Car Hacker Can Unlock Almost Any Car
Hacker’s $30 Device Unlocks Just About Any Keyless Entry Car
Good-guy researcher Samy Kamkar’s homebuilt device exposes an old keyless entry vulnerability that most carmakers still haven’t fixed.
Digital security researcher Samy Kamkar has been on a car-hacking kick lately. Last week, he revealed a homebuilt device that can intercept signals from the OnStar smartphone app to track, unlock, and remote-start a car connected to the app. Now, he’s showing off something even more sinister: a $30 device that can copy the coded signal from just about any car’s remote key fob, letting him lock or unlock the car at will.
As TechInsider reports, Kamkar’s latest toy takes advantage of a rather old vulnerability in car keyless entry systems. Most remotes use rolling codes to communicate with the car—meaning that the remote sends a different coded signal every time you press the button. This is meant to prevent bad guys from copying the remote’s code to create a dummy remote. Most remote garage door openers operate on the same principle.
But there’s a catch: most automakers don’t set an expiration date for previously unused codes. While a single code can’t be used twice, if a code never reaches the car in the first place, it’s still valid.
That’s where Kamkar’s little device comes in. Named RollJam, the wallet-sized gizmo can be hidden on or underneath the target car. When the owner presses the remote unlock button, the device detects the remote signal and jams it, preventing the car from hearing the signal. Since the car hasn’t unlocked, the owner presses the Unlock button a second time. The RollJam device records the second code and sends the first code to the car. The car is unlocked, but the device has a stolen second code that never reached the car—one that can be used at a later date by the bad guys to unlock the car. You can see a photo of the device over at TechInsider.
Kamkar hasn’t given away all the details of the device—he’s saving that for a talk on Friday at the Defcon hacking convention in Las Vegas. But as he explained to TechInsider, it’s nothing new:
“This has been sort of a theoretical attack for many, many years. This is not by any means brand new or a big surprise. The problem is no one has really demonstrated it, which is funny because the solution to this problem has been known about for more than twenty years online and has been written about many times, but again no one has demonstrated it.”
Kamkar explains that it’s the companies that make the keyless entry computer chips, not the automakers themselves, that have overlooked this vulnerability for so long. He says he knows of at least one chipmaker that has fixed the issue, though the exploit worked on numerous cars he tested—including a Lotus Elise, which was the main vehicle he used to test the hack.
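To make the "catch" concrete, here is a small added simulation of the receiver side of a rolling-code system. It is example code written for this article, not Kamkar's RollJam code or any chipmaker's firmware, and it models only the acceptance logic, not radio. The fob and car share a constructed secret key; a code is a (counter, issue time, MAC) triple. The counter-only receiver is the one the article describes: it refuses a code it has already accepted, but it has no notion of a code going stale, so a code that was captured and never delivered stays valid indefinitely. The second receiver adds the expiry the article says most automakers lack; the assumption that the fob can stamp each code with an issue time (which requires a clock in the fob) is a simplification chosen for this example.

```python
import hashlib
import hmac

# Constructed shared secret between fob and car; real devices use a per-vehicle key.
KEY = b"constructed-demo-key"
TAG_LEN = 8


def _message(counter, issued_at):
    return counter.to_bytes(4, "big") + int(issued_at).to_bytes(8, "big")


def make_code(key, counter, issued_at):
    """Fob side: emit an authenticated rolling code for one button press."""
    tag = hmac.new(key, _message(counter, issued_at), hashlib.sha256).digest()[:TAG_LEN]
    return (counter, int(issued_at), tag)


def tag_ok(key, counter, issued_at, tag):
    """Constant-time check that the code was produced with the shared key."""
    expected = hmac.new(key, _message(counter, issued_at), hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, tag)


class CounterOnlyReceiver:
    """Car side as described in the article: a code is valid if it is authentic and its
    counter is ahead of the last accepted counter (within a resync window). There is no
    expiry, so a code that never reached the car remains usable at any later time."""

    def __init__(self, key, window=256):
        self.key = key
        self.window = window
        self.last = 0  # highest counter accepted so far

    def accept(self, code, now):
        counter, issued_at, tag = code
        if not tag_ok(self.key, counter, issued_at, tag):
            return False
        if not (self.last < counter <= self.last + self.window):
            return False  # already used, or too far ahead to resynchronise
        self.last = counter
        return True


class ExpiringReceiver(CounterOnlyReceiver):
    """Same as above, plus the fix the article mentions: a code older than max_age
    seconds is rejected even if its counter has never been seen."""

    def __init__(self, key, window=256, max_age=30):
        super().__init__(key, window)
        self.max_age = max_age

    def accept(self, code, now):
        counter, issued_at, tag = code
        if now - issued_at > self.max_age:
            return False
        return super().accept(code, now)


def simulate(receiver_cls):
    """Replay the sequence from the article against one receiver model.
    Returns (car unlocked during the owner's visit, stale code accepted an hour later)."""
    rx = receiver_cls(KEY)
    t0 = 1_000_000
    first = make_code(KEY, 1, t0)        # first press: jammed and captured, never heard by the car
    second = make_code(KEY, 2, t0 + 5)   # second press: captured as well
    unlocked_for_owner = rx.accept(first, t0 + 5)   # device forwards the first code
    stale_accepted = rx.accept(second, t0 + 3600)   # the held-back code, an hour later
    return unlocked_for_owner, stale_accepted


if __name__ == "__main__":
    print("counter-only receiver:", simulate(CounterOnlyReceiver))  # (True, True)
    print("expiring receiver:    ", simulate(ExpiringReceiver))     # (True, False)
```

Both receivers still reject a straightforward replay of a code the car has already heard, which is all the counter was ever designed to stop; only the expiring receiver closes the gap for a code that was withheld. A fob without a clock cannot provide the timestamp, which is one reason the fix has sat with the chipmakers rather than being a trivial software change on the car.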
Hopefully, by exposing the vulnerability in more detail at Defcon this week, Kamkar will give the industry the kick in the pants needed to fix this problem—similar to how FCA was ultimately prodded into fixing the vulnerability that let hackers take control of a Jeep Cherokee in a widely-reported story last month.