Discovery 2017

  • Geeboy
    Member Since: 12 Aug 2023
    Location: Doncaster
    Posts: 8
    United Kingdom 
    2020 Discovery Td6 HSE Loire Blue

    CAN Bus Injection Theft Vulnerability

    On Christmas Eve my neighbour had their 2019 Discovery Sport stolen in less than 2 minutes. I have a 2020 Discovery 5 so looked into how this might have happened. There is a lot of outdated information out there and a lot of it points to Remote Relay theft, where thieves use an amplifier to make the car think the key fob is closer to the car than it is. It seems that Land Rovers after 2018/19 don't have vulnerability to this as they use Ultra Wide Frequency, which checks the distance between key fob and car, and in the CCTV footage from the neighbour no amplifier was used.

    Having researched more, it's alarming that the latest technique doesn't need the original key fob to be amplified and relies merely on access to the CAN bus somewhere on the car. For those that don't know, the CAN bus is two wires that link most electrical parts to the ECU, along which communication takes place. The latest technique uses a piece of kit which injects code through some equipment that has a CAN bus connection (such as a headlight) to the ECU, instructing it that the thief has a key and to open the doors and disarm the immobiliser. Once inside the car the thieves generally disconnect the device and plug it directly into the OBD2 (fault-finding) port under the steering wheel and use the same technique to start the car and drive off. If the OBD2 port has been secured they can also do the same from the original place, but inside the car is more convenient.

    More information about this is below, which talks about the problem on Toyotas, but searching various websites these devices are available for Land Rovers, with YouTube videos showing them in action with the latest vehicles.
    https://kentindell.github.io/2023/04/03/can-injection/
    Watching the CCTV footage, it is how our neighbour's was stolen. The devices cost around £5k so would put off most petty thieves, but as is the case with electronics it won't be long before the prices come down as they are cloned, and it still looks a good investment for proper crooks given the cost of the cars they are targeting.
    My questions to anyone knowledgeable in this area are
    1) Would a ghost type immobiliser protect against this as it also uses the CAN bus and there are reports that this device forces a priority over other devices?
    2) Where are thieves using this technique getting access to CAN bus on a Discovery 5? (Preferably DM me so it's not encouraged by thieves who might read this)
    3) What measures have people taken to protect against this kind of attack (old school kill switches etc.)?
    4) Are Landrover planning to update their software to protect against these attacks?
    I find it really alarming that this started surfacing last April and that so many people's very expensive vehicles are still vulnerable to such a quick and easy attack.
  • jimbg
    Member Since: 23 Jun 2016
    Location: Devon
    Posts: 1455
    United Kingdom 

    Read my post on the Sport site.

    https://www.rrsport.co.uk/forum/post628354.html

    This is supposed to give you the same security level as the new Sport and full size Range Rover.

    Hopefully positive update from JLR - from their website Dec 23 - fully launched Jan 24

    “Range Rover clients in the UK can now benefit from a new insurance solution through Land Rover Insurance. The new solution is designed for clients who may be facing challenges with increasing insurance premiums, which are affecting the industry. (2)

    Land Rover Insurance will improve the buying and ownership experience for Range Rover clients. Eligible clients can now obtain a quote online and manage their monthly rolling subscription and policy cover in a flexible way, at any time.

    The fully comprehensive insurance ensures any repairs are completed by a JLR authorised bodyshop, using only genuine parts. The policy is completely flexible, with no deposits or interest charges, and clients are able to amend or cancel their cover with no fee. The price is also guaranteed for 12 months, for added assurance and peace of mind.

    Also available to clients looking to insure Defender and Discovery vehicles, as well as Jaguar clients through Jaguar Insurance, the service has provided quotes to more than 4,000 clients since October, with an average monthly premium of less than £200. JLR has also proactively shared with leading insurance providers its latest data – reflecting the robustness of security in new and older models – to help increase the range of insurance options on the open market.

    The latest vehicles are proving highly resilient to thefts: UK police data shows that since January 2022, only 9 of the 12,200 new Range Rovers on the road have been stolen (0.07 per cent), while only 13 of the 13,400 new Range Rover Sports on the road have been affected (0.1 per cent).

    As part of a suite of services to enhance the ownership experience for its clients, JLR announced last month its £10 million investment in vehicle security to help tackle keyless thefts. This included an extensive rollout of security updates benefitting more than 70,000 older vehicles in the UK since the initiative began in 2022, ensuring the same levels of protection against theft as current, new models. This, along with dedicated collaboration with police and partners, is reducing thefts.”

    2017 HSE now sold, if you own WF17AXN then you have a well sorted car!
    2022 Range Rover Sport P400e HSE Dynamic and 2023 Sport P440e Dynamic SE on order
  • Geeboy
    Member Since: 12 Aug 2023
    Location: Doncaster
    Posts: 8
    United Kingdom 
    2020 Discovery Td6 HSE Loire Blue

    Thanks for the reply Jim,
    I'm not entirely convinced that the fix will prevent the latest devices, as one of the websites has a video showing the latest Range Rover Sport L461 being bypassed, but I suppose it depends on the gangs' ability to update their devices and will likely be a game of cat and mouse for LR until the communication on the CAN bus is somehow encrypted.
    I only bought my D5 second hand last year. Is there a way to check whether the update has been done or do I need to contact a dealer?
    Steve
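
The post above raises protecting CAN traffic cryptographically. As an added example (not part of the thread and not any manufacturer's actual protocol), this sketch shows how a receiver can reject injected or replayed frames using message authentication with a freshness counter rather than encryption. The key, the CAN ID and the payload layout (data, one counter byte, 4-byte truncated HMAC) are constructed assumptions.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4                     # truncated tag length in bytes (assumed layout)
MAX_DATA = 8 - 1 - MAC_LEN      # classic CAN payload is 8 bytes: data + counter byte + tag
KEY = b"constructed-demo-key"   # constructed key for the demo


def _tag(key, can_id, counter, data):
    """Truncated HMAC over the frame ID, the full counter and the data."""
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def protect(key, can_id, counter, data):
    """Sender side: data || low counter byte || truncated tag."""
    if len(data) > MAX_DATA:
        raise ValueError("data too long for one authenticated frame")
    return data + bytes([counter & 0xFF]) + _tag(key, can_id, counter, data)


class Receiver:
    def __init__(self, key):
        self.key = key
        self.last = {}  # highest accepted counter per CAN ID

    def accept(self, can_id, payload):
        """Return the data if the frame is authentic and fresh, else None."""
        if len(payload) < 1 + MAC_LEN:
            return None
        data = payload[:-MAC_LEN - 1]
        low = payload[-MAC_LEN - 1]
        tag = payload[-MAC_LEN:]
        last = self.last.get(can_id, 0)
        # Rebuild the full counter: the next value above `last` with this low byte.
        counter = (last & ~0xFF) | low
        if counter <= last:
            counter += 0x100
        if not hmac.compare_digest(tag, _tag(self.key, can_id, counter, data)):
            return None  # injected without the key, or replayed with a stale counter
        self.last[can_id] = counter
        return data
```
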
  • jimbg
    Member Since: 23 Jun 2016
    Location: Devon
    Posts: 1455
    United Kingdom 


    2017 HSE now sold, if you own WF17AXN then you have a well sorted car!
    2022 Range Rover Sport P400e HSE Dynamic and 2023 Sport P440e Dynamic SE on order
  • JonM
    Member Since: 30 Jun 2016
    Location: North Yorkshire
    Posts: 574
    United Kingdom 
    2022 Discovery SDV6 HSE Carpathian Grey

    The UWB keys were introduced in 2018 but LR have now started recalling pre 2022 cars for a software update to make them as secure as 2022 onwards vehicles.

    They are not publicly revealing what the software update does but as it is being applied to vehicles that already have the UWB key system, it seems likely that it is addressing the CAN bus vulnerability. They are also boasting about how few of the latest vehicles (which already have this update) are being stolen. Whatever it is, seems to be working until the thieves find a new attack.

    MY2022 D5 HSE D300 - with extra nice bits added
    MY2019 D5 HSE 3.0 SDV6 - sold to a dealer for a crazy price!
  • Geeboy
    Member Since: 12 Aug 2023
    Location: Doncaster
    Posts: 8
    United Kingdom 
    2020 Discovery Td6 HSE Loire Blue

    Thanks Guys
    Having checked Jim's link, it says there are no campaigns outstanding, which could explain why they went for the neighbour's car rather than mine. Might ask them for their VIN to check, but it puts my mind at rest a little bit.
    Steve
  • jimbg
    Member Since: 23 Jun 2016
    Location: Devon
    Posts: 1455
    United Kingdom 

    I would check with a dealer as it’s a campaign that’s being rolled out in batches.
    If they have not reached your VIN then it would not show as outstanding?

    2017 HSE now sold, if you own WF17AXN then you have a well sorted car!
    2022 Range Rover Sport P400e HSE Dynamic and 2023 Sport P440e Dynamic SE on order
  • Geeboy
    Member Since: 12 Aug 2023
    Location: Doncaster
    Posts: 8
    United Kingdom 
    2020 Discovery Td6 HSE Loire Blue

    Just spoke to JLR customer services who have confirmed that my vehicle is not eligible for the update yet and that it's still unsure as to whether the update will solve the problem as they are not able to identify how it's happening. She said they are releasing the update to try on some vehicles to see if it solves the issue and have advised to use steering wheel lock etc.
    Doesn't fill me with much confidence especially with very recent videos of latest models of RR Sports showing as quickly unlocked and started.
    Sad
  • jimbg
    Member Since: 23 Jun 2016
    Location: Devon
    Posts: 1455
    United Kingdom 

    Well they claim only 13 have been stolen out of 13,400 delivered! Shocked

    Do you have a link to the video?

    2017 HSE now sold, if you own WF17AXN then you have a well sorted car!
    2022 Range Rover Sport P400e HSE Dynamic and 2023 Sport P440e Dynamic SE on order
  • Geeboy
    Member Since: 12 Aug 2023
    Location: Doncaster
    Posts: 8
    United Kingdom 
    2020 Discovery Td6 HSE Loire Blue

    *Link deleted


    Last edited by Geeboy on 8th Jan 2024 12:42 pm. Edited 1 time in total
  • jimbg
    Member Since: 23 Jun 2016
    Location: Devon
    Posts: 1455
    United Kingdom 

    Thanks, but that is a link to the manufacturer of a device, and he has opened the boot to attach it.

    Probably best to delete the link and not help his sales efforts!

    2017 HSE now sold, if you own WF17AXN then you have a well sorted car!
    2022 Range Rover Sport P400e HSE Dynamic and 2023 Sport P440e Dynamic SE on order
  • Geeboy
    Member Since: 12 Aug 2023
    Location: Doncaster
    Posts: 8
    United Kingdom 
    2020 Discovery Td6 HSE Loire Blue

    I've removed the link and will PM you
  • harrythespider
    Member Since: 19 Jul 2018
    Location: cumbria
    Posts: 404
    United Kingdom 
    2017 Discovery TDV6 HSE Aintree Green

    I watched the video before the link was deleted. As mentioned, there was a lead coming from the closed rear tailgate; I assume that was the connection used to access the CAN bus to enable the software to interrogate the vehicle and ultimately allow theft. So was it a cloned key? Reprogrammed key? Or is the creator of the video taking us for a ride and actually using the car's original key (which allowed opening the tailgate) and hoping someone will send him £5k and receive nothing?

    3.0 HSE. climate HUD active diff. elec towbar. FBH and timed climate.Capability plus pack.split TV. surround sound. Intelligent seating. adaptive lights, wade sensing. 360 cameras.pro pack.cooler.advanced tow, auto park,activity key+ more!!!!
  • Geeboy
    Member Since: 12 Aug 2023
    Location: Doncaster
    Posts: 8
    United Kingdom 
    2020 Discovery Td6 HSE Loire Blue

    The devices are real and there are plenty of examples of them being used (I've PM'd you more details).
    Our neighbour's stolen Discovery Sport looks to have been opened using the latest version of relay theft, where the key fob can now be repeated from 300m. They came back the following weekend and had a leisurely hour and a half walk through our village, opening several car doors and stealing the contents before starting and taking another 2 vehicles (not Land Rovers). Land Rover's keyless entry can be disabled, so I'd suggest everyone does that if they haven't already.
  • Aldo
    Member Since: 23 Jul 2019
    Location: Cheshire
    Posts: 106
    United Kingdom 

    Main methods of theft

    Relay. Boosting a key signal to trick the car into thinking the key is next to it.

    Coding a new key. Key is coded, and I have read posts about cars being in for a valet or service/repair etc. and then, coincidentally, getting stolen not long later.

    Emergency start hack. OBD is targeted to create an emergency start.

    As an absolute minimum, owners should invest in at least an S5 tracker; one with a no tag, no start immobiliser is better. Some also now offer to block the OBD.

    Can highly recommend this (I’ve no affiliation with website or Meta)

    https://www.trackershop-uk.com/metatrak-s5-deadlock-pro.html
All times are GMT + 1 Hour.
DISCO5.CO.UK is independent and not affiliated to Jaguar Land Rover.