The next time you press your wireless key fob to unlock your car, if you find that it doesn’t beep until the second try, the issue may not be a technical glitch. Instead, a hacker like Samy Kamkar may be using a clever radio hack to intercept and record your wireless key’s command. And when that hacker walks up to your vehicle a few minutes, hours, or days later, it won’t even take those two button presses to get inside.
At the hacker conference DefCon in Las Vegas tomorrow, Kamkar plans to present the details of a gadget he’s developed called “RollJam.” The $32 radio device, smaller than a cell phone, is designed to defeat the “rolling codes” security used in not only most modern cars and trucks’ keyless entry systems, but also in their alarm systems and in modern garage door openers. The technique, long understood but easier than ever to pull off with Kamkar’s attack, lets an intruder break into cars without a trace, turn off their alarms and effortlessly access garages.
RollJam, as Kamkar describes it, is meant to be hidden on or near a target vehicle or garage, where it lies in wait for an unsuspecting victim to use his or her key fob within radio range. The victim will notice only that his or her key fob doesn’t work on the first try. But after a second, successful button press locks or unlocks a car or garage door, the RollJam attacker can return at any time to retrieve the device, press a small button on it, and replay an intercepted code from the victim’s fob to open that car or garage again at will. “Every garage that has a wireless remote, and virtually every car that has a wireless key can be broken into,” says Kamkar.
Thieves have used “code grabber” devices for years to intercept and replay wireless codes for car and garage doors. But both industries have responded by moving the ISM radio signals their key fobs use to a system of rolling codes, in which the key fob’s code changes with every use and any code is rejected if it’s used a second time.
To circumvent that security measure, RollJam uses an uncannily devious technique: The first time the victim presses their key fob, RollJam “jams” the signal with a pair of cheap radios that send out noise on the two common frequencies used by cars and garage door openers. At the same time, the hacking device listens with a third radio—one that’s more finely tuned to pick up the fob’s signal than the actual intended receiver—and records the user’s wireless code.
When that first signal is jammed and fails to unlock the door, the user naturally tries pressing the button again. On that second press, the RollJam is programmed to again jam the signal and record that second code, but also to simultaneously broadcast its first code. That replayed first code unlocks the door, and the user immediately forgets about the failed key press. But the RollJam has secretly stored away a second, still-usable code. “You think everything worked on the second time, and you drive home,” says Kamkar. “But I now have a second code, and I can use that to unlock your car.”
If the RollJam is attached to the car or hidden near a garage, it can repeat its jamming and interception indefinitely no matter how many times the car or garage door’s owner presses the key fob, replaying one code and storing away the next one in the sequence for the attacker. Whenever the RollJam’s owner comes to retrieve the device, it’s designed to have a fresh, unused code ready for intrusion. “It will always do the same thing, and always have the latest code,” says Kamkar. “And then I can come at night or whenever and break in.”
Kamkar says he’s tested the proof-of-concept device with success on on Nissan, Cadillac, Ford, Toyota, Lotus, Volkswagen, and Chrysler vehicles, as well as Cobra and Viper alarm systems and Genie and Liftmaster garage door openers. He estimates that millions of vehicles and garage doors may be vulnerable. But he says he believes the problem is rooted in the chips used by many of those companies: the Keeloq system sold by the firm Microchip and the Hisec chips sold by Texas Instruments.
WIRED reached out one-by-one to each of those companies. All but a few have yet to respond. Liftmaster and Volkswagen declined to comment, and a Viper spokesperson said it’s trying to learn more about Kamkar’s findings. Cadillac spokesperson David Caldwell wrote in an email that Kamkar’s intrusion method “is well-known to our cyber security experts,” and he believes it works only with prior model year vehicles, “as recent/current Cadillac models have moved to a new system.”
Kamkar isn’t the first, as Cadillac implies, to invent the RollJam’s method of jamming, interception and playback. Security researcher Spencer Whyte wrote in March of last year that he’d created a similar device. But Kamkar says his refined RollJam is designed to better automate the attack Whyte used, without the need to attach the device to a laptop. And while Whyte appears to have kept the code for his tool under wraps, Kamkar plans to release his on Github, timed to his DefCon talk Friday.
Kamkar also says that Cadillac may be correct that its newest vehicles aren’t subject to the attack. The latest version of Keeloq’s chips, which the company calls Dual Keeloq, use a system of codes that expire over short time periods and foil his attack. In fact, Kamkar says his goal with RollJam is to demonstrate to car and garage door companies that they need to make that upgrade to expiring codes, or leave their customers vulnerable to interception attacks like the one he’s demonstrated.
After all, Kamkar points out, two factor authentication systems like Google Authenticator or RSA’s SecurID use codes that expire in seconds, while millions of car owners still protect their vehicles with vulnerable systems whose codes never expire. With those precedents in traditional internet security, car makers should know that using rolling codes without an added code expiration measure no longer suffices to keep their products secure. RollJam is intended to definitively demonstrate that lesson.
“This is throwing the gauntlet down and saying, ‘here’s proof this is a problem,’” says Kamkar. “My own car is fully susceptible to this attack. I don’t think that’s right when we know this is solvable.”