With the ever-increasing popularity of smart cars, adversaries are continuously exploring ways to exploit new functionalities, such as remote keyless systems or GPS monitoring devices, and use them as attack vectors. In the latest incident, attackers targeted the wiring of a headlight to inject forged CAN messages into a connected smart car and take control of it.
Headlight hijacking
A few months ago, a smart car (a Toyota RAV4) owned by researcher Ian Tabor was stolen. A deeper investigation revealed that the attackers used an interesting method, called "headlight hacking", to gain access to the car's interconnected systems via its headlight.
The attackers probably used a simple device (similar in appearance to a JBL Bluetooth speaker) that is being promoted on the dark web as an "emergency start" device for compatible smart vehicles.
This device, when connected to the vehicle’s Controller Area Network (CAN), allows the user to bypass all security protocols and gain direct access to the vehicle’s functions, including ignition, without the key.
Data collected by the car's telematics system indicates that the attackers gained access to the CAN system via the headlight's Electronic Control Unit (ECU).
This flaw in the 2021 Toyota RAV4, tracked as CVE-2023-29389, is not limited to the headlights. The headlight is just one of several possible points at which to hook into the car's CAN system, allowing attackers to impersonate the vehicle's key fob, unlock it and drive away.
Almost all CAN-enabled vehicles flawed
Research further revealed that this flaw is not specific to any one OEM or model; it affects almost all connected vehicles that use the CAN bus for interconnectivity.
Usually, connected cars have several CAN buses joined together via connectors or a gateway computer. These buses are used to exchange messages with the various sensors and ECUs installed across the car using the CAN protocol.
Attackers can physically tap into these components by pulling away bumpers and other trim pieces and connecting the compatible emergency start device to any of the accessible CAN buses.
Once connected, attackers gain direct access to the car's central nervous system, which lets them send their own messages across the vehicle; this is termed a CAN injection attack.
The bottom line
According to experts, the mitigating factor with these attacks is that they require physical access to the vehicle: attackers need to remove body panels to reach the CAN wiring. Therefore, keeping the vehicle in a private enclosed area or a well-monitored car park can prevent an attacker from gaining access to it.
Furthermore, manufacturers of such connected vehicles are advised to update their software to identify and block the injection tool, and to apply a zero-trust approach to the CAN system so that such spoofing attacks are prevented.
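As an added example (not code from the original article or from any vehicle manufacturer), the script below shows one way a gateway or in-vehicle logger could detect the kind of CAN injection described above: it learns each arbitration ID's normal transmission period from a trusted capture, then flags frames that arrive far too soon after the previous frame with the same ID, which is what happens when an injected message is sent alongside the legitimate ECU's periodic one. The log lines, interface name, IDs and payloads are constructed placeholders, not real Toyota message definitions.

```python
import re
import statistics
from collections import defaultdict

# candump -L style lines: "(timestamp) interface ID#DATA"
LINE_RE = re.compile(r"^\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$")

# Constructed trusted capture: ID 1A5 is sent by its ECU every 100 ms.
CLEAN_LOG = """\
(1.000000) can0 1A5#0000
(1.100000) can0 1A5#0000
(1.200000) can0 1A5#0000
(1.250000) can0 2B7#FF
(1.300000) can0 1A5#0000
(1.400000) can0 1A5#0000
(1.500000) can0 1A5#0000
"""

# Constructed suspect capture: two extra 1A5 frames are injected at 2.21 s and 2.22 s.
SUSPECT_LOG = """\
(2.000000) can0 1A5#0000
(2.100000) can0 1A5#0000
(2.200000) can0 1A5#0000
(2.210000) can0 1A5#0001
(2.220000) can0 1A5#0001
(2.300000) can0 1A5#0000
(2.400000) can0 1A5#0000
"""

def parse_candump(text):
    """Parse candump lines into (timestamp, arbitration_id, data_hex) tuples."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), m["id"].upper(), m["data"].upper()))
    return frames

def learn_periods(frames, min_samples=3):
    """Baseline: median inter-arrival time per ID, from a capture taken on a trusted bus."""
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: statistics.median(g) for cid, g in gaps.items() if len(g) >= min_samples}

def detect_injection(frames, periods, tolerance=0.5):
    """Flag a frame when its gap to the previous same-ID frame is below tolerance * period."""
    last, alerts = {}, []
    for ts, cid, data in frames:
        if cid in last and cid in periods and (ts - last[cid]) < tolerance * periods[cid]:
            alerts.append((ts, cid, data))
        last[cid] = ts
    return alerts

if __name__ == "__main__":
    baseline = learn_periods(parse_candump(CLEAN_LOG))
    for ts, cid, data in detect_injection(parse_candump(SUSPECT_LOG), baseline):
        print(f"possible injected frame at {ts:.3f}s: ID {cid} data {data}")
```

Timing-based detection catches bursts of extra frames but not a lone injected frame that happens to land at the expected time, so in practice it is combined with plausibility checks on payload values and with gateway filtering of which IDs each bus segment may originate.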