CAN do attitude: How thieves steal cars using network bus

Automotive security experts say they have uncovered a method of car theft relying on direct access to the vehicle's system bus via a smart headlamp's wiring. It all started when a Toyota RAV4 belonging to one of the tech gurus suffered suspicious damage to the front wing and headlight housing, and was eventually successfully …

  1. Oh Matron!

    Easily solvable....

    My XC90 (RIP) used MAC based authorisation for things like the Radio, etc, and replacement radios wouldn't work unless you switched off the MOST protection

    HOWEVER: The second that you turn on mechanisms like this for the entire bus, hobbyist CANBus readers are likely to stop working for all but the most simplistic of faults

    At the very least, radio keyfob messages should be signed

    1. Mishak Silver badge

      Re: Easily solvable....

      I'm not sure how that would help here, as CAN doesn't have anything equivalent to MAC ids?

      It's not that easy to protect CAN messages:

      1) Some form of payload validation/encryption could be added - this is not really practical, as a lot of systems still use the original CAN protocol, which only supports 8 byte payloads.

      2) Some more recent CAN hardware allows the authorised sender of a particular CAN identifier (message) to invalidate any attempt to generate a spoofed message (basically, the "owner" of the identifier intentionally corrupts any transmission that it does not initiate). In this case, the thief would have to disable the security node before the spoof would work.

      3) Split the vehicle architecture so that there are multiple CAN buses (this is quite often the case anyway), and ensure that it is not physically possible to access any bus that is security-related from outside of the vehicle. This would not prevent this type of attack, but it would mean that the security system would have a chance to activate some other defence mechanism as it would be able to detect an intrusion via the alarm system.
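
A software model of the identifier-owner check described in point 2, as an added example that is not part of the original comment or any vendor's code. The identifiers, payloads and trace are constructed, and where real hardware would corrupt the foreign frame on the wire, this sketch only records it.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    t_ms: int      # time the frame was seen on the bus
    can_id: int    # CAN identifier (names the message, not the sender)
    data: bytes    # payload, at most 8 bytes on classic CAN


class OwnerGuard:
    """Node that owns some identifiers and checks every frame that uses them."""

    def __init__(self, owned_ids):
        self.owned = frozenset(owned_ids)
        self._queued = deque()   # frames this node handed to its own controller
        self.alerts = []         # frames that used an owned ID but were not ours

    def queue_tx(self, can_id: int, data: bytes) -> None:
        if can_id not in self.owned:
            raise ValueError("node does not own this identifier")
        self._queued.append((can_id, data))

    def observe(self, frame: Frame) -> bool:
        """Return False when an owned identifier appears without a matching send."""
        if frame.can_id not in self.owned:
            return True                      # someone else's message, not our concern
        if self._queued and self._queued[0] == (frame.can_id, frame.data):
            self._queued.popleft()           # our own transmission echoed on the bus
            return True
        # Hardware implementing point 2 would destroy this frame with an error
        # flag before it completes; the model can only log it. A foreign frame
        # with the same payload as a queued one is not distinguishable here,
        # whereas a transceiver knows at bit level whether it is the one sending.
        self.alerts.append(frame)
        return False


OWNED_ID = 0x2A0   # hypothetical identifier owned by the guarded node
OTHER_ID = 0x3B1   # hypothetical identifier owned by some other node


def flagged_timestamps() -> list:
    """Replay a constructed bus trace and return when foreign frames were seen."""
    guard = OwnerGuard({OWNED_ID})

    guard.queue_tx(OWNED_ID, b"\x01")
    guard.observe(Frame(0, OWNED_ID, b"\x01"))    # genuine: matches queued send
    guard.observe(Frame(10, OTHER_ID, b"\xff"))   # unrelated traffic
    guard.observe(Frame(20, OWNED_ID, b"\x02"))   # owned ID, nothing queued

    guard.queue_tx(OWNED_ID, b"\x01")
    guard.observe(Frame(31, OWNED_ID, b"\x02"))   # foreign frame beats ours to the bus
    guard.observe(Frame(32, OWNED_ID, b"\x01"))   # our frame follows and still matches

    return [f.t_ms for f in guard.alerts]


if __name__ == "__main__":
    print("foreign use of owned identifier at t(ms):", flagged_timestamps())
```
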

      1. martinusher Silver badge

        Re: Easily solvable....

        CAN proper doesn't have MAC IDs that identify specific senders or receivers, it's just an address that's used to allow particular nodes to identify messages that are of interest to them. (This is a bit confusing to network types (and really messy to set up) so a lot of CAN type messages use CAN/Open which is a message format that implies a controller talking to individually addressed nodes.)

        The failure here is to assume that the physical bus was safe and that messages couldn't be reverse engineered and misused. Toyota, like early Internet protocol designers, didn't think that anyone would access, much less misuse, the system for criminal gain. It should be easy to engineer secure messages, if a bit of a pain to implement.

        1. 43300 Silver badge

          Re: Easily solvable....

          "The failure here is to assume that the physical bus was safe and that messages couldn't be reverse engineered and misused. Toyota, like early Internet protocol designers, didn't think that anyone would access, much less misuse, the system for criminal gain. It should be easy to engineer secure messages, if a bit of a pain to implement."

          Which really shouldn't have happened. With early network pioneers it's understandable as there was no precedent for what they were creating, but in this case it's just a new type of network, and experience shows that networks will always get targeted for nefarious purposes, so security should have been a core consideration of the design. It doesn't take a great deal of imagination to think up scenarios which might get attempted, and attempt to block / severely mitigate them at the design stage.

          1. tip pc Silver badge

            Re: Easily solvable....

            Development of CAN bus started in 1983 and the first vehicle to use it was produced in 1991

            https://en.wikipedia.org/wiki/CAN_bus#History

            Bosch released version 2 of CAN protocol in 1991.

            Local data networks were similar to CAN bus in that they were shared access medium until “MAC bridges” were invented in 1983 and then standardised by IEEE, even then it wasn’t till the 2000’s until switches fully took off due to the expense and complexity.

            non-encryption use of cryptography (such as access control and message authentication) was removed from export control in 1989.

            https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#PC_era

            Encryption didn’t really take off till ~2000 after the US government relaxed its export ban on cryptographic technologies meaning browsers didn’t have to have a domestic version with strong encryption and an international version which was weakened and with back doors.

            Soooooooo, CAN bus is not new, it’s 40 years old and developed at the time the early network pioneers were innovating and is effectively an emulation of early LAN technology for a car using shared access medium, like a hub (not a switch) sharing a collision domain, and new ISO standards for CAN maintain backward compatibility to CAN v2 which hasn’t been updated in over 30 years, but like IPv4 still rocks on because it’s used in different ways today than originally envisaged.

            Which is why it did happen.

      2. thorlancaster328

        Re: Easily solvable....

        This sort of a problem could easily be solved with a two way handshake.

        Fob Receiver: Unlock the car.

        ECU: Prove it. (Sends random number)

        Fob Receiver: (Hashes random number with shared secret) Here's your hash

        ECU: (Unlocks car)

        Unless you know the shared secret you aren't getting in. Replay won't work either because of ECU's random number
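
The handshake sketched above, sized to fit the 8-byte classic CAN payload raised earlier in the thread, as an added example that is not part of the original comments or any manufacturer's code. The key, command code and class names are constructed for illustration, and HMAC-SHA256 truncated to 8 bytes stands in for the unspecified "hash".

```python
import hashlib
import hmac
import secrets

CAN_MAX_PAYLOAD = 8      # classic CAN data field limit, in bytes
CMD_UNLOCK = b"\x01"     # hypothetical command code, not from any real vehicle


def fob_receiver_response(key: bytes, challenge: bytes, command: bytes) -> bytes:
    """Responder side: MAC over challenge + command, truncated to one frame."""
    tag = hmac.new(key, challenge + command, hashlib.sha256).digest()
    # Truncation to 64 bits is the price of the 8-byte payload: a blind guess
    # succeeds with probability 2**-64 per attempt, so the verifier should
    # also limit how often it accepts attempts.
    return tag[:CAN_MAX_PAYLOAD]


class Ecu:
    """Verifier side: issues one-time challenges and checks the response."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # (challenge, command) awaiting a response

    def challenge(self, command: bytes) -> bytes:
        nonce = secrets.token_bytes(CAN_MAX_PAYLOAD)  # fresh random number
        self._pending = (nonce, command)
        return nonce

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False                 # nothing was asked, so nothing is accepted
        nonce, command = self._pending
        self._pending = None             # each challenge is usable exactly once
        expected = fob_receiver_response(self._key, nonce, command)
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange() -> dict:
    """Run genuine, replayed, unsolicited and wrong-key responses past the ECU."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    ecu = Ecu(key)
    out = {}

    c1 = ecu.challenge(CMD_UNLOCK)
    r1 = fob_receiver_response(key, c1, CMD_UNLOCK)
    out["frame_sizes"] = (len(c1), len(r1))     # both fit one classic CAN frame
    out["genuine"] = ecu.verify(r1)

    ecu.challenge(CMD_UNLOCK)                   # new random number issued
    out["replayed"] = ecu.verify(r1)            # recorded response, stale nonce

    out["unsolicited"] = ecu.verify(r1)         # no challenge outstanding

    c3 = ecu.challenge(CMD_UNLOCK)
    out["wrong_key"] = ecu.verify(fob_receiver_response(bytes(16), c3, CMD_UNLOCK))
    return out


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name:12} {value}")
```
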

        1. Anonymous Coward

          Re: Easily solvable....

          That's actually how they work already, well, the new ones anyway. It is the reason you have to 'resync' them in the car after they run out of battery - during that process they communicate the shared secret the rolling codes are generated from.

          The problem is a classic in security in that it's a hard shell/soft centre approach where components inside the car are deemed trustworthy. As with corporate security it appears car manufacturers have to move to zero trust frameworks. That's going to be annoying as heck because it means every component on the bus will have to be re-authorised when replaced, but it appears it's the only way to go.

          1. Wellyboot Silver badge

            Re: Easily solvable....

            Yes, easily solvable - Remove the bus.

            Have each circuit wired back to a CAN switch that is powered off when the vehicle is locked, this switch will be buried in the dashboard. Central locking cables (a stand alone system) can be placed where they can't physically be reached from outside the vehicle.

            Crypto secured fobs make unlocking a serious challenge*, only for the thief to be confronted with a totally disconnected vehicle that is waiting for another crypto exchange (fob physical contact with different key chain) to allow the central CAN switch to power on.

            Legal entry into a secured vehicle will end up requiring a time consuming major strip down, theft will require a recovery vehicle and large tinfoil sheets.

            * why they moved to CAN attacks - weaker target.

        2. johnfbw

          Re: Easily solvable....

          I think the problem is a little more involved than simple unlocking (which probably uses basic handshake like you mention). It is every single operation must be done via communication with the fob. Turn on the engine, unlock the steering wheel, go left, accelerate, stop etc. The fob would run out of batteries before you are round the first corner.

        3. Anonymous Coward

          Re: Easily solvable....

          Fob Receiver: (Hashes random number with shared secret) Here's your hash

          Vulnerability: Car has shared secret, so it's not necessary to have the fob to unlock the car, i.e. get the shared secret after compromising the car, and you can correctly hash the random number and start the car.

          Solution: PKI (private / public key pair). Car has public key, fob has private key. Fob signs the random number from the car with the private key and sends the result back to the car. Using PKI algorithm, the car compares both signed message and public certificate, and can tell that its random number has not been tampered with and can only have been signed by a device that has the secret key which is paired with the public key it has, so unlocks the car. Compromising the car will allow access to public key which is of no use if you want to unlock the car. If you have access to the fob, well you have the fob so don't need to do anything other than press the button. Intercepting the radio message from the fob to the car and attempting a replay attack will not work as the message changes every time the fob button is pressed due to the initial random number, and cryptographically there is no way of generating the secret key, even if you intercept the initial random number and the signed response.

      3. thorlancaster328

        Re: Easily solvable....

        As for (2), the attacker could probably bypass this with a low resistance H bridge to force the desired bits onto the bus. Most CAN transceivers have thermal overload protection, such as the MCP254x. Once this happened the attacker could transmit unimpeded.

        1. Adrian 4

          Re: Easily solvable....

          CAN's MAC layer actually involves a wire-or operation to get collision-free operation. Overdriving it is part of the spec.

      4. cozappz

        Re: Easily solvable....

        So, your answer confirms it is not easily solvable but it has to be approached seriously and addressed fully, not half-baked as it is now.

        It reminds me of Cisco router security in 1990, btw.

    2. Cliffwilliams44 Silver badge

      Re: Easily solvable....

      Simpler, don't own a car with any of this nonsense.

      I own a car built in 2014 jointly by Toyota and Subaru. Of course it has an ECU, it also has a Bluetooth capable sound system, but nothing else! No hands free start, no lane departure, nothing!

      1. Great Bu

        Re: Easily solvable....

        The best security feature of your car is that they didn't put a turbo on it like they should have. As a result, it is woefully underpowered and hence nobody actually wants to steal it....

        1. Anonymous Coward

          Re: Easily solvable....

          Perhaps one might, indeed, prefer to steal a 9 year old turbocharged sports car instead of the one I think is referred to here. But to buy one? Oh no. Oh no no.

      2. Anonymous Coward

        Re: Easily solvable....

        Even easier, don't own a car and drive your neighbour's. Preferably with his/her permission, though :).

      3. Orv Silver badge

        Re: Easily solvable....

        My 1994 Honda doesn't have any of those features, either, but it's lamentably trivial to steal because its physical security features are also nonexistent.

    3. bigtreeman

      Re: Easily solvable....

      Tech people will want a clever tech answer to a problem.

      Adding another layer of complexity, another point of failure

      and a challenge for future hackers.

      How about a low tech, old school, key lock somewhere in the network.

      Only has to short CANH and CANL, could be retrofitted to all can bus vehicles.

      A modern version of a steering lock (youngsters can google that).

  2. JimC

    Cui Bono?

    I was thinking that the complacency/incompetence of the motor industry in regards to electronic theft was staggering, what with all the fundamental security rules being broken, but then I got to thinking, well, if theft is below a level where buyers will avoid the brand, what motivation is there for the car industry to make security a priority. Never ascribe to malice what may be ascribed to incompetence is a useful rule of thumb, and I doubt the manufacturers are deliberately making their vehicles easy to steal, but a moderate level of theft and thus extra sales doesn't actually seem to have much of a downside for them.

    1. chivo243 Silver badge

      Re: Cui Bono?

      "...but a moderate level of theft and thus extra sales doesn't actually seem to have much of a downside to counter the extra sales."

      Leaking this kind of info would also 'boost' sales, the invisible column in the spreadsheet, repeat customers? Maybe not if their car gets boosted!

    2. NeilPost

      Re: Cui Bono?

      “All Of This Has Happened Before And Will Happen Again”

      Battlestar Galactica.

      Why they disconnected their ship systems and reverted to paper (albeit with the corners cut off).

    3. tip pc Silver badge

      Re: Cui Bono?

      International regulations mandate the use of certain technologies within vehicles like OBD-IIB etc.

      CAN bus in theory makes cars cheaper as manufacturers can buy in CAN bus compliant components “off the shelf” without having to actually develop them and certify them themselves.

      So BOSCH and others can develop a load of control systems that are used in multiple cars from multiple brands but are essentially the same control system perhaps with some specific model tweaks, ABS is a good example as are modern collision avoidance systems.

    4. Killfalcon

      Re: Cui Bono?

      Surprised the car insurance industry hasn't gotten shirty with manufacturers about this yet. They're the ones who end up paying out for replacing the stolen cars, after all.

      1. SEDT

        Re: Cui Bono?

        It's actually we who pay.

  3. chivo243 Silver badge

    What's old is new?

    Still hot wiring cars! Now it's from the outside! Now they break into the exterior lighting compartment, that's thinking out of the box!

    1. Anonymous Coward

      Re: What's old is new?

      that's thinking out of the box!

      .. quite literally ..

    2. Blazde Silver badge

      Re: What's old is new?

      Now you get an ol' coat hanger yea? Metal one like this. Open it out and twist it like so to form a bit of a hook. Ram it through the gap at the top of the window of your desired vehicular. Takes a bit of force to open it a crack but most times it'll go in a charm. Then you can wave the end with the hook around inside the car, good eh? Now press it gently against the data pin of the USB socket on the sat nav, simulate a USB storage device wiv this PCB on the other end, initiate firmware update, takes a few seconds hold your horses, then we own the TomTom. Bluetooth to the in-car entertainment system - nice stereo that - an exploit to get us onto the CAM, packets to deactivate the immobiliser and unlock. Helps to wind the window down before you extract the coat hanger.

      1. Yet Another Anonymous coward Silver badge

        Re: What's old is new?

        You gotta pick a packet or two boys, you gotta pick a packet or two

        1. John Brown (no body) Silver badge

          Re: What's old is new?

          Oh, very well played :-)

          Have an icon or two!

  4. b0llchit Silver badge

    One big mess of bad programs and connections

    ...break open a headlamp and use its connection to the bus to send messages.

    You know you are doing it wrong when the headlamp can pawn the car.

    Time to add producer liability to the books?

    1. Geoff Campbell Silver badge

      Re: One big mess of bad programs and connections

      There's nothing new under the sun. Early alarms could be defeated by breaking an indicator bulb and shorting it to ground (the more stylish thieves did this by pissing on the broken bulb, I understand). This blew the fuse that fed the alarm, so the car could be started and driven away, in most cases using any random key that you had to hand, because car locks were rubbish in those days.

      GJC

    2. MachDiamond Silver badge

      Re: One big mess of bad programs and connections

      "You know you are doing it wrong when the headlamp can pawn the car."

      I think this comes down to greed. The only necessity in having a CAN connection to the headlight is so they can install some DRM code into the headlight so only OEM replacements can be used legally. Any company that produces a replacement that circumvents that DRM code is guilty of several crimes and prosecutable by the State. This means the car company has weaponized DMCA type laws to their benefit and savings. Since it's a criminal offense and not just a matter of Copyright infringement, the State pays for the attorneys. The really annoying thing is the 'DRM' doesn't have to be any good and doesn't have to serve any useful purpose.

      1. Orv Silver badge

        Re: One big mess of bad programs and connections

        There are other reasons. It reduces the amount of wiring required, especially in the case of headlights that are steerable, have bulb-out detection, or other advanced features. Tail lights benefit even more from this -- instead of having one wire for brake, one for tail, one for turn, and another for reverse running the length of the car for each tail light assembly you just have power, ground, and the CAN bus.

  5. Flocke Kroes Silver badge

    Massive improvement in security over the decades

    You used to be able to steal a car by reaching under the wheel arch, unplugging a connector and plugging in your CAN bus device. At this rate, next decade you will need a hammer for one of the windows _and_ a screw driver to get to a CAN bus connector.

    1. Anonymous Coward

      Re: Massive improvement in security over the decades

      Most modern cars have OTA update facilities that are apparently so badly protected that it appears feasible someone will soon write a Nessus plugin for it, all wireless, so they won't even get dirty while breaking in.

      Add to that that most steering wheel locks and covers apparently don't offer too much of a challenge either and I think it's time to restore the old "rusty nail in the seat cushions" protocol.. I can't see any other way of protecting a vehicle. If you have a nice car they'll even open your garage to get at it. I have some ideas for vehicle security, but given that you can get sued by burglars for getting injured while breaking in I'm not sure it's worth it - the morons took over the asylum years ago.

      1. The Oncoming Scorn Silver badge

        Re: Massive improvement in security over the decades

        "If you have a nice car they'll even open your garage to get at it."

        As a friend discovered with his house with internal garage & some limited edition XR3i that he owned.

        He thought he heard a noise outside, but drifted back to sleep......

        30 mins later the police rang him up.

        "Do you have a XR3i"

        "Yes, it's in my garage"

        "Would you mind confirming you still have it, as it drove past us in the opposite direction at high speed, we got the number, but lost it by the time we turned around"

        Walks downstairs to garage, open space & open garage door where the miscreants had opened it up & pushed the car out & onto the road.

        Not the only targeted theft in Somerset I knew of, friend parked his rare Morris Minor with split screen in the school car park adjacent to his house while he was working on my car, when he hears it start up & driven away, he dashed to give chase in his other car, leaving me confused as to WTF was going on. He returned having called the cops & lost the Morris Minor in a "High Speed Pursuit".

        He graciously returned to work to finish mine, pointing out his car had obviously been targeted & the theft brought forward by simple opportunity of it being exposed on the school car park.

        1. anothercynic Silver badge

          Re: Massive improvement in security over the decades

          This is unfortunately a common occurrence for motorcyclists both on the road, and off-road.

          Back in the day when I had fun with off-road motorcycling, the number of posts of people having their garages broken into, their off-site unit doors jimmied up etc was staggering. A whole cottage industry of building anchors good enough to force intruders to simply go "nah, not worth it mate" sprang up. No doubt this continues to be an issue today when I still see Facebook posts from people still in that field posting about how their pride and joy had been nicked overnight.

          Despite those things not having the CAN bus problem, yeah, if people want something enough (stolen to order or whatever), you'll be surprised what the perpetrators are willing to do to get it (including breaking in and threatening you with a gun/knife).

          1. MachDiamond Silver badge

            Re: Massive improvement in security over the decades

            "Back in the day when I had fun with off-road motorcycling, the number of posts of people having their garages broken into, their off-site unit doors jimmied up etc was staggering. "

            There are also lots of cases of people camping at an off-road recreation area camp site having their bikes and buggies stolen. Since people come and go all the time, a thief will roll the bikes onto a trailer in the wee hours and slowly leave with them like anybody might do. Nobody pays much attention and there's nothing to see on a dark night but the lights on the truck and trailer.

      2. A.P. Veening Silver badge

        Re: Massive improvement in security over the decades

        but given that you can get sued by burglars for getting injured while breaking in

        They will need to be alive to sue you, so your only problem is to get rid of the bodies (without getting caught at it).

        1. Anonymous Coward

          Re: Massive improvement in security over the decades

          Ah, that explains why you never hear of burglaries at pig farms (if the gangster movies I've seen are to be believed, of course, I'm a townie).

          :)

  6. devin3782

    I still don't understand why cars aren't using asymmetric keys, your key stores the car's public key and your car stores the public keys of your physical key, you know the way SSL, SSH, Wireguard works. I'm so glad my car doesn't have keyless entry

    1. IGotOut Silver badge

      This is nothing to do with keyless entry.

    2. Anonymous Coward

      Ah yes, because keys are SO secure.

      (They're not. Car locks are notoriously easy to pick.)

      1. gotes

        I've read several stories (probably on this very site) about people driving off in someone else's identical vehicle, or at least opening the door because the keys have so few possible combinations.

        I could get into my old Ford Escort by pulling the lock out with my fingers.

      2. Anonymous Coward

        Keys now have an electronic component which is sensed when you insert the key in the lock (that was before all this keyless rubbish started), and that was linked to engine management. The physical key could open it, but engine management would not start unless it sensed the electronics in the key.

        So yes, the physical keys had problems so leaving things in a car was never a good idea, but driving away was harder.

        1. J. Cook Silver badge

          ... unless the immobilizer system was crap. (There was a known issue with a bunch of the Saturn models in the early 2000's with the anti-theft system working a little too well and keeping the owners from starting their cars with legit keys.)

      3. Orv Silver badge

        Picking them is often unnecessarily slow. Many car locks can be opened with a slim jim or other tool quicker than you can open them with the key. Another common trick used to be to just rip the whole lock cylinder out by its roots with a slide hammer.

    3. Anonymous Coward

      "I still don't understand why cars aren't using asymmetric key"

      I believe some of the newer immobilizers are doing this.

      Even older immobilizer tech (circa 2004) should prevent the attack from the article. The keyfob, transmission controller (for automatics, not sure if manual transmissions have immobilizers), engine controller, and key module should all agree that they're happy together before allowing the engine to run or the transmission to engage. Messages are designed so that replay attacks don't work.

      Plus as others have mentioned, cars have multiple CAN busses. Headlights should be on a different bus than the powertrain.

      Source: at $dayjob I work on and with these controllers.

      1. vtcodger Silver badge

        Why

        Headlights should be on a different bus than the powertrain.

        I'm having a bit of trouble grokking why the headlights are on ANY bus. I learned to drive on a 1939 Plymouth sedan. It had headlights. Two. Right and left. They had two settings. High and Low. High/low was controlled by a switch on the floor. Don't remember where that switch was exactly. Maybe high up to the right of the brake pedal? Needed three wires (power to the two filaments and ground), a fuse and two switches (lights on and lights-high/low). Every car I've owned since has had pretty much the same system except they moved the high/low switch from the floor to a stalk on the steering column in the 1970s or 1980s and some cars added an automatic switch for Daytime Running Lights in the 1990s (not all DRLs use the headlight low beam filament and the US doesn't require DRLs so low end models may not have them).

        I really don't see any significant cost savings from or need for "smart" (i.e. the intellectual peer of a mildly retarded cocker spaniel) headlights. All I see is gratuitous complexity that will add to the cost of vehicle maintenance and repair .. and might get your car stolen ... not that the latter is all that great a feat.

        1. SCP

          Re: Why

          I'm having a bit of trouble groking why the headlights are on ANY bus.

          Well for differing values of "need" there are advantages. Not having to have large power cables running to and from mechanical switches (sited in locations convenient to the driver not the wiring loom) along with those for all the other controls makes builds easier (and cheaper). Then you get all kinds of automation being more practical:

          - auto lights on/off for dusk/dawn/poor weather;

          - auto main/dipped beams;

          - extended courtesy lighting (leaving lights on while you get out of the car and to your door);

          - flashing lights on unlock (to help you locate your car if you forget just where it is);

          - lamp/LED test at ignition on (check it draws the right current);

          1. BitGin

            Re: Why

            If you're paying so little attention to your driving that you need your lights automated then you shouldn't be on the road.

            1. MattPi

              Re: Why

              If you're paying so little attention to your driving that you need your lights automated then you shouldn't be on the road.

              If you're paying so little attention to your driving that you don't realize the spark needs to be manually advanced, then you shouldn't be on the road.

              1. An_Old_Dog Silver badge

                Re: Why

                I've driven several cars in which I wished for a manual spark advance/retarder control, as the "automatic" one was doing a terrible job: the engine clattered when I drove up hills, despite using high-octane gasoline.

              2. Martin-73 Silver badge

                Re: Why

                Absolutely agreed... if you're driving that kind of car... But auto headlights are still evil

              3. BitGin

                Re: Why

                Not really.

                Your ignition timing is not safety critical. You might damage your engine or create more pollution than you otherwise would but you are unlikely to kill anyone. I'd also assume anyone with manual ignition timing would have a manual transmission so they already have a job to do that reminds them what speed they're doing.

                Your headlights on the other hand...

                If you are paying so little attention to your driving that you haven't noticed an oncoming vehicle that you need to dip your lights for or that it's dark and you can't see without turning your headlights on then you will eventually kill someone and shouldn't be on the road.

                Do you honestly think that drivers are using all the "free time" this kind of automation gives them to worry about safety or to check text messages / watch Harry Potter movies?

            2. SCP

              Re: Why

              But, sadly, there do seem to be a number of them. And, despite flashing full beam at them repeatedly and after passing them flashing hazard lights they continue onwards oblivious.

              Some automation falls into the category "nice to have" (and YMMV) - but I am perfectly happy to have some nice things. And if there are complaints to be made about modern cars I will save mine for the awful interfaces that require you to take your eyes off the road and look at an interior screen in order to figure out what mode the button/dial you are pushing/turning is in.

              1. Solviva

                Re: Why

                Funnily it happened to me yesterday.

                I'm the sole user of my car. There's a switch to alter the light setting - off, auto, parking, along with a light above it indicating the lights are on. Unfortunately this switch and light are 100% obscured by the steering wheel and to look at them you need to shift your head a good deal to the left. On the instrument cluster display, the only light indication is for when you're on full beam.

                The switch lives on auto and works perfectly.

                Took the car for annual inspection last week, and it would appear the inspector fiddled with this switch ultimately leaving it in the off position. Cue a coach frantically flashing me yesterday when it was approaching dusk, me bemused. After a minute or so, I tilted my head to see... that b*ard inspector!

            3. Anonymous Coward

              Re: Why

              If you're paying so little attention to your driving that you need your lights automated then you shouldn't be on the road.

              Personally I think anyone caught with rear fog lights on without the right weather conditions for it should have an extra one mounted on the dash right in front of them so it shines right into their eyes. Maybe make it blink as well.

              The amount of morons blinding people with their rear fog light weeks after a mere wisp of fog really ought be a massive source of revenue for the police if they could be bothered. I'm all for automating that so it needs to be switched on again when starting the vehicle.

              /rant

              1. A.P. Veening Silver badge

                Re: Why

                The correct solution to unnecessary rear fog lights is an automatic speed limiter to 40 km/h (25 mph) when the rear fog lights are on.

                1. Adrian 4

                  Re: Why

                  > The correct solution to unnecessary rear fog lights is an automatic speed limiter to 40 km/h (25 mph) when the rear fog lights are on.

                  Could do that on the front lamps too.

            4. keith_w

              Re: Why

              Many people appear to believe that if the console lights are on, which they are pretty much all the time in a modern vehicle, and the DRLs are on, then their headlights are on. Especially when driving on roads that are lit by overhead lights.

              1. MachDiamond Silver badge

                Re: Why

                "Many people appear to believe that if the console lights are on, which they are pretty much all the time in a modern vehicle, and the DRLs are on, then their headlights are on."

                I can understand that. The headlight on indicator on my dash is neatly hidden by the steering wheel in the position I sit. If the road is highly lit, I may not notice that my dash is brighter than usual when the headlights are on. (it dims when the headlights are on).

            5. ske1fr
              Mushroom

              Re: Why

              Ass-backwards. If you're still manually controlling your headlights instead of leaving it to an automated system built into the car and paying more attention to the road, sigh. And to the occasional numpties who flash me at night when my headlights are on dip, yes, these are modern LED headlights, not faded filament bulbs in fogged plastic housings, or better still, one barely working headlight set to full beam, or fog lights on because both headlight bulbs have blown...Every new thing in cars like auto lights on, auto dip, lane departure warning, adaptive cruise, these all seem to address the carelessness of some drivers I see every day. Actually, it would be better if the car wouldn't start at night unless all car lights were in full working order. All together now, to the tune of Guantanamera: "One working headlight! You've only one working headlight!"

              1. John Brown (no body) Silver badge

                Re: Why

                "If you're still manually controlling your headlights instead of leaving it to an automated system built into the car and paying more attention to the road, sigh."

                Seriously? Knowing how and when to turn lights on or off is a distraction from driving? For a fraction of a second?

                If automatic headlights actually worked *properly*, then maybe they would be a good idea. But they don't. The settings for switching on are massively over cautious, turning them on long before they are needed and leaving them on long after they are no longer needed. And I've yet to see an "automatic lights" system that even has the *concept* of side lights, let alone "know" when to use them. It's not unusual to be driving through a cutting and see people's headlights come on and then remain on even though being back into bright sunlight when the sun is low in the sky and I still need sunglasses on as the road bends towards that low sun.

                Many UK drivers seem to be unaware of The Highway Code rules on Lighting Requirements. Admittedly, there doesn't appear to be a rule telling you NOT to use headlights at certain times, but honestly, it's implied by when you MUST use them that outside of those conditions you probably ought not to be using them.

                Sadly, there don't appear to be any rules on how bright headlights are allowed to be either, so those cars with high intensity lights are allowed on the roads, despite the fact that their "normal" dipped headlights, under certain normal road conditions are dazzling other drivers at times, which actually IS breaking the law. No one seems to care enough to do anything about it though. Or Volvos, which drive around with headlights permanently on.

                I have little issue with LED headlights and other more modern forms of lighting most of the time, it's the high intensity ones which are the real issue. They stand out in a line of oncoming traffic because compared to all the other cars, they seem to be on full beam. Some of the very bright but more targeted headlights can be an issue over the brow of a hill or bumps in the road too as it can seem like a camera flash going off in front of you or in the rear view mirror. Very distracting if not actually dazzling and often can seem like blue flashing lights when seen from a slightly off angle for a moment or two, especially in the rear view mirror.

                1. MachDiamond Silver badge

                  Re: Why

                  "If automatic headlights actually worked *properly*, then maybe they would be a good idea. But they don't."

                  The bigger problem I see as an engineer is there are more things between the battery and the automated headlights to go wrong. A switch and relay are super easy to troubleshoot. The black box with the automated gubbins the maker won't release a schematic for is a bit of a problem. It might also be that some other thing has gone sproing that's preventing the proper operation of the headlights. Good luck with that costing less than a couple of hundred to fix.

                2. Orv Silver badge

                  Re: Why

                  When I drive my Honda Del Sol I always drive with my headlights on, day and night, so that the guys in big SUVs can see me. It's been proven to work for motorcycles so I figure it'll work for me too.

            6. Solviva

              Re: Why

              If you're paying so little attention to your driving that you need your transmission automated....

          2. Martin-73 Silver badge

            Re: Why

            Auto headlights are the invention of satan, so many MORONS driving round in crap weather with NO lights (other than DRLs) on... The flashing on unlock and lamp test and courtesy lighting are perfectly possible with a relay under the bonnet, not a CANbus directly to the dang headligh

            1. SCP

              Re: Why

              And there is still more chance that the dumbest of automation will turn the lights on before they do.

              Ah relays - more heavy duty wiring, extra manufacturing costs, lower reliability. Fantastic.

              If you want the vintage motoring experience that's fine, I am happy to leave it in the 1970s.

              Mistakes with bus architectures have been made, but modern cars still outperform their predecessors - including in security.

              1. Martin-73 Silver badge

                Re: Why

                So where do you propose the heavy duty wiring goes? want a battery in each headlamp.. and re: relays being low reliability... HAHAHHAHAHAHAHHAHAHAHAHHAHAHAHH

                1. Richard 12 Silver badge

                  Re: Why

                  Compared to a MOSFET, relays are extremely low reliability.

                  A relay will do about 10,000 cycles.

                  MOSFETs will do far more than twice that every second, and they'll keep doing that until the doping drifts out of the junctions.

                  A well-designed relay will probably last about a decade. An average MOSFET will last fifty to a hundred years.

                  Of course, both will die if you do evil things to them - pitted and welded contacts, blow the top off...

                  1. Derezed
                    Trollface

                    Re: Why

                    I’ve had my car 10 years…I’m thinking of throwing it in the bin and getting a new one.

                  2. Anonymous Coward

                    Re: Why

                    Yes, but they don't make a nice clicky sound, which is why indicators still have a relay involved somewhere - somehow our great progress in automation and artificial sound for EVs have not been able to equal that single, oh so efficient bit of sound. Yes, they have tried, but it never caught on.

                    In addition, another feature of ye olde relay was kept as well: the change of frequency if a bulb blew. I suspect that will fall by the wayside now most cars are 100% LEDs (although on a Tesla I find the lights ridiculously small), but that too is something that we kept from decades ago where the mechanics inadvertently provided extra sensing ability.

                    I actually liked the ingeniousness of some of those early indicator relays. I've seen one from a bus which genuinely had a little spinning wheel in it to control the click instead of a bimetal heating element - the relay would spin it against a spring load and its mass would delay it spinning back for a second and re-closing the contact. Annoyingly mesmerising :).

                    1. Adam JC

                      Re: Why

                      Fun fact, the 'clicky' noise from most modern(ish) cars is produced by a little speaker behind the dash, not the relays :-)

                    2. Timop

                      Re: Why

                      Have you ever tried blinker when you have for example seat belt alert or similar beeping all the time? At least all post 2008 cars I have tested this with have been 100% SFX from loudspeaker with the blinker sounds.

                  3. Anonymous Coward

                    Re: Why

                    "A relay will do about 10,000 cycles."

                    Depends on the relay and the load. Most relays I encounter specify a minimum of 1,000,000 mechanical cycles or more. Electrical life cycles (how many actuations before the contact resistance becomes unacceptable) can be an order of magnitude less depending on switching conditions. If a relay is not suitable for its load, 10,000 may be unattainable, you could be limited to dozens of actuations (look into contactors for EV batteries... this post is already too long, I won't bore everyone with a discussion about actuator histograms in BMUs)

                    Wetting currents (too low or too high can both be bad) and surge currents are key factors with relay life. For higher loads, extinguishing the arc during breaking is the challenge.

                    MOSFETs are pretty rugged. Big things there are 1) heat (particularly deadly if you need to have multiple FETs switching in parallel due to the load, hottest FET in the set takes the most load which can get out of hand quickly). 2) ESD (relay contacts don't care, but it's pretty easy for a discharge to punch through a FET) 3) inductive spikes (high dI/dt can generate overvoltage and blow the FET, outside of automotive this can be an issue with switching AC, you want to switch when current is at 0, not voltage).

                  4. MachDiamond Silver badge

                    Re: Why

                    "A well-designed relay will probably last about a decade. An average MOSFET will last fifty to a hundred years."

                    My current car is 16 and my last car had to be 'put to sleep' at around 21 years. I've never had to replace a headlight relay in either one. In fact, I have the relay from the older one (a Buick) in a box since it's still good.

                    A good MOSFET can be long lived too, but automakers have the nasty habit of putting their own codes on rather than leaving the supplier's part number so you either pay dearly for a replacement or find somebody that can find one that will work well enough. Just about anything in the same form factor will fit and a low on-resistance is all you need. You'd be hard pressed to find a power MOSFET with a voltage rating under 25v.

          3. Richard 12 Silver badge

            Re: Why

            None of those things require the headlights to have a data connection. The power controls could be anywhere.

            My car has all of those things, and there's no data connection to the headlights at all. Only power, switched (and monitored for failure) by something else.

            They have a data connection because it was convenient for someone to put the power control hardware inside the headlight module. And they have a bidirectional link to CAN because that's the only control protocol car manufacturers understand.

            1. Timop

              Re: Why

              Mandatory height adjustment for brighter xenon/led beams makes things much trickier. Unless you have redundant car position sensor built inside the headlights.

            2. MachDiamond Silver badge

              Re: Why

              "My car has all of those things, and there's no data connection to the headlights at all. Only power, switched (and monitored for failure) by something else."

              Yeah, and that means you don't have an extension lead to the car's security system brought to a convenient point to access from outside the car. It's like an alarm keypad having points that connect to the programming interface of the microcontroller. Not everybody can exploit that but once somebody has, the next person doesn't need anywhere near that level of skill. They'll just watch the YouTube video and buy the interface box they need from AliExpress.

          4. MachDiamond Silver badge

            Re: Why

            "Well for differing values of "need" there are advantages. Not having to have large power cables running to and from mechanical switches "

            It's been some time since the power to operate the headlights has been routed through the switch on the dash. The switch activates a relay that acts as the main power control. That relay could be controlled by a black box and be turned on and off without ever resorting to the need for a CAN bus connection to the headlight itself. It's dead simple to test for a broken filament. I can think of half a dozen ways without breaking a sweat and none of them need a CAN bus connection at the headlight.

        2. Adam JC

          Re: Why

          It may shock you, but modern cars are fairly more complicated than your 1939 Plymouth.

          For starters, I doubt it had:

          Laser/Matrix LED headlights

          Xenon-type/Self levelling headlights

          At its most basic level, CANBUS is required to detect a faulty incandescent bulb and alert the driver by a warning on the dash/infotainment. At a much more advanced level, the headlights need to link to the steering sensor, the chassis/suspension sensors, accelerometers (For example, headlights that adjust on the fly whilst driving to allow you to see around sweeping corners better), or with matrix/LED headlights need to communicate with a sensor on the back of the rear-view mirror cluster so they can automatically adjust to stop dazzling drivers coming the other way or turn on automatically when it gets dark.

          There are plenty of reasons for a CAN interface to exist in a headlight in 2023, it's not about cost savings it's about providing extra features that weren't possible before. It could be argued as to whether they're necessary or even useful, but they do exist in some vehicles regardless.

          1. An_Old_Dog Silver badge

            Re: Why

            CANBUS is required to detect a faulty incandescent bulb

            No, it is not. Detecting a faulty incandescent bulb used to be done by the driver placing the ignition-key switch into the position just before "RUN"; this lit up all lamps on the dashboard; if a lamp was not lit, there was a defect in the lamp and/or wiring. If you're writing about a faulty incandescent headlight, such detection also was done by the driver paying attention: "Hey, my right low-beam headlight is out!" (Driver then temporarily clicks to high beams to check them, as well.)

            1. Anonymous Coward

              Re: Why

              Or the man out front with the red flag would tell them about it.

              1. Spamolot

                Re: Why

                Or those horse-drawn cart drivers would helpfully tell you that your kerosene lamps needed refilling.

              2. MachDiamond Silver badge

                Re: Why

                "Or the man out front with the red flag would tell them about it."

                The DIY store has a person that walks in front of any powered material handling equipment with some red flags. Only one older employee I ever made a joke about that to understood the reference. ... Kids......

            2. Martin-73 Silver badge
              Pint

              Re: Why

              Also the faulty bulb could be detected via volt drop, a sense wire, and simple comparator circuitry, I wholeheartedly agree this statement was heinous bullpuckey... hell a dead bulb can be detected by an LED in series with it but paralleled with a resistor... Maplin (RIP) used to do a chip with the comparator circuits built in for I think 8 channels (bulbs) in the 80s... have a beer for the weekend

              1. Orv Silver badge

                Re: Why

                My Volvo had a system like that. It had frequent false alarms, though, and then people would ask me why there was a warning light on my dash with a picture of a hand grenade.

            3. Martin-73 Silver badge

              Re: Why

              I tend to drive with low beams on all the time, doesn't cost me anything much, and makes me more visible, I usually see my low beam reflection in the bumper or tailgate of the car in front even during daylight, that's how I knew to stop and install a new bulb yesterday. Canbus is not needed, AT ALL

              1. Wellyboot Silver badge

                Re: Why

                In the 1970s Volvos you didn't have any choice in the matter of running lights, they also had a light that came on when a bulb failed (sometimes even before it went) I believe it used the change in resistance.

            4. Adam JC

              Re: Why

              You stripped the second half of my statement which completely takes it out of context.. (The important bit where I say it's required to **alert the driver by a warning on the dash/infotainment** ) -

              That's the bit that requires the CAN interface, not so much the bulb being blown rather the signal to the infotainment/dash display.

              1. Michael Wojcik Silver badge

                Re: Why

                That still doesn't require a CAN connection to the headlamp. A lamp failure can be detected electrically, and that signal can be detected by a CAN-connected component in the engine compartment.

                Having CAN connections easily exposed to the exterior of the vehicle is a security failure, plain and simple. It's done for convenience, not necessity.

              2. An_Old_Dog Silver badge

                Out-of-Context Quotation / Cui Bono?

                Adam JC, I didn't mean to quote your comment out-of-context. At the same time, literally speaking, CANBUS is not required to alert the driver by a warning on the dash/infotainment. The dash/infotainment currently is designed in a way which requires CANBUS, but alternative dash/infotainment systems could be devised which did not require CANBUS.

                I understand the "benefits" a computer-message-bus-based system can bring, but I see the most-significant benefits going to the manufacturer, to the disadvantage of the consumer.

                * Wiring looms are heavier and reduce fuel mileage.

                * Wiring looms cost more in raw materials.

                * Wiring looms cost the manufacturer more time to install.

                * Computerized-everything produces a wealth of data which can be used to profile the end-user, and sold at profit by the manufacturer.

                * Computerized-everything increases the ease with which manufacturers can implement buyer-attractive features (profiles by keyfob which auto-set seat adjustments, mirror adjustments, music, etc.)

                * You may find your insurance rates going up because according to your profile, you tend to hot-foot it away when the traffic lights change from red to green, and because you rarely use your turn blinkers.

                * Computer interface modules can/will be integrated into many components, giving the car-maker the ability to shut out 3rd-party component replacements, ala John Deere.

                * Replacement-component computer-based-enablement can be limited to dealership repair shops only, eliminating the possibility of competition from 3rd-party repair shops or from the car-owner repairing it themselves.

                * Each field-replaceable unit can now be exorbitantly priced, making repair less cost-effective, in turn leading to additional replacement car sales.

                * Anyone with a basic understanding of electricity and some simple, cheap, widely-available tools can successfully troubleshoot and repair a point-to-point-based wiring system. That's false for a computer-message-bus-based system; people will be largely forced to take it to a dealer for repairs (ka-CHING!).

                1. Adam JC

                  Re: Out-of-Context Quotation / Cui Bono?

                  After reading it back, I really ought to have worded it differently so that's my mistake - apologies.

                  I read a lot about the JD situation and it's one of the biggest pushes behind the 'right to repair' movement. Hearing stories of tractors and farm machinery some worth well into 6-figures being stuck in 'limp mode' without going back to a JD dealership to be 'reset' is absolutely disgusting.

                  I can't help but fear we're going to hear more and more stories like this crop up as things get more advanced in automotive technology. I since read another article (Or may have been a comment on here actually) about someone removing a radar sensor on the front of a car to access the CAN interface with the same attack vector in mind. It's pretty clear they need to add some two-way authentication/encryption/validation to the system and can't rely on security by obscurity as it's clear that isn't the case any more!

                  We support a lot of local small independent garages and recently had to get our 2020 Citroen Despatch serviced. Turns out the servicing record is 'all digital' (No service book any more!) - Nearest main dealer is ~30 miles away and wants over £600 for an interim service... Local independent garage says access to the digital service book system is free *although* purposely difficult to access as an independent, so they advised purchasing a paper service book and stamping it the old-fashioned way (So we did!).

                  Lastly, this point you mentioned sticks out for me:

                  * Computerized-everything increases the ease with which manufacturers can implement buyer-attractive features (profiles by keyfob which auto-set seat adjustments, mirror adjustments, music, etc.)

                  Pretty sure it's BMW who announced recently 'options as a subscription' - As in, heated seats? Sure, that can be remotely activated for £10/mo. Cruise control? Sure! +£15/mo.

                  That's a slippery slope, but a sign of the times with every manufacturer on the planet dipping their toe into the subscription based model I guess.

          2. Martin-73 Silver badge

            Re: Why

            LED/laser headlights should also be banned, too much glare,... but my point was the bus doesn't need to be actually at the headlight, just a few inches further in at the controller module, out of reach of the miscreant

            1. tip pc Silver badge

              Re: Why

              https://youtu.be/f7R1z_tUrJs

              Newer cars with bright lights have anti glare features.

              My 2011 e class has adaptive lights that individually lower when following traffic or for oncoming traffic.

              My 2021 e class has active matrix led that does the same but now actually outputs less light around cars ahead, looks like a dark box that tracks oncoming and ahead cars.

              Newer versions specifically illuminate a path to pedestrians and will project warning signs on roads and lane lines to aid drivers.

              Newer premium headlights greatly add to driver safety and do not glare oncoming traffic.

              1. Mixedbag

                Re: Why

                This is mostly true until you're driving a vehicle where the driver is low to the ground, like a Triumph Spitfire and then every dam car light is at about head height.

                1. Anonymous Coward

                  Re: Why

                  Well, then don't drive a Triumph Spitfire.

                  Any other problems I can solve for you?

                  :)

                  1. The Oncoming Scorn Silver badge
                    Devil

                    Re: Why

                    Triumph Spitfires, having actual operational lights of any form would be a help, thanks to Lucas - Prince of Darkness (Icon).

                2. Orv Silver badge

                  Re: Why

                  Or if you're driving a car at all in the US, where most vehicles are SUVs or pickups and a lot of the latter have had their suspension raised.

          3. vtcodger Silver badge

            Re: Why

            It may shock you, but modern cars are fairly more complicated than your 1939 Plymouth.

            Indeed they are. And some of those complications are genuine improvements. Let me list some of those.

            1. Seat Belts (Although even in 1939 the Plymouth could have had seat belts had anyone thought to put them in cars)

            2. Modern electronic ignition which truly is a substantial advance over carburetors (not that there were ever more than a dozen entities in the known universe who actually understood carburetors)

            3. Materials. Just about everything on the cars -- tires, paint, brakes, working fluids, etc, etc, etc is better now. More durable, does its job better. Much of it is a lot better.

            4. Automatic transmissions -- I don't much care having, of necessity, mastered using a clutch in my youth. But a huge boon to those learning to drive

            5. Anti-lock brakes. They work well on dry or wet roads which is where most people drive. And they work after a fashion on unpaved roads. They do not work worth a damn in snow and ice and actually make it harder to stop where one wants to stop pointed in the direction one wants to be pointed on icy roads.

            6. Emission controls. Something of a PITA for most of us, but a real benefit to residents of some urban areas -- notably the Los Angeles basin.

            7. Rear view cameras

            OTOH not every improvement is actually an improvement or works all that well.

            Case in point. Something called Electronic Stability Control. Its principal function seems to be to prevent the ascension of hills in Winter although I believe that it will also tell me if the car is upside down -- something many, I think most, drivers can likely figure out without help. It's complicated, adds expense and really looks to be kind of dumb. My mechanic agrees with me for what that's worth.

            I'd also point out that it took a long time to get some of those things -- electronic ignitions, emission controls, automatic transmissions working right. Many decades in some cases.

            My point -- not every idea is a good one. And doing stuff just because you can usually is not a very good idea. Cars nowadays often last 20 years or more. People need to be able to fix them. I don't think you need, or should want, complex electronics to replace something that is simple, straightforward, and works well -- headlights. OTOH the stuff on the back of the car -- taillights, licence plate lights, blinkers, backup lights, brake lights, rear view camera, proximity sensors -- is sufficiently diverse that installing a simple digital device and control via the CAN bus may be reasonable.

            1. quxinot

              Re: Why

              ABS does not make a car stop shorter, ever. It allows you to steer while failing to have any decel force (which is why it's so miserable in genuinely low-grip situations like snow--rather than mandate it, why not just mandate better damned tires?)

              This does not belong in the 'benefit' list at all. It's a useless pile of crap that just adds weight. That said, it does make it very much easier to add additional pressure when emergency braking, as most drivers are unable or unwilling to properly push on a brake pedal in an emergency, and a temporary massive boost can be provided in a detected emergency.

        3. david 12 Silver badge

          Re: Why

          I really don't see the any

          Dunning-Kruger effect

          FWIW, everything just needs to be connected identically to the power bus and to the CAN bus. This is simpler, cheaper, and generically more reliable.

          A "smart" headlight doesn't need to be connected to switched power, and switched power doesn't need to be connected to the dashboard. And the dashboard also only has a power bus and CAN connection.

        4. Anonymous Coward

          Re: Why

          Hoping all these luddites are driving around with crash gearboxes. Any hint of a synchromesh or automatic gearbox would be rank hypocrisy.

          1. Anonymous Coward

            Re: Why

            Yup. Double clutching all the way. Literally.

            1. Wellyboot Silver badge

              Re: Why

              Syncro is an aid to double (de?)clutching, using it as such would see modern manual gearboxes lasting into the millions of miles instead of the syncro cones abuse lifetime.

              Gearbox abuse? - Guilty M'lud.

        5. d2

          Re: Why

          A 21 st ct boat anchor? pbs.twimg.com/media/FRolWv3VsAALVwg?format=jpg&name=large

          =Text in image=

          THIS VEHICLE EQUIPPED

          WITH

          MILLENNIAL ANTI-THEFT DEVICE

      2. thorlancaster328

        With a Manual, the immobilizer is the thief not knowing how to use it. There are no electronics in my Hyundai's manual transmission.

        1. Martin-73 Silver badge

          My berlingo has manual transmission, the immobilizer simply tells the engine control thingy not to allow the engine to run

        2. Anonymous Coward

          You will still have engine management electronics. That's usually where the counterpart to a chip in your key hides so you can mechanically open the vehicle but not start it.

    4. TheMeerkat Silver badge

      The issue in the text has nothing to do with keyless entry.

      As for keyless entry the main vector of attack is relaying messages between the car and the key, making it look like the key is in a pocket of an attacker (when in reality it is inside the house). You can’t defend from it by introducing better encryption.

    5. Michael Wojcik Silver badge

      I still don't understand why cars aren't using asymmetric keys

      Because the branch of the threat tree that asymmetric cryptography would protect against, which isn't protected by a pre-shared secret assigned when the car is manufactured, is largely negligible, and doesn't justify the additional fragility and power consumption that would be added to the key fob. Asymmetric cryptography isn't some magic solution to everything. It's primarily useful when there's no secure channel for initial secret agreement, and for cars there is: it's called the factory.

      That's assuming asymmetric cryptography would be implemented properly, with a protocol that actually provided additional security. And that's pretty damn unlikely when we're talking about auto manufacturers.

      Asymmetric cryptography wouldn't help with relay attacks, which are the most common attacks against the unlocking protocol. What does help with relay attacks is requiring user interaction on the key-fob end, but we can't have that because people are too damn lazy.

      And, of course, this attack has nothing to do with defeating the unlocking protocol.

  7. Plest Silver badge
    Happy

    Another one of those classic "illegal sure, but props for the ingenuity"

    nice

  8. Stuart Castle Silver badge

    Why do headlamps need to be smart? At most, the only things accessible in the light should be the lamp itself (including electronics for driving any LEDs) and possibly some sort of sensor. Any electronics required for controlling the lights should be buried somewhere where they are not easily accessible outside the car.

    1. martinusher Silver badge

      Wiring harnesses are expensive. CAN reduces wiring costs by networking the parts together rather than everything being point to point connections.

      1. DJO Silver badge

        Could be done by putting the CAN smarts in the socket and using a dumb light. Make it so the socket cannot be replaced without access to the engine bay.

        They already do something like that for the rear lights - There's often a single CAN connected circuit board behind the coloured lens with the smarts and the various bulbs plug into the board. But that was in the incandescent era. The much longer lifetimes of LEDs allow them to complicate matters nicely as LEDs can be expected to outlive the car so allowing easy replacement is no longer necessary.

        1. Julian 8

          amount of cars I see with a LED light arrangement not working is quite worrying - especially at the cost of a total replacement

          1. Martin-73 Silver badge

            yes, classically it's the brake lights, as they're overdriven for brightness, and people tend to have been taught to just stand on the brake at lights (NO, but that's a separate rant)...even in the olden days, leaving a 21w bulb lit in a tiny enclosure for 5 mins at railway crossings could cause melted lenses!

            1. Anonymous Coward
              Anonymous Coward

              The brake light thing is because many cars now have an automatic gearbox, and I found that automatic hold functions light them up too. Even worse, I found that the automatic distance management radars in some cars light up the brakes too when the vehicle slows down, irrespective of with how much force they do this.

              It is of course nice for the manufacturer that that defrays their liability if someone runs into the back of such a car (despite laws that say the one behind should keep distance), but it makes the driver of said car look like a nervous lunatic.

            2. The Oncoming Scorn Silver badge
              Boffin

              Melted Lenses!

              Well "four eyes" in the car behind you is obviously too close to you at the lights.

          2. vtcodger Silver badge

            Hmmmm

            I got to thinking and realized that I haven't replaced a light bulb in any of our cars for maybe two decades. It's not that I don't check the lights. I do a walk around on all of them once a month. And it's not that they are problem free. I've recrimped/resoldered a few corroded connections over the years. But the bulbs? They seem pretty durable nowadays. I have a container in the garage with a few spares for common bulbs -- 921, 1156, 1157 and something smaller with no part number. It's pretty dusty.

            Maybe I've just been incredibly lucky.

      2. IGotOut Silver badge

        Some Mercs have wireless Headlamp cluster controllers. If a person selling one with a "faulty" bulb, beware, that may be a £500 fix!

        1. DaemonProcess

          less than a BMW then.

          Some bimmers require you to drain the coolant and remove the radiator in order to change a light bulb. Purposely designed to make more money for the dealers and prevent owner servicing.

          It's rounded up to a 2 hour job and up to 750 squids to you guv.

          1. FirstTangoInParis Bronze badge
            FAIL

            Re: less than a BMW then.

            I had a Mark 6 Golf Plus with those LED rear lamp clusters. Failed for a pastime. 500 quid a pop, too.

            1. Martin-73 Silver badge

              Re: less than a BMW then.

              OOF, did you consider an incandescent replacement?

          2. gotes

            Re: less than a BMW then.

            Christ. Makes me glad I no longer own a car.

          3. Anonymous Coward
            Anonymous Coward

            Re: less than a BMW then.

            Not a new idea, I once had an Audi S4 (the naturally aspirated v8 one), and that too told you to go to the garage for replacing bulbs, even in the manual. It also knew when a bulb went, as it sensed all of them and then nagged you about it until you fixed it. I could see why they recommended a garage visit, in the front there wasn't exactly much space to work (the engine bay being rather full with engine) so lights had to be unmounted to get to the bulbs which is not something for everyone.

            That said, they did not get much income from me, I worked out fairly quickly how to do it myself and I had the gear for it. I was also in the habit of replacing bulbs in sets (4 indicators, 2 brake lights) as bulbs of the same age tend to fail reasonably close to each other. That way I had to do it once :).

      3. Pascal Monett Silver badge

        Security is expensive.

        You have it, or you don't.

        Apparently, Toyota doesn't.

      4. Brian 3

        This is a totally false economy - you'll still need however many amps at the back "distribution box" (think those are free?) so the feed wire will just be a big gauge. All these "smart" distribution relay boxes are insanely expensive, by the way, and have ridiculous failure rates. I bet the 19-23 generation of cars will be super extra dodgy with fake components everywhere.

        What is needed is to stop putting a whole load of inappropriate tat in cars.

        1. Yet Another Anonymous coward Silver badge

          >you'll still need however many amps at the back "distribution box" (think those are free?)

          You need one power wire to the rear and one data bus

          Alternately you need a separate power wire from 2 rear lamps, 3 brake lights, 2 reversing lights and probably some in-boot lights and an automatic boot lock all back to separate physical switches on the dash and then to physical fuses then to the battery

          1. Mishak Silver badge

            And it's not just the number of wires

            When I was contracting with an automotive OEM about 20 years ago, it was not uncommon for the (pre-CAN) wiring harness (+ switches and the like) to weigh in at close to 100Kg. The amount of fuel needed to keep accelerating that mass is not insignificant - especially when the design is on the edge of legislated fuel economy figures.

            1. Brian 3

              Re: And it's not just the number of wires

              I'm calling bollocks here. I work on cars every day for my living. Wiring harness in a typical car is more like maybe 20-30kg at most. Normal couple relay boxes included. My colleague Dave sells VW harnesses all the time because they're shite. It will all fit in a medium cardboard box and is easily carried by 1 person. Most scrap yards don't bother dismantling them except the engine harness (maybe 5-10kg) - and only because they've removed the engine as it's crushed for aluminum. Your 100kg figure, only if you add all the bollocks computers and distribution boxen in modern cars (say a fully loaded caravan). Including a set of video screens and blu-ray players and more bollocks like the "distribution boxes" under the fricking seats, you say all the switches but you must be including the blower fans and actuator motors and all kinds of things to get 220lbs of stuff. All mostly plastic, which will never go away. You really think EVERY DOOR needs its own separate computer? Several if it has "power" doors. Tailgate has 2 or 3 if it's "power" operated.

              Even with a computer for every door, they still put all the wires to the window switch same as in 1980 you know? All the way to the driver's door from all the other doors with electric windows. Even though, yes, the signals all end up going through the computers. To avoid this wiring I see many newer cars put the window switches in the middle of the car so there is only 1 bank. But now the dealer can shake down the body shop when it's time to replace your door after a bang-up. And I don't really SEE the weight savings you were suggesting.

              1. Orv Silver badge

                Re: And it's not just the number of wires

                VW harnesses are light because VW figures out what size wire would be prudent for a circuit's amperage load, then goes down a size. This results in a very lightweight harness that also spontaneously combusts to protect the fuses.

              2. Mishak Silver badge

                I'm calling bollocks here

                The figure did include the boxes, relays, fuses, connectors and the like that were needed in the days before functionality was moved to electronics (there was some for fuel injection, but that was the exception).

                This was "for real", and was for a top-of-the-range Merc (I don't remember the model). It was disassembled by the OEM I was working with and placed on large, wooden panels all along the walls of one wing of the electrical design centre for "competitive evaluation" (the OEMs exchanged models as they all did this, and this made the process a lot cheaper)!

          2. BitGin

            Yeah but given all these lights are LEDs now those wires can be much smaller and cheaper.

            Having separate wires also means you're much less likely to have a total failure leaving you with no lights at all.

    2. jdiebdhidbsusbvwbsidnsoskebid Silver badge

      "Why do headlamps need to be smart?"

      There's plenty of stuff inside a humble headlamp cluster that needs controlling via the CAN bus: as well as the dip, main, side and parking lights, there are the indicators, the motors for the self leveling function (required for certain types of high intensity lights), there might also be sensors for detecting failures. Yes, you could have the bus connection secure inside the vehicle and all those functions separately hardwired into the light cluster, but as pointed out elsewhere here, wiring looms are expensive to fit, bulky and can wear out due to vibration etc. (The CAN bus is more robust than a conventional loom, it's differential driven and the spec is such that even if one wire breaks, it will still work).

      This isn't new. I heard over 10 years ago from someone who knew about doing nefarious things to cars for a living, that a very well known brand had their CANbus exposed at the headlights. Looking back, it probably wasn't just that brand.

      1. Anonymous Coward
        Anonymous Coward

        when you implement smart in a foolish way is it still... "smart"?

        It is "smart" for marketing and profit only. The argument that it is cheaper (especially during "chip shortages") is laughable. It is a new 'additional' technology bolted in.

        It is a light which is either on or off. It should use very little power and it should be simple not smart.

        This exploit is pure silliness as it should not even exist as a potential.

        This is right up there with subscriptions for basic functions of the car and in dash tablets more uselessness in modern vehicles...

    3. Helcat Silver badge

      They can be smart these days.

      Reactive/auto sensors, cornering, auto-dim, there's quite a list.

      Sure, most of it just needs a control unit to tell the lamp what to do, but those lamps return diagnostic data, too - and I suspect that's the problem.

      What annoys me is the manufacturers should put security on a separate system. However, with the difficulty in getting chips, I can see why they'd route everything through one system instead.

      Flip side: How hard is it to add a limiter to say 'if the car unlock doesn't come through this route, don't unlock the car', the same for the ignition, and for the immobilizer: That would stop this plugging a CAN into a headlight circuit to allow bypassing/disabling security systems.

    4. Anonymous Coward
      Anonymous Coward

      Why is the ignition lock on a bus, anyway? For critical items (like safety or security), run a dedicated wire. If the ignition module is happy, there's power on the wire (which is only accessible inside the steering column or the engine compartment), if not, don't start the car. No amount of messing with headlights can interfere.

  9. wolfetone Silver badge

    The only way to protect your vehicle is to put a disclok on the steering wheel. That's it.

    If your car is going to be stationary for a while, take the rear wheels off and put it on bricks.

    You can't rely on yet more technology to help mitigate the problems technology has brought to the car.

    1. Mishak Silver badge

      Even that isn't always enough

      "Transcript" of a conversation at a place I once worked (names "randomised"):

      Eve: "Hi Steve, I see you're having trouble with that flashy Toyota Supra again"?

      Steve: "What do you mean"?

      Eve: "They're loading on to the flatbed now".

      Steve: "****".

      The car had all sorts of locks and immobilisers, but it still went missing.

      1. 43300 Silver badge

        Re: Even that isn't always enough

        We had a transit van nicked from right beside one of our buildings, during the day when people were in the building. It was found by the police a few hours later dumped in a layby with the engine ripped out - apparently there was quite a demand for transit engines at the time.

        1. Yet Another Anonymous coward Silver badge

          Re: Even that isn't always enough

          In the good old days they would at least have left you a sawn-off shotgun or a bag of used notes in the back

        2. Anonymous Coward
          Anonymous Coward

          Re: Even that isn't always enough

          Those were the days when "I'll be ten minutes later; I'm coming in a Tranny" meant something a fair bit different to what it means today.

    2. jdiebdhidbsusbvwbsidnsoskebid Silver badge

      "The only way to protect your vehicle is to put a disclok on the steering wheel"

      https://www.lancashiretelegraph.co.uk/news/1973370.car-thieves-use-transporter-lift-12-cars-four-days/

      They'll just lift the cars away instead. In the story above, police think the cars were stolen for scrap, meaning they wouldn't even need to get the car into a workshop somewhere and use a disk cutter in slow time to cut the steering wheel lock off.

      1. Jan 0 Silver badge

        Whenever I see a car on a transporter with its alarm blaring I always wonder ....

        1. Mishak Silver badge

          Yep

          Either stolen or repossessed!

          1. Anonymous Coward
            Anonymous Coward

            Re: Yep

            Same thing, pretty much.

      2. Blazde Silver badge
        Holmes

        The only way it makes business sense to source a transporter for 4 days just to steal 12 cars with an average scrap value of 80 quid each is if they stole and scrapped the transporter too. Then you're looking at a cool 1500 pounds easily for 4 nights work? Split between however many schmucks signed up for the job.

        Or it was cover for some much more serious or enriching crime...

        1. Brian 3

          80 quid? Bollocks! My local dealer is paying $380 a ton (CDN). That's $600+ per car, another $4-600 for catalysts and maybe tire $ or alloy$ too.

        2. Mishak Silver badge

          Yes, they're not worth a lot if sold for scrap. However, if they are broken down and sold as spares*...

          * Which is often why it is well worth negotiating when selling for scrap, as this is what a lot of the scrap (or "breakers") yards do.

      3. MachDiamond Silver badge

        "police think the cars were stolen for scrap, "

        If an OEM replacement headlight is $880, damn right those cars will be picked up to be parted out. Just the main exterior lighting, front and back, adds up to thousands not to mention things like catalytic converters and other things that don't have the VIN stamped on them.

    3. Dave314159ggggdffsdds Silver badge

      Diskloks are basically a con, like a lot of so-called 'security' devices. They are trivial to remove, what with being roughly as hard to cut as a tin can, having useless locks, and being openable with a hammer, but even worse, you can actually steer with one in place.

      The idea thieves who come equipped with specialist knowledge and thousands of quid in specialist tools to break in via Canbus can't also remove a disklok is a bit silly.

      There's a simple test for whether a car security device actually offers any security: does your insurer give you a reduction on your premium for fitting one. The answer, at least with the disklok, and every other steering lock I've heard of, is no.

      1. Mishak Silver badge

        It would be interesting to see how long it takes "LockPickingLawyer" to get one off.

        1. Derezed

          “Click on two…three is binding…and it’s open. This is a pretty powerful lock, I really am just that good”

          1. Dave314159ggggdffsdds Silver badge

            I've always wanted to see him have a go at the door to the halls of Erebor...

        2. Dave314159ggggdffsdds Silver badge

          The cores they use are so utterly uninteresting it'd be a boring video - one of his standard 'here's a typical cylinder that takes seconds to open'. I'd be more interested to see him pointing out all the other flaws.

      2. Yet Another Anonymous coward Silver badge

        The point of a disklock isn't to protect your Lamborghini if you regularly park in a bad part of town.

        It's to make a casual thief go for the Honda parked next to yours

        1. Dave314159ggggdffsdds Silver badge

          But there aren't any casual thieves anymore.

    4. Anonymous Coward
      Anonymous Coward

      The only way to protect your vehicle is to put a disclok on the steering wheel.

      Switch in the fuel pump wire, or tap in the fuel line still works. The latter has the beauty that they drive a bit down the road and it dies.

      Back in the day, I also put a relay contact in the fuel gauge wire too, so it also looked like the tank was dry.

  10. Julian 8

    Good to know

    So when you buy a car in the future and the manufacturer wants to lock you out, you have a way to get around it

  11. heyrick Silver badge

    Oh my god

    If it's accessible from the outside, then it shouldn't be trusted. End of.

    (and really there should be two buses, a secure inaccessible one for the engine management and control and another less secure one for all the other crap like lights and media player)

    1. I am David Jones Silver badge
      Headmaster

      Re: Oh my god

      It’s hardly “accessible” if you need to break open the car to get to it.

      1. My other car WAS an IAV Stryker

        Re: Oh my god

        For battery electric vehicles, the data link (CAN or other) will be accessible (if not now, then soon) to an offboard charger via the charging port.

        Open hatch (may require minimal breakage), insert dummy plug, inject messages, unlock, enable driving mode, goodbye car... and no tell-tale vroom as they speed away.

        1. Orv Silver badge

          Re: Oh my god

          That's true of Teslas, which use a CAN bus extension to identify the car to the charger for billing purposes. I don't think any of the other current charging standards use CAN.

    2. Anonymous Coward
      Anonymous Coward

      Re: Oh my god

      why bother to have one that is less secure?

      Lights and media shouldn't need a bus, just power, if that's what you mean.

    3. steelpillow Silver badge

      Re: Oh my god

      Should be OK to run the secure control bus as an encrypted VPN or similar over the insecure bus.

      Most decent auto systems already have a wall between the critical subsystem and the passenger toadying subsystems, so it shouldn't need a revolution in the architecture.

      1. Mishak Silver badge

        Re: Oh my god

        Not really, as CAN is a hard real-time bus (which means messages are very time critical). For example, I work on systems where a specific CAN message is sent out 1000 times a second and is used to trigger events in other nodes (setting outputs, sampling inputs). Most nodes run on low-end microprocessors (which are very cheap - you don't want to have to spend an extra few £/$ per node when there are lots of them).

  12. Andy the ex-Brit

    I don't have a car that's likely to be stolen (it's 18 years old and has a manual transmission in the US) but if I did, I'd install a hidden switch somewhere in the cabin, with a relay that simply cut power to the ECU when toggled off, then make a habit of flipping it when I parked the car. Maybe a couple of hours of work for a lot of peace of mind.

    1. Giles C Silver badge

      I remember someone making a double number plate for a car. There were 3 number plates: the one on the car had the normal number, and in front of that was one held with electromagnets; on one side it had the normal plate, on the other it said stolen.

      The idea was a switch in the car had to be pressed to engage the magnet, otherwise when you drove off it would flop down and reveal the word stolen to anyone following.

      Seems very simple in principle.

      Mind you the biggest protection they could make for bus networks is to route the cables where they are only accessible with a bit of work, ie the headlamp bus connector is only accessible if you remove the headlamp which also means opening the bonnet and stripping out a few covers first.

      1. Wellyboot Silver badge

        One good thump and the small plastic lugs* holding the light fitting in place will shear, allowing access with a screwdriver and a little more brute force.

        *I've replaced these at a cost of a few pounds each, dealers will sell you them if you ask for the correct part numbers - but they'll never volunteer them as an alternative to several hundred $/£ for a full assembly. (look for screw mounting holes next to the lugs)

    2. Dave314159ggggdffsdds Silver badge

      A kill switch is a good idea, but bear in mind you don't want to switch off the alarm when you flip it. Easy enough to wire it in to the ignition circuit instead.

      1. Andy the ex-Brit

        My car doesn't even have an alarm, as far as I know.

      2. Richard 12 Silver badge

        Modern cars don't have an ignition circuit.

        Mine does have an alarm, as I discovered last night.

        1. Dave314159ggggdffsdds Silver badge

          "Modern cars don't have an ignition circuit."

          Depends on how pedantic you're being about terminology. I was using the term very loosely indeed, but you're right, it's the wrong term if we're focusing on the actual ignition part. Cutting power to the injectors is probably easiest, on most modern cars.

          Mainly I use the classic anti-theft technique of parking next to a much nicer car than mine :)

          1. MachDiamond Silver badge

            "Mainly I use the classic anti-theft technique of parking next to a much nicer car than mine :)"

            An even older method is to look at the neighborhood and not park up if it looks pretty dodgy. It sucks to have your car stolen, but it's also a huge PIA if they smash the glass and destroy the steering column only to find they can't make it go.

      3. Michael Wojcik Silver badge

        A kill switch is a good idea, but bear in mind you don't want to switch off the alarm when you flip it

        Oh, yes, I would. When has a car alarm ever done anything other than annoy people in the area?

        When I were a lad, many of my friends had kill switches of some sort in their cars, whether the cars were at all desirable or not. It was one of the first projects for the aspiring home mechanic. Just pick up a toggle switch at Radio Shack and wire it into the ignition wire under the dash, then mount it in an inconspicuous location. Easy to defeat but it takes a bit of time.

  13. Anonymous Coward
    Anonymous Coward

    Been happening to Alfa Romeos as well

    This is not confined to Toyotas only, there's been a spate of thefts of Alfa Romeo Stelvios and Giulias recently where a similar approach was used, in this case they "remove" (rip out) the cruise control radar module in the front grille which gives access to a CANbus connector on a bus which talks to the car's security systems. They can then unlock the car and once inside program a new key into the car's computer (using the connection from the bumper) and drive off.

    Third parties are now offering steel brackets to surround the radar module to prevent them from removing it and accessing the connector. Top tip: the original plastic bracket is often damaged during attempts and Alfa only sell it together with the radar module for an eye watering amount.

    The module is actually from Bosch and is used by other brands, including Volkswagen / Audi, and VAG sell the plastic mounting bracket separately, just in case anyone with a broken off radar sensor is reading this.

    1. Anonymous Coward
      Anonymous Coward

      Re: Been happening to Alfa Romeos as well

      I know which other website you hang out on ... :-p

  14. wsm

    Yet another unsecured network

    I had no idea Toyota was producing cloud-mobiles.

  15. Anonymous Coward
    Anonymous Coward

    World domination vector.

    CAN is used in robots, which are much easier to break into - just take off a plastic panel. (For anyone interested in taking over the world in a few years.)

  16. Henry Wertz 1 Gold badge

    Network isolation

    Network isolation....

    I'd just like to point out, after the demo of remote starting, dicking around with brakes, and enabling/disabling power steering, etc. on a Jeep via Onstar, that at least some car companies have separated their CAN busses to some extent. (The Onstar had access at all because one of the features is to notify you, and a repair place if you want, if your car sets any check engine light codes; and you can (why you'd want to, I don't know?) check your fuel level remotely.) Previously the Onstar module was relied on to behave itself and was directly on the (single) CAN bus; after that incident, it is isolated and only requests it's supposed to be able to make are let through. How much isolation is there? Would the headlight be isolated from the remote key receiver? That I don't know (other than on Toyota RAV4s where clearly the answer is "no".)

    1. Mishak Silver badge

      Re: Network isolation

      Back in the early 2000's I designed a CAN "firewall" that basically did that - though it was really there to prevent experimental / development / prototype hardware from corrupting the powertrain CAN.

      It's not easy to do though, as you ideally don't want to introduce latency into the messages - I managed to get it down to about 12uS, which was about as good as you could get at the time using "store and forward".
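The isolation described in the two comments above (a gateway that lets through only the requests a segment is supposed to make), as an added example that is not part of either comment and not any manufacturer's code. The CAN IDs, lengths and rate limits are constructed placeholders, and all type and function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The two bus segments the gateway sits between. */
enum gw_port { PORT_EXPOSED, PORT_PROTECTED };

enum gw_verdict {
    GW_FORWARD,        /* frame matches a rule and is passed on        */
    GW_DROP_UNLISTED,  /* no rule for this ID from this segment        */
    GW_DROP_LENGTH,    /* ID is allowed but the length is not expected */
    GW_DROP_RATE,      /* ID is allowed but arrives too often          */
    GW_VERDICTS
};

/* Classic CAN frame: 11-bit ID, up to 8 data bytes. */
struct frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

struct gw_rule {
    uint32_t     id;
    enum gw_port from;        /* only segment allowed to originate this ID */
    uint8_t      dlc;         /* exact expected payload length             */
    uint32_t     min_gap_ms;  /* minimum spacing between forwarded frames  */
    uint32_t     last_ms;     /* time the last frame was forwarded         */
    int          seen;
};

#define GW_MAX_RULES 8

struct gateway {
    struct gw_rule rules[GW_MAX_RULES];
    size_t         n;
    unsigned       count[GW_VERDICTS];  /* per-verdict counters for alerting */
};

void gw_init(struct gateway *gw)
{
    /* Constructed example IDs, not taken from any real vehicle. */
    static const struct gw_rule defaults[] = {
        { 0x3A0, PORT_EXPOSED,   2, 100, 0, 0 },  /* lamp status report */
        { 0x3A1, PORT_PROTECTED, 1,  50, 0, 0 },  /* lamp command       */
    };
    gw->n = sizeof defaults / sizeof defaults[0];
    for (size_t i = 0; i < gw->n; i++)
        gw->rules[i] = defaults[i];
    for (int v = 0; v < GW_VERDICTS; v++)
        gw->count[v] = 0;
}

static enum gw_verdict gw_count(struct gateway *gw, enum gw_verdict v)
{
    gw->count[v]++;
    return v;
}

/* Default deny: a frame crosses the gateway only if its ID is listed for
 * the segment it arrived on, with the expected length and spacing. */
enum gw_verdict gw_check(struct gateway *gw, const struct frame *f,
                         enum gw_port from, uint32_t now_ms)
{
    for (size_t i = 0; i < gw->n; i++) {
        struct gw_rule *r = &gw->rules[i];
        if (r->id != f->id || r->from != from)
            continue;
        if (f->dlc != r->dlc)
            return gw_count(gw, GW_DROP_LENGTH);
        /* Unsigned subtraction stays correct across tick wraparound. */
        if (r->seen && (uint32_t)(now_ms - r->last_ms) < r->min_gap_ms)
            return gw_count(gw, GW_DROP_RATE);
        r->seen = 1;
        r->last_ms = now_ms;
        return gw_count(gw, GW_FORWARD);
    }
    return gw_count(gw, GW_DROP_UNLISTED);
}

int main(void)
{
    static const char *names[] = { "forward", "drop: unlisted",
                                   "drop: length", "drop: rate" };
    struct gateway gw;
    struct frame status = { 0x3A0, 2, { 0x01, 0x00 } };
    struct frame cmd    = { 0x3A1, 1, { 0x01 } };

    gw_init(&gw);
    printf("status from exposed side:  %s\n",
           names[gw_check(&gw, &status, PORT_EXPOSED, 1000)]);
    printf("status again 10 ms later:  %s\n",
           names[gw_check(&gw, &status, PORT_EXPOSED, 1010)]);
    printf("command from exposed side: %s\n",
           names[gw_check(&gw, &cmd, PORT_EXPOSED, 1200)]);
    printf("command from inside:       %s\n",
           names[gw_check(&gw, &cmd, PORT_PROTECTED, 1200)]);
    return 0;
}
```

A filter like this only stops IDs owned by the protected side from being originated on the exposed side; an ID the exposed segment legitimately sends can still be spoofed from that segment, so the drop counters are worth feeding to the alarm logic.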

    2. The Oncoming Scorn Silver badge
      Coat

      Re: Network isolation

      OnStar® is on Chevrolet,® Buick,® GMC® and Cadillac® vehicles on the road today.

      Jeep is the brand of Chrysler Automobiles that has no collaboration with GM motor or OnStar.

  17. DS999 Silver badge

    I find it hard to care about this

    I have a 2021 Audi with a smart (proximity based and encrypted) key that's supposed to be super secure but I would be completely unsurprised if there isn't some simple attack like this that could allow it to be stolen. So what? That's what insurance is for.

    The only cause for worry would be if 1) the attack is widely known on the internet 2) is simple enough an average thief can manage it and 3) is impossible to correct via software and won't be corrected via hardware (i.e. because the recall would cost too much) Even then the likelihood my car is stolen would be pretty low, my main concern would be the higher cost of insurance.

    1. Mishak Silver badge

      1) the attack is widely known on the internet

      Like the Kia Hack

    2. Richard 12 Silver badge

      Re: I find it hard to care about this

      Any such thing will quickly become easily available.

      The hardware parts needed are standard and cheap, plus some firmware that will be trivially purchasable by those who know where to look

  18. James R Grinter

    Lucky it belonged to someone working in the security field

    On the other hand, unlucky that they didn’t already know of the vulnerability.

  19. Anonymous Coward
    Anonymous Coward

    Not an issue

    I just take all 4 wheels with me when I park up…

    1. Orv Silver badge

      Re: Not an issue

      When I had a VW I used to take the ignition coil lead with me.

  20. Richard Pennington 1
    Coat

    Hacking a bus ...

    If you can steal a Toyota by hacking a bus, can you steal a bus by hacking a Toyota?

    I'm sure I left my coat on the front passenger seat ...

  21. Anonymous Coward
    Anonymous Coward

    People can violate trust......then there's anonymous messages................

    Quote: "...these internal messages aren't protected: the receivers simply trust them...."

    Where have I heard this before? Yup....."trust". Same with email messages (e.g. phishing)....the receivers simply trust them!!!

    When will the IT folk learn a simple lesson.......even with actual face-to-face time, some people are untrustworthy. When you get to IT messages.......

  22. diguz

    Nothing new under the sun

    Nobody remembers the Jeep hack of some years ago? Even ElReg reported on it (https://www.theregister.com/2015/07/21/jeep_patch/).

    You can indeed steal cars without even breaking the bumper or the headlight, just get into its infotainment system via cell connection....

  23. Steve Jackson

    This kinda stuff is sold as convenience and generally ends up working against you

    Inconvenient.

    At least with this they still had to rip parts of the car physically apart.

    The perfect crime will be when your car just drives off to RV with the attacker.

    I can wait....probably not long.

  24. An_Old_Dog Silver badge

    Bus Security

    This is not a recently-discovered problem. In 1979(!) Brian Daley wrote "Han Solo at Stars' End" in which a sentient computer got control of a building's environmental control/alarm system by compromising a robot which was controlled via that same network.

    Said the sentient computer: "It's an integrated network. Great cost savings, but lousy security, huh Captain?"

  25. unaware

    Interesting that this was discussed on the Altium podcast recently and the same story shows up here. From what is said most cars older than 3 years old are less vulnerable. Anyhow in the future your car will be hacked via the web, not CAN. Ha.ha.
