CAN network by its nature is supposed to be a "trusted network" with no external Inputs available (Air Gapped). But yeah, because headlights and blinkers needlessly complicated, cough er, need data uplinks.... totally NOT to check with Toyota if you've subscribed to their monthly "safety package" for $7.99, yeah, we've sort of violated the Air Gap principle.
Here's the problem everyone needs to pay attention to: If you demand Encrypted OR Signed CAN Bus, you will ABSOLUTELY get it from the manufacturers in the name of security. They will _gladly_ lock out the CAN bus so no third party accessories or diagnostic tools can work with your car.
So be careful what you scream for. We already have enough un-repairable items.
> But yeah, because headlights and blinkers needlessly complicated, cough er, need data uplinks.... totally NOT to check with Toyota if you've subscribed to their monthly "safety package" for $7.99,
That’s not what’s happening. The value in a CAN bus control is that you can significantly reduce the wiring requirements.
Old school blinkers and headlights would require separate power wires for every function: Blinker, low beams, high beams. Those separate wires would each be snaked through long wiring harnesses back to relays somewhere else in a central location.
With CAN, you can run a single large gauge power and ground pair and use the CAN bus to tell the remote module what to do with tiny signal wires. It may not sound like a big deal, but cars have a lot of electronic pieces all over. Simplifying wiring can add up to a significant weight and cost reduction. You now also have the ability to add more monitoring, such as simple sensors to detect when a bulb has failed.
Vehicle manufacturing is ruthlessly optimized. Vehicle manufacturers wouldn’t add complexity to common systems if it didn’t pay off.
> Vehicle manufacturing is ruthlessly optimized. Vehicle manufacturers wouldn’t add complexity to common systems if it didn’t pay off.
You make it sound as though this is intended to be a benefit to the consumer or the end product. Having worked on and around cars, and being friends with people who do for a living, I am really unconvinced that the manufacturers do a lot of this for any consumer-friendly reason, rather than simply trying to squeeze a buck out of you.
I can absolutely tell you that Volvo, for example, does what the GP is talking about, and then some. On an old school GM or Toyota, if you break a simple switch or knob, or things that really should just be simple devices, you can just pull it out, go to the junkyard or a parts retailer, and put the new one in and be on your way. Not so for Volvo (and I'm sure this has caught on in other manufacturers): if your switch or control or whatever fails, and it's hooked up to the CAN-bus, whatever replacement you find simply won't work until you've gone to the dealership (if they even let you use a part that didn't come from there at all) and gotten them to flash the part and whatever other crap needs flashing like a BCM to get them to be compatible (I think just flashing the serial number of a BCM or whatever it needs to play nice with to the switch), to the tune of a couple hundred or more dollars each time.
So in essence, a stupid simple part, that should have been $5-10 that the manufacturer likely never would have seen a dollar from in the aftermarket, is now a $200+ dollar flash at the dealership, using the manufacturer scan tool, and also increasingly requires only parts the manufacturer can generate. So no, I really am extremely skeptical, given what occurs *today* that 95+% of the junk on CAN bus is there for any reason other than to boost dealership and manufacturer profits for no other reason than the fact they can.
Building with one bus is just easier. It's not some nefarious end goal.
It's like putting everything over IP (VoIP, video over IP, audio over IP, etc.) and then just running Ethernet throughout your building. From an engineering perspective, it's just way easier. Routing wires -- on a circuit board, in a building, in a car, in anything -- is just a real PITA.
Now it's definitely true that having to flash something on the CAN bus to make it work is possibly due to greed, but the original idea of putting things on one bus is not.
> You make it sound as though this is intended to be a benefit to the consumer or the end product. Having worked on and around cars, and being friends with people who do for a living, I am really unconvinced that the manufacturers do a lot of this for any consumer-friendly reason, rather than simply trying to squeeze a buck out of you.
The "consumer friendly" part is competing on price; they don't care about repair cost, in fact parts for repair is just recurring revenue on top of (till before the pandemic) slim margins on selling the car.
Isn't that what's supposed to happen in capitalism? Everyone working is getting paid, supply matching demand, prices reducing and ostensibly zero profit for established sectors.
I never got the impression the previous poster was saying this is a benefit for consumers; he's saying it's for the manufacturer, to cut costs.
Edit: that being said, all your points are completely valid.
I own a vehicle built in 1981. I can absolutely assure you that CAN is better for consumers. People seem to forget the two-inch thick bundles of wires, the hours spent tracing one turn indicator cable, the insulation of the cables in the middle starting to rot and things shorting out, water getting trapped in bundles, failure modes including stuff melting inside the dashboard from high-current stuff all being wired back to a central place... I could go on.
After my recent sample n=1 (2015 Honda), I'm left wondering how much mechanic griping is due to a lack of engagement with digital systems rather than a hard lack of ability.
I bought a $20 OBD2/J2534 cable, downloaded an easily-available ["pirated"] copy of Honda HDS, and seemingly had access to all the functionality a dealer would have. From looking at the Honda website, I could have paid by the day/week/etc for official access to flashing tools or the newer iHDS, which I might have needed for a newer car.
If I had wanted to reflash any of the modules, I probably would have wanted a better cable (though it's hard to know if module manufacturers really have such shoddy update processes that interrupting the flashing can really brick a device, or if that's just persistent superstition like so much in the car world). But I was able to replace the VSA/ABS module and perform the necessary "dealer reset" procedures no problem. I just wish I had obtained this setup before I went about misdiagnosing the problem based on a document that claimed to be the OEM service manual but actually wasn't. Luckily the part I misdiagnosed did end up being the problem!
Of course, I would love for there to be some sort of mandate for manufacturers to document the details of all CAN messages. Because there don't seem to be that many different module manufacturers, they must all be working to some kind of internal standards for their own interchange, and end-user visibility into computing systems is critically necessary for preventing computational disenfranchisement where people see these systems as impenetrable black boxes. But it feels at least in Honda land, much of that capability is practically available to the repair market (at least as of 2015 model years). One just needs to get over the activation energy of setting up the OEM software tool.
Good example. Do you know of anywhere that Volvo parts pairing / programming issue is written up or documented?
I'm working on Right to Repair and we get asked for examples like this from various government agencies all the time. It would be very helpful, thanks!
If you're looking for informal evidence, there's plenty of posts on SwedeSpeed and Volvo Forums (and probably Turbo Bricks, for those masochists that own a post-RWD car) bemoaning needing to constantly reprogram tons of things like door switches, and the various lengths owners and enthusiasts will go to in order to attempt to overcome these issues.
If you're looking for something a little more formal, I think the factory service manual probably calls out that the R&R on a ton of parts will involve reprogramming. I no longer own any post-Ford Volvos nor do I have any interest in European cars, so unfortunately I don't have any newer FSMs. A way you might be able to get at one on the cheap is to pick a popular model/year later Volvo (maybe like a 2016+ XC60?), and get a subscription to the make/model/year on Alldata (which was something like $20 a year for just a single combination), or hunt for an FSM on eBay, if it's old enough to still have a paper FSM.
My friend's 2016ish VW Jetta straight up uses proprietary bolts and shit in it. He and I are the type to do all our own car maintenance but his car has pushed my patience beyond anything I've seen prior...
Dad used to rebuild and repair late model Volkswagens, and I got a first hand taste of what it's like servicing those. German cars are the absolute worst, especially in this regard. Every little plastic piece is hundreds of dollars when it breaks, and it all had to have been installed by German contortionists. Need to do something on the engine? Better get it on the lift, because the whole front cradle needs to be dropped out from the bottom of the car if you want to get it done in anything short of a glacial pace. Vag-Com is an expensive and irritating piece of kit, maybe only second to Vida Dice (Volvo) in terms of level of frustration sometimes.
There's no way I would ever recommend someone who wanted to keep their car past the first 50 or so thousand miles ever buy a VW or a VW with slightly shinier wallpaper (Audi). There's a reason the service techs on those and BMWs get paid well, and why they're often hated by mechanics.
"they can be expensive, but you can buy them" seems to be a very surface-level view here.
Say I only need to replace a $5 switch as the parent poster suggests. My options then are pay $200 to the dealership to flash and install it (if they'll even flash a third party part) one time, or I can pay thousands of dollars for a tool I'll use once and do it myself.
That isn't a real choice, and the auto makers are adhering to the letter of the law but not the spirit of the law. Which is legal for them to do, but it doesn't make it any less scummy.
Ford I believe now requires a subscription for diagnostics but I haven't seen anything about per VIN charges yet. I'm not sure about the British or Japanese brands either. This is AFAIK regardless of dealership or independent shop.
GM is $40 per VIN for 1 year.
Chrysler is $35 for flashing, but to do that you need 2 more subscriptions, which totals about $120.
There are aftermarket tools, but the subscriptions are for a year and about $1000-$4000.
The problem is, as I always point out, that people want complexity and technology for everyday use, but as soon as something breaks they want it to be like 1990.
The article complains about CAN bus not being secure, but this sort of attack is very rare: you need special tools, skills, physical access to the network and time. Regular car thieves don’t go and make a key to steal a car; that would be the same as a 1980’s one breaking a window and starting to decode the cylinder and then cutting a key!
How does a towing company get your car in 10 seconds? That’s how they’re stolen most of the time.
God damn. I swear if they could , they would make you buy a fucking new wrench every time you work on a different car. Such bullshit how they tie their tools to a per-vin registration.
this is much more about insurance companies only paying for cheaper 3rd party parts for repairs than it is anything anti-consumer, though I'm sure there's some of that, too.
the automotive parts industry is massive and if you allow third party parts manufacturers to make parts for your car, you are undercutting your own parts replacement business. how do you counter that? you require that replacement parts come from you. the only way to do that is via electronic means, because anything purely mechanical can (and is) reverse engineered quickly.
insurance companies fight against this in court because 3rd party parts are much cheaper than official parts, and usually come with an associated dip in quality as well, which is another reason auto makers fight for first-party parts businesses.
Honda doesn't want Snake Oil Autoparts stuff installed on cars which are still under warranty after a collision, for example, but the insurance company paying for those repairs definitely does.
> you require that replacement parts come from you. the only way to do that is via electronic means, because anything purely mechanical can (and is) reverse engineered quickly.
They lost the right to require things to do with the car when they sold the car.
Electronic lockouts will be considered theft one day.
> They lost the right to require things to do with [the] car they sold the car.
not if you want a warranty or any manufacturer support on the vehicle at all, and these are things that consumers value a lot.
> Electronic lockouts will be [considered] theft one day
among the most feverish people, they are considered a problem worth fighting, which I agree with, and I don't think it will ever be considered theft. the law just doesn't support electronic lockouts as theft, and precedent on this would be very difficult to undo without changes to laws defining what ownership actually is.
There are also long-standing legal requirements for automakers to be separate from car dealers, which also translate into making the repair/diagnostics equipment available.
yes. the same law (or, rather, the movement at the time within congress) is what standardized the OBD-II connector and mandated its inclusion in all cars from 1996(?) onwards: the idea that consumers should be able to repair their own big-ticket items should they choose to.
> Vehicle manufacturers wouldn’t add complexity to common systems if it didn’t pay off.
I know this stuff "pays off" for the manufacturers, but I really wish they'd avoid including unnecessary complexity such as those horrific touch screens, call connections, etc. That sort of thing is why I won't buy newer cars.
And yet the obvious thing is for someone to be making and selling a "can bulb" - a tiny 4 pin bulb with 12V, GND, CAN-H/L pins. And all bulbs (led or not) on a car would be that. It would turn on/off commanded by the canbus and report status info back.
Yet car manufacturers don't do this. CAN transceivers are still too expensive to build into every bulb. Instead, a single CAN transceiver and microcontroller will control a whole set of nearby bulbs (eg. brake, indicator, reversing lights). That then makes it vehicle specific, so you don't get the economies of scale of just making a single model of can-bulb which fits lots of places in many cars from many manufacturers.
> And yet the obvious thing is for someone to be making and selling a "can bulb" - a tiny 4 pin bulb with 12V, GND, CAN-H/L pins.
No, that's not obvious at all.
Separating the control board and the bulb is obvious. You wouldn't want to replace your entire control circuit every time you need to replace a bulb, would you? You don't want to have to reprogram your ECU to know which bulb serial number corresponds to your front headlight because all of your bulbs are the same.
Moreover, this is impossible because there isn't a single bulb model that goes into a car. High beams, low beams, blinkers, and interior lights are all different. They also differ from model to model depending on the requirements.
> That then makes it vehicle specific, so you don't get the economies of scale of just making a single model of can-bulb which fits lots of places in many cars from many manufacturers.
Car companies make millions or tens of millions of cars per year.
When you're making 10s of millions of something every year (or 2X that for parts that come in pairs, like headlights), you already have economies of scale.
Automotive equipment manufacturers will also share components between car companies, and further upstream you have companies that make chips for auto makers who share chips across the companies.
Automotive manufacturing is a great example of economies of scale. It's not correct to say that auto manufacturers aren't leveraging economies of scale while producing 10s of millions of common parts per year.
Plenty of vehicles only have production runs of ~10,000. At those scales, you really don't get economies of scale. In fact, there were only 25 car models that sold more than 100,000 units in 2021.
Plenty of particular brands of vehicles have smaller production runs. But "vehicle" to the manufacturer doesn't mean "brand". It means "set of pieces and parts that can be the same or nearly so across many brands". For example, a "Cadillac" to you is a different "vehicle" from a "Chevrolet"; but to GM, the vast majority of the pieces and parts and manufacturing processes are shared. So the economy of scale to GM when building "Cadillacs" is huge even if to you it looks like "Cadillac" has a small production run.
Exactly, and this is one of the reasons modules need programming, because it comes “virgin” with only a bootloader and the features are loaded according to the VIN.
I’m guessing you’ve never worked in customer support. The failure modes of mistakes would be nasty. Even smart people swap bulbs around when diagnosing faults.
Simplicity (good usability) is almost always crushingly hard to achieve, doubly so for hardware.
Calling things “simple” is often a sign of shallow thinking in my experience - something a customer or manager might naively say but an engineer cannot (because they have to deal with all of the real requirements).
For example, the engineers that build cars can’t say “you simply push a button to start a car” - as an engineer the complexity behind that simple operation is very very deep.
> For the customer-replacement case, you simply tell the customer to replace just one bulb at a time
Just imagining the customer support for this is gonna give me nightmares.
“Sir, you need to make sure your vehicle’s ignition is turned to accessory mode. Then wait for the light to blink twice, that’s the vehicle’s confirmation that it correctly identified the new light. If it blinks three times, it can’t confirm the light’s location, so you should try removing it and re-inserting it. If it blinks four times, that means you didn’t replace the bulbs in the correct order so you need to initiate a manual reset procedure by going to the driver’s seat and…”
CAN frames only have space for 8 bytes of payload, unless you upgrade to CAN-FD at a significant complexity cost. For the sake of a light bulb, you could make it work by being sufficiently clever. You could even use all 8 bytes for serial number, and then use existence of the message itself to turn on the bulb. Have it turn off after 100ms of timeout.
It's really not a sustainable approach to try to address nodes on a CAN bus by serial number, though. CAN is content addressed rather than receiver addressed. Due to the way arbitration works on the bus, it's invalid for two nodes to transmit to the same CAN identifier. The arbitration mechanism breaks down and results in error frames, at which point the CAN bus is in a degraded state.
That would preclude a CAN enabled bulb from being able to send telemetry back, at least until the bulb was provisioned an identifier. That could be done by an ECU sending a frame with the bulb's serial number and assigned identifier. You still need a zero-conf discovery protocol, though, and so you're back to transmitting before provisioning. You could work around all that, but it's a lot of work.
Stepping back a bit, running a car's CAN bus over a light bulb socket is going to cause some practical reliability problems. Compared to a wire harness going into an ECU, a user serviceable bulb socket is going to be much more prone to intermittent connections from vibration, as well as oxidation and wear. Intermittent connections on CAN_H/CAN_L tend to cause a ton of frame errors, and significantly degrade the overall bus performance often to the point of system failure. When a node encounters enough error frames, it is compelled by the standard to go into a BUS-OFF state where it isolates itself from the bus. Because it's a bus and all the nodes share the same two wires, it's pretty much impossible to diagnose where an intermittent connection is without trial and error.
I appreciate the detailed insight! Great point on something subtle re individual bulbs that is non-ideal. I'm learning CAN now, mainly for use in drones. I have got 2 STM32 FDCAN periphs talking to each other; the basics seem easy, but the protocols that go on top of it seem complicated! I suppose this is due to managing a decentralized network. I.e., at first CAN seemed to offer a bus that simplifies wiring and offers resistance to noise, but the more subtle and interesting point seems to be a common API where hardware access is handled by individual nodes, and communication is through this API layer on top of the hardware. I.e., if you control the whole network, it can seem like the first case, but the interesting things, e.g. as you describe, arise when the nodes are by different manufacturers and are swappable.
I.e., with CAN, each node only needs to do reg reads/writes/datasheet-spelunking for a narrow part; the other nodes just need to know the API that sits on top of the hardware.
CAN only really works out well in a complex system if you have full control over the addressing scheme. Addressing and prioritization are one and the same. Unintuitively, prioritization isn't about the importance of a message so much as it is about the message's urgency. A pretty common approach is to use "rate monotonic" prioritization. The basic idea is that higher rate messages have higher priority (lower address) than lower rate messages.
There are rules of thumb about never overloading a CAN bus beyond, say, 50% utilization. That's because systems with poor prioritization management tend to start falling over around there. With a well thought out scheme, it's possible to push a CAN bus fairly close to 100% utilization. I built several safety critical systems that pushed 80% utilization on average. At that level, you really need to rely on redundancy rather than simple robustness, though. A CAN bus running at 80% falls over very hard when you have a flaky physical connection somewhere.
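The rate-monotonic scheme and the utilization figures in the comment above, worked through as an added example (not the commenter's code): identifiers are assigned by period, bus load is computed from worst-case classic CAN frame lengths, and a fixed-priority response-time analysis shows how badly a chosen ordering can delay a fast message. The message set, periods and the 500 kbit/s bitrate are constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class CanMessage:
    name: str
    period_ms: float  # how often the sending node queues it
    dlc: int          # payload bytes, 0..8 for classic CAN


def frame_bits(dlc: int) -> int:
    """Worst-case bits on the wire for one classic 11-bit-identifier data frame:
    47 bits of fixed framing, 8*dlc data bits, plus worst-case bit stuffing over
    the stuffed region (SOF through CRC), which is floor((34 + 8*dlc - 1) / 4)."""
    if not 0 <= dlc <= 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    return 47 + 8 * dlc + (34 + 8 * dlc - 1) // 4


def assign_rate_monotonic_ids(msgs, base_id=0x100):
    """Shorter period -> lower identifier -> wins arbitration. Ties are broken
    by name so the assignment is deterministic."""
    ordered = sorted(msgs, key=lambda m: (m.period_ms, m.name))
    return {m.name: base_id + i for i, m in enumerate(ordered)}


def bus_utilization(msgs, bitrate_bps):
    """Fraction of the bus occupied if every message is sent at its period."""
    return sum(frame_bits(m.dlc) / (m.period_ms / 1000.0) for m in msgs) / bitrate_bps


def worst_case_response_us(msgs, ids, bitrate_bps):
    """Fixed-priority response-time analysis for CAN (Tindell-style, no queuing
    jitter): a frame waits for at most one lower-priority frame already on the
    bus, plus every higher-priority frame queued while it waits. Returns None
    for a message that cannot be sent within its own period."""
    tau = 1e6 / bitrate_bps  # one bit time in microseconds
    tx = {m.name: frame_bits(m.dlc) * tau for m in msgs}
    period = {m.name: m.period_ms * 1000.0 for m in msgs}
    result = {}
    for m in msgs:
        higher = [o for o in msgs if ids[o.name] < ids[m.name]]
        lower = [o for o in msgs if ids[o.name] > ids[m.name]]
        blocking = max((tx[o.name] for o in lower), default=0.0)
        w = blocking
        while True:
            w_next = blocking + sum(
                math.ceil((w + tau) / period[o.name]) * tx[o.name] for o in higher
            )
            if w_next + tx[m.name] > period[m.name]:
                w_next = None  # queue never drains before the next instance
                break
            if w_next == w:
                break
            w = w_next
        result[m.name] = None if w_next is None else w_next + tx[m.name]
    return result


# Constructed message set: fast control traffic and slow body traffic on one bus.
DEMO_MESSAGES = [
    CanMessage("engine_torque", 10, 8),
    CanMessage("wheel_speed", 20, 8),
    CanMessage("brake_pedal", 20, 2),
    CanMessage("body_lights", 100, 4),
    CanMessage("door_status", 500, 1),
]

if __name__ == "__main__":
    ids = assign_rate_monotonic_ids(DEMO_MESSAGES)
    print("ids:", {k: hex(v) for k, v in ids.items()})
    print("utilization: %.2f%%" % (100 * bus_utilization(DEMO_MESSAGES, 500_000)))
    print("worst-case response (us):", worst_case_response_us(DEMO_MESSAGES, ids, 500_000))
```

Reversing the identifier order (slow body messages winning arbitration) nearly doubles the worst-case latency of the 10 ms torque message on this bus, which is the urgency-not-importance point the comment makes.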
I used to work for General Motors. Many of the early luxury cars would have 100+ wires going into the driver's door. Early versions of what has since evolved into CAN were trying to reduce it to 5 wires.
I owned a Peugeot 306 (not a fancy car by any means) that developed a short somewhere in the driver's door complex pre-CAN wiring harness. Getting it replaced cost me around $500.
Mate, have you seen an old relay-controlled car? It has 3 times less wires and is repairable with simple tools. "Simplifying wiring can add up to a significant weight and cost reduction" is just not there.
I work at Ford on vehicle access and security and I’m quite familiar with CAN security challenges and solutions. (Of course, I don’t speak for my employer here.)
Without speaking specifically to Ford’s plans, authenticated CAN communications are absolutely coming. I don’t see many approaches that actually encrypt the data on the bus - instead a MAC is used for each frame with a shared key on both secure ECUs, and some protections against replay attacks and such.
I wouldn’t expect all CAN data to be protected by this kind of security - it’s a pain in the butt, and expensive. Instead, certain specific sensitive information (like whether there’s a key in the ignition!) is protected as needed.
The industry is also moving toward IP-based communications for a lot of vehicle networking, which comes with many of the benefits of the modern infosec world. Automotive has a lot of unique challenges, though - like another poster mentioned, key provisioning and management is a huge pain; latency and hard timing constraints are way more important in the onboard/embedded world; many automotive ICs have limited support for e.g., asymmetric encryption, and of course there’s a lot of pain generated from the way the industry does software development generally. It’s an interesting space.
> They will _gladly_ lock out the CAN bus so no third party accessories or diagnostic tools can work with your car.
No they won't. One, the law requires them to allow third party diagnostic tools (only for things that are about emissions!). Two, the third party tool makers are paying a good chunk of money to get documentation on how to do diagnostics.
While new car buyers won't care, car makers know that nobody can afford to buy a new car except by selling their old car (normally done as a trade-in), and the buyers of used cars care that the car can be fixed, so if third party tools don't work the car has a lot less value.
Or just make the "smart key" controller a dumb passthrough of the key's messages and do the actual decoding and verification of the key messages in the engine ECU. I'm in fact surprised this isn't the case, but then again most "security" you see on cars is more about trying to lock out the legitimate owner from doing their own repairs or key programming as opposed to true security designed to defeat skilled attackers.
Or just have the smart key ECU and the recipient ECU use a rolling code or even a 1 time shared secret. The other ECUs can learn the rolling code in the factory, or in after-service with the left door open, right blinker on, hood open, and horn tapped 8 times, and then wait 20 minutes.
Without the key to see what the code is, no injector can spoof the frame.
With the after-market procedure making tons of noise and spectacle, and a nice long wait for the police to arrive, the thieves can't replace the key ECU.
With the system being simple, no key provisioning is needed, no non-public information, just an extra page in the manual and a software update.
> But yeah, because headlights and blinkers needllessly complicated, cough er, need data uplinks
I can see how they got there. When you're moving getting rid of miles of cables that link everything and move your car to a CAN bus instead, it makes sense to say that you don't want a central blinker-controller that runs separate wires to every blinker. Instead you just run CAN and power to each blinker and give them their own little controller. Fewer wires, less conceptual complexity, at the cost of putting a little PCB in each blinker.
But because "analog" blinkers had the accidental feature that they blink faster if one blinker is broken, you have to replicate that somehow with your new blinkers. And the easiest way to do that is to have the blinker write that to the CAN bus, since it's already right there.
How on Earth might adding a computer and a little PCB of demultiplexer logic instead of a multivibrator-controlled relay be considered less conceptual complexity?
I even doubt the length-of-wires point. You need a full bus plus a thick wire from the power source for every lamp instead of just one thick wire from the relay.
Simple PCBs are extremely cheap to manufacture at scale.
Copper wiring is expensive and heavy.
It’s far more efficient to have a simple PCB controlling multiple local functions (headlights, high beams, blinkers, additional sensors) and a single power/ground pair.
Automotive systems are 12V, which results in high currents. High currents require thick wires, especially in automotive environments with high under hood temperatures where you might have to de-rate wires. It absolutely makes sense to reduce high current automotive wiring.
I don't understand how a PCB+MCU can reduce the copper wiring. The bulbs will consume the same amount of power requiring the same thickness of copper wiring, no matter if it's 10 separate thin wires, one for each bulb, or just one wire, but 10 times thicker (by section area and weight/meter, not diameter).
Common power wire will still require one or two extra wires for CAN, so it would make sense only as replacement for bundles of 3 or more wires going to the same place.
you have a single bus in a ring topology instead of a star network of wires coming from a central location. much less wire and with most indicators and even some headlights being LEDs the current carrying capacity of the +12V wire can be much smaller. GND is the metal substructure and the CAN (or LIN) bus is just two small gauge wires.
much cheaper and much less wiring needed if the bulbs (or bulb holders) can receive commands themselves.
Without a board: you need a big power wire for low beams, a big power wire for high beams, a smaller power wire for turn signal. And that's all you can do.
With a board: you need a big power wire for everything. And two tiny wires for CAN--so you're already ahead. If your beams can move, or be directed, or have LEDs that can be modulated, or have a washer, you start coming out WAY ahead.
Do any cars use higher voltage for power distribution to reduce currents and thus reduce the diameter of wire needed? I'm thinking something like having a higher voltage power distribution network that distributes power to nodes that use a DC to DC converter to provide 12 V to the lights, sensors, etc near those nodes.
24v and 36v are common in trucks and industrial vehicles respectively for exactly this reason, among others. It's really expensive to increase voltage though because all the different components' power supplies have to be designed for transients and supply voltages anywhere from 2-5x nominal in normal operation. Companies will often design up to around 200v, for example.
High power systems do exist, particularly in electric vehicles. They have different challenges to do with being incredibly dangerous to work on.
Tesla have been pushing for a standardized 48v supply system for some time for exactly the reason that 12v 15-30A requires much thicker wiring than a 48v 5A system.
Can bus is a bus. You don’t need a dedicated run of wire per device. You can have a single loop that goes around the whole car that everything is connected to. Things that are “on the way” to others are relatively “free”. Compare this to an independent point to point wire for everything that’s under control.
This is trivially observed if you take a moment to compare a modern day wiring harness to something older, while considering the functionality provided by the latter.
All new cars in the EU have to have always online SOS connectivity, so I don't think anyone can charge for it.
"eCall is a system used in vehicles across the EU which automatically makes a free 112 emergency call if your vehicle is involved in a serious road accident. You can also activate eCall manually by pushing a button."
"Compulsory for new car models
If you buy a new model of car, approved for manufacture after 31 March 2018, it must have the 112-based eCall system installed."
Encrypting everything on the CAN would be overkill and probably cost-prohibitive for manufacturers. Not all messages need to be encrypted -- just the ones that allow you to disable the immobilizer.
The solution is signing packets with PKI and verifying them on receipt. Nothing says you can’t flash firmware to add new packets etc but the CAN bus couldn’t be spoofed unless you had the private key.
As someone who has (successfully) implemented this at multiple manufacturers, it is absolutely not as easy as "just signing it".
First off, almost all vehicles are running CANbuses right to the edge of their available bandwidth. Making the signature data fit is a vehicle-wide refactor unless you've designed for it from the beginning.
Secondly, many automotive MCUs don't have hardware crypto support or enough spare cycles for signing/verification. You have to design for that from the beginning.
Third, key distribution is hard. There are a lot of parties outside the OEM that need to flash firmware for various reasons during production. Do you give them all private keys or do you put up a public image signing service anyone can submit binaries to?
There's lots of other issues I could go on about like what the key rollover looks like, but I hope it's clear that retrofitting cryptography onto complicated systems that weren't designed for it is anything but straightforward.
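The two comments above pull in opposite directions: "just sign the packets" versus "the signature data has to fit on a bus that is already full". The block below is an added illustration, not code from the thread or from any vehicle or AUTOSAR stack. It squeezes a freshness counter and a truncated HMAC tag into a classic 8-byte CAN frame, so the budget problem is visible (half the frame goes to authentication), and then runs the receiver against a genuine frame, a replayed frame, a frame built with the wrong key, and a frame with a single flipped data bit. The field sizes, the key and the CAN ID are constructed assumptions.

```python
import hmac
import hashlib
import struct

# Constructed frame layout for authenticated classic CAN (8 data bytes max):
#   [payload (<= 4 bytes)] [freshness counter, 1 byte] [truncated MAC tag, 3 bytes]
# The field sizes are assumptions for illustration; every byte given to the
# counter and the tag is a byte taken away from the data the frame carried before.
CAN_MAX_DLC = 8
CTR_LEN = 1
TAG_LEN = 3
PAYLOAD_MAX = CAN_MAX_DLC - CTR_LEN - TAG_LEN  # 4 bytes of actual data remain


def _tag(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """Truncated HMAC over CAN ID, counter and payload. Binding the CAN ID
    stops a valid tag from one message type being reused on another."""
    msg = struct.pack(">IB", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key: bytes, can_id: int, payload: bytes, counter: int) -> bytes:
    """Sender side: append counter and tag; refuse payloads that no longer fit."""
    if len(payload) > PAYLOAD_MAX:
        raise ValueError(f"payload of {len(payload)} bytes leaves no room for counter and tag")
    if not 0 <= counter <= 0xFF:
        raise ValueError("counter must fit in one byte")
    return payload + bytes([counter]) + _tag(key, can_id, counter, payload)


class AuthReceiver:
    """Receiver side: verifies the tag in constant time and enforces a strictly
    increasing counter per CAN ID so captured frames cannot be replayed."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = {}  # can_id -> highest counter accepted so far

    def accept(self, can_id: int, frame: bytes):
        if not CTR_LEN + TAG_LEN <= len(frame) <= CAN_MAX_DLC:
            return False, b""
        payload = frame[:-(CTR_LEN + TAG_LEN)]
        counter = frame[-(CTR_LEN + TAG_LEN)]
        tag = frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self._key, can_id, counter, payload)):
            return False, b""  # forged or corrupted by bus noise: the receiver cannot tell which
        if counter <= self._last_counter.get(can_id, -1):
            return False, b""  # replayed or stale frame
        self._last_counter[can_id] = counter
        return True, payload


def demo():
    """Exercise the four cases a practitioner cares about. Key, CAN ID and
    payload are constructed test values, not taken from any vehicle."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    immo_id = 0x1A5
    release = b"\x01\x00\x00\x00"  # constructed 'release' payload, exactly PAYLOAD_MAX bytes
    rx = AuthReceiver(key)

    genuine = build_frame(key, immo_id, release, counter=7)
    ok_genuine, _ = rx.accept(immo_id, genuine)
    ok_replay, _ = rx.accept(immo_id, genuine)  # the same frame seen a second time
    forged = build_frame(b"wrong-key", immo_id, release, counter=8)
    ok_forged, _ = rx.accept(immo_id, forged)
    noisy = bytearray(build_frame(key, immo_id, release, counter=9))
    noisy[0] ^= 0x01  # one flipped bit in the data, as line noise might produce
    ok_noisy, _ = rx.accept(immo_id, bytes(noisy))

    return {
        "frame_len": len(genuine),
        "payload_bytes_left": PAYLOAD_MAX,
        "genuine": ok_genuine,
        "replay": ok_replay,
        "forged": ok_forged,
        "bit_flip": ok_noisy,
    }


if __name__ == "__main__":
    print(demo())
```

The last case is the noise-resistance point raised further down in the thread: a single corrupted bit that the receiver could previously have tolerated or corrected now fails authentication exactly like an attack, and the receiver has no way to distinguish the two. The one-byte counter also shows why freshness is the awkward part in practice: it wraps after 256 frames, and sender and receiver must stay synchronized across resets and lost frames.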
I’m sure there are a lot of complexities, I think the general shape of the solution is the same. Another poster (perhaps you?) mentioned that luxury cars do sign CAN packets.
Anyways I’m not in this industry but work on SPIFFE and see similarities - you could have a centralized CA in the car that does attestation to remote workloads.
That can be a solution, but I usually push to simply scrap CAN everywhere possible and move to IP networking as mentioned by others in a sibling thread. That requires a ground-up system redesign, but it has a lot of benefits like not requiring a bunch of automotive programmers to implement a custom crypto architecture on constrained systems in C.
With CAN, you're pretty firmly in the land of tradeoffs because the safety-critical stuff you want to auth is also hard realtime and solutions that involve expensive coprocessors like HSMs are usually off the table for a number of reasons like cost, lack of vendors supplying high-integrity solutions, inability to do board spins, etc. Adding authentication also has the nasty problem of sometimes reducing your safety because it makes the channel less noise resistant, as demonstrated by Dariz et al [1]. Navigating these sorts of tradeoffs is why some manufacturers have gone with half-measures like only authenticating a small subset of messages.
While I agree with this instinct: this sounds like a simple "just use PKI" solution but it's really not simple at all. How do the vehicles' or devices' cert keys get provisioned and protected? Are they unique per device, per vehicle, or per manufacturer? Per device or per vehicle increases manufacturing process overhead (read: price) immensely [edit: as well as overhead at service departments]. Every device that can sign messages needs access to perform private key operations, which necessarily either increases cost (eg by storing the keys in a device-local HSM or adding network-based key operations along with the corresponding one-turtle-down auth problems) or decreases security of those private keys. What happens when they inevitably get extracted and baked into spoofing tools? Can the manufacturer rotate the root keys? What happens to vehicles that are offline when that happens?
I thought it was covered in the article but all the devices on the bus would need secret keys that were unique across all devices manufactured. This isn't impossible though since we've been making unique MAC addresses on NICs for many decades, and motherboards often come these days with the actual serial number of the server flashed into the DMI information, etc. It will also take an electron microscope to read the keys out of the chips, which is not a very mobile attack to use against a parked car on the street.
First, those unique MACs and serial numbers are not currently in storage that requires an electron microscope to read, so that's a pretty big additional cost burden. Second, assuming all devices were to be given secure key storage parts, you also have the cost burden of the pairing process during manufacturing and maintenance, as I mentioned above (not to mention the design and development of that pairing database and its failure/diag/maintenance/factory-reset modes). It's far from trivial.
If you don't provide a convenient interface to read a MAC address then you're going to need an electron microscope to pull it off a NIC chip as well. They just always provide the convenient interface to get at it.
No, you don't need an electron microscope to overcome that type of inconvenience, because those pieces of data are not sensitive and no effort has been made to ensure you can't just read them out using the pins. This is why the problem of storing private keys is so different than the problem of storing a MAC address. Or put another way: inconvenience is not security, and what we're talking about is a security problem.
I think to be feasible from a maintenance and consumer-friendliness standpoint, each vehicle should have its own local CA and have some sort of open standard for how individual devices can have certificates provisioned so that they can be installed on a car. A replacement-part-pairing function that can only be performed by having physical access to a specific secured component (e.g. not just bus access) should work without contacting the manufacturer. I'm in for this startup idea. :D
Sensors whose outputs are used to do cruise control and lane keeping assistance and so on should also be encrypted.
I don't believe anything in this space is cost-prohibitive in the long term, or even in the medium term. It's just dev cost amortization, because the chips are cheap once they tape out.
ASIL-critical inputs/outputs should not be encrypted, full stop. Do I really trust that the dinky economy-scale micro that GM would pick is always going to hold up that encryption when I'm starting to drift off road? Absolutely the hell not.
I worked in this space (auto RE, including keyless entry) for a while, and there's almost no way this would work at scale without a top-down platform redo for automakers.
> Do I really trust that the dinky economy-scale micro that GM would pick is always going to hold up that encryption when I'm starting to drift off road?
Is your concern that the key management can leave a mess of key disagreement? But that's like the sensors failing altogether, and that already has to be taken into account.
So yes, I would trust "that the dinky economy-scale micro that GM would pick is always going to hold up that encryption when I'm starting to drift off road" because I have to trust that the computers will handle sensor failure correctly.
That said I'd only trust that if the crypto is sensible. Specifically authenticated encryption is essential. Key exchange, pairing -- those are important too. It needn't be complicated to set up: trust-on-first-use-after-reset (with reset being not trivial to execute) should suffice.
> [...] there's almost no way this would work at scale without a top-down platform redo for automakers.
Agreed. Careful what you wish for. All those enthusiasts out there enjoying hacking their vehicles (in the traditional meaning of the term) would not like crypto and HSMs on that bus.
It's like in the old days when internet traffic was unencrypted and so was Wifi. You could have a lot of fun just watching what's happening in your home network, and perhaps your neighbors' (so I heard... legal grey area). Today? Nope. Everything is locked down. Wireshark shows you only lots of SSL. And that's not even proprietary stuff as the car crypto will be. The bad guys will obtain the keys or workarounds somehow. The good guys will be locked out.
I had a BMW with encrypted CAN or very similar to what that would be. Would refuse to use a new module unless you had the dealership key. Which my mechanic managed to get from his friend at the dealership but still...
That started with the high intensity headlights. They were such a high theft item that when they're disconnected from the battery, they go into a locked state that requires a dealership to do the unlock.
> So be careful what you scream for. We already have enough un-repairable items.
Couldn't the keys for decryption be stored in a trusted module that can only be unlocked with the presence of the actual car key? Yes, this means key cloning attacks still get you access to the CAN, but if you can clone the key you can drive away with the car anyway.
> you will ABSOLUTELY get it from the manufacturers in the name of security
Fuckin' good. Then they can give me the damn encryption key so I can diagnose it myself. I am absolutely not going to subscribe to any sort of narrative like these things are mutually exclusive. I'll keep screaming for the security and the repairability.
They will never do that in the same name of security. Their aim is appl-ification and johndeerification; it's their object, but they'll let you think it's yours as long as it's a revenue source.
you can scream all you want, most people who buy new cars won't care and will just lease for 3-5 years no matter what the manufacturer puts behind a paid upgrade/software subscription. They never have to repair their cars, because nothing breaks for the first 5 years. The used market might care, but manufacturers don't care about the used market at all, since they get no money from it.
Throwaway account. I have actually worked on this sort of stuff. These topics are well known in the industry and have been for a surprising amount of time (decades).
Some premium brands will have the immobilizer await proper crypto from the key reader. In this case the key reader is just there to read the key and pass on the message, there is no decision being made outside of the immobilizer.
Some premium brands will also have immobilizers in other places, like the gearbox. It too will await proper crypto to shift into gear.
Some premium brands will have signed CAN/FlexRay/Ethernet frames that will prevent message spoofing, though that isn't only for this situation.
Most of the time the Gateway module has a static firewall - basically fixed routing tables so only modules that need to will be allowed to talk to each other.
Finally some premium brands will have an HSM both in the key and in the immobilizers to keep the material safe.
There is a lot more to this topic obviously but the reason some brands don't have this (and other countermeasures) is simple: cost.
I've also worked in this space for a few years and the amount of HN-style overconfident "we can fix this in hardware like the old days, the computers are coming for us!" comments without understanding the automotive industry or how cars are wired is pretty hilarious.
Something that should be noted for anyone who actually reads this is that the level of vulnerability is wildly different between automakers. No universal solution exists.
Yep - and not just between automakers, the security model varies wildly between different electrical architectures from the same manufacturer. Like any industry, there are hard problems, some of which are technically difficult, and some of which are self-inflicted from history/culture/insularity. No sector with any significant value or market competition has only the latter.
Without working in the industry, how could someone vet for the internal cybersecurity of an upcoming car purchase? None of these security features seem to be publicly documented anywhere. I have spent a long time looking.
You can't. Heck, it's sometimes hard to tell even when you work inside and have all the docs. The best information you have is to look at the manufacturer's past history as evidence for their future security competence.
Manufacturers also aren't building every piece of software on a given vehicle. Many components will be done by suppliers that range from "meh" to "wtf" when it comes to security. Even the best reviewers will struggle to catch everything a sufficiently incompetent implementation screws up.
> Most of the time the Gateway module has a static firewall - basically fixed routing tables so only modules that need to will be allowed to talk to each other.
This was exactly my thought. If the headlights, and any other easily accessed CAN bus wiring, were properly isolated from critical security ECUs via a properly configured gateway, this attack would be impossible.
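To make the "static firewall" mentioned above concrete, here is an added model of a gateway with fixed routing tables; it is illustration code written for this thread, not the firmware of any real gateway, and the segment names and CAN IDs are constructed. A frame is forwarded only to the segments its (source segment, CAN ID) pair is listed for; anything else is dropped and counted, which is also the point where a defender gets something to alert on.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "can_id data")

# Constructed segments and CAN IDs for illustration only; they are not the
# IDs or topology of any real vehicle.
ROUTES = {
    # (source segment, CAN ID): segments the frame may be forwarded to
    ("body", 0x120): {"comfort"},                 # lamp status report
    ("powertrain", 0x2A0): {"body", "comfort"},   # vehicle speed for lamps and display
    ("security", 0x1A5): {"powertrain"},          # immobilizer release
}


class StaticGateway:
    """Default-deny forwarding between bus segments. The table is fixed at
    build time; nothing on the bus can add a route at runtime."""

    def __init__(self, routes):
        self._routes = routes
        self.dropped = []  # (source, can_id) of every blocked frame, kept for review

    def route(self, source: str, frame: Frame) -> frozenset:
        """Return the set of segments the frame is relayed to (empty if dropped)."""
        dests = self._routes.get((source, frame.can_id))
        if not dests:
            self.dropped.append((source, frame.can_id))
            return frozenset()
        return frozenset(dests)

    def drop_counts(self) -> dict:
        """Aggregate drops per (source, id). Repeated hits on an ID from a
        segment that never legitimately sends it are worth an alert."""
        counts = {}
        for key in self.dropped:
            counts[key] = counts.get(key, 0) + 1
        return counts


def demo():
    gw = StaticGateway(ROUTES)
    results = {}
    # Legitimate traffic follows its listed paths.
    results["speed_from_powertrain"] = gw.route("powertrain", Frame(0x2A0, b"\x00\x3c"))
    results["release_from_security"] = gw.route("security", Frame(0x1A5, b"\x01"))
    # The same release ID arriving from the body segment (where the lamp
    # wiring lives) has no entry, so it never reaches the powertrain segment.
    for _ in range(3):
        results["release_from_body"] = gw.route("body", Frame(0x1A5, b"\x01"))
    results["drops"] = gw.drop_counts()
    return results


if __name__ == "__main__":
    print(demo())
```

The table is deliberately keyed on the source segment as well as the CAN ID: a frame is only trusted for what its physical origin is allowed to say. As the reply just below points out, this helps only as far as the sensitive segment itself is not physically reachable, so it complements message authentication rather than replacing it.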
I don't think that segmenting CAN wiring is a good solution to this problem. The Powertrain CAN will always be accessible externally for some definition of "externally" (on older GM cars it ran across the bottom of the car to reach the transmission, for example), and even a separate "immobilizer" CAN would probably be accessible somewhere.
The solution, as implemented by many automakers already, is just to authenticate immobilizer messages. It works, and there's not a great excuse for not doing this in 2023.
Do manufacturers advertise these features? Some manufacturers don't even include immobilizers. It would be nice to know which include extra features. Seems like it could be a selling point.
On the contrary unfortunately, it's all secret for the average consumer.
People that never worked in the industry greatly underestimate how much it really costs in R&D and production to make a car. Adding "authentication" and "encryption" in this environment is way more complex and has more implications than importing yet another library in a web app.
Even so a few manufacturers go to a great deal of effort to secure their stuff while others are using 20y old architecture because it works and it saves money.
I want to say that "premium" brands are much better, but there are a lot of exceptions. However cars with lower margins and lower overall cost will be worse.
How does a person with a CAN tool and an insatiable curiosity for knowledge about his own car find detailed documentation for his own edification? Any leads?
Reminds me of a former colleague of mine who got an alert from his phone (I believe he got a call from a BMW support center); there was an attempted break-in of his car. He had a BMW that had an air pressure sensor in the cabin, which was triggered because someone had broken the window.
No trace of course once he got to the car / once the police was around, just a broken window. But the would-be burglars made a mistake; they went into the frame of the car (between the driver and rear passenger doors) through the plastic to disconnect a bundle of cables, but didn't fit the plastic back properly.
This bundle of cables went to the antenna that was required for the phone home functionality; if he hadn't had that addressed, the thieves would have been back a day or a week later to get into the car, with the pressure sensor / phone home alarm not being able to contact BMW HQ.
Organized crime has enough money, time, opportunity and incentive to buy cars and take them apart to find weaknesses.
I feel like for most car break-ins there's nothing you can do. The crime can take 10 seconds and only needs your t-shirt wrapped around your fist. Or a spark plug. Or the air bladders tow truck drivers use that you can find at the hardware store.
Plus when the alarm does indeed go off, people are liable to ignore it because these alarms are always going off for nothing.
> frame of the car (between the driver and rear passenger doors)
FYI, that would be the "B Pillar". The A Pillar is the one between the windshield and the driver door, the C Pillar is the one behind the rear passenger door.
For what it's worth, most European cars have much more robust immobilizer systems that use actual cryptographic primitives to both obfuscate and authenticate start-release messages.
This is for a variety of reasons - a legal and insurance company focus on immobilizer technology through companies like Thatcham Research as well as a more active threat model geopolitically.
There are, of course, weaknesses in these cryptosystems, but the documented attack describes an extremely poor system by modern standards.
Even in the mid-1990s the key-to-BECM protocols used in old Range Rovers were frankly massively overengineered, with a 48-bit rolling code key based off the vehicle's VIN and a 24-bit key code. The actual encryption routine is just a bunch of shifts, adds, and XORs, but so far it has resisted any attempt at spoofing keys.
There's a somewhat simple trick to get the engine to start without the immobiliser (but it requires special tools), but if the body ECU is immobilised most of the vehicle electrics will be locked out too.
I work in the space and I have not been impressed by the quality of Thatcham’s requirements once you get past the physical domain (door handle pull force, steering column locks, etc).
I would love to see a story about one! I don't work in automotive RE, it's only a hobby, so I don't have budget to go find and buy "emergency start" tools like these security vendors do.
As far as I am aware: there are All Keys Lost (AKL) immobilizer bypasses for, for example, Volkswagen Immo 5, but not "Emergency Start" bypasses. The difference is the level of access required: AKL bypasses require involved, long term physical access to a car, for example at a shop. They're useful for independent or fly-by-night shops and in a post-theft scenario, but they're not going to boost a car out of a driveway. Meanwhile, Emergency Start bypasses are plain-and-simple theft tools like the fake Bluetooth speaker from the article.
All of the VW Immo 5 exploits of which I am aware are of the AKL style and revolve around being able to extract cryptographic material (CS/MAC/ImoDat_noKeyMst/ImoDat_noKeySecu depending on who you ask what it's called) from a control module by physically removing it from the vehicle.
This is a far cry from tapping the CAN bus at a headlight and injecting an unauthenticated CAN message.
What? This is a CAN bus hack, which is a standard that has been in EU cars for longer than US cars. I've worked with KeylessRide and also built my own hardware immobilizer/CANBUS device at a previous startup, and there is zero difference between European cars and American cars for this...
By design, all nodes on a CAN network receive all frames, which is the root of the problem. There are some differences in ECU validation, plus whether or not the vehicle supports UDS diagnostics, but these are differences by manufacturer and have nothing to do with the continent the car is being used on.
Calling something a "CAN bus hack" is like calling something an "Ethernet hack." It's just a bus, it's what's on the bus that matters.
European, American, and Japanese cars have completely different immobilizer module cryptography implementations. In this case, the real weakness was that the immobilizer protocol allowed the car to start without message authentication, the CAN-related message injection thing was a sideshow.
Generally, European cars have stronger immobilizer implementations. For example, in VW Immo 5, immobilizer messages are encrypted and authenticated using AES with a PRNG-based MAC. At a high level, participating modules need knowledge of a secret AES key in order to encrypt random number seed material. It's symmetric so it's still not perfect, but this type of simple "send one message through a headlight" attack would not be possible on these cars.
Update: ah, I see you edited your comment. Yes, it has nothing to do with where the cars are _used_. My point was that European _manufacturers_ tend to have more secure immobilizer implementations, and I will stand by that point.
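The comments above describe the shape of a stronger immobilizer: the immobilizer issues a fresh challenge, the key reader only relays bytes, and the immobilizer alone decides whether the answer proves knowledge of the paired secret. The block below is an added model of that exchange, written for this thread; it is not VW's Immo 5 or any manufacturer's protocol, and HMAC-SHA256 stands in for the block-cipher-based function a real immobilizer would use. The pairing secret, challenge length and response length are constructed assumptions. It runs a genuine handshake, then a replayed response, a fob paired to a different car, and an unsolicited "release" with no challenge outstanding, which is the case the thread identifies as the weakness in the attacked car.

```python
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 8   # assumption for illustration
RESPONSE_LEN = 8    # truncated response, also an assumption


def _prf(secret: bytes, challenge: bytes) -> bytes:
    """Keyed function both sides compute. HMAC-SHA256 is a stand-in here for
    whatever cipher-based construction a real system would use."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()[:RESPONSE_LEN]


class KeyFob:
    """Holds the paired secret and answers challenges; it never initiates."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return _prf(self._secret, challenge)


class Immobilizer:
    """Makes the only decision. Each challenge is fresh and is consumed by
    exactly one release attempt, whatever the outcome."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(CHALLENGE_LEN)
        return self._pending

    def release(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge: an unsolicited "start" carries no proof
        expected = _prf(self._secret, self._pending)
        self._pending = None
        return hmac.compare_digest(expected, response)


def key_reader(fob: KeyFob, challenge: bytes) -> bytes:
    """The reader relays bytes between the two parties and holds no secret,
    so compromising it yields nothing that releases the immobilizer."""
    return fob.respond(challenge)


def demo():
    secret = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed pairing secret
    immo = Immobilizer(secret)
    fob = KeyFob(secret)

    # Genuine handshake: challenge out, response back through the reader.
    c1 = immo.challenge()
    r1 = key_reader(fob, c1)
    genuine = immo.release(r1)

    # A captured response replayed against a later challenge.
    immo.challenge()
    replay = immo.release(r1)

    # A fob paired to some other car answers the current challenge with the wrong secret.
    c3 = immo.challenge()
    other_car = immo.release(key_reader(KeyFob(b"other-car-secret"), c3))

    # A bare "release" message with no challenge outstanding.
    unsolicited = immo.release(b"\x01" + b"\x00" * (RESPONSE_LEN - 1))

    return {"genuine": genuine, "replay": replay, "other_car": other_car, "unsolicited": unsolicited}


if __name__ == "__main__":
    print(demo())
```

Because the secret is symmetric, anyone who extracts it from either end can answer challenges, which is the architectural limit the same poster describes further down for All Keys Lost tooling; and because a relayed answer from the genuine fob is genuine, the challenge-response shape by itself does not address the relay attack discussed later in the thread. What it does remove is exactly what this thread's car lacked: a release that can be triggered by a message nobody had to prove anything to send.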
I suspect older immo bypasses used an engine ECU read/write primitive to read & rewrite the firmware over the diagnostics port (K-Line or CAN). Those primitives are usually based on undocumented commands used during a legitimate firmware update process (loading new "calibrations" as it's called in the industry) - there's a chance those same undocumented routines exist in newer ECUs, in which case you don't actually need to break the cryptography if you can rewrite the firmware to skip the check or seed it with your own key material.
I did find an older VW "emergency start" product that claims to only work with Bosch MED17 and MED9, and I suspect it's using a memory-access primitive (either UDS or CCP) to release the immobilizer.
It's trivial to disable an immobilizer in software by re-flashing the ECU, yes, but modern ECUs have two strong protections against this:
* Cryptographic signature checking against update/re-flash payloads (I've done extensive research on these on VW Continental ECUs - https://github.com/bri3d/VW_Flash )
and an even better and more obvious protection:
* The ECU application software won't descend into the re-flash software (Customer Bootloader) unless the immobilizer is free (a valid key is present).
This is a lot of what helps to reduce surface area from an "emergency start" style attack to an AKL attack - now that the Customer Bootloader won't start without the Immobilizer being unlocked, an attacker needs to remove the control unit to flash it with a Supplier Bootloader exploit ( https://github.com/bri3d/simos18_sboot ) or physical access (BDM/JTAG).
Can't the AKL process effectively be turned into an "emergency start" attack anyway?
At least in the US, there are portals for non-official repair technicians to buy access to reprogram ECUs/keys/etc for a given car (keyed by VIN) - I can see this being abused (it can't be that hard to buy access under a false identity), not to mention that professional car theft gangs might convince/coerce an insider to give them even deeper access to the signing service if not the raw private keys.
Once you have access to the signing service in one way or another and a valid network connection, can't you just perform the AKL process in the field by simulating a legitimate AKL procedure that a dealership might do? Presumably writing custom software to automate all that (vs having to manually click through a slow scan tool or the often-terrible official software) would cut down the required time to a couple minutes.
In short: Yes. This is a big threat model that manufacturers try to guard against.
However, there are a few protections here:
* Most manufacturers do fairly aggressive KYC / risk protection for their online programming services. The VW one is called FAZIT/GeKo, you can find the subscription process online and it is similar to opening a business bank account. Still, you're right, aftermarket account sharing is a big thing and as always, a cat and mouse game that manufacturers are usually losing. You can easily rent VW online coding accounts by the hour on shady websites.
There's also second layer of protection for official AKL specifically which is harder to defeat, though:
* Most European manufacturers do not allow an All Keys Lost process to be carried out entirely online. For example, for VW, dealers or aftermarket vendors need to buy specific, physical "dealer keys" for a given VIN. These physical key fobs are seeded with some key material and registered with the shop and VIN in the backend / FAZIT database. The signing server backend for ODIS (GeKo) will not adapt keys to a car unless the key material matches and the VIN was already associated with the key in the backend. Of course, there are social engineering attacks here still, but it's basically 2FA for key programming, with a lead time of "they ship the key to you," and it prevents the attack you describe from being plausible by legitimate means.
HOWEVER, this is also one of the major weaknesses in the VW Immo 5 cryptosystem architecturally - since the actual message authentication is symmetric (MAC based), if the secret AES key material can be extracted from the immobilizer system, aftermarket tools (Abrites, Autel, VVDI/XHorse, etc.) can create and adapt a "Dealer Key" without prior authorization. So we get back to the current state of these systems - because authentication is symmetric, with long-term physical access to the car, specific control units can be removed and secret key material extracted and used for reprogramming. However, drive-by quick-and-dirty "plug two wires from outside" attacks are very challenging.
Very interesting, thanks! Glad to hear there's at least an attempt at actual due diligence and theft prevention as opposed to merely making it difficult/expensive for independent shops or car owners.
The longer and more involved I get in automotive diagnostics and programming as a hobby, the less I believe there is any particular conspiracy against independent shops and owners in the automotive industry (versus in the heavy equipment and ag industry, where there absolutely is a conspiracy).
The threat model most automotive systems are designed against (when they are designed against anything at all) is absolutely not "we want to screw over those damn independent shops trying to run diagnostic routines!" - it's "how do we lock down the immobilizer, the ADAS, and protect ourselves from tuning-related warranty fraud." Independent shops and individual enthusiasts are just caught in the crossfire between thieves, ADAS tampering, and manufacturers/insurance/regulators.
> In this case, the real weakness was that the immobilizer protocol allowed the car to start without message authentication, the CAN-related message injection thing was a sideshow.
Right? Because the messages are not authenticated, once the car is stolen, the thieves can even remove the immobilizer and put in a DIY one with a set of keys when they send the car in a container, to make it 'ready to ride' out of the box.
You know that Toyota, the manufacturer here, is a Japanese company, right? European versus American regulations have literally nothing to do with this, which was your original point.
Their original point does not talk about American regulations at all, but rather that European regulations are stricter and therefore European cars will have tighter security.
You're the one that chose to interpret that as "stricter than American".
Just a reminder (I remember those times too) that before the advent of immobilisers and electronic ignition locks, any car could be started in about 30 seconds with some very basic tools. Car theft has been absolutely rampant until the mass adoption of immobilisers where it has literally dropped off a cliff - it hasn't stopped thieves completely of course, but it's very much the case of electronics reducing crime by an order of magnitude (at least here in Europe).
I remember those times too, though I've never had any cars stolen by car thieves. I have lost 4 cars to the tech. That is 4 times the security system bricked my car in a variety of different ways.
I suppose the big difference between a person stealing my car, and the immobilizer stealing my car is that my insurance has to pay out for that first one.
Could you elaborate? A friend of mine had his car randomly not starting the engine, but fixed it through the replacement of an electronic board, and some mechanics said they could circumvent that.
I had an old Mercedes 230TE that could be unlocked and started with any flattish piece of metal roughly the same size and shape as the key.
Once I went out to the car early one morning to find it parked up exactly where I'd left it, with 200 more miles on the clock, the petrol tank rather more full, and the engine still warm...
My family once found their car in the parking lot of the grocery store with the groceries of someone else already inside the car, and a note and contact info left on the windshield about how this person unlocked my parents’ car thinking it was theirs, accidentally loaded their groceries into the wrong identical vehicle, closed the trunk, and then couldn’t unlock it again after noticing the mistake.
To be fair, on those cars it is trivial to install your own immobilizer. Autozone will sell you a switch for cheap and you can tuck it under the carpet by the pedals, or install a dummy switch in one of the spare slots on your dash.
I have a Volkswagen T3 from '84 and the most complicated "computerized" part is a bus of relays.
Yet the car is trivial to break into. Hell, I've locked myself out a few times and the key from another T3, a key from a bicycle lock and a nail-file could open the car (but not start it).
My countermeasures are mechanical too, though: hidden circuit breaker, a lock on the steering wheel, one on the gas-pedal and one on the hand-brake. All of them easy to circumvent, given some time, but that's one thing thieves often don't have: time to figure out unknowns and weird stuff. Actual "security by obscurity" in a way.
> Carburetors and point ignition systems have their issues.
One of which is that if you apply 12V to the coil, you can bump-start the car and it will run. Theft of such cars is truly trivial.
Modern cars are in fact very hard to steal. Just because the car from the article has a flaw that allows you to unlock and start it via canbus, doesn't mean that all modern cars can be stolen like this.
You can bring an ECU from the same car, connect some wires and start any modern car just as well. The original ECU won't even know what's going on. We call it "spider". It's not as easy as just powering on ignition sparks, but it's a similar attack.
Modern car theft in the US is unfortunately all too easy; you point a handgun at someone in their car and tell them to give you their keys. Until those who do that are violently stopped by the state cars will be easy to steal regardless of any technical countermeasures.
Car theft is largely a political problem, not a technical one.
Stealing the car is not the only issue in keyless access. A friend of mine has lost a little bit because somebody used to open the car and steal everything costly that was in the cabin while the car was parked near a mall.
I built a 1994 Toyota pickup and swapped in an OM617a mechanical diesel. It's a really fun party trick to unplug the battery and have it continue running.
In terms of security, it's my most secure vehicle. Mechanical diesel means it's gonna need to be glowed, which I have set up as a push button and no thief will know this. As well, my shutoff switch is a toggle switch under the dash I leave to "off". It'll just crank and crank forever. And my biggest security feature? It's a manual transmission. Most see that and won't even try.
My first car was a used 1976 MGB. Some models came with an electric overdrive, mine didn’t but it still had the switch in one of the steering wheel stalks. A friend showed me how to switch some wires around so the unused switch would control the fuel pump. That was the extent of my theft protection, with the loose rag top there was no point even locking the doors.
While having fewer computer controls in our cars may be beneficial in some ways, theft-prevention is certainly not one of them.
My dad had an early-80s Ford pickup when I was a kid. The cylinder in its ignition switch was broken in a way that you could hop in, turn the ignition switch, start the truck, and drive away -- all without a key. The ONLY thing preventing extremely easy theft was a few tiny pins in a lock cylinder.
This is an extreme case, but it illustrates how easy it was to steal cars before modern theft-prevention: bypass the mechanical lock to connect a couple wires together, and drive it away.
I think nowadays an old car with a manual choke, a stick shift, and a separate coil where you can remove the ignition wire between the coil and the distributor would probably eliminate all theft outside someone just picking the whole thing up with a rollback tow truck. ;)
Just remove some fuse that you know for sure prevents the car from starting (fuel pump fuse for example) and you don't need to disconnect any wires.
Sure, you will have to spend an additional 20 seconds removing and putting it back every time, but it is simple and safe, unless thieves are willing to go full troubleshooting on why the car doesn't start in the middle of the night.
I have this. You can drive my truck from 1968 away just with a nail. You don't need any key at all. Not even the doors are locked and you wouldn't need it anyway, because it's a convertible truck like most of the trucks from that time. Does that make it better?
> Modern cars are protected against thefts by using a smart key that talks to the car and exchanges cryptographic messages so that the key proves to the car that it’s genuine. [...] The thieves found a simple way around this: they used a hand-held radio relay station that beams the car’s message into the home to where the keys are kept, and then relays the message from the keys back to the car. The car accepts the relayed message as valid because it is - the real keys were used to unlock the car. Now that people know how a relay attack works, it is generally possible to defeat it: car owners keep their keys in a metal box
? The car talking to the key first? Can't the key just not talk to the car at all unless the button is pressed on the key fob or shortly thereafter?
A lot of cars in the 2010s made available touch-based convenience access. ie if I have the fob on my person, the car unlocks when I touch the handle of a door, or gesture to open the trunk.
In the 2020s, I’m increasingly seeing smartphone (NFC?) keys being the sole thing you need to drive off with the thing so no fob is even necessary.
Or bluetooth. I'd rather have a pocket fob than have to take my phone out and hold it up to an NFC reader.
The problem with the Bluetooth method is reliability. My Tesla decides not to unlock for me perhaps once every 20 times I walk up to it. Sometimes it's just a few seconds while it figures it out, sometimes I have to open the app up and hit the door unlock button.
My wife's Bolt uses a pocket fob, and so far it has never refused to unlock the doors on command.
This also happened (happens) to me and my 2020 Model Y. When I first purchased the car I had a Google Pixel 4 (I think) and now I have an iPhone 13 running the latest iOS. My car still doesn't unlock right away about 1 out of 20 times I walk up to it. It's not really a big deal as the car usually unlocks shortly after arriving but it is kind of a pain if my hands are full and I have to fumble with my phone to "manually" unlock it.
iPhone running iOS 16.4. This is something I've experienced for years, since I bought my first Model 3 in 2019. I don't think it has much to do with the phone or the OS revision.
That's sort of how it works. The car "wakes" the key up to auth with it when you touch the switch on the door. The relay attack is bidirectional so it replays both the wake up from car to key and the response from key to car.
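To make the point in the two comments above concrete, here is an added simulation (not the article's code, and not any manufacturer's protocol) of a wake-up/challenge/response exchange and why a bidirectional relay passes it. HMAC-SHA256 stands in for whatever proprietary MAC a real fob uses, the shared secret is a constructed demo key, and every latency figure is a made-up number rather than a measurement.

```python
"""Why a radio relay defeats challenge/response keyless entry.

Added example for the comments above; it is not the article's code and models
no real manufacturer's protocol. HMAC-SHA256 stands in for the proprietary
MAC, and every latency figure is a constructed number, not a measurement.
"""
import hashlib
import hmac
import os

# Constructed demo secret shared by car and fob (a real key is per-vehicle).
SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed latencies: fob next to the car vs. one hop through a relay station.
DIRECT_LATENCY_S = 0.0005
RELAY_HOP_LATENCY_S = 0.02


class Fob:
    """The genuine key: proves possession of SECRET by MACing the car's nonce."""

    def __init__(self, secret):
        self._secret = secret

    def answer(self, challenge):
        return hmac.new(self._secret, b"unlock:" + challenge, hashlib.sha256).digest()[:8]


class Car:
    """Issues a fresh challenge on door-handle touch and checks the response.

    max_rtt_s=None reproduces the situation the comments describe: only the
    cryptography is checked, so a correctly relayed answer is valid.
    """

    def __init__(self, secret, max_rtt_s=None):
        self._secret = secret
        self.max_rtt_s = max_rtt_s

    def challenge(self):
        return os.urandom(8)

    def accept(self, challenge, response, rtt_s):
        expected = hmac.new(self._secret, b"unlock:" + challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, response):
            return False  # wrong secret: a forged fob cannot answer
        if self.max_rtt_s is not None and rtt_s > self.max_rtt_s:
            return False  # right secret, but the answer took too long to come back
        return True


def unlock_attempt(car, fob, relay_hops=0):
    """One wake-up/challenge/response exchange.

    relay_hops=1 models the thieves' relay: the same bytes are forwarded
    car -> fob and fob -> car unchanged, so only the round-trip time grows.
    """
    challenge = car.challenge()                        # car -> (relay) -> fob
    response = fob.answer(challenge)                   # real fob, inside the house, answers
    one_way = DIRECT_LATENCY_S + relay_hops * RELAY_HOP_LATENCY_S
    return car.accept(challenge, response, 2 * one_way)  # fob -> (relay) -> car


def legitimate_unlock():
    return unlock_attempt(Car(SECRET), Fob(SECRET))


def forged_unlock():
    # Attacker has no secret; the MAC check fails regardless of timing.
    return unlock_attempt(Car(SECRET), Fob(b"not-the-secret"))


def relayed_unlock_crypto_only():
    # The attack from the comments: genuine fob, valid MAC, accepted.
    return unlock_attempt(Car(SECRET), Fob(SECRET), relay_hops=1)


def relayed_unlock_with_rtt_bound():
    # Same relay, but the car also bounds the round trip (assumed 5 ms budget).
    return unlock_attempt(Car(SECRET, max_rtt_s=0.005), Fob(SECRET), relay_hops=1)


if __name__ == "__main__":
    print("legitimate:", legitimate_unlock())
    print("forged:", forged_unlock())
    print("relayed, crypto only:", relayed_unlock_crypto_only())
    print("relayed, with RTT bound:", relayed_unlock_with_rtt_bound())
```

The crypto-only car accepts the relayed exchange because nothing in the bytes is wrong; the metal box from the quoted article works because the wake-up never reaches the fob at all. The round-trip bound in the last function is a toy: a purpose-built relay adds far less than the 20 ms assumed here, which is why production mitigations use UWB time-of-flight ranging rather than a coarse timer.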
This title should be "CAN injection" in all capitals. It's not a verb, it's the acronym for the Controller Area Network. (And is used in all caps by the article itself)
Typical corporate answer: We regret to inform you that the reported vulnerability is not in fact deemed as serious as you describe. A hacker/thief having physical access to your car, thus able to inject messages into the CAN bus, is not considered a serious security threat. Thank you for contacting our security department, and perhaps you’d be interested in a monthly subscription for running a remote security diagnostic of your car!
The thing that has always bothered me about stuff like this is that there must be some incredibly skilled software and hardware engineers out there who can put this sort of thing together, and they basically decide to use their skills to steal people's cars (or, well, enable others to do that). On one hand I get it, on the other I really don't. I would love to read an interview with any of them and see what drives them.
As opposed to the incredibly skilled engineers who... steal your personal data (or enable others to do that)?
I would love to read an interview with someone who applied to work for, say, Facebook. After all the news about their complicity in trying to set the world on fire - what drives them?
Money (and a chance to apply what he learned at a much larger scale)? It pays very well and you can FIRE in less than 10 years. Especially when FB is much more legal than say stealing cars.
Bingo! But there are plenty of other harmful industries that exist today that are on the wrong side of history, but depend on skilled engineering to wreak the havoc they do on our people and our planet.
Most of these lines of reasoning assume the people involved have the same amount of agency as any other developer/engineer, and I'm sure they're right in many cases-- plenty of talented American software developers have worked at companies making scummy malware even having other options. But I'll bet that a big chunk of it is difficulty getting legitimate work if you've already been convicted of a felony.
I'm not making excuses; there are plenty of ways that someone with these skills could make money legally with a felony conviction, like online freelance work. But, life choices so often come down to the path of least resistance, and if you add in a language fluency barrier, intermittent or slow internet access, or some other resistance, I'll bet it's a lot easier to say "Screw it. I've already got a record-- what do I have to lose?"
If I were to guess, money. Good scratch to be made selling these tools, or even just working for a contractor and never be found making the tools themselves - just a one-off sell of information on how to build a device like these.
But yeah, morals are flexible, a lot of people don't care what their work is used for (whether they're directly aware or not). I mean personally I've worked for investment banking and the tobacco industry (websites/shops for e-smoking products), I've heard of others that have worked for gambling or "adult entertainment", and how many of you here work on either crypto or Amazon?
What's morally right, wrong and justifiable is flexible, is all I'm saying.
Could you link to a job post or something that would be willing to hire for these skills and pay decently? Because even expert-level embedded software engineers don't actually get paid that much, and the guys who designed this may not be able to pass a typical interview (unlike the job, building this car theft tool doesn't require expertise in anything - mere logic, trial and error and learning as you go will get you there).
You effectively get unlimited trial & error attempts, and nobody judges you on how you got to the end result (as long as the end result is working). Compare that to an interview (which sets a baseline level of knowledge necessary, not to mention trick questions and/or leetcode) and then the actual job (where you are under time pressures that may not allow unlimited time for a non-expert to get there by trial and error, and there are certain code quality standards to follow).
It goes like this - in Eastern Europe and other funny places there was no dealer network for cars and so no service. If you lost a key or similar, someone needed to fix it. At first it was quite simple. Read eeprom, change eeprom etc. This industry developed over a number of years, as did the skills. If you have no other option for being employed as an electrical engineer this is probably quite ok. Later, as markets opened up and the internet became a thing, the tools found an international outlet. First auto locksmiths, then thieves stealing to ship abroad (Africa etc) and then drug dealers who had and would pay big money to access cars that are used for hits and other work. So it continues. The latest high end cars have real encryption onboard with unique keys. Taking them is much harder...
This doesn’t look particularly sophisticated. It takes understanding of basic circuit design and embedded programming. The genius bit is leveraging a Bluetooth speaker. That’s a clever choice.
In many countries, engineers (especially hardware) don’t get paid a lot. I could imagine the pull of illicit sources of income being strong.
I have an opinion that dealing with non-FOSS creates the ability to do this. And the ability creates the market. This is a cycle of stupidity where a client (most of them) does not want to learn anything and a vendor happily supplies shit. The appearance of that kind of "skilled engineer" reminds me of water-and-dam supremacy, where water is a kind of opportunist actor and the dam is shitty security software. A dam made of shit will fall in a matter of time.
Maybe they have felony convictions, dubious immigration status or personality problems that make traditional legal employment difficult or impossible for them. Or maybe it just pays well.
The whole supply chain of exporting stolen vehicles (and any other large scale illicit activity) is probably filled with people with great talent and skill: sales, logistics, banking, HR, information security, ... Someone in one of the importing countries might even get hired to develop the system for export to the US.
Imagine if you were someone with specific knowledge that was not remunerated and someone else with ill intent noticed. https://xkcd.com/2347/
As someone who's designed a product that's legitimately meant to unlock cars over the CAN bus, I'll be sad when encrypted/authenticated CAN communications become the norm! Users should be able to connect to the CAN bus in their own car and remotely lock/unlock the vehicle. There are ways of making a car more secure (there are already several different CAN buses in modern cars - having a security-specific CAN bus inaccessible without physical access to the inside of the vehicle should be a minimum!)
To start the vehicle, other manufacturers have the key communicate with the ECU directly, bypassing the accessory CAN bus.
Something I'd like to see is a unique private RSA key given to car owners on a USB stick upon purchase of the vehicle to allow them to replicate their own keys.
> And part of the problem is that this isn’t a vulnerability disclosure and so the processes that Toyota does have in place are not appropriate.
I didn't follow this part. I hear that the authors think their "you can use CAN fault injection followed by a spoofed unlock command to steal cars" technical writeup is not a vulnerability disclosure. But why not? (Other than because they said so.)
The fact that the vulnerability is exploited in the wild doesn't prevent it from being appropriate to report it as a vulnerability -- quite the opposite. They even provide several fix suggestions.
(I'm not personally arguing that it is wrong to disclose the vulnerability without coordination. I'm arguing that it's weird to make a choice like that while claiming you aren't making one.)
He's definitely letting Toyota off the hook there. This absolutely is a vulnerability and whatever the size of the company they should have a way to promptly deal with vulnerabilities.
(Of course it also doesn't surprise me in the least that Toyota isn't taking it seriously)
I can say that Toyota Insurance in the UK takes it seriously, they installed an immobilizer (the key fob for which is branded with a Lexus L) for free on my 2020 Lexus RX to combat this issue. I'm probably going to buy a steering wheel lock, more to advertise that the car will be a pain to steal than for any additional protection.
I first heard of the CAN bus hacking late last year (in an owners forum) but it does seem to have become more wide spread this year.
I can't tell whether they attempted to disclose it to Toyota through normal vulnerability disclosure channels, though. The article implies to me that they didn't.
I read that as more "we cold emailed people looking for a potential contact" than "we submitted this vulnerability to their PSIRT". The fact that they say this is not a vulnerability disclosure situation suggests that they did not use the vulnerability disclosure communication methods.
I read it as "we tried contacting them through their standard processes, and were told it didn't fit in" but I can see your reading now that I've gone back and reread that specific section again. It's indeed quite vague as if they were the ones that made the decision or Toyota.
I worry that industry solutions involving more proprietary layers and/or encryption on buses will make our vehicles and appliances even less modifiable, diagnosable, and serviceable by anyone except factory authorized techs.
In keeping thieves out, we're locking ourselves out.
Steering wheel locks and primitive offline immobilizers had their advantages...
If you live in one of these high-theft areas, you can still use security via obscurity. Put a rag between your intake and air filter, or remove a critical relay (fuel pump, starter) or unclip a critical sensor (crank, cam, etc.) if it's easily accessible. Or do all 3. Each takes about one minute.
For ease of use, you could also hide a fuel pump switch inside the car that you have to press before going. It's an easy but effective solution for protecting your car and needs basic tools / wires.
Of course, the important thing is making sure the wiring is well done (proper wire gauge) and the switch is actually in a hidden spot.
I installed a reed switch just under my windshield to unlock the doors. Swiping a magnet is easier than keeping a key in my pocket.
Getting myself locked out is more of a concern than a stranger noticing the switch and finding a magnet.
I'll even mention it on the internet, if any of you want to steal my car, please just fill up the gas and return it after. Thanks.
On my Lexus that doesn't disable keyless entry, it just puts the key fob into sleep mode. There is an option somewhere to disable keyless entirely, but when enabled it means you need to hold the key near (I think less than 10mm, from memory) the push button start.
One look at the basic CAN architecture diagram and you see the problem. There's no reason for a secure key exchange to be on the same network path as every other device. Wrapping it in magic crypto sauce is not a permanent fix, because someone will just find a novel way to defeat the cryptosystem, like they always have.
If a thief wants to steal the car, make it harder. There should be one physical path from the key system to the ECU that allows key operations, and it should be protected by a really annoying and time-consuming process so that theft is so annoying that most people won't ever try it. After that is done, they can start sprinkling it with magic crypto sauce. (It's also very hard to get magic crypto sauce right; unless you hire the few really talented crypto people, whoever you hire to write crypto will make mistakes, and a hacker has unlimited time to find one)
Obviously existing car models won't be changed, but future ones should be. Car theft isn't just an inconvenience for the owner; it makes committing other crimes easier and harder to trace, results in more property damage, increases the black market for chopped cars, increases insurance premiums, etc.
If you have a vehicle that you don't want stolen, perhaps a kill switch for the fuel relay is needed. Easy to install and hide. Will prevent the fuel pump from coming on. Something else to consider is a steering lock although it can be defeated, just more work for the would be thief.
Sometimes simple hardware can be a good solution for a software problem.
In the old days, before cars were computer systems, thieves could still steal cars by hotwiring them - as I understand, the key ignition was basically a lock where if you turn the key then wire A connects to wire B (and if you turn it even further into "starter" position then wire C is somehow involved too) and a competent thief could easily strip out the lock assembly and just connect the wires with a jumper cable. Plus ca change.
In said old days, my late grandfather had a steering wheel lock, basically a giant padlock with a metal bar attached and the whole thing painted yellow. I assume that would work just as well in today's electronic days.
It surprised me the hacking toolkit came in a JBL speaker - I guess they reverse engineered that as well, flashed it with custom firmware, and it had most of the hardware needed for this hack?
The article shows they soldered a custom board with a microcontroller on top of the JBL board - the only parts of the speaker board that are reused is the battery charging side of things.
Having owned some expensive cars and spent time with other owners, there are two schools of thoughts to this:
1) add every alarm, immobilizer, hidden kill switch, steering wheel lock, driveway bollard you can possibly afford and keep the keys in a signal blocking pouch at night.
OR
2)Make sure the car is as easy to start and drive away as physically possible - don't add anything extra fancy to keep it safe other than what's already there from factory, keep the keys on a shelf right in front of the main door of your property, easily and clearly visible should anyone enter.
The reason is simple - for owners of fancy/exotic cars, if someone is coming to steal your car, they will take it. If you make it difficult, if you hide the keys and put locks on the steering wheel, they will come into your house and ask that you unlock it for them. And putting aside the idea of any heroics with self defense, the last thing you want the thieves to do is harm you or your family to take what is essentially just an object. Cars are replaceable. Insurance will pay for the loss and therapy for you and your family - but insurance will do nothing about losing your life because you decided to stand up to someone with a weapon coming to take your car. Let them find and take the keys and fuck off as quickly as possible.
I was in group 1 when I started, now I'm in group 2 - the risks to me and my family are just not worth it.
if someone is coming to steal your car, they will take it.
Not if stealing your neighbour's car is easier. Unless you own something very exotic and the thief has essentially been hired to steal your specific car, no one wants to steal _your_ car. They want to steal N reasonably nice cars as quickly and safely as possible and get out of there before anybody notices anything.
>> Unless you own something very exotic and the thief has essentially been hired to steal your specific car,
That's the entire point of my post, sorry if it wasn't completely clear. Having been in the community of people who own very expensive/exotic vehicles, these cars almost never get stolen by opportunistic thieves. If someone is coming to steal your Ferrari, they are coming to steal your Ferrari. They don't care what your neighbour has (they probably know already and they decided to steal yours first).
In my home town (UK) my father leaves his keys by the front door. We've had multiple neighbours with higher-end cars (think Range Rovers and upwards, presumably stolen to order) broken into, and threatened with knives and guns as the thieves couldn't find the keys.
It's the other way around - it's not that the incentive is there, it's that there is a lack of disincentive. Thieves know that there is literally no enforcement whatsoever and the police are far too overworked to deal with trivial matters like armed robberies. I know someone whose house was broken into while they were inside; the thieves still took the keys and left with the car, and the Manchester police didn't even send anyone out to inspect the scene, take fingerprints or anything. They were told to report it to their insurance company and that's it. My sister's house was broken into 3 (!!!!!) times when she lived in Manchester last year; she sent the police CCTV footage of the criminals and everything, they never came out and said thanks for the footage but they are all wearing balaclavas so it doesn't help in any way.
If you were a thief why wouldn't you break in if you knew that's the level of enforcement.
Most car thieves would not dream of upgrading to randomly breaking into a house in the US as there would be a non-trivial probability of meeting a resident with a shotgun.
So I'm actually kinda surprised upon looking this up - yes, the UK has a higher rate of burglaries per capita than the US[0], but not that much higher - 527 vs 617. Despite owning literally 30 times more guns per capita than the UK (120 vs 4)[1], the US is still rated pretty badly on the global burglary index. I suspect it's just not as much of a deterrent as people think it is.
2) "Number of burglaries" is different from "Will upgrade from car theft to robbery".
Burglars and car thieves in the US are generally trying to make sure that nobody is around and would generally find a different target if that wasn't the case.
Few would upgrade to robbery as that very much would get the attention of the authorities in the US.
> 2)Make sure the car is as easy to start and drive away as physically possible - don't add anything extra fancy to keep it safe other than what's already there from factory, keep the keys on a shelf right in front of the main door of your property, easily and clearly visible should anyone enter.
Back in the early 90's when I first met my not-yet-wife, she drove a rusted out '85 Datsun (not Nissan). There was a rust hole right in the door panel where you could reach your fingers in and manipulate the mechanical locking rod to unlock the door. One time someone "broke in" to her car and rummaged around in all her crap, didn't take anything, and was polite enough to re-lock the door when they were done.
That helps only to a point. There are effectively three types of vehicle theft: to resell the car (whole or in parts), to use it for criminal acts (robberies etc), or to joyride it. Category n.2 explicitly targets cheap cars, easy to steal but also easy to go unnoticed on the streets afterwards.
(1) having a cheap car stolen incurs a smaller loss than having an expensive car stolen; and
(2) the pool of cheap cars is larger, reducing the probability of a given car getting stolen (unless the "demand", so to speak, is also higher?)
Overall, it seems that the expected loss (actual loss times the probability) should be quite a bit lower for cheap cars than for expensive cars.
Having said that, if one has enough money to buy an expensive car, they presumably have enough money to insure it from theft, rendering this whole line of argument moot (they just pay higher premia and spread the risk across a population of car owners)...
That just means you have fewer actors, but it also means they are more focused and determined, more willing to go the extra mile. In the case of this post, it involved attacking the car twice; in other scenarios, it involves actual home-intruding. Depending on where you live, the chances of this happening might be very low, but there is a chance.
#2 is why people in my area generally leave their cars unlocked. If it's locked thieves will break your window or pry your door which is way more expensive than the $10 phone charger they'll get.
Yes, but like I said - if you have a Lamborghini or a Ferrari sitting in your driveway and someone comes to steal it, they didn't just happen to be walking past - they are there to take your car. Either on order, or it's been targeted through long time observation already. If there is a lock on the wheel they will come into your house, put a gun to your head and "ask" for you to take it off. There is no deterrent you can use because they are not there to be deterred - wheel locks work against opportunistic thieves because then yes, like with bikes - a thief will just move on to the next easier target.
May I ask in which region of the world you live where people have Ferraris in their driveway but it's also dangerous enough for people to invade your home and put a gun to your head to steal it from you?
Very common(relatively speaking) in the UK if you live in London/Birmingham/Manchester and drive a fancy car. There was a time couple years ago when no insurance agency wanted to insure any Range Rover in London because they were being stolen at such incredible rates. Break-ins specifically to steal car keys and subsequently the car is one of the most common types of burglaries in the UK still.
You do need the equipment for a relay attack, but then it’s just waving an antenna near the door and seeing if it unlocks. Breaking in is riskier for a burglar.
Comma.ai is another great example of CANBUS hacking. I'm a bit worried there are a bunch of zero days sitting out there on CAN implementations. It's such a complicated system.
Newer Toyotas (Rav4 Prime and 2022+ Model years) are not compatible with Comma due to encryption, I would guess that probably also defeats this attack.
On a RAV4 Prime (or RAV4 PHEV for those outside of North America), these ECUs reportedly have "ECU Security Key" (A SecOC implementation) or signed/authenticated CAN bus commands since replacing them requires a check in with a Toyota server to "Update ECU Security Key" :
ECM
Hybrid vehicle control ECU
Forward recognition camera
No. 2 skid control ECU (brake actuator assembly)
Rack and pinion power steering gear assembly
Clearance warning ECU assembly
Steering sensor
Central gateway ECU (network gateway ECU)
Combination meter assembly
Airbag sensor assembly
---
There's nothing about smart key in here specifically. Not sure on later "ECU Security Key" vehicles though. If someone were to look up replacement instructions for the Smart Key ECU on Toyota's TechInfo, and if it has ECU Security Key update as a step or not, that could answer this.
SecOC is based on symmetric key cryptography. If an ECU is replaced and has a new key, this key will have to be taught to all other ECUs in the vehicle communicating with it.
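For the two comments above (the "ECU Security Key" list and the note that a replaced ECU's key must be taught to its peers), here is an added, self-contained sketch of what a SecOC-style authenticated CAN payload looks like. It is not Toyota's code and not the AUTOSAR reference implementation: real SecOC uses AES-128 CMAC, here HMAC-SHA256 from the standard library stands in so it runs without extra packages, and the 24-bit MAC, 8-bit truncated freshness, keys and CAN ID are all constructed assumptions.

```python
"""SecOC-style authenticated CAN payload: truncated MAC plus freshness.

Added example for the two comments above; it is not Toyota's SecOC code.
Real SecOC uses AES-128 CMAC; HMAC-SHA256 from the standard library stands in
so it runs without extra packages. The 24-bit MAC and 8-bit truncated
freshness are assumed profile values; keys and CAN ID are constructed.
"""
import hashlib
import hmac
import struct

MAC_BYTES = 3      # truncated authenticator carried in the frame (assumed)
FRESH_BYTES = 1    # low byte of a 32-bit freshness counter carried in the frame (assumed)

KEY_ORIGINAL = bytes(range(16))         # constructed key shared by the paired ECUs
KEY_REPLACEMENT = bytes(range(16, 32))  # constructed key of a freshly fitted ECU


def _authenticator(key, can_id, payload, freshness):
    # MAC over the ID, the payload and the *full* counter, not just its transmitted low byte.
    data = struct.pack(">IB", can_id, len(payload)) + payload + struct.pack(">I", freshness)
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_BYTES]


class Sender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.freshness = key, can_id, 0

    def send(self, payload):
        self.freshness += 1
        tag = _authenticator(self.key, self.can_id, payload, self.freshness)
        return payload + bytes([self.freshness & 0xFF]) + tag


class Receiver:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.last_accepted = key, can_id, 0

    def verify(self, frame):
        """Return the payload if authentic and fresh, else None."""
        n = len(frame) - FRESH_BYTES - MAC_BYTES
        if n < 0:
            return None
        payload, low, tag = frame[:n], frame[n], frame[n + 1:]
        # Rebuild the full counter from its low byte; it must be ahead of the last accepted value.
        candidate = (self.last_accepted & ~0xFF) | low
        if candidate <= self.last_accepted:
            candidate += 0x100
        expected = _authenticator(self.key, self.can_id, payload, candidate)
        if not hmac.compare_digest(expected, tag):
            return None  # wrong key, altered payload, or replay (counter mismatch)
        self.last_accepted = candidate
        return payload


def demo(can_id=0x123):
    tx = Sender(KEY_ORIGINAL, can_id)
    rx = Receiver(KEY_ORIGINAL, can_id)

    frame = tx.send(b"\x01")                 # constructed 1-byte payload
    results = {
        "genuine": rx.verify(frame),
        "replayed": rx.verify(frame),        # same bytes again: counter already used
        "next": rx.verify(tx.send(b"\x01")),
        "forged": rx.verify(b"\x01" + bytes([0x09]) + b"\x00\x00\x00"),  # no key
    }
    # A replacement ECU that has not been taught the vehicle key is ignored:
    # this is the pairing step the comment above refers to.
    unpaired = Sender(KEY_REPLACEMENT, can_id)
    results["unpaired_ecu"] = rx.verify(unpaired.send(b"\x01"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {'accepted ' + value.hex() if value else 'rejected'}")
```

Note the overhead: payload plus 4 bytes of freshness and MAC has to fit in a classic CAN frame's 8 data bytes, which is why SecOC profiles truncate both so aggressively, and why the receiver has to reconstruct the full counter rather than trust the byte on the wire.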
I believe either the data from the adaptive cruise radar, or the data to control the steering is encrypted. I don't know if lock controls are. It was a small but important subset
It's really only troublesome on stuff that has a radio. Like it's not great that you can take over an electronic device with brief physical access, but the physical access reduces the scope of the problem a lot.
Great post. One thing to add is most car door locks can be opened without much difficulty and without damage, and usually without setting off the alarm. Open and plug the device straight into the CAN bus. No need for headlight damage...
If you have push button ignition then yes there's a chance your car is vulnerable.
Any CAN bus? No, it takes time to sniff the bus and get all the control messages, older cars may be especially vulnerable since they likely don't have as many security precautions in place.
CAN has been in cars for quite a long time, the infiltration systems haven't due to high-cost/lack of electronics.
On a side note, the hack talked about in the article could be performed by an Arduino UNO and a $5 CAN bus transceiver.
Age doesn't really matter in this case. This is laziness on Toyota's part by not authenticating the messages between the "Smart Key" ECU and the main engine control microcontroller.
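Since the comments above note that the attacker first sniffs the bus to learn the control messages and then injects them unauthenticated, here is an added example (not from the article) of the cheapest defensive check that works without any protocol change: a candump log parser plus a cadence check that flags frames arriving off-schedule for a periodic ID. It assumes candump -L style lines `(epoch.micro) iface ID#HEXDATA`; the CAN IDs, payloads and timestamps are constructed for the demo and correspond to no real vehicle.

```python
"""Spotting injected frames in a CAN capture by cadence.

Added example, not from the article. It assumes candump -L style lines
"(epoch.micro) iface ID#HEXDATA". The IDs, payloads and timestamps are
constructed for the demo and correspond to no real vehicle.
"""
import re
from collections import defaultdict
from statistics import median

_LINE = re.compile(r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$")


def parse_candump(text):
    """Return (timestamp, can_id, payload) tuples sorted by time; non-matching lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    frames.sort(key=lambda f: f[0])
    return frames


def learn_periods(frames, min_samples=5, max_jitter=0.2):
    """Median inter-arrival time per ID from a known-good capture.

    Only IDs that are steadily periodic are kept: event-driven IDs (a door
    button, a one-off diagnostic reply) and IDs with too few samples would
    only produce false alarms.
    """
    arrivals = defaultdict(list)
    for ts, cid, _ in frames:
        arrivals[cid].append(ts)
    periods = {}
    for cid, stamps in arrivals.items():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_samples - 1:
            continue
        p = median(gaps)
        if p > 0 and max(abs(g - p) for g in gaps) <= max_jitter * p:
            periods[cid] = p
    return periods


def find_injections(frames, periods, min_fraction=0.5):
    """Flag a frame that arrives much sooner after the previous frame of its
    ID than the learned period allows. The genuine ECU keeps transmitting on
    schedule, so an injected copy lands in between; genuine frames keep
    their cadence and are not flagged.
    """
    last_seen = {}
    suspects = []
    for ts, cid, data in frames:
        period = periods.get(cid)
        if period is not None and cid in last_seen and ts - last_seen[cid] < min_fraction * period:
            suspects.append((ts, cid, data))
            continue  # keep the genuine frame as the cadence reference
        last_seen[cid] = ts
    return suspects


def _periodic(cid, data, start, period, count):
    return [f"({start + i * period:.6f}) can0 {cid:03X}#{data}" for i in range(count)]


# Constructed captures. 0x1A0 and 0x2B4 are periodic; 0x3C0 fires on an event.
BASELINE_LOG = "\n".join(
    _periodic(0x1A0, "0000", 1000.0, 0.100, 20)
    + _periodic(0x2B4, "01", 1000.005, 0.050, 40)
    + ["(1000.420000) can0 3C0#0A", "(1001.730000) can0 3C0#0B"]
)

ATTACK_LOG = "\n".join(
    _periodic(0x1A0, "0000", 1000.0, 0.100, 20)
    + _periodic(0x2B4, "01", 1000.005, 0.050, 40)
    + ["(1001.003000) can0 1A0#FFFF",   # injected: 3 ms after a genuine frame
       "(1001.103000) can0 1A0#FFFF",   # injected again
       "(1001.730000) can0 3C0#0B"]
)


def demo():
    periods = learn_periods(parse_candump(BASELINE_LOG))
    suspects = find_injections(parse_candump(ATTACK_LOG), periods)
    return periods, suspects


if __name__ == "__main__":
    periods, suspects = demo()
    for cid, p in sorted(periods.items()):
        print(f"0x{cid:03X}: period {p * 1000:.1f} ms")
    for ts, cid, data in suspects:
        print(f"{ts:.6f} 0x{cid:03X}#{data.hex().upper()} off cadence")
```

This only catches injections of IDs that are normally periodic, and it catches them after the fact; a gateway that drops the off-cadence frame instead of logging it is the next step, and genuine message authentication is the real fix.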
Not sure what you mean by "not bridged across them", but devices on different communication busses (CAN, Flexray, Ethernet...) do communicate with each other through these devices called "Gateways".
One day used cars with the least amount of tech are going to be worth a lot of money in secondary markets. Especially because of the recent move to subscription based feature options some auto makers are trying out.
To whom exactly? A handful of people wearing tin-foil hats? The rest of the world is going to be happy they can pay $9.99 a month to be able to remotely turn on the AC in their car.
Sure, people will pay for convenience and automakers will charge a subscription for providing that remote connectivity. But that wasn't the point in the context of this article - the specific exploit detailed in the article can be applied to almost any non-connected vehicle from the last decade.
At first I forgot what I was reading and assumed the vandalism was because this guy had annoyingly bright headlights and a neighbor was making a point for him to fuck off with that
Not sure why they are still using a 1000-year-old protocol when you have Ethernet as a faster alternative. Even commercial airliners use tech based on Ethernet for their controls.
I'm not sure if you know, but CAN bus is used all over the place, even in aviation. The main selling point is simplicity of wiring and circuitry, as well as the fact that many lower end / cheap microcontrollers have it built in.
Ethernet is great, don't get me wrong... but it is complex to implement in a system like a car. Each device needs to speak ethernet, be switched and likely have an IP stack. If you are lucky enough to have a built in MAC / PHY into your micro (which most don't), then you still need to put in transformers and protection circuits.
10BASE-T1S is the future IMHO, it is much simpler than traditional 10BASE-T, requires only 1 pair and can also provide power. For simple setups, only 2 resistors + 2 caps are necessary to implement and you can have multiple devices on a bus without requiring a switch.
They are including Eth, not switching to it completely. They will keep the CAN bus there as long as it makes sense.
Instrument clusters with graphical display output do use Eth more and more because the amount of data beats the capacity of a CAN bus by far, but devices without big data transfer needs will stay on CAN. For example, what need is there for Eth for an electronic gear lever? Not much data being exchanged.
If you don't want your car to be stolen, why not install proper security measures? I don't really understand why someone would trust the manufacturer to protect a car. In my country nobody does that; the first thing you do after you've bought a new car is install additional security devices to prevent theft.
Additional security modules. They detect hits, they don't allow engine to start unless they're unlocked with remote control. In my country most popular brands are Starline and Pandora.