You don't need to be an 'investor' to invest in Singletrack: 6 days left: 95% of target - Find out more
Now that car manufacturers have developed sleeping keyless ignition "keys"/stick it in the microwave/Faraday shield bag, thieves have another way to steal your car by attacking the CANbus system externally. It takes under 2 mins
https://arstechnica.com/information-technology/2023/04/crooks-are-stealing-cars-using-previously-unknown-keyless-can-injection-attacks/
What's really annoying is that they can access the headlight far quicker than any other person wanting to change a bulb 🙂
Been a thing for a while now. Pistonheads has been full of stories of cars being taken via thieves removing lights, trim panels, sensors and even cutting specific holes in panels to access the main Canbus cable. What makes it worse is that a lot of cars use a modified common system from the same manufacturers so once the exploit is found it quickly spreads around a lot of different models. It's the reason the popularity of mechanical security like Discloks that were the main deterrent in the 90's has surged. Any Land Rover product in London without something mechanical fitted is a sitting target right now.
Still got my disclock from the 90's. Don't use it as our cars are old and have a key and transponder.
I've been following this for a little while. Ken's page is here:
https://kentindell.github.io/2023/04/03/can-injection/
It's something of an understatement by Ars to refer to either Ken or Ian as cybersecurity professionals; they're at the top of their game. When Ian Tabor has his pants pulled down by car thieves, we have a Problem. I wouldn't be surprised if it was a targeted attack.
Transits have been stolen for years by accessing the ODB port and CAN hacking. Mine was broken into and the port trim removed before they noticed the massive bright yellow pedal lock.
I stayed in london a while back and someone had taken the fog light out and cut the cables of our car overnight. Guess this is why?? It was a 15 year old Octavia vrs tho. Maybe too old for that attack??
Had a couple of test cars delivered with no keys, unlocking and starting them with a laptop was far quicker than the oem sending us the keys from India!
What gets me, is how vehicle manufacturer's regularly miss these simple things.
Common sense would suggest you don't put a key security ECU onto an easily accessible communication bus.
Transits have been stolen for years by accessing the ODB port and CAN hacking. Mine was broken into and the port trim removed before they noticed the massive bright yellow pedal lock.
That's not CAN hacking. That's simply programming a new key using the OBD port.
Common sense would suggest you don’t put a key security ECU onto an easily accessible communication bus
I've always wondered if the key security stuff on a CAN bus was encrypted/locked in some way and it appears that it isn't. Saw that Ars Technica report and was more than a little shocked that in 2023 that was still considered ok 🙁
That’s not CAN hacking. That’s simply programming a new key using the OBD port.
Ah yes - that was it, thankfully I kept my pedal lock from my Defender. Tibbe keys were a thing as well but my scroats screwdriver'd the lock then put the window through.
I’ve always wondered if the key security stuff on a CAN bus was encrypted/locked in some way and it appears that it isn’t. Saw that Ars Technica report and was more than a little shocked that in 2023 that was still considered ok 🙁
Due to the nature of the commonly used communication buses, there is little security on them, and there doesn't really need to be. However having a security device on one that is accessible without triggering an alarm, is pure idiocy.
It's been a while since I've had to do much in the way of CAN bus diagnostics, but from memory, the ones I did deal with, the security devices were wired via looms you couldn't access without either being in the passenger compartment, or opening the bonnet.
But then you have the likes of Ford who put lots of effort into securing the Transit 2000, but then with the current Transit/Custom, didn't reinforce the drivers door lock as much so you could just spin the whole lot with a big pair of pliers, but worse, left the turn the lock twice to unlock the whole van feature. They had to recall them for a software update to disable that, and also reduce the countdown for the alarm activating.
However there is the simple fact that criminals will always find a way around security systems.
It interests me that my 2009 avensis took a decent car locksmith about 20 minutes to start (I could unlock but the electronics in the key were shredded so couldnt start, disable alarm etc). THis was after a couple of locksmiths refused to look at it at all, and one had tried for an hour and failed.
Once started he could duplicate the key in about 2 minutes though.
This must be one of the earliest versions of keyless entry/start on cars, so if that was so secure, why arent later ones?
However there is the simple fact that criminals will always find a way around security systems.
We-ell... there's a degree of truth in this, but security is more of an arms race than outright defeatist. Both sides are continually improving, the question is which one is doing it faster. In the automotive industry right now it's the criminals, at least in part because it takes several years to take something as complex as a car from inception to production. Security of embedded systems is pretty shocking generally.
But yes, this is just one reason why the 'online safety act' currently being thrown around Parliament is problematic. Weak security is weak for everyone. "Back doors" can be exploited by anyone, not just the good guys. Doing this intentionally is utterly, utterly retarded. The police might need to gain access to your house so... we ban locks? Give every copper a master key?
This must be one of the earliest versions of keyless entry/start on cars, so if that was so secure, why arent later ones?
Was that down to security or the lack of tools / skill to bypass it? Maybe what you needed there wasn't a locksmith but a car thief. 😁
Google “Emergency car start module” and you can find things like this very easily
https://autodecoders.com/product/jlr-fast-emergency-start-module-via-obd-2019/
Doing this intentionally is utterly, utterly retarded.
https://www.spreadtheword.global/resource-archive/r-word-effects
It's the antonym of "advanced." Setting up the ignition on an old car, you can advance or retard it. Is "backwards" preferable?
I would never use that word to describe a person. Apologies for any offence inferred.