
Is Octavia MkIII (2017-2020) CANbus encrypted?


Recent news talks of CANbus attacks by which the attacker pries off a headlight, plugs two wires into the CANbus, and with €10 of electronics, disables the engine immobilizer and starts the engine.

This would be possible as long as the CANbus isn't encrypted/ messages on the CANbus don't require cryptographic validation.

Anyone know whether the Octavia MkIII (2017-2020) model years -- or any/other model year ranges and other Skoda/VW cars -- have adequate cryptographic protections against this type of attack? Now that criminals are selling these devices (they're asking a few €thousand for the devices today, but it will be only months before they're available for €100, being that the technology needed is cheap off-the-shelf, and it's only the software, which is copyable, that does the clever part).

https://www.autoblog.com/2023/04/18/vehicle-headlight-can-bus-injection-theft-method-update/

If someone wants to go to that length to nick my skoda they're welcome to it.

 

I really wouldn't worry about it if I were you; it's highly unlikely and there are easier ways to steal a car.

  • Author

Easier ways to steal a car than to buy an inexpensive product, break off a headlight (or in any other way at any other point on the vehicle get access to the CANbus wires), plug in wires, and thirty seconds later the doors are unlocked and the engine started?

  

57 minutes ago, skomaz said:

If someone wants to go to that length to nick my skoda they're welcome to it.

 

I really wouldn't worry about it if I were you; it's highly unlikely and there are easier ways to steal a car.

 

Skodas don't appear in the top 10 of cars that are stolen, so I'm not going to lose any sleep over it.

  • Author

Per this article,  https://www.actualidadmotor.com/en/most-stolen-cars-spain/  

in 2019 6 of the top twenty stolen cars in Spain (where I live) were VW group cars (VW, Seat, and Audi); I imagine that a lot of these parts are interchangeable.

I've worked in information security for decades. The reality is that once a type of crime gets easier, more of that crime occurs unless something makes it unlikely to pay or makes it more likely that the criminals will get caught.

Stealing a bunch of types of cars just got easier. Alarm and key defeat, no noise, little fuss; five minutes (or less) in a dark garage or shadow, and the car starts up and the thief drives it away.

We probably have to worry about this more now than we did up until a few months ago.

  

18 minutes ago, PetrolDave said:

Skodas don't appear in the top 10 of cars that are stolen, so I'm not going to lose any sleep over it.

 

 

 

Once thieves find the correct wires to tap into, the theft device does the work for them. A simple “play” button on the fake JBL speaker injection tool is programmed to instruct the door ECU to unlock the doors, as though you have the actual key to the car in your hand. You turn the vehicle on in a similar fashion, and a thief can simply drive away with your car without ever coming into contact with the vehicle’s actual key fob.

 

I think the above is inaccurate for the reasons of not wanting to publicise exactly what is done and for journalistic hyperbole.

 

A simple play button? Very unlikely.

 

You turn the vehicle on in a similar fashion, and a thief can simply drive away with your car without ever coming into contact with the vehicle’s actual key fob.

 

I think that is the hyperbole, with an operating CAN system I understand that you can access a module and using the output tests function unlock doors etc and that the central locking module would always be awake for encoded remote control signals so that is feasible but the engine ECU is inoperative until the immobiliser module recognises a valid key or remote. I suppose they could "inject" the wake up command.

 

Given that 2 decades ago Rover vehicles were being stolen by thieves accessing a connector behind the wheel arch I think the immobiliser modules are much better protected but it sounds like they are faking the output signals.

 

I have tried to keep up with how thieves are actually overcoming systems in recent years but the reporting has always been deliberately vague (which I understand) until the knowledge is quite widespread and always panic inducing headlines, during the evolution of this and the lazy no key systems I said to myself they are making a big big mistake by removing the steering lock, the only mechanical anti-theft system, from vehicles.

  • Author

Sadly, I believe that both of these are accurate, even if stated a bit simply in the article.

The CAN bus is a standard, over which known protocol messages travel. Any such communication environment, if not protected by message authentication or by overall encryption preventing intelligible injection, is trivially defeated by technology. The hard work is figuring out how. Once done (which clearly it has been) then it's a cheap job of copying it. Think about the old remote garage door universal openers that thieves were able to buy, until newer, much harder to copy/predict code remote garage door openers became standard. Same problem. Heck, our OBD11 and similar devices more-or-less prove that our cars are vulnerable to these things. Plug in a device that has no secret knowledge from the manufacturer, and it can perform all kinds of things; it may not be able to tell the car "disable alarm, start engine" but that's only because it's not programmed to. Once someone figures it out, the cat is permanently out of the bag, until a new lock is put on the bag...

 

Or, the replacement of the once-venerable "DES" encryption algorithm - strong enough for military and government use ... until computer technology advanced enough that it could be broken in a few hours on a $1000 retail PC. (So now we use AES-256 which is several orders of magnitude more computationally expensive to break, and should be good enough for another decade or so .. or until quantum cryptography becomes practical at that scale...).

 

So, the original question: is VW group/ Skoda CAN bus protected against this, either by the car's computer systems performing message authentication or by having all communication on the bus signed?

Or are our cars vulnerable? Actually, almost surely our cars are vulnerable, as my OBD11 example above suggests; if the cars' computers required authenticated messages or encryption, OBD11 couldn't work.

  

17 minutes ago, J.R. said:

Once thieves find the correct wires to tap into, the theft device does the work for them. A simple “play” button on the fake JBL speaker injection tool is programmed to instruct the door ECU to unlock the doors, as though you have the actual key to the car in your hand. You turn the vehicle on in a similar fashion, and a thief can simply drive away with your car without ever coming into contact with the vehicle’s actual key fob.

 

I think the above is inaccurate for the reasons of not wanting to publicise exactly what is done and for journalistic hyperbole.

 

A simple play button? Very unlikely.

 

You turn the vehicle on in a similar fashion, and a thief can simply drive away with your car without ever coming into contact with the vehicle’s actual key fob.

 

I think that is the hyperbole, with an operating CAN system I understand that you can access a module and using the output tests function unlock doors etc and that the central locking module would always be awake for encoded remote control signals so that is feasible but the engine ECU is inoperative until the immobiliser module recognises a valid key or remote. I suppose they could "inject" the wake up command.

 

Given that 2 decades ago Rover vehicles were being stolen by thieves accessing a connector behind the wheel arch I think the immobiliser modules are much better protected but it sounds like they are faking the output signals.

 

I have tried to keep up with how thieves are actually overcoming systems in recent years but the reporting has always been deliberately vague (which I understand) until the knowledge is quite widespread and always panic inducing headlines, during the evolution of this and the lazy no key systems I said to myself they are making a big big mistake by removing the steering lock, the only mechanical anti-theft system, from vehicles.
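
The message authentication the post above asks about, sketched as an added example that is not part of the original thread and is not Skoda/VW code: a receiver that accepts a CAN payload only if a truncated HMAC and a freshness counter verify. The frame layout, key, CAN ID and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 3                          # truncated tag: 4 data + 1 counter + 3 MAC = 8 bytes
DEMO_KEY = b"constructed-demo-key"   # constructed; stands in for a provisioned ECU secret


def _tag(key: bytes, can_id: int, data: bytes, counter: int) -> bytes:
    """Truncated HMAC over arbitration ID, full freshness counter and data."""
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def make_frame(can_id: int, data: bytes, counter: int, key: bytes = DEMO_KEY) -> bytes:
    """Sender side: payload = data(4) | low byte of counter | truncated MAC(3)."""
    if len(data) != 4:
        raise ValueError("this layout carries exactly 4 data bytes")
    return data + bytes([counter & 0xFF]) + _tag(key, can_id, data, counter)


class Receiver:
    """Accepts a frame only if its MAC verifies for a counter newer than the last one."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.last = {}               # can_id -> highest counter accepted so far

    def accept(self, can_id: int, payload: bytes) -> bool:
        if len(payload) != 8:
            return False
        data, low, tag = payload[:4], payload[4], payload[5:]
        nxt = self.last.get(can_id, -1) + 1
        # Rebuild the full counter: the smallest value >= nxt with this low byte.
        counter = nxt + ((low - nxt) & 0xFF)
        if not hmac.compare_digest(tag, _tag(self.key, can_id, data, counter)):
            return False             # forged, tampered or replayed frame
        self.last[can_id] = counter
        return True


def demo() -> list:
    rx, can_id, unlock = Receiver(), 0x123, b"\x01\x00\x00\x00"  # constructed ID and data
    genuine = make_frame(can_id, unlock, 0)
    injected = make_frame(can_id, unlock, 1, key=b"no-access-to-ecu-key")
    return [rx.accept(can_id, genuine),                # True: valid MAC, fresh counter
            rx.accept(can_id, genuine),                # False: replay of a recorded frame
            rx.accept(can_id, injected),               # False: sender lacks the key
            rx.accept(can_id, make_frame(can_id, unlock, 1))]  # True: next genuine frame
```

A diagnostic tool can still work on a bus protected this way if it is provisioned with a key or restricted to unauthenticated read-only services; the check only governs which frames a receiving ECU acts on.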

 

29 minutes ago, JayLibove said:

Actually, almost surely our cars are vulnerable, as my OBD11 example above suggests; if the cars' computers required authenticated messages or encryption, OBD11 couldn't work.

 

You have chosen a very bad example.

 

OBDII is a recognised unsecured data sharing protocol, probably the wrong wording, it is intended that any mechanic or DIY'er with an OBDII device can access and erase (within limitations) generic OBDII fault codes from any vehicle because they are standardised across all vehicles.

 

I can do this with my sub £10 code reader, I cannot access the canbus modules without my £300 VCDS, I know clones are available, I cannot read fault codes from within those modules, reprogram them or perform output tests, with VCDS I cannot overcome my own vehicle's immobiliser let alone somebody else's.

 

I doubt that the signals are encrypted, that would make the replacement of modules very difficult and expensive, I do think however there is far more security within the immobiliser system than the article or yourself claim.

 

It can be overcome, I bought a remapped "plug & play ECU" for my Octavia where the immobiliser function was disabled, that vehicle could then be started without an immobiliser key because the ECU was from another vehicle and still believed it was, without the mod it could never have started my engine, the mod could not be done via the canbus, it needed the ECU reflashed or whatever they do.

2 hours ago, JayLibove said:

Per this article,  https://www.actualidadmotor.com/en/most-stolen-cars-spain/  

in 2019 6 of the top twenty stolen cars in Spain (where I live) were VW group cars (VW, Seat, and Audi);

My point is that they were VW, SEAT and Audi but not Skoda - Skoda are not seen as desirable by vehicle thieves.

 

And as J.R. points out the immobiliser encryption is much stronger than the DES algorithm and has yet to be broken so any vehicle with the full immobiliser system in place cannot be stolen in the easy way the article suggests. I think the article has an element of journalistic simplification so should be treated with some scepticism.

 

BTW I spent many years working on vehicle electronics for a major automotive consultancy so I'm not ignorant on these issues.

Edited by PetrolDave

6 hours ago, JayLibove said:

Easier ways to steal a car than to buy an inexpensive product, break off a headlight (or in any other way at any other point on the vehicle get access to the CANbus wires), plug in wires, and thirty seconds later the doors are unlocked and the engine started?

  

 

 

Yes - very much so...   Usually involving something simple (eg like a brick and an old laptop, or a signal repeater) and resulting in far less / cheaper damage to be repaired after the vehicle has been stolen.

 

As others have pointed out Skodas are pretty low on the 'want to steal' list and, even if they weren't anybody going to that sort of length is probably going to get it regardless and is likely to be the type of person that will not take 'no' for an answer and you'd rather not challenge whilst they were in the process of taking the car.

 

If you're that concerned about theft of your own vehicle then maybe you need to consider additional security / immobilising measures, most probably of the mechanical variety.

He makes a good point about the parts being interchangeable with the other VAG vehicles, I doubt that any of them aside from the very expensive and desirable are stolen to be resold, broken up for parts is where the demand is.

 

Personally I would just steal the canbus connected headlights and sell them seeing how much they cost 😄

 

You have no doubt seen loads of photos of vehicles where the front bumper, headlights and crash beam with radiators/intercooler attached have been removed while the vehicle was parked, that can be done far quicker than stealing a vehicle by Canbus injection which would require the immobiliser (unlikely) and steering lock to be defeated plus they don't have to drive away in a partially dismantled car shouting "Nick me! - Nick me!"
