As car security has advanced, the world of auto theft has quickly melded with the world of hacking . The advent of high-tech car keys means that hotwiring is out and methods like relay attacks are the new way to gain unauthorized access to a vehicle. Now, however, it seems that attackers have found a new way to entirely bypass the electronic security on modern cars: A method called CAN injection.
The method is detailed in a blog post by Ken Tindell , CTO of automotive cybersecurity company Canis Automotive Labs. Tindell’s friend, Ian Tabor, had a nearly new Toyota Rav4 stolen last year using this novel exploit — now, Tindell has documented exactly how it works. Inline Network Tap
The attack relies on a vehicle’s CAN bus, the internal computer network that keeps everything running. If you’ve ever wondered how your car’s engine, body control module, and all the little controllers scattered around the car all communicate, CAN bus is the answer. The system is universal in modern cars, and even aftermarket ECU manufacturers now build CAN integration into their products .
The attack method Tindell lays out relies on physical access to the car’s CAN bus, meaning an attacker needs to get to the data wires that run through your car. By tapping into these wires, a thief can inject malicious commands into the network — allowing the thief to wake up the car’s computer controllers, falsify the presence of the car key, and drive off. And as Tindell points out , getting access to these data wires can be as simple as yanking out a car’s headlight — since modern high-tech headlights now communicate with all the other electronic controllers in a car.
As Tindell explains, for certain car models, thieves can even turn to the dark web to buy modified Bluetooth speakers filled with hardware that can inject malicious messages into a car’s CAN bus network, instructing the car to unlock the doors even when the key is nowhere nearby. To an outside observer, this device would just look like an ordinary portable speaker. The video below shows just such a theft unfolding.
This attack isn’t the easiest to pull off, given that it requires a thief to partially disassemble the target car, but it’s powerful when done correctly — entirely bypassing the car’s key, unlike relay attacks that simply extend the key’s radio range. Tindell lists multiple solutions that automakers can implement , most notably the “zero trust ” approach — wherein every device, even within a car’s internal CAN bus, needs to verify itself during any communication.
Zero trust would effectively stop these kids of attacks, but it would require a new commitment to security from automakers. As those companies continue to add new tech to cars, we can only hope they’ll start keeping up with securing it.
Virtual Ethernet Tap Check out Tindell’s full explanation of this vehicle vulnerability here . It’s an incredibly technical write-up, but Tindell does a great job of breaking it down so anybody can understand it.