The Unexpected Way Thieves Are Using The Headlights To Get Inside Your Car

Automotive design has gotten much more complex in recent years. Autonomous driving systems are now commonplace, as are sophisticated in-dash infotainment and navigational systems. Along with these systems has come an increase in the computing power hidden beneath the dashboards of our cars, and those computers do everything from warning us of impending collisions to turning on the windshield wipers when it starts to rain.

Hyundai and Kia even relied on a software patch to make their vehicles harder to steal. Still, another automaker has an issue where a computerized system makes vehicles vulnerable to theft through a very accessible spot.

Last April, British cybersecurity consultant Ian Tabor posted a picture to Twitter showing that thieves had stolen the driver's side headlight from his new Toyota RAV4 and pulled the headlight wire out from the area under the RAV4's hood. He replaced the headlight, but three months later, the thieves returned and stole it again.

Two nights later, Tabor's RAV4 and a neighbor's Toyota were taken.

The thieves used the headlight wiring harness to reach the CAN (Controller Area Network) bus in Tabor's RAV4. The CAN bus manages the complex electronic communications that modern cars require for systems like airbags, self-diagnostics, and parking assist. In the case of Tabor's RAV4, the connector the thieves accessed is used for headlight leveling and aiming.

Tabor and a colleague bought a CAN injector on the dark web

Tabor enlisted the help of another cybersecurity expert, Dr. Ken Tindell, and the two scoured the dark web and purchased a locksmith's emergency start device for Toyota and Lexus vehicles for €5,000 ($5,419).

In a post on his GitHub blog, Tindell explained how the exploit works. "The thieves can use their CAN Injector device to send a fake CAN message [to] the door ECU that in essence says 'Key is valid, unlock the doors.' So they don't even need to damage the car to break into it: they can simply open the door, get in, and drive the car away – all without needing the key."

He further explained that Toyota could block the exploit with a software fix, but thieves could find a way around the fix, leading to a circular cat-and-mouse game between thieves and automakers. 

Kelley Blue Book advises car owners to rely on old-school anti-theft techniques to safeguard their vehicles. "Park it indoors or in a well-lighted area with regular foot traffic. Move it regularly, and notify local police if you find any trim pieces missing or dislodged."