Do Not Sell My Personal Information Jump to content


  • Join The Club

    Join the Lexus Owners Club and be part of the Community. It's FREE!

     

Canbus car thefts


Recommended Posts

Catalytic converter thefts from the NX have been discussed previously and the bottom line seems to be that it is highly unlikely to have a CAT stolen from an NX. What about Canbus NX thefts? Has anyone on here experienced that? In addition we of course also have the theft problem via relay.

Link to comment
Share on other sites

CAN bus attack has been "popular" in France in 2022. The RAV4 has the "honor" to grab #1 spot as the vehicle with the highiest theft frequency with 132 cars stolen per 10 000. First generation NX is also on the top five. No data for new gen NX.

They mainly use a device hidden in a portable speaker and connect it to CAN bus (behind the wheel arch or directly in the cockpit (especially for JBL fitted cars). Relay attacks seems to be declining. Rotating codes and other techniques seems to reduce the effectiveness of the technique.

As a future NX owner, I have made arrangements to have

- a tracker installed

- a stoplock mechanical device on the steering wheel as a visual deterrent 

 

  • Like 1
Link to comment
Share on other sites

1 hour ago, Richolf said:

There is a thread on the RX for this as well.  RAV4, RX nightly stolen.  Does anyone know if the new NX has the same vulnerability ?

 

 

 

 

 

Nothing to suggest it isn’t vulnerable and it is essentially a RAV4 underneath which is vulnerable. 

  • Thanks 1
Link to comment
Share on other sites

11 hours ago, NiCoRe said:

Relay attacks seems to be declining. Rotating codes and other techniques seems to reduce the effectiveness of the technique.

Rolling codes don’t help with relay attacks, only replay attacks.
 

Relay attacks aren’t as common now because people are aware to keep their keys save and many modern vehicles have keys that automatically turn off if there is no movement (except Toyota/Lexus who will still sell you a known vulnerable vehicle).

  • Thanks 1
  • Sad 1
Link to comment
Share on other sites

I have read, at least through a translation of a communique from Lexus Japan that they are now implementing some technology (UWB or some funky acronym) to prevent relay attacks 

  • Like 1
Link to comment
Share on other sites


3 hours ago, NiCoRe said:

I have read, at least through a translation of a communique from Lexus Japan that they are now implementing some technology (UWB or some funky acronym) to prevent relay attacks 

Yes, Ultra Wideband uses precise timing to know how far the key is from the vehicle. If the distance is too great (e.g. a relay attack) it would reject it. I'm not sure Toyota will introduce this to current vehicles outside of a full vehicle refresh or half lifetime facelift, but it could do on a normal yearly update.

  • Like 1
Link to comment
Share on other sites

On 3/29/2023 at 9:52 PM, ColinBarber said:

Yes, Ultra Wideband uses precise timing to know how far the key is from the vehicle. If the distance is too great (e.g. a relay attack) it would reject it. I'm not sure Toyota will introduce this to current vehicles outside of a full vehicle refresh or half lifetime facelift, but it could do on a normal yearly update.

It is introduced in MY24. Whatever reach production line after 2nd March 2023 will get it. 

  • Like 2
  • Thanks 1
Link to comment
Share on other sites

3 hours ago, JeffL said:

Are there any cars of any brand not affected by Canbus?

There seem to be two issues with the Toyota/Lexus vehicles.  The first is the physical security to the CANbus wiring is weak, with little vehicle damage necessary to get into the wiring loom in the wheel arch, and this process being very quick.  This is the part they may fix with this protection plate they are trailing.  The second is that once physical access to the wiring has been obtained, sending the correct sequence of CAN frames allows the thief to tell the ECU to open the doors.  I am not sure why the messages on the CAN network that controls the head lights even has messages requesting door unlocking sent to the ECU.  These frames should simply be dropped if they are not messages that should emanate from that particular CAN segment.  I do not understand why the software cannot be upgraded to stop the "open door" command from being relayed from the headlight CANbus segment (unless of course the door control stuff happens to be on the same CAN segment as the lights....)

All modern vehicles use CAN for some features (and have for a long time, although some are moving to ethernet and Flexray, particularly for low latency comms as more and more sensors get added), so it really depends on the level of physical security of the wiring and the security of firewalling between the different CAN segments on those vehicles.

I believe a similar attack exists on Range Rovers (from what I have seen on this forum and on the web) but it involves cutting the body work to locate a suitable wiring loom.  This is obviously harder, more noisy and more destructive than pulling the wheel arch lining.

Paul

Link to comment
Share on other sites

4 hours ago, RONNIE W HODGEKINSON said:

Would it Not be possible to Deal With This Canbus Security problem With A Software Upgrade or Does this require additional Work done to the car at the Dealership If This indeed Possible..!!

If it can be fixed with a software update (and the ease of developing this will depend on lots of factors including the hardware architecture) then it will not be one that can be performed over the air. It will be one that requires a dealer visit for the update.

There has been no mention from Lexus that they are going to update any software: only that they are trialing a physical barrier.  I believe they should do both....

Paul

  • Like 1
Link to comment
Share on other sites


5 hours ago, RONNIE W HODGEKINSON said:

Would it Not be possible to Deal With This Canbus Security problem With A Software Upgrade or Does this require additional Work done to the car at the Dealership If This indeed Possible..!!

In theory yes this could be dealt with by a CAN software upgrade to include CAN BUS message challenge-response authentication,  however there is very little appetite in the automotive industry for manufacturers to do this :

  1. As mentioned else where in this thread,  CAN BUS will be replaced by ethernet based wiring which includes much stronger software security options. 
  2. A CAN Bus software update would need to be applied to all Electronic Control Units (ECU) in the vehicle  and this would need to be validated by hundreds of different ECU manufacturers.  A daunting task to get every one to work 100% with every one else and one that would take years to qualify.
  3. As the Ethernet solutions are developed and deployed into vehicles, the lessons learned with CAN Bus will be included. 
  4. These new ethernet solutions will happen over the next ten years further negating any appetite of the manhufacturers to invest in legacy CAN Bus Security.   Better physical security on the next generation of CAN BUS based vehicles is IMO the only option we can expect.

Comment

Manufacturers could still consider deploying GHOST II or Scorpion X or other CAN BUS immobilisers as a first fit at factory option,  rather than leaving it to the owners to purchase as aftermarket options.

 

  • Like 2
Link to comment
Share on other sites

8 hours ago, PDM said:

 I am not sure why the messages on the CAN network that controls the head lights even has messages requesting door unlocking sent to the ECU.  These frames should simply be dropped if they are not messages that should emanate from that particular CAN segment.  I do not understand why the software cannot be upgraded to stop the "open door" command from being relayed from the headlight CANbus segment (unless of course the door control stuff happens to be on the same CAN segment as the lights....).

Paul

It may have to do with the technical architecture of a CAN Network. IIIRC its topology is a bus one, meaning that all ECU share the same line of communication.
The communication protocol is also asynchronous with a priority system between ECUs, meaning that simultaneous messages from different ECUs will be transmitted  following a pre-determined order.
Morover, CAN messages have an embedded id which allows ECUs to identify the messages they have to process.
Seems to be a rather complicated to improve it via software update only 

 

  • Like 1
Link to comment
Share on other sites

35 minutes ago, NiCoRe said:

It may have to do with the technical architecture of a CAN Network. IIIRC its topology is a bus one, meaning that all ECU share the same line of communication.
The communication protocol is also asynchronous with a priority system between ECUs, meaning that simultaneous messages from different ECUs will be transmitted  following a pre-determined order.
Morover, CAN messages have an embedded id which allows ECUs to identify the messages they have to process.
Seems to be a rather complicated to improve it via software update only 

 

There are, I believe, 6 separate CANbus networks in the vehicles. How they are segregated is anyone's guess.  Dropping frames based on ID is trivial. It surprised me a software fix is not a trivial thing for them to do, so there must be something more detailed I am not aware of, perhaps something limiting in the hardware that came about when the went from 5 to 6 CANbus networks?

Priority is easily handled with CAN and set at message level. Bus arbitration is handled by the transceiver and controller loopback.

Paul

  • Thanks 1
Link to comment
Share on other sites

1 hour ago, Hillie said:

In theory yes this could be dealt with by a CAN software upgrade to include CAN BUS message challenge-response authentication,  however there is very little appetite in the automotive industry for manufacturers to do this :

  1. As mentioned else where in this thread,  CAN BUS will be replaced by ethernet based wiring which includes much stronger software security options. 
  2. A CAN Bus software update would need to be applied to all Electronic Control Units (ECU) in the vehicle  and this would need to be validated by hundreds of different ECU manufacturers.  A daunting task to get every one to work 100% with every one else and one that would take years to qualify.
  3. As the Ethernet solutions are developed and deployed into vehicles, the lessons learned with CAN Bus will be included. 
  4. These new ethernet solutions will happen over the next ten years further negating any appetite of the manhufacturers to invest in legacy CAN Bus Security.   Better physical security on the next generation of CAN BUS based vehicles is IMO the only option we can expect.

Comment

Manufacturers could still consider deploying GHOST II or Scorpion X or other CAN BUS immobilisers as a first fit at factory option,  rather than leaving it to the owners to purchase as aftermarket options.

 

I agree that qualification would be a significant task. I was thinking some simple firewalling from the physically vulnerable wiring loom could be straightforward.  Of course it depends on a lot of factors.

It would indeed be nice for manufacturers to offer CAN immobilizers at this point.

Paul

  • Like 1
Link to comment
Share on other sites

1 hour ago, PDM said:

 

It would indeed be nice for manufacturers to offer CAN immobilizers at this point.

Paul

For sure, this will be a nice stop gap mesure 

Link to comment
Share on other sites

For some general background ... the CAN bus (Controller Area Network) was introduced in 1986 for in-vehicle networks. It's aim was to reduce wiring and allow different microcontrollers to communicate over a simple bus. Laudable aims and effective more than 35 years ago, before the explosion in computers, sensors etc. Today's vehicles have multiple CAN bus networks that are linked through a common gateway that can be accessed through the OBD-II port. I believe a common standard for this was mandated by the EU several years back. Again, laudable at the time, but it has made it easier for thieves to exploit this bus across many vehicle types.

Link to comment
Share on other sites

If you want to see what the thieves are tapping into, open your bonnet and look under the relay box on the near-side. You can see the wiring going to the left hand headlamp and below that you can see the black wheel-arch liner. All looks very vulnerable to me. You can also imagine that placing a plate over this area (there are even a couple of bolts securing other components readily available that could be utilised for securing the plate) would frustrate thieves access to the wiring. I have photos but I don't think it a good idea to post them here; I don't want to make the thieves job any easier.

I think this is a simple solution that could be implemented very quickly and would provide some comfort. However, Lexus will want to make sure the materials are suitable and that the plate doesn't introduce a rattle to our lovely quiet cars. They will also need to consider the thieves next steps, a plate could lead to more destructive damage, either in this area or elsewhere. The pictures of holes cut in Range Rover tailgates to access wiring show that if the thieves really want your car, they will get it, given enough time.

Link to comment
Share on other sites

https://kentindell.github.io/2023/04/03/can-injection/

there is a "quick and dirty" software fix suggested here, till they figure out a more permanent fix. A plate will as you say delay, but if they are willing to cut into bodywork, then that plate won't present much of a challenge. Razorblades angled to cut a thief's hand to shreds when accessing the area sound more satisfying.

  • Like 2
  • Thanks 1
Link to comment
Share on other sites

14 minutes ago, peniole said:

https://kentindell.github.io/2023/04/03/can-injection/

there is a "quick and dirty" software fix suggested here, till they figure out a more permanent fix. A plate will as you say delay, but if they are willing to cut into bodywork, then that plate won't present much of a challenge. Razorblades angled to cut a thief's hand to shreds when accessing the area sound more satisfying.

@penioleGreat article.  Thanks.

You can counter these hacks given enough time and money but the crime syndicates will  look for new options. Conflict and war has been instrumental in driving technology throughout history. Today Crime is equally driving technology forward.

You claim to make something hack proof,  the world will make a better hacker....

 

Link to comment
Share on other sites

37 minutes ago, peniole said:

https://kentindell.github.io/2023/04/03/can-injection/

there is a "quick and dirty" software fix suggested here, till they figure out a more permanent fix. A plate will as you say delay, but if they are willing to cut into bodywork, then that plate won't present much of a challenge. Razorblades angled to cut a thief's hand to shreds when accessing the area sound more satisfying.

Very interesting article indeed.  I had not realised the device used by the thieves also hacks the CAN physical layer by overwriting the dominant bus low with a recessive bus high.  Interesting indeed.

Link to comment
Share on other sites

5 hours ago, Hillie said:

Manufacturers could still consider deploying GHOST II or Scorpion X or other CAN BUS immobilisers as a first fit at factory option,  rather than leaving it to the owners to purchase as aftermarket options.

But they could offer to fit them retrospectively at a discounted price.

No doubt the Lexus / Toyota senior management are considering their options which range from doing nothing upwards, but cost will no doubt be a significant factor in that decision. It could well be cheaper for them to do a bulk deal with a 3rd party rather than spending significant R&D budget on a fix. They will be weighing up the cost of providing a fix vs reputational damage, lost business etc (just like Ford did for the Pinto).

  • Like 1
Link to comment
Share on other sites

40 minutes ago, PDM said:

Very interesting article indeed.  I had not realised the device used by the thieves also hacks the CAN physical layer by overwriting the dominant bus low with a recessive bus high.  Interesting indeed.

Thanks Paul For that Technical Information...It does seem that The complexity of the Canbus system Is in itself a Major weakness To protect Our Cars .The ethernet cable system seems better and more secure albeit somewhat..The problem delves into Ad-En- Finitum in Ways to counter approach This Major Weakness In My opinion.. Hope lexus takes on Board our real concerns for Future Models..Ghost Immobiliser seems the only logical and scientific road to Go Down....

 

Link to comment
Share on other sites

Latest Deals

Lexus Official Store for genuine Lexus parts & accessories

Disclaimer: As the club is an eBay Partner, The club may be compensated if you make a purchase via eBay links

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share








Lexus Owners Club Powered by Invision Community


eBay Disclosure: As the club is an eBay Partner, the club may earn commision if you make a purchase via the clubs eBay links.

DISCLAIMER: Lexusownersclub.co.uk is an independent Lexus forum for owners of Lexus vehicles. The club is not part of Lexus UK nor affiliated with or endorsed by Lexus UK in any way. The material contained in the forums is submitted by the general public and is NOT endorsed by Lexus Owners Club, ACI LTD, Lexus UK or Toyota Motor Corporation. The official Lexus website can be found at http://www.lexus.co.uk
×
  • Create New...