2022 RAV4 stolen


atartan

53 minutes ago, Strangely Brown said:

 if the keyless entry system is "disabled" then does the CAN attack fail ...

20 minutes ago, Rigsby said:

the Icon [does not] have the smart entry and motion sensor key ... do we know if this type of attack can be done on the Icon model?

... and as Mark says, we don't know ...

On the Icon, Toyota can obviously save a few Yen by not fitting the physical "key present sensors". Disabling keyless entry could simply switch off the physical "key present sensors". But if the underlying system software remains exactly the same the attack will still succeed. And Toyota won't save money by having two different versions of the system software to maintain ...

In order to prevent this attack we would need the 'disable' to take effect right down at system level - so that the car stops recognising a "key present" signal - and I rather doubt that is what happens.

But as above, I don't know ...

  • Like 1
Link to comment
Share on other sites

I don't think disabling keyless would help; From what I understand, the CANbus attack bypasses the key authentication system entirely, and just sends a "Key Good, Start Engine!" signal to the car.

This is why I was saying in another thread I was shocked they didn't have 2 separate CANbus networks - One for normal trivial stuff like lights and radio, and one for stuff that needs to be secured, like engine start and door locks.

In tech terms, a 'bus' is a common set of wiring/conductors that all components are physically attached to; This means it is very vulnerable to attack, as if you can connect a rogue device to it, you can listen to everything that anything says on it, and talk to everything connected to it.

This is one of many reasons why, in computer networks, we stopped using bus-based topologies and now use hub-spoke/point-to-point, as it was very easy for someone to put a clamp or vampire-tap onto an exposed bus line and eavesdrop/inject data packets onto it.

 

The obvious way to fix this is to encrypt all CANbus traffic, but that's unlikely because the whole point of CANbus is it's extremely fast, while encryption is very slow - It'd be the difference between the command to detonate the airbag charges going off at the right time to save you or kill you.

One thing they're trying is to just generate a small cryptographic token for privileged commands, so the different ECUs can determine if it's legit or not - This should have less impact, but will make the ECUs more expensive as they need lots of extra circuitry for the encryption stuff.

 

  • Like 3
  • Sad 1
Link to comment
Share on other sites
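The "small cryptographic token for privileged commands" idea from the post above, sketched as an added example (not part of the original thread and not Toyota's actual scheme): the sender appends a truncated MAC and a freshness counter to the CAN payload, and the receiving ECU drops frames that fail the check or repeat an old counter. The key, CAN ID, frame layout and the use of HMAC-SHA256 in place of an automotive CMAC are all assumptions.

```python
import hashlib
import hmac
import struct

MAC_LEN = 3                 # truncated MAC bytes carried in the frame (assumed)
MAX_DATA = 8 - 1 - MAC_LEN  # classic CAN payload is 8 bytes: data + counter + MAC

def _tag(key, can_id, data, counter):
    # The MAC covers the CAN ID and the full counter, not just the payload.
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build(self, data):
        if len(data) > MAX_DATA:
            raise ValueError("payload too long for an authenticated frame")
        self.counter += 1
        tag = _tag(self.key, self.can_id, data, self.counter)
        return data + bytes([self.counter & 0xFF]) + tag

class Receiver:
    def __init__(self, key, can_id, window=16):
        self.key, self.can_id, self.last, self.window = key, can_id, 0, window

    def accept(self, frame):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < 1 + MAC_LEN:
            return None
        data, low, tag = frame[:-4], frame[-4], frame[-3:]
        # Rebuild the full counter: next value above `last` with this low byte.
        counter = (self.last & ~0xFF) | low
        if counter <= self.last:
            counter += 0x100
        if counter - self.last > self.window:
            return None   # replayed or too far ahead of the last accepted frame
        if not hmac.compare_digest(tag, _tag(self.key, self.can_id, data, counter)):
            return None   # wrong key or altered frame
        self.last = counter
        return data

KEY = bytes(range(16))   # constructed demo key
START_ID = 0x123         # constructed CAN ID standing in for a privileged command

def demo():
    tx, rx = Sender(KEY, START_ID), Receiver(KEY, START_ID)
    frame = tx.build(b"\x01")
    altered = frame[:-1] + bytes([frame[-1] ^ 1])   # one MAC bit flipped
    return [rx.accept(altered), rx.accept(frame), rx.accept(frame)]
```

A 3-byte MAC only makes sense together with the counter window and rate limiting of failed frames on the receiver.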

I think I read somewhere that the EU required that the OBD/CANbus be accessible to users which is a potential reason it's not got an encrypted or dual circuit?

  • Thanks 1
Link to comment
Share on other sites

I think Toyota should sell included in the car price a Stoplock pro and a wheel clamp as standard. ( I’m not a salesman for Stoplock)!

 

 

  • Haha 1
Link to comment
Share on other sites

3 hours ago, ernieb said:

I think I read somewhere that the EU required that the OBD/CANbus be accessible to users which is a potential reason it's not got an encrypted or dual circuit?

I don't think that we can really "blame the EU" for this one. The EU requirement seeks to ensure that the system remains 'open' to servicing by independent garages etc. and prevents manufacturer 'lock-in'.

Having committed to an open architecture "fly-by-wire" bus it seems, in hindsight, rather 'dumb' to have implemented the vehicle security features on the self-same bus. Again, with hindsight, a second secure bus for such things would seem sensible and, I suspect, the primary driver for not taking that approach was and is simply cost ...

  • Like 3
Link to comment
Share on other sites


On 9/4/2023 at 8:05 PM, Cyker said:

One thing they're trying is to just generate a small cryptographic token for privileged commands, so the different ECUs can determine if it's legit or not - This should have less impact, but will make the ECUs more expensive as they need lots of extra circuitry for the encryption stuff.

 

That's already done in the newer cars as far as I'm concerned, starting with RAV4 Prime.

  • Like 1
Link to comment
Share on other sites

My 2019 Focus had two canbus systems, as Cyker describes.  All you needed though was a special cable that switched to each system.

  • Like 1
Link to comment
Share on other sites

On 9/4/2023 at 4:21 PM, Rigsby said:

Mine's a 21 Dynamic, all MY21 grades apart from the Icon have the smart entry and motion sensor key, but the Icon does have Push Button start, do we know if this type of attack can be done on the Icon model?

No, as you need the key in the ignition to turn the car on and release the steering lock (good old physical security), but it doesn't stop the idiots trying, some cars have the push button start but still have a keyed ignition

Relay attacks are a non issue

there was an icon owner a few pages back that they tried the attack on

  • Like 1
Link to comment
Share on other sites

25 minutes ago, flash22 said:

No, as you need the key in the ignition to turn the car on and release the steering lock (good old physical security), but it doesn't stop the idiots trying, some cars have the push button start but still have a keyed ignition

Relay attacks are a non issue

there was an icon owner a few pages back that they tried the attack on

The reason that I asked is that in the brochure (2021) it states that the icon has push button start and the design has smart entry in addition to the icon grade.

 

IMG_4748.jpeg

IMG_4750.jpeg

Link to comment
Share on other sites

Keyless ("smart") entry and push-button start are not mutually... inclusive? My dad's old Verso had a push button start, but didn't have keyless entry (Just the more conventional key or remote fob), so maybe that's what the difference is...?

 

Link to comment
Share on other sites

There were some models that had push-button start but not keyless entry - my Gen.3 was one of them. I had to specify keyless entry as an option (it added keyless entry and power folding mirrors).

Link to comment
Share on other sites

  • 2 weeks later...

My 21 plate RAV4 was stolen last night from outside of my property and the police wouldn't do anything. 

Luckily I recovered it myself with the help of the MyT app, but the dash cams were ripped off and goods stolen. Also a headlight malfunction warning is on the dash... I'm shocked and confused as to what to do next...

  • Confused 1
  • Sad 3
Link to comment
Share on other sites

Take a look at [the length of] this thread:

 

Unfortunately, you are not alone ... 😞

There is a, by now well known, exploit that permits thieves to gain access to the car and drive it away using a CANbus attack via the front nearside headlight.

As for what to do next:

  1. Get a Krooklock or equivalent as a visible deterrent against a subsequent theft
  2. Avoid leaving valuables in the car
  3. Get your dealer to fix the damage done

It's a sad world that we live in ...

Link to comment
Share on other sites


1 hour ago, Shootgun said:

My 21 plate RAV4 was stolen last night from outside of my property and the police wouldn't do anything. 

Luckily I recovered it myself with the help of the MyT app, but the dash cams were ripped off and goods stolen. Also a headlight malfunction warning is on the dash... I'm shocked and confused as to what to do next...

Sorry to hear about your theft.
Could you please tell us whereabouts in Surrey you are, i.e. how close to London?
Was the car taken from your driveway or further away from the house?
Also, can you tell how they gained access to the headlight? i.e. did they go through the wheel arch liner or did they pull the front bumper forward, or something else? Is the headlight disconnected?

If the dashcams being removed is all the interior damage then you appear to have escaped considerably more lightly than some others, not that that is any consolation.

Link to comment
Share on other sites

I went for my appointment for the headlamp protection plate to be fitted by Jemca Toyota Croydon today.


It was going to be £84 total with the rest of the ‘cost’ being subsidised by warranty… decent value for peace of mind.

 

BUT when I got there the engineer said he wouldn’t do it as the plug-ins aren’t vulnerable to this method due to their software, apparently it is only HEVs? He checked the official Toyota info etc first and sounded confident!

Mine is a 21 plate PHEV and seemingly immune to this method?

He did still recommend a physical steering lock, and showed me how to turn off my key at night (hold down lock then press unlock 5 times for a red light). 
 

Has anyone else heard this?  

 

Link to comment
Share on other sites

There has been mention in this forum some time ago that the PHEV models are not vulnerable to these attacks. 

  • Thanks 2
Link to comment
Share on other sites

I’m in Wallington, South London , and the car was just in front of our bedroom window.

They pulled the wheel arch liner out to gain access, and the headlight was disconnected.

Luckily the main dealership put it right without charge, all I have to do is replace the plastic trim as the clips are broken, and chip in for new dash cams.

  • Like 2
  • Thanks 1
Link to comment
Share on other sites

7 minutes ago, NASY said:

There has been mention in this forum some time ago that the PHEV models are not vulnerable to these attacks. 

Wow I didn’t realise. I’ve been very worried for a while. 

Link to comment
Share on other sites

I suggest that if not already you read the last few posts on the other thread about stolen RAVs. It appears Toyota can supply and fit a headlamp protection plate to stop this. It is only applicable to HEVs, the thieving toe rag scum of society have yet to find a way of stealing PHEVs in this manner.

Link to comment
Share on other sites

24 minutes ago, Flatcoat said:

I suggest that if not already you read the last few posts on the other thread about stolen RAVs. It appears Toyota can supply and fit a headlamp protection plate to stop this. It is only applicable to HEVs, the thieving toe rag scum of society have yet to find a way of stealing PHEVs in this manner.

Hi Flatcoat. Is that right about the PHEVs? I hadn't picked up on that previously. I'd assumed it was the same for HEV and PHEV. Do you know what the difference is? I.e. is it the access to the socket/wiring, or relies on different Canbus signals from the electronic box they use?

Even if it means a failed attempt at theft, the damage is still a big issue as I can't imagine the low-lives read the little Badge first (although even the most stupid might notice it's plugged in!)

If it's the programme in the electronics box, I can only imagine it's a matter of time before another version is developed that exploits the same method of access.

I still don't believe there are loads of these devices around. If we are to believe what we read, these are around £20k so require a lot of vehicles to be taken to make it really profitable (I doubt they are getting market value - and quite a lot of the reports we read here are oddly recovered). That's probably why we see the geographical concentration of vehicles being stolen. Maybe if it needs a different box of tricks for a PHEV, and because there are a lot less of them about, it's not worth the "investment".

Either way, HEV or PHEV, whichever part of the country, we can't be complacent.

I have to say, I've just been on holiday and my car was left at a hotel near Gatwick for 2 weeks. I have to say I was fairly relieved it was all present and correct when I returned, being in that there London area. By the way, I left it with the Stoplock on, they moved it to a different area of the carpark (twice) and when I picked it up, they had left the Stoplock off! Not sure if it was the start of the holiday or just before the return that they left it off.

Link to comment
Share on other sites

I would have a word with Toyota to confirm this. Someone please correct if wrong but my understanding is the CAN bus cannot be encrypted as air bags are fired using signals through the CAN bus and encryption slows the process down. The PHEV might have 2 CAN buses with one non encrypted for safety critical systems but that would mean more expense for Toyota as parts diverge between the PHEV and HEV. 

  • Like 1
Link to comment
Share on other sites

43 minutes ago, robo1 said:

I would have a word with Toyota to confirm this. Someone please correct if wrong but my understanding is the CAN bus cannot be encrypted as air bags are fired using signals through the CAN bus and encryption slows the process down. The PHEV might have 2 CAN buses with one non encrypted for safety critical systems but that would mean more expense for Toyota as parts diverge between the PHEV and HEV. 

That’s what I presumed. 

Link to comment
Share on other sites

This is news to me, I’d thought that we were all vulnerable to this problem. Maybe if Toyota UK had not been so tight lipped about the issue we’d be better informed.

  • Thanks 1
Link to comment
Share on other sites
