
Tazio Nuvolari (2021 Rav 4 XLE gas engine)
Discussion starter · #1 ·
Another poster's recent thread got me doing international research. There is a NEW car theft method which was just "invented" this summer in Japan and its use has exploded in the UK. It is widely used to steal 5th generation RAV4s and late-model Lexus throughout England and Japan in the last few months. It is called a "Can Invader Attack". The thief goes through the passenger's front wheel well (like changing a fog light bulb) and cuts the wires to the headlight and splices in a device by which he accesses the Toyota or Lexus CAN bus system. It takes less than three minutes to steal the car as the video shows. Police and English forums say the only way now to stop RAV4 thefts is to armor plate the wheel well or to use steering wheel locks. This Can Invader Attack is completely new and different from the older "Relay Attack" method of theft involving capturing the signal from the key fob which is used in the US and Canada. The Can Invader Attack can't be prevented currently by any known means. The screen shot is from a UK Toyota forum.
 


In Ontario we have an insane car theft problem. Rav4 have not been an issue as of yet but Lexus forget about it. We had some Lexus dealers get 10 high-end SUVs stolen in the same night.
Not a single one was ever recovered. If you have a high-end Lexus in Ontario you'll be lucky to still have it after 6 months.
And if you park in a private garage and they can't steal it at night they will simply carjack you at gunpoint and steal it that way.

The main issue I see is that when they do catch someone in a stolen car they are booked and released within a few hours.
Even after being caught several times it's very rare that car thieves are ever given prison time at all.
So they have the potential to make huge returns and if caught they don't face any harsh sentences so it's a win-win for them.
 
Cannot see anything useful in the posted video. How can this sort of supposed device work as described unless the headlight circuit is somehow always live? On our RAV4 (different generation) the headlights are switched off either manually or automatically after about 30 seconds when the ignition is switched off, so the headlamp circuit should be dead.
 
The more that a computer controls a system the less secure something is...keep that in mind as a general rule of thumb.

While I do have some experience in the field, I don't have a Toyota or Lexus affected by this type of attack nor the wiring and logic diagrams for an affected vehicle, so can only speak to this from afar...how applicable the following is, is up to you to decide, though it probably hits pretty close to the mark.

The problem is CANBUS is not encrypted and is being hijacked. Though the lights are off, the communications lines are still alive and active. Depending on how the bus is segmented it can be "relatively" easy to inject "Front Driver Side Door Inside Unlock." It should not be easy, however the problem being the Convenience Bus wiring (used for remote entry) may be used by the Tire Pressure Control Module (low bandwidth), Frontal Control Module (lights, low bandwidth), Access Control Module (low bandwidth), etc... Depending, these are different buses multiplexing for bandwidth (sharing time on the same data wires), so while it's not "easy" to get the signalling correct it appears someone figured out how to jump on the wiring, multiplex onto the ACM bus, and send an unlock packet.

I was totally surprised on the next step, pairing a smart key with the Remote Keyless Entry is not at all hard--it takes 15 seconds if automated.* Once that's done it's easy to use the rogue smart key to get the handshake certified. I know a different Japanese manufacturer is pretty rigorous about it, getting a new fob activated requires dealer intervention and authorization from H.Q. in Japan, and the dealer tends to soak the customer for $500 plus $125 for the fob, unlike Toyota where the owner can pair a new fob themselves (a huge win for Toyota/Lexus owners).** However, Toyota certainly could have improved the process by adding layered authentication.

Once the fob-vehicle handshake is certified, injecting "Start/Stop Button Press" isn't hard, it's just a convenience for the thief at this point.***

*RKE Module surface attacks are well known, the CANBUS attack while more complicated is simply a more expedient method.
**This is consistent with Toyota mentality of making easy-to-use/easy-to-maintain/easy-to-repair products.
***Some security details not necessary to the core understanding have been omitted.


====
So, what to do....

If you've been around a while the first thing that comes to mind is probably a switch interrupting the starter relay coil wire. A reed switch can be hidden in the dash and activated with a magnet; it can be bypassed but a thief would need a bit of time to figure it out, plus a few more tools. Chances are another theft attempt at a later date will be contemplated, if there's a good chance of success the vehicle might be gone within a week.

An ultimate (and poor) solution is to put a remote on the ECU power, something like:
Remote Control Battery Disconnect Switch Kill Switch for Car with 2 Keys Anti-Theft DC12V 200A Electromagnetic Solenoid Valve Terminal
I am NOT suggesting this--the ECU is not meant to be power cycled and doing so would cause a constant loss of stored settings (like engine tuning). Also of importance: the secondary remote system (such as in the Amazon link) reliability and security strength is unknown.

Getting steel shield plates bent and installed, plus disabling the remote (via ECU "disable" option, a setting stored in the ECU) could possibly be the best solution at the moment, as it will avoid the damage to the wiring and forestall or prevent theft.

Otherwise, a physical bus in the CANBUS system contains a CAN_High and CAN_Low wire.
  • CAN: Controller Area Network
  • bus: A communication standard that allows microcontrollers and devices to communicate with each other.
  • Serial communication: The process of sending data one bit at a time, sequentially, over a communication channel or computer bus.
  • CAN bus: A serial communication transport designed for robust performance within harsh environments (primarily automotive and industrial applications).
  • Attack surface: The number of all possible points, or attack vectors, where an unauthorized user can access a system. The smaller the attack surface, the easier it is to protect.
I'm going to guess on a Lexus there are two bus lines for the front, a Frontal Control Module-Left & Frontal Control Module-Right (these systems typically have the lights and possibly other sensors on them). If so, putting a Quad-Pole Single-Throw electronic switch on the bus lines for the FCM-L and FCM-R would disconnect them from the ECU, so all systems using the FCM-L and FCM-R buses could potentially communicate with each other (if powered), but not the ECU.**** Since the door lock relay is usually on a different physical bus than the headlights (different wires), injecting Convenience commands should go unanswered.*^ I'd guess the Remote Keyless Entry receiver is under the dash or mounted to an A-pillar on a different physical bus, so the keyfob should still allow remote entry.

**** Do not assume a device is unpowered during an attack as power can be injected.
*^ The headlights and doors should be on different physical wires, so tapping into one system shouldn't allow communication with the other except through the ECU, which in this case would have been disconnected via tying 4 pins high on the electronic switch which opens the FCM bus lines, disconnecting the lights from the ECU.


Concerning the keyfob, there's a remote attack surface that's not uncommon, the following video explains it well. I would guess there's an ECU setting to disable this (until the ECU setting is reset to the default value).
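As an added example (not code from this thread, from Toyota or from any product), here is a toy per-segment CAN filter with a cadence check, the kind of logic a gateway or aftermarket monitor could apply to the scenario the post describes: a lock-module frame showing up on the lights segment, and breaking the periodic timing of the genuine frame. The segment names fcm/acm, the arbitration IDs, the nominal periods and the candump-style trace are all assumed and constructed for illustration.

```python
# Added example, not the forum post's or Toyota's code. Segment names, IDs,
# periods and the trace below are constructed; real vehicle values are not on this page.

# Which arbitration IDs legitimately originate on each physical bus segment.
SEGMENT_ALLOWLIST = {
    "fcm": {0x0F1, 0x0F2},   # front control module: lights, front sensors
    "acm": {0x2A0, 0x2A1},   # access control module: door lock / unlock
}
# Nominal transmit period (ms) of periodic frames, used for the cadence check.
NOMINAL_PERIOD_MS = {0x0F1: 100, 0x2A0: 200}

def parse_line(line):
    """Parse a candump-style line '(secs) segment ID#HEXDATA'."""
    ts, segment, frame = line.split()
    can_id, data = frame.split("#")
    return float(ts.strip("()")), segment, int(can_id, 16), bytes.fromhex(data)

def inspect(lines):
    """Return alerts as (ts, can_id, reason) for frames that appear on a segment
    they do not belong to, or arrive much faster than their nominal period."""
    alerts, last_seen = [], {}
    for line in lines:
        ts, segment, cid, _data = parse_line(line)
        if cid not in SEGMENT_ALLOWLIST.get(segment, set()):
            alerts.append((ts, cid, f"id 0x{cid:03X} not expected on segment {segment}"))
        period = NOMINAL_PERIOD_MS.get(cid)
        if period is not None and cid in last_seen:
            gap_ms = (ts - last_seen[cid]) * 1000
            if gap_ms < period / 2:   # an injected frame lands between the periodic ones
                alerts.append((ts, cid, f"cadence anomaly: {gap_ms:.0f}ms gap, nominal {period}ms"))
        last_seen[cid] = ts
    return alerts

# Constructed trace: the lock-module ID 0x2A0 appears on the lights segment (fcm)
# 5 ms after the genuine one, which trips both checks.
SAMPLE_TRACE = [
    "(0.000) fcm 0F1#00",
    "(0.000) acm 2A0#00",
    "(0.100) fcm 0F1#00",
    "(0.200) acm 2A0#00",
    "(0.205) fcm 2A0#01",
    "(0.300) fcm 0F1#00",
    "(0.400) acm 2A0#00",
]

if __name__ == "__main__":
    for ts, cid, reason in inspect(SAMPLE_TRACE):
        print(f"{ts:.3f}s 0x{cid:03X}: {reason}")
```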

 
Discussion starter · #6 ·
Aside from armor plating the wheel well or using steering wheel locks can we use some sort of a kill switch?
Previous threads discussed these potential kill switch methods: (1) 2-way switch to starter motor (2) 2-way switch to fuel tank low pressure pump (3) removing fuse or relay to starter motor (4) removing fuse or relay to low pressure fuel pump in tank. No one has posted that they have successfully done any of these methods. No one has supplied photos or details. The few wiring diagrams available are confusing. There are multiple relays and fuses for the low pressure fuel pump. A poster removed the most likely relay for the fuel pump and the RAV still ran and he got DTCs.
 
Discussion starter · #8 ·
Had opted for the relay method as suggested by Scotty. Per observation the security light is still blinking and doors are locked/unlocked using fob. But the engine is disabled (pushing the start/stop button) if the fob is compromised. Haven't tested for DTC code yet.
Which relay did you pull and from what location? It would be MUCH APPRECIATED if you could take a photo of that relay and post it here. It would help every 5th gen RAV owner.
 
Are you getting a check engine MIL light or warning messages on the MID screen when you push the button to try to start the RAV with the EFI-main No.1 relay removed? Also what year and model and ICE or hybrid is your RAV?
Keyfob not detected, then it says something ON just like when you are using techstream. I have the 2020 Rav4 XLE gas.
 
Discussion starter · #13 ·
Keyfob not detected, then it says something ON just like when you are using techstream. I have the 2020 Rav4 XLE gas.
Try to replace the relay and see if these messages/warnings go away. The other poster who previously pulled a fuel pump relay had DTCs and warnings even after he replaced his relay. I don't know if he was able to erase them with his OBD2 scan tool.
 
Try to replace the relay and see if these messages/warnings go away. The other poster who previously pulled a fuel pump relay had DTCs and warnings even after he replaced his relay. I don't know if he was able to erase them with his OBD2 scan tool.
This is what happened: the previous messages occurred a few hours after relay removal with keyfob disabled. Pressing the start/stop button results in a message that the system is ON with engine and other error icons appearing like when doing techstream diagnostics. After several hours, the relay is replaced and all errors disappear and the car starts normally. A day or two later with relay removed, keyfob enabled this time, errors are displayed in the mid display. Running techstream results in 11 DTC codes. Relay is then replaced and diagnostic run again results in 13 DTC codes. Starting the car results in the same mid errors with engine not starting (even though DTC codes were erased earlier). Jump starting restores normal operation with normal display in mid. My conclusion is that the relay removal will work provided the battery is not drained.
 
Discussion starter · #15 ·
A day or two later with relay removed, keyfob enabled this time, errors are displayed in the mid display. Running techstream results in 11 DTC codes. Relay is then replaced and diagnostic run again results with 13 DTC codes. Starting the car results in same mid errors with engine not starting (even though DTC codes are erased earlier). Jump starting restores normal operation with normal display in mid.
I really appreciate the tests you did. However do you really think removing that EFI-main No.1 relay is a practical means for most RAV4 owners to use as a kill switch to prevent car theft on a daily basis? I mean if you get 13 DTCs and MID screen warnings AND the RAV won't start when you replace the relay obviously no one will do this whenever they park their car.
 
I really appreciate the tests you did. However do you really think removing that EFI-main No.1 relay is a practical means for most RAV4 owners to use as a kill switch to prevent car theft on a daily basis? I mean if you get 13 DTCs and MID screen warnings AND the RAV won't start when you replace the relay obviously no one will do this whenever they park their car.
I think the point is determining what will happen if adding a starter-coil-interrupter switch--without going through the effort of adding the switch. If you have a de-pinner this isn't so difficult, but it's still easier to pull a relay and see what happens in different circumstances.

For instance, pulling the low-pressure fuel pump relay was a lot easier/faster than identifying and de-pinning the coil wire for that relay and patching in a switch, using the switch, then wondering if pulling a wrong wire or accidentally depinning two wires is what threw Diagnostic Trouble Codes given the real-world situation the pump kept running even without the relay--pulling the relay avoided all those questions.
 
I really appreciate the tests you did. However do you really think removing that EFI-main No.1 relay is a practical means for most RAV4 owners to use as a kill switch to prevent car theft on a daily basis? I mean if you get 13 DTCs and MID screen warnings AND the RAV won't start when you replace the relay obviously no one will do this whenever they park their car.
My real intention is to use the method if the car will be in the garage for a long time like two or more weeks. It could be easier. However, I have not anticipated the battery problem.
 
Discussion starter · #18 ·
My real intention is to use the method if the car will be in the garage for a long time like two or more weeks.
OK. That makes sense. If someone was going on vacation and storing the RAV for several weeks or months. You would need a jump starter pack and an OBD2 scanner to erase the DTCs. Same thing for long term storage at an airport. Bottom line--unfortunately, fuel pump relay removal is NOT practical for daily theft prevention.
 
OK. That makes sense. If someone was going on vacation and storing the RAV for several weeks or months. You would need a jump starter pack and an OBD2 scanner to erase the DTCs. Same thing for long term storage at an airport. Bottom line--unfortunately, fuel pump relay removal is NOT practical for daily theft prevention.
For daily theft prevention the relay method is not appropriate I agree. However, as pointed out there is no such thing as a perfect prevention. We may have to participate whether we like it or not in the Russian roulette scheme as suggested.
 
For long term storage the owner's manual on vehicles with lots of small computer systems (modern vehicles) says to pull the "vacation block" (or "vacation disconnector") in the driver side fuse panel under the dash. The infotainment center and many other things are disconnected so the battery isn't worn down.

I haven't seen mention of "vacation disconnect" in a RAV4 manual.
 