Slightly "alarming" if true?

KennyN (Senior Member, joined Dec 18, 2013, Paisley; Your Mercedes: BMW 440i, Cayenne, ZX12r / ZRX11 / ZRX Monoshock)
Sounds like it was compiled by a reporter that doesn't know the difference between a camshaft and a calm day, and a couple of bearded gentlemen who wear jumpers with elbow pads and work from inside a wooden shed, as I don't see "automotive experts" coming away with technical statements like the ones used in the article.

“Plug the thing in. The engine starts making whirring noises as it disarms the immobiliser.”

Plugged into a socket typically concealed underneath a car’s headlights or bumpers.

Prices ranging between three and four figures.


I won't let it keep me awake at night; keyless theft and break-ins for the keys will, though.

K
 

brandwooddixon (Senior Member, joined Jul 31, 2006, Wolverhampton; Your Mercedes: S63 Coupe 2014)
It's a real possibility.
Everything on a car works using a CANBUS these days. It's a well known standard and if you have the equipment then you can conceivably control any system on the car by accessing the CANBUS from any point on the bus network.
If a manufacturer has concentrated on the EIS as the primary means of protecting the car and not thought of a physical attack on the CANBUS then it's likely vulnerable to this type of attack.
As CANBUS is used for real time communication between systems then any delay caused by encryption is problematic.
I guess in the instance demonstrated, the light control module CANBUS wiring was used.
 

alexanderfoti (MBO Forum Supporter, Authorised Forum Supporter, joined Mar 25, 2010, Tonbridge; Your Mercedes: W221 S65 AMG - W204 C63 AMG + Various other MB's)
Reading through the tech side of this, it's basically a DoS on the canbus system, then in the brief period whilst the canbus system is resetting itself, injecting a "car is ok to start" message.

This was always going to be a possibility until the can system is encrypted. This is going to be very manufacturer specific.
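The DoS-then-inject pattern described in this post leaves a footprint in message timing even when nothing on the bus is authenticated, and that is one way a gateway or a monitoring ECU can catch it. Below is an added example, not code from the thread, from any manufacturer or from the article: a small Python monitor over candump-style log lines that learns the period of each CAN ID and then flags a frame that arrives far too early for its ID (a second sender spoofing that ID alongside the genuine one) and a silence far longer than the period (the bus being knocked out and recovering). The log lines, the IDs 0x2B0 and 0x1A0, and the reading of 0x2B0 as an "immobiliser status" frame are all constructed for the example.

```python
"""Added example: timing-based injection and gap detection over
candump-style CAN log lines. IDs, rasters and payload meanings are
constructed for illustration, not taken from any vehicle."""
import re
from collections import defaultdict

# candump log format: (timestamp) interface ID#HEXDATA
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed log: 0x2B0 (pretend "immobiliser status", 10 ms raster) and
# 0x1A0 (20 ms raster). One spoofed 0x2B0 arrives 2.5 ms after a genuine
# one with a different payload, then the whole bus goes quiet for ~100 ms.
SAMPLE_LOG = """
(0.000000) can0 2B0#00
(0.000000) can0 1A0#1122
(0.010000) can0 2B0#00
(0.020000) can0 2B0#00
(0.020000) can0 1A0#1122
(0.030000) can0 2B0#00
(0.040000) can0 2B0#00
(0.040000) can0 1A0#1122
(0.050000) can0 2B0#00
(0.060000) can0 2B0#00
(0.060000) can0 1A0#1122
(0.070000) can0 2B0#00
(0.072500) can0 2B0#01
(0.080000) can0 2B0#00
(0.080000) can0 1A0#1122
(0.090000) can0 2B0#00
(0.100000) can0 2B0#00
(0.100000) can0 1A0#1122
(0.200000) can0 2B0#00
(0.200000) can0 1A0#1122
(0.210000) can0 2B0#00
""".strip().splitlines()


def parse_candump_line(line):
    """Parse one candump line into (timestamp, can_id, payload), else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])


class PeriodMonitor:
    """Learns each ID's period from its first few intervals (median, so one
    odd interval does not poison it), then raises:
      INJECT  frame arrived at < early_factor * period  (second sender)
      GAP     frame arrived at > gap_factor * period    (bus was silent)"""

    def __init__(self, learn_frames=5, early_factor=0.5, gap_factor=4.0):
        self.learn_frames = learn_frames
        self.early_factor = early_factor
        self.gap_factor = gap_factor
        self.last_seen = {}
        self.intervals = defaultdict(list)
        self.period = {}

    def observe(self, ts, can_id, payload):
        alerts = []
        prev = self.last_seen.get(can_id)
        self.last_seen[can_id] = ts
        if prev is None:
            return alerts
        dt = ts - prev
        period = self.period.get(can_id)
        if period is None:  # still learning this ID
            self.intervals[can_id].append(dt)
            if len(self.intervals[can_id]) >= self.learn_frames:
                ordered = sorted(self.intervals[can_id])
                self.period[can_id] = ordered[len(ordered) // 2]
            return alerts
        if dt < self.early_factor * period:
            alerts.append(("INJECT", can_id, ts, payload.hex()))
        elif dt > self.gap_factor * period:
            alerts.append(("GAP", can_id, ts, round(dt, 4)))
        return alerts


def scan(lines):
    """Run the monitor over log lines and return the list of alerts."""
    mon = PeriodMonitor()
    alerts = []
    for line in lines:
        parsed = parse_candump_line(line)
        if parsed:
            alerts.extend(mon.observe(*parsed))
    return alerts


if __name__ == "__main__":
    for kind, can_id, ts, detail in scan(SAMPLE_LOG):
        print(f"{kind:6s} id=0x{can_id:03X} t={ts:.4f} {detail}")
```

Against the constructed log this reports one INJECT for 0x2B0 at 0.0725 s (payload 01) and a GAP for both IDs at 0.200 s. A real monitor would also watch the controller's error counters and bus-off events, since the flooding phase shows up there before the silence does, and would learn periods from a known-good capture rather than the first few frames it happens to see.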
 

supernoodle (Senior Member, joined Sep 7, 2021; Your Mercedes: E220 2005 2.1D)
brandwooddixon said:
> It's a real possibility.
> Everything on a car works using a CANBUS these days. It's a well known standard and if you have the equipment then you can conceivably control any system on the car by accessing the CANBUS from any point on the bus network.
> If a manufacturer has concentrated on the EIS as the primary means of protecting the car and not thought of a physical attack on the CANBUS then it's likely vulnerable to this type of attack.
> As CANBUS is used for real time communication between systems then any delay caused by encryption is problematic.
> I guess in the instance demonstrated, the light control module CANBUS wiring was used.

Vehicles don't just have a single CAN bus; there will be multiple. A gateway is used to allow messages to pass from one network to another, but the messages that are passed across are pre-defined. You can't just connect up to the bus for, say, the parking system and send a start request CAN message to the ECU.

CAN isn't a real time system, the fastest messages you'll see will usually be on a 10ms raster, but could be just 1000ms.

CAN message authentication (encryption) is already here in some of the latest vehicles, thanks to the CAN FD protocol that allows much higher baud rates and data payloads.
Even before this encryption came in, though, it's not uncommon to have checksums and counters on critical messages as a safety feature.
 

supernoodle (Senior Member, joined Sep 7, 2021; Your Mercedes: E220 2005 2.1D)
Found the techy details. Seems some sloppy design to have a bus with access control messages so accessible.


CAN message authentication will stop this kind of attack at least

Toyota have a history of bad design though

 

Chris-net (Senior Member, joined Dec 26, 2006; Your Mercedes: [2011 S212 e250] [2021 W213 A238 E53])
CAN bus development started in 1983 and followed that of early data networks. Security, authentication and authorisation were not as high up the agenda as they became in the 2000s.

The first production vehicle to use CAN bus was the W140 back in 1991 and it had 5 CAN bus nodes; I assume a node means a device on the CAN bus and not individual buses.

As a shared-access medium, CAN bus comms would be subject to transmission collisions: each node must listen for a gap before transmitting (half duplex) and every device on the bus gets the transmission, the same as early data networks when things were connected to hubs and shared a collision domain. Data networks moved to switches, which made every connection its own collision domain, meaning no need to check if another device is transmitting, which speeds up communication; also (under normal circumstances) only the devices the messages are destined for get the transmission. Using multiple CAN buses achieves a similar improvement to a switch, as just 2 devices can be on the bus and they can communicate faster.

A headlight may be on a bus connected to perhaps the ECU, which perhaps can be spoofed into starting the car; the multimedia system is likely on a different bus.

On most cars the headlamps can only be removed from inside the engine bay, and most modern headlamps cost many hundreds to replace and code onto the car.

Not sure how practical this exploit is, but then again I'm not into stealing cars.

This Hyundai vulnerability seems far easier.

 

brandwooddixon (Senior Member, joined Jul 31, 2006, Wolverhampton; Your Mercedes: S63 Coupe 2014)
supernoodle said:
> CAN isn't a real time system, the fastest messages you'll see will usually be on a 10ms raster, but could be just 1000ms.
Realtime systems often run on program cycles far slower than 10ms, and in this case CAN bus is more than fast enough.
The term is typically used to define electronic systems running embedded software to differentiate them from the likes of PCs, web servers and the like.
When electronic fuel injection first appeared you were looking at injector cycles being set every 250ms and that was considered real time control.
Now you'll have messages from several systems being used to determine engine fuelling.

supernoodle said:
> CAN message authentication (encryption) is already here in some of the latest vehicles, thanks to the CAN FD protocol that allows much higher baud rates and data payloads.
> Even before this encryption came in, though, it's not uncommon to have checksums and counters on critical messages as a safety feature.

I didn't know that encryption had been added, but I doubt that it's to the same level that you would find on computer systems. I don't take checksums or counters to be any form of security; they are easily spoofed if you know what you are doing, and are really there for message integrity testing.

supernoodle said:
> Found the techy details. Seems some sloppy design to have a bus with access control messages so accessible.
>
> CAN message authentication will stop this kind of attack at least
>
> Toyota have a history of bad design though

As I said, its a possibility.
You can count on sloppy design in all consumer products, whether cars or televisions.
This type of "cyber" security is always a last consideration. Engineers will nearly always leave security disabled (even if included) until such time they have a working system.

Inevitably there will be project overruns, the boss will demand a release and someone will forget to enable the security.

Here are some links to related articles:
Forbes - Top Twenty Unspoken Automotive Cybersecurity Questions

YouTube video showing remote hacking of a Jeep
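The distinction the last two posts draw, between an alive counter plus checksum (an integrity and safety feature) and real message authentication, is easy to see in code. Here is an added example, not code from the thread, from Mercedes or from any standard: the same 8-byte payload protected first by a 4-bit counter and a CRC-8 that anyone listening on the bus can recompute, then by a truncated keyed MAC over the CAN ID, payload and a 32-bit freshness counter, in the style of AUTOSAR SecOC. The CAN ID 0x2B0, the byte layouts, the key, the 4-byte tag length and the "locked/released" meaning of byte 0 are all assumptions made for the example.

```python
"""Added example: counter+CRC (integrity only) versus keyed MAC with
freshness (authentication) on a hypothetical 8-byte CAN payload.
Layouts, CAN ID, key and tag length are assumptions, not any OEM's."""
import hashlib
import hmac
import struct

CAN_ID = 0x2B0                 # hypothetical "immobiliser status" ID
KEY = bytes(range(16))         # hypothetical shared key provisioned per ECU
ATTACKER_KEY = bytes(16)       # the attacker has no key and must guess one
RELEASED, LOCKED = 0x01, 0x00


def crc8(data, poly=0x07, init=0x00):
    """Plain CRC-8, no secret: detects noise, not a deliberate forgery."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


# --- Scheme 1: 4-bit alive counter + CRC-8 (bytes: status, ctr, 5 pad, crc)
def build_crc_frame(status, counter):
    body = bytes([status, counter & 0x0F, 0, 0, 0, 0, 0])
    return body + bytes([crc8(body)])


def check_crc_frame(frame, last_counter):
    """Receiver side. Returns (accepted, new_last_counter)."""
    body, crc = frame[:7], frame[7]
    if crc8(body) != crc:
        return False, last_counter
    counter = body[1]
    if counter != (last_counter + 1) & 0x0F:
        return False, last_counter
    return True, counter


def forge_crc_frame(last_genuine, status):
    """Attacker read the last frame, bumps the counter, recomputes the CRC."""
    return build_crc_frame(status, (last_genuine[1] + 1) & 0x0F)


# --- Scheme 2: keyed MAC with freshness (bytes: 3 data, ctr low byte, 4 tag)
def _tag(can_id, data, counter, key):
    msg = struct.pack(">HI", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def build_mac_frame(can_id, status, counter, key):
    data = bytes([status, 0, 0])
    return data + bytes([counter & 0xFF]) + _tag(can_id, data, counter, key)


class MacReceiver:
    """Accepts a frame only if its tag verifies under a strictly increasing
    32-bit freshness counter, of which only the low byte is on the wire."""

    def __init__(self, can_id, key):
        self.can_id, self.key, self.last = can_id, key, 0

    def check(self, frame):
        data, low, tag = frame[:3], frame[3], frame[4:8]
        candidate = (self.last & ~0xFF) | low
        if candidate <= self.last:      # wrapped, or a replayed low byte:
            candidate += 0x100          # a replay then fails the MAC check
        expected = _tag(self.can_id, data, candidate, self.key)
        if not hmac.compare_digest(tag, expected):
            return False
        self.last = candidate
        return True


def demo():
    results = {}
    # Scheme 1: the CRC catches corruption, but a forger just recomputes it.
    last = 0
    genuine = build_crc_frame(LOCKED, 1)
    results["crc_genuine"], last = check_crc_frame(genuine, last)
    corrupted = bytes([genuine[0] ^ 0x80]) + genuine[1:]
    results["crc_corrupted"], _ = check_crc_frame(corrupted, last)
    forged = forge_crc_frame(genuine, RELEASED)
    results["crc_forged"], last = check_crc_frame(forged, last)
    # Scheme 2: without the key the forgery fails, and so does a replay.
    rx = MacReceiver(CAN_ID, KEY)
    first = build_mac_frame(CAN_ID, LOCKED, 1, KEY)
    results["mac_genuine"] = rx.check(first)
    results["mac_forged"] = rx.check(build_mac_frame(CAN_ID, RELEASED, 2, ATTACKER_KEY))
    results["mac_replay"] = rx.check(first)
    results["mac_next"] = rx.check(build_mac_frame(CAN_ID, LOCKED, 2, KEY))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:14s} accepted={accepted}")
```

The CRC scheme accepts the forged "released" frame because the only thing it checks is arithmetic the attacker can do too. The MAC scheme rejects it for lack of the key, and rejects the replayed genuine frame because the reconstructed freshness counter no longer matches what was signed. Truncating the tag to 4 bytes is the price of fitting it into a classic 8-byte frame, which is why the post above ties authentication to the larger CAN FD payloads.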
 

Chris-net (Senior Member, joined Dec 26, 2006; Your Mercedes: [2011 S212 e250] [2021 W213 A238 E53])
brandwooddixon said:
> Realtime systems often run on program cycles far slower than 10ms, and in this case CAN bus is more than fast enough.
> The term is typically used to define electronic systems running embedded software to differentiate them from the likes of PCs, web servers and the like.
> When electronic fuel injection first appeared you were looking at injector cycles being set every 250ms and that was considered real time control.
> Now you'll have messages from several systems being used to determine engine fuelling.
Realtime systems are actually systems that complete tasks within known time limits, the limit could be 10 minutes or 10 years and it could still be a realtime system.


Fuel injection is a great example, as it's no good the fuel being injected after or before it's needed; plus the correct amount needs injecting for the specific requirements at that time, which may change from injection to injection, and the timing depends on engine speed. Therefore the system needs to know what to do at the time the next injection is due, which fits in nicely with the real-time computing definition.
 

