Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CAN Injection: keyless car theft

Ken Tindell, posted 2 years ago
  • The author of this post noticed a weird issue on Twitter: thieves were wrecking a man's car in order to eventually steal it. Why and how? They wanted direct access to the Controller Area Network (CAN) bus. The Toyota has telemetry that conveniently logs all errors on the CAN bus. On the RAV4, the headlights connect directly to the CAN bus, which is why the attackers removed the headlights.
  • The telemetry showed that the headlights had a communication failure, and not just the lights: many other things as well. Ian, the car owner, went on the dark web to find the devices used to steal all sorts of cars and eventually bought one in order to reverse engineer it. This is where the author of the post comes in: he's an expert on CAN buses.
  • When most people think about stealing cars, they think about weaknesses in the smart key or key fob, from relay attacks to replay attacks. Since those issues are getting fixed, attackers have moved on to a new technique: CAN bus injection. By sending data directly on the CAN bus, an attacker can force the car to perform actions. This is possible because the CAN bus is treated as a trusted environment; there is no authentication of who sent a frame.
  • The device is a JBL music speaker with a CAN transceiver attached to it. It gets connected to the CAN bus (commonly through the headlight wiring) to impersonate the smart key Electronic Control Unit (ECU). In particular, it connects and sends the "Smart Key is valid" signal to the car 20 times per second. That alone isn't enough, though: since the bus already has other devices on it, the device also stops them from writing to the bus using its dominant-override wire. By doing this over and over, the attacker tricks the car into turning on.
  • The author dives deeper into the anatomy of the CAN protocol throughout the article, which is what makes it clear how the injector works. To fix this problem, the author suggests using cryptographic primitives so that random devices cannot just jump onto the bus and be believed. A more brittle fix would be to program the receiving ECU to accept the smart key CAN frame only if no bit errors were seen on the bus recently.
  • Overall, an interesting article on the dark web and how people are actually stealing cars.
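As an added illustration of the receiver-side mitigations the author suggests (this is constructed example code, not code from the post or from any vehicle), the following Python model combines a truncated MAC with a freshness counter and the "no recent bus errors" gate on the ECU that consumes the smart key frame. The CAN ID, key, tag length and error window are assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass

SMART_KEY_ID = 0x123   # placeholder arbitration ID for the "smart key valid" frame (constructed)
TAG_LEN = 4            # CAN has only 8 data bytes, so the MAC is truncated (assumption)


@dataclass
class CanFrame:
    arb_id: int        # 11-bit arbitration ID
    payload: bytes     # application data bytes
    counter: int       # monotonically increasing freshness value sent with the frame
    tag: bytes         # truncated MAC over (arb_id, counter, payload)


def mac(key: bytes, arb_id: int, counter: int, payload: bytes) -> bytes:
    """Truncated HMAC-SHA256 binding the ID, the counter and the data together."""
    msg = arb_id.to_bytes(2, "big") + counter.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key: bytes, counter: int, payload: bytes = b"\x01") -> CanFrame:
    """Frame as a legitimate smart key ECU sharing the key would emit it."""
    return CanFrame(SMART_KEY_ID, payload, counter, mac(key, SMART_KEY_ID, counter, payload))


class SmartKeyReceiver:
    """Receiving-ECU policy: the 'key valid' frame counts only if the bus has been
    error-free for a while, the MAC verifies, and the counter has not been seen before."""

    def __init__(self, key: bytes, error_window_ms: int = 500):
        self.key = key
        self.last_counter = -1
        self.error_window_ms = error_window_ms
        self.last_bus_error_ms = None

    def note_bus_error(self, now_ms: int) -> None:
        # Called when the CAN controller reports a bit or stuff error; a device
        # forcing the bus dominant to silence other ECUs shows up this way.
        self.last_bus_error_ms = now_ms

    def accept(self, frame: CanFrame, now_ms: int) -> str:
        if frame.arb_id != SMART_KEY_ID:
            return "ignored"
        if self.last_bus_error_ms is not None and now_ms - self.last_bus_error_ms < self.error_window_ms:
            return "rejected: recent bus errors"
        expected = mac(self.key, frame.arb_id, frame.counter, frame.payload)
        if not hmac.compare_digest(expected, frame.tag):
            return "rejected: bad MAC"
        if frame.counter <= self.last_counter:
            return "rejected: replayed counter"
        self.last_counter = frame.counter
        return "accepted"
```

A frame injected by a device without the key fails the MAC check, a captured frame sent again fails the counter check, and a frame arriving right after the bus was forced into error is held back regardless of its contents.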