Cybercriminals CAN Steal Your Car, Using Novel IoT Hack

Published: 23/11/2024   Category: security




Your family's SUV could be gone in the night thanks to a headlight crack and hack attack.



Automotive security experts have uncovered a novel method for stealing cars by breaking into their control systems through a headlight.
The key (so to speak) is the controller area network (CAN) bus, the Internet of Things (IoT) protocol through which devices and microcontrollers in a vehicle communicate with one another. It's basically the car's onboard, local communications network that cyberattackers can subvert to potentially stop and start the car, open doors and windows, play around with the radio, and much more.
While car hacking is hardly new, in a blog post published April 3, Ken Tindell, CTO of Canis Automotive Labs, described how attackers manipulated an electronic control unit (ECU) in a Toyota RAV4's headlight to gain access to its CAN bus, through which they were able to, ultimately, steal the vehicle. That's an approach that hasn't been seen before. Once connected via the headlight, they hacked their way into the CAN bus (responsible for functions like the parking brakes, headlights, and smart key) through a gateway and then into the powertrain panel, wherein lies the engine control.
This type of CAN injection will require manufacturers to rethink control network security in their vehicles, he warns.
"When you're a car engineer," Tindell tells Dark Reading, "you're trying to solve all sorts of problems: minimizing the wiring, reliability, cost. You're not thinking 'cyber, cyber, cyber' all the time."
"We're not wired that way," he says. "Forgive the pun."
On April 24 last year, Ian Tabor woke up to find that his Toyota RAV4's front bumper and left headlight had been manhandled, while it was parked out on the street in London.
One month later, those same areas of the car were again obviously tampered with. Tabor didn't realize the full scope of the sabotage until it was too late.
One day, the vehicle was gone.
Tabor, it should be noted, is an automotive security consultant. The irony was not lost on Tabor's friend, Tindell. "When I first read his tweet, I thought: 'Someone's making a point,'" he says. "But no, not at all."
Tindell, it turned out, was in a unique position to help. He'd helped develop the first CAN-based platform for Volvo vehicles, an experience applicable to the situation given that the CAN proved to be the RAV4's key weakness.
To break into a modern vehicle, the key is usually … the key.
"The car is defended with the key," Tindell explains. "The wireless key is a perimeter defense. It talks to an engine control unit (ECU), which asks: 'Are you the real key?' The key responds: 'Yeah.' Then the message goes to the engine immobilizer: 'OK, the owner's here with the key.'"
To breach this line of communication, thieves have historically opted for so-called relay attacks. Using a handheld radio relay station, attackers can beam a car's authentication request to its associated smart key, presumably lying in a nearby home. The key responds, and the car accepts the message because it is, in the end, valid.
Attuned to this, manufacturers now commonly design keys to go to sleep after a few minutes of inaction. Owners with keys that don't go to sleep can store them inside of a radio-impenetrable metal box.
Other attack types include subverting mobile apps and making use of flaws in the infotainment systems of cars, the latter of which became a lightning rod for reform after the famed hack of the 2014 Jeep Cherokee by Charlie Miller and Chris Valasek in 2015. In that case, the discovery of a wide open cellular communications port 6667 ultimately led to their ability to control the Jeep's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.
