Cybercriminals ‘CAN’ steal your car, using novel IoT hack


Automotive security experts have uncovered a novel method for stealing cars by breaking into their control systems through a headlight.

The key (so to speak) is the controller area network (CAN) bus, the Internet of Things (IoT) protocol through which devices and microcontrollers in a vehicle communicate with one another. It’s basically the car’s onboard, local communications network that cyberattackers can subvert to potentially stop and start the car, open doors and windows, play around with the radio, and much more.

While car hacking is hardly new, in a blog post published April 3, Ken Tindell, CTO of Canis Automotive Labs, described how attackers manipulated an electronic control unit (ECU) in a Toyota RAV4’s headlight to gain access to its CAN bus, through which they were able to, ultimately, steal the vehicle. That’s an approach that hasn’t been seen before. Once connected via the headlight, they hacked their way into the CAN bus — responsible for functions like the parking brakes, headlights, and smart key — through a gateway and then into the powertrain panel, wherein lies the engine control.


This type of CAN injection will require manufacturers to rethink control network security in their vehicles, Tindell warns.

“When you’re a car engineer,” Tindell tells Dark Reading, “you’re trying to solve all sorts of problems: minimizing the wiring, reliability, cost. You’re not thinking ‘cyber, cyber, cyber’ all the time.”

“We’re not wired that way,” he says. “Forgive the pun.”

Cyber Theft Auto

On April 24 last year, Ian Tabor woke up to find that his Toyota RAV4’s front bumper and left headlight had been manhandled, while it was parked out on the street in London.

One month later, those same areas of the car were again obviously tampered with. Tabor didn’t realize the full scope of the sabotage until it was too late.

To read the complete article, visit Dark Reading.

 
