A while back @mintynet had his car stolen in a keyless theft. He called me in as a #canbus guru to help work out how exactly the car was stolen, and now we know exactly how they did it and also how to stop them. We call it "CAN Injection 🚘💉" and I've written the whole story up in a blog post: https://kentindell.github.io/2023/04/03/can-injection/
CAN Injection: keyless car theft

This is a detective story about how a car was stolen - and how it uncovered an epidemic of high-tech car theft. It begins with a tweet. In April 2022, my friend Ian Tabor tweeted that vandals had been at his car, pulling apart the headlight and unplugging the cables.

Ken Tindell’s blog

@kentindell @mintynet dunno how I missed this when you posted it, it's a great write-up!

I think you hit a good level of explaining complex CAN concepts to the uninitiated as well (speaking as semi-initiated, myself!)

You have to admire the idea behind forcing the recessive bus state, have you come across that before?

I'm curious if it's basically a P-channel FET on the H line, or something more sophisticated? (If you left that detail out to avoid providing too much of a HOWTO for folks then feel free to decline to answer, of course! 😁 )

@kentindell @mintynet
This is, to put it mildly, very disturbing. In software we're used to SQL injection attacks, in networking Denial of Service (overloading a network node by rapid requests) and this canbus attack has elements of both.

My car has multiple ECUs and, as I added one myself when I installed the towbar electronics, it's clear it doesn't have any security features against accessing the vehicle's network.

This needs pushing to the auto media if it hasn't been already so they can push at the manufacturers.

@kentindell @mintynet
Very interesting, thanks for the article!

Is my assumption correct that a hardware-fix (probably more interesting for future cars) would be to connect the smart key directly to the gateway, with its own (possibly encrypted) CAN bus, instead of using the one that also connects the headlights and thus is pretty exposed?

@kentindell
That's pretty interesting. I worked with smart headlight designs, though further up the signal chain than the headlight ECU. For the OEM we worked with, they were very concerned about the security implications of our device (which was related to the illumination). I've seen more OEMs and Tier 1s asking the right questions which is good in the long run, but still leaves millions of vehicles on the road today vulnerable.
@mintynet

@kentindell: Issues like this and the Tesla peeping story currently making the rounds are some of the reasons why I (as an IT security guy) am happy to only own cars with neither #CANbus nor internet connectivity nor cameras. Even my #EV has no CAN bus - it's a #CityEL from the '90s. 😇 And my daily driver (or rather fortnightly driver) even has no electronics at all, at least ex works. And I can tell you the purpose of every part of it. (Do that with your car! 😉) It's a Citroën #2CV.

Cc @mintynet

@xtaran @kentindell
My other car is almost as basic as possible. It has 3 ECUs, 2 I built but includes CAN (no control, just monitoring)

@mintynet: Nice! *slightenvy* 😉 #Lotus or #Caterham? 🙂 "Zetec" points towards a Ford engine, right?

Cc @kentindell

@xtaran @kentindell 2.0 Blacktop zetec on gsxr600 throttle bodies, megasquirt 2.0 ECU, long 1st gear, full Sierra cosworth rear end, Scorpio cosworth front hubs and brakes. About 150bhp in 700kg
@xtaran @kentindell Tiger Racing Supercat, was originally silvertop 1.8 zetec on dcoe 40 Webers

@mintynet: Oh, ok. Saw that name on the bonnet label, but it didn't ring a bell, so I thought it was more a personal label or so. Looked it up now, thanks!

Cc @kentindell

@xtaran @kentindell
https://tigerracing.com/ Model is no longer produced.
Tiger Racing - A Family Company (1989)

@kentindell @mintynet This is why dashcams should look both ways; you could have a picture of the thief
@kentindell @mintynet thanks for sharing this, very interesting!
@mintynet @kentindell PIC18F readout protection shouldn't require anything more destructive than (at most!) desoldering the target. Do you have a full part number you can share? :)
@mintynet @kentindell interesting - that's the same one used in those cheapo "ELM327" serial-and-or-bluetooth <-> CAN adapters all over ebay.
@kentindell @mintynet
My car is a RAV4 XLE Premium Hybrid 2022.
The main problem is the theft of the smart key computer. Should I buy a new one and program it, or buy an old one and program it? I want to know what to do to solve my car problem, or the steps to work through, for example buying a complete used system. Should it be the same model as my 2022 car, or a smaller model, for example a 21 or 20?
Thanks

@kentindell @mintynet

Life just got easier with the T-CAN485 module. https://www.lilygo.cc/products/t-can485
although I think I prefer the https://store.mrdiy.ca/p/esp32-can-bus-shield/

T-CAN485

@kentindell @mintynet

Question: my heated seat completely stops working every time a remote controlled hack is activated. Pulling the fuses for each system one by one does not eliminate the hack. I figure a device is connected to a power line coming into the fuse box or directly off the battery cable somewhere. Thoughts?