
By Jason Yuan (Engineer, Automotive)
At a recent automotive capture-the-flag (CTF) event, hosted by the security researcher Willem Melching and held in late March, participants revisited a long-known but still significant vulnerability in Hitag2. Hitag2 is a remote keyless entry protocol that has been the subject of multiple research papers (including these 2012 and 2018 papers), and the CTF event showed just how quickly attackers can exploit this vulnerability to capture and clone a Hitag2 key fob.
In his detailed writeup, Stephan DB, one of the participants, explains the steps that he used to exploit this vulnerability. In this blog entry, we summarize the technical steps involved and explain why stealthy key duplication remains alarmingly simple.
A popular yet outdated system
Hitag2 is a widely used RFID-based transponder system for car key fobs and immobilizers. It gained substantial traction during the 2000s and 2010s, as its affordability and simplicity led to its widespread deployment in vehicle remote keyless entry systems across numerous brands. Despite hitting the market decades ago, it still appears in some 2023 models, underscoring how legacy technology can persist far beyond its expected lifespan.
Although Hitag2 was once considered reliable, demonstrations have made it clear that its security flaws aren’t just theoretical. Attackers can use discreet software-defined radio (SDR) devices to capture a Hitag2-based key fob’s transmissions from a distance and then exploit the cipher’s short 48-bit key to forge a functional clone. Automated theft kits that bundle these techniques have surfaced on dark web markets, enabling criminals with minimal technical skill to replicate the attack and thus presenting a tangible danger.
This real-world scenario highlights the risk of relying on outdated security measures in modern vehicles, since stealthy data collection and swift cryptanalysis make successful key cloning both common and relatively easy to execute.
Cloning the fob: from raw signals to secret keys
Cloning a Hitag2-based key fob begins by capturing its radio transmissions, decoding the underlying protocol, and then employing a guess-and-determine approach to reveal the secret key. In the recent CTF challenge, participants demonstrated how straightforward this process could be.
Attackers first gather raw signals using an SDR, such as a HackRF One. By listening to the frequency range where most automotive remotes broadcast, they can capture the short bursts transmitted by a fob whenever the driver presses “lock” or “unlock.” Because these signals are usually repeated multiple times for reliability, obtaining a few valid samples does not take long.
To illustrate, we replicated the attack for this article and produced screenshots from our attempt.
Figure 1. Captured signals from the fob
After recording, the next step is fine-tuning parameters in a tool like the Universal Radio Hacker (URH). Key fob transmissions typically use on-off keying (OOK) or amplitude shift keying (ASK) modulation combined with Manchester encoding. URH’s “demodulated” view helps confirm the correct sample rate and whether an inverted Manchester scheme is in play. A reliable indicator of success is a 13-byte frame starting with “FFFF” in the decoded output, which usually represents a valid Hitag2 packet. This packet format usually contains the fob’s unique identifier (UID), a counter, a button code, and a cryptographic output. Even if the signal is noisy, a correct checksum often confirms that enough valid data has been captured.
Figure 2. Decoded signals
To fully exploit these packets, researchers rely on refined guess-and-determine techniques outlined in publications like the 2018 research titled “Hitag 2 Hell – Brutally Optimizing Guess-and-Determine Attacks.” Modern cracking tools substantially reduce the effort compared to basic brute-force attacks by harnessing GPU acceleration and methodically testing partial guesses. Once the correct portion of the 48-bit key is identified, built-in dependencies within the cipher allow the rest of the bits to be quickly deduced. Gathering two pairs of parameters — nRx and aRx in each pair — from separate signals typically provides enough information to launch the attack. With those values in hand, the remaining unknown bits collapse in a minute, leaving the attackers with a fully recovered Hitag2 key. Once the attackers have reached this point, creating a functional clone fob to lock, unlock, or even start the vehicle becomes a simple matter.
Figure 3. Cracked secret key
Real-world impact
Although the weaknesses of Hitag2 have been discussed in academic research for years, real cases of theft continue to highlight the serious nature of this vulnerability. Criminals can quietly record key fob transmissions by waiting in parking lots or on residential streets for owners to lock or unlock their cars. With only a few recorded signals, they can apply off-the-shelf cracking tools to create fully functional clone keys in under a minute, leaving no visible signs of tampering.
This threat remains especially concerning because many vehicle models, including those from recent production years, still rely on Hitag2 for their key fobs. Vehicle owners, unaware that their vehicles use an outdated encryption scheme, risk having their vehicles unlocked or even stolen without any outward indication of a break-in — revealing how legacy protocols continue to pose significant security issues.