Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


IoT Security

Thieves Use CAN Injection Hack to Steal Cars

An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.

CAN injection hack used to steal cars

A hacking device can allow thieves to steal a wide range of car models using an attack method named CAN injection, researchers have revealed.

Automotive cybersecurity experts Ian Tabor of the EDAG Group and Ken Tindell, CTO of Canis Automotive Labs, started analyzing these attacks after Tabor had his 2021 Toyota RAV4 stolen last year.

The car was stolen after on two occasions Tabor found that someone had pulled apart his headlight and unplugged the cables. What initially appeared as vandalism turned out to be part of an attempt to steal the vehicle. 

Specifically, the thieves pulled off the bumper and unplugged the headlight cables in an attempt to reach wires connected to an electronic control unit (ECU) responsible for the vehicle’s smart key.

An investigation conducted by Tabor showed that the thieves likely connected a special hacking device that allowed them to unlock the vehicle and drive away. 

Such hacking devices can be acquired on dark web sites for up to €5,000 ($5,500), and they are often advertised as ‘emergency start’ devices that can be used by vehicle owners who have lost their keys or automotive locksmiths. In the case of the device designed for Toyota cars, the electronics responsible for hacking the vehicle are hidden inside a Bluetooth speaker case.

The hacking device is designed to conduct what the researchers call a CAN injection attack. These devices appear to be increasingly used by thieves. At least one theft was caught by CCTV cameras in London: 

Advertisement. Scroll to continue reading.

The researchers analyzed diagnostics data from Tabor’s stolen RAV4 and such a CAN injection device in an effort to see how they work. 

Modern cars have several ECUs, each responsible for a different system, such as headlights, climate control, telematics, cameras, engine control, and the smart key that unlocks and starts the vehicle. ECUs are connected together through controller area network (CAN) buses. 

The attacker does not need to directly connect to the smart key ECU. Instead, they can reach the smart key ECU from the wires connected to, for example, the headlight, as long as the headlight and the smart key ECU are on the same CAN bus. 

The attacker connects the hacking device to the headlight wires and can send a specially crafted CAN message that tells the smart key receiver ECU that the key is validated. The attacker can then send a specially crafted CAN message to the door ECU to unlock the door. This allows the thieves to get in the car and drive away.

The attack can be carried out by connecting the hacking device to other CAN wires as well, but the ones in the headlight are often the most accessible and connecting to them does not involve causing too much damage to the car, which would lower its value. 

While in this case the stolen vehicle was a Toyota and the hacking device tested by the researchers is specifically designed for Toyota cars, the problem is not specific to Toyota. 

Similar hacking devices offered for sale to car thieves target many brands, including BMW, GMC, Cadillac, Chrysler, Ford, Honda, Jaguar, Jeep, Maserati, Nissan, Peugeot, Renault, and Volkswagen. 

The researchers did report their findings to Toyota, but without much success due to the fact that it’s not an actual vulnerability disclosure. On the other hand, they believe all vehicle makers should read their report and take action to prevent CAN injection attacks. The report made public this week contains some recommendations that can be applied by manufacturers to prevent these types of attacks.

The security experts did manage to have a CVE identifier, CVE-2023-29389, assigned to the Toyota RAV4 hack. 

Related: Tesla Hacked Twice at Pwn2Own Exploit Contest

Related: 16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure

Related: Unpatched Micodus GPS Tracker Vulnerabilities Allow Hackers to Remotely Disable Cars

Related: Honda Admits Hackers Could Unlock Car Doors, Start Engines

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

IoT Security

Today’s growing attack surface is dominated by non-traditional endpoints.

IoT Security

Vulnerabilities in electric vehicle charging management systems can be exploited for DoS attacks and to steal energy or sensitive information.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

IoT Security

Chinese video surveillance company Hikvision has patched a critical vulnerability in some of its wireless bridge products. The flaw can lead to remote CCTV...

IoT Security

Australia's Defense Department said that they will remove surveillance cameras made by Chinese Communist Party-linked companies from its buildings.