Tech-savvy thieves have adopted a new way of stealing cars without physically breaking into them: injecting forged messages into the car's internal electronic network through the wiring behind a headlight or taillight.

More specifically, criminals plug a purpose-built device into the wiring behind the headlight or taillight, where the car's internal network is reachable, to bypass the electronic security of modern cars and unlock, start, and drive away with the victim's vehicle.

The method came to light last year in the UK when Ian Tabor, who runs the UK chapter of the Car Hacking Village, had his Toyota RAV4 stolen from outside his home near London.

After finding that the wiring behind his headlight had been pulled out, Tabor turned to Toyota's "MyT" app to investigate.

He noticed that his RAV4 had logged a burst of Diagnostic Trouble Codes (DTCs) just before it was stolen, including one from the electronic control unit (ECU) that manages the car's exterior lighting.

On further investigation, Tabor and Ken Tindell, CTO of Canis Automotive Labs, worked out that the thieves had gained access to the vehicle's Controller Area Network (CAN) bus, as Tindell wrote in a recent blog post.

The pair also found expensive tools advertised for exactly this purpose on the dark web.

Crafted Devices Inject Fake Messages into CAN Network

The CAN injection tools, sold for up to $5,400 on the dark web, inject forged frames into the vehicle's CAN bus.

The device impersonates the car's own smart-key electronics so that the car believes a trusted key is present; the CAN gateway then forwards the messages that disable the immobilizer and unlock the doors, and the thieves drive away.

The device is simple to use: the thief only has to power it from a battery pack.

Once powered and connected, it wakes the CAN bus by sending a frame that makes the car believe a key is present, then listens for a specific CAN message before beginning its attack.

The device then emulates a hardware fault on the bus, which causes the other electronic control units on the CAN network to stop transmitting, so the injector's spoofed frames face no competing traffic from the genuine ECUs.

In attack mode it sends forged messages to the gateway that make the car believe a valid key is being used to control the vehicle. All the thief then needs to do is press the "play" button on the Bluetooth speaker the device is hidden inside, and the car's doors unlock.
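Because a CAN frame carries no sender address, an injector can transmit under a legitimate ECU's arbitration id, but it rarely reproduces that ECU's broadcast schedule. The following added example (not code from the article, Tindell's post, or Canis Automotive Labs) learns each id's normal period from a clean candump-style capture and flags frames that arrive far too early under a suspect capture. The arbitration ids, the "key valid" payload encoding, and both logs are constructed for illustration.

```python
"""Timing-based CAN injection detector over candump-style log lines.

Added example, not code from the article or from Canis Automotive Labs.
Arbitration ids, payloads and the log lines are constructed for illustration.
"""
import re
from statistics import median

# candump -l format: "(seconds.micros) interface ID#HEXDATA"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(lines):
    """Return a list of (timestamp, arbitration_id, payload_bytes), skipping malformed lines."""
    frames = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_periods(frames):
    """Median inter-arrival time per arbitration id, learned from a known-clean capture."""
    stamps = {}
    for ts, can_id, _ in frames:
        stamps.setdefault(can_id, []).append(ts)
    periods = {}
    for can_id, ts_list in stamps.items():
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if gaps:
            periods[can_id] = median(gaps)
    return periods


def detect_injection(frames, periods, min_fraction=0.5):
    """Flag frames of a periodic id that arrive far sooner than that id's learned period.

    Each alert is (timestamp, id, payload_hex, gap_seconds). Frames of ids with no
    learned period are ignored rather than guessed about.
    """
    last_seen = {}
    alerts = []
    for ts, can_id, data in frames:
        period = periods.get(can_id)
        if period is not None and can_id in last_seen:
            gap = ts - last_seen[can_id]
            if gap < period * min_fraction:
                alerts.append((ts, can_id, data.hex(), gap))
        last_seen[can_id] = ts
    return alerts


def _log(t0, can_id, period, count, payload):
    """Build constructed candump lines for one id sent every `period` seconds."""
    return [f"({t0 + period * i:.6f}) can0 {can_id:03X}#{payload}" for i in range(count)]


T0 = 1680000000.0
KEY_STATUS_ID = 0x0AA   # hypothetical id for the smart-key ECU's status frame
OTHER_ID = 0x1B0        # hypothetical unrelated periodic frame

# Constructed clean capture: key ECU reports "no key" (first byte 00) every 100 ms.
# Timestamps share a fixed width, so sorting the strings sorts chronologically.
CLEAN_LOG = sorted(
    _log(T0, KEY_STATUS_ID, 0.100, 10, "0000000000000000")
    + _log(T0, OTHER_ID, 0.050, 20, "0102030405060708")
)

# Constructed suspect capture: three genuine frames, then an injector blasts
# "key valid" (first byte 01, hypothetical encoding) under the same id every 10 ms.
SUSPECT_LOG = sorted(
    _log(T0, KEY_STATUS_ID, 0.100, 3, "0000000000000000")
    + _log(T0 + 0.205, KEY_STATUS_ID, 0.010, 5, "0100000000000000")
    + _log(T0, OTHER_ID, 0.050, 20, "0102030405060708")
)


def run_demo():
    """Learn from the clean capture, then scan the suspect one; returns the alerts."""
    periods = learn_periods(parse_candump(CLEAN_LOG))
    return detect_injection(parse_candump(SUSPECT_LOG), periods)


if __name__ == "__main__":
    for ts, can_id, data, gap in run_demo():
        print(f"{ts:.6f} id=0x{can_id:03X} data={data} gap={gap * 1000:.1f}ms (expected ~100ms)")
```

Timing is a heuristic, not proof: an injector that first silences the genuine ECU (as the article describes) and then matches its cadence would not trip this check, so in practice it belongs alongside payload plausibility checks and, ideally, message authentication.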

How to Protect Cars from CAN Injection Devices

The maker of these CAN injection devices claims they work against a wide range of makes and models, which makes this an industry-wide problem that needs an industry-wide fix.

There are, however, ways to defend against the attack. Automakers can encrypt, or better, authenticate the messages carried on the CAN bus, so that a frame claiming "key present" is only honoured if it carries a valid authentication tag. Encryption alone does not stop an attacker from replaying a captured frame; a freshness value such as a monotonic counter is what defeats replay.
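To make the defence concrete, here is an added example of an authenticated CAN payload with replay protection. It is not the article's, Toyota's, or any manufacturer's scheme: it packs a 1-byte status, a 3-byte counter and a 4-byte truncated HMAC-SHA256 tag into a classic 8-byte CAN payload, and the arbitration id, shared key and status codes are all assumptions chosen for illustration. The unauthenticated receiver at the bottom is the weak setting the attack relies on.

```python
"""Authenticated CAN payload with replay protection.

Added example, not the article's or any manufacturer's scheme. It packs a 1-byte
status, a 3-byte counter and a 4-byte truncated HMAC into a classic 8-byte CAN
payload; the id, key, status codes and tag length are all assumptions.
"""
import hashlib
import hmac
import struct
from typing import Optional

COUNTER_LEN = 3   # 24-bit monotonic counter: freshness, defeats replay
TAG_LEN = 4       # truncated HMAC-SHA256, the most that fits beside the counter
STATUS_NO_KEY = 0x00      # hypothetical status values for the key ECU's frame
STATUS_KEY_VALID = 0x01
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # per-vehicle shared secret (stand-in)


def make_tag(key: bytes, can_id: int, counter: int, status: int) -> bytes:
    """MAC over id || counter || status so a tag cannot be moved to another id or message."""
    msg = struct.pack(">I", can_id) + counter.to_bytes(COUNTER_LEN, "big") + bytes([status])
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key: bytes, can_id: int, counter: int, status: int) -> bytes:
    """Sender side: payload = status(1) || counter(3) || tag(4) = 8 bytes."""
    if not 0 <= counter < 1 << (8 * COUNTER_LEN):
        raise ValueError("counter exhausted: re-key before it wraps")
    return bytes([status]) + counter.to_bytes(COUNTER_LEN, "big") + make_tag(key, can_id, counter, status)


class Verifier:
    """Receiver side (e.g. the gateway or immobilizer) for one authenticated id."""

    def __init__(self, key: bytes, can_id: int):
        self.key = key
        self.can_id = can_id
        self.last_counter = -1   # highest counter accepted so far

    def accept(self, payload: bytes) -> Optional[int]:
        """Return the status byte if the frame is authentic and fresh, else None."""
        if len(payload) != 1 + COUNTER_LEN + TAG_LEN:
            return None
        status = payload[0]
        counter = int.from_bytes(payload[1:1 + COUNTER_LEN], "big")
        tag = payload[1 + COUNTER_LEN:]
        if counter <= self.last_counter:
            return None                       # replayed or stale frame
        if not hmac.compare_digest(tag, make_tag(self.key, self.can_id, counter, status)):
            return None                       # forged or tampered frame
        self.last_counter = counter
        return status


def accept_unauthenticated(payload: bytes) -> int:
    """The weak setting the attack relies on: whatever the first byte says is believed."""
    return payload[0]


def run_demo():
    """Genuine traffic is accepted; a forged 'key valid' frame and a replay are not."""
    can_id = 0x0AA   # hypothetical id of the key ECU's status frame
    gateway = Verifier(KEY, can_id)
    genuine = [build_frame(KEY, can_id, n, s) for n, s in ((0, STATUS_NO_KEY), (1, STATUS_KEY_VALID))]
    # An injector without the key can only guess the tag; here it sends zeros.
    forged = bytes([STATUS_KEY_VALID]) + (2).to_bytes(COUNTER_LEN, "big") + b"\x00" * TAG_LEN
    return {
        "genuine": [gateway.accept(f) for f in genuine],
        "replay": gateway.accept(genuine[1]),
        "forged": gateway.accept(forged),
        "forged_without_auth": accept_unauthenticated(forged),
    }


if __name__ == "__main__":
    print(run_demo())
```

A 32-bit tag leaves a forger roughly a one-in-four-billion chance per attempt, and a CAN bus accepts thousands of frames per second, so a real receiver should also lock out or alert after repeated tag failures. The 24-bit counter wraps after about 16 million frames and must be re-keyed or widened before then, and a key shared across a whole fleet would turn one extracted key into a universal tool, so keys should be per vehicle.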

Another, shorter-term option is to study how the current CAN Injector works and make a small change to the car's software that stops it from working.

“It won’t be a permanent fix: the criminal who designed the CAN Injector can then respond with changes, and it will likely start working again. But this can buy time for the next fix,” Tindell said.

As cars become more connected and computerized, car theft is evolving alongside them.

As reported, researchers from French cybersecurity firm Synacktiv "fully compromised" a new Tesla Model 3 at the Pwn2Own 2023 hacking contest, gaining control of safety-related systems and breaking into its infotainment system.

Last year, researchers also showed that a feature that lets drivers start their vehicle more easily after opening the door with a near-field communication (NFC) key card can be abused to unlock a car and potentially steal it.

