This is a detective story about how a car was stolen – and how it uncovered an epidemic of high-tech car theft. It begins with a
tweet. In April 2022, my friend Ian Tabor tweeted that vandals had
been at his car, pulling apart the headlight and unplugging the cables.
It seemed like pointless vandalism, the kind of thing that makes it impossible to have nice things. Then three months later it happened again.
This time the bumper was pulled away and the headlight unplugged. But it turned out neither incident was vandalism, because a couple of days later:
The car was gone. And it looks like the headlight was how it was stolen. Ian is a cybersecurity researcher in the automotive space who has
previously been awarded bug bounties for finding vehicle vulnerabilities, and from reading his tweet I
initially thought this might be a trophy hack. But it turned out not to be: Ian’s neighbour had their Toyota Land Cruiser stolen shortly after. For Ian this is personal, and he wanted to know just how they stole the car. After
all, it has sophisticated car security systems, including an engine immobilizer. How did they drive these cars away?
Ian did some more sleuthing, starting with the ‘MyT’ telematics system that’s included in a lot of Toyota cars. The automotive
industry has been adding built-in diagnostic systems to cars for decades. It’s called ‘on-board diagnostics’ (or OBD for short) and
when an Electronic Control Unit (or ECU) detects a fault, it records a code. In the industry, it’s called ‘dropping
a DTC’ (or Diagnostic Trouble Code). The MyT system will send DTCs up to Toyota servers, and the MyT app
can show them.
These are codes that indicate what the detected fault is and when it occurred. Some DTCs
include a ‘freeze frame’ – a collection of sensor data captured around the time of the fault, to help a workshop mechanic diagnose
it (it might be the speed of the vehicle, the temperature outside, the battery voltage, that kind of thing). In modern cars,
ECUs are connected together with a communications link running a protocol called CAN bus (CAN stands for Controller Area Network). It was invented more than 30 years ago and is used today in more than cars: it’s built into boats, farm equipment, aircraft, construction equipment,
and even spacecraft (there’s a CAN bus orbiting Mars right now). One of the ways an ECU diagnoses a fault is that it doesn’t hear
from another ECU it needs to talk to, and this is usually done with a timeout: if a CAN message that should arrive regularly isn’t received, then after
some time without hearing anything the listener assumes there’s a fault with the CAN bus or with the other ECU. And sometimes it’s obvious the
CAN bus has failed: if an ECU’s own messages cannot be sent, for example, or the CAN bus interface hardware reports that communication
has been lost.
It turns out that around the theft of the car, Ian’s car dropped a lot of DTCs.
In the front of the RAV4 there is an ECU that controls the lights (the high and low beam headlights and the turn indicators). In most cars
there is such an ECU because the days of a simple switch turning on the lights are long gone: lights are smart, and include things
like motors to level the headlights (so when the car is loaded with heavy luggage, the lights are tilted to compensate), steering headlights
that illuminate the corners, automatic detection of failed lights, pumps that spray water on the lights, and so on. On the
RAV4, the ECU also chooses which LEDs in a grid are lit, so as not to dazzle oncoming drivers while still lighting the rest of the road.
The DTCs showed that communication with the lighting control ECU was lost. This isn’t surprising
since the thieves had ripped the cables out of it. But the DTCs also showed that lots of systems had failed: the control of the front cameras,
the hybrid engine control system, and so on. How could that be? This was the next clue: the ECUs probably hadn’t failed, but rather the
communication to them had been lost, and the diagnostics had flagged this as a fault. The common factor: CAN bus.
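To make the two diagnostic mechanisms above concrete (an ECU dropping a ‘lost communication’ DTC after a timeout, and the deduction that many such DTCs at once point at the bus rather than at many ECUs), here is a small added example of my own. It is not code from the original post, from Toyota or from any vehicle ECU; the CAN identifiers, message periods, DTC labels and the frame log are all constructed for illustration.

```python
"""Toy CAN 'lost communication' monitor (added example, not from the post).

Each ECU on the bus is expected to send a periodic message with a known CAN
identifier. A listener records when each ID was last seen; if an ID stays
silent for longer than its timeout, the listener drops a DTC with a small
freeze frame. A second pass correlates the DTCs: if most of the expected
ECUs fell silent at the same moment, the likely cause is the bus itself
(a cut or unplugged harness), not many ECUs failing independently.
All identifiers, periods, DTC labels and the frame log are constructed.
"""
from dataclasses import dataclass, field

# Constructed: expected periodic senders -> (CAN ID, nominal period in ms).
# Real vehicles use different IDs and periods; these are placeholders.
EXPECTED = {
    "lighting_ecu": (0x3A1, 100),
    "front_camera": (0x2C0, 50),
    "hybrid_ctrl":  (0x1B0, 20),
    "body_ecu":     (0x400, 200),
}
TIMEOUT_PERIODS = 5  # declare loss after five missed periods


@dataclass
class DTC:
    code: str           # constructed label, not a real DTC number
    node: str
    detected_ms: int
    freeze_frame: dict = field(default_factory=dict)


def make_log(stop_at_ms, end_ms):
    """Constructed frame log: each node sends its ID every `period` ms from
    t=0 until its entry in stop_at_ms (default: until end_ms)."""
    frames = []
    for node, (cid, period) in EXPECTED.items():
        stop = stop_at_ms.get(node, end_ms)
        frames.extend((t, cid) for t in range(0, stop, period))
    return sorted(frames)


def monitor(frames, end_ms, speed_kph=0, battery_v=12.6):
    """frames: iterable of (timestamp_ms, can_id) sorted by time.
    Returns the 'lost communication' DTCs raised up to end_ms."""
    id_to_node = {cid: node for node, (cid, _) in EXPECTED.items()}
    last_seen = {node: 0 for node in EXPECTED}
    raised = {}

    def check(now):
        # Timeout check: a node that has been silent for more than
        # TIMEOUT_PERIODS of its nominal period is declared lost.
        for node, (_, period) in EXPECTED.items():
            if node in raised:
                continue
            if now - last_seen[node] > period * TIMEOUT_PERIODS:
                raised[node] = DTC(
                    code=f"LOST_COMM_{node.upper()}",
                    node=node,
                    detected_ms=now,
                    freeze_frame={          # data captured around the fault
                        "last_seen_ms": last_seen[node],
                        "speed_kph": speed_kph,
                        "battery_v": battery_v,
                    },
                )

    for ts, cid in frames:
        check(ts)
        node = id_to_node.get(cid)   # unknown IDs are ignored
        if node is not None:
            last_seen[node] = ts
    check(end_ms)
    return list(raised.values())


def classify(dtcs, window_ms=500):
    """If a majority of the expected ECUs all went quiet within one short
    window, attribute the loss to the bus rather than to the ECUs."""
    lost = sorted(d.node for d in dtcs)
    if not dtcs:
        return {"bus_fault": False, "lost": lost}
    quiet_at = [d.freeze_frame["last_seen_ms"] for d in dtcs]
    simultaneous = max(quiet_at) - min(quiet_at) <= window_ms
    majority = len(dtcs) >= max(2, (len(EXPECTED) + 1) // 2)
    return {"bus_fault": simultaneous and majority, "lost": lost}


if __name__ == "__main__":
    end = 3000
    # Scenario A: the whole bus goes silent at t=1000 ms (harness unplugged).
    whole_bus_quiet = {n: 1000 for n in EXPECTED}
    print(classify(monitor(make_log(whole_bus_quiet, end), end)))
    # Scenario B: only the lighting ECU stops; everything else keeps talking.
    print(classify(monitor(make_log({"lighting_ecu": 1000}, end), end)))
```

Scenario A produces a DTC for every ECU with near-identical `last_seen_ms` values, and the correlation step reports a bus fault; scenario B produces a single DTC for the lighting ECU and no bus fault. The distinction matters for the story above: the RAV4’s DTCs looked like scenario A, which is what pointed at the CAN bus as the common factor.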
Ian did some more sleuthing: around the dark web and sites that talk about how to steal cars, through forums, and through YouTube videos of car thefts. He tracked down a web site selling more than a hundred products for by-passing car security, from programming fake key fobs
to ‘emergency start’ devices (the fiction being that these products are for owners who have lost their keys, or that somehow reputable locksmiths will
use them).
The prices are eye-watering (up to €5000) for an ordinary owner, but for a gang of car thieves this is an investment.
There are products targeting many car models, including from Jeep, Maserati, Honda, Renault, Jaguar, Fiat, Peugeot, Nissan, Ford, BMW, Volkswagen,
Chrysler, Cadillac, GMC – and Toyota.
For Toyota, the ‘emergency start’ system is a bit of electronics hidden inside a JBL Bluetooth speaker case. This
gives thieves plausible deniability: if stopped by the police, they aren’t at first sight carrying obvious car theft tools, but what looks like an
innocent music device. The web site lists the models of cars ‘supported’ by the theft device:
Lexus models including the ES, LC, LS, NX, RX and Toyota models including the GR Supra, Prius, Highlander, Land Cruiser – and RAV4. Ian
had discussions with Noel Lowdon of vehicle
forensics company Harper Shaw about this device and decided to buy one
to reverse engineer it. At this point I was called in to help with how the device works on the CAN bus.
Ian calls me a CAN guru: I worked with Volvo on their first CAN-based car platform and architected the
first low-cost CAN hardware for small chips used in cars, my start-up company produced the CAN networking
software used by Volvo in all their cars, and I was part of the team that won the Volvo Technology Award for the CAN networking
system (my start-up was later sold to Bosch and today is a thriving part of Bosch’s ETAS group for in-car software technology). Together,
we started to tear apart the theft device to see how it worked.
Before I go any further, I must make a disclaimer: this story will not disclose details that make it easier for someone
to build a copy of the theft device. The
creator is a criminal and neither I nor Ian will ever help these people. The purpose of telling this story is to help law enforcement and
car makers to do something about these devices (at the end I will give some ways that car makers and their suppliers can update their ECU software
to defeat thieves). I also want to emphasize that this is not something specific to Toyota: Ian investigated the RAV4 because his stolen
car was a RAV4, and other manufacturers have car models that can be stolen in a similar way.
A new theft technique: CAN Injection
Modern cars are protected against thefts by using a smart key that talks to the car and exchanges cryptographic messages so that
the key proves to the car that it’s genuine. This messaging scheme is generally reckoned to be secure and can’t be broken without
huge resources (of the type
only a nation state has). But thieves don’t attack the hard part: they find a weakness and work around it. In the past, this was done
with a Relay Attack. Normally, the car asks the key by radio to prove itself, and then when it receives
a valid message back by radio it unlocks the car and disables the engine immobilizer. The thieves found a simple way around this:
they used a hand-held radio relay station that beams the car’s message into the home to where the keys are kept, and then relays
the message from the keys back to the car. The car accepts the relayed message as valid because it is – the real keys were used to unlock the car.
Now that people know how a relay attack works, it is generally possible to defeat it: car owners keep their keys in a
metal box (blocking the radio message from
the car), and some car makers now supply keys that go to sleep if motionless for a few minutes (and so won’t receive the radio message from the car).
Faced with this defeat but being unwilling to give up a lucrative activity, thieves moved to a new way around the security: by-passing the entire
smart key system. They do this with a new attack: CAN Injection.
The diagram below shows how ECUs in a RAV4 are wired togethe