Key Fob Cloned - Car Broken Into

aromillo

Just filed a police report, at 3am my 2021 Taycan 4S was opened using a remote device and contents taken. The car was locked and you can see on the surveillance camera how they drive up, unlock the vehicle, and then step out. Also, they know not to close the door fully, so the car won't make any additional noises or light announcements when locking. According to police this is a known tactic and while the car reported the issue with 'emergency call function error' it did not fail to open the doors for a cloned fob. Just FYI...

PetroK

Is this in the US? How do you suspect they cloned the fob?
 

satchurator

Yikes! Aware of this general risk but hadn’t heard of it happening with a Taycan. I thought the clone/replay risk had been mitigated with cryptography in modern Porsches, both for keyless entry and explicit unlock. Anybody have definitive information on the extent of the security of Taycan fobs?
 

rx7arai

I'm sorry this happened. I guess the only for sure way to prevent this is to park their Taycan in a private garage. Unfortunately, not everyone can do that.
 


daveo4EV

satchurator said:
> Yikes! Aware of this general risk but hadn’t heard of it happening with a Taycan. I thought the clone/replay risk had been mitigated with cryptography in modern Porsches, both for keyless entry and explicit unlock. Anybody have definitive information on the extent of the security of Taycan fobs?

no - all of the existing remote FOB designs from the major automakers have this vulnerability - if you're using a wireless FOB it can be cloned - there are better designs that are more secure and less susceptible to cloning but those have yet to make it into the automotive supply chain…

until then this is a risk.
 

YWGT3

Thanks for sharing the distressing incident. Sorry that you're having to go through this.

I experienced a break-in with one of my vehicles a few weeks back. It was done the old-fashioned way by shattering the glass panel. It was suggested by my insurance agent and glass installer to keep garage openers, vehicle registration, and insurance information on me when leaving the car parked in public areas.

Did the police offer any suggestions with regards to measures that would help mitigate this type of occurrence from happening in the future? Furthermore, will your key fob and vehicle need to be re-coded since it's been compromised?
 

gnop1950

YWGT3 said:
> Thanks for sharing the distressing incident. Sorry that you're having to go through this.
>
> I experienced a break-in with one of my vehicles a few weeks back. It was done the old-fashioned way by shattering the glass panel. It was suggested by my insurance agent and glass installer to keep garage openers, vehicle registration, and insurance information on me when leaving the car parked in public areas.
>
> Did the police offer any suggestions with regards to measures that would help mitigate this type of occurrence from happening in the future? Furthermore, will your key fob and vehicle need to be re-coded since it's been compromised?

Faraday pouches/boxes are one mitigation method. I keep my fobs in a Faraday box at home and always have small Faraday keyfob pouches for my keys when I'm traveling. Whenever I get out of my car while traveling my key fob goes into a portable Faraday pouch.
 


satchurator

satchurator said:
> Yikes! Aware of this general risk but hadn’t heard of it happening with a Taycan. I thought the clone/replay risk had been mitigated with cryptography in modern Porsches, both for keyless entry and explicit unlock. Anybody have definitive information on the extent of the security of Taycan fobs?

Not suggesting @aromillo did not suffer a clone/replay attack, but this 2020 report from Thatcham found the Taycan to have mitigated the replay attack vulnerability.

@daveo4EV The clone and replay vulnerability can be mitigated by the same technique as OTP / one-time-passwords, popular as a multi-factor authentication solution for web and mobile apps. Essentially, the key fob is paired with the car by registering its cryptographic public key, and then the fob transmits a time based, cryptographically signed token that can be validated by the car. The fob cannot be cloned because the private key baked into the fob is never shared, ever. So a malicious alternate fob cannot generate the time based signed tokens that will pass validation by the car.

However, if a motivated attacker has the right equipment (software defined radio, two directional antennas), and proximity to the true key and physical access to the car, it is possible to record in real-time and ‘amplify’ the live signal of the true key, a bit like how WiFi range extenders work, and also the Taycan’s LTE signal booster.

IF the owner has comfort access / keyless unlock enabled, this is known as a relay attack and is quite hard to mitigate other than limiting fob transmission range and faraday pouches. The best practical defense is to disable keyless entry if your car is parked somewhere where the bad guys can gain physical access.
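
Added example (not part of the thread, and not Porsche's actual protocol): a car-side check for the time-based signed token described in the post above, showing that a fob without the paired key and a recorded token are both rejected while a token relayed live still validates. HMAC with a shared secret stands in for the public-key signature the post describes; the 30-second window, token layout and all names are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_S = 30  # assumed validity window for a token, in seconds

def fob_token(key: bytes, now: float) -> bytes:
    """Fob side: 8-byte timestamp followed by a 32-byte tag over it."""
    ts = struct.pack(">Q", int(now))
    return ts + hmac.new(key, ts, hashlib.sha256).digest()

class Car:
    def __init__(self, key: bytes):
        self.key = key
        self.last_ts = -1  # newest timestamp already accepted

    def verify(self, token: bytes, now: float) -> str:
        if len(token) != 40:
            return "reject: malformed"
        ts_raw, tag = token[:8], token[8:]
        expected = hmac.new(self.key, ts_raw, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad signature"   # fob without the paired key
        ts = struct.unpack(">Q", ts_raw)[0]
        if abs(now - ts) > WINDOW_S:
            return "reject: stale"           # recording played back later
        if ts <= self.last_ts:
            return "reject: already used"    # playback inside the window
        self.last_ts = ts
        return "unlock"

def demo() -> dict:
    key = b"constructed-pairing-secret"      # constructed sample value
    car = Car(key)
    genuine = fob_token(key, 1000)
    return {
        "clone": car.verify(fob_token(b"some-other-key", 1000), 1000),
        "owner": car.verify(genuine, 1000),
        "replay_5s": car.verify(genuine, 1005),
        "replay_1h": car.verify(genuine, 4600),
        # Live token forwarded with 0.2 s extra latency: key and freshness
        # both check out, and nothing here measures where the fob is.
        "relayed_live": car.verify(fob_token(key, 5000), 5000.2),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13} {result}")
```

The verifier authenticates the key and the freshness of the token but not the fob's proximity, which is why the thread's mitigations for the relay case are physical ones: a Faraday pouch or disabling keyless entry.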
 

aromillo

PetroK said:
> Is this in the US? How do you suspect they cloned the fob?

Yes Miami, Florida. I saw them drive up, access the vehicle without getting out of it to make sure it worked and unlocked the car.
 

legataycan

satchurator said:
> Not suggesting @aromillo did not suffer a clone/replay attack, but this 2020 report from Thatcham found the Taycan to have mitigated the replay attack vulnerability.
>
> @daveo4EV The clone and replay vulnerability can be mitigated by the same technique as OTP / one-time-passwords, popular as a multi-factor authentication solution for web and mobile apps. Essentially, the key fob is paired with the car by registering its public key, and then the fob transmits a hashed, time based signed token that can be validated by the car. The fob cannot be cloned because the private key baked into the fob is never shared, ever. So a malicious alternate fob cannot generate the time based signed tokens that will pass validation by the car.
>
> However, if a motivated attacker has the right equipment (software defined radio, two directional antennas), and proximity to the true key and physical access to the car, it is possible to record in real-time and ‘amplify’ the live signal of the true key, a bit like how WiFi range extenders work, and also the Taycan’s LTE signal booster.
>
> IF the owner has comfort access / keyless unlock enabled, this is known as a relay attack and is quite hard to mitigate other than limiting fob transmission range and faraday pouches. The best practical defense is to disable keyless entry if your car is parked somewhere where the bad guys can gain physical access.

This is really useful information. It was my prior understanding that only vehicles with comfort access were susceptible to this kind of attack, I now feel a little less secure!

So how would the "amplification" method work? Surely there isn't a signal being sent by the key unless the owner is actually pressing "unlock"? And if the thief manages to capture this signal it's still no good later on as the time based tokens would not be correct?

Or does the amplification method only work for comfort access?
 

legataycan

aromillo said:
> Yes Miami, Florida. I saw them drive up, access the vehicle without getting out of it to make sure it worked and unlocked the car.

Does your Taycan have comfort access?
 

daveo4EV

aromillo said:
> Yes Miami, Florida. I saw them drive up, access the vehicle without getting out of it to make sure it worked and unlocked the car.

sounds like a relay/range extending attack as noted in previous postings - not a clone

keeping FOB in a faraday pouch/box may have prevented this.

but FOB security really isn't that great - motivated attackers will find a way.
 

aromillo

satchurator said:
> Not suggesting @aromillo did not suffer a clone/replay attack, but this 2020 report from Thatcham found the Taycan to have mitigated the replay attack vulnerability.
>
> @daveo4EV The clone and replay vulnerability can be mitigated by the same technique as OTP / one-time-passwords, popular as a multi-factor authentication solution for web and mobile apps. Essentially, the key fob is paired with the car by registering its cryptographic public key, and then the fob transmits a time based, cryptographically signed token that can be validated by the car. The fob cannot be cloned because the private key baked into the fob is never shared, ever. So a malicious alternate fob cannot generate the time based signed tokens that will pass validation by the car.
>
> However, if a motivated attacker has the right equipment (software defined radio, two directional antennas), and proximity to the true key and physical access to the car, it is possible to record in real-time and ‘amplify’ the live signal of the true key, a bit like how WiFi range extenders work, and also the Taycan’s LTE signal booster.
>
> IF the owner has comfort access / keyless unlock enabled, this is known as a relay attack and is quite hard to mitigate other than limiting fob transmission range and faraday pouches. The best practical defense is to disable keyless entry if your car is parked somewhere where the bad guys can gain physical access.

Thank you for the detailed answer. The police were not surprised and even shared that they have one fob per type of vehicle and a real-time scanner. Scary, since I have just a "few" other toys, and they told me to ensure all fobs are kept in a secure box since they constantly "ping".
 

aromillo

daveo4EV said:
> sounds like a relay/range extending attack as noted in previous postings - not a clone
>
> keeping FOB in a faraday pouch/box may have prevented this.
>
> but FOB security really isn't that great - motivated attackers will find a way.

Thank you, again just an FYI for my fellow Taycanians. I just ordered my GTS so excited about leaving this unfortunate event behind. Safe driving/flying all!