41 - 60 of 87 Posts
Spoke with Steven Eagell Toyota Romford and they confirmed ToyotaUK have introduced a plate to protect the vulnerable area by the wheel well. They are charging £160. I also found Lexus are doing the same but aren’t charging the customers at all. If anyone knows a bit more please share.
 
Just read whole topic. Conclusion is - it's not unstoppable. CAN Bus immobilizer works perfectly fine in this case.
So, CAN is flooded with messages - car can be opened and even started, but to start it driving you have to stop flooding CAN Bus with messages and at this point immobilizer will shut it down.
I know a person with RX 350 which already survived CAN Attack 3 times, just some damage to bumper cover.
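Added example, not part of any post in this thread and not a description of how any commercial immobilizer works: a minimal rate-based check that flags a CAN ID being flooded, run over a candump-style log. The log lines, the CAN IDs (0x100, 0x2A0) and the window and threshold values are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# candump -l log line: "(timestamp) interface ID#DATA"
LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#[0-9A-Fa-f]*$")

def parse_candump(lines):
    """Yield (timestamp, can_id) for well-formed lines; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(2), 16)

def find_floods(lines, window=0.1, max_frames=5):
    """Return {can_id: time of first alert} for every ID seen more than
    max_frames times inside a sliding window of `window` seconds.
    Both thresholds are assumptions; a real bus needs a measured baseline."""
    recent = defaultdict(deque)   # can_id -> timestamps still inside the window
    alerts = {}
    for ts, can_id in parse_candump(lines):
        q = recent[can_id]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_frames:
            alerts.setdefault(can_id, ts)
    return alerts

def build_sample():
    """Constructed log: ID 0x100 at a steady 10 Hz, plus a 50-frame burst of
    ID 0x2A0 at 1 ms spacing. IDs and payloads are made up."""
    frames = [(1000.0 + i * 0.1, "100#0011223344556677") for i in range(10)]
    frames += [(1000.5 + i * 0.001, "2A0#FF") for i in range(50)]
    lines = [f"({ts:.6f}) can0 {frame}" for ts, frame in sorted(frames)]
    lines.insert(3, "not a candump line")   # malformed input is ignored
    return lines

if __name__ == "__main__":
    for can_id, ts in find_floods(build_sample()).items():
        print(f"flood suspected: id=0x{can_id:03X} first alert at t={ts:.3f}")
```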
 
Forgot where I saw someone said the Autowatch Ghost is just a rebranded version of this:
$199 euro.

I don't know if it comes with installation instructions or may need to be translated from German to English.
I don't know if IGLA is the same device. I've seen posts on other car brand forums where the installation cost runs about 1k-1.5k. That's a lot of $$$.
 
Discussion starter · #49 ·
I don't know if IGLA is the same device. I've seen posts on other car brand forums where the installation cost runs about 1k-1.5k. That's a lot of $$$.
I don't think an amateur should try to DIY install IGLA or any other immobilizer on a RAV4. If you make a mistake it may permanently screw up the car so it won't ever start.
 
Aftermarket immobilizer systems like the IGLA are EXPENSIVE and have very few professional installers outside of a few big cities.
Let's talk about XLE Hybrid here in Canada:
1. New car costs 43K; time frame to get one is 12+ months.
2. Insurance payout will be about 38-40K.
3. To get a used XLE Hybrid car on the market will be 46+K.
In this case investment of 1K in immobilizer seems a good use of money

I don't think an amateur should try to DIY install IGLA or any other immobilizer on a RAV4. If you make a mistake it may permanently screw up the car so it won't ever start.
Agree 100%. Installation of CAN immobilizer is relatively simple, but for Toyota it will require installation of secondary relay to handle CAN short cut attack.
 
Discussion starter · #51 ·
Let's talk about XLE Hybrid here in Canada:
In this case investment of 1K in immobilizer seems a good use of money
I agree with you for your situation in Canada (especially Montreal) and also in the UK where professional car theft rings are stealing RAV4s using the CAN Invader (wheel well) attack. In Montreal I understand the cars go right onto cargo ships bound for Nigeria and other places and the cops won't do anything even if an owner tracks the car to the ship tied to the wharf. These professional car thief a**holes have purchased the CAN Invader theft device from the dark web and I have read it may cost $1k US or even more. In the US the situation is different. There have been no RAV4 CAN Invader attacks I have read about. Possibly in the US they only happen to more expensive cars than the RAV4. Our US RAV thefts are done by the old remote fob signal capture method which is easily defeated by using "sleep mode" on the remote or faraday cage devices. Our US thefts are also done by remote fob cloning through the OBD2 port. However in the US, the 5th gen RAV is simply not in any lists of frequently stolen cars. This is because our crooks are mostly joy riding teenagers, and meth addled tweakers who steal Kias and Hyundais and older cars they can just mechanically jimmy to start without using any software or computer. In Portland, Oregon apparently the "homeless" steal cars for transportation and then simply park them at their large tent city encampments all over town where they either get stripped for parts to sell or just vandalized. There have been reports of vigilantes tracking their cars to these hobo camps and forcefully recovering them.
 
The CAN attack WILL most likely work on the physical key model 5th gen RAVs. This is because all of the models-key and remote fob- use the CAN BUS system to interlink their various ECUs and modules. All the key or fob does is disable the engine immobilizer system and tell the main ECU to work the starting motor and fire the coils and energize the fuel injection on the gas models, and to start up the storage battery and electric motors on hybrid. BUT they ALL have a CAN BUS system.
I’m buying a Toyota RAV4 Plug-In Hybrid, first registration was in May 2021. Will it be susceptible to the CAN injection hack?
 
I’m UK based. I’m buying a Toyota RAV4 Plug-In Hybrid, first registration was in May 2021. Will it be susceptible to the CAN injection hack?

Since it’s a 2021 plug-in hybrid registered in May 2021, I’m wondering if Toyota has fixed this issue. I’ve only signed the finance papers and paid the deposit so I’m not sure how to proceed with the dealership about my concerns, as they have yet to deliver the vehicle to me.

I was thinking of using a professional service to install a Smart Alarm System, Ghost immobilizer, and CAN bus immobiliser. Also I’ll be purchasing a steering wheel lock, and a Faraday box and pack.

Any thoughts?
 
The more that a computer controls a system the less secure something is...keep that in mind as a general rule of thumb.

While I do have some experience in the field, I don't have a Toyota or Lexus affected by this type of attack nor the wiring and logic diagrams for an affected vehicle, so can only speak to this from afar...how applicable the following is up to you to decide, though it probably hits pretty close to the mark.

The problem is CANBUS is not encrypted and is being hijacked. Though the lights are off, the communications lines are still alive and active. Depending on how the bus is segmented it can be "relatively" easy to inject "Front Driver Side Door Inside Unlock." It should not be easy, however the problem being the Convenience Bus wiring (used for remote entry) may be used by the Tire Pressure Control Module (low bandwidth), Frontal Control Module (lights, low bandwidth), Access Control Module (low bandwidth), etc... Depending, these are different buses multiplexing for bandwidth (sharing time on the same data wires), so while it's not "easy" to get the signalling correct it appears someone figured out how to jump on the wiring, multiplex onto the ACM bus, and send an unlock packet.

I was totally surprised on the next step, pairing a smart key with the Remote Keyless Entry is not at all hard--it takes 15 seconds if automated.* Once that's done it's easy to use the rogue smart key to get the handshake certified. I know a different Japanese manufacturer is pretty rigorous about it, getting a new fob activated requires dealer intervention and authorization from H.Q. in Japan, and the dealer tends to soak the customer for $500 plus $125 for the fob, unlike Toyota where the owner can pair a new fob themselves (a huge win for Toyota/Lexus owners).** However, Toyota certainly could have improved the process by adding layered authentication.

Once the fob-vehicle handshake is certified, injecting "Start/Stop Button Press" isn't hard, it's just a convenience for the thief at this point.***

*RKE Module surface attacks are well known, the CANBUS attack while more complicated is simply a more expedient method.
**This is consistent with Toyota mentality of making easy-to-use/easy-to-maintain/easy-to-repair products.
***Some security details not necessary to the core understanding have been omitted.


====
So, what to do....

If you've been around a while the first thing that comes to mind is probably a switch interrupting the starter relay coil wire. A reed switch can be hidden in the dash and activated with a magnet; it can be bypassed but a thief would need a bit of time to figure it out, plus a few more tools. Chances are another theft attempt at a later date will be contemplated, if there's a good chance of success the vehicle might be gone within a week.

An ultimate (and poor) solution is to put a remote on the ECU power, something like:
Remote Control Battery Disconnect Switch Kill Switch for Car with 2 Keys Anti-Theft DC12V 200A Electromagnetic Solenoid Valve Terminal
I am NOT suggesting this--the ECU is not meant to be power cycled and doing so would cause a constant loss of stored settings (like engine tuning). Also of importance: the secondary remote system (such as in the Amazon link) reliability and security strength is unknown.

Getting steel shield plates bent and installed, plus disabling the remote (via ECU "disable" option, a setting stored in the ECU) could possibly be the best solution at the moment, as it will avoid the damage to the wiring and forestall or prevent theft.

Otherwise, a physical bus in the CANBUS system contains a CAN_High and CAN_Low wire.
  • CAN: Controller Area Network
  • bus: A communication standard that allows microcontrollers and devices to communicate with each other.
  • Serial communication: The process of sending data one bit at a time, sequentially, over a communication channel or computer bus.
  • CAN bus: A serial communication transport designed for robust performance within harsh environments (primarily automotive and industrial applications).
  • Attack surface: The number of all possible points, or attack vectors, where an unauthorized user can access a system. The smaller the attack surface, the easier it is to protect.
I'm going to guess on a Lexus there are two bus lines for the front, a Frontal Control Module-Left & Frontal Control Module-Right (these systems typically have the lights and possibly other sensors on them). If so, putting a Quad-Pole Single-Throw electronic switch on the bus lines for the FCM-L and FCM-R would disconnect them from the ECU, so all systems using the FCM-L and FCM-R buses could potentially communicate with each other (if powered), but not the ECU.**** Since the door lock relay is usually on a different physical bus than the headlights (different wires), injecting Convenience commands should go unanswered.*^ I'd guess the Remote Keyless Entry receiver is under the dash or mounted to an A-pillar on a different physical bus, so the keyfob should still allow remote entry.

**** Do not assume a device is unpowered during an attack as power can be injected.
*^ The headlights and doors should be on different physical wires, so tapping into one system shouldn't allow communication with the other except through the ECU, which in this case would have been disconnected via tying 4 pins high on the electronic switch which opens the FCM bus lines, disconnecting the lights from the ECU.


Concerning the keyfob, there's a remote attack surface that's not uncommon, the following video explains it well. I would guess there's an ECU setting to disable this (until the ECU setting is reset to the default value).

I’m UK based. I’m buying a Toyota RAV4 Plug-In Hybrid, first registration was in May 2021. Will it be susceptible to the CAN injection hack?

Since it’s a 2021 plug-in hybrid registered in May 2021, I’m wondering if Toyota has fixed this issue. I’ve only signed the finance papers and have paid the deposit so I’m not sure how to proceed with the dealership about my concerns.

I was thinking of using a professional service to install a Smart Alarm System, Ghost immobilizer, and CAN bus immobiliser.

Any thoughts?
 
If you have a hybrid try removing the hybrid system battery plug behind the battery air filter. Relatively easy and should disable the vehicle still leaving 12 volt for the ECU.
I’m UK based. I’m buying a Toyota RAV4 Plug-In Hybrid, first registration was in May 2021. Will it be susceptible to the CAN injection hack?

Since it’s a 2021 plug-in hybrid registered in May 2021, I’m wondering if Toyota has fixed this issue. I’ve only signed the finance papers and have paid the deposit so I’m not sure how to proceed with the dealership about my concerns.

I was thinking of using a professional service to install a Smart Alarm System, Ghost immobilizer, and CAN bus immobiliser.

Any thoughts?
 
Spoke with Steven Eagell Toyota Romford and they confirmed ToyotaUK have introduced a plate to protect the vulnerable area by the wheel well. They are charging £160. I also found Lexus are doing the same but aren’t charging the customers at all. If anyone knows a bit more please share.
I bought a Toyota RAV4 Plug-in Hybrid 2021 number plate from Steven Eagell Toyota.
I’ll be speaking with them on Monday to ask about the plate to protect the vulnerable area if they can install it (for free) before delivering the vehicle to me.

Did you get yours protected in the end?
 
Discussion starter · #59 ·
I’m UK based. I’m buying a Toyota RAV4 Plug-In Hybrid, first registration was in May 2021. Will it be susceptible to the CAN injection hack?
The PRIME is the PHEV Rav4. I think I read on the Reddit Rav4 Club that the PRIME in the US has some kind of software or encryption that prevents the CAN BUS attack and is the only Rav4 that is so protected. I am not sure about this. I suggest you ask this question in the PRIME sub forum.
 
The PRIME is the PHEV Rav4. I think I read on the Reddit Rav4 Club that the PRIME in the US has some kind of software or encryption that prevents the CAN BUS attack and is the only Rav4 that is so protected. I am not sure about this. I suggest you ask this question in the PRIME sub forum.
Thank you so much. I’ll definitely raise this question in the PRIME sub forum.
 