Key Fob Cloning

Radio Frequency Key Fob Cloning

Overview of the Vulnerability

The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations.

Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can exploit the target system by creating a permanent clone of the key fob, giving permanent access to any vehicle of the same make/model.

Business Impact

This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle.

Steps to Reproduce

  1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}}

  2. Use the {{application}} on {{target}} to clone key fob by {{action}}

  3. Use the original key fob to roll the nonce, then unlock {{target}} using spoofed {{hardware}}

Proof of Concept (PoC)

The image(s) below demonstrates the RFH misconfiguration:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature. For a RF Hub misconfiguration vulnerabilities, please include detailed instructions that can be followed to easily demonstrate and reproduce the issue.

Attempt to completely stop the vehicle from functioning through the CAN system. If this is possible, provide a full Proof of Concept (PoC) here.

Recommendation(s)

There is no single technique to remediate automotive security misconfigurations. However, implementing the right combination of defensive measures can prevent and limit the impact. Some best practices include the following:

  • Develop and enforce secure configuration guidelines for the automotive system, incorporating guidelines for software, firmware, and network settings.

  • Ensure that the vehicle's firmware is regularly updated with security patches and fixes to address known vulnerabilities and misconfigurations.

  • Conduct regular security audits and assessments of the vehicle's configurations to identify and remediate any misconfigurations. Follow industry best practices and benchmarks for these.

PreviousData Leakage Pull Encryption MechanismNextRelay

Last updated