The subject of car hacking has been a hot topic recently, especially with the latest demonstration of how hackers were able to remotely take over a Jeep Cherokee on the highway. Now a researcher has released his latest tool, a byte-sized device that can unlock the majority of cars and garage doors on the market.
Security researcher and hacker Samy Kamkar has released his $30 device, which can steal the secret codes that allow attackers to gain unauthorized access to nearly any car or garage. Rolljam works against a number of market-leading chips, including KeeLoq and National Semiconductor’s rolling code generator. The tiny device is capable of unlocking electronic locks on cars from Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, the Volkswagen Group, Clifford, Shurlok, and Jaguar. It also works against a number of garage-door openers, including those built on rolling code generators.
An algorithm shared by the electronic key and the lock keeps the two devices synchronized, so that the lock can determine whether it has received a legitimate rolling code sent by an authorized key. A rolling code remains valid until the lock receives it; pressing the key again issues an entirely different code. If a rolling code is never received by the lock, the lock will still accept newer rolling codes, and accepting one invalidates the earlier codes that were never received.
Kamkar presented his research and the Rolljam device at last week’s Def Con security conference. He was even kind enough to gift a working version of his OpenSesame device (similar to Rolljam) to a kid in the audience; the device was valued at a couple of hundred dollars because of the modifications he had made.
Rolljam uses a clever method to exploit the key and lock: the device carries two radios. One jams the airwaves, preventing the lock from receiving any rolling code sent to it. If someone tries to open their door while Rolljam is in place, it is almost guaranteed that they will press the lock or unlock button once again. Rolljam in turn collects the rolling code and uses the second radio to broadcast the code to the lock. Because Rolljam keeps the captured code within the device, the lock never receives it, meaning it remains totally valid as long as Rolljam continues blocking the signal.
The reason the $30 device works is that rolling codes are invalidated only after another rolling code is actually received by the lock.
Currently Rolljam is roughly the size of a wallet, but with extra work it could be shrunk down to the size of a car key.
So far we have been talking about where Rolljam succeeds, but there are any number of scenarios in which it could fail. Kamkar said one chip manufacturer has introduced a newer version that invalidates rolling codes after a certain period of time, but it is unclear how many devices actually run the newer system.
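To make the lock-side behaviour concrete, here is an added toy model of a rolling-code receiver (not Kamkar's code and not the KeeLoq or National Semiconductor algorithm): the classic receiver keeps a never-received code valid until a newer one arrives, while the time-expiring variant described above rejects it after a short window. The HMAC-based code, the demo key, the 16-code lookahead window and the 30-second slot are all assumptions chosen for the model.

```python
import hashlib, hmac, time

KEY = b"constructed-demo-key"   # constructed; a real fob holds a per-device secret
WINDOW = 16                     # skipped presses the receiver will still accept
MAX_AGE = 30                    # seconds a code stays valid in the expiring model

def code_for(counter: int, slot: int = 0) -> bytes:
    """Toy rolling code: HMAC over the press counter and a coarse time slot.
    A stand-in for illustration, not the KeeLoq or National Semiconductor cipher."""
    msg = counter.to_bytes(4, "big") + slot.to_bytes(4, "big")
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:4]

class Fob:
    def __init__(self, clock=time.time, expire=False):
        self.counter, self.clock, self.expire = 0, clock, expire
    def press(self) -> bytes:
        self.counter += 1
        slot = int(self.clock() // MAX_AGE) if self.expire else 0
        return code_for(self.counter, slot)

class Receiver:
    """Lock side. Classic mode: a code stays valid until a later one is accepted.
    Expiring mode: it must also fall in the current or previous time slot."""
    def __init__(self, clock=time.time, expire=False):
        self.last, self.clock, self.expire = 0, clock, expire
    def _slots(self):
        if not self.expire:
            return [0]
        now = int(self.clock() // MAX_AGE)
        return [now, now - 1]
    def accept(self, code: bytes) -> bool:
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            for slot in self._slots():
                if hmac.compare_digest(code_for(c, slot), code):
                    self.last = c          # every code at or below c is now dead
                    return True
        return False

def scenario(expire: bool) -> dict:
    """Press 1 reaches the lock; press 2 is generated but never received.
    Reports whether press 2 is still honoured an hour later, and whether press 1 is reusable."""
    t = [1_000.0]
    fob, lock = Fob(lambda: t[0], expire), Receiver(lambda: t[0], expire)
    first, second = fob.press(), fob.press()   # two presses in quick succession
    if not lock.accept(first):
        raise RuntimeError("lock should accept the first code it sees")
    t[0] += 3600                               # an hour passes
    second_ok = lock.accept(second)            # never-received code, now stale
    first_again = lock.accept(first)           # older than what the lock has seen
    return {"unreceived_code_still_valid": second_ok, "old_code_reused": first_again}
```

Running `scenario(False)` shows the classic receiver still honouring the never-received code an hour later, while `scenario(True)` shows the expiring receiver rejecting it; both reject the code the lock has already moved past.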