The third time, unfortunately, was the charm for the thieves as the RAV4 went missing a few days after the second attempt. This incident prompted Tabor to investigate how his car was stolen, together with fellow automotive security expert Dr. Ken Tindell.
What’s even more concerning is that such methods, which have been documented on video by the way , would reportedly take only two minutes to break into keyless vehicles. Upon further digging on Youtube, crime forums and even the dark web, Tabor discovered that thieves have been using CAN Injection tools that are sold online as emergency start devices. These are originally intended for use by owners or automotive professionals when a car’s key fob is lost, stolen, or otherwise unavailable.
As mentioned earlier, one version of this hacking tool, which both security experts purchased for reverse engineering purposes, came in the form of a fake JBL portable speaker – a disguise that can easily fool any unsuspecting individual or authority if uninspected. Our own research has found that other similar tools are also available as generic key fobs and, of all things, a certain retro handset.
According to Tindell, pressing the play button on the fake JBL portable speaker will trigger it to send out a CAN message burst that instructs the targeted vehicle’s ECU to unlock its doors. Of course, with the car believing that the false key is valid, thieves are also given access to its Push Start function and are able to drive off.
While the attack was successfully replicated on a Toyota RAV4, it is still possible that something similar could occur on other vehicles using the same technology and architecture. Tabor and Tindell have alerted Toyota regarding the vulnerability, but have yet to receive any acknowledgement or response from the automaker.