IoT Hack Enables Cybercriminals to Steal Cars
In a new fashion for stealing cars, automotive security experts have discovered that cybercriminals can hack into a vehicle’s control system through the headlight. The control system is managed by the controller area network (CAN) bus, an Internet of Things (IoT) protocol that allows devices and microcontrollers to communicate with each other within the car.
By manipulating the electronic control unit (ECU) in a Toyota RAV4’s headlight, attackers could access the CAN bus and gain control of the car. This approach, as described in a blog post by Canis Automotive Labs CTO Ken Tindell, is a unique way of car hacking that had not been seen before. Once connected through the headlight, the attackers could gain access to the CAN bus, responsible for functions like the parking brakes, headlights, and smart key, and then into the powertrain panel where the engine control is located.
Even though car hacking is not a new issue, this method of attack highlights the vulnerability of IoT protocols like the CAN bus and the need for improved security measures in automotive systems.
Tindell cautions that this form of CAN injection will compel manufacturers to reconsider the security of their vehicle control networks. “As a car engineer, your focus is on addressing a variety of challenges such as minimizing wiring, enhancing reliability, and reducing costs. Cybersecurity may not always be at the forefront of your mind.”
A Case of Stolen Toyota RAV4 in London
Ian Tabor, an automotive security consultant, woke up to discover that his parked Toyota RAV4 had been tampered with in London. The car’s front bumper and left headlight had been disturbed, and the same areas were later found to be tampered with again.
No fcuking point having a nice car these days, came out early to find the front bumper and arch trim pulled off and even worse the headlight wiring plug had been yanked out, if definitely wasn’t an accident, kerb side and massive screwdriver mark. Breaks in the clips etc. C&#ts pic.twitter.com/7JaF6blWq9
— Ian Tabor (@mintynet) April 24, 2022
Unfortunately, he didn’t…