- Emergency start devices sold online starting at $1,600 can hack into a car through its wire network.
- The easiest access to car wires is through the headlights, car security experts say.
- Over 1 million vehicles were stolen in the US in 2022, marking a 7% increase over 2021.
If you find someone has been tinkering with the headlights of your car, in what seems to be a pointless, if annoying, act of vandalism, be alarmed. Someone might be trying to steal it.
That’s what automotive cybersecurity consultant Ian Tabor found out the hard way when his Toyota RAV4 got stolen shortly after he found its left headlight unplugged and the bumper around it pulled away. Toyota did not respond to a request for comment.
Tabor, who is the leader of the UK branch of the car security web community Car Hacking Village, got together with car security expert Ken Tindell to find out how the theft happened, as Tindell recounts in a recent blog post.
The pair thinks that thieves gained control of the car’s computer system by finding the internal wires that were easiest to access — in this case, the ones connecting the headlights to the system — and plugging into them a hacking device that can be easily bought online.
Once it’s connected to the car’s wires, the hacking device sends a signal to the engine control unit via the controller area network — or CAN — bus and the signal activates the car.
“What they do is they ‘wake up’ the car,” Ken Tindell told Insider. “Normally, the wake-up message happens when you’ve pressed your car key. Here they just pretend to be the key system. The hacking device sends a message to the car’s front network — a car has many networks for logistic reasons — pretending to be the key. That gets sent across to the engine management system on another network by a gateway device that just believes it. And the engine management network just believes it and it unlocks the car.”
The whole thing can happen in as little as 30 seconds, according to Tindell.
To inject the hacking message into the controller area network, any accessible wire could do, but headlights present an easy in because they allow the potential thieves to unplug the connector and plug their hacking device in.
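The gateway behaviour described above, modeled as an added example that is not from the article or from Tindell's blog post: a gateway that forwards on the message identifier alone, next to one that also requires a message authentication code and a fresh counter. The CAN ID, shared key and frame layout are constructed assumptions, not any manufacturer's design.

```python
import hashlib
import hmac
from dataclasses import dataclass

KEY_VALIDATED_ID = 0x123               # constructed CAN ID, not a real vehicle identifier
SHARED_KEY = b"constructed-demo-key"   # assumption: provisioned in the key ECU and the gateway
MAC_LEN = 4                            # truncated so counter + MAC fit an 8-byte classic CAN payload

@dataclass
class Frame:
    can_id: int
    data: bytes

def make_mac(can_id, counter):
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(4, "big")
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]

def key_ecu_frame(counter):
    """Frame a genuine key ECU would send here: 4-byte counter + 4-byte MAC."""
    return Frame(KEY_VALIDATED_ID, counter.to_bytes(4, "big") + make_mac(KEY_VALIDATED_ID, counter))

class TrustingGateway:
    """Forwards on the identifier alone: it 'just believes' the message."""
    def forward(self, frame):
        return frame.can_id == KEY_VALIDATED_ID

class AuthenticatingGateway:
    """Forwards only frames with a valid MAC and a counter newer than the last accepted one."""
    def __init__(self):
        self.last_counter = 0

    def forward(self, frame):
        if frame.can_id != KEY_VALIDATED_ID or len(frame.data) != 4 + MAC_LEN:
            return False
        counter = int.from_bytes(frame.data[:4], "big")
        if counter <= self.last_counter:
            return False                      # stale or replayed frame
        if not hmac.compare_digest(frame.data[4:], make_mac(frame.can_id, counter)):
            return False                      # sender does not hold the key
        self.last_counter = counter
        return True

def demo():
    genuine = key_ecu_frame(counter=1)
    # Constructed injected frame: correct ID and a plausible counter, but no valid MAC.
    injected = Frame(KEY_VALIDATED_ID, (5).to_bytes(4, "big") + bytes(MAC_LEN))
    naive, strict = TrustingGateway(), AuthenticatingGateway()
    return {"naive_injected": naive.forward(injected), "strict_injected": strict.forward(injected),
            "strict_genuine": strict.forward(genuine), "strict_replay": strict.forward(genuine)}
```

The 4-byte MAC is a simplification for the 8-byte payload limit; key provisioning and counter resynchronization are left out of this sketch.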
“I have also seen a similar method being used in other high-end vehicles,” Colin Urquhart, a security analyst at technology company Raytheon, told Insider. “Range Rovers, for example, had a small patch cut out the rear bumper to access the controller area network bus.”
Land Rover did not immediately respond to a request for comment.
To study the hacking system, Tindell and Tabor purchased a similar hacking device online and reverse-engineered it. The devices are advertised as “emergency start devices” to help owners who have been locked out of their cars get back in. They range from 1,500 euros, or $1,600, to 15,000 euros, or $16,000, depending on the car they’re customized for, since every brand has a different internal system.
A European website Insider has viewed sells devices for countless car brands, including Ferraris, BMWs, and Range Rovers. In Japan, where the devices have been linked to a surge in Lexus thefts, they’re called “CAN invaders.”
“It may be possible for manufacturers to code the engine control unit to not accept any messages if no key is present,” Urquhart at Raytheon said. “However with most options, there is an alternative method for theft: relay attack.”
In relay attacks, thieves use signal amplifiers to trick cars into thinking they have the keys.
According to the National Insurance Crime Bureau, more than 1 million vehicles were stolen in the US in 2022, marking a 7% increase over 2021.
“It’s really difficult because thieves have completely bypassed the key,” Tindell said. “They’re just telling the car there’s a key there and the rest of the car trusts the message.”
But there is a way owners can defend themselves and thwart potential thieves.
“Put a steering wheel lock on,” Tindell suggested. “You know, the old style.”