Remember the movie Gone in 60 Seconds? Car thieves slide a slim jim into the car's door, unlock it, hotwire the car and slip away into the night. Those methods are obsolete. As cars have become more computerized they now have engine immobilizers, tracking solutions, security software and hardware, and other anti-theft mechanisms. Yet car theft has exploded, driven by new keyless hacking tactics. Car companies began shipping keyless entry features back in 2015. Tracker, a UK-based vehicle recovery company, collects monthly car theft data; it reported that in July 2023 keyless car theft reached an all-time high in the U.K., accounting for 98% of all stolen vehicles the company helped recover in that one-month period.
Signal Relay Attacks
By far the most common, and the simplest, are relay attacks. Tracker stated that 94% of all the vehicles it recovered in 2022 were stolen using relay attacks. These are pretty simple. Most modern cars come with keyless entry and an electronic immobilizer. The immobilizer is essentially meant to prevent hotwiring, which is just rewiring the car to bypass the key-operated ignition switch that closes the starter circuit.
Keyless entry/ignition systems use key fobs that constantly transmit an RFID signal with a range of up to 20 meters. When the key comes within range, a sensor in the car picks it up, unlocks the car and switches off the engine immobilizer. To be more specific, these are usually RFID signals operating around 315 MHz, the frequency prescribed by the Federal Communications Commission.
So car thieves get within the key fob's range and use a software defined radio that picks up the signal and relays it to the car, usually by first relaying it to a second software defined radio held right next to the car, which then rebroadcasts the signal to the car.
Once the car is started it will not stop when it no longer detects the key fob; this is for practical safety reasons, since a fob battery dying mid-drive could create huge problems. Thieves also usually record the fob's signal while relaying it and then program it into a reprogrammable key fob, essentially cloning the original. Or they use a mechanic's diagnostics device (usually an iPad-like tablet) to program new key fobs into the car later.
Remote Key - Click to Unlock?
But what if the key fob has click-to-unlock, i.e. a remote? This can add another layer of security. In this case the relayed fob signal we just covered only disables the engine immobilizer if a remote unlock has also taken place. Every time you click the remote, a new one-time rolling code is broadcast. This works much like the TOTP apps used for MFA; rolling one-time passwords (OTPs) are an even closer analogy. The car and the remote are synchronized using the same algorithm, so the code presented must be the correct next one.
But there are weaknesses: a code is only added to the list of spent codes once the vehicle's computer actually receives it. So the criminals place a small device somewhere near the car. Every time the owner clicks the remote, the device jams the signal so the car never receives it, while recording it at the same time. Since the unlock fails, the owner clicks again. Because the codes must arrive in order, the device records the second code and sends the first intercepted code on to the car. If necessary, more than one code can be blocked and recorded. The stored codes can be used later to unlock the car and, if the car has remote start, to start it. This takes a lot of work and is usually reserved for thieves targeting more expensive, high-end cars.
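To make the point above concrete, here is an added toy model (not from the original post, and not any manufacturer's implementation) of a rolling-code receiver: the car only advances its spent-code counter on codes it actually receives, inside an acceptance window. The shared secret, the HMAC-based code derivation and the window size of 16 are all assumptions standing in for a real proprietary encoder.

```python
import hmac
import hashlib

WINDOW = 16  # assumed: how far ahead of the last accepted code the car will look

def make_code(key: bytes, counter: int) -> str:
    """Derive the one-time code for a counter value from the shared secret.
    Real fobs use proprietary encoders; a truncated HMAC stands in for one here."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return mac[:4].hex()

class Remote:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def press(self) -> str:
        self.counter += 1  # every click burns a new counter value
        return make_code(self.key, self.counter)

class CarReceiver:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0  # highest counter the car has actually seen
    def receive(self, code: str) -> bool:
        # Accept a code only if it is ahead of the last accepted one, within WINDOW.
        for i in range(self.counter + 1, self.counter + WINDOW + 1):
            if hmac.compare_digest(make_code(self.key, i), code):
                self.counter = i  # everything at or below i is now spent
                return True
        return False

KEY = b"constructed-demo-secret"  # constructed value for the demo

def normal_use():
    """Codes delivered in order: a stale code is rejected once a later one is seen."""
    fob, car = Remote(KEY), CarReceiver(KEY)
    first, second = fob.press(), fob.press()
    return car.receive(second), car.receive(first)  # (True, False)

def jammed_clicks():
    """Two clicks never reach the car, so its counter does not move: the first
    code still works later, and the second remains valid after it."""
    fob, car = Remote(KEY), CarReceiver(KEY)
    first, second = fob.press(), fob.press()  # both jammed, neither delivered
    return car.receive(first), car.receive(second), car.receive(first)  # (True, True, False)
```

The difference between the two functions is the whole weakness: the car cannot mark a code as spent if it never heard it.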
The most conventional protection against this is a Faraday cage or pouch that blocks the key fob's signals. A handful of manufacturers are introducing motion tags, which put the key fob into sleep mode when it has been left sitting for a while. Another interesting protection: some manufacturers are replacing standard RFID with Ultra-Wideband (UWB) in their key fobs. UWB is known for its high accuracy in measuring distance, which makes it difficult to trick the system with a relay attack. But the higher-end software defined radios with amplification capabilities still seem capable of beating this protection.
Hacking the Car’s Internal Network
Now come the more sophisticated hacks. Thieves have hacked the vehicle's internal computer network, the CAN bus. CAN was invented more than 30 years ago and is used today in far more than cars. "CAN" stands for "Controller Area Network", and "CAN bus" is the auto industry term for the message-based electronic system that lets the various computerized parts of the vehicle communicate with each other. CAN messages can also do things like disable alarms, unlock doors and even start the engine.
In April 2022, Toyota RAV4s were stolen by hacking the CAN bus. The attack began at the car's headlight module; thieves chose this point because it was the easiest way to hook into the vehicle's CAN bus. Part of the on-board diagnostics system monitors the lights, and when the lighting Electronic Control Unit (ECU) detects a fault it records a code and sends a message over the CAN bus.
A Sophisticated Injection Exploit
So thieves connected a device to the headlight CAN port and injected fake messages into the car's CAN bus: override messages that blocked other CAN messages and defeated the security logic that detects and stops spoofed messages. Then they sent messages spoofing the one the car's RFID sensor sends when it detects the key fob's signal, letting them unlock the doors and disable the engine immobilizer without the actual key.
Insider Attack?
This attack is a particularly sophisticated injection exploit that likely took in-depth knowledge of the car to create; it doesn't seem very economical to spend a lot of time and money on an exploit for a low-end car. This makes me think maybe this was organized crime using information obtained from a data breach, or maybe it's from a Toyota insider, possibly selling exploits on the dark web.
In 2023 a similar CAN bus exploit was used to steal a Charger SRT Hellcat in the suburbs of Detroit, Michigan. This one seems more economical, and coincidentally close to where all the major American car manufacturers are headquartered.
Once inside the car, thieves can connect a diagnostics device to the on-board diagnostics port to reprogram a blank key fob. This is usually an iPad-like tablet of the kind you see mechanics use at the dealership. There is really no authentication or access control on this port inside the car.
CAN security is very similar to traditional network security, with the exception of limited memory, storage and compute due to physical space restrictions, and the fact that physical access is usually required to hack a car, though not always, as you'll see shortly. But as in traditional network security, authentication and access management, segmentation, firewalls and other security controls are used to harden it.
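As an added example of the detection side of that comparison (not code from the original post or from any vehicle vendor), the snippet below learns each arbitration ID's normal message rate from a clean candump-style capture and then flags IDs that are unknown or that flood the bus, the footprint the override traffic described above would leave. The log lines, IDs and rates are constructed for the demo.

```python
import re
from collections import defaultdict

# One candump-style line per frame: (timestamp) interface ID#DATA
LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+\w+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")

def parse_candump(text):
    """Return frames as (timestamp, arbitration ID, payload bytes), oldest first."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m.group(1)), m.group(2).upper(), bytes.fromhex(m.group(3))))
    return sorted(frames)

def rates_per_id(frames):
    """Messages per second for each arbitration ID over the capture's time span."""
    counts = defaultdict(int)
    for _, can_id, _ in frames:
        counts[can_id] += 1
    span = (frames[-1][0] - frames[0][0]) or 1.0
    return {cid: n / span for cid, n in counts.items()}

def detect_injection(frames, baseline, ratio=3.0):
    """Flag IDs absent from the clean baseline, or sending far above their usual rate."""
    alerts = []
    for cid, rate in rates_per_id(frames).items():
        if cid not in baseline:
            alerts.append((cid, "unknown_id", round(rate, 1)))
        elif rate > ratio * baseline[cid]:
            alerts.append((cid, "rate_spike", round(rate, 1)))
    return sorted(alerts)

def build_capture(start, seconds, schedule):
    """Constructed traffic for the demo: schedule maps ID -> messages per second."""
    lines = []
    for cid, per_sec in schedule.items():
        for k in range(int(per_sec * seconds)):
            lines.append(f"({start + k / per_sec:.6f}) can0 {cid}#0000")
    return "\n".join(lines)

# Clean capture used to learn normal behaviour (constructed values).
CLEAN = build_capture(1000000.0, 2, {"1A5": 10, "2F0": 20})
# Capture during an attack: ID 2F0 flooded at 100/s and an unexpected ID 3D4 appears.
SUSPECT = build_capture(1000100.0, 2, {"1A5": 10, "2F0": 100, "3D4": 2.5})

def run_demo():
    baseline = rates_per_id(parse_candump(CLEAN))
    return detect_injection(parse_candump(SUSPECT), baseline)

if __name__ == "__main__":
    for cid, reason, rate in run_demo():
        print(f"ALERT id={cid} reason={reason} rate={rate}/s")
```

A real deployment would learn the baseline over far longer drives and per vehicle state, since legitimate rates change between ignition-off and driving.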
Picture: the aftermath of a failed CAN bus injection exploit. Thieves eventually came back and stole this vehicle.
Stealing Teslas and EVs
Teslas rarely got stolen thanks to their native, always-on GPS tracking and built-in internet connectivity. Typically, after thieves steal a car they quickly remove the separate, battery-connected GPS tracking device, which is usually in one of the same few places. With Teslas and newer vehicles, especially EVs, it's more complicated, since GPS isn't a device but a function of the car's computer, much like location services on your iPhone or Android.
Thieves have found ways to circumvent this too, though, as we've seen Teslas stolen that were never recovered. After a relay attack to gain entry, car thieves likely removed the SIM card, used a GPS blocker to prevent tracking, and/or spoofed the receiver with inaccurate GPS signals; GPS is a low-power signal that is neither encrypted nor digitally signed, so it is very vulnerable to spoofing and interference. It's also possible to exploit a software or hardware vulnerability to disable GPS. Teslas are still a tough target, which is why stolen Teslas are typically chopped up for parts instead of being shipped off and sold in other countries, as with most car theft.
New Remote Car Theft Exploits on the Horizon
A Massive Attack Surface
More and more vehicles, especially electric vehicles like Teslas, are essentially computerized IoT devices with their own SIM card, so their CAN buses are reachable over a cellular or satellite connection. This allows mobile app integration, and EV manufacturers use telematics systems to provide remote services, collect data and monitor vehicle performance. Some EV manufacturers even deliver over-the-air software updates, and some automakers are weighing a phone-based key. All of these factors make for a massive attack surface. CAN messages can do things like disable alarms, unlock doors and even start the engine, and Tesla's app can even drive the car remotely.
In 2022, a 19-year-old security researcher used TeslaMate, a third-party software app, to hack into 25 Tesla vehicles in more than a dozen countries. It was the first reported incident of a third-party app being used to hack a vehicle and obtain controls. No, he didn't drive them remotely.
So car owners' mobile devices will likely be targeted to steal cars individually, and application vulnerabilities in production or in the supply chain will likely be exploited to steal cars systematically.
We will likely start seeing more advanced exploits, similar to traditional cyber attacks, aimed at car theft. Once cars are stolen we'll likely see them jailbroken to disable GPS, native tracking and recovery functions before the SIM card is swapped. This is obviously much more sophisticated and will likely be done by more capable organized cybercriminal groups that use local mules to carry out the physical theft.
Need to test your security?
Hire our penetration testing team! We test all security!