LAS VEGAS–Do not let Samy Kamkar near your car.
Kamkar has built a new device that is about the size of a wallet and can intercept the codes used to unlock most cars and many garage doors. The device can be hidden underneath a vehicle and when the owner approaches and hits the unlock button on her key or remote, the device grabs the unique code sent by the remote and stores it for later use.
Known as Rolljam, the device takes advantage of a weakness in the way that vehicles that use rolling codes for unlocking produce and accept those codes. Kamkar said that the device works on most vehicles and garage doors that use rolling, rather than fixed, codes. Under normal circumstances, when a driver hits the unlock button on her remote, it sends a rolling code to the vehicle. The car recognizes the code and unlocks. These codes are one-time-use only, and a vehicle won’t accept a code that it’s seen before, in order to prevent a thief from intercepting the signal and replaying it later. Vehicles that use rolling codes also invalidate all previous codes when they accept a new one. The receiver only checks that a code is authentic and not yet used, however, so a code the car never heard remains valid until a later code is accepted.
Kamkar’s Rolljam device gets around these defenses by jamming the signal from the remote so the vehicle never hears it.
“So when you are walking towards your car, you hit the unlock button — because it’s jammed, the car can’t hear it, however my device is also listening so my device hears your signal (and removes the jamming signal because it knows what to remove). Now I have a rolling code that your car has not yet heard,” Kamkar said via email.
“Then you press unlock again because it didn’t work the first time, and I jam again, and listen, and now have two codes. However, at this point I replay the FIRST code I listened to from your key and your car successfully unlocks. To the user/owner, it appears the 2nd time pressing it worked because it happens so quickly (less than a second to jam/sniff+replay). However, I now have the NEXT rolling code in the sequence that hasn’t been used yet. I can come back later and conveniently unlock your car. Because I leave the device under your car, it always has the latest code.”
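The jam-sniff-replay sequence Kamkar describes, modelled as an added example for this article. This is not Kamkar's code and not any real key-fob protocol: real hopping-code schemes encrypt a counter, and here a keyed HMAC over the counter stands in for that. The shared key, the 16-code acceptance window, and the `Remote`/`Receiver` classes are constructed assumptions; the point the simulation shows is that a plain replay fails, while a code the car was jammed from hearing stays valid, and that the stolen code is invalidated the moment the owner gets a later press through unjammed (which is why the device has to stay under the car).

```python
import hmac
import hashlib

# Simplified rolling-code model (example code, not Kamkar's and not a real
# key-fob scheme). Assumption: an HMAC tag over a 32-bit counter replaces the
# encrypted counter used by real hopping-code remotes.
SHARED_KEY = b"constructed-demo-pairing-key"  # assumption: provisioned at pairing
WINDOW = 16                                   # assumption: receiver accepts up to 16 counters ahead


def make_code(counter: int) -> tuple:
    """Remote side: emit (counter, tag) for the given counter value."""
    msg = counter.to_bytes(4, "big")
    tag = hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:4]
    return (counter, tag)


class Remote:
    """Key fob: each press advances the counter and emits a fresh code."""

    def __init__(self):
        self.counter = 0

    def press(self) -> tuple:
        self.counter += 1
        return make_code(self.counter)


class Receiver:
    """Car: accepts a code only if authentic, unused, and within the window."""

    def __init__(self):
        self.last_seen = 0

    def receive(self, code) -> bool:
        counter, tag = code
        if not hmac.compare_digest(tag, make_code(counter)[1]):
            return False                              # forged or corrupted
        if counter <= self.last_seen:
            return False                              # already used: replay
        if counter > self.last_seen + WINDOW:
            return False                              # too far ahead: out of sync
        self.last_seen = counter                      # invalidates every earlier code
        return True


def plain_replay_fails() -> bool:
    """Without jamming, a captured code is useless once the car has heard it."""
    remote, car = Remote(), Receiver()
    code = remote.press()
    car.receive(code)                                 # owner's press reaches the car
    return car.receive(code) is False                 # attacker's replay is rejected


def rolljam_attack() -> dict:
    """Jam both presses, replay the first so the owner is satisfied, keep the second."""
    remote, car = Remote(), Receiver()
    stolen_1 = remote.press()                         # press 1: jammed, car never hears it
    stolen_2 = remote.press()                         # press 2: jammed again
    press2_unlocked = car.receive(stolen_1)           # attacker replays code 1 immediately
    later_unlocked = car.receive(stolen_2)            # attacker returns later with code 2
    owner_next_ok = car.receive(remote.press())       # owner's next press still works
    return {
        "press2_unlocked": press2_unlocked,
        "later_unlocked": later_unlocked,
        "owner_next_ok": owner_next_ok,
    }


def stale_code_rejected() -> bool:
    """If the owner gets a later press through unjammed, the stolen code dies."""
    remote, car = Remote(), Receiver()
    stolen_1 = remote.press()
    stolen_2 = remote.press()
    car.receive(stolen_1)                             # attacker's immediate replay
    car.receive(remote.press())                       # owner presses again, not jammed
    return car.receive(stolen_2) is False             # counter 2 is now behind last_seen


if __name__ == "__main__":
    print("plain replay rejected:", plain_replay_fails())
    print("rolljam:", rolljam_attack())
    print("stale stolen code rejected:", stale_code_rejected())
```

The last function is the reason Kamkar leaves the device under the car: a single intercepted code is only good until the receiver accepts any later one, so the attacker has to keep jamming and harvesting to hold the newest code in the sequence.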
The Rolljam device is small now, but Kamkar said he plans to tweak it even further and will get it down to the size of a typical car remote. The device is built from about $30 in hardware, Kamkar said, and he plans to reveal more details about it at DEF CON here Friday. The attack he developed also works on garage door openers that use rolling codes.
This is the second time in the last few months that Kamkar has taken aim at the codes on garage doors. In June he released research that showed he could open any garage door that uses a fixed code in less than 10 seconds. That OpenSesame attack used a toy communicator to send signals to the garage door opener.
And just last week Kamkar released a device called OwnStar that enables him to intercept the traffic from a phone running the OnStar RemoteLink mobile app and locate, unlock, and remotely start a vehicle with OnStar.