I made that assumption after watching a couple of videos. It would make no sense, nor would it be safe, if the car reacted adversely after authentication had occurred.
I may be able to do my own testing in a couple of days also
Yeah so that basically confirms what I was curious about, and you wouldn’t need to keep your implant on the reader at all times while you drive, just when starting it
Thanks! I’m waiting to get it, but I’ll run a TagInfo scan once it arrives! I suspect it can be removed from the reader after starting the car, considering the Digital Key allows that.
Finally got my card today and kicked off a scan. (Maybe?) good news, it’s Java Card 2.2! Does that mean it might be possible to do a similar Fidesmo app to the Tesla one? Or at the very least maybe is good news on the decapping front?
I haven’t tried pairing it yet (and might purchase a different one to actually pair to my vehicle, although I imagine the pairing process likely installs an app w/ a unique cryptographic key, so perhaps sharing this isn’t really exposing me to any vulnerabilities?).
It’s a Java card with mifare emulation running and it looks like nothing is going on with the mifare bit. Chances are it’s a Java card application happening.
That’s good news maybe.
Can you sniff comms between the card and car with a proxmark3?
Amal put me onto this and it’s piqued my interest. I will have a look at reverse engineering the app to see where we can get. If you’re Australian and are in Brisbane or will be in Melbourne in November, I can do a scan with my PM3.
Nothing you included in the Key Card details has, at least from my visibility, any details that would make your car vulnerable.
Edit 1: I’m creating a GitHub Gist with info found on the topic.
Edit 2:
Goddamn, it appears they may use the Mifare emulation, but I doubt it’s required as a lot of phones can’t read Crapto1
Edit 3:
I don’t think they use Mifare emulation - ideally I need an authentication sniff and a pairing sniff. I’m going to buy a keycard from the local Hyundai dealer tomorrow, and I’ve put the beacon out to see if I can find anyone local to me with one.
To do that, I’d need to have them show me the keycard functionality (not standard), plus let me put my kit in the middle. They won’t be impressed, I imagine.
I’m keeping an eye out for anyone I know with one, though.
I have a bmw keycard which I thought was mifare but after seeing this it is clear it is Java. I am in Brisbane if it is something you can use to work stuff out…
My programming abilities finished around the Commodore 64, so I doubt I am any help beyond passing you a drink…
Ooh, how this topic has blown up! I’ll respond to a few of these threads shortly!
I’m wondering if all of this might be more standardized across manufacturers than some people think! I was chatting to another person recently and ran across the “Car Connectivity Consortium”, of which Hyundai and BMW (among others) are all members. Their Digital Key 3.0 spec seems to describe some of the setup that we’re seeing, perhaps?
I’ve got a Proxmark3 RDV4.0, but most of my experience is w/ LF cards and such. More than happy to sniff comms/pairing/authorization, but I’d be a bit out of my depth. Any suggestions on the commands I should be running to grab what you need?
You can pair the NFC card in vehicle without the app. My experience is with the US models, it’s possible this varies by market.
Models with navigation use the vehicle settings section on the radio to enter pairing mode. Models without navigation use steering wheel controls to enter the pairing mode on the digital cluster. Once you’re in pairing mode you place the NFC card on the wireless charger to pair.
I have a 23 Hyundai Tucson and an NFC card. I ordered a Proxmark3 Easy, arriving on Tuesday. Happy to help out; it would be great to get this working.
I’d be a little worried about the viability of an implant. The NFC card needs to have contact with the door handle in order to read and unlock the car. I’m not sure if this is a limitation of the NFC antenna in the door or some limitation with the NFC card. When I scanned my card with my iPhone I needed to scan the card edge while making contact with the card.
If cloning this became possible, I’d be up to do an implant and see how it reads.
Edit for clarity: The NFC card cannot be read through a plastic card holder. It needs to be directly on the door handle.
Sounds like the cards are quite garbage. That’s surprising. If they truly did put the reader into the door handle itself, then it might not be well suited for reading large cards actually. They might actually be much better suited for reading transponders with smaller antennas that fit better within the magnetic field it generates. I’m super curious about this whole situation.
Actually come to think of it, they might have done this on purpose. If you have to make contact with the card then it should in theory protect against key card sniffing through wallets and back pockets.
Huh, so I finally got around to pairing the card with my car (Ioniq 5 Limited) and ran another full TagInfo scan. Running a compare in Notepad++ showed me no change (except for the scan date at the top).
It took almost no time to add, so I suspect it’s not installing anything, just registering existing info on the card. Is it possible they’re installing a Java Card app and/or private key on these from the factory instead of at pairing time? When I messed around with my Fidesmo card in the past, I recall it taking a while to install an app, and I think it changed its TagInfo behavior?