TL;DR

A pirated dealer diagnostic tool plugs into your car’s OBD port (the same one your mechanic uses) and programs a brand-new key to factory spec in 90 seconds. The factory immobiliser approves it because it’s technically “factory” software. The car drives off legally registered to its new key. This bypasses every prior-generation immobiliser. The fix is a second authentication layer that lives on the CAN bus itself, not in the key.

If you’ve ever watched a mechanic plug a small handheld unit into a socket somewhere behind your steering column to read fault codes — you’ve seen the attack surface.

It’s called CAN-bus diagnostic theft, and it’s the fastest-growing modern-vehicle theft vector in SA. SAPS doesn’t break it out as a category yet because the after-the-fact diagnosis looks identical to “car was driven away with a key.” That’s exactly the problem: the car was driven away with a key. Just not yours.

What CAN bus is, in plain English

Every car built after about 2006 uses a Controller Area Network (CAN) bus — a pair of wires running through the chassis that lets every electronic module (engine, transmission, ABS, climate, dashboard, immobiliser) talk to each other in a common language.

The CAN bus is exposed to the outside world through the OBD-II port — that little 16-pin trapezoidal socket your mechanic plugs the scan tool into. The socket is mandated by emissions regulation. It must be reachable from the driver’s seat without tools. It’s usually under the steering column, behind a small plastic cover.

The original design intent: diagnostic access for technicians. The unintended side-effect: full read/write access to every module on the car, including the immobiliser.

The attack, 90 seconds

The attack uses a tool called a key programmer. The legitimate version costs R30,000+ and is sold by the tool brands to licensed dealers, locksmiths, and panel beaters. Pirated copies are available on the internet for under R8,000.

  1. T+0s. Thief breaks the side window with a centre punch (or has already gained access via an unlocked door, valet job, etc.). The window break takes 4 seconds.
  2. T+15s. Thief locates the OBD port under the steering column. Plugs in the key programmer.
  3. T+25s. Thief inserts a blank fob (or a re-flashable shell of the same model) into the programmer’s reader slot.
  4. T+30s. The programmer queries the car’s immobiliser via CAN bus. The immobiliser provides the security seed. The programmer responds with the correct authentication sequence (it’s a dealer tool — it knows the protocol).
  5. T+90s. The immobiliser registers the new fob as a paired key. From this moment forward, the car treats the new fob as factory-legitimate.
  6. T+95s. Thief presses the start button. Engine cranks. Car drives away. Window broken, OBD cover loose, nothing else damaged.

The whole thing takes less time than waiting at a Spar self-checkout.

Why the factory immobiliser doesn’t help

The factory immobiliser’s entire job is to verify the key. It can’t tell the difference between “a legitimate factory key” and “a key that was just programmed by a tool the manufacturer designed.” The tool is using the same protocol as the dealer.

The CAN-bus attack isn’t breaking the security. It’s using the security. The system is doing exactly what it was designed to do — just for someone you didn’t authorise.

The platforms most exposed

Three categories rank highest:

Older vehicles with a separate transponder chip in the key blade are partially protected because the transponder isn’t on the CAN bus: it has to be physically present at the immobiliser antenna in the steering column. Those vehicles are vulnerable to relay attacks instead.

Insider variations

The OBD port attack doesn’t need a broken window. Anywhere the car spends time without you is an opportunity:

None of these scenarios is addressed by relay-attack countermeasures (Faraday pouch, signal blocker). The fob is irrelevant: a new one is being made.

The four real countermeasures

1 · OBD lock (partial)

A physical metal lock that covers the OBD port. Adds 60–120 seconds of attack time. Doesn’t help in insider scenarios (the panel beater unlocks it for you). Defeated by a determined thief with a cordless angle grinder.

2 · Steering lock (deterrent only)

Visible yellow steering lock. Increases attack visibility. Doesn’t close the OBD vector at all — once the new key is paired, the car drives.

3 · Tracker (recovery only)

The car still leaves. Recovery odds with a fitted tracker are ~82%. The car typically comes back stripped or chopped.

4 · CAN-bus authentication layer (the only prevention)

A second immobiliser unit sitting on the CAN bus, downstream of the factory immobiliser. It requires its own authentication — not via the key, not via the OBD port — before it will let the engine controller crank.

This is what carGuardian does. Your private PIN is tapped on existing factory dashboard buttons. The button presses themselves travel as ordinary CAN frames (the same frames a working radio or climate-control button sends) — but the stored reference PIN never leaves the carGuardian unit, isn’t held inside the factory immobiliser, and isn’t exposed to any production dealer diagnostic tool.

The programmer can pair as many new fobs as it wants. The factory immobiliser will approve them all. The engine still refuses to crank because carGuardian hasn’t received your PIN.
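As an added illustration (not carGuardian’s code and not from the original page), here is a minimal Python model of the second layer described above: a gate that replays CAN frames, treats only dashboard-button frames as PIN input, stores just a salted hash of the PIN, and leaves the crank permit closed no matter what the factory immobiliser reports. The CAN IDs, button codes, frame layout, lockout count and PIN are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

ITER = 50_000           # PBKDF2 iterations for the stored PIN hash
BUTTON_ID = 0x2A0       # hypothetical ID of the dashboard-button frames
MAX_FAILURES = 3        # lock PIN entry after this many wrong PINs
ENTER = 0x0F            # constructed button code meaning "submit PIN"

@dataclass(frozen=True)
class CanFrame:
    arb_id: int   # 11-bit arbitration ID
    data: bytes   # up to 8 payload bytes (classic CAN)

def parse_frame(line: str) -> CanFrame:
    """Parse a candump-style line such as '2A0#04' (hex ID '#' hex data)."""
    id_part, data_part = line.strip().split("#", 1)
    return CanFrame(int(id_part, 16), bytes.fromhex(data_part))

class PinGate:
    """Second immobiliser: holds only a salted PIN hash and a crank permit."""
    def __init__(self, pin: str, salt: bytes):
        self._salt = salt
        self._ref = self._hash(pin)      # the PIN itself is never stored
        self._digits = []
        self._failures = 0
        self.crank_allowed = False

    def _hash(self, digits: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", digits.encode(), self._salt, ITER)

    def on_frame(self, frame: CanFrame) -> None:
        # Factory-immobiliser frames (e.g. "new key paired") are ignored on purpose.
        if frame.arb_id != BUTTON_ID or self._failures >= MAX_FAILURES:
            return
        code = frame.data[0]          # constructed layout: byte 0 = button code
        if code != ENTER:
            self._digits.append(str(code))   # 0x00..0x09 = digit pressed
            return
        if hmac.compare_digest(self._hash("".join(self._digits)), self._ref):
            self.crank_allowed = True
        else:
            self._failures += 1
        self._digits = []

def crank_permitted(lines, pin="4172", salt=b"constructed-salt") -> bool:
    """Replay constructed CAN log lines; True only if the PIN was entered."""
    gate = PinGate(pin, salt)
    for line in lines:
        gate.on_frame(parse_frame(line))
    return gate.crank_allowed
```

Frames with ID 0x3C1 in the checks below stand in for the factory immobiliser announcing a newly paired key; the gate stays closed until the correct digits arrive on the button ID.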

Why this matters more than relay attacks

Relay attacks need both: physical proximity to the key fob and physical proximity to the car. CAN-bus attacks only need physical access to the car — for as little as 90 seconds. That includes:

The threat surface is dramatically larger than the relay attack’s. The industry doesn’t talk about it because the fix can’t come from the manufacturer — the manufacturer built the diagnostic tool. The fix has to be a second layer the manufacturer doesn’t control.

The second layer

A PIN no diagnostic tool can read · no PIN, no engine

carGuardian sits on the CAN bus, downstream of your factory immobiliser. A pocketful of dealer tools won’t open it. R7,499 once-off fitted.
