This is a report about a cyber security issue identified in the Joy ebike unlock feature.
Summary: The Joy ebike Wolf variant manufactured in 2022 can be locked or unlocked/driven via the ebike key fob. If the unlock/drive command is sniffed with a HackRF and replayed, the vehicle can be unlocked and driven.
Affected Product: Joy ebike Wolf, Manufacturing year 2022
Additional details URL: https://www.joyebike.com/product/wolf-bike/
Detailed report
Required Setup:
- Joy ebike Wolf, Manufacturing year 2022
- Joy ebike vehicle keys.
- HackRF with antenna
The following steps reproduce the proof of concept:
- Activate the HackRF in RX mode on 433.92 MHz.
- Press the unlock/drive button on the key fob.
- The HackRF captures the unlock frame command.
- Lock the vehicle with a key.
- Replay the captured command.
- The vehicle unlocks and can be driven.
Additional Note: Further analysis was not conducted, but multiple commands can be replayed.
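The replay succeeds because the receiver accepts a frame it has already seen. As an added example (not part of the original report and not Joy ebike firmware), the Python model below contrasts a receiver that accepts a repeated frame with one that requires a valid MAC and a strictly newer counter. The frame layout, key, command code and window size are all assumptions, since the report does not describe the fob's protocol.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: per-fob secret provisioned at pairing
WINDOW = 16                    # assumption: tolerated counter jump (missed presses)
UNLOCK = 0x01                  # hypothetical command code

def make_frame(key, counter, command):
    """Fob side: command + 32-bit counter, authenticated with truncated HMAC-SHA256."""
    body = struct.pack(">BI", command, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class FixedCodeReceiver:
    """Models the reported behaviour: a previously valid frame is accepted again."""
    def __init__(self, known_frame):
        self.known_frame = known_frame
    def accept(self, frame):
        return frame == self.known_frame

class CounterReceiver:
    """Accepts a frame only if the MAC verifies and the counter is strictly newer."""
    def __init__(self, key, last_counter=0):
        self.key = key
        self.last_counter = last_counter
    def accept(self, frame):
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False             # forged or corrupted frame
        _, counter = struct.unpack(">BI", body)
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False             # replayed (stale) or implausibly far ahead
        self.last_counter = counter  # real hardware must persist this across power loss
        return True

def demo():
    captured = make_frame(KEY, 1, UNLOCK)  # constructed sample frame, first button press
    fixed, rolling = FixedCodeReceiver(captured), CounterReceiver(KEY)
    return {
        "fixed_first": fixed.accept(captured),
        "fixed_replay": fixed.accept(captured),
        "rolling_first": rolling.accept(captured),
        "rolling_replay": rolling.accept(captured),
        "rolling_next": rolling.accept(make_frame(KEY, 2, UNLOCK)),
    }

if __name__ == "__main__":
    print(demo())
```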
Video proof of concept:
https://drive.google.com/file/d/1COrBDuncLs5yR5lotpxyMSWQDY6Br-qj/view?usp=sharing
Credits: Neelam Verma, Krutarth Raut, Nikhil Bogam