Lexus IS 300h not vulnerable to CANbus theft

[wharfhouse]

I asked on the Lexus mag forum about the vulnerability of the IS 300h to CANbus vulnerability through the headlights as it wasn't in the list of cars due for any retrofit, both for my current 2014 model (which shouldn't be vulnerable) and if I purchased a post face-lift 2017 model (which I thought might be) - this is the reply they posted:

Hello Phil,
Thanks for your question.
Your current IS 300h is not impacted as the technology that enables CAN bus theft isn’t in those vehicles.
While no car can be considered 100% immune to criminal intent, our Product Technical team have also advised that the IS 300h from October 2016 to September 2020 Production is not affected by CAN bus theft due to the platform of the vehicle.
We hope this helps.
Thanks.

[ColinBarber]

That’s correct. Whilst the facelift model has CAN bus controlled headlights, they are on a separate bus to the one the central locking system is connected to so you cannot directly inject a signal. 

[johnatg]

Does that apply to the pre-facelift GS300h, as I see that is also not on the list of cars for the security fix?

[ColinBarber]

2 hours ago, johnatg said:

Does that apply to the pre-facelift GS300h, as I see that is also not on the list of cars for the security fix?

Pre-facelift GS300h is unaffected.

[Mr_Groundhog]

On 3/17/2024 at 8:36 AM, ColinBarber said:

That’s correct. Whilst the facelift model has CAN bus controlled headlights, they are on a separate bus to the one the central locking system is connected to so you cannot directly inject a signal. 

What a relief! thanks to the OP for clarifying! 💙

It's a shame that this is all it would have taken the designers/engineers to avoid such a wave of thefts and disappointments (and insurane hikes!) for so many people
Next time someone at work tells you "design is ancillary/secondary" think of this...  (yes im a designer myself)

[matt8]

On 3/20/2024 at 10:56 AM, Mr_Groundhog said:

What a relief! thanks to the OP for clarifying! 💙

It's a shame that this is all it would have taken the designers/engineers to avoid such a wave of thefts and disappointments (and insurane hikes!) for so many people
Next time someone at work tells you "design is ancillary/secondary" think of this...  (yes im a designer myself)

More than separate buses, the simple thing to do would have been to apply encryption to the bus. 

Maybe posted elsewhere in the thread but an interesting read: https://kentindell.github.io/2023/04/03/can-injection/

[Cotswold Pete]

13 hours ago, matt8 said:

Maybe posted elsewhere in the thread but an interesting read: https://kentindell.github.io/2023/04/03/can-injection/

Interesting article with lots of tech depth and CANbus history.

I deal with Zero Trust systems in the world of computing, using a system invented by the CIA 16 years ago, and Zero Trust is a bit of a b*gger to do easily. 

I suspect will be a while before we see car manufacturers do what the kentindell link says.  Even doing Zero Trust in the PC world you need to deal with what is called a 'Living Off The Land' attack, which tells me even if the car tech is upgraded the hackers will eventually suss it out with a LOL attack.

Don't forget crims are not nice people with nothing better to do than work out how to nick things that are not theirs, by using tools developed by (usually) highly autistic geeks.