The method is likely to send shivers down Toyota owners’ spines. After finding a Toyota to hack, cybercriminals approach the vehicle and pull away the front bumper. As a result, a failed hack could make some drivers believe they were the victim of a hit-and-run.
In fact, such damage could be the result of a hack attack in which the bad actor either didn’t have the time to complete the exploit or failed to hijack the vehicle.
Together with Ken Tindell, the CTO of Canis Automotive Labs, Tabor discovered that some Toyota models, including the RAV4, trust messages from other electronic control units (ECUs). That trust is precisely what hackers abuse to take control of the vehicle.
After exposing the headlight connector, the attacker connects to the CAN bus and attempts to trick the ECU by sending a forged key validation message. If the ECU accepts it, the hackers can unlock the vehicle doors and disable the engine immobilizer without a key. Once the exploit is successful, a hacker can jump into the vehicle and drive away.
The method is simple to carry out, given that Toyota’s vehicles don’t seem to employ any security mechanism to ignore messages from other ECUs. As such, hackers can turn to specially crafted devices to send forged messages and launch the CAN injection exploit. In one case, the attack was launched with a JBL Bluetooth speaker that no longer had the speaker components. With the crafted CAN Injector embedded into the JBL circuit board, the attack launches from a device whose price comes down to only a few bucks.
The security researcher says he has already reached out to Toyota. The Japanese carmaker apparently ignored the warnings, so the vulnerability was eventually made public. Toyota does not have a vulnerability disclosure program, but given that attacks are already happening in the wild, the carmaker should prioritize hardening the way the ECU handles messages from outside.
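One way a receiving ECU can stop trusting frames merely because they appear on the bus is to require a message authentication code and a freshness counter on each key validation frame. The Python sketch below is an added example, not code from Toyota or the researchers, and it goes beyond the article, which names no specific mitigation; the shared key, the CAN ID `0x123` and the 8-byte payload layout are constructed assumptions.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4  # assumed layout: 2 data + 2 counter + 4 MAC bytes = 8-byte CAN payload

def _mac(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the CAN ID, freshness counter and data."""
    msg = struct.pack(">IH", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def build_payload(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    """Sender side: append the counter and MAC to a 2-byte data field."""
    if len(data) != 2 or not 0 <= counter <= 0xFFFF:
        raise ValueError("expected 2 data bytes and a 16-bit counter")
    return data + struct.pack(">H", counter) + _mac(key, can_id, counter, data)

class Receiver:
    """Receiving ECU: accepts a frame only if it is authentic and fresh."""

    def __init__(self, key: bytes, can_id: int):
        # Counter wrap-around and resynchronisation are not handled in this sketch.
        self.key, self.can_id, self.last_counter = key, can_id, -1

    def accept(self, can_id: int, payload: bytes) -> bool:
        if can_id != self.can_id or len(payload) != 4 + MAC_LEN:
            return False
        data, tag = payload[:2], payload[4:]
        (counter,) = struct.unpack(">H", payload[2:4])
        if counter <= self.last_counter:  # replayed or stale frame
            return False
        if not hmac.compare_digest(tag, _mac(self.key, can_id, counter, data)):
            return False  # sender does not hold the shared key
        self.last_counter = counter
        return True

def demo() -> dict:
    key, can_id = b"constructed-demo-key", 0x123  # constructed sample values
    rx = Receiver(key, can_id)
    genuine = build_payload(key, can_id, 1, b"\x01\x00")
    forged = b"\x01\x00" + struct.pack(">H", 2) + b"\x00" * MAC_LEN  # no key
    return {
        "genuine": rx.accept(can_id, genuine),
        "forged": rx.accept(can_id, forged),
        "replayed": rx.accept(can_id, genuine),
    }

if __name__ == "__main__":
    print(demo())
```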
A video demonstration of the hack taking place on a 2021 Toyota RAV4 is worrying, to say the least. The whole exploit takes only two minutes, showing just how vulnerable Toyota vehicles are once the necessary hardware for the attack is put together.
The security researchers say they are willing to test their exploit on any car from a different brand, so carmakers are encouraged to reach out to them for such tests.