It seems car thieves have come up with a new way to steal your car – "headlight hacking" as dubbed by Dr. Ken Tindell of Canis Automotive Labs. This method relies on accessing a car's CAN bus system (the communication network between the ECUs in a car) through a vehicle's headlight module. Attackers use a tool disguised as a JBL Bluetooth speaker, sold on the dark web, and wired into the CAN bus to impersonate the vehicle's key fob. This vulnerability is not limited to any specific model or manufacturer, meaning this is an industry-wide concern.
To access the CAN bus, thieves start by removing bumpers and trim pieces away from a vehicle, giving them direct access to the CAN bus near the headlight connector. Once they find the correct wires, the theft device will do the work and unlock the vehicle's doors with a simple “play” button.
Unfortunately, there is no good defense against headlight hacking as of yet. However, Dr. Tindell suggests fixes. One would be to roll out a software update that recognizes the sort of activity on the CAN bus systems and thwarts the tool. Another fix would be to implement a "Zero Trust" approach to CAN bus systems, which would require all messages from one ECU to another to be encrypted and carry authentication codes, as well as for every vehicle to carry its own secret keys to prevent a universal key extractor from being created.
While there is no surefire way to prevent headlight hacking, you can try and park your car in places that don't allow easy and uninterrupted access to its headlights. If you ever notice tampering with the trim or body panels near/around your headlights, you should immediately contact the police.
See https://kentindell.github.io/2023/04/03/can-injection/ for technical details of the hack.