Deep Dive

What Is a CAN Bus Attack?

A CAN bus attack bypasses your car's security by speaking directly to its internal network. Instead of tricking the key fob system like a relay attack, this method plugs into the vehicle's wiring and sends commands that the car obeys without question. The result: doors unlock, the immobilizer disables, and the engine starts—all without a key.

The Short Answer

CAN bus injection attacks work by connecting a device to your vehicle's Controller Area Network—the internal communication system that links all electronic modules. By sending the right commands on this network, attackers can unlock doors, disable the immobilizer, and start the engine. The attack typically takes 2–3 minutes and requires physical access to an external wiring point, most commonly a headlight connector.

What Is the CAN Bus?

Before understanding the attack, you need to understand what it's targeting.

The Controller Area Network (CAN) is the communication backbone of modern vehicles. Developed by Bosch in 1986 and widely adopted since the early 2000s, it connects every electronic control unit (ECU) in your car: engine management, transmission, braking system, airbags, door locks, lighting, climate control, infotainment—everything.

When you press your key fob to unlock the door, a message travels over the CAN bus from the receiver module to the body control module: "Unlock doors." When you press the start button, messages flow between multiple modules: "Key authenticated," "Immobilizer check passed," "Enable fuel pump," "Engage starter." The CAN bus is how these systems coordinate.

The Design Trade-Off

The CAN bus was designed for reliability and speed in automotive environments—vibration, temperature extremes, electrical noise. It excels at this. What it wasn't designed for is security.

Messages on the CAN bus are broadcast to all connected modules. There's no authentication—any device connected to the network can send any message, and other modules will execute the command without verifying who sent it. This made sense in the 1980s when the assumption was that only factory-installed components would ever connect. That assumption no longer holds.

How CAN Bus Injection Works

The attack exploits the CAN bus's lack of message authentication. Here's the sequence:

1. Find an Access Point

The attacker needs physical access to the CAN bus. The most common entry point is the headlight wiring harness—smart LED headlights connect to the CAN bus for adaptive lighting features. Other access points include side mirror connectors, bumper sensors, or any external component with CAN connectivity.

2. Gain Physical Access

The thief removes or manipulates the external component to expose the wiring. For headlights, this often means popping the hood (if unlocked) or prying the headlight assembly—a process that takes 30–60 seconds for someone practiced.

3. Connect the Injection Device

A small device—often disguised as a JBL speaker, power bank, or diagnostic tool—is connected to the exposed CAN wires. These devices are purpose-built for specific vehicle makes and models, programmed with the correct message formats.

4. Send Unlock Command

The device broadcasts a message on the CAN bus: "Unlock all doors." The body control module receives this message and executes it—because it has no way to know the command didn't come from the legitimate key receiver.

5. Disable the Immobilizer

The device sends additional messages that mimic a successful key authentication: "Immobilizer check passed." The engine control unit receives this and prepares to allow engine start.

6. Start the Engine

With the immobilizer bypassed, the device sends "Start engine." The thief enters the vehicle (already unlocked), presses the start button or uses the injection device to complete the start sequence, and drives away.

The entire process takes 2–3 minutes. Unlike relay attacks, there's often minor physical evidence—a removed headlight, pry marks on trim—but the vehicle shows no signs of forced entry in the traditional sense. Security cameras typically show someone working calmly at the front of the car, then getting in and driving away.

The "Headlight Method"

CAN bus injection gained widespread attention when the "headlight method" became the dominant technique for stealing certain luxury vehicles, particularly Toyota Land Cruisers, Lexus LX models, and various BMW X-series SUVs.

Modern adaptive LED headlights connect to the CAN bus because they need to communicate with other vehicle systems. Features like automatic high-beam adjustment, cornering lights, and dynamic leveling require data from steering angle sensors, speed sensors, and other modules. This connectivity creates an externally-accessible entry point to the vehicle's internal network.

Why Headlights?

Headlights are attractive attack points for several reasons:

  • External access: Unlike the OBD port inside the cabin, headlights can be accessed without first getting into the vehicle.
  • Quick removal: Many headlight assemblies are designed for easy bulb replacement and can be removed or displaced in under a minute.
  • Direct CAN connection: Smart headlights often connect directly to the main CAN bus, not an isolated sub-network.
  • Hood access: On many vehicles, the hood release is accessible without unlocking the doors—either through the grille or because the hood isn't latched securely.

Not Just Headlights

While headlights are the most publicized access point, any external CAN-connected component is potentially vulnerable: side mirror heating/adjustment motors, parking sensors, bumper-mounted cameras, and even some grille-mounted radar sensors. As manufacturers secure one access point, attackers explore others.

Which Vehicles Are Vulnerable

CAN bus injection is theoretically possible on any vehicle with externally-accessible CAN bus connections. In practice, attacks target specific models where:

  • The CAN message format has been reverse-engineered
  • Injection devices are available (either commercial or shared in criminal networks)
  • The vehicle is valuable enough to justify the effort

Frequently Targeted Models

Documented CAN bus injection thefts have affected:

  • Toyota/Lexus: Land Cruiser, Lexus LX, Highlander, RAV4
  • BMW: X5, X6, X7, and various 3/5/7 Series models
  • Mercedes-Benz: GLE, GLS, G-Class
  • Land Rover: Range Rover, Range Rover Sport, Defender
  • Jeep: Grand Cherokee

This list is not exhaustive and evolves as new injection tools are developed. Luxury SUVs are disproportionately targeted because their high resale value—often for export—justifies the more technical attack method.

Manufacturer Responses

Some manufacturers have begun implementing countermeasures in newer models:

  • CAN bus gateways: Isolating critical security functions on a separate network segment that external components can't access directly.
  • Message authentication: Adding cryptographic verification to CAN messages so that unauthorized commands are rejected.
  • Intrusion detection: Monitoring CAN traffic for anomalous patterns that indicate an attack in progress.

These protections are appearing in some 2023+ model year vehicles, but implementation varies by manufacturer and model. Older vehicles lack these defenses entirely, and even new protections may have implementation weaknesses.
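As an added illustration of the "message authentication" countermeasure listed above (example code written for this page, not any manufacturer's implementation): a simulated receiving ECU acts on a frame only if its truncated HMAC verifies under a key shared with the legitimate sender and its freshness counter has advanced. The frame layout, the 0x2AA arbitration ID and both keys are constructed for the demo; it shows why a forged or replayed "immobilizer check passed" frame is dropped, while the unauthenticated behaviour described earlier accepts it.

```python
import hmac
import hashlib
from dataclasses import dataclass

TAG_LEN = 4  # truncated MAC bytes; leaves room in a classic 8-byte CAN payload

@dataclass
class CanFrame:
    can_id: int     # 11-bit arbitration ID
    command: bytes  # application bytes, e.g. b"\x01" for "check passed"
    counter: int    # freshness counter carried in the frame (assumed layout)
    tag: bytes      # truncated HMAC over id || counter || command (assumed)

def make_tag(key: bytes, can_id: int, counter: int, command: bytes) -> bytes:
    # Bind the tag to the ID and the counter so it cannot be moved to another ID or replayed.
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(2, "big") + command
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def build_frame(key: bytes, can_id: int, counter: int, command: bytes) -> CanFrame:
    return CanFrame(can_id, command, counter, make_tag(key, can_id, counter, command))

def legacy_accept(frame: CanFrame, accepted_ids: set) -> bool:
    # Today's behaviour described above: a known ID is executed, sender unverified.
    return frame.can_id in accepted_ids

class AuthenticatedEcu:
    """Executes a frame only if its tag verifies under the shared key and its counter advances."""
    def __init__(self, key: bytes, accepted_ids: set):
        self.key, self.accepted_ids, self.last_counter = key, accepted_ids, {}
    def accept(self, frame: CanFrame) -> bool:
        if frame.can_id not in self.accepted_ids:
            return False
        expected = make_tag(self.key, frame.can_id, frame.counter, frame.command)
        if not hmac.compare_digest(expected, frame.tag):
            return False  # forged: the sender does not hold the key
        if frame.counter <= self.last_counter.get(frame.can_id, -1):
            return False  # replayed: the counter did not advance
        self.last_counter[frame.can_id] = frame.counter
        return True

def demo() -> dict:
    immo_ok_id = 0x2AA  # constructed ID standing in for "immobilizer check passed"
    key = hashlib.sha256(b"constructed demo key").digest()
    genuine = build_frame(key, immo_ok_id, 1, b"\x01")
    forged = build_frame(b"attacker has no key", immo_ok_id, 2, b"\x01")
    ecu = AuthenticatedEcu(key, {immo_ok_id})
    return {"legacy_forged": legacy_accept(forged, {immo_ok_id}),
            "genuine": ecu.accept(genuine),
            "forged": ecu.accept(forged),
            "replayed": ecu.accept(genuine)}
```

A production scheme would also have to handle counter resynchronisation after power loss and the 4-byte tag's limited strength, which this demo leaves out.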

CAN Bus Injection vs. Relay Attacks

Both methods steal keyless vehicles, but they work differently and have different requirements:

Factor                    Relay Attack              CAN Bus Injection
Target                    Key fob signal            Internal vehicle network
Key proximity needed      Yes (within relay range)  No
Physical vehicle access   Not required initially    Required (external wiring)
Time to execute           30–60 seconds             2–3 minutes
Evidence left             None                      Minor (removed trim, headlight)
Faraday pouch stops it    Yes                       No
Equipment cost            $100–$500                 $2,000–$10,000+

The key distinction: relay attacks require proximity to your key fob, so Faraday storage defeats them. CAN bus injection doesn't involve your key at all—it directly commands the vehicle. Storing your key in a Faraday pouch does nothing against this method.

What Doesn't Stop CAN Bus Attacks

Faraday Pouches and Signal Blocking

CAN bus injection doesn't use your key fob's signal. The attack bypasses the key entirely by injecting commands directly into the vehicle's network. Blocking your key's signal has no effect.

Factory Immobilizers

The factory immobilizer checks are performed by modules connected to the CAN bus. When the injection device sends "immobilizer check passed," the engine control unit accepts this message as valid. The immobilizer is bypassed, not defeated—it's simply told that authentication already happened.

Factory Alarms

The alarm system also communicates over the CAN bus. Injection devices can send "disarm alarm" commands before unlocking doors, or the alarm module may interpret the network activity as a legitimate unlock sequence. In either case, the siren stays silent.

GPS Trackers (Alone)

A GPS tracker can report your vehicle's location after it's been stolen, but it does nothing to prevent the theft. Trackers aid recovery, not prevention, and professional thieves often use signal jammers or locate and disable trackers before driving far.

What Actually Prevents CAN Bus Attacks

Effective protection against CAN bus injection requires either blocking access to the network or adding authentication that the injection device can't replicate.

Block Physical Access

Since CAN bus injection requires connecting to the vehicle's wiring:

  • Hood locks: Aftermarket hood locks prevent the hood from being opened without a key or special tool, blocking access to headlight wiring harnesses that are reached from inside the engine bay.
  • Headlight protection: Some owners install tamper-resistant screws or security brackets that make headlight removal significantly slower and louder.
  • Garage parking: If the vehicle isn't accessible, the attack can't happen.

Physical barriers add time and difficulty. They're not impenetrable, but they may cause thieves to move to an easier target.

Add Secondary Authentication

The most effective countermeasure is adding an authentication layer that operates independently of the CAN bus commands:

  • Aftermarket digital immobilizers: These devices connect to the CAN bus but add a PIN requirement before allowing engine start. Even if an injection device sends "start engine," the immobilizer blocks ignition until the correct PIN is entered via factory buttons. The thief has no way to know or inject the PIN.

This approach works because the immobilizer introduces a check that can't be bypassed by CAN commands—it requires physical interaction with a sequence that only the owner knows.
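To make the "independent check" concrete, here is an added simulation of the PIN gate described above (example code for this page, not any product's firmware): engine start is permitted only when the factory immobilizer result AND an owner-entered button sequence both hold, with a lock-out after repeated wrong sequences. The button codes, PIN and attempt limit are constructed for the demo.

```python
from dataclasses import dataclass, field

@dataclass
class PinImmobilizer:
    """Aftermarket gate: start needs the factory check AND a PIN entered on existing buttons."""
    pin: tuple                 # button sequence chosen by the owner (constructed in demo)
    max_attempts: int = 3      # wrong sequences tolerated before lock-out (assumed policy)
    entered: list = field(default_factory=list)
    failed: int = 0
    pin_ok: bool = False
    locked_out: bool = False

    def button_press(self, code: str) -> None:
        # Button events come from physical presses in the cabin; a frame injected at the
        # headlight harness cannot supply them. Sequence is judged every len(pin) presses.
        if self.locked_out or self.pin_ok:
            return
        self.entered.append(code)
        if len(self.entered) < len(self.pin):
            return
        if tuple(self.entered) == self.pin:
            self.pin_ok = True
        else:
            self.failed += 1
            self.locked_out = self.failed >= self.max_attempts
        self.entered = []

    def engine_off(self) -> None:
        self.pin_ok = False  # PIN must be re-entered on the next start

    def start_allowed(self, factory_immobilizer_passed: bool) -> bool:
        # Both checks must hold: a forged "immobilizer check passed" on the bus alone is not enough.
        return factory_immobilizer_passed and self.pin_ok and not self.locked_out

def demo() -> dict:
    owner_pin = ("vol_up", "vol_up", "cruise")   # constructed sequence
    immo = PinImmobilizer(pin=owner_pin)
    injected_only = immo.start_allowed(True)      # bus says "passed", no PIN entered
    for code in owner_pin:
        immo.button_press(code)
    owner_start = immo.start_allowed(True)
    immo.engine_off()
    for _ in range(3):                            # three wrong sequences -> lock-out
        for code in ("vol_down", "vol_down", "cruise"):
            immo.button_press(code)
    for code in owner_pin:                        # correct PIN no longer accepted
        immo.button_press(code)
    return {"injected_only": injected_only, "owner": owner_start,
            "after_lockout": immo.start_allowed(True)}
```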

Combine Layers

The strongest protection combines physical access barriers with secondary authentication:

  • Hood lock (slows access to engine bay)
  • Digital immobilizer (requires PIN even if CAN bus is compromised)
  • GPS tracker (recovery backup if prevention fails)

No single measure is perfect. Hood locks can eventually be defeated. Digital immobilizers could theoretically be removed if a thief had unlimited time. Layered security makes each barrier harder to overcome within the time window a thief is willing to spend.

Signs of an Attempted CAN Bus Attack

Unlike relay attacks, CAN bus injection may leave physical evidence:

  • Displaced or missing headlight: A headlight that's crooked, has visible gaps, or is missing entirely.
  • Pry marks: Scratches or dents around the headlight housing, grille, or hood seams.
  • Dangling wires: Visible wiring or connectors that aren't properly seated.
  • Hood ajar: A hood that's not fully closed or latched.
  • Trim pieces removed: Interior or exterior trim panels that are loose or missing clips.

If you see these signs and your vehicle is still present, the attack may have been interrupted or unsuccessful. Have the vehicle inspected—an incomplete injection attempt may have left behind a connected device, or wiring may be damaged.

The Takeaway

CAN bus injection attacks exploit a fundamental design limitation: the vehicle's internal network trusts any connected device. By plugging into external wiring—most commonly through headlights—thieves can send commands that unlock doors, disable immobilizers, and start engines.

Unlike relay attacks, Faraday pouches don't help here because the key isn't involved. Effective protection requires either blocking physical access to CAN bus entry points or adding secondary authentication (like a PIN-based immobilizer) that can't be bypassed by network commands alone.

Part of: How Modern Cars Are Stolen