Attempted Theft of my RX450h 2020

[Bluemarlin]

2 hours ago, GMB said:

Good idea, but it will be parked on its own after 20 minutes😕

Assuming they can get both Range Rovers to start   🙂

[08ISF]

23 hours ago, eightk said:

This explains how the headlight thefts are done, how simple it is, where to get the equipment to do it, and how simple it would be for manufacturers to fix it.

Mechanical deterrents that are clearly visible and/or fuel relay switches etc are the only solution. A Tracker is all very well, but by the point the tracker is of use the damage is done.

https://kentindell.github.io/2023/04/03/can-injection/

Very interesting article, not that I understood much of it. A software fix seems attractive but I can't help thinking that whatever software solution is found someone will find a way round it. Lexus' proposed solution of a protective plate over the wiring seems like a plan and we just have to wait for them to roll it out. Truth of the matter is that nicking these cars is very lucrative and organised crime has enormous resources so whatever Lexus or any other manufacturer do, they will find a way of circumventing it, even to the point of car jacking,  breaking in and getting the immobilizer codes off us, or  turning up with a low loader and taking the car on that. (I heard of a case where they turned up on Christmas Day with a low loader and stole a new Range Rover off a drive, even chatting to the neighbours while they did it).

The root of all this is that we don't seem to have a law enforcement/judiciary system that actually works and criminals are having a field day, secure in the knowledge that they won't be caught.

So for now the only thing we can do is go back to the old ways and try and make our cars unattractive by putting on visible deterrents such as steering locks etc.

Just my opinion.

[katabrontes]

Having seen a report that many new cars (RR, Ferrari etc) can be stolen by accessing the wiring via a headlight it seems clear that any modern car with a CANBUS system can be stolen this way.  
The only solution seems to me to need complete physical and electrical separation of the CANBUS alerts included for convenience ( blown bulbs, tyre pressures etc etc) from the security part controlling the immobiliser, alarms etc.  

This could be easily incorporated into new models but is probably too complicated and expensive to be practical as an upgrade or after market adaption.

[08ISF]

Just had an email from Lexus Customer Services advising that they have successfully tested the blanking plates they mentioned in their earlier reply to me and were in the process of obtaining some before  working out how to roll out fitting them. So it seems they are on the case!

Watch this space.

 

[Rob62]

That sounds very promising Graham.

For them to move so fast on something means that the issue is a lot worse than we think. I will be first in line to get this fitted.

[PDM]

34 minutes ago, Rob62 said:

That sounds very promising Graham.

For them to move so fast on something means that the issue is a lot worse than we think. I will be first in line to get this fitted.

Hi Rob,

Unfortunately they should have know about this issue since 2021 (there are CAN invader reports from late 21 in Japan), so it's not been done rapidly I'm afraid.

https://japantoday.com/category/crime/japanese-police-struggling-with-growing-number-of-'can-invaders'-used-to-steal-luxury-cars

The best we can say is that perhaps it has been rapid since the bad press started increasing... With a lot of recent discussions on this forum of course.

At least they do seem now to be dealing with it. Not sure what other manufacturers are doing.

Cheers,

Paul

[eightk]

Good that they're on it and coming up with solutions,  a damn sight better than JLR for instance. The article I linked to is heavy going but it does propose a software solution which from my idiot's point of view looks like it'd be easy to implement.

Simple electrical switches preventing the gearselector operating, stopping the starter motor turning or isolating the fuel pump are easy, cheap, and unless you know they're there they work well enough to confuddle even the most determined pondlife. Go read your fusebox covers!

[Spock66]

2 hours ago, PDM said:

Unfortunately they should have know about this issue since 2021 (there are CAN invader reports from late 21 in Japan), so it's not been done rapidly I'm afraid.

Actually should have been known right from the outset of when the vehicle was first designed, CAN bus has been around for many years and even on the Wikipedia page it mentions the vulnerability to hacking.

The vehicle security subsystems should have been designed using an alternate solution.

But good news that Lexus does appear to be doing something about it.

[Glyn Jennings]

With all these RX’s and this week a GS-F stolen I have arranged for a Pandora Storm Canbus immobilizer to be fitted on my RX450h. I shouldn’t need to but it is better that than trying to find a replacement and arguing with the insurance company on my cars worth.

[ColinBarber]

On 4/10/2023 at 5:06 PM, katabrontes said:

Having seen a report that many new cars (RR, Ferrari etc) can be stolen by accessing the wiring via a headlight it seems clear that any modern car with a CANBUS system can be stolen this way.  
The only solution seems to me to need complete physical and electrical separation of the CANBUS alerts included for convenience ( blown bulbs, tyre pressures etc etc) from the security part controlling the immobiliser, alarms etc.  

This could be easily incorporated into new models but is probably too complicated and expensive to be practical as an upgrade or after market adaption.

It is just poor implementation, not an issue with CAN bus itself. Most Lexus vehicles have multiple CAN buses. The ones that are easily accessible from the exterior of the vehicle should be properly firewalled to stop access to higher security zones.

[northpolar]

Well I have come a bit late to this thread.  Earlier this week my 2016 RX450h was stolen overnight.  It was parked in the street.  It had a steering wheel lock fitted albeit I suspect they are as much a deterrent to these thieves as candy floss.  I live in Highbury north London.  When reporting the theft to the Met Police, I mentioned that a "People Friendly Streets' traffic enforcement camera was recently installed no more than 15 metres from my car.  Their response was that local authorities charge too much money therefore the police will not request access to the cctv records and I might ask some neighbours if they have a Nest type camera fitted to their front doors.  You could not make it up.  I guess this marks the end of my Lexus experience - the car itself was incredibly well put together and was the longest period of ownership I've experienced.  From this thread looks like RX, NX (I don't like them) RAV 4 and JLR products are out.  Does the LC500 suffer from a similar vulnerability?

Having read this thread, in Captain Hindsight mode, i would definitely recommend the fitting of any device which someone can demonstrate provides a robust defence.  Problem is how does one establish this?  Years ago I had a Porsche fitted with a tracker/ annual subscription.  To my knowledge there was no way of testing it and the provider offered nothing.  One day I came home and found the car missing.  I found the car a few hundred yards away - the local authority/ utility company needed access to the space and moved the car.  The tracker service new nothing about it and I received no notification.  Maybe I was unlucky and perhaps things have greatly improved over the years but the taste of snake oil back then was not a good one.

If a reliable defence mechanism can be sourced and fitted without invalidating Lexus warranty, I would definitely recommend paying for it rather than having to pick up the pieces I am now facing with insurance company, deciding on car replacement and impact on insurance premium (despite fully protected no claims discount, the premium is likely to rocket).  Take care all.

Peter

[Herbie]

I highly recommend one of these trackers https://www.rewiresecurity.co.uk/db2-self-install-diy-gps-tracker

£35 for the unit and £60/year for the SIM.

OK, there's no central monitoring so Plod won't automatically be alerted that someone's nicked your pride and joy, but there is real-time tracking on phone/computer/tablet so that you can ring Plod yourself and say it's currently doing x-speed down y-road and heading in the direction of z.

You can set up geofencing so that if the car goes out of a pre-determined zone (say 200m from your house) it will send an alert to your phone/computer/tablet. Alerts can also be set for movement, ignition on, and other parameters.

It really is a great little unit and can be placed anywhere in the car that you can get a 12V supply to.

[eightk]

A cat 5 or s5 insurance approved tracker can be fitted with the option of an immobilised circuit - no app or no fob present and it can’t be moved. Most insurers now require one if the car value is north of 60k.

Canbus theft is the next step from key signal theft and it affects loads of manufacturers not just lexus.

[08ISF]

1 hour ago, northpolar said:

Earlier this week my 2016 RX450h was stolen overnight.  It was parked in the street.  It had a steering wheel lock fitted

This is quite worrying. What sort of steering lock was it? I've fitted a Stoplock Pro in the possibly mistaken belief it might make the car less attractive. Looking at how my lock is constructed , it should take at least an angle grinder (and a lot of noise) to get it off.

[northpolar]

The lock was a Stoplock Pro Elite HG 150-00.  Probably not the best in the world and was bought more as a visual deterent as I think the professional thieves can get past these devices quite easily.

Peter

[PDM]

2 hours ago, 08ISF said:

This is quite worrying. What sort of steering lock was it? I've fitted a Stoplock Pro in the possibly mistaken belief it might make the car less attractive. Looking at how my lock is constructed , it should take at least an angle grinder (and a lot of noise) to get it off.

From what i just read it seems they cut the wheel itself and slide off the lock, rather than cutting the lock itself.  Or they drill the lock out. One of those disk type locks may be helpful preventing them cutting the steering wheel. I think I read that @Herbie uses one of those for that reason? (I may be misremembering).

Paul

[peniole]

Most are too easy to defeat:

 

[Herbie]

On 4/15/2023 at 3:32 PM, PDM said:

From what i just read it seems they cut the wheel itself and slide off the lock, rather than cutting the lock itself.  Or they drill the lock out. One of those disk type locks may be helpful preventing them cutting the steering wheel. I think I read that @Herbie uses one of those for that reason? (I may be misremembering).

Paul

You are indeed correct Paul, I do use a Stoplock Pro Elite because in various tests and reviews it took more than five minutes to defeat it.

https://www.autoexpress.co.uk/product-group-tests/95031/best-steering-wheel-locks-20212022

https://www.hagerty.co.uk/articles/maintenance-and-gear/reviewed-and-rated-steering-wheel-locks/

https://www.driving.co.uk/news/products/best-steering-wheel-lock/

https://thecarstuff.com/review-stoplock-professional-steering-wheel-lock/

https://smartsafehome.co.uk/stoplock-pro-elite-review-the-best-steering-wheel-lock/

[Slucky]

Hi,

Coming from the ES forum section as there was another member who's ES300h was stolen using the same CAN Bus method.
I see @eightk has already mentioned the link to the article of how the CAN bus injection method was done. 

It looks complicated, but the overall structure is quite simple compared with the large amounts of wires in the old days.

The Controller Area Network (CAN bus) is the nervous system, enabling communication.

The 'electronic control units' (ECUs) are like parts of the body, interconnected via the CAN bus. Information sensed by one part can be shared with another. The CAN bus system enables each ECU to communicate with all other ECUs - without complex dedicated wiring. An ECU can broadcast information (e.g. sensor data) via the CAN bus, consisting of two wires, CAN low (L) and CAN high (H). The broadcasted data is accepted by all other ECUs on the CAN network - and each ECU can then check the data and decide whether to receive or ignore it.

Looking at the device in the article. It seems the way these thefts are taking place is by accessing the CAN H wire and using a P-Channel FET device to send the signals necessary to confuse the system and gain access into the vehicle.

In software similar to SQL injection attacks, networking Denial of Service (overloading a network node by rapid requests) and this CAN bus attack has elements of both.

This issue has been noted to the The National Institute of Standards and Technology (NIST) in the US and this vulnerability is listed here. Toyota is aware of this but don't expect any quick solution as it requires a mass software updating of the the current and earlier models for a software fix, which would cost Toyota in the millions and not something they would want to undertake.

[Fatts]

Am sad to report that my beloved RX was nicked from my driveway last night. I can only suspect Canbus attack as we heard nothing, only woke up this morning to find the car missing. Matter now in the hands of my insurers who have been great thus far.

[Lmafudd]

Didn't your Lexus app show where it is? Or have they managed to beat that too?

[steve2006]

It’s absolutely diabolical that a known issue is basically being ignored by Lexus, it takes something for a car to appear in the top ten of stolen cars and I would expect more from a prestige manufacturer than an ostrich  with its head in the sand.

No doubt if this was the USA Lexus would be taking this seriously and have a modification already in place to avoid a class action suit resulting in RX450h vehicles being returned to the dealers forecourt for a full refund.

Being the UK it’s a case of put up and shut up even when that insurance renewal hits the carpet with double the premium!

 

[cdmaskell]

So sorry Banji that your Lexus has been stolen.  I totally agree with Steve about Lexus not coming up with a solution to this problem, which I have previously discussed on the ES forum.  I explained this situation to my ex pat technician working for Lexus dealership in the USA only yesterday.  They do not appear to have that problem there?  it takes me back to the Accord having a ferocious appetite for brake pads.  They were taken to court in the US and told to compensate all Accord owners costs. Bet it won’t happen here then.  Disgraceful.!
 

[Sumtingwong]

Oh this is heart wrenching, I'm so sorry for your loss. I had just spoken to Lexus dealership about test driving one of their approved vehicles. Keyless car entry fills me with dread for this very reason. It seems 2015 and earlier models have catalytic converters nice and accessible for thieves or 2015 and later models have keyless fobs. 

[KzA]

I think someone in an older thread said Lexus was working on a metal plate to guard the wheel arch area.