
Posted
27 minutes ago, Hybrid21 said:

Hi Dorin, does that fitment prevent them whipping the front bumper off, which also gives access?

I would think that the brackets just prevent access to the headlight connector, which is all well and good but I can’t see it preventing the damage to the bumper and / or the wheel arch liner before the scrotes discover it’s had the modification.

But I suppose some damage is better than theft and potentially more damage.

 

 

  • Like 1

Posted
32 minutes ago, Terry10 said:

Hi Dorin, can you tell us the dealer name please that fitted these brackets for you. Any extra protection has got to be worth the effort.

regards Terry

 

Jemca Toyota in Croydon. 

  • Like 1
Posted

I want to get mine done, going to call my local dealer today.

I thought about putting a small sticker in the window, "Canbus shielded" or something.  

Whether they'd believe it or not, no idea.

Posted
2 hours ago, kucyk said:

This was explained a couple of times, however, we have very limited information regarding this and it's based on the research from people working on the openpilot project.
In PHEV and 23' HEV and other new Toyota cars the communication between the ECU and components is signed using a digital signature that proves the identity of the source. This way ECU "knows" that the commands to open and start the car are coming from the legitimate source and it's dropping any injected / spoofed messages from the attackers.

I wouldn't bet my car on it too but so far this theory seems to be true. And don't expect Toyota to confirm this and tell you what they do, the research from openpilot is the best we can get.

Also, the car can still be stolen using the gameboy method which will emulate the key. I guess the only way to protect from that is turning off the smart entry and steering wheel lock. Steering wheel lock on its own is probably the best way to protect your car. Whether it's a can attack, gameboy or relay attack, the thieves will move on to the next car when they see it.

Signing of CAN packets would certainly kill the exploit stone dead. I think that would also require that every car has a unique signature[*] and that every component on the CAN that sends packets be able to generate that signature, so that adds a significant layer of complexity when changing parts, e.g. a broken headlamp. Every replacement part would have to be coded to the car, or vice-versa. It also means no retro-fit for older cars.

Note: it could also be more involved than my simple assumption and I do not have in-depth knowledge of the RAV4 CAN, but I do understand the networking principles.

The PHEV was launched in Dec 2019 so, if it uses signed CAN traffic, that means Toyota have been aware of, or at least the potential of, this problem since then? It does not make sense to me that the PHEV would have signed CAN from 2019 yet the HEV continued on a separate path until the 2023 update. If the PHEV only got signed CAN traffic in a later update then that means that early cars are vulnerable.

While I am happy that there is a potential solution out there, I am not yet convinced that we know which cars are at risk and which are not.

Given that I am confident mine is on the risk register it will continue to sport a rather fetching yellow bar through the steering wheel when parked overnight etc. I'll think of it as a fashion statement. 🙂

 

[*] Without a unique signature an attack developer would only need to obtain a signature once, and remember: CAN is not encrypted so it is unlikely to be that hard. Once obtained the developer could make a new attack tool that injects the same commands, but signed.

  • Like 4
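The per-vehicle signature and replay concerns raised in the post above, as an added illustration that is not from the post, from openpilot, or from Toyota: a constructed model of a receiving ECU that accepts a CAN frame only if its truncated HMAC tag verifies under this vehicle's key and its counter is fresh. The frame layout, the arbitration ID 0x123, the command value and the key bytes are all constructed assumptions; the freshness counter is an addition beyond what the post describes.

```python
"""Constructed model of authenticated CAN frames (example only, not Toyota's design)."""
import hashlib
import hmac
import struct

# Constructed layout of the 8-byte classic CAN data field:
#   2 bytes command payload | 2 bytes monotonic counter | 4 bytes truncated HMAC tag
TAG_LEN = 4
UNLOCK_CMD = b"\x01\x00"        # constructed command value, not a real Toyota message
KEYLESS_CAN_ID = 0x123          # constructed arbitration ID
CAR_A_KEY = b"constructed-key-for-car-A"   # per-vehicle secret (constructed)
CAR_B_KEY = b"constructed-key-for-car-B"   # a different vehicle's secret (constructed)


def frame_tag(vehicle_key: bytes, can_id: int, payload: bytes, counter: int) -> bytes:
    """HMAC-SHA256 over arbitration ID, payload and counter, truncated to fit the frame."""
    msg = struct.pack(">I", can_id) + payload + struct.pack(">H", counter)
    return hmac.new(vehicle_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def sign_frame(vehicle_key: bytes, can_id: int, payload: bytes, counter: int) -> bytes:
    """Build the 8-byte data field a legitimate keyless module would transmit."""
    return payload + struct.pack(">H", counter) + frame_tag(vehicle_key, can_id, payload, counter)


class VerifyingEcu:
    """Hypothetical receiving ECU: drops frames that fail the tag check under this
    vehicle's key, and drops any counter not strictly above the last accepted one."""

    def __init__(self, vehicle_key: bytes) -> None:
        self.vehicle_key = vehicle_key
        self.last_counter = -1  # rollover handling is out of scope for this model

    def accept(self, can_id: int, data: bytes) -> bool:
        if len(data) != 8:
            return False
        payload, counter, tag = data[:2], struct.unpack(">H", data[2:4])[0], data[4:]
        expected = frame_tag(self.vehicle_key, can_id, payload, counter)
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return False
        if counter <= self.last_counter:              # replay of an old frame
            return False
        self.last_counter = counter
        return True


def demo() -> dict:
    """Feed one ECU (car A) a genuine frame, an unsigned injection, a replay, and a
    frame signed with another car's key; return which ones it accepted."""
    ecu = VerifyingEcu(CAR_A_KEY)
    genuine = sign_frame(CAR_A_KEY, KEYLESS_CAN_ID, UNLOCK_CMD, 1)
    unsigned = UNLOCK_CMD + struct.pack(">H", 2) + b"\x00" * TAG_LEN   # injected, no valid tag
    other_car = sign_frame(CAR_B_KEY, KEYLESS_CAN_ID, UNLOCK_CMD, 2)   # captured on car B
    return {
        "genuine": ecu.accept(KEYLESS_CAN_ID, genuine),
        "unsigned": ecu.accept(KEYLESS_CAN_ID, unsigned),
        "replayed": ecu.accept(KEYLESS_CAN_ID, genuine),
        "other_vehicle": ecu.accept(KEYLESS_CAN_ID, other_car),
        "next_genuine": ecu.accept(KEYLESS_CAN_ID, sign_frame(CAR_A_KEY, KEYLESS_CAN_ID, UNLOCK_CMD, 2)),
    }


if __name__ == "__main__":
    print(demo())
```

Without a per-vehicle key (all cars sharing CAR_A_KEY) the "other_vehicle" frame would pass the tag check, which is the fleet-wide-signature weakness the footnote describes; the counter then becomes the only remaining defence against replaying it.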
Posted
8 minutes ago, Strangely Brown said:

The PHEV was launched in Dec 2019

Some really interesting stuff, thanks. Just one amendment, the PHEV was only introduced (at least to the UK market) in 2021. I think Ernie had one of the first.


Posted

I've just been to Toyota Coventry.

Although no one there was aware of the fix, they were very interested.

They looked it up and the procedure is on their system, so the warranty manager is just getting some more info from Toyota GB and will then book me in for the work.

Although it is an official recall it is not an automatic notification so is only done on customer request.

  • Like 1
  • Thanks 1
Posted

Also looking on the RAV FB group, some people have been quoted £250, several have paid £70 which is the labour cost and one got it for free.

It will be interesting to see what Listers come back with.

The chap had the work sheet with pictures and it's a plate that goes over the headlamp connections to stop the thieves accessing them.

It looks like it's screwed on so he hoped they were tamperproof screws otherwise what's the point?

  • Like 3
Posted
29 minutes ago, nlee said:

Some really interesting stuff, thanks. Just one amendment, the PHEV was only introduced (at least to the UK market) in 2021. I think Ernie had one of the first.

It was introduced in the US in 2019 and 2021 in the UK. You’re correct, Nigel, in that I was one of the first to drive off the forecourt with a PHEV.

 

  • Like 1
  • Thanks 1
Posted
1 hour ago, Strangely Brown said:

Signing of CAN packets would certainly kill the exploit stone dead. I think that would also require that every car has a unique signature[*] and that every component on the CAN that sends packets be able to generate that signature, so that adds a significant layer of complexity when changing parts, e.g. a broken headlamp. Every replacement part would have to be coded to the car, or vice-versa. It also means no retro-fit for older cars.

The headlight doesn't send any commands, they just use its connector to get into the network. The only communication protected in this case is between the keyless module and ECU - the keyless module commands ECU to open and start the car. I think in this attack method they act as a keyless module in the CAN network and ECU believes that the command it gets are legitimate. This is patched in PHEV using digital signature.

PHEV for sure has it and open pilot guys confirmed it as they can't get their software to work with newer Toyotas including PHEV/Prime. They also confirmed the signing keys are stored in the ECU memory.

  • Like 1
  • Thanks 2
Posted
1 minute ago, kucyk said:

Headlight doesn't send any commands, the only communication protected in this case is between the keyless module and ECU - the keyless module commands ECU to open and start the car. I think in this attack method they act as a keyless module in the CAN network and ECU believes any command it gets. This is patched in PHEV using digital signature.

OK, fair enough, that makes sense for UK models but it still leaves RAV4 Prime cars 2019 to 2021 in the USA and RAV4 PHV for JDM 2020-2021 vulnerable unless the signed CAN traffic was introduced earlier.

If a new keyless module was introduced in 2021 (or earlier) for Plug-In variants and the ECU was updated to reject unsigned packets then surely it would have made more sense to update the HEV at the same time. I'm sure there must have been a reason, whether technical or financial, but these are not areas of the car that are functionally, significantly different. i.e. it's not like the engine, transmission, battery and charging system. These are small components with different internals and/or firmware.

I think there is still a requirement for each keyless module to produce cryptographically unique signatures though. This suggests that the module and ECU may need to be paired.
 

4 minutes ago, ernieb said:

It was introduced in the US in 2019 and 2021 in the UK. You’re correct, Nigel, in that I was one of the first to drive off the forecourt with a PHEV.

Thanks. If PHEV and HEV had separate component streams from 2021 (or earlier) to 2023... that's a lot of cars.

Posted

One of the guys on the Lexus NX board emailed Lexus Customer Services and received the following reply

"I appreciate your enquiry and wish to understand how best to protect your vehicle, as we are aware of the rising trend in theft within the motor industry, to which we are sadly not immune.

The new generation Lexus NX has seen changes in production which do prevent the currently known can-bus style attacks from being effective. Having said this, we believe that criminal gangs are constantly working on new and novel tools and attack methods. 

Therefore we cannot offer any guarantee that any vehicle cannot be attacked via this method, sadly nor can we provide assurance that any vehicle cannot be stolen by the multitude of attack methods that are being employed in organised and well prepared criminal gangs."

The new gen NX started UK sales in 2022 and does have a software (I assume) change to the CAN to prevent this type of attack. This applies to both the HEV and PHEV. I would imagine this also applies to similarly produced RAVs.

  • Like 3
Posted
34 minutes ago, Strangely Brown said:

If a new keyless module was introduced in 2021 (or earlier) for Plug-In variants and the ECU was updated to reject unsigned packets then surely it would have made more sense to update the HEV at the same time. I'm sure there must have been a reason, whether technical or financial, but these are not areas of the car that are functionally, significantly different. i.e. it's not like the engine, transmission, battery and charging system. These are small components with different internals and/or firmware.

I don't know, maybe the ECU in Prime/PHEV saw some major upgrades due to the traction battery and BZ4X on the horizon, and the changes were too big to easily implement them in the existing models / mid production cycle, so they waited for the facelift.

  • Like 2
Posted
3 hours ago, Yugguy1970 said:

I've just been to Toyota Coventry.

Although no one there was aware of the fix, they were very interested.

They looked it up and the procedure is on their system, so the warranty manager is just getting some more info from Toyota GB and will then book me in for the work.

Although it is an official recall it is not an automatic notification so is only done on customer request.

Just been into Toyota Southport where I purchased my Dynamic HEV new in 2021, they claim not to know anything about either the problem or the fix.

He went away and searched their system and still couldn’t find anything, if anyone knows the part number that would be helpful.

Posted

Hi all, well I was passing my Toyota dealer a couple of hours ago and popped in. Asked if I could speak with someone who would be aware of Rav 4 security. The lady said to me that she had worked there for several years and there were no security issues with Toyotas!!!!! When I informed her that she was mistaken and gave her the relevant information she said she would go see the in house guru who knew all. She came back within 2 minutes to tell me that Toyota had issued a fix but it was only being rolled out in London and parts of the Midlands. However in view of my concern the guy is going to contact Toyota and get details of parts and prices. He will then telephone me with the relevant information.

What annoys me about Toyota's narrow minded actions is that it hasn't occurred to them that just because I/other owners live in other parts of the country that we aren't ever likely to go to London/Midlands. As it happens I am going to a wedding in a few months time in the Cheshire area and was in the centre of London a few months back as well. Will be interesting to hear what this wiz kid has to say when they ring back.

Terry

  • Like 5

Posted

Hello again all. Sorry to derail the conversation, but really would like clarity over how the mobile app tracks the car because I’ve received another notification telling me my stolen car is at the same location and the doors have been left unlocked. I don’t want to discard this information on the assumption that they’ve disabled the tracker and it’s sending out its last known location, when really it’s there and the car park security is either lying to me or being incompetent (the police have failed to check on my behalf despite asking them twice already!! I don’t even know if an investigator will be assigned to it 🤦‍♂️). 

I called the car park twice yesterday to tell them I keep getting alerts about its location and they said it's definitely not there, even though the first time I called, one of the security guys rang me back and said there was a car that matched the description but with different plates, but after checking the VIN, it wasn't the same one. The whole thing sounds really strange to me. If it wasn't so far away, I would travel there and see for myself but it's a 200-mile round trip and I don't really know what I'll be met with if I start snooping around the public and private car park. What an absolute nightmare!

edit: I forgot to mention that I spoke to my local dealer and they informed me that the recent location signals will be legitimate, but the person I spoke to didn't really fill me with much confidence based on other generic information she shared about vehicle crime that I know is not true. You guys are much more informed and savvy about the tech in these vehicles because of your invested interest, so really looking for a steer from you all. Thanks!

  • Sad 1
Posted
1 hour ago, Adaml99 said:

would like clarity over how the mobile app tracks the car

So, while the car is moving it periodically records its position using the onboard GPS for the duration of the trip. This much is all within the car itself.

At the end of the trip, it attempts to report the trip details to Toyota's servers using the built-in eCall / SOS SIM. This works provided that it has signal. Each time the car goes into Ready mode it should start a new trip; each time it's switched off again it should report the trip details including its final destination.

The app picks up information when it synchronises with the Toyota servers.

So, if the components involved in trip reporting are still functional and still within the car it should report the car's current position when it was last switched off.

We know that the system isn't very reliable - i.e. we've all had instances of missed trips - but the car should never report a position that it hasn't visited.

  • Like 1
  • Thanks 1
Posted

Many thanks @philip42h.

In the last hour I’ve had a flurry of activity within the app. It’s reported that the vehicle was unlocked and in-movement and used 2% of fuel. It’s now showing it is locked, but at some point in the vehicle’s journey it had severe failure of both the automatic headlight levelling system and the SRS airbag system. No last trip has been recorded and it’s still showing the location of the car park where the stolen vehicle was taken to on Friday.

I think I can assume now that the tracking has been disabled, but everything else that is being transmitted is likely to be reliable. Do you think Toyota would be able to share a log of all of the recent vehicle’s activity? Reason I ask is this can be used to give an indication of when the car was shown as ‘in movement’ (after the car gps has been disabled) and possibly give the security team at the car park (assuming they are legitimate!) a time stamp to aim for when searching for cars that left the car park. Perhaps this would show if the number plates have been changed and what to, and provide better images of the scumbags that took my car?

I don’t know, perhaps I’m clutching at straws and I should just give up and stop looking at the app - it’s been a horrific experience and I’m feeling pretty exhausted now tbh. :sad:

Posted

For information:
 

The "MyT Toyota" app was updated in the iOS App Store yesterday. No new features. Just bug fixes and performance.

  • Like 1
Posted
11 hours ago, Adaml99 said:

Many thanks @philip42h.

In the last hour I’ve had a flurry of activity within the app. It’s reported that the vehicle was unlocked and in-movement and used 2% of fuel. It’s now showing it is locked, but at some point in the vehicle’s journey it had severe failure of both the automatic headlight levelling system and the SRS airbag system. No last trip has been recorded and it’s still showing the location of the car park where the stolen vehicle was taken to on Friday.

I think I can assume now that the tracking has been disabled, but everything else that is being transmitted is likely to be reliable. Do you think Toyota would be able to share a log of all of the recent vehicle’s activity? Reason I ask is this can be used to give an indication of when the car was shown as ‘in movement’ (after the car gps has been disabled) and possibly give the security team at the car park (assuming they are legitimate!) a time stamp to aim for when searching for cars that left the car park. Perhaps this would show if the number plates have been changed and what to, and provide better images of the scumbags that took my car?

I don’t know, perhaps I’m clutching at straws and I should just give up and stop looking at the app - it’s been a horrific experience and I’m feeling pretty exhausted now tbh. :sad:

As per what Philip says, but if yours gives unlocked warnings (mine doesn't so not 100% sure how this works) there must also be a "dial in" on a specific state change (e.g. unlocked for X mins without moving, or similar). If you are getting alerts then the DCM is still connected and working. In some cases of recovered vehicles, they have tried to remove these causing a lot of internal damage. If the location is not updating, maybe the GPS antenna has been ripped out. I think one of the earlier reports of theft on here reported that had happened on a recovered vehicle.

I don't know if Toyota have access to any more information than you can see in the app but it has to be worth asking them the question.

  • Like 1
Posted
18 hours ago, Rigsby said:

Just been into Toyota Southport where I purchased my Dynamic HEV new in 2021, they claim not to know anything about either the problem or the fix.

He went away and searched their system and still couldn’t find anything, if anyone knows the part number that would be helpful.

Same here, if anyone can share the TSB number please. Some dealers are saying they don't know and even the Toyota recall line cannot find it.

Posted
22 hours ago, Yugguy1970 said:

Also looking on the RAV FB group, some people have been quoted £250, several have paid £70 which is the labour cost and one got it for free.

It will be interesting to see what Listers come back with.

The chap had the work sheet with pictures and it's a plate that goes over the headlamp connections to stop the thieves accessing them.

It looks like it's screwed on so he hoped they were tamperproof screws otherwise what's the point?

Just been to my dealer and he looked it up with the part number. I watched him find the part online and buried in the page it said "cost £4.20"; he didn't notice I had seen this, then he said part cost £70 and around £130 labour. What a rip off I thought. I said I would think about it, hopefully it will become a recall issue. The picture was the same as below. Part no GBN GAB RACK01. (Picture taken from another post)

IMG_7210.jpeg

  • Sad 1
Posted

So in the FB forums people have just been paying the £70 part cost and the labour is covered by Toyota.  

Find the posts on the Toyota RAV4 Hybrid UK fb group and show your dealer, posts from me Guy Heaton and Lisa Lindsay.  She had them fitted for 70 quid at Steven Eagell Chelmsford.

  • Like 1
Posted

I spoke to Toyota Coventry service department, and they gave me the part number (same as above) Gbngabrack01 and confirmed that the customer is only paying £70 for the part and the rest is covered by Toyota. Should take about an hour according to the documentation they have. He did say that the TSB was released a few days ago.

  • Like 1
Posted
53 minutes ago, George22 said:

hopefully it will become a recall issue.

Unless it is related to a safety problem, which a security issue isn't, it won't be treated as a DVSA recall. Which is presumably why Toyota have issued a Toyota Service Bulletin on the subject.

Posted
1 hour ago, Yugguy1970 said:

So in the FB forums people have just been paying the £70 part cost and the labour is covered by Toyota.  

Find the posts on the Toyota RAV4 Hybrid UK fb group and show your dealer, posts from me Guy Heaton and Lisa Lindsay.  She had them fitted for 70 quid at Steven Eagell Chelmsford.

Many thanks 👍
