{"id":626944,"date":"2023-04-08T09:49:18","date_gmt":"2023-04-08T14:49:18","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/04\/08\/theres-a-new-form-of-keyless-car-theft-that-works-in-under-2-minutes\/"},"modified":"2023-04-08T09:49:18","modified_gmt":"2023-04-08T14:49:18","slug":"theres-a-new-form-of-keyless-car-theft-that-works-in-under-2-minutes","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/04\/08\/theres-a-new-form-of-keyless-car-theft-that-works-in-under-2-minutes\/","title":{"rendered":"There\u2019s a new form of keyless car theft that works in under 2 minutes"},"content":{"rendered":"<div itemprop=\"articleBody\">\n<figure>\n  <img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2023\/04\/vehicle-theft-800x600.jpg\" alt=\"Infrared image of a person jimmying open a vehicle.\"><figcaption>\n<p><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2023\/04\/vehicle-theft.jpg\" data-height=\"750\" data-width=\"1000\">Enlarge<\/a> <span>\/<\/span> Infrared image of a person jimmying open a vehicle.<\/p>\n<p>Getty Images<\/p>\n<\/figcaption><\/figure>\n<p>When a London man discovered the front left-side bumper of his Toyota RAV4 torn off and the headlight partially dismantled not once but twice in three months last year, he suspected the acts were senseless vandalism. When the vehicle went missing a few days after the second incident, and a neighbor found their Toyota Land Cruiser gone shortly afterward, he discovered they were part of a new and sophisticated technique for performing keyless thefts.<\/p>\n<p>It just so happened that the owner, Ian Tabor, is a cybersecurity researcher specializing in automobiles. While investigating how his RAV4 was taken, he stumbled on a new technique called CAN injection attacks.<\/p>\n<h2>The case of the malfunctioning CAN<\/h2>\n<p>Tabor began by poring over the \u201cMyT\u201d telematics system that Toyota uses to track vehicle anomalies known as DTCs (Diagnostic Trouble Codes). It turned out his vehicle had recorded many DTCs around the time of the theft.<\/p>\n<p>The error codes showed that communication had been lost between the RAV4\u2019s CAN\u2014short for <a href=\"https:\/\/en.wikipedia.org\/wiki\/CAN_bus\">Controller Area Network<\/a>\u2014and the headlight\u2019s Electronic Control Unit. These ECUs, as they\u2019re abbreviated, are found in virtually all modern vehicles and are used to control a myriad of functions, including wipers, brakes, individual lights, and engine. Besides controlling the components, ECUs send status messages over the CAN to keep other ECUs apprised of current conditions.<\/p>\n<p>This diagram maps out the CAN topology for the RAV4:<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" alt=\"Diagram showing the CAN topology of the RAV4.\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2023\/04\/rav4-ecu-diagram.png\" width=\"1781\" height=\"810\"><figcaption>\n<p>Diagram showing the CAN topology of the RAV4.<\/p>\n<p>Ken Tindell<\/p>\n<\/figcaption><\/figure>\n<p>The DTCs showing that the RAV4\u2019s left headlight lost contact with the CAN wasn\u2019t particularly surprising, considering that the crooks had torn off the cables that connected it. More telling was the failure at the same time of many other ECUs, including those for the front cameras and the hybrid engine control. Taken together, these failures suggested not that the ECUs had failed but rather that the CAN bus had malfunctioned. That sent Taber searching for an explanation.<\/p>\n<p>The researcher and theft victim next turned to crime forums on the dark web and YouTube videos discussing how to steal cars. He eventually found ads for what were labeled \u201cemergency start\u201d devices. Ostensibly, these devices were designed for use by owners or locksmiths to use when no key is available, but nothing was preventing their use by anyone else, including thieves. Taber bought a device advertised for starting various vehicles from Lexus and Toyota, including the RAV4. He then proceeded to reverse engineer it and, with help from friend and fellow automotive security expert Ken Tindell, figure out how it worked on the CAN of the RAV4.<\/p>\n<h2>Inside this JBL speaker lies a new form of attack<\/h2>\n<p>The research uncovered a form of keyless vehicle theft neither researcher had seen before. In the past, thieves found success using what\u2019s known as a <a href=\"https:\/\/arstechnica.com\/cars\/2015\/04\/new-york-times-columnist-falls-prey-to-signal-repeater-car-burglary\/\">relay attack<\/a>. These hacks amplify the signal between the car and the keyless entry fob used to unlock and start it. Keyless fobs typically only communicate over distances of a few feet. By placing a simple handheld radio device near the vehicle, thieves amplify the normally faint message that cars send. With enough amplification, the messages reach the nearby home or office where the key fob is located. When the fob responds with the cryptographic message that unlocks and starts the vehicle, the crook&#8217;s repeater relays it to the car. With that, the crook drives off.\n<\/p>\n<p>\u201cNow that people know how a relay attack works \u2026 car owners keep their keys in a metal box (blocking the radio message from the car) and some car makers now supply keys that go to sleep if motionless for a few minutes (and so won\u2019t receive the radio message from the car),\u201d Tindell wrote in a recent <a href=\"https:\/\/kentindell.github.io\/2023\/04\/03\/can-injection\/\">post<\/a>. \u201cFaced with this defeat but being unwilling to give up a lucrative activity, thieves moved to a new way around the security: bypassing the entire smart key system. They do this with a new attack: CAN Injection.\u201d<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/arstechnica.com\/?p=1930147\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Dan Goodin<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enlarge \/ Infrared image of a person jimmying open a vehicle.Getty Images When a London man discovered the front left-side bumper of his Toyota RAV4 torn off and the headlight partially dismantled not once but twice in three months last year, he suspected the acts were senseless vandalism. When the vehicle went missing a few<\/p>\n","protected":false},"author":1,"featured_media":626945,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[39260,46,63],"tags":[],"class_list":{"0":"post-626944","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-keyless","8":"category-technology","9":"category-theres"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/626944","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=626944"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/626944\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/626945"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=626944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=626944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=626944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}