
Friday, April 14, 2023

Thieves Discovered Using Hacking Tool Disguised As A JBL Portable Speaker To Steal Cars


A new form of car theft has been discovered by UK-based automotive cybersecurity researcher Ian Tabor, which allows thieves to break into keyless vehicles using a special hacking tool to spoof the security system. One particular version of this device, he noted, could appear as a seemingly harmless portable speaker from JBL.

Tabor's research into the matter was prompted by his own experience of losing his Toyota RAV4 last year. The first few theft attempts were even documented by the researcher on Twitter, where he assumed that they were merely acts of senseless vandalism on his car. More specifically, Tabor tweeted that vandals had torn off its front left-side bumper and partially dismantled the headlight not once but twice in three months.


The third time, unfortunately, was the charm for the thieves, as the RAV4 went missing a few days after the second attempt. This incident prompted Tabor to investigate how his car was stolen, together with fellow automotive security expert Dr. Ken Tindell. Their findings have been published as a detailed report via the latter’s Canis Automotive Labs blog on GitHub.

Their research found that the thieves are using a new and sophisticated approach called CAN (Controller Area Network) injection, which exploits a newly found vulnerability in 2021 Toyota RAV4 vehicles tracked as CVE-2023-29389. The flaw is that the vehicle automatically trusts messages from other ECUs (electronic control units), allowing physically proximate attackers to drive a vehicle by accessing its CAN bus and then sending a forged key validation message. However, thieves are first required to pull away the bumper in order to expose the car’s headlight connector to access the ECU, hence the presumed vandalism attempts.


What’s even more concerning is that such methods, which have been documented on video, would reportedly take only two minutes to break into keyless vehicles. Upon further digging on YouTube, crime forums and even the dark web, Tabor discovered that thieves have been using CAN injection tools that are sold online as emergency start devices. These devices are originally intended for use by owners or automotive professionals when a car’s key fob is lost, stolen, or otherwise unavailable.

As mentioned earlier, one version of this hacking tool, which both security experts purchased for reverse engineering purposes, came in the form of a fake JBL portable speaker, a disguise that can easily fool any unsuspecting individual or authority if left uninspected. Our own research has found that other similar tools are also available as generic key fobs and, of all things, a certain retro handset. Of course, we won’t link our discoveries here for obvious reasons, and we do not condone the use of such equipment.


According to Tindell, pressing the play button on the fake JBL portable speaker will trigger it to send out a CAN message burst that instructs the targeted vehicle’s ECU to unlock its doors. Of course, with the car believing that the false key is valid, thieves are also given access to its Push Start function and are able to drive off.

While the attack was successfully replicated on a Toyota RAV4, it is still possible that something similar could occur on other vehicles using the same technology and architecture. Tabor and Tindell have alerted Toyota regarding the vulnerability, but have yet to receive any acknowledgement or response from the automaker.

Saturday, June 19, 2021

AMD “big.LITTLE” Processor Fabrication Patent For Ryzen 8000 Series Discovered


It appears that AMD may be shifting the paradigm of its chip-making process for future Ryzen CPUs for the next decade. The company reportedly filed a patent in the US, detailing its use of the big.LITTLE design, otherwise known as heterogeneous computing.

For the record, the big.LITTLE processor concept has been a mainstay in mobile devices for several years now. That said, the main reason for its existence is better power consumption and, as such, it isn’t widely applied to CPUs used in modern desktops.

In the case of AMD, the CPU and GPU maker’s patent, codenamed Strix Point, was filed back in 2019 and appears to be associated with its “Zen 5” based architecture. More importantly, the patent addresses a Zen 5 APU and features smaller cores, referred to as Zen4D in the filings.


Needless to say, the document is lengthy but apparently does not provide a detailed description of how AMD intends to execute the big.LITTLE CPU design in future Ryzen CPUs. To that end, we could see the CPU manifest itself in the form of AMD’s Ryzen 8000 series lineup, which is also expected to be based on an entirely new 3nm die lithography.

In any case, we’ll just have to wait and see what transpires over the next several years.
