Macan stolen!

All Porsche Macan Related Discussion
Post Reply
muzziman
Posts: 24
Joined: Thu Aug 03, 2023 11:08 pm

Post by muzziman »

Sorry to hear this. Hope insurance pays out quickly.

Do you have any idea how long it took them? How do you know it was 3am?

I wish we could get an idea of how they’re stealing them. Hard to protect against it without knowing what they’re doing.

Jams

User avatar
Col Lamb
Posts: 9635
Joined: Fri Oct 30, 2015 8:38 pm
Location: Lancashire

Post by Col Lamb »

muzziman wrote: Tue Jul 09, 2024 12:29 am Sorry to hear this. Hope insurance pays out quickly.

Do you have any idea how long it took them? How do you know it was 3am?

I wish we could get an idea of how they’re stealing them. Hard to protect against it without knowing what they’re doing.

Jams
Easy.

1) Keyless entry signal sampled and a key cloned

Or

2) Non keyless unlock code sampled and a key cloned

Or

3) Lockpick used to gain entry, then a connection made via OBD port to override security and start the car

Then

4) Once the car is started it can be driven off around the corner and the Tracker disabled.

I am an Engineer and if I was to take up the life of car crime in these my latter years the first buy would be a battery powered angle grinder.

Then I would find a suitable Macan and using the angle grinder I would remove the drivers door handle and be away with it, estimated time 30>60 seconds.

I would buy a lock picking set as per the image or similar and practice on the acquired lock until I was proficient at unlocking and locking it.

Next up is the decoding device to plug into the OBD port,

Watch the How To videos to learn the intricacies of using it.

Practice on all available cars.

One is then good to go.

But, just what I am going to do with Tracky’s GT4 once I nick it is another matter.

IMG_5349.jpeg

Col
Macan Turbo
Air, 20” wheels, ACC, Pano, SurCam, 14w, LEDs, PS+, Int Light Pack, Heated seats and Steering, spare wheel, SC, Privacy glass, PDK gear, SD mirrors, Met Black, rear airbags
Monaco2323
Posts: 222
Joined: Sat Apr 01, 2023 12:30 am

Post by Monaco2323 »

:mrgreen:
Tracky will now bollard his place
Col Lamb wrote: Tue Jul 09, 2024 11:31 am
muzziman wrote: Tue Jul 09, 2024 12:29 am Sorry to hear this. Hope insurance pays out quickly.

Do you have any idea how long it took them? How do you know it was 3am?

I wish we could get an idea of how they’re stealing them. Hard to protect against it without knowing what they’re doing.

Jams
Easy.

1) Keyless entry signal sampled and a key cloned

Or

2) Non keyless unlock code sampled and a key cloned

Or

3) Lockpick used to gain entry, then a connection made via OBD port to override security and start the car

Then

4) Once the car is started it can be driven off around the corner and the Tracker disabled.

I am an Engineer and if I was to take up the life of car crime in these my latter years the first buy would be a battery powered angle grinder.

Then I would find a suitable Macan and using the angle grinder I would remove the drivers door handle and be away with it, estimated time 30>60 seconds.

I would buy a lock picking set as per the image or similar and practice on the acquired lock until I was proficient at unlocking and locking it.

Next up is the decoding device to plug into the OBD port,

Watch the How To videos to learn the intricacies of using it.

Practice on all available cars.

One is then good to go.

But, just what I am going to do with Tracky’s GT4 once I nick it is another matter.

IMG_5349.jpeg
-----------------------------
On order : 992 Carrera S
Current : 2024 Macan

Ex cars:
2018 White Audi A5 45 TSFI Quattro Coupe
2015 Scuba Blue Audi TT
2016 Silver Chrysler 300 SRT
muzziman
Posts: 24
Joined: Thu Aug 03, 2023 11:08 pm

Post by muzziman »

Col Lamb wrote: Tue Jul 09, 2024 11:31 am
Easy.

1) Keyless entry signal sampled and a key cloned
Yeah, this is an attack vector, but only for a keyless entry car - and this wasn't keyless entry.
Col Lamb wrote: Tue Jul 09, 2024 11:31 am Or

2) Non keyless unlock code sampled and a key cloned
Shouldn't be possible. Modern keys don't just send codes passively which can be intercepted and replayed. They're processing systems in their own right. If I understand correctly, they send a message to the car, that then makes up a code and sends it back to the key. The key then digitally signs the code with something stored internally in the key that never leaves the key and transmits it back to the car. The car verifies the signed data using the digital "public" key stored in the car (which is paired with the key's internal one). That signed data would only be valid for a very short time.

Something capturing either the initial "request" wouldn't be able to successfully sign the code the car generates. Something capturing the unlock code wouldn't be able to use it after about a second (or if the car recevied it, it would be invalidated - it should only work once).
Col Lamb wrote: Tue Jul 09, 2024 11:31 am
Or

3) Lockpick used to gain entry, then a connection made via OBD port to override security and start the car
Yeah, this is my suspicion. Getting to the electronics somehow. Either a) picking the lock (though that should trigger the alarm), b) having someone on the inside (Porsche/Vodafone) who's able to unlock the car remotely or c) getting to the wiring (e.g. removing headlight, mirror, radar, cutting a panel). That should be possible to defend against using encryption/authentication on the car's network (CAN bus) but, as I understand it, that's not commonplace in car systems.
Col Lamb wrote: Tue Jul 09, 2024 11:31 am
Then

4) Once the car is started it can be driven off around the corner and the Tracker disabled.
The bit that doesn't match here is that Vodafone said there were no events triggered, such as alarm, leaving geo fence etc. It's as though they're blocking the signal temporarily while gaining entry, then disabling the comms.
Col Lamb wrote: Tue Jul 09, 2024 11:31 am I am an Engineer and if I was to take up the life of car crime in these my latter years the first buy would be a battery powered angle grinder.

Then I would find a suitable Macan and using the angle grinder I would remove the drivers door handle and be away with it, estimated time 30>60 seconds.
To defend against that, the ECU should(*) only trust the specific immobilizer it's paired with, which should only trust the keys its registered with. Gaining physical access wouldn't be able to start the car. Each device would also need to trust official Porsche devices to allow an OPC to swap out failed devices, but doing so should require a one-time authorization code from Porsche's central systems which logs who's requesting the change (i.e. the logged-in Porsche employee). Then if the car was stolen, Porsche would have definitive log of any devices that have been made to trust another, together with who authorized it.

(* I say "should" - this isn't currently the way it works, but it's how I think it should be)
User avatar
Col Lamb
Posts: 9635
Joined: Fri Oct 30, 2015 8:38 pm
Location: Lancashire

Post by Col Lamb »

muzziman wrote: Tue Jul 09, 2024 1:22 pm
Col Lamb wrote: Tue Jul 09, 2024 11:31 am
Easy.

1) Keyless entry signal sampled and a key cloned
Yeah, this is an attack vector, but only for a keyless entry car - and this wasn't keyless entry.
Col Lamb wrote: Tue Jul 09, 2024 11:31 am Or

2) Non keyless unlock code sampled and a key cloned
Shouldn't be possible. Modern keys don't just send codes passively which can be intercepted and replayed. They're processing systems in their own right. If I understand correctly, they send a message to the car, that then makes up a code and sends it back to the key. The key then digitally signs the code with something stored internally in the key that never leaves the key and transmits it back to the car. The car verifies the signed data using the digital "public" key stored in the car (which is paired with the key's internal one). That signed data would only be valid for a very short time.

Something capturing either the initial "request" wouldn't be able to successfully sign the code the car generates. Something capturing the unlock code wouldn't be able to use it after about a second (or if the car recevied it, it would be invalidated - it should only work once).
Col Lamb wrote: Tue Jul 09, 2024 11:31 am
Or

3) Lockpick used to gain entry, then a connection made via OBD port to override security and start the car
Yeah, this is my suspicion. Getting to the electronics somehow. Either a) picking the lock (though that should trigger the alarm), b) having someone on the inside (Porsche/Vodafone) who's able to unlock the car remotely or c) getting to the wiring (e.g. removing headlight, mirror, radar, cutting a panel). That should be possible to defend against using encryption/authentication on the car's network (CAN bus) but, as I understand it, that's not commonplace in car systems.
Col Lamb wrote: Tue Jul 09, 2024 11:31 am
Then

4) Once the car is started it can be driven off around the corner and the Tracker disabled.
The bit that doesn't match here is that Vodafone said there were no events triggered, such as alarm, leaving geo fence etc. It's as though they're blocking the signal temporarily while gaining entry, then disabling the comms.
Col Lamb wrote: Tue Jul 09, 2024 11:31 am I am an Engineer and if I was to take up the life of car crime in these my latter years the first buy would be a battery powered angle grinder.

Then I would find a suitable Macan and using the angle grinder I would remove the drivers door handle and be away with it, estimated time 30>60 seconds.
To defend against that, the ECU should(*) only trust the specific immobilizer it's paired with, which should only trust the keys its registered with. Gaining physical access wouldn't be able to start the car. Each device would also need to trust official Porsche devices to allow an OPC to swap out failed devices, but doing so should require a one-time authorization code from Porsche's central systems which logs who's requesting the change (i.e. the logged-in Porsche employee). Then if the car was stolen, Porsche would have definitive log of any devices that have been made to trust another, together with who authorized it.

(* I say "should" - this isn't currently the way it works, but it's how I think it should be)
Do remember:-

Porsche Software programming is crap.

Bought in software programming will be subjected to complying with a specification written by the very same Porsche Software Programmers and then subjected to the company accepting the lowest tender.

If a thief does not have a original key then they have to be using a system to hack and defeat the car’s software security system to gain entry and start the car.

The thieves must know the location of the tracker system such that if they gain access to the car then as has been experienced by members here they disable the tracker outside the owners home before driving off.

There are only so many options to nick a car.
Col
Macan Turbo
Air, 20” wheels, ACC, Pano, SurCam, 14w, LEDs, PS+, Int Light Pack, Heated seats and Steering, spare wheel, SC, Privacy glass, PDK gear, SD mirrors, Met Black, rear airbags
Tracky
Posts: 4399
Joined: Fri Feb 22, 2019 10:26 pm

Post by Tracky »

Monaco2323 wrote: Tue Jul 09, 2024 11:50 am :mrgreen:
Tracky will now bollard his place

I’m quite safe - even though he can break in to it in 20 seconds it will take him another 10 minutes to lower himself in to the 918 carbon bucket seat before he can drive off!
On order

GT4 RS (track toy)

Current

992 S
Macan.2 S
928S4
Modified Lotus Exige V6
Seat Ibiza 1.0 (115ps) DSG Excellence Lux(dog’s!)
Jag Mk2 3.4

Ex

981 Boxster S
Monaco2323
Posts: 222
Joined: Sat Apr 01, 2023 12:30 am

Post by Monaco2323 »

Actual photo:
Tracky wrote: Tue Jul 09, 2024 5:47 pm
Monaco2323 wrote: Tue Jul 09, 2024 11:50 am :mrgreen:
Tracky will now bollard his place

I’m quite safe - even though he can break in to it in 20 seconds it will take him another 10 minutes to lower himself in to the 918 carbon bucket seat before he can drive off!

96E5F0D1-F634-4029-9B6D-7B25BE49B447.webp

-----------------------------
On order : 992 Carrera S
Current : 2024 Macan

Ex cars:
2018 White Audi A5 45 TSFI Quattro Coupe
2015 Scuba Blue Audi TT
2016 Silver Chrysler 300 SRT
muzziman
Posts: 24
Joined: Thu Aug 03, 2023 11:08 pm

Post by muzziman »

Tracky wrote: Tue Jul 09, 2024 5:47 pm
I’m quite safe - even though he can break in to it in 20 seconds it will take him another 10 minutes to lower himself in to the 918 carbon bucket seat before he can drive off!
Hah. Reminds of this delightful tale.

https://www.hagerty.com/media/advice/a- ... al-my-914/
Post Reply

  • Similar Topics
    Replies
    Views
    Last post