A vulnerability disclosed earlier this month and affecting Toyota vehicles is gaining traction in the United States. Bad actors expose the glitch and create crafted devices that can start a car's engine in a matter of seconds. What’s worse is that many of these hacking devices end up online, where anyone can purchase them for a few thousand dollars.
Cybersecurity experts Ken Tindell and Ian Tabor discovered and reported the vulnerability. It allows a hacker to connect to the vehicle’s CAN bus by exposing the wires, most often from the headlight.
Because of the glitch, the hackers can send a forged key validation message to the ECU. For some reason, certain Toyota models, including RAV4, accept messages from other ECUs. As such, what hackers must do is build a device that mimics a secondary ECU, eventually being able to send a crafted message to launch the CAN injection exploit.
When this happens, they get full access to vehicle functions, including unlocking the doors and starting the engine.
The security researchers managed to build a custom device to take advantage of the vulnerability using $10 components integrated into a JBL Bluetooth speaker. Since their disclosure, hackers pushed the concept even further by integrating similar exploits into other devices, such as the old-school Nokia 3310.
A bad actor only has to connect the smartphone to the vehicle using a standard cable, as demonstrated in a video (also embedded below). By activating the exploit from the phone’s screen, hackers can then trigger the vulnerability and unlock vehicle systems. They can then start the engine and drive away in the car.
The vulnerability allegedly affects Toyota, Lexus, and Maserati vehicles. Devices to exploit the vulnerability start at 2,500 Euros (approximately $2,700) and go all the way up to 18,000 Euros (close to $20,000). In some cases, they’re listed online as tools to unlock a car or for emergency starting an immobilized vehicle.
Security researchers explain that carmakers must add cryptographic security for CAN messages, essentially blocking messages from sources other than the authorized ECU. So far, however, Toyota seems to ignore all calls for a patch, despite the hacks becoming more common.
The company recently said in a statement that it’s taking vehicle thefts seriously but said nothing about a potential patch for the vulnerability. The security researchers who discovered the flaw said the Japanese carmaker ignored their reports. This is why the flaw was eventually published online, as security researchers typically disclose their findings to force parent companies to issue patches.
At this point, it’s still not clear if Toyota is at least looking into reports and whether an update to resolve the vulnerability is at least in the works right now.
Because of the glitch, the hackers can send a forged key validation message to the ECU. For some reason, certain Toyota models, including RAV4, accept messages from other ECUs. As such, what hackers must do is build a device that mimics a secondary ECU, eventually being able to send a crafted message to launch the CAN injection exploit.
When this happens, they get full access to vehicle functions, including unlocking the doors and starting the engine.
The security researchers managed to build a custom device to take advantage of the vulnerability using $10 components integrated into a JBL Bluetooth speaker. Since their disclosure, hackers pushed the concept even further by integrating similar exploits into other devices, such as the old-school Nokia 3310.
A bad actor only has to connect the smartphone to the vehicle using a standard cable, as demonstrated in a video (also embedded below). By activating the exploit from the phone’s screen, hackers can then trigger the vulnerability and unlock vehicle systems. They can then start the engine and drive away in the car.
The vulnerability allegedly affects Toyota, Lexus, and Maserati vehicles. Devices to exploit the vulnerability start at 2,500 Euros (approximately $2,700) and go all the way up to 18,000 Euros (close to $20,000). In some cases, they’re listed online as tools to unlock a car or for emergency starting an immobilized vehicle.
Security researchers explain that carmakers must add cryptographic security for CAN messages, essentially blocking messages from sources other than the authorized ECU. So far, however, Toyota seems to ignore all calls for a patch, despite the hacks becoming more common.
The company recently said in a statement that it’s taking vehicle thefts seriously but said nothing about a potential patch for the vulnerability. The security researchers who discovered the flaw said the Japanese carmaker ignored their reports. This is why the flaw was eventually published online, as security researchers typically disclose their findings to force parent companies to issue patches.
At this point, it’s still not clear if Toyota is at least looking into reports and whether an update to resolve the vulnerability is at least in the works right now.