2TreeIS

My 2023 IS was stolen in Ontario a few nights ago. They smashed my sunroof and drove off. I was able to recover the vehicle with a tracker! Where do I go from here after it is repaired by the insurance? Any recommendations on how to prevent this from happening again?
Background: My car was locked and keys were in a RFID box!

NYIS300awdFS

Sorry to hear, it’s the second incident I’ve seen reported here where the thieves smashed the sunroof.
Other victim says he is installing a kill switch.

ma3o

Absolutely ridiculous. And the Toronto police does nothing to stop it, they even tell you to leave your keys at your front door LMAO.

I think they steal the cars by making a new key through the OBD2, I’d find a way to disable it. Or just move to the US

Jazzrock

My car was stolen more than a month ago. A Kill switch is the best option. An Airtag is important in getting the car back. We don't have a garage, so I'm being more diligent about putting a cover on the car.
Going through the sunroof after shattering it is common now. The cop who came to our house said they plug a device into the OBDII reader and get the signal that way. I'm glad you got your car
back and it is repairable.

sunamer

1) Do you know whether your rfid box actually works?
2) where was the second key stores at?

You can try getting that box with the keys inside and try to open the door of a locked car to see if the box can provide strong enough attenuation or not.

ma3o

If they did a relay attack they wouldn’t need to break the sunroof, the key storage wasn’t the reason why it got stolen

kj07xk

I think what was being said earlier is that keys are not needed, they could be on the moon, and the thieves can still start and take your car.

sunamer

I agree... but this attack seems to be weird to me. Looks like, they access the main bus of the vehicle(hence the need to get inside or remove a headlight to get to the wiring, hook it up, and somehow produce/inject the "ok" signal that tells the ECU that it is okay to start the engine.

Interesting how this wasnt a problem before but now it is. Those thieves who use this, arent smart enough to develop the tech of this level.

found this: https://www.theregister.com/2023/04/06/can_injection_attack_car_theft/
https://kentindell.github.io/2023/04/03/can-injection/

ma3o

Models like the RX and RAV4 are stolen through the headlight method, allowing them to start the car and break in without smashing any windows or having to make a new key. I wish Toyota did something to stop this but I guess they’re happy to sell you a new car to replace the stolen one

KennyFSU

The amount of Lexus cars being stolen recently is alarming; I saw 2 in CA within a week using a similar CANBUS attack.

sunamer

Yep.. The device to inject CANBUS messages is about 5k. Looks like its cost is less than $100 to make. Unless toyota finds a way to encrypt it, this wont stop.

Looks like Toyota's assumption about the integrity of the bus and vehicles perimeter integrity were wrong.
if they truly send "key authenticated" within the CAN and the ECU simply listens to that, that is just lame.
It is like having a connector on the side of a safe where if you apply voltage to it, it would open without the needed combination.

2TreeIS

Yes my RFID box works and both keys were inside. I believe they made a new key from the OBD port

BillCannon

In addition, systems segmentation and establishing trust boundaries would go a long way. The gateway chip that Toyota uses to bridge parts of the bus does nothing here.