CVE-2023-29389

Name of the Vulnerable Software and Affected Versions Toyota RAV4 2021 vehicles

Description The issue allows physically proximate attackers to drive a vehicle by accessing the control CAN bus after pulling the bumper away and reaching the headlight connector, and then sending forged "Key is validated" messages via CAN Injection. This has been exploited in the wild, for example, in July 2022. The technique, known as CAN Injection, involves sending specially crafted messages to the vehicle's Electronic Control Unit (ECU) to simulate a valid key, allowing the attacker to unlock the doors and start the engine. Researchers have found that this method has been used in the wild for at least a year and has been used to steal various car models, including Toyota, by exploiting the trust between ECUs on the CAN bus.

Recommendations For Toyota RAV4 2021 vehicles, consider restricting access to the headlight connector and the control CAN bus to minimize the risk of exploitation. As a temporary workaround, vehicle owners may want to take extra precautions to secure their vehicles, such as keeping them in a safe location and using additional security measures like steering wheel locks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.