Recommended Posts

Posted
1 hour ago, RickyC said:

From what I've understood, with this exploit thieves don't add a new key or replace existing ones. Simply, they connect a module (let's call it the "exploit module") to the CAN bus that answers in place of the module that manages the keys.

So what happens should be something like this:

  • Thief touches the driver's handle to open the driver's door
  • The ECU receives a request to unlock the door, so it asks the key control module whether it has detected a valid key
  • The exploit module intercepts the request and says "Yes, I've detected a valid key"
  • The ECU orders the lock control module to unlock the doors
  • The thief then pushes the START button
  • Again the ECU checks whether a valid key is detected and the exploit module says "Yes, the driver has a valid key"
  • So the car goes into Ready and... bye bye

Once the car has been transferred to the thief's garage, the thief can add a new key with no hurry.

Interesting, so a better option might be, say, putting the key module to ECU link on a direct, separate, dedicated bus port, with the cable and connectors well embedded so they are very difficult to access, and taking such functionality off the main bus with its many physical access points.

Or how about an option to enable a PIN code on the media touch screen that also has to be sent to the ECU to activate the car; the thief would have no idea what to transmit on the bus to satisfy the ECU.

  • Like 2
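To make the "exploit module answers in place of the key module" idea concrete, here is an added simulation (not code from the forum, Toyota, or any vehicle) of the two designs a body ECU could use when it consumes a "valid key detected" reply. On a plain bus the reply is believed because it carries the right arbitration ID, so a rogue node on any exposed connector can forge it. In the second design the reply carries a freshness counter and a truncated MAC under a secret only the smart-key ECU holds, modelled loosely on the AUTOSAR SecOC layout. The CAN ID `0x1A0`, the byte layout, the reply encoding and the secret are all assumptions for illustration.

```python
"""Added example: forging a 'valid key detected' CAN reply on a plain bus, and
how a SecOC-style authenticated reply (payload + freshness counter + truncated
MAC) rejects both the forgery and a replay. IDs, layouts and the secret are
assumptions for illustration, not real vehicle values."""
import hashlib
import hmac
from dataclasses import dataclass

KEY_STATUS_ID = 0x1A0          # hypothetical arbitration ID of the "valid key?" reply
VALID, NOT_VALID = 0x01, 0x00  # hypothetical encoding of the reply byte


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes  # classic CAN: at most 8 bytes


# ---- Design 1: the reply is believed because it has the right ID ----------

def body_ecu_unlock_plain(frame: Frame) -> bool:
    """Body ECU on a plain bus: the first byte says whether a key was seen."""
    return frame.can_id == KEY_STATUS_ID and frame.data[0] == VALID


def forged_key_status() -> Frame:
    """What an 'exploit module' on an exposed connector can transmit:
    a correctly formatted reply claiming a valid key, with no key anywhere."""
    return Frame(KEY_STATUS_ID, bytes([VALID]) + bytes(7))


# ---- Design 2: the reply carries a freshness counter and a MAC -----------

def _tag(secret: bytes, can_id: int, payload: bytes, counter: bytes) -> bytes:
    """Truncated HMAC over ID, payload and counter (4 bytes fit a classic frame)."""
    msg = can_id.to_bytes(2, "big") + payload + counter
    return hmac.new(secret, msg, hashlib.sha256).digest()[:4]


class KeyEcu:
    """Smart-key ECU: the only node holding the secret that can sign replies."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def key_status(self, key_seen: bool) -> Frame:
        self.counter += 1                       # freshness: never reused
        payload = bytes([VALID if key_seen else NOT_VALID])
        ctr = self.counter.to_bytes(3, "big")
        return Frame(KEY_STATUS_ID, payload + ctr + _tag(self.secret, KEY_STATUS_ID, payload, ctr))


class BodyEcu:
    """Body ECU: verifies the MAC and refuses counters it has already seen."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = 0

    def unlock(self, frame: Frame) -> bool:
        if frame.can_id != KEY_STATUS_ID or len(frame.data) != 8:
            return False
        payload, ctr, tag = frame.data[:1], frame.data[1:4], frame.data[4:8]
        counter = int.from_bytes(ctr, "big")
        if counter <= self.last_counter:
            return False                        # replayed or stale frame
        if not hmac.compare_digest(tag, _tag(self.secret, KEY_STATUS_ID, payload, ctr)):
            return False                        # forged: rogue node lacks the secret
        self.last_counter = counter
        return payload[0] == VALID


def demo() -> dict:
    """Run the attack against both designs; every value should be True."""
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, not a real key
    key_ecu, body = KeyEcu(secret), BodyEcu(secret)
    genuine = key_ecu.key_status(key_seen=True)
    guessed = Frame(KEY_STATUS_ID, bytes([VALID]) + (99).to_bytes(3, "big") + bytes(4))
    return {
        "plain_bus_accepts_forgery": body_ecu_unlock_plain(forged_key_status()),
        "auth_bus_rejects_forgery": not body.unlock(forged_key_status()),
        "auth_bus_accepts_genuine": body.unlock(genuine),
        "auth_bus_rejects_replay": not body.unlock(genuine),
        "auth_bus_rejects_guessed_counter": not body.unlock(guessed),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the second design is that the bus position of the rogue node no longer matters: without the secret it cannot produce a frame the body ECU will accept, and a recorded genuine frame is useless because its counter has already been consumed. The price is that every consumer of the reply needs the secret (or a per-link one) and a way to resynchronise the counter after an ECU reset, which is where real deployments get complicated.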
Posted

I think it's only the one tracker via a built in SIM. If you know the location is it not the responsibility of the insurance company to recover/repair the car?

Posted
6 hours ago, Rav Rob said:

Or how about an option to enable a PIN code on the media touch screen that also has to be sent to the ECU to activate the car; the thief would have no idea what to transmit on the bus to satisfy the ECU.

PSA Peugeot / Citroen's excellent PIN code immobiliser from the early 1990s got dropped as owners and motoring journalists continually moaned about having to enter a 4-digit PIN code before they could start the vehicle.

  • Sad 1
Posted
On 1/20/2023 at 11:57 PM, RickyC said:

But there are simple rules of thumb, like bus segregation: connecting secure devices (like the units that manage keyless entry and start, and the immobiliser) on a secure bus that can't be accessed from an external point. In such a way, even if a thief can find an external access (like happens on the RAV), he can't trick the ECU by simulating the messages sent by the keyless module.

My understanding of networking is limited, but my understanding is that a Controller Area Network (CAN) is what connects the many Electronic Control Units (ECUs) together to save miles of wiring that would be required for the complex interactions between components that we all demand on modern cars for convenience and safety. You would only be able to have multiple completely separate CANs if there was never any need for any communication across networks (as a basic example, if lights were on one network and doors on another, you couldn't get door operation and lights to interact). The CAN is often split into sub-networks, but they still cross-communicate through gateways. Rather than for security, I believe the idea of sub-networks is for speed, and it's not unusual to have a high-speed network and a lower-speed network (presumably to save money). The high speed is usually for critical safety equipment and to avoid network congestion, but there is still communication between them through the gateway.

AFAIK, if you want to avoid certain messages being passed across networks, it's done by filters in the gateway (presumably similar to the filters and port controls in a router on a home network). So it would sound like the functionality could be there for some software programming to block certain sequences of conditions, but that's well beyond my small level of understanding.

Maybe we have some network engineers on here that might expand.

  • Like 4
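The gateway filter nlee describes can be shown in a few lines. The example below is added here and is not code from the forum, from Toyota or from any real gateway: it models a central gateway with three segments (body, exterior and powertrain) and a policy that says, for each CAN ID, which segment is allowed to originate it and where it may be forwarded. Two frames with identical bytes are treated differently purely on the port they arrive at. The segment names, IDs and sample traffic are assumptions for illustration.

```python
"""Added example: a central-gateway filter that forwards a CAN ID only when it
arrives on the segment it is supposed to originate from. Segment names, IDs and
the sample traffic are assumptions for illustration, not real vehicle values."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes


# Hypothetical IDs (assumed for the example)
KEY_STATUS_ID = 0x1A0    # smart-key ECU -> body/powertrain: "valid key detected" reply
DOOR_CMD_ID = 0x1B2      # body ECU -> door modules: lock/unlock command
LIGHT_STATUS_ID = 0x3C0  # headlamp module -> body: lamp status

# Policy: ID -> (segment that may originate it, segments it may be forwarded to)
POLICY: Dict[int, Tuple[str, FrozenSet[str]]] = {
    KEY_STATUS_ID: ("body", frozenset({"powertrain"})),
    DOOR_CMD_ID: ("body", frozenset({"exterior"})),
    LIGHT_STATUS_ID: ("exterior", frozenset({"body"})),
}


class Gateway:
    """Routes frames between segments; drops anything outside the policy."""

    def __init__(self, policy: Dict[int, Tuple[str, FrozenSet[str]]]):
        self.policy = policy
        self.log: List[str] = []    # what a diagnostic/telematics module could report

    def route(self, ingress: str, frame: Frame) -> List[Tuple[str, Frame]]:
        rule = self.policy.get(frame.can_id)
        if rule is None:
            self.log.append(f"drop unknown id 0x{frame.can_id:03X} from {ingress}")
            return []
        origin, egress = rule
        if ingress != origin:
            # Same bytes as a genuine frame, but the wrong wire: this is the injection case.
            self.log.append(f"drop 0x{frame.can_id:03X}: arrived on {ingress}, expected {origin}")
            return []
        return [(segment, frame) for segment in sorted(egress)]


def demo() -> dict:
    """Constructed traffic: an injected key reply versus the genuine one."""
    gw = Gateway(POLICY)
    key_reply = Frame(KEY_STATUS_ID, b"\x01" + bytes(7))   # "valid key" payload
    return {
        "injected_at_headlamp_connector": gw.route("exterior", key_reply),
        "genuine_from_body_segment": gw.route("body", key_reply),
        "lamp_status_from_exterior": gw.route("exterior", Frame(LIGHT_STATUS_ID, b"\x02")),
        "unknown_id_from_exterior": gw.route("exterior", Frame(0x7FF, b"")),
        "log": list(gw.log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The caveat is the one nlee's post hints at: the filter only helps when the injection point and the ECU that consumes the frame are on opposite sides of the gateway. If the exposed connector shares a segment with the body ECU that makes the unlock decision, the gateway never sees the forged frame, and only per-message authentication (or physically moving the connector) helps.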
Posted
6 hours ago, nlee said:

My understanding of networking is limited, but my understanding is that a Controller Area Network (CAN) is what connects the many Electronic Control Units (ECUs) together to save miles of wiring that would be required for the complex interactions between components that we all demand on modern cars for convenience and safety. You would only be able to have multiple completely separate CANs if there was never any need for any communication across networks (as a basic example, if lights were on one network and doors on another, you couldn't get door operation and lights to interact). The CAN is often split into sub-networks, but they still cross-communicate through gateways. Rather than for security, I believe the idea of sub-networks is for speed, and it's not unusual to have a high-speed network and a lower-speed network (presumably to save money). The high speed is usually for critical safety equipment and to avoid network congestion, but there is still communication between them through the gateway.

AFAIK, if you want to avoid certain messages being passed across networks, it's done by filters in the gateway (presumably similar to the filters and port controls in a router on a home network). So it would sound like the functionality could be there for some software programming to block certain sequences of conditions, but that's well beyond my small level of understanding.

Maybe we have some network engineers on here that might expand.

Synchronized time varying encryption keys. One in the fob, the other inside the ECU. Problem solved. Easy fix, easy to implement. Cost might go up by 500 quid a car though.
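One way to read "synchronized time-varying keys" is a shared long-term secret from which fob and ECU each derive the key for the current time epoch, with the ECU challenging the fob with a fresh nonce so that nothing the fob transmits can be replayed. The block below is an added illustration of that idea and is not Toyota's, Nick72's or anyone's real scheme: the epoch length, drift tolerance, tag length and nonce source are assumptions. It also shows the operational edge case such designs have to handle, a fob whose clock has drifted far out of sync.

```python
"""Added example of epoch-derived keys plus challenge-response between a fob
and the smart-key ECU. Epoch length, drift window, tag size and nonce source
are assumptions for illustration; the master secret is constructed."""
import hashlib
import hmac
import itertools
from typing import Callable, Iterator, Optional

EPOCH_SECONDS = 60   # how often the derived key changes (assumed)
DRIFT_EPOCHS = 1     # neighbouring epochs the ECU still accepts (assumed)
TAG_LEN = 8


def epoch_key(master: bytes, epoch: int) -> bytes:
    """Derive the key for one time epoch from the shared long-term secret."""
    return hmac.new(master, b"epoch|" + epoch.to_bytes(8, "big"), hashlib.sha256).digest()


def _respond(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()[:TAG_LEN]


class Fob:
    """Answers a challenge with the key for its own idea of the current epoch."""

    def __init__(self, master: bytes, clock: Callable[[], int]):
        self.master, self.clock = master, clock

    def respond(self, challenge: bytes) -> bytes:
        return _respond(epoch_key(self.master, self.clock() // EPOCH_SECONDS), challenge)


class KeyEcu:
    """Issues single-use challenges and tolerates a small clock difference."""

    def __init__(self, master: bytes, clock: Callable[[], int], nonces: Iterator[bytes]):
        self.master, self.clock, self.nonces = master, clock, nonces
        self.pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self.pending = next(self.nonces)
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False                               # nothing outstanding: replay
        challenge, self.pending = self.pending, None   # each challenge answered once
        now = self.clock() // EPOCH_SECONDS
        for epoch in range(now - DRIFT_EPOCHS, now + DRIFT_EPOCHS + 1):
            if hmac.compare_digest(_respond(epoch_key(self.master, epoch), challenge), response):
                return True
        return False


def demo() -> dict:
    """Constructed scenarios; every value should be True."""
    master = bytes(range(32))                  # constructed secret, set at pairing time
    car_time = 1_700_000_000
    # Deterministic nonces so the demo is reproducible; use os.urandom in a real ECU.
    nonces = (n.to_bytes(8, "big") for n in itertools.count(1))
    ecu = KeyEcu(master, lambda: car_time, nonces)
    good_fob = Fob(master, lambda: car_time + 45)                    # within one epoch of drift
    stale_fob = Fob(master, lambda: car_time - 10 * EPOCH_SECONDS)   # clock lost after a flat battery
    clone_fob = Fob(bytes(32), lambda: car_time)                     # right protocol, wrong secret

    c1 = ecu.challenge()
    r1 = good_fob.respond(c1)
    genuine = ecu.verify(r1)
    replay_same = ecu.verify(r1)               # no challenge outstanding
    ecu.challenge()
    replay_new = ecu.verify(r1)                # old answer to a new challenge
    stale = ecu.verify(stale_fob.respond(ecu.challenge()))
    clone = ecu.verify(clone_fob.respond(ecu.challenge()))
    return {
        "genuine_fob_accepted": genuine,
        "replayed_response_rejected": not replay_same,
        "old_response_to_new_challenge_rejected": not replay_new,
        "out_of_sync_fob_rejected": not stale,
        "wrong_secret_rejected": not clone,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two things worth noticing. The out-of-sync fob is a genuine fob that is refused, so a product built this way needs a resynchronisation path (and that path is itself attack surface, which is the point made later in the thread about overrides). And this protects the radio link between fob and key ECU only: a relay attack still forwards the live challenge and response in real time, and it says nothing about whether the key ECU's verdict is then trusted on the bus.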


Posted
3 hours ago, Nick72 said:

Synchronized time varying encryption keys. One in the fob, the other inside the ECU. Problem solved. Easy fix, easy to implement. Cost might go up by 500 quid a car though.

Check the Game Boy method: they have their people working for Toyota/Lexus and other car brands, stealing security and sensitive data and handing it over to groups stealing cars. Only a custom-made switch disabling one of the crucial systems could possibly prevent the car from being stolen. All solutions delivered by the car manufacturer will be compromised, rather sooner than later.

https://www.motorious.com/articles/news/car-thieves-nintendo-game-boy/

  • Like 1
Posted
1 hour ago, kucyk said:

Check the Game Boy method: they have their people working for Toyota/Lexus and other car brands, stealing security and sensitive data and handing it over to groups stealing cars. Only a custom-made switch disabling one of the crucial systems could possibly prevent the car from being stolen. All solutions delivered by the car manufacturer will be compromised, rather sooner than later.

https://www.motorious.com/articles/news/car-thieves-nintendo-game-boy/

I will stick with the mechanical method and take my chances. Thinking about it, I could do a Mark 3 model with razor blades attached 😝😝.

Terry

  • Like 2
Posted
4 hours ago, kucyk said:

Check the Game Boy method: they have their people working for Toyota/Lexus and other car brands, stealing security and sensitive data and handing it over to groups stealing cars. Only a custom-made switch disabling one of the crucial systems could possibly prevent the car from being stolen. All solutions delivered by the car manufacturer will be compromised, rather sooner than later.

https://www.motorious.com/articles/news/car-thieves-nintendo-game-boy/

Ways to fix this. Only the user has the key upon issue by the manufacturer, which is then modified by the user on their PC or smartphone using a PIN only they know. No Toyota storage or trace recorded of that originally issued key, which would be useless anyway. The user syncs the key or seed with the ECU.

Any request for a new key requires a two-factor authentication request. Hence it is in the user's hands only.

Other ways of doing it involve homomorphic encryption.

Defence has done the above and more for over three decades. All very easily fixed.

Posted
8 hours ago, Nick72 said:

Ways to fix this. Only the user has the key upon issue by the manufacturer, which is then modified by the user on their PC or smartphone using a PIN only they know. No Toyota storage or trace recorded of that originally issued key, which would be useless anyway. The user syncs the key or seed with the ECU.

Any request for a new key requires a two-factor authentication request. Hence it is in the user's hands only.

Other ways of doing it involve homomorphic encryption.

Defence has done the above and more for over three decades. All very easily fixed.

Sounds like a good idea, but I guess there would have to be a master override because loads of users would forget their PIN or whatever. If there is an override then it's out there for the perps to find.

  • Like 1
Posted
1 hour ago, ernieb said:

If there is an override then it's out there for the perps to find.

Or they would get hold of a vehicle & reverse engineer the system to come up with a viable theft solution.

Relay theft used to be a problem - manufacturers cured that by upgrading the keyless fobs - thieves came up with a new theft method.

  • Like 2
Posted

Car theft today is little changed from hot wiring days where some mechanically minded kid on the block worked it out and passed it on. 

Then came steering wheel locks, and SKOTB realised you simply needed to bend the steering wheel. 

Manufacturers develop new defences, but the more complex engineering demands more scientific attack. It is now probable that a new attractive vehicle is lifted off the street, or even bought legitimately, and reverse engineered. The 'plans' are then sold on the dark web.

The cat (lock) and mouse game continues.

  • Like 1
Posted

I once watched a police operation to move a number of cars from a temporarily closed square. It was poetry in motion. Small truck backed up, car jacked up, a fork lift positioned under 2 wheels, jack down and off. Rinse and repeat. Took bare minutes to move them all.

The tilt alarms were no bother. 

  • Like 1
  • Haha 1
Posted
9 hours ago, Nick72 said:

Ways to fix this. Only the user has the key upon issue by the manufacturer, which is then modified by the user on their PC or smartphone using a PIN only they know. No Toyota storage or trace recorded of that originally issued key, which would be useless anyway. The user syncs the key or seed with the ECU.

I don't think any of us really understand the details of how these vehicles are stolen but can only speculate. What is clear though from these discussions is there are many different ways that thieves will use to stay ahead of the security systems in use, regardless of the make and model of the car. I suppose the positive spin is that these sophisticated methods are for organised criminals; your everyday thief probably wouldn't get their hands on this type of equipment. These vehicles are being targeted, probably after a period of surveillance. Note, most reports we've seen are of theft from outside the home.

This "solution" would potentially make it more difficult to use the "Gameboy" approach, which could probably be grouped into category of fooling the car that a valid key is present, in the same way as relay theft.

From what I've read on the oracle of the internet, albeit one source did appear to be quite knowledgeable, keys and encryption don't appear to really affect the CAN attack that appears to be the method of choice we've seen the reports on. As far as I can understand, the data packets that are emulated to access the car and start the engine are "downstream" of all the key checking. Imagine it as a code. If all the multiple conditions are met, key present, in park, brake pressed, etc., send a code to put the car in ready. It seems as though that's the code that is emulated (note on the videos that the car appears to go into ready with lights on, etc. before anyone gets into the vehicle to press the pedal and start button).

I'm not clever enough to know the answer but for now, anything that slows them down or would make a fair amount of noise would be the enemy of thieves.

It's frustrating there is the known easy access point, but there will be others. And it's not just Toyotas that are vulnerable; I read an article yesterday that there are currently over 2000 Land Rovers and Range Rovers stolen each year, just in London! There are Facebook groups dedicated purely to stolen Land Rovers and Range Rovers. Just looking down the posts there is almost one a day being newly reported. There may be more of these on the road, but it still seems huge in comparison.

  • Like 4
Posted

I know on Peugeots, if they detect a correctly coded ignition switch-on request, the built-in safety logic will deactivate the deadlocks if they're active.

I wouldn't be surprised if other vehicles are similarly set up for safety.

  • Like 1

Posted

Discrete owner-only access might work but there are many occasions where other people need access.  Some airport car parks have valet parking, at the Southampton cruise terminal the car park operators operate valet parking and frequently move the cars to different car parks as the ship's terminal is changed.

At Gatwick I was able to track my car's movements where it was brought to a near airport carpark the day before we returned.  At Southampton the car was in a multi-story (new cars were on the upper decks) which would have negated solar panel charging too.

  • Like 2
Posted
26 minutes ago, Roy124 said:

Discrete owner-only access might work but there are many occasions where other people need access. 

The PSA Peugeot / Citroen keypad immobiliser system allowed the owner to set a service 4-digit PIN code that allowed a mechanic / friend etc. to start the vehicle only, but didn't give access to change the owner's own PIN code.

All the owner had to do to erase the service PIN code was enter their own PIN code.

  • Like 2
Posted
2 hours ago, Roy124 said:

Car theft today is little changed from hot wiring days where some mechanically minded kid on the block worked it out and passed it on. 

Then came steering wheel locks, and SKOTB realised you simply needed to bend the steering wheel. 

Manufacturers develop new defences, but the more complex engineering demands more scientific attack. It is now probable that a new attractive vehicle is lifted off the street, or even bought legitimately, and reverse engineered. The 'plans' are then sold on the dark web.

The cat (lock) and mouse game continues.

Or just hire one (if available)?

  • Like 1
Posted
On 1/22/2023 at 7:08 PM, VANESSA LANCELLOTTI said:

My Toyota RAV4, fully equipped, was stolen on Monday night and I realised it only 20 hours later. I had another car and I chased the tracker, only to find that it was in a drain. I can't tell you how sick I feel.

Does the car have another tracker whose information Toyota can give to the police when it has been reported stolen? I have talked to a friend, and her Land Rover was stolen but had 2 trackers. I hope mine has it too.

The police found her car a few weeks later.

BTW, I crossed all of London from west to east to chase the car; the tracker was at the beginning of Essex. The police didn't look for it but waited for us to go to the location before coming. I JUST WANT MY CAR BACK!

I am guessing when you say you found the tracker in the drain it was a third-party module you had fitted that they ripped out?

Yes, the car does have a form of tracking built in. You have to use the Toyota app, but from memory it needs to be linked to the car from the car, so as you can't do that now, it's probably not going to help you.

It's a good reminder to owners though to get the app and connect it to the car sooner rather than later, even if just for this situation. Unfortunately there is also evidence the criminals are aware of the system and disable it too when they get the chance.

  • Like 1
Posted
On 1/17/2023 at 2:25 PM, Yugguy1970 said:

You see that gives me other worries about the car being remotely hacked.

Or they will shut you down when you go out of your '15 minutes city'.

  • Like 2
  • Haha 1
Posted

I turned this issue on its head: the simple fix is to secure the loom to the body with cable cleats or stainless rubber-lined clips/P clips. This will reduce the movement of the loom, in turn restricting access to the connector.

  • Like 3
Posted
14 hours ago, ernieb said:

Sounds like a good idea, but I guess there would have to be a master override because loads of users would forget their PIN or whatever. If there is an override then it's out there for the perps to find.

So the override is simply to issue a new key to the user but only the user with 2FA can do that and the transaction is transitory. That key is immediately converted by the user using a PIN rendering that issued by the manufacturer useless by anyone else. If the user loses the means to provide 2FA then it's a replace the ECU job. Of course you'd extend the options for the user so there's always a secure way for them to request a new key (then modification by them locally using their own PIN they and only they know and which is not needed after key modification) rather than the dealer visit and ECU replacement and being a grand down.


Other methods available too but can't describe those here.

  • Like 1
Posted
12 hours ago, nlee said:

I don't think any of us really understand the details of how these vehicles are stolen but can only speculate. What is clear though from these discussions is there are many different ways that thieves will use to stay ahead of the security systems in use, regardless of the make and model of the car. I suppose the positive spin is that these sophisticated methods are for organised criminals; your everyday thief probably wouldn't get their hands on this type of equipment. These vehicles are being targeted, probably after a period of surveillance. Note, most reports we've seen are of theft from outside the home.

This "solution" would potentially make it more difficult to use the "Gameboy" approach, which could probably be grouped into category of fooling the car that a valid key is present, in the same way as relay theft.

From what I've read on the oracle of the internet, albeit one source did appear to be quite knowledgeable, keys and encryption don't appear to really affect the CAN attack that appears to be the method of choice we've seen the reports on. As far as I can understand, the data packets that are emulated to access the car and start the engine are "downstream" of all the key checking. Imagine it as a code. If all the multiple conditions are met, key present, in park, brake pressed, etc., send a code to put the car in ready. It seems as though that's the code that is emulated (note on the videos that the car appears to go into ready with lights on, etc. before anyone gets into the vehicle to press the pedal and start button).

I'm not clever enough to know the answer but for now, anything that slows them down or would make a fair amount of noise would be the enemy of thieves.

It's frustrating there is the known easy access point, but there will be others. And it's not just Toyotas that are vulnerable; I read an article yesterday that there are currently over 2000 Land Rovers and Range Rovers stolen each year, just in London! There are Facebook groups dedicated purely to stolen Land Rovers and Range Rovers. Just looking down the posts there is almost one a day being newly reported. There may be more of these on the road, but it still seems huge in comparison.

It's poor security architecture design if I'm honest. Another solution I can mention here is fully homomorphic encryption. The ECU software is encrypted. No one ever sees that in the clear, not even at run time, bar it's outputs. But IO and processing using the encrypted software can still occur using encrypted transactions. Without the key there is no software and no software means the car isn't driving anywhere.

What this all comes down to is price point and no burning platform for the manufacturers to act. Solutions already exist across the InfoSec topic.

  • Like 1
Posted
6 minutes ago, Nick72 said:

ECU replacement

Hopefully not the security ECU as having seen where Toyota like to locate it I wouldn't want the labour bill for that 😉

  • Like 1
Posted
Just now, forkingabout said:

Hopefully not the security ECU as having seen where Toyota like to locate it I wouldn't want the labour bill for that 😉

Don't forget your login credentials 🤣

  • Haha 1
Posted
9 minutes ago, Nick72 said:

So the override is simply to issue a new key to the user but only the user with 2FA can do that and the transaction is transitory. That key is immediately converted by the user using a PIN rendering that issued by the manufacturer useless by anyone else. If the user loses the means to provide 2FA then it's a replace the ECU job. Of course you'd extend the options for the user so there's always a secure way for them to request a new key (then modification by them locally using their own PIN they and only they know and which is not needed after key modification) rather than the dealer visit and ECU replacement and being a grand down.


Other methods available too but can't describe those here.

Well, at a grand down you may as well pay £450 for the Ghost. This is all getting very complicated for your average guy in the street.

Terry

  • Like 1
