Meet RollJam, the $30 device that jimmies car and garage doors

Status
Not open for further replies.

potato44819

Ars Legatus Legionis
27,945
Dachannien said:
How much bigger would the key fob have to be in order to implement a bidirectional challenge-response system?

At this point I'd rather use a bluetooth unlock. I take my cellphone out to put it into GPS mode anyhow, pressing a button to unlock (and hell, start) my car isn't that big of a jump anymore.

My cellphone is my second factor, it may as well be my primary car key as well.
 
Upvote
-14 (9 / -23)

Natt

Ars Tribunus Militum
2,598
THavoc said:
So, I wonder if there will be some update / patch for something like this in the near future?

Seems too big of a threat to ignore.
This is hardly the first device to exploit such keyless entry technologies. In London the majority of car break-ins and thefts have used this method for years now.
 
Upvote
32 (32 / 0)
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?
 
Upvote
4 (8 / -4)

THavoc

Ars Legatus Legionis
30,401
Natt said:
THavoc said:
So, I wonder if there will be some update / patch for something like this in the near future?

Seems too big of a threat to ignore.
This is hardly the first device to exploit such keyless entry technologies. In London the majority of car break-ins and thefts have used this method for years now.

So why is this news then?

If it's been done before, what makes this one different?
 
Upvote
-5 (3 / -8)

potato44819

Ars Legatus Legionis
27,945
sprockkets said:
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?

Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.
 
Upvote
5 (17 / -12)
Modern Major General Thanatos said:
sprockkets said:
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?

Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.

Nope. Next time you use the fob, the code used is newer, thus invalidating the older code never used due to interference.

You'd have to hope that person never used the fob between then. I use mine 100% of the time to lock to guarantee I have the key.

edit: The scenario below me makes sense. Use it while locking as you are leaving in a parking lot or if you are leaving a house.
 
Upvote
20 (20 / 0)

DCRoss

Ars Scholae Palatinae
1,325
Modern Major General Thanatos said:
sprockkets said:
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?

Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.

Close, but next day may be a bit much. As I understand it this attack only stores a one-time use code so it will be invalidated the next time the real owner unlocks the door.

Try waiting in a parking lot, watch for someone leaving their car and locking it as they walk away, and then opening the door again after they are gone.
 
Upvote
35 (36 / -1)
THavoc said:
So, I wonder if there will be some update / patch for something like this in the near future?

Seems too big of a threat to ignore.

How often does your garage door opener receive patches? We have a hard enough time getting Android patches out to phones that are both capable of updating AND always online. Neither my car nor my garage door opener has those advantages. Even if a patch is available, I have no hope that >99% of vulnerable devices will ever have a chance to receive it.
 
Upvote
51 (51 / 0)

Dilbert

Ars Legatus Legionis
34,009
My car is from 1938 (okay not really) and hasn't got keyless.

The garage door does and it's very very easy to hack into. When I haven't got anything better to do, I'll make my own wireless for the garage door. The interface between the motor and the radio receiver is dead simple. Just three inputs: positive, common ground/negative, and receiver signal. Need to sniff out what the receiver signal is (just a voltage pulse in all likelihood), replicate it, and then make my own wireless receiver. Probably Arduino with a Bluetooth or wifi module but open to suggestions? The garage motor won't know or care what I do with the radio receiver, as long as that 'open sesame' signal remains the same.
 
Upvote
14 (15 / -1)
Quiet Desperation said:
Sometimes I wonder what world we could have if all this cleverness was better focused.

Like, if this cleverness was focused on getting us less vulnerable technology in the first place? The problem with using this criticism against work like this is that it ignores the fact that there is already a great deal of motivation to perform the same work in secret. This guy not only figured out how to do this work, but let us know about it. There's a decent chance that this same work has already been done by someone else, but using it instead to sell to people wanting to break into cars and homes. Because we know that this can be done, we can try to mitigate the problem. If the same amount of effort and "cleverness" were applied to a problem set, we might not be working towards stopping people from breaking into cars and homes through one more mechanism.
 
Upvote
23 (23 / 0)

Drizzt321

Ars Legatus Legionis
33,609
Subscriptor++
THavoc said:
So, I wonder if there will be some update / patch for something like this in the near future?

Seems too big of a threat to ignore.

I doubt this is patchable. It seems like it's part of the fundamental silicon, and not any firmware. If that's so, then it'd take physical replacement of both the transmitter & receiver (or, at least the receiver) to fix. So perhaps newer vehicles. I wonder if I can get that information (which system it uses) when I go shopping for my next vehicle in a couple of years.
 
Upvote
24 (24 / 0)

wb

Ars Legatus Legionis
25,208
Subscriptor
Modern Major General Thanatos said:
sprockkets said:
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?

Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.

I don't know about you, but I lock my car whenever I get out. In such a use case, this presumes the car has not moved since it was parked, or else the stored code would have already been used.
 
Upvote
8 (8 / 0)

chanman819

Ars Tribunus Angusticlavius
6,739
Subscriptor
Modern Major General Thanatos said:
Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.

Well, you'd still have to get past the ignition, immobilizer and other anti-theft devices. I think a much more likely (ab)use case is in a high-end shopping area during say... Black Friday (US) or Boxing Day (Canada). Wait until someone drops off their purchases, intercept their keyless signal, and lift a new Coach bag or whatever overpriced designer goods are valuable this year.
 
Upvote
24 (24 / 0)

Violynne

Ars Scholae Palatinae
881
THavoc said:
So, I wonder if there will be some update / patch for something like this in the near future?
Apparently not.

I saw this very same demo nearly 7 years ago at a security conference.

In fact, you can pull the very same instructions from YouTube right now.

The fact it's still possible to do is pretty telling how companies feel about security.
 
Upvote
24 (24 / 0)

skizzerz

Ars Centurion
250
Subscriptor++
Modern Major General Thanatos said:
sprockkets said:
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?

Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.

Close, but next day may be a bit much. As I understand it this attack only stores a one-time use code so it will be invalidated the next time the real owner unlocks the door.

Try waiting in a parking lot, watch for someone leaving their car and locking it as they walk away, and then opening the door again after they are gone.

Except wouldn't the stored code just lock the car again? If I press the lock button multiple times it continues to attempt to lock the car -- it doesn't send a "toggle locked state" code. In order for this to work you'd have to save off them pressing the unlock key, which presumably they'll do as they are heading back to the car, not away from it. You could possibly follow in your own car to wherever their new destination is and then attempt to re-unlock it at that time after they walk away, assuming that lock and unlock codes are tracked separately.

I don't see any link to the source of this article detailing RollJam so can't comment on what the researcher actually did to demonstrate this "hack" being practical.
 
Upvote
19 (19 / 0)

THavoc

Ars Legatus Legionis
30,401
Violynne said:
THavoc said:
So, I wonder if there will be some update / patch for something like this in the near future?
Apparently not.

I saw this very same demo nearly 7 years ago at a security conference.

In fact, you can pull the very same instructions from YouTube right now.

The fact it's still possible to do is pretty telling how companies feel about security.

Noted. But as I asked earlier, what makes this different? Why is this 'news'?
 
Upvote
-1 (1 / -2)
THavoc said:
Violynne said:
THavoc said:
So, I wonder if there will be some update / patch for something like this in the near future?
Apparently not.

I saw this very same demo nearly 7 years ago at a security conference.

In fact, you can pull the very same instructions from YouTube right now.

The fact it's still possible to do is pretty telling how companies feel about security.

Noted. But as I asked earlier, what makes this different? Why is this 'news'?

Cost of entry on tech knowledge+cost is now far lower.
 
Upvote
12 (12 / 0)

Dilbert

Ars Legatus Legionis
34,009
Modern Major General Thanatos said:
THavoc said:
Violynne said:
THavoc said:
So, I wonder if there will be some update / patch for something like this in the near future?
Apparently not.

I saw this very same demo nearly 7 years ago at a security conference.

In fact, you can pull the very same instructions from YouTube right now.

The fact it's still possible to do is pretty telling how companies feel about security.

Noted. But as I asked earlier, what makes this different? Why is this 'news'?

Cost of entry on tech knowledge+cost is now far lower.
This. It took Cap'n Crunch to do such things in the past. Now every crook can order a device shipped direct from China, and enter garages and cars with impunity. What's really troubling is most people wouldn't give it a second thought if they saw a break-in, and would not call the police, because they are conditioned to interpret remote control usage as ownership. It's easy crime, with zero skill required, low chance of getting busted, and low up front cost for entry. These things are sold on alibaba and dx for two digit US dollars.
 
Upvote
18 (18 / 0)

THavoc

Ars Legatus Legionis
30,401
Dilbert said:
Modern Major General Thanatos said:
THavoc said:
Violynne said:
THavoc said:
So, I wonder if there will be some update / patch for something like this in the near future?
Apparently not.

I saw this very same demo nearly 7 years ago at a security conference.

In fact, you can pull the very same instructions from YouTube right now.

The fact it's still possible to do is pretty telling how companies feel about security.

Noted. But as I asked earlier, what makes this different? Why is this 'news'?

Cost of entry on tech knowledge+cost is now far lower.
This. It took Cap'n Crunch to do such things in the past. Now every crook can order a device shipped direct from China, and enter garages and cars with impunity. What's really troubling is most people wouldn't give it a second thought if they saw a break-in, and would not call the police, because they are conditioned to interpret remote control usage as ownership. It's easy crime, with zero skill required, low chance of getting busted, and low up front cost for entry. These things are sold on alibaba and dx for two digit US dollars.

So wouldn't this make it a more serious issue the manufacturers will have to address?
 
Upvote
5 (5 / 0)

Thereitis

Ars Scholae Palatinae
1,133
skizzerz said:
Modern Major General Thanatos said:
sprockkets said:
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?

Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.

Close, but next day may be a bit much. As I understand it this attack only stores a one-time use code so it will be invalidated the next time the real owner unlocks the door.

Try waiting in a parking lot, watch for someone leaving their car and locking it as they walk away, and then opening the door again after they are gone.

Except wouldn't the stored code just lock the car again? If I press the lock button multiple times it continues to attempt to lock the car -- it doesn't send a "toggle locked state" code. In order for this to work you'd have to save off them pressing the unlock key, which presumably they'll do as they are heading back to the car, not away from it. You could possibly follow in your own car to wherever their new destination is and then attempt to re-unlock it at that time after they walk away, assuming that lock and unlock codes are tracked separately.

I don't see any link to the source of this article detailing RollJam so can't comment on what the researcher actually did to demonstrate this "hack" being practical.

I'm guessing that the fob appends a lock/unlock bit or bit-string to the pass phrase. Which one gets sent depends upon which key you press. This device would just strip that lock/unlock/panic suffix and use the unlock code when it transmits.

Edit: Here's a link that describes PRNG and supports my explanation: http://auto.howstuffworks.com/remote-entry2.htm
 
Upvote
15 (17 / -2)

Dilbert

Ars Legatus Legionis
34,009
THavoc said:
Dilbert said:
Modern Major General Thanatos said:
THavoc said:
Violynne said:
THavoc said:
So, I wonder if there will be some update / patch for something like this in the near future?
Apparently not.

I saw this very same demo nearly 7 years ago at a security conference.

In fact, you can pull the very same instructions from YouTube right now.

The fact it's still possible to do is pretty telling how companies feel about security.

Noted. But as I asked earlier, what makes this different? Why is this 'news'?

Cost of entry on tech knowledge+cost is now far lower.
This. It took Cap'n Crunch to do such things in the past. Now every crook can order a device shipped direct from China, and enter garages and cars with impunity. What's really troubling is most people wouldn't give it a second thought if they saw a break-in, and would not call the police, because they are conditioned to interpret remote control usage as ownership. It's easy crime, with zero skill required, low chance of getting busted, and low up front cost for entry. These things are sold on alibaba and dx for two digit US dollars.

So wouldn't this make it a more serious issue the manufacturers will have to address?
They don't know how to. Entire wifi industry got their heads together and came up with..... WEP. We all know how that turned out. Besides it isn't a widespread problem yet. Actually it is, but not much media/news coverage so it isn't in the public's psyche. As soon as it becomes A Thing Everyone's Aware Of (not a problem until that happens, right? :facepalm: ) then the manufacturers will "secure" their wireless. But it won't really be secure.
 
Upvote
8 (9 / -1)

pqr

Ars Scholae Palatinae
1,261
skizzerz said:
Modern Major General Thanatos said:
sprockkets said:
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?

Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.

Close, but next day may be a bit much. As I understand it this attack only stores a one-time use code so it will be invalidated the next time the real owner unlocks the door.

Try waiting in a parking lot, watch for someone leaving their car and locking it as they walk away, and then opening the door again after they are gone.

Except wouldn't the stored code just lock the car again? If I press the lock button multiple times it continues to attempt to lock the car -- it doesn't send a "toggle locked state" code. In order for this to work you'd have to save off them pressing the unlock key, which presumably they'll do as they are heading back to the car, not away from it. You could possibly follow in your own car to wherever their new destination is and then attempt to re-unlock it at that time after they walk away, assuming that lock and unlock codes are tracked separately.

I don't see any link to the source of this article detailing RollJam so can't comment on what the researcher actually did to demonstrate this "hack" being practical.

Yes, toggling would be dangerous because you don't know whether your car receives your signal, so you must consistently send the desired action (open/close) every single time. You can also lock the car by hand without the key and open it with the key again (or vice versa: open by hand while inside and lock with the key afterwards), so from the remote key's perspective it's not an open/close/open/close/... alternating cycle.

I wouldn't be surprised if manufacturers only considered protecting opening, as that's more important. So maybe closing has no rolling key? Or it's the same key for all interaction but with extra data to code the request (open/close). At the heart of it, it's just two pseudo-random sequences synchronized at installation and on subsequent open/close. Each sequence only steps upwards by one at a time, but cars are programmed to step ahead if necessary and accept the next N rolling keys, where N is large like 256 or 1024(?), because kids might've been pressing the fob for fun at home and you don't want that to lock the owner out. So I was expecting some crypto attack on the RNG based on knowing a bunch of consecutive keys, but this hack is far simpler and more general.
 
Upvote
2 (2 / 0)
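
The acceptance window described in the post above, and the bidirectional challenge-response alternative asked about earlier in the thread, modelled as an added example that is not part of any post or of any real fob's firmware. The HMAC-over-counter code generator, the class and function names and the 16-byte key are assumptions for illustration; real fobs use vendor-specific ciphers.

```python
import copy
import hashlib
import hmac
import os

WINDOW = 256  # look-ahead N; 256 is one of the figures guessed in the post above


def code_for(key: bytes, counter: int) -> bytes:
    """Assumed code generator: truncated HMAC-SHA256 over a 32-bit counter."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1  # steps by one per press, whether or not it is heard
        return code_for(self.key, self.counter)


class RollingReceiver:
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def receive(self, code: bytes) -> bool:
        # Accept any code from last+1 up to last+WINDOW, then move forward.
        for counter in range(self.last + 1, self.last + 1 + WINDOW):
            if hmac.compare_digest(code, code_for(self.key, counter)):
                self.last = counter  # this code and every older one is now dead
                return True
        return False


def withheld_code_lifetime() -> dict:
    """How long a code that never reached the receiver stays acceptable."""
    key = os.urandom(16)  # constructed sample key
    fob, rx = Fob(key), RollingReceiver(key)
    first = fob.press()   # transmission 1: does not reach the receiver
    second = fob.press()  # transmission 2: does not reach the receiver either
    result = {"forwarded_first_accepted": rx.receive(first)}
    result["first_again_accepted"] = rx.receive(first)

    idle = copy.copy(rx)  # branch A: the owner does not touch the fob again
    result["withheld_valid_while_owner_idle"] = idle.receive(second)

    active = copy.copy(rx)  # branch B: the owner's next press is heard normally
    active.receive(fob.press())
    result["withheld_valid_after_next_press"] = active.receive(second)
    return result


def respond(key: bytes, nonce: bytes) -> bytes:
    """Fob side of challenge-response: MAC over the receiver's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[:8]


class ChallengeReceiver:
    def __init__(self, key: bytes):
        self.key, self.pending = key, None

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)  # fresh nonce for every attempt
        return self.pending

    def verify(self, response: bytes) -> bool:
        nonce, self.pending = self.pending, None  # each nonce is single use
        if nonce is None:
            return False
        return hmac.compare_digest(response, respond(self.key, nonce))


def stored_response_vs_fresh_challenge() -> tuple:
    key = os.urandom(16)  # constructed sample key
    rx = ChallengeReceiver(key)
    stored = respond(key, rx.challenge())  # answer to an old challenge, kept back
    rx.challenge()                         # receiver has since issued a new nonce
    stale_ok = rx.verify(stored)           # bound to the old nonce, so rejected
    live_ok = rx.verify(respond(key, rx.challenge()))
    return stale_ok, live_ok


if __name__ == "__main__":
    print(withheld_code_lifetime())
    print(stored_response_vs_fresh_challenge())
```

The two branches reproduce the disagreement in the thread: the withheld code is accepted only until the receiver hears any later code from the fob, while a response tied to a receiver-issued nonce has no such waiting period to exploit.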

THavoc

Ars Legatus Legionis
30,401
Dilbert said:

So wouldn't this make it a more serious issue the manufacturers will have to address?
They don't know how to. Entire wifi industry got their heads together and came up with..... WEP. We all know how that turned out. Besides it isn't a widespread problem yet. Actually it is, but not much media/news coverage so it isn't in the public's psyche. As soon as it becomes A Thing Everyone's Aware Of (not a problem until that happens, right? :facepalm: ) then the manufacturers will "secure" their wireless. But it won't really be secure.

Agreed.

However, if what people here are saying is true and it's very simple (now) to get one of these devices, doesn't that raise the warning level to a point where they have to address the problem?
 
Upvote
3 (4 / -1)

Natt

Ars Tribunus Militum
2,598
chanman819 said:
Modern Major General Thanatos said:
Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.

Well, you'd still have to get past the ignition, immobilizer and other anti-theft devices. I think a much more likely (ab)use case is in a high-end shopping area during say... Black Friday (US) or Boxing Day (Canada). Wait until someone drops off their purchases, intercept their keyless signal, and lift a new Coach bag or whatever overpriced designer goods are valuable this year.

A "RollJam" will pair nicely with this technique to drive the car off. ;)

http://www.carthrottle.com/post/gangs-a ... ry-system/

London has a problem. Gangs are using key-programming devices to create duplicate keys for a number of high-end vehicles, allowing them to gain entry to the vehicle and simply drive away.

Last year the technique was responsible for 6000 car and van thefts, which works out as an average of 17 vehicles every day. In fact, 42 per cent of all cars stolen in London were moved without the car’s keys.

One of the most common thefts involves criminals breaking a window on the car, plugging a device into the car’s OBD port and downloading the vehicle’s information to a blank key. That key is then paired with that car, allowing the thieves to turn the engine on and drive away. The devices are easy to obtain, as they’re used by legitimate mechanics for routine repairs and servicing.
 
Upvote
18 (18 / 0)
wb said:
Modern Major General Thanatos said:
sprockkets said:
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?

Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.

I don't know about you, but I lock my car whenever I get out. In such a use case, this presumes the car has not moved since it was parked, or else the stored code would have already been used.

If you catch someone unlocking their car, you can unlock it later. Whether they lock it is immaterial, right? In a parking lot, that's not the greatest opportunity, but people do unlock their car without driving off. You could also follow them to where they go next.

Edit: if the rolling unlock code is invalidated when you lock, there would be no use case at all, so why is this even a thing? Maybe you have to buffer some lock codes as well.
 
Upvote
-9 (1 / -10)

sryan2k1

Ars Legatus Legionis
46,569
Subscriptor++
Dachannien said:
How much bigger would the key fob have to be in order to implement a bidirectional challenge-response system?


No larger. Vehicles that use RFID keys to start them (push to start) use a challenge/response system (which is different than what pressing the unlock button on them does).

A good example is VW keys. The RFID and non-RFID keys are identically sized, and look almost identical.
 
Upvote
7 (7 / 0)

sryan2k1

Ars Legatus Legionis
46,569
Subscriptor++
Seriously, she had to have the fire department break into her car.


Or they could have towed it to a dealer or other lockshop that could have unlocked it.


I'm sure emergency services could use a device like this - cheaper than the Jaws of Life and does much less damage to the car.

Nope, because this device relies on stealing an unused unlock code out of the air, and the next time the vehicle is unlocked that stored code becomes useless.
 
Upvote
8 (8 / 0)

pqr

Ars Scholae Palatinae
1,261
rick*d said:
Sure coulda used one of these when my wife locked her keys in the car...

Seriously, she had to have the fire department break into her car. I'm sure emergency services could use a device like this - cheaper than the Jaws of Life and does much less damage to the car.

You need a working key for this (to record), so it wouldn't help - if you had the key you'd just use it. All that happens here is someone else effectively 'using' that key instead of the owner.
 
Upvote
7 (7 / 0)

rick*d

Ars Legatus Legionis
10,855
sryan2k1 said:
Seriously, she had to have the fire department break into her car.


Or they could have towed it to a dealer or other lockshop that could have unlocked it.


I'm sure emergency services could use a device like this - cheaper than the Jaws of Life and does much less damage to the car.

Nope, because this device relies on stealing an unused unlock code out of the air, and the next time the vehicle is unlocked that stored code becomes useless.
Not where she was. It would have been cheaper for her to take a cab back to the hotel (except there was no cab in that town) and wait for me to drive six hours to bring her my spare key. It was such a podunk little burg that the fire department welcomed the opportunity to help, as it gave them something to do that afternoon. They're probably still talking about it, three months later.
 
Upvote
-9 (0 / -9)

LrdDimwit

Ars Scholae Palatinae
867
total.wimp said:
A new fob for my car costs close to $200. This is $30. Hmmm...
Except that this thing works by stealing codes from a legitimate fob using a replay attack. If you haven't got a legit key fob to generate valid codes, this thing is useless. So no, you can't save yourself $170. It also means that in order to use this attack, you have to physically shadow the person whose garage you want to break into (to get the code); you can't just roll up when they're gone, and bust in.
 
Upvote
2 (6 / -4)