This $30 Device Can Break Into Almost Any Keyless Door in Your Car or Home
You probably don't think about thieves when you unlock your car, but Samy Kamkar certainly does. The security researcher known for his droll (and scary) hacks has created a device called "Rolljam" that cracks the wireless entry systems used by car- and garage-door makers. He demonstrated it at Defcon 2015, and here's how it works. When a victim tries to remotely open their car with a fob, they'll notice it didn't work the first time. The second time will be the charm, but at that point, the thief will have stolen a code they can use to open your vehicle at their leisure.
Car makers came up with "rolling code" after thieves figured out how to wirelessly steal codes from early keyless devices. The system works by changing the code every time you use a fob, preventing it from being used a second time. In theory, that makes any stolen code useless to an attacker. As with many of his hacks, Kamkar's workaround is simple yet ingenious. Rolljam blocks the remote signal from reaching the vehicle with a pair of radios, then uses a third one to record the wireless code.
Naturally, the mark will try to use the fob again, and once again, Rolljam will jam the signal and steal the second code. But this time, Kamkar's device will re-transmit the first code and unlock the car, so the victim thinks everything's alright. Since your vehicle didn't receive the second code, however, it can now be used by Rolljam to unlock the vehicle anytime a thief wants. If the device is placed in proximity of a car or garage, it can keep stealing and retransmitting codes, ensuring it always has a fresh, working one.
Other researchers have built devices that can hack vehicle locks in a similar way, but Kamkar is the first to automate the method. His prototype worked on vehicles from Nissan, Ford, Toyota, Volkswagen and others, along with numerous brands of garage door openers. Car companies are aware of the issue, and many have switched to a new system where the codes expire quickly, defeating Kamkar's system. But he told Wired that he released details of his attack at Defcon to force car and garage companies to upgrade older products as well. "My own car is fully susceptible to this attack. I don't think that's right when we know this is solvable," he said.