Vulnerability Description

Reproduction requires tools

Two attacking machines: Android devices, correctly configured with NFCGATE: https://github.com/nfcgate/nfcgate

One server: Configured with NFCGATE relay (official NFCGATE setup is available)

One victim device: NFC car key configured on a BYD Ocean

One victim car: Vulnerability confirmed on the “Dolphin” model

Reproduction process:

Start the server and connect the two attacking machines in relay mode. One machine selects reader mode, the other selects tag mode. The attacking machine in tag mode approaches the car’s NFC card reader.

The attacking machine in reader mode is placed close to the victim device.

Once the attacking machine is near the victim device, the victim’s NFC key is automatically activated and relayed to the tag. The tag interacts with the car, successfully unlocking it.