Researchers have recently revealed that a hacking device can allow thieves to steal a wide range of car models using an attack method named Controller Area Network (CAN) injection. Automotive cybersecurity experts at the EDAG Group and Canis Automotive Labs started analyzing these attacks after one of the researchers, Tabor, had his 2021 Toyota RAV4 stolen last year. The car was actually stolen on two occasions. He found that someone had pulled apart his headlight and unplugged the cables. What initially appeared to be vandalism was in fact part of an attempt to steal the popular SUV.
Specifically, the thieves pulled off the bumper and unplugged the headlight cables to reach wires connected to an Electronic Control Unit (ECU) responsible for the vehicle’s smart key. Tabor’s investigation showed that the thieves had likely connected a special hacking device that allowed them to unlock the vehicle and drive away.
Such hacking devices can be acquired on dark web sites for up to US$5,500, and they are often advertised as ‘emergency start’ devices for vehicle owners who have lost their keys or for automotive locksmiths. In the case of the device designed for Toyota cars, the electronics responsible for hacking the vehicle are hidden inside a Bluetooth speaker case.
The hacking device is designed to conduct what the researchers call a CAN injection attack, and such devices appear to be increasingly used by auto thieves. More generally, injection vulnerabilities allow attackers to insert malicious inputs into an application or relay malicious code through an application to another system. Injection involves four prevalent attack types: OGNL injection, Expression Language injection, command injection, and SQL injection. During an injection attack, untrusted inputs or unauthorized code are “injected” into a program and interpreted as part of a query or command, altering the program and redirecting it for a nefarious purpose.
Injection attacks can include calls to the operating system via system calls, to external programs via shell commands, or to backend databases using SQL (i.e., SQL injection). Whenever an application uses an interpreter, there is a risk of introducing an injection vulnerability. Whole scripts written in Perl, Python, and other languages can be injected into a poorly designed application and then executed, giving the attacker control over its behavior.
The researchers analyzed diagnostic data from Tabor’s stolen RAV4 and one of these CAN injection devices to see how the attack works. Modern cars have several ECUs, each responsible for a different system, such as headlights, climate control, telematics, cameras, engine control, and the smart key that unlocks and starts the vehicle. The ECUs are connected to one another through CAN buses.
The attacker does not need to connect directly to the smart key ECU. Instead, they can reach the smart key ECU from the wires connected to, for example, the headlight if the headlight and the smart key ECU are on the same CAN bus.
Once the hacking device is connected to the headlight wires, it can send a specially crafted CAN message that tells the smart key receiver ECU that the key is validated, followed by another crafted CAN message to the door ECU to unlock the door. This allows the thieves to get into the car and drive away. The attack could be carried out by connecting the device to other CAN wires, but the ones in the headlight are often the most accessible, and connecting to them does not cause much damage to the car, which would lower its value.
While in this case, the stolen vehicle was a Toyota, and the hacking device tested by the researchers is specifically designed for Toyota cars, the problem is not specific to Toyota. Similar hacking devices for sale to car thieves target many brands, including BMW, GMC, Cadillac, Chrysler, Ford, Honda, Jaguar, Jeep, Maserati, Nissan, Peugeot, Renault, and Volkswagen.
The researchers reported their findings to Toyota without much success, since it is not a vulnerability disclosure. Nevertheless, they believe all vehicle makers should read their reports and take action to prevent CAN injection attacks; the recent report contains recommendations that manufacturers can apply to prevent such attacks.
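As an added example (not code from the researchers’ report, Toyota, or any vehicle maker), the following Python models the message-authentication countermeasure that AUTOSAR SecOC-style designs apply to CAN: the sending ECU appends a freshness counter and a truncated MAC to each frame, so a frame injected from the headlight wiring without the shared key, or a replay of a genuine frame, is rejected by the receiving ECU. The arbitration ID, payload, frame layout and key are constructed assumptions.

```python
import hashlib, hmac, struct

# Constructed demo values: a placeholder arbitration ID and payload, not a real
# Toyota CAN ID or message format, and a throwaway shared key for the example.
SMART_KEY_ID = 0x123
KEY_VALID = b"\x01\x00\x00\x00"          # "key validated" status, 4 bytes
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Assumed 8-byte CAN data-field layout (SecOC-style, an assumption for this example):
#   bytes 0-3  application payload
#   byte  4    low 8 bits of a monotonically increasing freshness counter
#   bytes 5-7  truncated HMAC-SHA256 over (arbitration ID, payload, full counter)

def mac(key, can_id, payload, counter):
    """Compute the 24-bit truncated MAC that binds payload, ID and freshness counter."""
    msg = struct.pack(">I", can_id) + payload + struct.pack(">Q", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:3]

def build_frame(key, can_id, payload, counter):
    """Sender side: what a legitimate smart key ECU would put on the bus."""
    return payload + bytes([counter & 0xFF]) + mac(key, can_id, payload, counter)

class Receiver:
    """Receiver side (e.g. the door ECU): accepts only fresh, correctly authenticated frames."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0            # per arbitration ID in a real ECU; one ID here

    def accept(self, can_id, data):
        if len(data) != 8:
            return False
        payload, ctr_lo, tag = data[:4], data[4], data[5:]
        # Rebuild the full counter from its low byte; it must be strictly newer than the last one.
        candidate = (self.last_counter & ~0xFF) | ctr_lo
        if candidate <= self.last_counter:
            candidate += 0x100
        if not hmac.compare_digest(tag, mac(self.key, can_id, payload, candidate)):
            return False                 # forged (no key) or replayed (stale counter) frame
        self.last_counter = candidate
        return True

def demo():
    """Returns acceptance results: legitimate, replayed, injected-without-key, next legitimate."""
    rx = Receiver(SHARED_KEY)
    legit = build_frame(SHARED_KEY, SMART_KEY_ID, KEY_VALID, 1)
    forged = KEY_VALID + bytes([2]) + b"\x00\x00\x00"   # injected frame with no valid MAC
    return [rx.accept(SMART_KEY_ID, legit),
            rx.accept(SMART_KEY_ID, legit),
            rx.accept(SMART_KEY_ID, forged),
            rx.accept(SMART_KEY_ID, build_frame(SHARED_KEY, SMART_KEY_ID, KEY_VALID, 2))]
```

A 24-bit MAC is the kind of truncation an 8-byte classic CAN frame forces; the key point is that bus access alone no longer lets an injected frame pass the receiver's check.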
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com