking to the transmission). In this case, it's highly probable the hackers tapped into the private bus using a reverse engineered Toyota protocol.

So to be more accurate, these so-called hackers were probably just standard car thieves who bought an off-the-shelf device modified to talk Toyota's proprietary protocol (which is probably easily purchasable on the black market). The important thing gathered here is the simplicity and ease of access to such nefarious devices through various means. Probably less than $100 in parts.

TL;DR:

There's nothing inherently wrong with CAN. Give me a crowbar, some tools, and some time and even I can probably hack your car.
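The post above makes the point that CAN itself has no notion of a sender, so any node on the wire can claim to be the body controller, and that authentication has to come from a layer above CAN. The example below (added here, not code from the thread or from any vehicle maker) shows what that layer looks like in the style of AUTOSAR SecOC: each 8-byte frame carries a payload, a truncated freshness counter and a truncated MAC keyed with a secret only the legitimate ECUs hold. The field layout (4-byte payload, 1-byte freshness, 3-byte MAC) and the use of HMAC-SHA256 in place of AES-CMAC are assumptions made so it runs on the standard library alone; the key, CAN ID 0x2C1 and payloads are constructed sample values.

```python
import hmac
import hashlib
import struct

# Assumed layout of the 8-byte classic-CAN data field (mirrors the common SecOC
# profile with an 8-bit truncated freshness value and a 24-bit truncated MAC):
#   [ payload, up to 4 bytes ][ freshness low byte ][ MAC, 3 bytes ]
# HMAC-SHA256 stands in for AES-CMAC purely so the example needs no extra package.
MAC_LEN = 3
FRESH_LEN = 1
MAX_PAYLOAD = 8 - MAC_LEN - FRESH_LEN


def truncated_mac(key: bytes, can_id: int, payload: bytes, freshness: int) -> bytes:
    """MAC over the CAN identifier, the payload and the FULL 32-bit freshness value.

    Binding the identifier in means a valid frame cannot be re-sent under another ID,
    and binding the full counter in means a captured frame cannot be replayed later.
    """
    msg = struct.pack(">I", can_id) + payload + struct.pack(">I", freshness)
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class SecOCSender:
    def __init__(self, key: bytes):
        self.key = key
        self.freshness = 0  # monotonically increasing, never reused for this key

    def build(self, can_id: int, payload: bytes) -> bytes:
        """Return the 8-byte data field for an authenticated frame."""
        if len(payload) > MAX_PAYLOAD:
            raise ValueError("payload too long for an authenticated frame")
        self.freshness = (self.freshness + 1) & 0xFFFFFFFF
        mac = truncated_mac(self.key, can_id, payload, self.freshness)
        return payload + bytes([self.freshness & 0xFF]) + mac


class SecOCReceiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_freshness = 0  # highest counter value accepted so far

    def verify(self, can_id: int, data: bytes):
        """Return the payload if the frame authenticates and is fresh, else None."""
        if len(data) < MAC_LEN + FRESH_LEN:
            return None
        payload = data[: -(MAC_LEN + FRESH_LEN)]
        low_byte = data[-(MAC_LEN + FRESH_LEN)]
        mac = data[-MAC_LEN:]
        # Rebuild the full counter from the transmitted low byte: keep the high bits
        # we already know and assume the frame is newer than the last accepted one.
        # A replayed frame therefore gets checked against a *later* counter value
        # than it was signed with, so its MAC no longer matches.
        candidate = (self.last_freshness & ~0xFF) | low_byte
        if candidate <= self.last_freshness:
            candidate += 0x100
        expected = truncated_mac(self.key, can_id, payload, candidate)
        if not hmac.compare_digest(expected, mac):
            return None  # forged, tampered, wrong ID, or replayed
        self.last_freshness = candidate
        return payload


if __name__ == "__main__":
    key = b"\x11" * 16  # constructed sample key shared by the two ECUs
    tx, rx = SecOCSender(key), SecOCReceiver(key)
    frame = tx.build(0x2C1, b"\x01\x00\x00\x00")
    print("genuine :", rx.verify(0x2C1, frame))   # payload bytes
    print("replayed:", rx.verify(0x2C1, frame))   # None
    print("no key  :", rx.verify(0x2C1, b"\x01\x00\x00\x00\x02\x00\x00\x00"))  # None
```

A node that merely taps the bus can still read every frame and can still jam it, but it cannot produce an accepted unlock payload without the key, and recorded frames stop working once the counter moves on. The truncated counter also sets a caveat: if more than 255 frames from a sender are lost, the receiver's reconstructed counter drifts and a resynchronisation step (outside this example) is needed.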
 
CAN is pretty much the automotive equivalent of Ethernet. It only defines Layers 1 & 2 (physical & data) of the OSI model (in actuality it follows ISO standards). So in the vast majority of scenarios you need physical access to "hack" CAN.

That said, CAN isn't the root cause of the problem. These so-called hackers did the equivalent of breaking into your office/home and installing a trojan device on your wired network. Since physical access to CAN is a matter of finding a twisted pair of wires already connected to the bus, that's exactly what the hackers did. They poked and prodded at various car orifices until they found one. Prior observations of tool marks should have been red flags for the car owner.

Anyway, once the hackers got a trojan horse in the car it seems it was easy from there. CAN is too low level and wasn't designed with security in mind. So it's fairly easy to connect a Raspberry Pi or Arduino device and pretend it's just another device on the bus. It's the higher protocols that should be responsible for establishing security. So typically something like ISO 15765 (OBD-2 port diagnostic devices talk using this) sits on top of CAN at the transport layer (Layer 4 in the OSI model). Most cars have multiple busses, typically one for public data (OBD-2 port) and separate busses for private data (i.e. engine talking to the transmission). In this case, it's highly probable the hackers tapped into the private bus using a reverse engineered Toyota protocol.

So to be more accurate, these so-called hackers were probably just standard car thieves who bought an off-the-shelf device modified to talk Toyota's proprietary protocol (which is probably easily purchasable on the black market). The important thing gathered here is the simplicity and ease of access to such nefarious devices through various means. Probably less than $100 in parts.

TL;DR:

There's nothing inherently wrong with CAN. Give me a crowbar, some tools, and some time and even I can probably hack your car.
So this attack required physically tapping into the car's network, as opposed to a wireless hack? As the old saying goes, "Physical access is game over for security."

I'm admittedly of mixed feelings regarding security implementations in the vehicle's own wired networks, in that it could create vendor lock-in situations and screw the customer out of being able to upgrade from painfully outdated navigation systems and other such features, to say nothing of things like certain cars having ABS modules, battery charge controllers and active suspension systems that require dealer-level scan tools to diagnose and service.

However, keeping scumbags out of someone else's vehicle is also important. Even if they weren't hellbent on stealing the whole vehicle, being able to tap into relatively accessible wiring from the outside to unlock the doors and get inside would already be a serious problem when that permits stealing valuables, planting trackers, or anything else subtly insidious.
 
So this attack required physically tapping into the car's network, as opposed to a wireless hack?
It's possible it was made into a wireless hack after the fact. But the thieves would still have had to install a device with wireless capability. Even if the car normally has wireless devices, that's probably harder to hack. So by installing a trojan horse, they could effectively give a car a wireless attack vector.

I could see this being useful if a thief didn't want to draw too much attention. They could be reading and writing CAN messages from their laptop or cellphone nearby.

I'm still curious as to the details of the attack. Like whether it requires the CAN bus to be powered on. That's going to depend on the attack and even the car model. Most cars are set up to not power on anything until a key cycle event. Only very specific devices are allowed to always draw power for obvious reasons. And you need at least two powered devices to make an active CAN bus.
 
I'm still curious as to the details of the attack. Like whether it requires the CAN bus to be powered on. That's going to depend on the attack and even the car model. Most cars are set up to not power on anything until a key cycle event. Only very specific devices are allowed to always draw power for obvious reasons. And you need at least two powered devices to make an active CAN bus.
As long as +12v is available, someone is listening. All you gotta do is blast out the correct packets and everyone will respond accordingly.
 
It's possible it was made into a wireless hack after the fact. But the thieves would still have had to install a device with wireless capability. Even if the car normally has wireless devices, that's probably harder to hack. So by installing a trojan horse, they could effectively give a car a wireless attack vector.

I could see this being useful if a thief didn't want to draw too much attention. They could be reading and writing CAN messages from their laptop or cellphone nearby.

I'm still curious as to the details of the attack. Like whether it requires the CAN bus to be powered on. That's going to depend on the attack and even the car model. Most cars are set up to not power on anything until a key cycle event. Only very specific devices are allowed to always draw power for obvious reasons. And you need at least two powered devices to make an active CAN bus.


I'll just make up an answer for you. Lights are tied into the alarm\driving system. It's not just 12v of electricity going through the wire. Think of PoE adapters. I knock on your car\pull the handle while locked and the lights flash as a warning which gives a short window to send electrical command(s) back to the ecu.



The easier method is to amplify the signal from the car to where it can reach the keyfob inside. When the keyfob responds with the "It's me you can unlock\start now" they catch that signal and can program it to another key fob\device. Of course now some key fobs fall asleep if motionless and then you have to go hands on.
 
This is old news. Hackers have been working on the CAN bus for years and presenting their findings at Black Hat.
 
So this attack required physically tapping into the car's network, as opposed to a wireless hack? As the old saying goes, "Physical access is game over for security."

Well, stealing a car generally implies that you are going to physically access the vehicle in order to take physical possession of it.
 
As long as +12v is available, someone is listening. All you gotta do is blast out the correct packets and everyone will respond accordingly.
Blast +12V into a CAN bus and you run a real risk of nothing being able to listen again. It is a 5V communication bus. Seen modules survive when exposed to 12V, but only at trace current amounts, i.e. a 12V circuit shorting into the communication lines across corrosion in a connector.

But you are correct, in vehicles with a CAN backbone, wake-up signals are sent from a power master out to others via that BUS.

What's not being mentioned is what direction the industry is going, and how they have responded to investigation like this. Most MFGs are moving away from CAN as a backbone communication bus anyways. It doesn't have the bandwidth or speed to support the amount of data needed for advanced ADAS functions. FlexRay is even getting to be too limited. Ethernet is becoming more common.

As-is anyone with Wireshark and access to pins 6 & 14 of the OBD port can see a diagnostic CAN bus at the minimum. Depending on the vehicle complexity you may get to see the whole CAN bus. It's an open and mandated standard, so at least part of it is very very open by intent. Simply accessing what was laid out for access isn't hacking anything.

Now given that CAN "research" has been going for close to 20 years now, for about the last 10, new designs have been incorporating gateway modules and security off the "internal" CAN busses and only the diagnostic one to that gateway module is left wide open. Gaining access to those other busses, even if CAN, is going to require physical harness access downstream of that Gateway Module, or breaking the encryption of the actual module(s).

Further a lot of this information is actually distributed as training materials for technicians. It's not difficult to find the topology, the pin out and physical locations of modules for any specific vehicle.

When they can demonstrate a hack that is viable via wireless entry point, doesn't require physical access to wiring or OBD port AND can issue control commands to ADAS systems, then they have something. Otherwise you haven't even been able to duplicate what is given to a technician by the MFG.
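The same visibility the post above describes (anyone with a bus tap, Wireshark or candump can watch the frames) is also what a defender or a gateway module gets to work with. The example below is added here and is not code from the thread, from Toyota or from any tool vendor: it parses candump-style log lines and applies two checks a gateway or intrusion detection module can run without any cryptography. It flags identifiers that are not on the allow-list for that bus segment, and it flags a periodic identifier that suddenly arrives much faster than its nominal period, which is what happens when a rogue node starts transmitting a frame the real ECU is still sending. The log lines, the identifiers (0x2C1, 0x7DF, 0x4A3), the 100 ms period and the allow-list are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# candump -L style line: "(timestamp) interface ID#HEXDATA"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


@dataclass
class Frame:
    ts: float
    iface: str
    can_id: int
    data: bytes


def parse_candump(text: str) -> List[Frame]:
    """Parse candump log text into Frame objects; reject lines that do not fit."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised candump line: {line!r}")
        frames.append(
            Frame(float(m["ts"]), m["iface"], int(m["id"], 16), bytes.fromhex(m["data"]))
        )
    return frames


def detect_anomalies(
    frames: List[Frame],
    expected_period: Dict[int, float],
    allowed_ids: Set[int],
    tolerance: float = 0.5,
) -> List[Tuple[float, int, str]]:
    """Return (timestamp, can_id, reason) alerts.

    'unknown-id': identifier not permitted on this segment (a gateway would drop it).
    'too-fast'  : a periodic identifier arrived in less than `tolerance` times its
                  nominal period, the signature of a second transmitter on the bus.
    """
    alerts: List[Tuple[float, int, str]] = []
    last_seen: Dict[int, float] = {}
    for f in frames:
        if f.can_id not in allowed_ids:
            alerts.append((f.ts, f.can_id, "unknown-id"))
            continue
        period = expected_period.get(f.can_id)
        if period is not None and f.can_id in last_seen:
            gap = f.ts - last_seen[f.can_id]
            if gap < period * tolerance:
                alerts.append((f.ts, f.can_id, "too-fast"))
        last_seen[f.can_id] = f.ts
    return alerts


# Constructed sample capture: 0x2C1 is a legitimate 100 ms periodic frame, the
# frame at .230 is an extra transmission from a second node, 0x7DF is the OBD-II
# functional request ID, and 0x4A3 is an identifier this segment never carries.
SAMPLE_LOG = """
(1680000000.000000) can0 2C1#0A00000000000000
(1680000000.100000) can0 2C1#0A00000000000000
(1680000000.200000) can0 2C1#0A00000000000000
(1680000000.230000) can0 2C1#FF00000000000000
(1680000000.300000) can0 2C1#0A00000000000000
(1680000000.310000) can0 7DF#0201050000000000
(1680000000.320000) can0 4A3#0000000000000000
(1680000000.400000) can0 2C1#0A00000000000000
"""
ALLOWED_IDS = {0x2C1, 0x7DF}          # constructed allow-list for this segment
EXPECTED_PERIOD = {0x2C1: 0.100}      # constructed nominal period in seconds


def run_sample() -> List[Tuple[float, int, str]]:
    return detect_anomalies(parse_candump(SAMPLE_LOG), EXPECTED_PERIOD, ALLOWED_IDS)


if __name__ == "__main__":
    for ts, can_id, reason in run_sample():
        print(f"{ts:.6f}  0x{can_id:03X}  {reason}")
```

The timing check is the part that matters for the "pretend to be another device" scenario in the thread: a rogue node cannot stop the real ECU from transmitting, so the same identifier appears more often than its schedule allows. Real deployments learn the per-ID period from a clean baseline rather than hard-coding it, and treat a sustained burst as a reason to isolate the segment, not just to log it.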
 
Blast +12V into a CAN bus and you run a real risk of nothing being able to listen again. It is a 5V communication bus. Seen modules survive when exposed to 12V, but only at trace current amounts, i.e. a 12V circuit shorting into the communication lines across corrosion in a connector.
I meant the battery is hooked up and the system has power and ground, not hitting the canbus with +12v.
 
This is old news. Hackers have been working on the CAN bus for years and presenting their findings at Black Hat.

The difference here is that many more devices are now connected to the CAN bus. In the past, your headlights would have a simple on/off power signal controlled by the BCM. The CAN bus lines would generally only be accessible with the doors and/or hood open. Now the headlights and other things have a general power supply and CAN connection so the lights effectively control themselves, but it opens up a relatively easy entry point. No need to break the hood or doors open when you can pop a headlight out more inconspicuously.
 
The difference here is that many more devices are now connected to the CAN bus. In the past, your headlights would have a simple on/off power signal controlled by the BCM. The CAN bus lines would generally only be accessible with the doors and/or hood open. Now the headlights and other things have a general power supply and CAN connection so the lights effectively control themselves, but it opens up a relatively easy entry point. No need to break the hood or doors open when you can pop a headlight out more inconspicuously.
I have yet to own a vehicle that doesn't need you damn near to drop the engine to remove the headlamp lol.
 
I have yet to own a vehicle that doesn't need you damn near to drop the engine to remove the headlamp lol.

If you just want the car for parts, and don't mind having one broken headlight and/or some minor body damage, then a prybar should be more than adequate to remove it from the outside.

For instance about 20 years ago I had an aftermarket radio in my car. Someone got into the car and literally ripped half of the dash off to get to the radio. They did it in the middle of the night without waking anyone up.
 
If you just want the car for parts, and don't mind having one broken headlight and/or some minor body damage, then a prybar should be more than adequate to remove it from the outside.
That's fair. Though in that regard, cars have always been easy to steal. Security has never been a design goal for them.
 
The difference here is that many more devices are now connected to the CAN bus. In the past, your headlights would have a simple on/off power signal controlled by the BCM. The CAN bus lines would generally only be accessible with the doors and/or hood open. Now the headlights and other things have a general power supply and CAN connection so the lights effectively control themselves, but it opens up a relatively easy entry point. No need to break the hood or doors open when you can pop a headlight out more inconspicuously.
You are not popping a headlight out inconspicuously. Especially without opening a hood, and possibly removing a bumper.

Secondly, while I might expect to find a CAN connection on an active matrix headlight (European in general), for everyone else, if there is a databus connection, it'll be LIN bus or a similar lower speed protocol connection that requires minimal wiring.
 
You are not popping a headlight out inconspicuously. Especially without opening a hood, and possibly removing a bumper.

Secondly, while I might expect to find a CAN connection on an active matrix headlight (European in general), for everyone else, if there is a databus connection, it'll be LIN bus or a similar lower speed protocol connection that requires minimal wiring.
If you read the article, they were able to get into a Toyota RAV4 SUV CAN bus through the headlight. Admittedly I'm not an automotive engineer but I would tend to think LIN would be reserved for non-safety-critical features. I have only limited experience interfacing with CAN bus for things like steering wheel buttons.

Breaking a plastic headlight assembly would certainly be quieter than breaking a glass window. From the sound of it, at least from the article, it seems that the thieves probably did this quietly over a couple of nights (first loosen up the assembly then come back, pop it out, and interface).
 
I think car hardware needs to be made like game console hardware.

Even with hacking, to get to the low level access it takes tons of work.
 
I think car hardware needs to be made like game console hardware.

Even with hacking, to get to the low level access it takes tons of work.
Makes it harder for me to repair it. I'm not sure why all this stuff had to go electronic in the first place...oh right, because people want fart noises
 
If you read the article, they were able to get into a Toyota RAV4 SUV CAN bus through the headlight. Admittedly I'm not an automotive engineer but I would tend to think LIN would be reserved for non-safety-critical features. I have only limited experience interfacing with CAN bus for things like steering wheel buttons.

Breaking a plastic headlight assembly would certainly be quieter than breaking a glass window. From the sound of it, at least from the article, it seems that the thieves probably did this quietly over a couple of nights (first loosen up the assembly then come back, pop it out, and interface).
More likely they are accessing via a wheel well, then the connector for the headlight module.

But honestly this is more of lazy ass engineering on Toyota's part than anything else. There is no reason why you need to have the headlights on a backbone CAN network.
 