Automotive security experts have uncovered a novel method for stealing cars by breaking into their control systems through a headlight. 

The key (so to speak) is the Controller Area Network (CAN) bus, the Internet of Things (IoT) protocol through which devices and microcontrollers in a vehicle communicate with one another. It’s basically the car’s on-board, local communications network that cyberattackers can subvert to potentially stop and start the car, open doors and windows, play around with the radio, and much more.

While car hacking is hardly new, in a blog post published April 3, Ken Tindell, CTO of Canis Automotive Labs, described how attackers manipulated an Electronic Control Unit (ECU) in a Toyota RAV4’s headlight to gain access to its CAN bus, through which they were able to, ultimately, steal the vehicle. That’s an approach that hasn’t been seen before. Once connected via the headlight, they hacked their way into the CAN bus — responsible for functions like the parking brakes, headlights, and smart key — through a gateway and then into the powertrain panel, wherein lies the engine control.

This type of CAN injection will require manufacturers to rethink control network security in their vehicles, he warns.

“When you’re a car engineer,” Tindell tells Dark Reading, “you’re trying to solve all sorts of problems: minimizing the wiring, reliability, cost. You’re not thinking ‘cyber, cyber, cyber’ all the time.”

“We’re not wired that way,” he says. “Forgive the pun.”

Cyber Theft Auto

On April 24 last year, Ian Tabor woke up to find that his Toyota RAV4’s front bumper and left headlight had been manhandled, while it was parked out on the street in London.

One month later, those same areas of the car were again obviously tampered with. Tabor didn’t realize the full scope of the sabotage until it was too late.

One day, the vehicle was gone.

Tabor, it should be noted, is an automotive security consultant. The irony was not lost on Tabor’s friend, Tindell. “When I first read his tweet, I thought: someone’s making a point,” he says. “But no, not at all.”

Tindell, it turned out, was in a unique position to help. He’d helped develop the first CAN-based platform for Volvo vehicles — experience directly applicable here, given that the CAN bus proved to be the RAV4’s key weakness.

How Hackers Typically Steal Cars

To break into a modern vehicle, the key is usually … the key.

“The car is defended with the key,” Tindell explains. “The wireless key is a perimeter defense. It talks to an engine control unit (ECU), which asks: ‘Are you the real key?’ The key responds: ‘Yeah.’ Then the message goes to the engine immobilizer: ‘Okay, the owner’s here with the key.'”

To breach this line of communication, thieves have historically opted for so-called “relay attacks.” Using a handheld radio relay station, attackers can beam a car’s authentication request to its associated smart key, presumably lying in a nearby home. The key responds, and the car accepts the message because it is, in the end, valid.

Attuned to this, manufacturers now commonly design keys to go to sleep after a few minutes of inaction. Owners with keys that don’t go to sleep can store them inside of a radio-impenetrable metal box.

Other attack types include subverting mobile apps, and making use of flaws in the infotainment systems of cars — the latter of which became a lightning rod for reform after the famed hack of the 2014 Jeep Cherokee by Charlie Miller and Chris Valasek back in 2015. In that case, the discovery of a wide open cellular comms port 6667 ultimately led to their ability to control the Jeep’s steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.

Most of these attack paths are now known and beginning to be accounted for in car design, so criminals need a new method for breaching the vehicle’s control system, Tindell says.

How CAN Injection Attack Works

Sometimes, the least technical solution yields the best results.

Tabor’s attackers, rather than toying with the communications system, physically breached the CAN bus. They tore out the wiring connecting the left headlight to the bus, and inserted a specialized device in its place.

CAN injector devices can be quite simple, actually. Tabor was able to purchase one on the Dark Web that looks like a JBL speaker, made up of components costing around $10.

Image: A CAN injector. Source: Canis CTO blog.

With their CAN injector, the attackers moved laterally through the RAV4’s control network, from the headlight’s bus segment to the ECUs that govern the engine. Then, they drove off.

Automakers Need to Address CAN Injection

CAN injection is made simpler by the fact that, as Tindell notes, “there are no defenses inside once you’ve got through the perimeter.” Unlike the communications between key and car — which are heavily encrypted, due to the obvious risk of interception — messages relayed through the wiring harness are unguarded.

Part of the issue is when these control systems were designed. “The platform takes about four years to develop, and then the platform lives for about 10,” he explains, “so these cars were conceived in, like, 2015, even 2012, long before this kind of stuff was at the top of the agenda. Even relay attacks hadn’t been done then.”

Software upgrades can help address modern attack methods in the short term, but “they’re not perfect, because if you crack a vulnerability in the ECU firmware, you could then get to the keys and such.”

Already, though, emerging platforms are promising more comprehensive security. “New car projects I’m familiar with have got encryption inside the CAN bus to deal with this,” Tindell says. “And there’s hardware coming along with security modules on-chip.”
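The two passages above describe the root cause (frames on the wiring harness are trusted on sight, so a device spliced in at the headlight can speak for the smart-key ECU) and the fix Tindell alludes to (cryptographic protection inside the CAN bus). The following is an added illustration of both, written for this page; it is not code from Canis, Toyota or any vehicle platform. It assumes a hypothetical CAN ID 0x0B1 for the “key authenticated” message, a constructed shared secret, and a classic 8-byte frame carrying a 2-byte payload, a 2-byte freshness counter and a 4-byte truncated HMAC tag. That layout is a simplification of the general shape standardized by AUTOSAR SecOC (truncated MAC plus freshness value); real deployments use per-vehicle provisioned keys and longer freshness counters.

```python
"""
Simplified model of an unguarded CAN consumer versus one that requires an
authenticated, fresh frame. Added illustration, not vendor code.
Assumptions (not from the article): CAN ID, secret, and frame layout below.
"""
import hashlib
import hmac
from dataclasses import dataclass

KEY_OK_ID = 0x0B1                                   # hypothetical ID: "smart key validated"
SHARED_SECRET = b"constructed-demo-secret-not-real"  # constructed; real keys are provisioned per vehicle
TAG_LEN = 4                                         # MAC bytes that fit in an 8-byte classic CAN frame


@dataclass
class CanFrame:
    can_id: int
    data: bytes  # at most 8 bytes on classic CAN


def unguarded_immobilizer(frame: CanFrame) -> bool:
    """Legacy behaviour the article describes: any frame with the right ID is trusted."""
    return frame.can_id == KEY_OK_ID and frame.data[:1] == b"\x01"


def compute_tag(can_id: int, counter: int, payload: bytes, secret: bytes) -> bytes:
    """Truncated HMAC-SHA256 over (ID, freshness counter, payload)."""
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(2, "big") + payload
    return hmac.new(secret, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_auth_frame(counter: int, payload: bytes, secret: bytes = SHARED_SECRET) -> CanFrame:
    """Sender side: 2-byte payload || 2-byte counter || 4-byte tag = 8 bytes."""
    if len(payload) != 2 or not 0 <= counter < 0x10000:
        raise ValueError("payload must be 2 bytes and counter must fit in 16 bits")
    tag = compute_tag(KEY_OK_ID, counter, payload, secret)
    return CanFrame(KEY_OK_ID, payload + counter.to_bytes(2, "big") + tag)


class AuthImmobilizer:
    """Receiver side: verifies the tag and enforces a strictly increasing counter."""

    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, frame: CanFrame) -> bool:
        if frame.can_id != KEY_OK_ID or len(frame.data) != 8:
            return False
        payload = frame.data[:2]
        counter = int.from_bytes(frame.data[2:4], "big")
        tag = frame.data[4:]
        if counter <= self.last_counter:
            return False  # replayed or stale frame
        expected = compute_tag(KEY_OK_ID, counter, payload, self.secret)
        if not hmac.compare_digest(tag, expected):
            return False  # forged: sender did not hold the secret
        self.last_counter = counter
        return payload[:1] == b"\x01"


def demo() -> dict:
    """Run the same frames past both consumers and report who accepts what."""
    imm = AuthImmobilizer()
    # Constructed frames: an injected one with no secret, a genuine one, and one made with a wrong secret.
    spoof = CanFrame(KEY_OK_ID, b"\x01" + b"\x00" * 7)
    genuine = build_auth_frame(counter=1, payload=b"\x01\x00")
    wrong_secret = build_auth_frame(counter=2, payload=b"\x01\x00", secret=b"guess")
    return {
        "legacy_accepts_spoof": unguarded_immobilizer(spoof),
        "auth_accepts_spoof": imm.accept(spoof),
        "auth_accepts_genuine": imm.accept(genuine),
        "auth_accepts_replay": imm.accept(genuine),
        "auth_accepts_wrong_secret": imm.accept(wrong_secret),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the counter check is that authentication alone is not enough on a shared bus: a recorder could capture a legitimate “key validated” frame and replay it later, so the receiver must also reject anything not newer than what it has already accepted. The 16-bit counter here wraps quickly; a production design needs a wider freshness value and a resynchronization procedure, which is exactly the kind of detail the article says was not on the agenda when these platforms were conceived.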

Enhanced CAN bus security will help car owners feel safer, though they’ll have arrived too late for Tabor.

“The mighty Toyota tracking system lost touch with his car after some time,” Tindell reports, “and then it was never seen again.”

Source: www.darkreading.com