Gone in a Minute or So: How a Headlight Leads to a CAN Bus Injection Attack and a Stolen Vehicle

Dr. Ken Tindell, chief technology officer of Canis Automotive Labs, has written up some detective work on why exactly a friend's car had its headlights tampered with — and how that led to it being stolen in the night using a CAN bus injection attack.

"In April 2022, my friend Ian Tabor tweeted that vandals had been at his car, pulling apart the headlight and unplugging the cables," Tindell explains by way of background. "It seemed like pointless vandalism, the kind of thing that makes it impossible to have nice things. Then three months later it happened again. This time the bumper was pulled away and the headlight unplugged. But it turned out neither incident was vandalism, because a couple of days later the car was gone. And it looks like the headlight was how it was stolen."

Stealing a car via its headlight might seem ridiculous, but Tabor and Tindell worked together to discover exactly what was going on — starting with error alerts in the telematics system. "It turns out that around the theft of the car, Ian's car dropped a lot of DTCs [Diagnostic Trouble Codes]," Tindell says — a key clue on exactly how the car, factory-fitted with an immobilizer which should prevent it moving without a valid key fob, was stolen.

"In the front of the [Toyota] RAV4 there is an ECU [Engine Control Unit] that controls the lights," Tindell explains. "The DTCs showed that communication with the lighting control ECU was lost. This isn’t surprising since the thieves had ripped the cables out of it. But the DTCs also showed that lots of systems had failed: the control of the front cameras, the hybrid engine control system, and so on. How could that be? This was the next clue: the ECUs probably hadn't failed, but rather the communication to them had been lost, and the diagnostics had flagged this as a fault. The common factor: CAN bus."

Removing the headlight from the front of the vehicle, it turns out, provides handy access to wiring which links in to the CAN bus. Further snooping revealed that unnamed sites on the dark web will happily take a few thousand dollars in exchange for a device which looks like a Bluetooth speaker but which can actually be wired into the CAN bus through these relatively easily-accessible wires in order to carry out an attack which unlocks the vehicle and starts the engine — no key fob required.

"[The device] looks just like a JBL Bluetooth speaker," Tindell found, after purchasing one for experimentation. "And inside it mostly still is (it’s missing the speaker). The CAN Injector is grafted on to the JBL circuit board, enclosed in a big blob of resin. It turns out it’s about $10 of components: a [Microchip] PIC18F chip that contains CAN hardware, plus software pre-programmed into the chip (known as firmware), a CAN transceiver (a standard CAN chip that turns digital signals from the CAN hardware on the PIC18F into the analog voltages sent on CAN wires), and an extra circuit connected to the CAN transceiver."

Once wired into the CAN bus via the wires previously hidden behind the headlight, the injector overrides genuine signals in order to fool the vehicle into thinking a genuine key fob has been presented. A press of the play button on the "speaker" alters the messaging to unlock the door, and then it's just a case of getting inside the vehicle and pressing a button to start the engine and drive off. It's an ugly, noisy approach, Tindell found, hence the DTC messages on the telematics log — but it's certainly effective, with the entire theft taking just a few minutes to complete.

Tindell has described two possible fixes for what is, on the face of it, a pretty major security flaw. The first is simple, and could be carried out via a software update: disabling the vehicle's smart key unlock system if there have been recent errors on the CAN bus. A proper fix, meanwhile, would require what Tindell describes as a "zero trust approach to CAN" — the addition of a hardware security module which could cryptographically guarantee messages received on the CAN bus are genuine.

Tindell's full write-up is available on the Canis Automotive Labs website, along with a call for assistance from anyone willing to allow the pair to experiment on a real Toyota RAV4 or who could help dump the protected firmware from the PIC18F microcontroller in the attack device.

Toyota was contacted for comment on the vulnerability, but had not responded by the time of publication.