
CAN Invader Attack -- Unstoppable New RAV4 Car Theft Method

#1 ·
Another poster's recent thread got me doing international research. There is a NEW car theft method which was just "invented" this summer in Japan and its use has exploded in the UK. It is widely used to steal 5th generation RAV4s and late model Lexus throughout England and Japan in the last few months. It is called a "CAN Invader Attack". The thief goes through the passenger's front wheel well (like changing a fog light bulb) and cuts the wires to the headlight and splices in a device by which he accesses the Toyota or Lexus CAN bus system. It takes less than three minutes to steal the car as the video shows. Police and English forums say the only way now to stop RAV4 thefts is to armor plate the wheel well or to use steering wheel locks. This CAN Invader Attack is completely new and different from the older "Relay Attack" method of theft involving capturing the signal from the key fob which is used in the US and Canada. The CAN Invader Attack can't be prevented currently by any known means. The screenshot is from a UK Toyota forum.
 


#6 ·
Previous threads discussed these potential kill switch methods: (1) 2-way switch to starter motor (2) 2-way switch to fuel tank low pressure pump (3) removing fuse or relay to starter motor (4) removing fuse or relay to low pressure fuel pump in tank. No one has posted that they have successfully done any of these methods. No one has supplied photos or details. The few wiring diagrams available are confusing. There are multiple relays and fuses for the low pressure fuel pump. A poster removed the most likely relay for the fuel pump and the RAV still ran and he got DTCs.
 
#3 ·
In Ontario we have an insane car theft problem. Rav4 have not been an issue as of yet but Lexus, forget about it. We had some Lexus dealers get 10 high end SUVs stolen in the same night.
Not a single one was ever recovered. If you have a high end Lexus in Ontario you'll be lucky to still have it after 6 months.
And if you park in a private garage and they can't steal it at night they will simply carjack you at gunpoint and steal it that way.

The main issue I see is that when they do catch someone in a stolen car they are booked and released within a few hours.
Even after being caught several times it's very rare that car thieves are ever given prison time at all.
So they have the potential to make huge returns and if caught they don't face any harsh sentences, so it's a win-win for them.
 
#4 ·
Cannot see anything useful in the posted video. How can this sort of supposed device work as described unless the headlight circuit is somehow always live? On our RAV4 (different generation) the headlights are switched off either manually or automatically after about 30 seconds when the ignition is switched off, so the headlamp circuit should be dead.
 
#5 · (Edited)
The more that a computer controls a system the less secure something is...keep that in mind as a general rule of thumb.

While I do have some experience in the field, I don't have a Toyota or Lexus affected by this type of attack nor the wiring and logic diagrams for an affected vehicle, so I can only speak to this from afar...how applicable the following is will be up to you to decide, though it probably hits pretty close to the mark.

The problem is CANBUS is not encrypted and is being hijacked. Though the lights are off, the communications lines are still alive and active. Depending on how the bus is segmented it can be "relatively" easy to inject "Front Driver Side Door Inside Unlock." It should not be easy, however the problem being the Convenience Bus wiring (used for remote entry) may be used by the Tire Pressure Control Module (low bandwidth), Frontal Control Module (lights, low bandwidth), Access Control Module (low bandwidth), etc... Depending, these are different buses multiplexing for bandwidth (sharing time on the same data wires), so while it's not "easy" to get the signalling correct it appears someone figured out how to jump on the wiring, multiplex onto the ACM bus, and send an unlock packet.

I was totally surprised on the next step, pairing a smart key with the Remote Keyless Entry is not at all hard--it takes 15 seconds if automated.* Once that's done it's easy to use the rogue smart key to get the handshake certified. I know a different Japanese manufacturer is pretty rigorous about it, getting a new fob activated requires dealer intervention and authorization from H.Q. in Japan, and the dealer tends to soak the customer for $500 plus $125 for the fob, unlike Toyota where the owner can pair a new fob themselves (a huge win for Toyota/Lexus owners).** However, Toyota certainly could have improved the process by adding layered authentication.

Once the fob-vehicle handshake is certified, injecting "Start/Stop Button Press" isn't hard, it's just a convenience for the thief at this point.***

*RKE Module surface attacks are well known, the CANBUS attack while more complicated is simply a more expedient method.
**This is consistent with Toyota mentality of making easy-to-use/easy-to-maintain/easy-to-repair products.
***Some security details not necessary to the core understanding have been omitted.


====
So, what to do....

If you've been around a while the first thing that comes to mind is probably a switch interrupting the starter relay coil wire. A reed switch can be hidden in the dash and activated with a magnet; it can be bypassed but a thief would need a bit of time to figure it out, plus a few more tools. Chances are another theft attempt at a later date will be contemplated, if there's a good chance of success the vehicle might be gone within a week.

An ultimate (and poor) solution is to put a remote on the ECU power, something like:
Remote Control Battery Disconnect Switch Kill Switch for Car with 2 Keys Anti-Theft DC12V 200A Electromagnetic Solenoid Valve Terminal
I am NOT suggesting this--the ECU is not meant to be power cycled and doing so would cause a constant loss of stored settings (like engine tuning). Also of importance: the secondary remote system (such as in the Amazon link) reliability and security strength is unknown.

Getting steel shield plates bent and installed, plus disabling the remote (via ECU "disable" option, a setting stored in the ECU) could possibly be the best solution at the moment, as it will avoid the damage to the wiring and forestall or prevent theft.

Otherwise, a physical bus in the CANBUS system contains a CAN_High and CAN_Low wire.
  • CAN: Controller Area Network
  • bus: A communication standard that allows microcontrollers and devices to communicate with each other.
  • Serial communication: The process of sending data one bit at a time, sequentially, over a communication channel or computer bus.
  • CAN bus: A serial communication transport designed for robust performance within harsh environments (primarily automotive and industrial applications).
  • Attack surface: The number of all possible points, or attack vectors, where an unauthorized user can access a system. The smaller the attack surface, the easier it is to protect.
I'm going to guess on a Lexus there are two bus lines for the front, a Frontal Control Module-Left & Frontal Control Module-Right (these systems typically have the lights and possibly other sensors on them). If so, putting a Quad-Pole Single-Throw electronic switch on the bus lines for the FCM-L and FCM-R would disconnect them from the ECU, so all systems using the FCM-L and FCM-R buses could potentially communicate with each other (if powered), but not the ECU.**** Since the door lock relay is usually on a different physical bus than the headlights (different wires), injecting Convenience commands should go unanswered.*^ I'd guess the Remote Keyless Entry receiver is under the dash or mounted to an A-pillar on a different physical bus, so the keyfob should still allow remote entry.

**** Do not assume a device is unpowered during an attack as power can be injected.
*^ The headlights and doors should be on different physical wires, so tapping into one system shouldn't allow communication with the other except through the ECU, which in this case would have been disconnected via tying 4 pins high on the electronic switch which opens the FCM bus lines, disconnecting the lights from the ECU.


Concerning the keyfob, there's a remote attack surface that's not uncommon, the following video explains it well. I would guess there's an ECU setting to disable this (until the ECU setting is reset to the default value).

 
#55 ·
I'm UK based. I'm buying a Toyota RAV4 Plug-In Hybrid, first registration was in May 2021. Will it be susceptible to the CAN injection hack?

Since it's a 2021 plug-in hybrid registered in May 2021, I'm wondering if Toyota has fixed this issue. I've only signed the finance papers and have paid the deposit so I'm not sure how to proceed with the dealership about my concerns.

I was thinking of using a professional service to install a Smart Alarm System, Ghost immobilizer, and CAN bus immobiliser.

Any thoughts?
 
#20 · (Edited)
For long term storage the owner's manual on vehicles with lots of small computer systems (modern vehicles) says to pull the "vacation block" (or "vacation disconnector") in the driver side fuse panel under the dash. The infotainment center and many other things are disconnected so the battery isn't worn down.

I haven't seen mention of "vacation disconnect" in a RAV4 manual.
 
#21 ·
For long term storage the owner's manual on vehicles with lots of small computer systems (modern vehicles) says to pull the vacation block in the fuse panel under the dash. The infotainment center and many other things are disconnected so the battery isn't worn down. I haven't seen that in a RAV4 manual.
I think you're right. I tried disconnecting one battery terminal, then reconnecting it back. The result is a reboot of the system erasing all the previous settings done. It seems the electronic system in the Rav4 is designed to have a power supply connected all the time in order to retain all your settings. I think this is a bad design.
 
#23 ·
I made a post with a diagram on wiring a reed switch and magnet to create a "disable" circuit, it could be connected to the starter relay coil or whatever else you like. Also in the post: How to disable keyfob Proximity mode.

 
#24 ·
It is always advisable to use a visible deterrent steering wheel lock or brake lock. These can usually be overcome by professional, experienced crooks with bolt cutters or hack saws to either cut the lock or steering wheel--but first they have to have bolt cutters or a saw and second it takes them some time to do the lock cutting and thieves like to be very quick. This generation of thieves is primarily computer whizz kids who use electrical gizmos and gimmicks--they are not very hands on, old school types who would bother with mechanical locks. There is a type of expensive wheel lock commonly used in England and the EU but not in the US called the Disklok. It is cumbersome, heavy and takes time to install. Many people like it. The other drawback is that if you have long fingers and know what you're doing you can drive the car with the Disklok installed, albeit very slowly and laboriously. The Disklok can't be removed by a thief unless he has noisy power tools like those used to cut off catalytic converters.
 
#32 ·
The Club CL606 was able to prevent my 2003 Camry LE, which only had a basic metal key, from being stolen. Could be useful if in a high crime area.
It doesn't attach to the steering wheel so they'd have to break the lock mechanism to remove it. Not sure if it'll fit the RAV4 but I'm going to try it out when I find it again.

 
#34 ·
I like wheel locks and pedal locks. At the very least they serve as visual deterrents to thieves who see them and move on to a car without them that takes less time and effort to steal. However, let's all be realistic. Any serious professional thief (as opposed to a tweaker, joy rider, teenage numb nuts type) can get around any mechanical lock quickly. There are many YouTube videos showing how to "pick" or drill the lock on the common types of automobile locks. Also a hacksaw or bolt cutters can cut through portions of the wheel and pedal locks or even the steering wheel itself to remove them (even easier with a powered cutting saw for stealing catalytic converters). Some locks are so wimpy they can be pried off with a crowbar or just by kicking or hammering them.
 
#38 ·
The CAN attack WILL most likely work on the physical key model 5th gen RAVs. This is because all of the models, key and remote fob, use the CAN BUS system to interlink their various ECUs and modules. All the key or fob does is disable the engine immobilizer system and tell the main ECU to work the starting motor and fire the coils and energize the fuel injection on the gas models, and to start up the storage battery and electric motors on hybrid. BUT they ALL have a CAN BUS system.
 
#44 ·
Just read the whole topic. Conclusion is: it's not unstoppable. A CAN Bus immobilizer works perfectly fine in this case.
So, CAN is flooded with messages - the car can be opened and even started, but to start it driving you have to stop flooding the CAN Bus with messages and at this point the immobilizer will shut it down.
I know a person with an RX 350 which has already survived a CAN Attack 3 times, with just some damage to the bumper cover.
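Two of the observations above, a body/convenience frame showing up on the headlight wiring (post #5) and the bus being flooded with messages (post #44), are the kind of thing a CAN bus immobiliser or intrusion detector looks for. The following is an added example and not code from the thread, from Toyota, or from any immobiliser product: it parses constructed candump-style log lines using hypothetical frame IDs, segment names and thresholds, and flags both conditions.

```python
"""Added example (not from the thread): a minimal CAN frame log analyser in the
spirit of post #5 (a body/convenience frame showing up on the headlight wiring)
and post #44 (flooding the bus). Frame IDs, segment names, thresholds and the
log format are constructed assumptions, not Toyota or Lexus values."""
from collections import defaultdict

# Assumption: which arbitration IDs are legitimately sourced on each physical
# bus segment. Hypothetical IDs; a real allowlist comes from a baseline capture
# of the specific vehicle.
SEGMENT_ALLOWLIST = {
    "fcm": {0x2A0, 0x2A1},           # front control module: lights, front sensors
    "body": {0x3B0, 0x3B1, 0x3F0},   # door locks, remote keyless entry
}
FLOOD_THRESHOLD = 20   # frames of one ID within the window (assumed far above baseline)
WINDOW_S = 0.1

def parse_frame(line):
    """Parse a candump-style line '(ts) iface ID#DATA' into (ts, iface, id, data)."""
    ts, iface, frame = line.split()
    can_id, _, data = frame.partition("#")
    return float(ts.strip("()")), iface, int(can_id, 16), bytes.fromhex(data)

def analyse(lines, iface_segment):
    """Return alerts (ts, kind, iface, id): 'foreign_id' when an ID that does not
    belong to the segment appears on it, 'flood' once per ID when its rate
    crosses FLOOD_THRESHOLD inside the sliding window."""
    alerts = []
    window = defaultdict(list)        # (iface, id) -> recent timestamps
    for line in lines:
        ts, iface, can_id, _ = parse_frame(line)
        if can_id not in SEGMENT_ALLOWLIST[iface_segment[iface]]:
            alerts.append((ts, "foreign_id", iface, can_id))
        recent = [t for t in window[(iface, can_id)] if ts - t <= WINDOW_S]
        recent.append(ts)
        window[(iface, can_id)] = recent
        if len(recent) == FLOOD_THRESHOLD:   # fire once when the threshold is crossed
            alerts.append((ts, "flood", iface, can_id))
    return alerts

# Constructed capture from the headlight segment: 1 s of normal lights-status
# traffic, one door-lock ID injected on the wrong wiring, then a 30 ms burst.
SAMPLE_LOG = (
    [f"({i * 0.05:.3f}) can0 2A0#01" for i in range(20)]
    + ["(1.000) can0 3B0#0400"]
    + [f"({1.0 + i * 0.001:.3f}) can0 2A0#FF" for i in range(30)]
)

if __name__ == "__main__":
    for ts, kind, iface, can_id in analyse(SAMPLE_LOG, {"can0": "fcm"}):
        print(f"{ts:.3f} {kind:<10} {iface} 0x{can_id:03X}")
```

On the constructed capture this reports the foreign door-lock ID at 1.000 s and the flood once the 20th frame of the burst lands at 1.018 s; the 50 ms baseline traffic never trips it.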
 
#48 ·
Forgot where I saw someone said the Autowatch Ghost is just a rebranded version of this:
$199 euro.

I don't know if it comes with installation instructions or may need to be translated from German to English.
I don't know if IGLA is the same device. I've seen posts on other car brand forums where the installation cost runs about 1k-1.5k. That's a lot of $$$.
 
#49 ·
I don't know if IGLA is the same device. I've seen posts on other car brand forums where the installation cost runs about 1k-1.5k. That's a lot of $$$.
I don't think an amateur should try to DIY install IGLA or any other immobilizer on a RAV4. If you make a mistake it may permanently screw up the car so it won't ever start.