ALERT – Key Fob Duplication & CAN Injection Hack
Currently, the trend of duplicating vehicle key fobs via electronic scanning devices is continuing to date.
Residents are advised to purchase commercially available RFID blockers for the safekeeping of those fobs.
The “blockers” are available for purchase via online marketplaces and protect from unauthorized duplication.
In addition, on August 9th, the NYC Police Department and officers from Public Safety responded to two reports of vehicle thefts within the confines of Big Six Towers. BST residents reported two 2020 Toyota RAV4’s were stolen from parking lots.
It is believed the vehicles were hacked by utilizing “CAN Injection” technology.
We are increasing surveillance of the parking lots and advising our staff of this trend.
Please note, although Toyota RAV4’s were stolen, this trend is not limited to that particular manufacturer.
Please see the below article, which details the nuts and bolts of the hack.
PLEASE REPORT SUSPICIOUS BEHAVIOR AND SUSPICIOUS INDIVIDUALS WITHIN THE BUILDINGS, WALKING THROUGHOUT THE PROPERTY & PARKING LOTS TO THE EMERGENCY LINE AT
718.335.8715.
ALL CALLS WILL BE HELD IN STRICT CONFIDENCE
Reprinted – Security Week
Thieves Use CAN Injection Hack to Steal Cars
An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.
By
April 6, 2023
A hacking device can allow thieves to steal a wide range of car models using an attack method named CAN injection, researchers have revealed.
Automotive cybersecurity experts Ian Tabor of the EDAG Group and Ken Tindell, CTO of Canis Automotive Labs, started analyzing these attacks after Tabor had his 2021 Toyota RAV4 stolen last year.
The car was stolen after on two occasions Tabor found that someone had pulled apart his headlight and unplugged the cables. What initially appeared as vandalism turned out to be part of an attempt to steal the vehicle.
Specifically, the thieves pulled off the bumper and unplugged the headlight cables in an attempt to reach wires connected to an electronic control unit (ECU) responsible for the vehicle’s smart key.
An investigation conducted by Tabor showed that the thieves likely connected a special hacking device that allowed them to unlock the vehicle and drive away.
Such hacking devices can be acquired on dark web sites for up to €5,000 ($5,500), and they are often advertised as ‘emergency start’ devices that can be used by vehicle owners who have lost their keys or automotive locksmiths. In the case of the device designed for Toyota cars, the electronics responsible for hacking the vehicle are hidden inside a Bluetooth speaker case.
The hacking device is designed to conduct what the researchers call a CAN injection attack. These devices appear to be increasingly used by thieves. At least one theft was caught by CCTV cameras in London.
The researchers analyzed diagnostics data from Tabor’s stolen RAV4 and such a CAN injection device in an effort to see how they work.
Modern cars have several ECUs, each responsible for a different system, such as headlights, climate control, telematics, cameras, engine control, and the smart key that unlocks and starts the vehicle. ECUs are connected together through controller area network (CAN) buses.
The attacker does not need to directly connect to the smart key ECU. Instead, they can reach the smart key ECU from the wires connected to, for example, the headlight, as long as the headlight and the smart key ECU are on the same CAN bus.
The attacker connects the hacking device to the headlight wires and can send a specially crafted CAN message that tells the smart key receiver ECU that the key is validated. The attacker can then send a specially crafted CAN message to the door ECU to unlock the door. This allows the thieves to get in the car and drive away.
The attack can be carried out by connecting the hacking device to other CAN wires as well, but the ones in the headlight are often the most accessible and connecting to them does not involve causing too much damage to the car, which would lower its value.
While in this case the stolen vehicle was a Toyota and the hacking device tested by the researchers is specifically designed for Toyota cars, the problem is not specific to Toyota.
Similar hacking devices offered for sale to car thieves target many brands, including BMW, GMC, Cadillac, Chrysler, Ford, Honda, Jaguar, Jeep, Maserati, Nissan, Peugeot, Renault, and Volkswagen.
The researchers did report their findings to Toyota, but without much success due to the fact that it’s not an actual vulnerability disclosure. On the other hand, they believe all vehicle makers should read their report and take action to prevent CAN injection attacks. The report made public this week contains some recommendations that can be applied by manufacturers to prevent these types of attacks.
The security experts did manage to have a CVE identifier, CVE-2023-29389, assigned to the Toyota RAV4 hack.
