The CAN Injection Method: How Thieves Use Headlights to Steal Cars
Cybersecurity threats have skyrocketed in recent years, with the automotive industry among the primary targets of cybercriminals. This is caused by the continuous evolution of modern cars, driven by electrification, connectivity, and autonomous driving. In other words, the more automated the car, the higher the risk of a cyber attack on it. Contrary to what some car owners might believe, car thieves keep up with the changes and come up with fresh ways to break into cars and steal them without attracting much attention.
One of the newest threats contributing to the rising number of stolen cars is related to the Controller Area Network, or CAN bus, system. If you would like to learn how CAN injection attacks work, what the main vulnerabilities of today’s keyless cars are, and how automotive thieves can use a seemingly harmless portable speaker to break into a car and steal it, keep reading.
Our professional locksmiths are up to date with the freshest types of attacks and security threats aimed at modern cars, and they have created a brief and comprehensive guide for preventing CAN injection keyless car theft.
What Is the CAN Injection Attack on Keyless Cars?
Also referred to as headlight hacking, CAN injection car theft is mostly aimed at a keyless car’s headlight area. This is because this usually represents the easiest way of entering the CAN bus system of the car, which intertwines all the Electronic Control Units (ECUs) of the vehicle and helps them communicate. The respective ECUs are directly related to different types of systems, such as telematics, engine control, climate control, headlight control, and smart key controls used for locking and unlocking the doors or getting the engine to start. All of these ECUs are therefore connected to one another with the help of these so-called CAN buses.
When using the CAN injection method, thieves do not need to connect directly to the ECU of the vehicle’s smart key system. That ECU can be reached through the wires leading to the headlight, as long as the headlight and the smart key ECU are on the same CAN bus.
To carry out a CAN injection attack, thieves rely on a tool that is normally disguised as an innocent Bluetooth speaker. The tool has to be wired into the CAN bus system. Once connected, it can freely access the network and introduce the kind of messages (“key validated, unlock immobilizer”) that the vehicle’s smart key receiver would send. As a result, these messages trigger the security system to unlock the car and disable the engine’s immobilizer.
While the procedure itself requires thieves to put some effort into disassembling the headlight to reach the CAN bus, it is usually carried out at night, on cars that are parked in dark areas without any surveillance cameras, headlamps, or manned protection.
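The weakness described above, seen from the receiving ECU's side, as an added example (not from the original article or any manufacturer's code): a receiver that trusts any frame carrying the right ID, beside one that also requires a truncated HMAC and a counter. The arbitration ID, payload, key and frame layout are all hypothetical.

```python
import hashlib
import hmac
import struct

# Every value below is constructed for illustration only.
SMART_KEY_ID = 0x123                    # hypothetical arbitration ID
KEY_VALIDATED = b"\x01"                 # hypothetical "key validated" payload
SHARED_KEY = b"placeholder-ecu-secret"  # assumed to be provisioned in both ECUs
MAC_LEN = 4                             # truncated MAC so the frame fits 8 bytes

def plain_receiver(can_id, data):
    """Classic CAN: the frame has an ID and data, but no proof of its sender."""
    return can_id == SMART_KEY_ID and data == KEY_VALIDATED

def make_mac(can_id, payload, counter):
    msg = struct.pack(">IH", can_id, counter) + payload
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]

def build_authenticated(can_id, payload, counter):
    """Sender side: 1-byte payload | 2-byte counter | 4-byte MAC."""
    return payload + struct.pack(">H", counter) + make_mac(can_id, payload, counter)

class AuthenticatedReceiver:
    def __init__(self):
        self.last_counter = 0  # counter wrap-around handling omitted

    def accept(self, can_id, data):
        if can_id != SMART_KEY_ID or len(data) != 3 + MAC_LEN:
            return False
        payload, mac = data[:1], data[3:]
        counter = struct.unpack(">H", data[1:3])[0]
        if counter <= self.last_counter:  # stale or replayed frame
            return False
        if not hmac.compare_digest(mac, make_mac(can_id, payload, counter)):
            return False                  # sender does not hold the key
        self.last_counter = counter
        return payload == KEY_VALIDATED

def demo():
    genuine = build_authenticated(SMART_KEY_ID, KEY_VALIDATED, 1)
    forged = KEY_VALIDATED + struct.pack(">H", 2) + b"\x00" * MAC_LEN
    rx = AuthenticatedReceiver()
    return {
        "plain_accepts_unauthenticated": plain_receiver(SMART_KEY_ID, KEY_VALIDATED),
        "auth_accepts_genuine": rx.accept(SMART_KEY_ID, genuine),
        "auth_accepts_replay": rx.accept(SMART_KEY_ID, genuine),
        "auth_accepts_forged": rx.accept(SMART_KEY_ID, forged),
    }

if __name__ == "__main__":
    print(demo())
```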
The devices used by these CAN injection keyless car thieves are usually found on the black market and they cost around $5,000. They are normally sold as emergency start kits or locksmith devices that car owners with missing keys and professional locksmiths can add to their toolboxes.
Which Cars Are More Vulnerable to CAN Injection Theft?
All modern-day car makes and models with smart headlights can easily fall victim to the CAN injection car theft method. Thieves who specialize in this theft method will usually have no problem pulling the bumper and trimming away the unnecessary pieces from a vehicle to get to the CAN bus located next to the headlight connector.
Since most of the CAN bus system is located inside the car, most car owners wrongfully believe that the risk of someone applying this theft technique to their vehicle is very low. Unfortunately, since most of today’s headlights on keyless cars are smart headlights, they also require an ECU in order to work. In other words, they also need to be connected to the car’s CAN bus system with wires.
Once a thief finds the correct wires to tap into, they can use the fake Bluetooth speaker to send a signal to the door ECU, causing the doors to unlock. In order to turn on the engine, thieves can use the same button on the injection tool. This means that the answer to “Can a keyless car be stolen?” is, unfortunately, yes.
Why the Recorded Rise in Keyless Car Thefts?
Because keyless entry cars are easier to access via different relay attacks, including CAN injection, they are more vulnerable to theft attempts and twice as likely to get stolen compared to standard cars that use regular lock mechanisms. At the same time, keyless entry is the preferred way in for almost 40% of all car thieves.
The latest car models use ultra-wideband technology to establish the distance that a signal will travel from the key fob to the car. This makes them less vulnerable to this type of relay attack as they prevent the doors from unlocking whenever the respective distance is too big.
Also, most owners have stopped using standard protection devices like steering wheel immobilizers or wheel locks, relying on smart protection technologies instead.
How to Stop a Keyless Car from Falling Victim to the CAN Injection Method
While these car security vulnerabilities are still waiting for advanced solutions on behalf of manufacturers, owners can implement a series of measures to lower the risk of falling victim to theft by CAN injection:
- Use signal blocker boxes and pouches to store car keys when not in use
- Opt for quality Faraday pouches, whose protective lining accurately blocks the signal of keys
- Rely on wheel immobilizers and on steering wheel locks and immobilizers to prevent theft