How Much do we have to Worry about Key Cloning?

ipca204

Well-Known Member
Joined
Mar 18, 2024
Threads
19
Messages
814
Reaction score
1,197
Location
60543
Vehicles
2024 GT PE, 2023 VW ID.4, 2025 Equinox EV
Occupation
retired
Former network security guy here. I’m not worried about key cloning… any remotely (pun intended) modern implementation will use asymmetric encryption with a nonce, which will effectively prevent replay attacks. A more realistic attack vector is getting your password phished and having someone remotely start your car via the API. Set up MFA, and don’t reuse passwords and you should be fine.
TRANSLATOR! TRANSLATOR! Can we get someone who speaks GEEK over here!

Maquis

Well-Known Member
First Name
Dave
Joined
Dec 21, 2020
Threads
34
Messages
5,687
Reaction score
8,068
Location
Illinois
Vehicles
2021 Mach E4X, 2023 Lightning Lariat ER
A more realistic attack vector is getting your password phished and having someone remotely start your car via the API.
They could remote start and unlock it, but they still couldn’t drive it away.
 

ChasingCoral

Well-Known Member
First Name
Mark
Joined
Feb 3, 2020
Threads
502
Messages
14,306
Reaction score
28,653
Location
Maryland
Vehicles
2021 GB E4X FE, 2022 F-150 Lightning Lariat ER
Occupation
Retired oceanographer
You should be more worried about pickpockets. Only sophisticated crooks own and understand cloning technology. They're not looking for cars worth less than $50K used.
 

david_quick

Well-Known Member
First Name
David
Joined
Sep 10, 2023
Threads
54
Messages
642
Reaction score
487
Location
Bremerton WA
Vehicles
2023 Mach E GT
Occupation
Retired
TRANSLATOR! TRANSLATOR! Can we get someone who speaks GEEK over here!
I’m game.
Modern car key systems don’t just send a static signal you can copy—they use a secure “challenge and response” process built on asymmetric encryption (a pair of related keys).

Think of it like this: your key or phone has a private key (a secret it never shares), and the car has the matching public key (which can verify things but can’t recreate your secret).

Each time you try to unlock or start the car, the car generates a random one-time number (a “challenge”). Your key uses its private key to “sign” that challenge—basically creating a unique response that proves it holds the secret key, without revealing it. The car then uses the public key to verify that signature.

If it checks out, access is granted.

Because the challenge is different every time, even if someone records the signal, they can’t reuse it later—old responses won’t work. And because the private key never leaves your device, an attacker can’t derive it from what they see. That’s why replay attacks and simple key cloning are largely ineffective against modern implementations.
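
The challenge-and-response exchange described in the post above, as an added example that is not part of the original thread or any manufacturer's code: the car issues a one-time challenge, the fob signs it, and a recorded response fails when replayed against a later challenge. Ed25519 as the signature scheme and the names `Car`, `Fob`, `Pair`, `Challenge`, `Respond` and `Unlock` are assumptions made for illustration.

```go
// Added illustration: Ed25519 and all type/function names are assumptions, not any vehicle's real protocol.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Car stores only the fob's public key and the one challenge it is waiting on.
type Car struct {
	fobPub  ed25519.PublicKey
	pending []byte // nil when no challenge is open
}
type Fob struct{ priv ed25519.PrivateKey } // the private key never leaves the fob

// Pair generates a key pair and enrolls the public half in the car.
func Pair() (*Car, *Fob) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Car{fobPub: pub}, &Fob{priv: priv}
}

// Challenge issues a fresh random one-time number, replacing any older one.
func (c *Car) Challenge() []byte {
	c.pending = make([]byte, 32)
	if _, err := rand.Read(c.pending); err != nil {
		panic(err)
	}
	return append([]byte(nil), c.pending...)
}

func (f *Fob) Respond(ch []byte) []byte { return ed25519.Sign(f.priv, ch) } // sign the challenge

// Unlock checks the signature over the open challenge, which is used up either way.
func (c *Car) Unlock(response []byte) bool {
	ch := c.pending
	c.pending = nil
	return ch != nil && ed25519.Verify(c.fobPub, ch, response)
}

func main() {
	car, fob := Pair()
	recorded := fob.Respond(car.Challenge()) // what an eavesdropper would capture
	fmt.Println("genuine response accepted:", car.Unlock(recorded))
	car.Challenge() // a later attempt gets a different challenge
	fmt.Println("replayed response accepted:", car.Unlock(recorded))
}
```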
 


JohnFoxeSheets

Well-Known Member
First Name
John
Joined
Jan 29, 2022
Threads
28
Messages
3,403
Reaction score
5,500
Location
San Francisco
Website
johnfoxesheets.com
Vehicles
2022 Iced Blue Silver Mach E GT
Occupation
Retired Engineer
ave

Member
Joined
Feb 21, 2024
Threads
2
Messages
22
Reaction score
12
Location
Finland
Vehicles
Mach-e GPTE '21
Generally we don't have to worry about it. Any modern entry system should be using "rolling codes", which means that both the sending and receiving systems follow a pre-defined pseudorandom sequence with a certain offset allowed, and you can't copy that by a simple replay attack of the static packets on the air interface.

Even better ones use PKI/PKC systems, which are for all practical purposes impossible to clone without access to per-vehicle secret keys.
 

dtkindler

Active Member
First Name
David
Joined
Jun 16, 2024
Threads
3
Messages
33
Reaction score
26
Location
Chicago
Vehicles
2023 Mach E Premium
Occupation
Photographer
Former network security guy here. I’m not worried about key cloning… any remotely (pun intended) modern implementation will use asymmetric encryption with a nonce, which will effectively prevent replay attacks. A more realistic attack vector is getting your password phished and having someone remotely start your car via the API. Set up MFA, and don’t reuse passwords and you should be fine.

Even the hackers who I frequently see on social media aren't that enthusiastic about it since rolling codes have increased the expense and difficulty of cloning fob transmissions.