Meet RollJam, the $30 device that jimmies car and garage doors


Metaluna

Ars Scholae Palatinae
1,229
DCRoss said:
Modern Major General Thanatos said:
sprockkets said:
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?

Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.

Close, but next day may be a bit much. As I understand it this attack only stores a one-time use code so it will be invalidated the next time the real owner unlocks the door.

Try waiting in a parking lot, watch for someone leaving their car and locking it as they walk away, and then opening the door again after they are gone.

Since the most common use case would be recording someone locking their door, then using the stored code to unlock, it seems to me that one mitigation might be to have separate one-time use codes for each function. So stealing a lock code would be useless for unlocking and vice versa. Then, whenever any valid code is received, you update all the one-time codes, e.g. if you lock the car, the unlock code also gets updated. This covers the case of recording someone unlocking their car, then following them home and unlocking it again, since they would still have invalidated the unlock code when they locked the car at home.

Of course, that all requires a new implementation, so is useless for the millions of existing locks. As someone else mentioned, if they gave a crap they would have fixed this years ago anyway. They're also somewhat power limited so maybe more sophisticated methods aren't possible when you have to run for years on a single coin cell.
 

Dilbert

Ars Legatus Legionis
34,009
greatn said:
Could something like this be used against my keyfob to my home security system?
Oh yes. For home security/automation, I strongly recommend using a wifi solution, and control the system from your smartphone*. Just secure the wifi, and keep that wifi WAP and all the home automation devices on a separate network with no internet connection and no connection to your computers either. Easily done with a proper switch/router with VLAN ability and a proper WAP capable of broadcasting two completely separate SSIDs.

*Edit: that smartphone or whatever device you are using to control the system, that then becomes a weak point because for convenience's sake it will most likely be connected to the internet. Best if a walled garden device is used, one that requires signed code. That's much harder, but not impossible!, to hack.
 
Dilbert said:
greatn said:
Could something like this be used against my keyfob to my home security system?
Oh yes. For home security/automation, I strongly recommend using a wifi solution, and control the system from your smartphone*. Just secure the wifi, and keep that wifi WAP and all the home automation devices on a separate network with no internet connection and no connection to your computers either. Easily done with a proper switch/router with VLAN ability and a proper WAP capable of broadcasting two completely separate SSIDs.

*Edit: that smartphone or whatever device you are using to control the system, that then becomes a weak point because for convenience's sake it will most likely be connected to the internet. Best if a walled garden device is used, one that requires signed code. That's much harder, but not impossible!, to hack.

Hrmm, maybe I should just use the keypad. I do have an app on my phone, but I don't know how secure my wi-fi truly is.
 
greatn said:
Dilbert said:
greatn said:
Could something like this be used against my keyfob to my home security system?
Oh yes. For home security/automation, I strongly recommend using a wifi solution, and control the system from your smartphone*. Just secure the wifi, and keep that wifi WAP and all the home automation devices on a separate network with no internet connection and no connection to your computers either. Easily done with a proper switch/router with VLAN ability and a proper WAP capable of broadcasting two completely separate SSIDs.

*Edit: that smartphone or whatever device you are using to control the system, that then becomes a weak point because for convenience's sake it will most likely be connected to the internet. Best if a walled garden device is used, one that requires signed code. That's much harder, but not impossible!, to hack.

Hrmm, maybe I should just use the keypad. I do have an app on my phone, but I don't know how secure my wi-fi truly is.
Well, with Windows 10's wifi password sharing, it isn't.
 

leebert

Ars Centurion
244
Subscriptor++
Dilbert said:
My car is from 1938 (okay not really) and hasn't got keyless.

The garage door does and it's very very easy to hack into. When I haven't got anything better to do, I'll make my own wireless for the garage door. The interface between the motor and the radio receiver is dead simple. Just three inputs: positive, common ground/negative, and receiver signal. Need to sniff out what the receiver signal is (just a voltage pulse in all likelihood), replicate it, and then make my own wireless receiver. Probably Arduino with a Bluetooth or wifi module but open to suggestions? The garage motor won't know or care what I do with the radio receiver, as long as that 'open sesame' signal remains the same.

Check this out: http://lowpowerlab.com/garagemote/

This guy has a bunch of neat home-automation hacks he's put together with his Arduino/wireless clone. He has them all feeding a Raspberry Pi webserver and controls all kinds of different stuff from there via a webpage. There are a lot of similar projects at any of the multitude of maker/hacker-space sites.

I know my garage opener (older model LiftMaster) has a way you can lock out the radio remotes from the keypad, like if you're going on vacation, so it can only be opened by the wired buttons. Could do that after wiring up your own wireless receiver to effectively disable your old remotes.
 

mogbert

Ars Legatus Legionis
10,154
Arg, I'm guessing I'm just old fashioned. I like the idea of a piece of metal with a difficult to copy series of indentations. While house keys appear to be subject to bumping, car keys are made differently and I suspect not so bumpable. Or possibly some sort of physical connection between the key and the car so that an antenna can't pull it down?

Wouldn't pressing the button a third time invalidate the previously stored code? I guess if you had to press the button twice and you don't think you should have needed to, you can always press it again to be sure and invalidate earlier codes.
 

G-Force

Seniorius Lurkius
24
rick*d said:
Sure coulda used one of these when my wife locked her keys in the car...

Seriously, she had to have the fire department break into her car. I'm sure emergency services could use a device like this - cheaper than the Jaws of Life and does much less damage to the car.

Without the key, she couldn't have hit the fob to trigger the intercept and perform this hack. This can only work if you (or someone in range) actually has the fob.
 

pqr

Ars Scholae Palatinae
1,261
Metaluna said:
DCRoss said:
Modern Major General Thanatos said:
sprockkets said:
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?

Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.

Close, but next day may be a bit much. As I understand it this attack only stores a one-time use code so it will be invalidated the next time the real owner unlocks the door.

Try waiting in a parking lot, watch for someone leaving their car and locking it as they walk away, and then opening the door again after they are gone.

Since the most common use case would be recording someone locking their door, then using the stored code to unlock, it seems to me that one mitigation might be to have separate one-time use codes for each function. So stealing a lock code would be useless for unlocking and vice versa. Then, whenever any valid code is received, you update all the one-time codes, e.g. if you lock the car, the unlock code also gets updated. This covers the case of recording someone unlocking their car, then following them home and unlocking it again, since they would still have invalidated the unlock code when they locked the car at home.

Of course, that all requires a new implementation, so is useless for the millions of existing locks. As someone else mentioned, if they gave a crap they would have fixed this years ago anyway. They're also somewhat power limited so maybe more sophisticated methods aren't possible when you have to run for years on a single coin cell.

In the simple case I know of, there is no real communication to the fob (except at installation). The fob keeps going through its sequence one by one irrespective of what the rest of the world is doing. The car is somewhat more intelligent in that it checks against the next N keys and, if it finds a match, jumps ahead to that one in its sequence. But yes, having separate sequences for open and close would prevent someone from jamming/recording the close sequence and using it to open the car later. So standard parking + locking would be fine. They'd have to catch you opening, starting, follow as you drive and then steal the car after you park again. But you're screwed if you open the car just to drop something into it and walk on (common in big cities).
 
Deleted member 270259

Guest
mogbert said:
Arg, I'm guessing I'm just old fashioned. I like the idea of a piece of metal with a difficult to copy series of indentations. While house keys appear to be subject to bumping, car keys are made differently and I suspect not so bumpable. Or possibly some sort of physical connection between the key and the car so that an antenna can't pull it down?

Wouldn't pressing the button a third time invalidate the previously stored code? I guess if you had to press the button twice and you don't think you should have needed to, you can always press it again to be sure and invalidate earlier codes.
Unfortunately, those indentations aren't difficult to copy. Recreating keys based on photos isn't particularly new tech - UC San Diego demonstrated it at 200 feet 7 years ago, and apparently there are now handy web apps (though I haven't investigated them much) that will do the same thing for you. Given that consumer cameras have been getting better over time as well, I'd expect the envelope for such an attack has increased by a meaningful amount. Something like a Nikon P900 isn't terribly expensive, has ginormous zoom, and would give good enough results from a long distance indeed.

Also, there are "jigglers" or "try out keys" for most makes of cars, which might not be quite as simple or easy as a bump key but tend to be a lot faster and easier than just straight picking would be. In fact, if you have a little spare time and a little dexterity, I'd suggest you give lockpicking as a hobby a try - even if you don't take to it, it's enlightening, and a little frightening, to see just how easy many common locks are to bypass. Those slivers of metal we like to rely on aren't as secure as we might want to think.
 

Andara

Ars Legatus Legionis
14,123
Subscriptor++
sprockkets said:
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?
The basic idea is that the thief is present when the owner clicks their fob. The receiver is blocked and the first code is stolen by the device and never received by the car/garage door, so the owner clicks a second time. The second code is likewise stolen by the device which then unblocks the receiver and sends the first code, which is still valid, and the owner stops clicking, leaving the second, still-stolen code valid for use on the next click.

This will work for cars that people are locking, but if they're getting in, they're likely going to be clicking again when they get out, and thus invalidating the stolen code. But it's pretty much universally useful for garage doors, since the thief can hit after the owner has left the premises. This is a much, much bigger issue than the car one, though a person could hide out in the back and carjack you later. o_O

In the car scenario, the places they're likely going to try this are things like gas stations, convenience stores, and fast food joints that have a high volume of constant traffic to choose from.

total.wimp said:
A new fob for my car costs close to $200. This is $30. Hmmm...
If you don't have the fob for the device to cadge codes from, the device is useless.

skizzerz said:
Except wouldn't the stored code just lock the car again?
No. The code is an access code. The actual command is separate.

When you press your fob button, it's telling the receiver, "Hey, I'm legit, here's my access code, execute $function" as two separate items strung together. The access code it sends will be the same regardless of which function you tell it to execute.

sryan2k1 said:
No larger. Vehicles that use RFID keys to start them (push to start) use a challenge/response system (which is different than what pressing the unlock button on them does).

A good example is VW keys. The RFID and non-RFID keys are identically sized, and look almost identical.
I have a new car with the push-to-start option that also has push-button lock/unlock in the doors, which we use pretty much exclusively (bonus: no fob code to steal). The fob with the tech in it also comes with a chipped key that is no larger than any other key I've ever had (and actually slots into the back of the fob for if the fob stops working, like this).

greatn said:
Could something like this be used against my keyfob to my home security system?
If your home security uses simple rolling codes, then yes.

If your system uses challenge/response, then no.

Aelix said:
Possibly stupid question -- how does it capture the first code, if it's jamming the receiver at the same time?
Because it's jamming the device set to receive the code, not the one sending the code it subsequently steals.

mogbert said:
Arg, I'm guessing I'm just old fashioned. I like the idea of a piece of metal with a difficult to copy series of indentations. While house keys appear to be subject to bumping, car keys are made differently and I suspect not so bumpable.
Yeah, but there are only X# of different keys for each model, often used across quite a few years.

My ex once got into someone else's Chrysler LeBaron because of that. Apparently at the time, Chrysler only had 7 different key variations for that line.
 

Chuckstar

Ars Legatus Legionis
37,479
Subscriptor
Andara said:
My ex once got into someone else's Chrysler LeBaron because of that. Apparently at the time, Chrysler only had 7 different key variations for that line.
I'd be shocked if it were true that Chrysler only used 7 combinations. More likely Chrysler used cheap locks that wear out. If the lock mechanism is worn enough, just about any key will work.
 

Skelator123

Ars Scholae Palatinae
1,187
THavoc said:
Natt said:
THavoc said:
So, I wonder if there will be some update / patch for something like this in the near future?

Seems too big of a threat to ignore.
This is hardly the first device to exploit such keyless entry technologies. In London the majority of car break-ins and thefts have used this method for years now.

So why is this news then?

If it's been done before, what makes this one different?
I believe this is the first hardware to really be publicly disclosed, along with the actual mechanism for the attack.
And there are still a lot of people and companies who try to claim such devices don't, and can't really exist.
 

SiberX

Ars Scholae Palatinae
1,279
Subscriptor++
Andara said:
Aelix said:
Possibly stupid question -- how does it capture the first code, if it's jamming the receiver at the same time?
Because it's jamming the device set to receive the code, not the one sending the code it subsequently steals.
This doesn't make sense to me. There's only a single frequency at play here, and your RollJam device will need to transmit a powerful signal on the fob's frequency to prevent the receiver from detecting the legitimate transmitter. Unless your jamming antenna is highly directional, this will make it very hard for your jamming device to (itself) hear the original code, so it won't know what to replay after the transmitter attempts to send a second (new) code that you're trying to steal (and will also be attempting to jam)

Sequence:
1. Receiver is listening for Code A
2. RollJam is jamming the fob frequency, while somehow simultaneously listening on the same frequency
3. Transmitter transmits Code A, which fails to unlock the door because of jamming. RollJam stores this code
4. Legitimate user re-presses fob button, transmitting Code B (which is also jammed and fails to open door). RollJam stores this code as well (having somehow received it through the jamming), then immediately disables jammer and replays Code A which unlocks the door (to the user, their fob just "worked")
5. RollJam now possesses the unused Code B (next in sequence) which it can transmit at a later time to unlock the door

Edit: I just thought of one possibility: Since the legitimate fob and receiver are probably very cheap, they likely have very poor frequency selectivity and wide filters. It might be possible for your jammer to transmit a strong signal slightly below/above the center frequency of the keyless system such that the receiver's RF front-end is saturated and hears nothing. Then, by having a much better/sharper filter on your RollJam's receiver you should be able to filter out your own jamming signal and still detect the fob.
 

pqr

Ars Scholae Palatinae
1,261
SiberX said:
Andara said:
Aelix said:
Possibly stupid question -- how does it capture the first code, if it's jamming the receiver at the same time?
Because it's jamming the device set to receive the code, not the one sending the code it subsequently steals.
This doesn't make sense to me. There's only a single frequency at play here, and your RollJam device will need to transmit a powerful signal on the fob's frequency to prevent the receiver from detecting the legitimate transmitter. Unless your jamming antenna is highly directional, this will make it very hard for your jamming device to (itself) hear the original code, so it won't know what to replay after the transmitter attempts to send a second (new) code that you're trying to steal (and will also be attempting to jam)

Sequence:
1. Receiver is listening for Code A
2. RollJam is jamming the fob frequency, while somehow simultaneously listening on the same frequency
3. Transmitter transmits Code A, which fails to unlock the door because of jamming. RollJam stores this code
4. Legitimate user re-presses fob button, transmitting Code B (which is also jammed and fails to open door). RollJam stores this code as well (having somehow received it through the jamming), then immediately disables jammer and replays Code A which unlocks the door (to the user, their fob just "worked")
5. RollJam now possesses the unused Code B (next in sequence) which it can transmit at a later time to unlock the door

Edit: I just thought of one possibility: Since the legitimate fob and receiver are probably very cheap, they likely have very poor frequency selectivity and wide filters. It might be possible for your jammer to transmit a strong signal slightly below/above the center frequency of the keyless system such that the receiver's RF front-end is saturated and hears nothing. Then, by having a much better/sharper filter on your RollJam's receiver you should be able to filter out your own jamming signal and still detect the fob.

Meanwhile I thought of another one. Since you know your jamming signal, you can just subtract it out from the observed one and get the real signal. Of course you must account for distortions and time delay in signal propagation and the measurement itself, but you can calibrate that by running only the jammer (no fob at all).
 

bamn

Ars Praetorian
550
Andara said:
The basic idea is that the thief is present when the owner clicks their fob. The receiver is blocked and the first code is stolen by the device and never received by the car/garage door, so the owner clicks a second time. The second code is likewise stolen by the device which then unblocks the receiver and sends the first code, which is still valid, and the owner stops clicking, leaving the second, still-stolen code valid for use on the next click.
The clever bastards!

I've long known about this 'rolling code' implementation of keyless entry and garage openers, and thought it was pretty solid when enough bits were used in the key and given a robust implementation of truly unpredictable pseudorandom numbers (and a secure way of seeding them in tandem). This attack never occurred to me. I love how security researchers come up with this stuff - they are wickedly intelligent people.

Unfortunately, this is going to be tough to fix. The form factor and battery requirements of these fobs may very well pose a challenge to implementing more advanced two-way handshakes or other techniques that could mitigate the risk. And even where improvements can be made, hundreds of millions of vulnerable fobs are in people's pockets all around the world, including in my own.
 

pqr

Ars Scholae Palatinae
1,261
bamn said:
Andara said:
The basic idea is that the thief is present when the owner clicks their fob. The receiver is blocked and the first code is stolen by the device and never received by the car/garage door, so the owner clicks a second time. The second code is likewise stolen by the device which then unblocks the receiver and sends the first code, which is still valid, and the owner stops clicking, leaving the second, still-stolen code valid for use on the next click.
The clever bastards!

I've long known about this 'rolling code' implementation of keyless entry and garage openers, and thought it was pretty solid when enough bits were used in the key and given a robust implementation of truly unpredictable pseudorandom numbers (and a secure way of seeding them in tandem). This attack never occurred to me. I love how security researchers come up with this stuff - they are wickedly intelligent people.

Unfortunately, this is going to be tough to fix. The form factor and battery requirements of these fobs may very well pose a challenge to implementing more advanced two-way handshakes or other techniques that could mitigate the risk. And even where improvements can be made, hundreds of millions of vulnerable fobs are in people's pockets all around the world, including in my own.

If you're really paranoid (some might say realistic ;) ) then whenever your fob fails to work right away you should expect such an attack is happening and just drive away and park elsewhere. The garage door is harder to fix unless fob reprogramming could be done via cable (and not over the air). Maybe just walk back to the house and disable it completely.
 

Jeremy W

Ars Scholae Palatinae
861
pqr said:
bamn said:
Andara said:
The basic idea is that the thief is present when the owner clicks their fob. The receiver is blocked and the first code is stolen by the device and never received by the car/garage door, so the owner clicks a second time. The second code is likewise stolen by the device which then unblocks the receiver and sends the first code, which is still valid, and the owner stops clicking, leaving the second, still-stolen code valid for use on the next click.
The clever bastards!

I've long known about this 'rolling code' implementation of keyless entry and garage openers, and thought it was pretty solid when enough bits were used in the key and given a robust implementation of truly unpredictable pseudorandom numbers (and a secure way of seeding them in tandem). This attack never occurred to me. I love how security researchers come up with this stuff - they are wickedly intelligent people.

Unfortunately, this is going to be tough to fix. The form factor and battery requirements of these fobs may very well pose a challenge to implementing more advanced two-way handshakes or other techniques that could mitigate the risk. And even where improvements can be made, hundreds of millions of vulnerable fobs are in people's pockets all around the world, including in my own.

If you're really paranoid (some might say realistic ;) ) then whenever your fob fails to work right away you should expect such an attack is happening and just drive away and park elsewhere.
Or just hit the button a bunch of times, which will invalidate the code that was stolen.
 

pqr

Ars Scholae Palatinae
1,261
Jeremy W said:
pqr said:
bamn said:
Andara said:
The basic idea is that the thief is present when the owner clicks their fob. The receiver is blocked and the first code is stolen by the device and never received by the car/garage door, so the owner clicks a second time. The second code is likewise stolen by the device which then unblocks the receiver and sends the first code, which is still valid, and the owner stops clicking, leaving the second, still-stolen code valid for use on the next click.
The clever bastards!

I've long known about this 'rolling code' implementation of keyless entry and garage openers, and thought it was pretty solid when enough bits were used in the key and given a robust implementation of truly unpredictable pseudorandom numbers (and a secure way of seeding them in tandem). This attack never occurred to me. I love how security researchers come up with this stuff - they are wickedly intelligent people.

Unfortunately, this is going to be tough to fix. The form factor and battery requirements of these fobs may very well pose a challenge to implementing more advanced two-way handshakes or other techniques that could mitigate the risk. And even where improvements can be made, hundreds of millions of vulnerable fobs are in people's pockets all around the world, including in my own.

If you're really paranoid (some might say realistic ;) ) then whenever your fob fails to work right away you should expect such an attack is happening and just drive away and park elsewhere.
Or just hit the button a bunch of times, which will invalidate the code that was stolen.

But if the device is done right then it will keep jamming, while caching the last request and resending the previous one, no matter how many times the fob is activated. So it will always have one as-yet-unused code.
 
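The points made across the thread (Andara: the access code is the same whichever button is pressed; pqr: the receiver resyncs to any code within its look-ahead window, and a device that keeps withholding the newest code is not beaten by extra presses; Metaluna: bind codes to the function and advance every code on any valid press), modelled as an added example that is not part of the thread or of RollJam. The HMAC-based codes, the 16-code window, the shared secret and the lock/unlock state machine are constructed stand-ins for a real fob and receiver.

```python
import hashlib
import hmac
from typing import Optional, Tuple

WINDOW = 16                               # receiver resync look-ahead (assumed value)
SECRET = b"constructed-demo-secret"       # shared fob/receiver secret (constructed)


def rolling_code(secret: bytes, counter: int, function: Optional[str]) -> str:
    """Toy code for one counter value. In the hardened design the button pressed is
    mixed in, so a 'lock' code can never verify as an 'unlock' code."""
    msg = f"{function or '*'}:{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class Fob:
    def __init__(self, bind_function: bool):
        self.bind_function = bind_function
        self.counter = 0

    def press(self, function: str) -> Tuple[str, str]:
        """One button press -> (function, access code). The counter advances per press."""
        fn = function if self.bind_function else None
        code = rolling_code(SECRET, self.counter, fn)
        self.counter += 1
        return function, code


class Receiver:
    def __init__(self, bind_function: bool):
        self.bind_function = bind_function
        self.expected = 0          # next counter value the car is waiting for
        self.state = "locked"

    def accept(self, function: str, code: str) -> bool:
        """Accept any code within the next WINDOW counters and jump ahead to it.
        Any accepted message advances the single shared counter, so every older
        code (for any function) is invalidated at once."""
        fn = function if self.bind_function else None
        for k in range(self.expected, self.expected + WINDOW):
            if hmac.compare_digest(rolling_code(SECRET, k, fn), code):
                self.expected = k + 1
                self.state = "unlocked" if function == "unlock" else "locked"
                return True
        return False


def blocked_presses(fob: Fob, car: Receiver, function: str, presses: int) -> Tuple[str, str]:
    """Owner presses `function` `presses` times while the car hears none of them.
    Each press after the first is answered by replaying the previous one, so the
    owner sees the button 'work'; the newest message is withheld and returned."""
    recorded = [fob.press(function) for _ in range(presses)]
    for older in recorded[:-1]:
        assert car.accept(*older), "replayed older code must still be in the window"
    return recorded[-1]


def lock_code_reused_as_unlock(bind_function: bool, presses: int = 3) -> bool:
    """Common case from the thread: owner locks in a parking lot and walks away.
    Returns True if the withheld lock code later opens the car when sent as 'unlock'."""
    fob, car = Fob(bind_function), Receiver(bind_function)
    _, withheld_code = blocked_presses(fob, car, "lock", presses)
    assert car.state == "locked"
    return car.accept("unlock", withheld_code)


def withheld_unlock_code_works(bind_function: bool, owner_uses_fob_again: bool) -> bool:
    """Owner unlocks (blocked, newest press withheld), then either locks up again
    later or just drops something in and walks on. Returns whether the withheld
    unlock code is still accepted afterwards."""
    fob, car = Fob(bind_function), Receiver(bind_function)
    withheld = blocked_presses(fob, car, "unlock", 2)
    if owner_uses_fob_again:
        assert car.accept(*fob.press("lock"))   # any valid press moves the counter on
    return car.accept(*withheld)


if __name__ == "__main__":
    print("legacy, lock code sent as unlock   :", lock_code_reused_as_unlock(False))
    print("hardened, lock code sent as unlock :", lock_code_reused_as_unlock(True))
    print("hardened, withheld unlock, fob used again:", withheld_unlock_code_works(True, True))
    print("hardened, withheld unlock, fob not used  :", withheld_unlock_code_works(True, False))
```

The last case is the residual risk pqr raises: binding codes to the function stops a recorded lock from opening the car, but a withheld unlock stays valid until the owner's next accepted press, whatever `presses` is.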
Every electronic device, smart or dumb, expensive or just a cheapie, shares one common weakness. To make a long story short, they all need some sort of power supply to function properly.

When its power supplies got cut off, they are dead. To defeated the car thieves from Scrowing you off by using one of these high tech gadget one such as this one mentioning in this article, the most simple and cheapest way to protect your personal properties from thieves is to cut off the power source to your devices.

A simple "relay" that only costs you around $3 at your local hardware store will do just fine.

Get under the daskboard, unscrewed the panel underneath, look for the power line, likely it is the red wire out of the alarm. Connected the red and the white wire to the relay and have the wires run through the panel between the motor and your car interior.

Have those two wires connected to a on/off switch that hide under the hood of your car, or have it hide somewhere else that won't be too noticeable to the car thief that set nearby at the parking garage and watching every single movement of yours and when you reach over to the switch by hand he would not think of you have something more up your sleeves.

You activated your alarm. The alarm is on. The care thief got your code. He was smiling. "Dumb ass.."

You walked around your car and pretenting you are to check up your parking skill "Son of a gun, it's a prefect parking. I am getting better and better every day..." While you were talking to youself like you are some kind of a weird dude. You quickly reach over to the switch and turned the sucker to an off position.

The alarm is now a sitting dead duck without any power source from nowhere. And now, no matter how many times the car chief push his button it will not do a thing. Your car is still yours when you got back.

As for the garage door opener... I do have an idea too, and that is to have a remote on/off desk-top lamp switch you can get one from your local hardware store that cost you less than $10 USD.

What this gadget does is for you to plug that power plug to the wall outlet located on your ceiling 2 feet above your door opener and plug the door opener power to the remote lamp switch. Now the lamp switch is in between your door opener and the outlet on the ceiling.

You got out of your garage. You closed your door. You then shut off the lamp switch through the remote controller provided with the unit. Now, the garage opener is a sitting dead duck also. It won't do nothing until you remotely turned on the lamp switch from outside of the garage before you push the remote door opener. Just don't let the guy who has been sitting not far away from your house and watching know about this lamp switch then you will be okay.
 
Upvote
-8 (0 / -8)

AWilco

Wise, Aged Ars Veteran
148
Subscriptor++
iEvolution2 said (http://meincmagazine.com/civis/viewtopic.php?p=29524115#p29524115):
Every electronic, smart or dumb, expensive or just a cheapy, they all share one common weakness. To make the...

...ill be okay.

Welcome to security through obscurity. While an individual might make this work, you can't replicate it at even a small scale.

If you're certain you're good at security, designing your own is a very secure method. If you're not though, you'll almost certainly leave a hole bigger than the original threat. I suggest this would be one of the latter.
 
Upvote
5 (5 / 0)
I don't see anything wrong with cutting off the power sources. Matter of fact, an average person with little experience with electronics will get the job done.

I am more confident I could break a common security device such as this one than build one of my own. Breaking is always much easier than building. In my opinion. That's just me.

Edit: I didn't think of these ideas today. I have thought of this and have performed all types of security to keep myself and my family safe. My family owned houses (plural), one after another. Sold one home and used the money to buy ourselves another one, and also several of my family's cars have been broken into and sabotaged. I am speaking from my bad experiences.
 
Upvote
-2 (0 / -2)

slugabed

Ars Scholae Palatinae
1,386
Llampshade said (http://meincmagazine.com/civis/viewtopic.php?p=29519249#p29519249):
Quiet Desperation said (http://meincmagazine.com/civis/viewtopic.php?p=29519183#p29519183):
Sometimes I wonder what world we could have if all this cleverness was better focused.

Like, if this cleverness was focused on getting us less vulnerable technology in the first place? The problem with using this criticism against work like this is that it ignores the fact that there is already a great deal of motivation to perform the same work in secret. This guy not only figured out how to do this work, but let us know about it. There's a decent chance that this same work has already been done by someone else, but using it instead to sell to people wanting to break into cars and homes. Because we know that this can be done, we can try to mitigate the problem. If the same amount of effort and "cleverness" were applied to a problem set, we might not be working towards stopping people from breaking into cars and homes through one more mechanism.
So by your logic it's not actually this guy's responsibility not to produce burglar tools. So clever. By selling these car theft/burglary devices on the open market he's actually making us safer.

What a guy.

This guy not only figured out how to do this work, but let us know about it.
And letting me know about it protects me from his device somehow?
 
Upvote
-5 (0 / -5)

pqr

Ars Scholae Palatinae
1,261
slugabed said (http://meincmagazine.com/civis/viewtopic.php?p=29524215#p29524215):
Llampshade said (http://meincmagazine.com/civis/viewtopic.php?p=29519249#p29519249):
Quiet Desperation said (http://meincmagazine.com/civis/viewtopic.php?p=29519183#p29519183):
Sometimes I wonder what world we could have if all this cleverness was better focused.

Like, if this cleverness was focused on getting us less vulnerable technology in the first place? The problem with using this criticism against work like this is that it ignores the fact that there is already a great deal of motivation to perform the same work in secret. This guy not only figured out how to do this work, but let us know about it. There's a decent chance that this same work has already been done by someone else, but using it instead to sell to people wanting to break into cars and homes. Because we know that this can be done, we can try to mitigate the problem. If the same amount of effort and "cleverness" were applied to a problem set, we might not be working towards stopping people from breaking into cars and homes through one more mechanism.
So by your logic it's not actually this guy's responsibility not to produce burglar tools. So clever. By selling these car theft/burglary devices on the open market he's actually making us safer.

What a guy.

This guy not only figured out how to do this work, but let us know about it.
And letting me know about it protects me from his device somehow?

First of all, he isn't selling such a device but only demonstrated that one can build one, and how.

Second, now you have many new options if you find that your garage opener is vulnerable. Such as

- discontinue using it. One minute of manual open/close is a small price to pay for not having your house burglarized.

- find a model that's not vulnerable and install that one.

- complain to your garage door's manufacturer about their lousy security. Usually nothing is accomplished that way except you may feel better. But if many people complain they may come up with a safer model later or might even recall your current model (or go out of business).

- design your own workaround and use that one. Or have some friend do so for you. If you can't, don't worry; now that the problem is known some people will fix it anyway and post their solutions on the WWW, for free!, just like this guy did with the problem.

- if your house is burglarized with no sign of entry, now you know what might've happened. Handy if the insurance company balks at paying (no forced entry etc). They never like paying, by the way, so having good arguments is pretty useful when dealing with them.

- etc etc
 
Upvote
3 (4 / -1)

theSeb

Ars Praefectus
4,505
Subscriptor
rick*d said (http://arstechnica.co.uk/civis/viewtopic.php?p=29519921#p29519921):
Sure coulda used one of these when my wife locked her keys in the car...

Seriously, she had to have the fire department break into her car. I'm sure emergency services could use a device like this - cheaper than the Jaws of Life and does much less damage to the car.
Next time just find a decent locksmith. The ones I've used have managed to break into cars in less than 30 seconds. A long time ago I had issues with the immobiliser in my car and it would not turn off one evening, so I could not drive home.

I managed to find somebody that found it and bypassed it and put all of the panels back together in under 10 minutes. I asked him how long it would take if "he was in a hurry". He reckoned he could do it in about 2 minutes.
 
Upvote
2 (2 / 0)

Chuckstar

Ars Legatus Legionis
37,479
Subscriptor
SiberX said (http://meincmagazine.com/civis/viewtopic.php?p=29523097#p29523097):
Andara said (http://meincmagazine.com/civis/viewtopic.php?p=29522425#p29522425):
Aelix said (http://meincmagazine.com/civis/viewtopic.php?p=29520723#p29520723):
Possibly stupid question -- how does it capture the first code, if it's jamming the receiver at the same time?
Because it's jamming the device set to receive the code, not the one sending the code it subsequently steals.
This doesn't make sense to me. There's only a single frequency at play here, and your RollJam device will need to transmit a powerful signal on the fob's frequency to prevent the receiver from detecting the legitimate transmitter. Unless your jamming antenna is highly directional, this will make it very hard for your jamming device to (itself) hear the original code, so it won't know what to replay after the transmitter attempts to send a second (new) code that you're trying to steal (and will also be attempting to jam).

Sequence:
1. Receiver is listening for Code A
2. RollJam is jamming the fob frequency, while somehow simultaneously listening on the same frequency
3. Transmitter transmits Code A, which fails to unlock the door because of jamming. RollJam stores this code
4. Legitimate user re-presses fob button, transmitting Code B (which is also jammed and fails to open door). RollJam stores this code as well (having somehow received it through the jamming), then immediately disables jammer and replays Code A which unlocks the door (to the user, their fob just "worked")
5. RollJam now possesses the unused Code B (next in sequence) which it can transmit at a later time to unlock the door

Edit: I just thought of one possibility: Since the legitimate fob and receiver are probably very cheap, they likely have very poor frequency selectivity and wide filters. It might be possible for your jammer to transmit a strong signal slightly below/above the center frequency of the keyless system such that the receiver's RF front-end is saturated and hears nothing. Then, by having a much better/sharper filter on your RollJam's receiver you should be able to filter out your own jamming signal and still detect the fob.
You don't need to completely jam the channel. You just need to insert enough noise into the signal to confuse the receiver. Since you know what noise you're transmitting, you can subtract it off from the receiver. Or if that amount of noise would still swamp the original signal at your receiver, you could listen to the very beginning of the signal, find the timing of bits, and only insert noise between bits, stopping your transmission when you expect to receive the next bit.

EDIT: Actually, just thought of an even easier solution. You only need to flip a single bit in the signal, so wait until you detect a zero, then transmit a one. You should be able to transmit fast enough that the receiver sees it as a one, but you know it was zero. So the receiver ignores that code, and you received it in its entirety. The analog waveform for that one bit may look funnier than usual, but to a simple digital receiver that hasn't been designed to look for something like that, it should just show up as a one.

EDIT2: the added benefit of just flipping a single bit is that your jamming signal can be a rather short pulse, even short compared to the already short signal that a key fob sends. That means making a device for law enforcement that tries to detect RollJam's jamming signals would be that much more difficult.
 
Upvote
2 (2 / 0)

kakemoms

Wise, Aged Ars Veteran
106
Dachannien said (http://meincmagazine.com/civis/viewtopic.php?p=29519079#p29519079):
How much bigger would the key fob have to be in order to implement a bidirectional challenge-response system?

The igloo-nano FPGA is only 3*3mm:

http://www.microsemi.com/products/fpga- ... igloo-nano

So with proper programming you can do most things with the current key size (it's the battery and antenna that take most of the space). FPGAs are also better suited as the whole system can be updated as more advanced encryption schemes become developed (and cracked again...).
 
Upvote
1 (1 / 0)

marsilies

Ars Legatus Legionis
24,543
Subscriptor++
Aelix said (http://meincmagazine.com/civis/viewtopic.php?p=29520723#p29520723):
Possibly stupid question -- how does it capture the first code, if it's jamming the receiver at the same time?


From this article:
http://www.wired.com/2015/08/hackers-ti ... s-garages/
The first time the victim presses their key fob, RollJam “jams” the signal with a pair of cheap radios that send out noise on the two common frequencies used by cars and garage door openers. At the same time, the hacking device listens with a third radio—one that’s more finely tuned to pick up the fob’s signal than the actual intended receiver—and records the user’s wireless code.
So it jams the general frequencies, but its receiver is better at tuning into the specific signal. I'm betting it relies on car manufacturers using cheaper receivers since they're "good enough" to pick up the signal when there's no jamming.
 
Upvote
3 (3 / 0)
Modern Major General Thanatos said (http://meincmagazine.com/civis/viewtopic.php?p=29519231#p29519231):
Quiet Desperation said (http://meincmagazine.com/civis/viewtopic.php?p=29519183#p29519183):
Sometimes I wonder what world we could have if all this cleverness was better focused.

Looks well focused to me.

Better focused?
 
Upvote
-3 (0 / -3)
slugabed said (http://meincmagazine.com/civis/viewtopic.php?p=29524215#p29524215):
Llampshade said (http://meincmagazine.com/civis/viewtopic.php?p=29519249#p29519249):
Quiet Desperation said (http://meincmagazine.com/civis/viewtopic.php?p=29519183#p29519183):
Sometimes I wonder what world we could have if all this cleverness was better focused.

Like, if this cleverness was focused on getting us less vulnerable technology in the first place? The problem with using this criticism against work like this is that it ignores the fact that there is already a great deal of motivation to perform the same work in secret. This guy not only figured out how to do this work, but let us know about it. There's a decent chance that this same work has already been done by someone else, but using it instead to sell to people wanting to break into cars and homes. Because we know that this can be done, we can try to mitigate the problem. If the same amount of effort and "cleverness" were applied to a problem set, we might not be working towards stopping people from breaking into cars and homes through one more mechanism.
So by your logic it's not actually this guy's responsibility not to produce burglar tools. So clever. By selling these car theft/burglary devices on the open market he's actually making us safer.

What a guy.

This guy not only figured out how to do this work, but let us know about it.
And letting me know about it protects me from his device somehow?

Yep, that's exactly what it does. Two scenarios: the device exists and you don't know about it; the device exists and you do know about it. In which one of those scenarios are you more likely to be able to produce a mitigation? I guarantee you that someone else has already produced a similar device and didn't let any of us know.
 
Upvote
4 (4 / 0)

mmiller7

Ars Legatus Legionis
12,405
Dilbert said (http://meincmagazine.com/civis/viewtopic.php?p=29519223#p29519223):
My car is from 1938 (okay not really) and hasn't got keyless.

The garage door does and it's very very easy to hack into. When I haven't got anything better to do, I'll make my own wireless for the garage door. The interface between the motor and the radio receiver is dead simple. Just three inputs: positive, common ground/negative, and receiver signal. Need to sniff out what the receiver signal is (just a voltage pulse in all likelihood), replicate it, and then make my own wireless receiver. Probably Arduino with a Bluetooth or wifi module but open to suggestions? The garage motor won't know or care what I do with the radio receiver, as long as that 'open sesame' signal remains the same.
Don't even bother, just unhook the radio module...and put a relay on the button control. At least the ones we have are just a doorbell button which shorts the wires when pressed (like a real doorbell).
 
Upvote
1 (1 / 0)

mmiller7

Ars Legatus Legionis
12,405
Metaluna said (http://meincmagazine.com/civis/viewtopic.php?p=29520385#p29520385):
DCRoss said (http://meincmagazine.com/civis/viewtopic.php?p=29519181#p29519181):
Modern Major General Thanatos said (http://meincmagazine.com/civis/viewtopic.php?p=29519147#p29519147):
sprockkets said (http://meincmagazine.com/civis/viewtopic.php?p=29519121#p29519121):
"Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code."

Weird, sounds like a short window.

Problem is, it sounds like this happens when you go to unlock your car. You'd be physically present the whole time until later when you go to unlock or lock which then makes that newer code never used, useless.

Right?

Wrong.

Find car you want in a parking lot. Save code. Come back next day. Unlock car. Congrats, you have a car.

Close, but next day may be a bit much. As I understand it this attack only stores a one-time use code so it will be invalidated the next time the real owner unlocks the door.

Try waiting in a parking lot, watch for someone leaving their car and locking it as they walk away, and then opening the door again after they are gone.

Since the most common use case would be recording someone locking their door, then using the stored code to unlock, it seems to me that one mitigation might be to have separate one-time use codes for each function. So stealing a lock code would be useless for unlocking and vice versa. Then, whenever any valid code is received, you update all the one-time codes, e.g. if you lock the car, the unlock code also gets updated. This covers the case of recording someone unlocking their car, then following them home and unlocking it again, since they would still have invalidated the unlock code when they locked the car at home.

Of course, that all requires a new implementation, so is useless for the millions of existing locks. As someone else mentioned, if they gave a crap they would have fixed this years ago anyway. They're also somewhat power limited so maybe more sophisticated methods aren't possible when you have to run for years on a single coin cell.
Would it not have to be unique for lock and unlock?

Seems like that's already the case. If I'm unlocking my car, the number of presses determines if it unlocks the driver's door, all doors, or hatch. The number of times I press lock determines if it just locks or beeps and chirps. I can lock then unlock if I so desire (fun to mess with friends) or unlock then relock.

If they were the same code, it seems like you couldn't lock and unlock at will, you would always have to alternate which you do.
 
Upvote
0 (0 / 0)

Andara

Ars Legatus Legionis
14,123
Subscriptor++
bamn said (http://meincmagazine.com/civis/viewtopic.php?p=29523253#p29523253):
Unfortunately, this is going to be tough to fix. The form factor and battery requirements of these fobs may very well pose a challenge to implementing more advanced two-way handshakes or other techniques that could mitigate the risk. And even where improvements can be made, hundreds of millions of vulnerable fobs are in people's pockets all around the world, including in my own.
Thankfully, no. The keyless entry fobs for cars that include push button entry and start already use a challenge/response instead of the rolling code, and those aren't susceptible to this particular attack.

mmiller7 said (http://meincmagazine.com/civis/viewtopic.php?p=29528131#p29528131):
If they were the same code, it seems like you couldn't lock and unlock at will, you would always have to alternate which you do.
When you click your fob, it sends out a code that's a combination of authorization and action. What the action is depends on what button you press, but the authorization code is completely independent of that and will increment on every press.
 
Upvote
1 (1 / 0)
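As an added illustration (not code from this thread or from the RollJam project) of the two designs compared in the Metaluna/mmiller7 exchange and in Andara's reply above, here is a small Python model: a one-way rolling-code receiver with an acceptance window, where a recorded but never-delivered code stays valid until the owner's next press, beside a two-way challenge/response receiver, where a recorded reply is bound to a one-time nonce. The key, window size and HMAC construction are constructed assumptions, not any vendor's scheme.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed demo values; a real fob uses a vendor-specific cipher and key.
KEY = b"constructed-shared-secret"
WINDOW = 16  # rolling-code receivers accept counters a bit ahead of the last one seen


def rolling_code(counter: int, action: str) -> bytes:
    """Fob side of a rolling code: authorization covers only the counter; the action rides alongside."""
    auth = hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]
    return auth + action.encode()


class RollingReceiver:
    """One-way scheme: accept any unused counter in (last, last + WINDOW]."""

    def __init__(self) -> None:
        self.last = 0

    def accept(self, frame: bytes) -> bool:
        auth = frame[:4]
        for counter in range(self.last + 1, self.last + WINDOW + 1):
            if hmac.compare_digest(auth, rolling_code(counter, "")[:4]):
                self.last = counter  # advancing invalidates everything at or below it
                return True
        return False


def rolling_code_scenario() -> Tuple[bool, bool, bool]:
    """Timeline from the thread: two presses never reach the car, the earlier one is delivered late."""
    rx, fob_counter = RollingReceiver(), 1
    rx.accept(rolling_code(fob_counter, "lock"))  # an ordinary, undisturbed press
    fob_counter += 1
    code_a = rolling_code(fob_counter, "lock")  # press 1: receiver never hears it
    fob_counter += 1
    code_b = rolling_code(fob_counter, "lock")  # press 2: likewise unheard
    replayed_a = rx.accept(code_a)  # A delivered late: accepted, the owner sees nothing wrong
    later_b = rx.accept(code_b)  # B is still unused and inside the window: accepted
    fob_counter += 1
    rx.accept(rolling_code(fob_counter, "unlock"))  # the owner's next real press
    after_owner = rx.accept(code_b)  # B now lags the counter: rejected
    return replayed_a, later_b, after_owner


def fob_response(nonce: bytes, action: str) -> bytes:
    """Fob side of a challenge/response: the reply is bound to the receiver's nonce."""
    return hmac.new(KEY, nonce + action.encode(), hashlib.sha256).digest()


class ChallengeResponseReceiver:
    """Two-way scheme: each session starts with a fresh nonce that answers one reply."""

    def __init__(self) -> None:
        self.pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(8)
        return self.pending

    def accept(self, response: bytes, action: str) -> bool:
        if self.pending is None:
            return False
        expected = fob_response(self.pending, action)
        self.pending = None  # a nonce is consumed whether or not the reply matched
        return hmac.compare_digest(response, expected)


def challenge_response_scenario() -> Tuple[bool, bool]:
    """A recorded reply is useless later because the next session has a new nonce."""
    rx = ChallengeResponseReceiver()
    recorded = fob_response(rx.challenge(), "lock")  # observed on the air
    first = rx.accept(recorded, "lock")
    rx.challenge()  # next session
    replayed = rx.accept(recorded, "lock")
    return first, replayed
```

In the rolling-code model the stored code is only superseded by the owner's own next press, which is the window the thread discusses; in the challenge/response model a withheld reply simply matches a nonce that is never offered again.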
Dilbert said (http://meincmagazine.com/civis/viewtopic.php?p=29519241#p29519241):
total.wimp said (http://meincmagazine.com/civis/viewtopic.php?p=29519149#p29519149):
A new fob for my car costs close to $200. This is $30. Hmmm...
New fob for your car is really $0.2. The rest is dealer tax.
FTFY
 
Upvote
0 (0 / 0)
Aelix said (http://meincmagazine.com/civis/viewtopic.php?p=29520723#p29520723):
Possibly stupid question -- how does it capture the first code, if it's jamming the receiver at the same time?
That's what I wondered too. If the jammer TX is right next to the interception RX, there should be no way for the RX to capture the jammed code.
 
Upvote
0 (0 / 0)