Meet the CAN Invader – How Can Automotive Ethernet Curb Car Theft?
by Steven Leibson July 24 2023 EE Journal
There’s a car-theft gang in Atlanta that’s stealing late-model, high-end Toyota and Lexus vehicles by hacking the cars’ CAN (Controller Area Network) Bus. Apparently, this type of car theft originated in Japan, where criminal hackers have developed a device called a CAN Invader that can shut off the vehicle’s immobilizer, unlock the car’s doors, and start the car once the thief physically hacks into the vehicle’s CAN Bus. Gaining physical access is, apparently, distressingly easy.
Toyota and Lexus vehicles have a vulnerable node near the driver-side front wheel well. By unclipping and peeling back the inner plastic fender liner surrounding the front wheel, thieves can unplug a CAN Bus connector from a headlight ECU (electronic control unit) and plug the CAN Invader into the freed cable. Punch a button on the CAN Invader and the car’s yours to drive away.
This sort of access to a vehicle’s CAN Bus network won’t surprise anyone who owns or has used an OBD-II (On-Board Diagnostics) scanner, which plugs into a socket under a car’s dashboard and can extract a wealth of diagnostic information about the car from the CAN-connected ECUs. More advanced, bidirectional OBD-II diagnostic tools can also actuate any switch or take control of other vehicle functions. The surprise for me is that the car is equally open to such intrusive probing from an innocuous connector that’s easily accessible from outside the car. In Toyota and Lexus vehicles, it appears this targeted connector is part of the headlight wiring.
The physically vulnerable ECU controls the high- and low-beam headlights and the turn signals. Once thieves realized that there’s easy external access to all vehicle functions through this connector, development of a one-button tool for stealing a car was inevitable. During an interview on an Altium ONTRACK podcast, CAN expert Ken Tindell, CTO of Canis Automotive Labs, explained:
“So for example, one of the cars we’re looking at, the engine immobilizer ECU’s on the powertrain side. So are the headlights. So you crack open the headlights and you pull the connector off the back of the headlight ECU, plug into that, and now you can directly send commands to the engine immobilizer saying, ‘Hey, I’m the key fob, and I say it’s okay to drive.’ And it’s like, ‘Okay.’”
This article first appeared at EE Journal on July 24 2023.