Cybercriminals CAN Steal Your Car, Using Novel IoT Hack

Your familys SUV could be gone in the night thanks to a headlight crack and hack attack.

Automotive security experts have uncovered a novel method for
stealing cars
by breaking into their control systems through a headlight.
The key (so to speak) is the controller area network (CAN) bus, the Internet of Things (IoT) protocol through which devices and microcontrollers in a vehicle communicate with one another. It’s basically the cars onboard, local communications network that cyberattackers can subvert to potentially stop and start the car, open doors and windows, play around with the radio, and much more.
While
car hacking is hardly new
, in a
blog post published April 3
, Ken Tindell, CTO of Canis Automotive Labs, described how attackers manipulated an electronic control unit (ECU) in a
Toyota RAV4s
headlight to gain access to its CAN bus, through which they were able to, ultimately, steal the vehicle. Thats an approach that hasnt been seen before. Once connected via the headlight, they hacked their way into the CAN bus — responsible for functions like the parking brakes, headlights, and smart key — through a gateway and then into the powertrain panel, wherein lies the engine control.
This type of CAN injection will require manufacturers to rethink control network security in their vehicles, he warns.
When youre a car engineer, Tindell tells Dark Reading, youre trying to solve all sorts of problems: minimizing the wiring, reliability, cost. Youre not thinking cyber, cyber, cyber all the time.
Were not wired that way, he says. Forgive the pun.
On April 24 last year, Ian Tabor woke up to find that his Toyota RAV4s front bumper and left headlight had been manhandled, while it was parked out on the street in London.
One month later, those same areas of the car were again obviously tampered with. Tabor didnt realize the full scope of the sabotage until it was too late.
One day, the vehicle was gone.
Tabor, it should be noted, is an automotive security consultant. The irony was not lost on Tabors friend, Tindell. When I first read his tweet, I thought: Someones making a point, he says. But no, not at all.
Tindell, it turned out, was in a unique position to help. Hed helped develop the first CAN-based platform for Volvo vehicles — an experience applicable to the situation given that the CAN proved to be the RAV4s key weakness.
To break into a modern vehicle, the key is usually … the key.
The car is defended with the key, Tindell explains. The wireless key is a perimeter defense. It talks to an engine control unit (ECU), which asks: Are you the real key? The key responds: Yeah. Then the message goes to the engine immobilizer: OK, the owners here with the key.
To breach this line of communication, thieves have historically opted for so-called relay attacks. Using a handheld radio relay station, attackers can beam a cars authentication request to its associated smart key, presumably lying in a nearby home. The key responds, and the car accepts the message because it is, in the end, valid.
Attuned to this, manufacturers now commonly design keys to go to sleep after a few minutes of inaction. Owners with keys that dont go to sleep can store them inside of a radio-impenetrable metal box
Other attack types include subverting mobile apps, and making use of flaws in the infotainment systems of cars — the latter of which became a lightning rod for reform after the famed
hack of the 2014 Jeep Cherokee by Charlie Miller and Chris Valasek
in 2015. In that case, the discovery of a wide open cellular communications port 6667 ultimately led to their ability to control the Jeeps steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Cybercriminals CAN Steal Your Car, Using Novel IoT Hack