LAS VEGAS–Do not let Samy Kamkar near your car.

Kamkar has built a new device that is about the size of a wallet and can intercept the codes used to unlock most cars and many garage doors. The device can be hidden underneath a vehicle and when the owner approaches and hits the unlock button on her key or remote, the device grabs the unique code sent by the remote and stores it for later use.

Known as Rolljam, the device takes advantage of an issue with the way that vehicles that use rolling codes for unlocking produce and receive those codes. Kamkar said that the device works on most vehicles and garage doors that use rolling, rather than fixed, codes. Under normal circumstances, when a driver hits the unlock button on her remote, it sends a rolling code to the vehicle. The car recognizes the code and unlocks. These codes are one-time-use only, and a vehicle won’t accept a code that it has seen before, in order to prevent a thief from intercepting the signal and replaying it later. Vehicles that use rolling codes also invalidate all previous codes when they receive a new one.

Kamkar’s Rolljam device gets around these defenses by jamming the signal from the remote so the vehicle never hears it.

“So when you are walking towards your car, you hit the unlock button — because it’s jammed, the car can’t hear it, however my device is also listening so my device hears your signal (and removes the jamming signal because it knows what to remove). Now I have a rolling code that your car has not yet heard,” Kamkar said via email.

“Then you press unlock again because it didn’t work the first time, and I jam again, and listen, and now have two codes. However, at this point I replay the FIRST code I listened to from your key and your car successfully unlocks. To the user/owner, it appears the 2nd time pressing it worked because it happens so quickly (less than a second to jam/sniff+replay). However, I now have the NEXT rolling code in the sequence that hasn’t been used yet. I can come back later and conveniently unlock your car. Because I leave the device under your car, it always has the latest code.”

The Rolljam device is small now, but Kamkar said he plans to tweak it even further and will get it down to the size of a typical car remote. The device is built from about $30 in hardware, Kamkar said, and he plans to reveal more details about it at DEF CON here Friday. The attack he developed also works on garage door openers that use rolling codes.

This is the second time in the last few months that Kamkar has taken aim at the codes on garage doors. In June he released research that showed he could open any garage door that uses a fixed code in less than 10 seconds. That OpenSesame attack used a toy communicator to send signals to the garage door opener.

And just last week Kamkar released a device called OwnStar that enables him to intercept the traffic from a phone running the OnStar RemoteLink mobile app and locate, unlock, and remotely start a vehicle with OnStar.

Categories: Black Hat, Hacks

Comments (6)

  1. Trishna
    1

    Need to create a frequency-transmitting barrier in a radius surrounding the auto. Can carry an RF detector.

    • Anonymous
      2

      Nah, what’s needed is bi-directional communication between the key and the car.

  2. techunsupport
    3

    Neat idea, bad for car owners. Still can’t drive the car away with it unless the car has remote engine start or you hot-wire it. The practicality of this method is less so. I mean, most of the time you unlock the car so you can drive. So if the sinister hacker unlocks the car using the first code, then the owner drives the car out; that means the hacker has to follow the car until it stops somewhere, then use the 2nd code when the car owner walks away from the car. Or this attack assumes the car owner stops at the car to grab or put something in the car, like in the shopping mall. Again, all these types of problems occur because manufacturers don’t take security seriously. Pairing the remote to the car and using encryption, none of this would happen. Why the car would accept a code from any key is stupid. Most people use only one or two remotes for the entire life of the car. Why weren’t they required to be paired in the first place, other than that this makes it easy for manufacturers/dealers/techs?

  3. Seth
    4

    Great work. Anything that shines a light on the pathetic security of everyday devices is a step forward.

  4. NeoAtlantis
    6

    We need to use some challenge-response scheme just like we do on the Internet. The car itself should choose a one-time challenge, and as an answer the remote control should sign this. It doesn’t have to be RSA or alike, maybe just something like HMAC, since the remote control and the car can share the same secret. There are also chips doing these hashing jobs (like the SHA chip), so it should not be hard.
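The following Python model is an added example, not Kamkar’s code and not any manufacturer’s actual scheme. It puts the article’s description of rolling codes (one-time use, earlier codes invalidated on receipt of a newer one) side by side with the challenge-response design NeoAtlantis proposes above. The key, the HMAC-based code derivation, the 8-byte code length and the 16-code look-ahead window are all assumptions made for the illustration; radio jamming is modelled only as a frame that never reaches the car. The point is that a counter-based receiver cannot distinguish a delayed frame from a fresh one, while a per-unlock random challenge makes any recorded answer worthless.

```python
import hashlib
import hmac
import secrets

# Shared secret between one remote and one car (constructed sample key).
DEMO_KEY = b"demo-key-not-a-real-vehicle-key"


def rolling_code(key: bytes, counter: int) -> bytes:
    """Derive the over-the-air code for a counter value. Assumed construction:
    a truncated HMAC; real systems use a vendor-specific cipher over the counter."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class RollingCodeRemote:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.key, self.counter)


class RollingCodeCar:
    """Accepts a code only if its counter lies ahead of the last accepted one,
    within a look-ahead window (so presses made out of range still resync)."""

    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window
        self.last_counter = 0

    def unlock(self, code: bytes) -> bool:
        for ctr in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(code, rolling_code(self.key, ctr)):
                self.last_counter = ctr  # every earlier code is now invalid
                return True
        return False


def rolling_replay_is_rejected() -> tuple:
    """A code the car has already accepted is refused when presented again."""
    remote, car = RollingCodeRemote(DEMO_KEY), RollingCodeCar(DEMO_KEY)
    code = remote.press()
    return car.unlock(code), car.unlock(code)  # (True, False)


def rolling_withheld_code_stays_valid() -> tuple:
    """The weakness the article describes: if two presses never reach the car
    (modelled by simply not handing the frames to it), delivering the first one
    later unlocks the car and leaves the second one still valid. The receiver
    has no way to tell a delayed frame from a fresh press."""
    remote, car = RollingCodeRemote(DEMO_KEY), RollingCodeCar(DEMO_KEY)
    first, second = remote.press(), remote.press()  # neither reaches the car
    return car.unlock(first), car.unlock(second), car.unlock(first)  # (True, True, False)


class ChallengeResponseCar:
    """The design proposed in the comments: the car picks a fresh random
    challenge and accepts only an HMAC over that exact challenge, once."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def unlock(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # a challenge can be answered exactly once
        return hmac.compare_digest(response, expected)


def remote_answer(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()


def challenge_response_withheld_answer_is_useless() -> tuple:
    """A recorded response only answers the challenge it was computed for.
    The next unlock uses a new challenge, so the stale answer is refused while
    a freshly computed one is accepted."""
    car = ChallengeResponseCar(DEMO_KEY)
    recorded = remote_answer(DEMO_KEY, car.challenge())  # never reaches the car
    car.challenge()                                      # owner presses again
    stale_rejected = not car.unlock(recorded)
    fresh_accepted = car.unlock(remote_answer(DEMO_KEY, car.challenge()))
    return stale_rejected, fresh_accepted  # (True, True)
```

Note what the challenge-response variant costs: the remote must be able to receive the challenge before it can answer, which is the bidirectional link Anonymous points out above and which a transmit-only fob does not have. The look-ahead window in the rolling-code model is also worth keeping in mind as a tuning knob: a smaller window limits how far ahead a withheld code can be banked, but it cannot close the gap, since the very next code is always inside any usable window.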

Comments are closed.