For about $30, a hacker has made a device that can unlock many cars that use keyless entry.
Samy Kamkar, who recently revealed he built a device that could breach GM cars wirelessly, told Tech Insider that his latest gadget exploits a basic vulnerability in car and garage key remotes that has existed for quite some time.
Here’s the gist: Car key remotes, like garage remotes, use rolling code to authenticate access. Rolling code is basically just code that changes every time so that no one can use it later. So typically when you hit "unlock" on your remote key, a unique code is sent to the car’s system, the doors open, and that code will never be used again.
But there’s a catch. While the same code cannot be used twice, there is no expiration date on when the code can be used.
So Kamkar built his device, called the RollJam, to take advantage of that flaw.
It works like this: A hacker places the wallet-size device somewhere on the targeted car and then when the owner tries to unlock their vehicle by pressing the ‘Unlock’ button on their remote, the device jams the signal so that the vehicle’s system doesn’t hear it, while at the same time intercepting the code.
When the owner of the car tries to use the car key remote to unlock the vehicle a second time, the device jams the signal and steals a second code, but at the same time sends the first stolen code so that the driver can get in the car.
Now the hacker has one unique code left that can still be used because the car never heard that signal. All the hacker has to do is press a button on the Kamkar’s gadget and the car uses the stolen code that it saved to unlock the doors.
Kamkar said he has tried his device on a few different cars from different manufacturers, but has primarily been tested it on a Lotus Elise, because that is what he has had access to. He will reveal more details about how he conducted the exploit on Friday when he speaks at the hacking conference Defcon in Las Vegas.
“This has been sort of a theoretical attack for many, many years. This is not by any means brand new or a big surprise. The problem is no one has really demonstrated it, which is funny because the solution to this problem has been known about for more than 20 years online and has been written about many times, but again no one has demonstrated it,” Kamkar said.
“So a lot of manufacturers haven’t cared to solve the problem because it didn’t seem like a big enough problem. Unfortunately, I think it is a big problem.”
The problem really lies with the manufacturers who make the chips
for the keyless entry, Kamkar said. The chip makers need to begin
implementing expirations for the rolling code, which would
essentially fix the problem.
Kamkar said he knows of at least one chip maker who has fixed this issue.