The headlight is not a car part we ever thought would be a security weakness.
Modern vehicles are, for the most part, rather difficult to steal. Modern anti-theft devices and technology make them tougher to take, but that hasn't stopped thieves from dreaming up new ways of appropriating your prized wheels. According to Dr. Ken Tindell of Canis Automotive Labs, criminals are now accessing a vehicle's CAN bus system through the headlights.
In his latest blog post, Tindell explains how thieves access headlight modules to steal new cars. It all started when his friend, himself a cybersecurity expert, had his Toyota RAV4 stolen. After some sleuthing, the owner discovered a website that sells questionable tools that can act as a key fob when connected to the vehicle's CAN bus.
These items are sold on websites that purport to support car owners or locksmiths, but it's clear to see that's not the case. The tool, disguised as a JBL speaker, costs as much as $5,500 and can work on an array of cars, including Toyota, BMW, Volkswagen, Ford, and a host of GM and Stellantis vehicles.
At that price, it's clear that this product isn't aimed at owners but rather at criminals who see it as an investment. Thieves damage the bumper and trim pieces around the headlight, giving them access to the CAN bus in the headlight cluster. Once the device is connected to the vehicle, it takes over most of the hard work.
By pressing “play” on the faux JBL speaker case, the ECU is instructed to unlock the doors, giving the thief access to your car. They can then get in and drive away. The video below shows that the entire process is over in just a few minutes.
This is undoubtedly a worrying development, but, as Tindell writes, this issue can be resolved in two ways. The first, described as “quick and dirty,” centers around a software update allowing the engine immobilizer to monitor the CAN controller for errors.
“The gateway could be re-programmed to only forward a smart key CAN frame if it has recently transmitted a CAN frame without problems, and in the recent past, there have been no bit errors of this type on the CAN bus,” writes Tindell.
This is only a partial fix, with the author noting that changing the CAN injector can overcome it. However, this could take criminal types a while to figure out and give the world's automakers time to develop a foolproof solution. Tindell believes that a “Zero Trust” approach is the best and would mean a vehicle's ECU doesn't simply trust messages from other ECUs and instead requires validation that it is, in fact, a genuine request.
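The “quick and dirty” gateway rule quoted above can be sketched as follows. This is an added example, not code from Tindell or any automaker; the CAN ID, the two time windows and all type and function names are assumptions chosen for illustration, and the event trace is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SMART_KEY_ID 0x123u  /* placeholder CAN ID, not a real vehicle's */
#define TX_FRESH_MS  100u    /* assumed: "recently transmitted" window */
#define ERR_QUIET_MS 1000u   /* assumed: "recent past" error-free window */

typedef struct {
    uint32_t last_tx_ok_ms, last_bit_err_ms;
    bool tx_seen, err_seen;
} gw_state_t;

typedef enum { EV_TX_OK, EV_BIT_ERROR, EV_RX_FRAME } ev_kind_t;
typedef struct { uint32_t t_ms; ev_kind_t kind; uint32_t can_id; } event_t;

/* Decide whether a received frame may cross the gateway at time `now`. */
bool gw_should_forward(const gw_state_t *s, uint32_t can_id, uint32_t now)
{
    if (can_id != SMART_KEY_ID)
        return true;                       /* rule only gates smart key frames */
    if (!s->tx_seen || (uint32_t)(now - s->last_tx_ok_ms) > TX_FRESH_MS)
        return false;                      /* no recent clean transmission */
    if (s->err_seen && (uint32_t)(now - s->last_bit_err_ms) <= ERR_QUIET_MS)
        return false;                      /* bit errors seen too recently */
    return true;
}

/* Replay controller events; return how many smart key frames were forwarded. */
size_t gw_replay(const event_t *ev, size_t n)
{
    gw_state_t s = {0};
    size_t forwarded = 0;
    for (size_t i = 0; i < n; i++) {
        switch (ev[i].kind) {
        case EV_TX_OK:     s.last_tx_ok_ms = ev[i].t_ms;   s.tx_seen = true;  break;
        case EV_BIT_ERROR: s.last_bit_err_ms = ev[i].t_ms; s.err_seen = true; break;
        case EV_RX_FRAME:
            if (ev[i].can_id == SMART_KEY_ID &&
                gw_should_forward(&s, ev[i].can_id, ev[i].t_ms))
                forwarded++;
            break;
        }
    }
    return forwarded;
}

/* Constructed trace: clean bus, then bit errors, then recovery, then stale TX. */
static const event_t SAMPLE_TRACE[] = {
    {0, EV_TX_OK, 0}, {50, EV_RX_FRAME, SMART_KEY_ID},      /* forwarded */
    {200, EV_BIT_ERROR, 0}, {250, EV_TX_OK, 0},
    {300, EV_RX_FRAME, SMART_KEY_ID},                       /* dropped: errors */
    {1400, EV_TX_OK, 0}, {1450, EV_RX_FRAME, SMART_KEY_ID}, /* forwarded */
    {2000, EV_RX_FRAME, SMART_KEY_ID},                      /* dropped: stale TX */
};
```

The unsigned subtraction keeps the age checks correct when the millisecond counter wraps around.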
It would require new chips and hardware, making a retrofit option impossible, but Tindell says a software emulation of the Hardware Security Module is possible. For now, we'd recommend parking in secure areas where thieves can't access your vehicle.
I know what they were doing, the car is gone! My @ToyotaUK app shows it's in motion. I only filled the tank last night. FCUK! https://t.co/SWl8PcmfZJ
— Ian Tabor (@mintynet) July 21, 2022
Of course, not everyone has access to a locked garage, and many owners are forced to park their vehicles on the street. It's a small crumb of comfort, but this process requires thieves to work slowly in order to gain access to the headlights. This means they cannot be interrupted, and need constant access to your vehicle.
With the RAV4 used in this example, the thieves were forced to return, with the Toyota's owner discovering the damage to the bumper and front trim. If you return to your car in the morning and find similar signs of fettling, it's best to contact your local law enforcement and make provisions to secure the car.
Sadly, car thefts are a common occurrence in the United States, with brazen criminals even breaking into dealerships to get their hands on new vehicles. Elsewhere, Hyundai and Kia have been targeted by a bizarre social media trend that encourages people to steal these vehicles.