Car theft using a mobile loudspeaker
Thieves used a device disguised as a portable speaker to infiltrate the control systems of many cars, unlock them, and steal the vehicles.
Ian Tabor, a cybersecurity and hacking expert, has been targeted multiple times by car thieves. His Toyota RAV4 has repeatedly had its hood pried open and headlight area accessed. Eventually, the vehicle was stolen at the end of 2022. The thief used a specialized tool, “modified” from a JBL speaker, that could unlock many models of the Japanese brand’s cars.
After losing his car, Tabor researched the theft and discovered a serious vulnerability that allows many cars to be unlocked quickly. Specifically, the Toyota RAV4 automatically trusts messages received from other electronic control units (ECUs).
The thief only needs to open the hood and access the headlight control ECU to get onto the CAN network, then send a fake key authentication message. After that, the criminals can unlock the car, start it and drive away without any obstacles. The entire operation takes less than 2 minutes.
CAN (Controller Area Network) is a standard designed to connect control ECUs in cars. It was invented over 30 years ago and is used in many types of vehicles, agricultural equipment, and even spacecraft.
When analyzing the data and communication behavior on the Toyota RAV4's CAN network, Ian Tabor discovered that other ECUs also had similar vulnerabilities. He then purchased an emergency start device online, of the kind car owners or locksmiths can use when the car's smart key has been lost.
Priced at 5,000 EUR, this product includes versions specifically designed for many popular car brands such as Jeep, Maserati, Renault, Jaguar, Fiat, Peugeot, Nissan, Ford, and BMW. Advertised as an emergency car starter, the device is packaged to look like a JBL Go 3 portable speaker, a cheap model currently sold in Vietnam for under 1 million dong.
Upon disassembly, a specialist discovered that only the speaker component had been removed. A dedicated chip was directly connected to the circuit board of the JBL device. The fake button on the body of the speaker was connected to a PIC18F microcontroller. When pressed, a series of fake messages would be sent over the CAN network, instructing the car's ECU to unlock the doors.
Using a few simple techniques, criminals can turn this cheap JBL speaker into a device worth over 100 million dong for committing theft.
Due to the widespread use of the CAN protocol, security experts warn that many cars on the market are at risk of being stolen through this vulnerability. The solution is for manufacturers to update the system software to address the issue and prevent intrusion.
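The article does not say what the software fix looks like. As an added illustration (not code from Tabor, Toyota or the original article), the Python sketch below contrasts a receiver that trusts any frame with the expected CAN ID, as described above, with one that also requires a truncated HMAC tag and a rising counter. The CAN ID, key, payload layout and class names are all assumptions made up for the example.

```python
import hashlib
import hmac
import struct

KEY_VALID_ID = 0x123          # hypothetical CAN ID for a "key validated" frame
SHARED_KEY = b"demo-ecu-key"  # constructed key; real ECUs would hold it in secure storage
TAG_LEN = 4                   # truncated tag: a classic CAN payload is only 8 bytes

def _tag(key, can_id, counter, data):
    """Truncated HMAC-SHA256 over the CAN ID, freshness counter and data."""
    msg = struct.pack(">IH", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def make_frame(key, can_id, counter, data):
    """Sender side: 2 data bytes + 2-byte counter + 4-byte tag = 8-byte payload."""
    assert len(data) == 2
    return data + struct.pack(">H", counter) + _tag(key, can_id, counter, data)

class Receiver:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.last_counter = key, can_id, -1

    def accept_trusting(self, can_id, payload):
        """Behaviour the article describes: the right ID is enough to be believed."""
        return can_id == self.can_id

    def accept_authenticated(self, can_id, payload):
        """Accept only frames with a valid tag and a counter newer than the last one."""
        if can_id != self.can_id or len(payload) != 8:
            return False
        data, tag = payload[:2], payload[4:]
        counter = struct.unpack(">H", payload[2:4])[0]
        if not hmac.compare_digest(tag, _tag(self.key, can_id, counter, data)):
            return False                      # sender does not know the key
        if counter <= self.last_counter:      # counter wrap-around not handled here
            return False                      # replayed or stale frame
        self.last_counter = counter
        return True

if __name__ == "__main__":
    rx = Receiver(SHARED_KEY, KEY_VALID_ID)
    genuine = make_frame(SHARED_KEY, KEY_VALID_ID, 1, b"\x01\x00")
    injected = b"\x01\x00" + struct.pack(">H", 2) + b"\x00" * TAG_LEN  # constructed, no key
    print("trusting receiver, injected frame:", rx.accept_trusting(KEY_VALID_ID, injected))
    print("authenticated receiver, injected frame:", rx.accept_authenticated(KEY_VALID_ID, injected))
    print("authenticated receiver, genuine frame:", rx.accept_authenticated(KEY_VALID_ID, genuine))
    print("authenticated receiver, replayed frame:", rx.accept_authenticated(KEY_VALID_ID, genuine))
```

A 4-byte tag is a size trade-off forced by the 8-byte payload; the point is that a device attached to the bus without the key cannot produce a frame the second receiver accepts.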
Source: Zing.