Same Kill Chain, Different Target: Why Car Theft Belongs on CISOs’ Risk Register
TL;DR
Car theft is no longer just a physical crime – it’s an outright cyber attack, following the same kill chain, vulnerability classes, and frameworks CISOs already manage. As vehicles become part of the extended enterprise, digital car theft carries significant security, financial and regulatory impacts for OEMs and insurers. PlaxidityX vDome is an AI-powered software solution specifically designed to detect and prevent these types of attacks in real time, closing a critical gap in automotive cybersecurity.
If you heard about a network scenario in which a rogue hardware device is plugged into a trusted internal network, sniffs broadcast traffic on an unauthenticated protocol, and then injects forged messages to bypass authentication and take full control of an endpoint – you’d undoubtedly call it a cyber attack. You’d map it to your threat model, check it against MITRE ATT&CK, and escalate it to your incident response (PSIRT) team.
That’s exactly what happens when a vehicle is stolen using a so-called “CAN Invader.” The only differences are the physical layer – CAN bus instead of Ethernet – and the target – an automotive ECU instead of a server. The vulnerability classes, attack patterns, and kill chain are structurally identical to threats already on your risk register.
A kill chain very familiar to CISOs
Here’s what a CAN injection vehicle theft looks like when you strip away the automotive jargon and map it to the enterprise equivalents your team works with daily.
Step 1 – Physical access. The attacker splices into the vehicle’s CAN bus wiring, typically through the headlight connector or the OBD-II diagnostic port. In enterprise terms, this is a rogue device – a dropbox or LAN turtle – plugged into an Ethernet port in a server room or lobby. In both cases, unauthorized hardware is inserted into a trusted internal network.
Step 2 – Network reconnaissance. The device passively sniffs CAN traffic, reading all ECU message IDs, timing, and payloads. CAN is a broadcast protocol with no encryption – every node sees every message. The enterprise parallel is sniffing Ethernet traffic on a flat network with no 802.1X or NAC, mapping hosts, services and protocols.
Step 3 – Exploit execution. The device injects forged CAN frames that exploit implicit trust in the protocol – spoofing a “key validated” message to disable the immobilizer. This is a zero-day attack against the vehicle’s authentication logic. In the enterprise world, this is a rogue device launching a crafted exploit against an unpatched service to gain administrative access.
Step 4 – Impact. The vehicle is unlocked and started. In advanced variants, ECU firmware is modified, diagnostic keys are extracted, or a persistent backdoor is installed. The enterprise equivalents are data exfiltration, ransomware, or persistent access.
Same kill chain. Same vulnerability classes. The only difference is the target.
CAN injection maps to the frameworks you already use
This isn’t a stretch or an analogy. The attacks used to steal vehicles map directly to standard cybersecurity frameworks:
CWE (Common Weakness Enumeration):
- CWE-306 (Missing Authentication for Critical Function): the CAN ECU accepts any frame without sender verification.
- CWE-74 (Injection): crafted messages are interpreted as commands.
- CWE-290 (Authentication Bypass by Spoofing): impersonating a trusted node on the network.
- CWE-294 (Authentication Bypass by Capture-Replay): recorded legitimate traffic is replayed to bypass controls.
MITRE ATT&CK for ICS: T0830 (Adversary-in-the-Middle), T0856 (Spoof Reporting Message), T0814 (Denial of Service), T0890 (Exploitation for Privilege Escalation).
OWASP Top 10 (2021): A03 (Injection), A07 (Identification & Authentication Failures), A01 (Broken Access Control), A08 (Software & Data Integrity Failures).
Microsoft STRIDE: Spoofing (impersonating a trusted ECU identity), Tampering (injecting forged messages), Denial of Service (bus-off attacks to silence legitimate nodes), Elevation of Privilege (diagnostic session abuse).
These are not theoretical mappings. UNR 155 Annex 5 Part A, item 7 (7.1-7.4) specifically covers threats to internal vehicle networks, exploitation of diagnostic interfaces, and insufficient access control. ISO/SAE 21434 requires threat analysis and risk assessment using exactly these frameworks.
Why digital/keyless car theft is much more than a vehicle problem
If you’re a CISO at an automaker, fleet operator, mobility provider or insurer, keyless car theft is not someone else’s problem. It intersects with and impacts your domain in three significant ways.
It’s the same attack surface. As vehicles become software-defined and connected, they become part of your extended enterprise. The CAN bus is an operational technology network, and OT security is already on your plate. The same “rogue device on an unauthenticated network” attack pattern that you defend against in your manufacturing plants and facilities is being exploited in the vehicles you manufacture, insure or operate.
It creates regulatory exposure. UNR 155 and ISO/SAE 21434 require OEMs to implement cybersecurity management systems that cover the entire vehicle lifecycle, including threat monitoring and incident response for in-vehicle networks. If your organization is involved in vehicle cybersecurity, these attacks fall within your compliance scope.
It has a major financial impact. Theft-related insurance claims in Canada alone exceeded $900 million in 2025. In the US, insurers like State Farm, Progressive, and Allstate have refused to write policies for vehicle models with known security vulnerabilities. Munich Re’s Hartford Steam Boiler unit now offers dedicated commercial cyber insurance for auto, covering business interruption from vehicle cyberattacks. The insurance industry is already pricing this as a cyber risk. Your risk register should also reflect this reality.
Plain and Simple – Keyless Car Theft Is a Cyber Attack
Part of the reason digital car theft hasn’t been taken seriously as a cybersecurity issue is terminology. The media calls these devices “CAN Invaders” or “car theft gadgets” – catchy names that sound like physical tools rather than cyber weapons. Modern car theft isn’t just a physical break-in – it’s the exploitation of vulnerabilities to gain physical control. Here’s how to reframe these devices to reflect the fact that they are full-blown cyber attacks:
- “CAN Invader”, “Car theft gadget” → CAN Injection Tool
- “CAN bus hack” → CAN Injection
- “Emergency start device” → Engine Start Spoofing Tool
- “Key emulator” → Key Provisioning Spoofing Tool
When you use these terms, the threat immediately becomes recognizable to every security professional in the room – and the appropriate response can be taken within existing frameworks.
If you had to communicate the essence of this threat to your board or executive team, here’s a 30-second pitch:
“Criminals are plugging rogue hardware devices into vehicle networks and running exploit code against automotive endpoints – exactly the same attack pattern as a malicious device that connects to a corporate Ethernet network and runs a zero-day against an unpatched server. The vehicle’s internal network protocol lacks authentication, making every connected component vulnerable to injection and spoofing. This is not traditional car theft – it is a cyber attack exploiting known vulnerability classes (CWE-74 Injection, CWE-306 Missing Authentication) that map directly to OWASP Top 10 A03 and A07, and MITRE ATT&CK ICS techniques already in our threat model.”
What CISOs can do to stop cyber theft
The good news is that this attack pattern is detectable and preventable at the vehicle level. PlaxidityX vDome software detects CAN injection attacks and unauthorized key fob registration in real time, using attack signatures for known vectors with virtually zero false positives. Upon detection, it triggers immediate prevention actions – such as disabling the engine – to stop the theft before the vehicle ever moves.
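To make the detection side of Steps 2 and 3 concrete, here is an added example (not PlaxidityX or vDome code, and not a description of how vDome works): a small monitor that reads a candump-style log (the `(timestamp) iface ID#DATA` format written by can-utils) and applies two heuristics that work precisely because CAN has no sender authentication. It first learns, from a clean window, which arbitration IDs the bus carries and how often each periodic ID arrives; it then flags frames whose ID was never seen in the baseline, and frames of a known periodic ID that arrive far sooner than the learned period, which is the fingerprint of a second node transmitting that ID alongside the legitimate ECU. Every CAN ID, period and log line is constructed for the example.

```python
"""Timing-based CAN intrusion detection over a candump-style log.

Added example, not PlaxidityX or vDome code. CAN carries no sender
authentication, so a monitor must infer injection from what it can observe:
which arbitration IDs appear and how often. Two heuristics are implemented.
  1. unknown-id: an arbitration ID that never appeared in a clean baseline.
  2. cadence: a periodic ID arriving well before its learned period, i.e. a
     second node is transmitting that ID alongside the real ECU.
Every CAN ID, period and log line below is constructed for this example.
"""
import re
import statistics
from dataclasses import dataclass

# candump -l line format (can-utils): "(epoch.micro) iface HEXID#HEXDATA"
_LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


@dataclass(frozen=True)
class Frame:
    ts: float
    iface: str
    can_id: int
    data: bytes


@dataclass(frozen=True)
class Alert:
    ts: float
    can_id: int
    rule: str
    detail: str


def parse_line(line: str) -> Frame:
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump line: {line!r}")
    return Frame(float(m["ts"]), m["iface"], int(m["id"], 16), bytes.fromhex(m["data"]))


def load_log(lines):
    """Parse and time-order a log; the stable sort keeps same-timestamp order."""
    return sorted((parse_line(ln) for ln in lines), key=lambda f: f.ts)


def learn_baseline(frames):
    """Return (median inter-arrival period per ID seen 3+ times, set of all IDs seen)."""
    stamps = {}
    for f in frames:
        stamps.setdefault(f.can_id, []).append(f.ts)
    periods = {}
    for cid, ts in stamps.items():
        if len(ts) >= 3:
            periods[cid] = statistics.median([b - a for a, b in zip(ts, ts[1:])])
    return periods, set(stamps)


def detect(frames, periods, known_ids, tolerance=0.5):
    """Flag unknown IDs, and known periodic IDs arriving before tolerance * period."""
    alerts = []
    last_legit = {}  # per-ID timestamp of the last frame judged legitimate
    for f in frames:
        if f.can_id not in known_ids:
            alerts.append(Alert(f.ts, f.can_id, "unknown-id",
                                f"0x{f.can_id:03X} never seen in baseline"))
            continue
        period = periods.get(f.can_id)
        prev = last_legit.get(f.can_id)
        if period is not None and prev is not None and f.ts - prev < tolerance * period:
            alerts.append(Alert(f.ts, f.can_id, "cadence",
                                f"0x{f.can_id:03X} arrived {(f.ts - prev) * 1000:.1f} ms after the "
                                f"last legitimate frame (learned period {period * 1000:.1f} ms)"))
            # Do not advance last_legit: the next genuine frame is measured
            # against the previous genuine one, not against the injected frame.
            continue
        last_legit[f.can_id] = f.ts
    return alerts


T0 = 1700000000.0
# Constructed clean window: 0x1A0 every 100 ms and 0x2B0 every 50 ms, one sender each.
BASELINE_LOG = (
    [f"({T0 + i * 0.100:.6f}) can0 1A0#00000000000000{i % 2:02X}" for i in range(10)]
    + [f"({T0 + i * 0.050:.6f}) can0 2B0#0A" for i in range(20)]
)

# Constructed attack window: the real ECUs keep their cadence while a second
# node injects extra 0x1A0 frames and an ID (0x3C7) the bus has never carried.
ATTACK_LOG = [
    "(1700000005.000000) can0 1A0#0000000000000000",
    "(1700000005.000000) can0 2B0#0A",
    "(1700000005.050000) can0 2B0#0A",
    "(1700000005.100000) can0 1A0#0000000000000001",
    "(1700000005.100000) can0 2B0#0A",
    "(1700000005.130000) can0 1A0#0000000000000001",  # injected: 30 ms after the real frame
    "(1700000005.150000) can0 2B0#0A",
    "(1700000005.150000) can0 3C7#01",                # injected: ID absent from baseline
    "(1700000005.200000) can0 1A0#0000000000000000",
    "(1700000005.200000) can0 2B0#0A",
    "(1700000005.230000) can0 1A0#0000000000000001",  # injected
    "(1700000005.250000) can0 2B0#0A",
    "(1700000005.300000) can0 1A0#0000000000000001",
]


def run_example():
    periods, known = learn_baseline(load_log(BASELINE_LOG))
    return detect(load_log(ATTACK_LOG), periods, known)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.ts:.3f} [{a.rule}] {a.detail}")
```

On the constructed logs the clean window produces no alerts, and the attack window yields exactly three: two cadence alerts on 0x1A0 (the injected frames) and one unknown-id alert on 0x3C7. The cadence rule deliberately keeps measuring against the last legitimate frame, so a flood of injected frames produces one alert per injected frame rather than masking the legitimate cadence. A production monitor would add per-ID tolerance learned from jitter, DLC and payload-range checks, and a response hook of the kind the text describes; the two rules here are the minimum that the lack of CAN authentication forces a defender to rely on.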
For CISOs, the key takeaway is straightforward: if you wouldn’t leave an Ethernet network unauthenticated and unmonitored, the same logic applies to the CAN bus in the vehicles your organization builds, operates or insures. This isn’t a new threat category; it’s a known cyber attack pattern applied to a new target. The frameworks are already there. The threat is already mapped. All that’s needed is the in-vehicle security layer to close the gap.
Contact us to learn more about how vDome software prevents keyless car theft and other attacks, helping protect your organization from this new variation of cyber attacks.
Published: May 13th, 2026