There are many things that we trust implicitly, often on the simple idea that since something is everywhere, or many people use it, it must be safe. It’s hard not to do this, as few of us possess the knowledge and understanding of all the systems we use needed to establish explicit trust. Indeed it’s often the case that these systems are considered safe until a flaw is exposed in them, leading to a break in trust which must then be reestablished. One such system, the keyless entry fobs many of us have with our cars, has just proven itself to be vulnerable to attack, but it all could have been avoided with an incredibly simple change to the underlying code.

Keyless entry on your car relies on a fairly simple system for its operation. What happens when you press the unlock button is that a code is wirelessly transmitted from your fob to your car, unlocking the doors. Back in the early days the code that these fobs sent was unique and fixed which, whilst preventing one person’s fob from opening your car, meant it was incredibly simple to copy the code. This was then changed to the current standard of a “rolling code” which changes every time you press the key. This made straight up duplication impossible, as the same code is never used twice, however it opened it up to another, more subtle, attack.

Whilst the codes changed every time the one thing that the manufacturers of these systems didn’t do was invalidate codes that had already been used. This was primarily due to convenience as there’s every chance your fob got pressed when you weren’t in range of the car, burning a code. However the problem with this system is that should someone capture that code they could then use it to unlock your car at a later date. Indeed there had been many proof of concept systems developed to do this however the latest one, a $30 gadget called RollJam, takes the process to a whole new level.

The device consists of a receiver, transmitter and signal jammer. When the device is activated it will actively jam any wireless key entry signal, stopping it from reaching the car. Then, when a user presses their key fob to unlock their doors, it captures the code that was sent. This stops the doors from unlocking however nearly all users will simply press it again, sending another code. RollJam then transmits the first code to the car, unlocking the doors, whilst capturing the other code. The user can now enter their car and RollJam now has a code stored which it can use to gain access at a later date. The device appears to work on most major brands of vehicles with only a few of the more recent models being immune to the attack.

What amazes me is that such an attack could’ve easily been prevented by including an incremental counter in the key fob. Then when transmitting a code the fob also sends with it the current count, meaning that any code sent with a previous number is void. This can also be defeated by making the codes expire after some time which, I admit, is a little more difficult to implement but surely not beyond the capability of companies with billions of dollars in annual revenue. To their credit some companies have made headway in preventing such an attack however that won’t mean a lot for all the cars that are currently out there with systems that are susceptible to such an attack.
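The two checks described above (a counter that voids older codes, and codes that expire), modelled on the receiver side as an added example that is not from the original article or any manufacturer's firmware. The HMAC construction, field sizes, key and 30-second window are assumptions; the run replays the capture sequence from the RollJam paragraph to show which held-back codes each check rejects.

```python
import hmac, hashlib, struct

KEY = b"constructed-demo-key"   # constructed shared secret, not a real fob key
MAX_AGE = 30                    # assumed validity window in seconds

def fob_code(counter, now):
    """Code the fob transmits: counter and timestamp, authenticated with a MAC."""
    body = struct.pack(">QQ", counter, now)
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, expire):
        self.last_counter = 0
        self.expire = expire    # False: counter check only; True: counter + expiry

    def accept(self, code, now):
        body, tag = code[:16], code[16:]
        good = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, good):
            return False        # forged, truncated or corrupted code
        counter, sent_at = struct.unpack(">QQ", body)
        if counter <= self.last_counter:
            return False        # counter already passed: code is void
        if self.expire and not (0 <= now - sent_at <= MAX_AGE):
            return False        # code is older than the window (or from the future)
        self.last_counter = counter
        return True

def jam_and_replay(expire, owner_uses_fob_again):
    """Replays the sequence from the article against one receiver model."""
    car = Receiver(expire)
    first = fob_code(1, now=100)    # press 1: jammed, never reaches the car
    second = fob_code(2, now=102)   # press 2: jammed and held back
    results = {"first_forwarded": car.accept(first, now=103)}
    if owner_uses_fob_again:        # a later, legitimate press reaches the car
        car.accept(fob_code(3, now=600), now=600)
    results["held_code_later"] = car.accept(second, now=3600)
    results["first_replayed"] = car.accept(first, now=3601)
    return results

if __name__ == "__main__":
    for expire in (False, True):
        for again in (False, True):
            print(expire, again, jam_and_replay(expire, again))
```

With the counter check alone, the held-back code is rejected only once a later code has been accepted by the car; the expiry check rejects it as soon as the window has passed.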

In the end it comes down to a combination of convenience and bottom dollar programming that led to such a pervasive system being as broken as it is. Unfortunately unlike IT systems, which can be patched against such vulnerabilities, these keyless entry systems will likely remain vulnerable as long as they’re in use. Hopefully current car manufacturers take note of this issue and work to address it in future models as, honestly, it seems like one of the most rookie mistakes ever.


About the Author

David Klemke

David is an avid gamer and technology enthusiast in Australia. He got his first taste for both of those passions when his father, a radio engineer from the University of Melbourne, gave him an old DOS box to play games on.
