Thieves are now stealing cars via a headlight 'CAN injection'

My Nissan Leaf Forum


knightmb (Well-known member, joined Jan 12, 2015, Franklin, TN):

A lot of CAN hacking is used in the Leaf community, so naturally, does anyone know if someone can start a Leaf and make it driveable via CAN? :eek:
 
I have my doubts since there are so many steps and modules that need to boot up correctly to get into READY mode. I suspect the CAN Bus headlight trick (if the thieves could get to the connectors) would leave the car in a mode similar to starting with a weak 12V battery.
 
Not only that, I think you may have separate use cases for Gen1 and Gen2 Leafs. I know that the Gen1 Leaf never supported "remote start" in any fashion.
 
Ah, makes sense. You could only ever turn on the AC/Heat for 15 minutes, maybe lock or unlock the doors, but yeah, I don't remember any way to remotely just "start" the Leaf and drive off like nothing.

Security through obscurity. :lol:
 
My understanding of the headlight CAN injection hack is that it somehow tells the ECU that the key is present. So the normal startup sequence is followed with the only difference being that the car receives a bogus CAN message sequence saying the key-interlock security test is complete.

I've never tested this but I assume once the car is started you could throw the key out the window and drive away, i.e. the key is only interrogated once at startup.

The headlight part of the hack is just because the headlight provides easy external access to the CAN bus wiring. So if your Leaf doesn't use CAN to control the headlights, it isn't susceptible - to this hack - but if there are CAN wires anywhere that can be accessed the same strategy could probably be used.
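A defender-side illustration of the replay/injection idea described in the post above: injected "key accepted" frames have to be squeezed in between the genuine periodic frames on the same arbitration ID, so they arrive off-cadence. This is an added example, not code from the thread or from the linked write-up; the arbitration ID 0x123, the payloads and the 100 ms cadence are constructed for illustration and are not real Leaf values.

```python
import statistics
from collections import defaultdict

# Constructed baseline capture: "<timestamp_s> <arbitration_id_hex> <data_hex>".
# ID 0x123 is a made-up "key status" frame sent every 100 ms by the real ECU.
BASELINE_LOG = [f"{t / 10:.3f} 123 00" for t in range(20)]  # 0.000 .. 1.900 s

# Same traffic plus two constructed injected frames claiming "key accepted" (01),
# wedged between the genuine frames at 1.000 s and 1.100 s.
INJECTED = ["1.030 123 01", "1.045 123 01"]
SUSPECT_LOG = sorted(BASELINE_LOG + INJECTED, key=lambda ln: float(ln.split()[0]))


def parse_log(lines):
    """Parse log lines into (timestamp, arbitration id, payload bytes) tuples."""
    frames = []
    for line in lines:
        ts, can_id, data = line.split()
        frames.append((float(ts), int(can_id, 16), bytes.fromhex(data)))
    return frames


def learn_periods(frames):
    """Learn the typical inter-arrival time per arbitration ID from clean traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _ in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: statistics.median(g) for cid, g in gaps.items()}


def find_off_cadence(frames, periods, tolerance=0.5):
    """Return frames that arrive far sooner than the learned period for their ID.

    A frame closer than period*(1-tolerance) to the previous genuine frame is
    flagged and does NOT reset the cadence, so back-to-back injections are all caught.
    """
    last, alerts = {}, []
    for ts, can_id, data in frames:
        period = periods.get(can_id)
        if period is not None and can_id in last:
            if ts - last[can_id] < period * (1 - tolerance):
                alerts.append((ts, can_id, data.hex()))
                continue
        last[can_id] = ts
    return alerts


if __name__ == "__main__":
    periods = learn_periods(parse_log(BASELINE_LOG))
    for ts, cid, payload in find_off_cadence(parse_log(SUSPECT_LOG), periods):
        print(f"off-cadence frame at {ts:.3f}s id=0x{cid:x} data={payload}")
```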
 
Wow. More details here: https://kentindell.github.io/2023/04/03/can-injection/ It is likely many, many vehicles are vulnerable.
 
MikeinPA said:
Wow. More details here: https://kentindell.github.io/2023/04/03/can-injection/ It is likely many, many vehicles are vulnerable.

That was a good read. I think if some of the CAN experts could weigh in: can the Leaf be tricked into turning on, or is it too complex to just do a replay attack like what is being done to the Toyota vehicles?

If it is possible, do any "cheap" methods exist to protect the Leaf?
 
A relay (not replay) attack can be used on any push-button car. This attack uses an external transceiver to amplify the signals between the car and the key, so the key can be far away from the car (e.g. in your house) and the car still sends/receives the same messages it would when the key is in your pocket next to the car. I'd guess the thief would need to physically be in the car to press the brake pedal, but opening a door can be done in the same way: amplify the signals and push the unlock button on the door of the car.

I wouldn't worry about a Leaf since I've read that most of these stolen cars are shipped overseas to countries in Africa or Asia and I don't think there is much demand for Leafs there. I think it was TopGear or some other show that followed the chain of cars. It is a highly organized operation and only certain types and models of cars were targeted. Think BMW, Lexus, Acura, high-end SUVs etc.
 
If it is possible, do any "cheap" methods exist to protect the Leaf?

A crude solution could be to add a hidden switch that prevents the shifter knob from exiting park. Maybe interrupt power to the servo that operates the parking pawl. But who is going to steal a Leaf?
 
goldbrick said:
A relay (not replay) attack can be used on any push-button car.

Sorry I wasn't clear about the last post, I should have said a replay attack on the CAN bus of the "signal" that starts the vehicle is replayed to trick the vehicle computer.
 