smart car thieves use CAN injection

[madires]

Media:
  CAN do attitude: How thieves steal cars using network bus (https://www.theregister.com/2023/04/06/can_injection_attack_car_theft)

The whole story:
  CAN Injection: keyless car theft (https://kentindell.github.io/2023/04/03/can-injection/)

[Ed.Kloonk]

In the 1980's, after-market car security products peaked and they worked on the principle of immobilisation since the factory 'security' proved inadequate.

It seems that we are back to square one in terms of relying on the car manufactures inbuilt anti-theft technology.

Whilst it's been well-documented how a 0.40c defective part can force the car to refuse to start, after-market immobilisation should be a cinch.

Bonus points awarded if you can also present to the thief a message on the dash, such as the cryptic "Faulty Gigafub sensor. Contact dealer."

[BradC]

My current vehicle is 16 years old, has 19 ECUs on 3 different CAN busses. It's hard enough keeping the bloody thing running without talking about how it might be further secured by making the technology more complex.

I do know the current immobilisation system requires the cooperation of 3 separate ECUs, can't be bypassed with message spoofing, and absolutely requires the use of a correct key with its transponder. I do know however that there is a vulnerability that allows a new transponder to be enrolled via CAN, so it's not foolproof. It just takes a better equipped fool.

Of course the switch in series with the high pressure fuel pump control valve power source guarantees a no-start, but that's certainly "after-market".

[Stray Electron]

   It amazes me as to how the auto manufacturers can get away with charging thousands of dollars for ECUs, transponders and computers in modern vehicles but they're EASY to steal.  A simple old fashioned ignition system NO computers but with a physical key was 100 times more theft proof.  I'm surprised that the FTC or some other agency and/or the major auto insurance carriers, hasn't filed class action lawsuit against the auto manufacturers with regard to today's extremely POOR security systems.  There's no excuse for the auto companies to take YEARS to modify their security systems after the vulnerabilities of that system become well known.

  IMO the auto insurance companies need to test auto security systems and rate them just like they do crash worthiness.

   The auto security systems need to be removed from the CAN bus and have it's own set of sensors and immobilizers.

[langwadt]

   It amazes me as to how the auto manufacturers can get away with charging thousands of dollars for ECUs, transponders and computers in modern vehicles but they're EASY to steal.  A simple old fashioned ignition system NO computers but with a physical key was 100 times more theft proof.

bollocks, an old fashioned ignition system just need a screwdriver or shorting the right wires

[madires]

Hidden switch for the fuel pump?

[themadhippy]

Hidden switch for the fuel pump

hidden in plain view,little  chance of yer car thief turning on the heated mirrors whilst searching for the hidden immobiliser switch

[langwadt]

Hidden switch for the fuel pump

hidden in plain view,little  chance of yer car thief turning on the heated mirrors whilst searching for the hidden immobiliser switch

I know a guy that added that car wouldn't start unless you did a certain sequence of switches and opening an closing the door

[ejeffrey]

Hidden switch for the fuel pump?

Sure you can do that to your vehicle.  But ford can't since it won't be hidden after the first person buys one.

They way this is going to be solved it with TPMs and encrypted / signed can bus messages so that unauthorized devices can't communicate. Of course this is going to make aftermarket parts unusable, so when your headlamp goes out you will need to buy a manufacture authorized replacement. 

[langwadt]

Hidden switch for the fuel pump?

Sure you can do that too your vehicle.  But ford can't since it won't be hidden after the first person buys one.

They way this is going to be solved it with TPMs and encrypted / signed can bus messages so that unauthorized devices can't communicate. Of course this is going to make aftermarket parts unusable, so when your headlamp goes out you will need to buy a manufacture authorized replacement.

already parts that will only work when blessed by the right tools and sometimes it is a onetime process so the part is useless except in that specific car

[SiliconWizard]

The fact that CAN messages themselves aren't protected is a key security issue. Possibly even a safety issue if there is any way of "spoofing" CAN communication while the vehicle is on the road.

Use SSH for your CAN communications.
(But not a buggy implementation with backdoors.)

[JPortici]

Media:
  CAN do attitude: How thieves steal cars using network bus (https://www.theregister.com/2023/04/06/can_injection_attack_car_theft)

The whole story:
  CAN Injection: keyless car theft (https://kentindell.github.io/2023/04/03/can-injection/)

So it's finally in the media?
Those "in the know" have been aware of this toyota peculiarity for years  in south africa it takes about ten to fifteen seconds to steal one of these. If i look on my history i can probably find the russian/belarusian/whatever website that seel the tools that let you unlock "your own car" that you can use "for science" 
The problem is not in canbus, the problem is that toyota put an ECU with access to the main safety bus behind a wheel cover that you can remove without tools

  IMO the auto insurance companies need to test auto security systems and rate them just like they do crash worthiness.

and what makes you think that they don't do that already?

They way this is going to be solved it with TPMs and encrypted / signed can bus messages so that unauthorized devices can't communicate. Of course this is going to make aftermarket parts unusable, so when your headlamp goes out you will need to buy a manufacture authorized replacement.

and what makes you think that they don't do that already? Ever had to replace a LED headlight? soon you won't even be able to change a digital sensor because it sends a different serial number over the bus (this, i speculate because we haven't had to replace one yet, and you don't really replaces sensors these days, but i wouldn't be surprised). That still doesn't prevent stupid mistakes like being able to access the main canbus line from the outside of the vehichle

[Halcyon]

I've seen some pretty ingenious designs for hidden compartments used to store firearms and other illegal items/substances in vehicles.

Some of the more comprehensive ones involved setting certain switches/dials to particular positions and also used a combination of a magnetic reed sensor to open compartments. The same could be wired up to some vital component of the vehicle to prevent starting/running (such as the fuel pump as others have suggested).

[james_s]

I've never owned a car that had a CAN bus and I've never liked keyless ignition. A friend of mine dropped off his wife somewhere with her driving initially, he drove off and stopped somewhere else, then realized his wife had the fob and he couldn't restart the car. It always seemed to me like a solution in search of a problem, putting a physical key in the ignition never seemed like that much of a burden.

With all the fancy electronics in cars these days you'd think something like an airtag or GPS tracker built into the computer would be standard. Also it would be nice if car theft were sufficiently punished to make it a deterrent. In the old West they used to hang horse thieves, when you steal someone's transportation you're stealing their livelihood and their freedom. It's a serious crime that can have an enormous cost on the victim and yet we have people arrested numerous times for it that are back out right away stealing more cars. It's no wonder it's becoming more and more common when there are no consequences to speak of.

[ejeffrey]

and what makes you think that they don't do that already?

Chill out, your whole post is unnecessarily confrontational without adding much.  And yes, I'm aware of how you need to do coding changes when replacing many parts on modern cars.  My point was that this sort of attack is going to accelerate that process, not cause it to reverse and lead to less electronic / more mechanical cars.  If for no other reason than mechanical ignition is trivial to hotwire.

Ever had to replace a LED headlight? soon you won't even be able to change a digital sensor because it sends a different serial number over the bus (this, i speculate because we haven't had to replace one yet, and you don't really replaces sensors these days, but i wouldn't be surprised). That still doesn't prevent stupid mistakes like being able to access the main canbus line from the outside of the vehichle

Sure it does.  I'm not talking about serial number coding, as you point out that happens already.  I'm saying that in a matter of years the CAN bus will be encrypted, every CAN module will be required to have a root-of-trust system and secure key storage.  If your probe doesn't use a valid key recognized by the system it won't be able to send or receive CAN messages.  This won't prevent all attacks, but attacks will be about compromising a specific module rather than attacking the network.  Even then, if you compromise the headlamp module, that won't necessarily let you send key fob messages.

It will take some time, but it's already in progress.  It's a bit complicated by the shared bus nature of CAN and the reliability needed, especially for low speed CAN, so it will probably happen in stages.

[ejeffrey]

With all the fancy electronics in cars these days you'd think something like an airtag or GPS tracker built into the computer would be standard.

Definitely a lot of cars have that -- basically anything with a cellular connection can send tracking data.  I'm assuming that at least this level of professional thieves either know how to disable them or block the GPS until they are done with it.

[JPortici]

and what makes you think that they don't do that already?

Chill out, your whole post is unnecessarily confrontational without adding much.  And yes, I'm aware of how you need to do coding changes when replacing many parts on modern cars.  My point was that this sort of attack is going to accelerate that process, not cause it to reverse and lead to less electronic / more mechanical cars.  If for no other reason than mechanical ignition is trivial to hotwire.

Ever had to replace a LED headlight? soon you won't even be able to change a digital sensor because it sends a different serial number over the bus (this, i speculate because we haven't had to replace one yet, and you don't really replaces sensors these days, but i wouldn't be surprised). That still doesn't prevent stupid mistakes like being able to access the main canbus line from the outside of the vehichle

Sure it does.  I'm not talking about serial number coding, as you point out that happens already.  I'm saying that in a matter of years the CAN bus will be encrypted, every CAN module will be required to have a root-of-trust system and secure key storage.  If your probe doesn't use a valid key recognized by the system it won't be able to send or receive CAN messages.  This won't prevent all attacks, but attacks will be about compromising a specific module rather than attacking the network.  Even then, if you compromise the headlamp module, that won't necessarily let you send key fob messages.

It will take some time, but it's already in progress.  It's a bit complicated by the shared bus nature of CAN and the reliability needed, especially for low speed CAN, so it will probably happen in stages.

Sorry, didn't want to come out as aggressive.
The other day I was actually discussing the same subject with some folks that do a lot of PLC work, they lament that modbus, like canbus, doesn't have encryption builtin and a malign actor can ruin your day without much effort once they have access to the network. True. But in both cases the real problem is not in the bus used for transmission, but in leaving the door open for attacks.

Really, what was toyota thinking when they decided that the network could be accessed easily from the extern of the vehichle? And to put the safety components on that specific network, instead of a separate one? We do a lot of work with cars in south africa, we heard about the first cars being highjacked with this method in about 2018. Of course, prices of insurances for those cars have skyrocketed since then.

The problem is that the manufacturer made it convenient for a burglar to steal a car, because if the network of the keyfob was not accessible from the outside it wouldn't have been a problem. You can encrypt all you want, update all you want (you don't even have to go to the dealer to update the firmware of the ECU) but you're still giving physical access.

Before they discovered this way in they would instead destroy the lock, enter inside with a replacement ECU for which they have the key and change it on the spot (the ECU was very conveniently placed near the pedals)  that still took three to five minutes

[ejeffrey]

[they lament that modbus, like canbus, doesn't have encryption builtin and a malign actor can ruin your day without much effort once they have access to the network. True. But in both cases the real problem is not in the bus used for transmission, but in leaving the door open for attacks.

In moat cases it's much harder to physically secure a communications network than an endpoint.  A network is useful because it can go everywhere. It's also very common that more and less trusted nodes need to talk to each other.  You can partially implement that with multiple segments and gateways between them but you can't practically have many physical trust domains.  It's also an issue that trust isn't always transitive and sometimes you want different access for read vs write.

The solution that is adopted basically every time is to declare the network itself untrusted and build trust via encrypted and signed messages.  Its not foolproof but it tends to be a lot more workable than trying to keep the entire network physically secure.

[HwAoRrDk]

I don't know why many car manufacturers seem to make the same mistakes over and over again when it comes to security vulnerabilities caused by critical electronic systems being accessible from outside the car.

I seem to recall reading about a similar vulnerability with Land Rover Discovery (or maybe Evoque, I forget) over a decade ago where thieves would simply smash a rear light and tap into the CAN bus to unlock the vehicle.

Going back even further (>20 years) I recall there was some model of car that had some well-publicised vulnerability where you could defeat the immobiliser and start the engine by pulling away the plastic cowling under the windscreen wipers and tampering with exposed wiring therein.

And even when they have identified vulnerabilities and applied mitigations, sometimes they only apply them in certain markets.

For example, the model of car I own has a potential vulnerability where, because the trunk key cylinder is situated within and passes through the right-hand rear light, thieves could smash a hole in the light housing and poke a hook through and release the lock latch mechanism. For the European market, they added an extra metal plate behind that rear light, so access to the lock mechanism is blocked, but for the North American and Far Eastern markets there is nothing! Same for engine ECU enclosure; EU models got security bolts (the kind where the head breaks off after tightening) that you have to drill out if you even want to unplug the ECU, but other markets didn't get that.

[RJSV]

Regarding strayelectron's comment, about the FTC should be pushing car makers, to increase security against car theft.
   Federal Trade Commission (FTC) showing 'the usual' modern agency slant.  That is, according to their own fiscal goals document:
   'Enforce standards through excellence in standards enforcement...'.   was approx. what I got out of it, after spending maybe 10 minutes on skimming the 2022 fiscal document.

   Another 'goal' seemed to be to 'improve' customer's experience, through improved enforcement...of agency goals...    - - Something like that boilerplate word salad.
Word salads.
   Judges these days, more and more, aren't inclined to use the punishment thing...
Have to confess; I was originally determined to do brief scan, for FTC goals on diversity within the agency, after downloading the fiscal report.

[pdenisowski]

Great post - thanks!

Note that unlike "classic" CAN, CAN FD and (particularly) CAN XL allow the implementation of authentication and cryptography.

[JPortici]

Great post - thanks!

Note that unlike "classic" CAN, CAN FD and (particularly) CAN XL allow the implementation of authentication and cryptography.

Sorry, but that sounds like marketing wank to me. You can absolutely autenticate/encrypt the data on CAN and CAN FD, and you SHOULD in certain cases, such as if you're using the bus to pass sensitive data. Infact you can't simply reprogram an ECU over UDS, you need to autenticate yourself first (for many ECUs the keys are known and can't be changed, but for most of the recent ones it's another story..)

Every case of car thievery due to abuse of the CAN bus was because of abuse of the CAN bus and other fundamental deficiencies in the system's design.
For example, in BMWs you can start the engine and monitor the bus at all times. This is a great feature for mechanics as they can automate some procedures. Also a great features for thieves as they can trivially pick the door locks and start the car and go away without ever needing the key. Even better, if a bus line is accessible from the outside and you can talk OBD on that bus. This was ultimately corrected in the latest series (later F, G models) in which the OBD port bus is dedicated and if you try to put an extra active transceiver on the bus (doesn't need to communicate) without having the key around... you have 30 seconds to get the key!

Problem was not in CAN bus per se, but in the lack of authentication that was later added in software.

All those hyundai, mazda, etc that have the radio connected to the main canbus line, and said radio provide an in-car wifi, and said wifi is advertising and unprotected? Seems to me the problem is not in the use of CANbus for the radio

The Toyota issue described here, toyota decided it was a good idea to put the authentication on the same bus as other services, in this case the headlight. They also made the connector accessible from the outside with no physical protection other than a flimsy plastic cover you can detatch in less than 10 seconds (instead of say, having to remove the headlight because a solid piece of metal prevents you from detaching the connector when the light is in place. And as far as i know, they didn't even change the authentication code to let the ECU accept virgin keys (which is more or less how they steal those, they have a keyfob, plug in the programmer which put the ECU in keyfob acquisition and poof! their key is the new key)
Here i don't see how CAN XL and other layers of encryption would have prevented the problem from happening.

By the way, not too long ago you could steal Land Rovers the same way, only from the read lights (thief would smash the light, access the canbus, open the car)

I personally prefer the bus to be open, with data in plaintext and possibly encoded by following standards, with exceptions for security/privacy reasons (so encrypt the location, video stream, firmware during update at will)

[pdenisowski]

Note that unlike "classic" CAN, CAN FD and (particularly) CAN XL allow the implementation of authentication and cryptography.

Sorry, but that sounds like marketing wank to me.

(laughs)  Maybe it is   But the longer data length field and/or higher bit rates make it more practical compared to classical CAN.  CAN-XL has an explicit SEC bit in the frame header that indicates use of the CADsec protocol, so security and authentication are an explicit part of the protocol (vs. a bolt-on approach in CAN and CAN-FD)

[pdenisowski]

I personally prefer the bus to be open, with data in plaintext

So do I - encryption would make it really hard for me to use my car as a source of CAN data for presentations

[magic]

Same for engine ECU enclosure; EU models got security bolts (the kind where the head breaks off after tightening) that you have to drill out if you even want to unplug the ECU, but other markets didn't get that.

What a brilliant idea, so much repair friendly and thieves certainly couldn't equip themselves with portable drills

[JPortici]

Note that unlike "classic" CAN, CAN FD and (particularly) CAN XL allow the implementation of authentication and cryptography.

Sorry, but that sounds like marketing wank to me.

(laughs)  Maybe it is   But the longer data length field and/or higher bit rates make it more practical compared to classical CAN.  CAN-XL has an explicit SEC bit in the frame header that indicates use of the CADsec protocol, so security and authentication are an explicit part of the protocol (vs. a bolt-on approach in CAN and CAN-FD)

Not commenting on the large payloads a problem more or less solved by automotive ethernet already, and i find that to be necessary only when uploading a new firmware (cameras and the like already use dedicated, more suitable buses) though i can appreciate if CAN/CAN-FD/CAN-XL can live on the same bus

[Zucca]

I am working since 2006 in a big german car company....
I left development and become a test (driver) because it was almost impossible to implement nice idea...
The security department was always turning them down or making them impossible to implement.

The result? You buy today a black box that not even the dealers can fix...

I will never buy something produced after in the last five years.... totally a encrypted and not reparable black box.

[Jeroen3]

Let me predict the future on this.

Say in a few years they do implement some security features in cars to prevent this kind of injection attack.
There will come online a video on youtube from a certain Louis lashing out to [car manufactuerer] that it is ridiculous that when a small car repair shop wants to replace a headlight they need to rent the expensive [car brand] software and adapter and pay membership to get enrolled into a [car brand]-repair program to simply swap the headlight to the ECU. Repairing the headlight unit is already impossible because it's welded shut. "It's like they don't want us to repair things!" he then complains, there should be laws against this!

[magic]

Usually there are two solutions to computer security problems: stop doing stupid things in the first place, or throw more stupid things at the problem to make practical attacks harder.

The latter typically happens not because it's unavoidable, but because somebody (maybe at marketing, design, etc) doesn't want to hear about the former...

This is also the reason why smart appliances (those on four wheels included) will never become secure, no matter the effort. They only get more stupid.

[Ed.Kloonk]

My local TV news reports on random crime involving a stolen car. Every time, it seems, that the get away car(s) involved are BMWs. Not every time, but noticing it very often.

?