Comment by londons_explore
6 hours ago
Seems doubtful that this security will be very strong. It won't be hard to spoof an official client.
6 hours ago
Seems doubtful that this security will be very strong. It won't be hard to spoof an official client.
If they’ve done it using Secure Enclave it’s essentially physically impossible to spoof.
The github OP reports that browser-based login still works, so it'll likely be circumventable.
Wouldn’t any Volkswagen keys need to cross the network to get into the Secure Enclave? Or couldn’t you exploit the Volkswagen app itself?
Keys in the Secure Enclave never leave the device (or the SE for that matter) and cannot be extracted even physically.
1 reply →
If the data is going through the air or a wire it can be sniffed, right? Is every message signed or encrypted like ssl/tls, or is this just some kind of extra header(s)?
Wrong.