This Headlight Hack Makes Toyotas Easy Pickings For Thieves

Auto theft has been a problem almost as long as cars have been around, but it's been a particular blight in the U.S. over the last few decades. The National Insurance Crime Bureau reports that car theft peaked in 1991 and has declined significantly since then, but thieves have evolved beyond their old low-tech tactics. Anti-theft features like electronic immobilizers made lock-picking tools and wire coat hangers ineffective on many cars, and this continued as vehicles became more tech- and software-dependent.

Unfortunately, loading cars with computers has made some models even more vulnerable to theft. The "Kia Boys" made news by using USB drives and cables to steal cars, and another method is evolving that doesn't even require access to the passenger cabin. The Toyota RAV4 is the most popular SUV in the United States, and thieves can use its headlight connectors to access the Controller Area Network (CAN) bus to spoof keys and fobs. The CAN bus is responsible for everything from lights and driver-assist systems to vehicle security and diagnostics. Let's take a look at how CAN injector theft happens and what's being done to stop it.

Anyone can buy a CAN injector

The CAN bus vulnerability became widely known back in 2022 thanks to cybersecurity expert Ian Tabor and Dr. Ken Tindell, the CTO of CANIS Automotive Labs. Tabor found his RAV4 parked on the street one day with body panels removed and a headlight exposed, and the car was stolen a few weeks later. Suspicious that the headlight wiring had something to do with the theft, Tabor and his friend began an investigation that included a deep dive into his RAV4's CAN bus network.

This path eventually led them to the dark web, where they found Bluetooth speakers and old mobile phones that had been turned into CAN bus injectors via chip transplants. These devices could be used to unlock and start cars, although they cost up to $5,000 from vendors of suspicious origin. For a committed car thief or organized ring, that's an investment that could pay for itself quickly, and vendor ethics are likely not an issue. An efficient thief with a CAN injector can steal a car in as little as 15 seconds, and CAN injectors are available for cars made by Ford, Honda, Volkswagen, and several of the Stellantis group's brands. "The hacking device sends a message to the car's front network ... pretending to be the key," Tindell told Business Insider. "That gets sent across to the engine management system on another network by a gateway device that just believes it. And the engine management network just believes it and it unlocks the car."

How to prevent CAN injector car theft

A video from Viper security systems demonstrates how a thief with a CAN injector disguised as a smartphone can steal a Ford F-150 pickup in a matter of seconds. This model appears to allow even easier access to the headlight wiring than the RAV4, with the mock thief quickly linking the headlight connector to his device with a cable. For many vehicles like the RAV4 and F-150, tapping the headlight wiring is the easiest way to get into a car's vulnerable CAN system.

Fortunately, automakers are beginning to take measures to address not just CAN injector thefts but other electronic weak points as well. In 2024, Toyota hosted Hack Festa events in Japan, Ireland, and the United States. White-hat hackers were pitted against Toyota's vehicles to help the automaker improve its security systems, but these changes will take a while to implement. Car owners who want to take their own measures can use aftermarket alarm systems, CAN bus disablers, or even physical shields that block access to wiring connectors. The Kia Boys eventually provoked an alert from Rome, NY police, but the best way to prevent thieves from stealing your car is to park it in a locked garage or other secure area. Car owners without access to such a spot might want to use cameras, motion detector lights, or one of the aforementioned devices to deter CAN injector theft.
