RollJam, center. Photo courtesy Samy Kamkar.
Imagine if you could use a small, inexpensive device to unlock almost any car or garage door. That is not just a thief's dream; the device actually exists.
It’s called RollJam, and it’s essentially a $30 “universal key” for cars and garage doors that use the same vulnerable wireless unlocking technology, according to its creator, the hacker and security researcher Samy Kamkar.
Wireless car keys and garage door openers commonly use constantly changing codes to unlock doors. These "rolling codes" are unique values that change every time you press the lock or unlock button on a keyfob, and they expire as soon as they are used (each newly accepted code also invalidates the ones before it). Because of this, and even though another researcher has shown in the past that these systems can be abused, they have long been considered relatively secure.
But with RollJam, Kamkar proves that they are anything but, and that they’re relatively easy to exploit.
Kamkar designed the device to be small and inconspicuous, roughly the size of a car key, so that it could be hidden under a car or near a garage door. The device is programmed to listen for and intercept every signal sent from a wireless key. When a person presses the unlock button on his or her car keyfob, for example, RollJam jams the signal so the car never receives it, while recording the code itself, forcing the person to press the button again. RollJam then jams and records that second signal too, but replays the first code it intercepted, unlocking the car.
To the car owner, nothing unusual has happened: he or she just had to press the button twice to unlock the car, a common enough occurrence. But in reality, Kamkar's device now holds in its memory a valid, still-unused rolling code.
“I can put it on your car, so that the device will always have the latest code,” Kamkar told me in an interview ahead of his talk at the hacking conference DEF CON on Friday, where he plans to unveil RollJam. “Every single time you lock or unlock your car I’ll have the latest code.”
Another flaw in the system is that there’s no difference between a locking and an unlocking code; the code is “like a password that’s good for everything,” as Kamkar put it. In fact, if your car key has a remote control to start the car, RollJam could likely steal a code and use it to start the car remotely, Kamkar said, although he has yet to test this in the field.
So, when someone parks his or her car, and gets one signal stolen by the RollJam device hidden under it, whoever is using RollJam can then go and use that code to unlock the car or the garage door.
“Because I jammed two signals,” Kamkar said, “I still have one that I can use in the future.”
Photo courtesy Samy Kamkar.
RollJam can even be programmed to steal two codes. At that point, if the car has remote ignition, the person with RollJam could unlock the car with the first stolen code, and then start it with the second.
Kamkar said RollJam could be used against a wide array of cars, since rolling codes are widely used, and that he has tested it on a variety of makes, including Cadillac, Ford, Toyota, Lotus, Volkswagen, Nissan, and Chrysler. The technique also works with "virtually every garage door" that uses radio signals.
A couple of months ago the hacker had already shown that garage doors using an older technology, fixed PIN codes, were extremely easy to hack. That time, he used a pink, outdated toy marketed at young girls to demonstrate the hack, which he dubbed OpenSesame.
Obviously Kamkar doesn't want RollJam to be used to steal cars; he wants it to be a wake-up call to car manufacturers and to the chip vendors behind these vulnerable rolling-code systems, such as Microchip (the company behind KeeLoq) and National Semiconductor, whose parts are used in wireless car and garage keys.
In fact, Kamkar notes, a better, more secure technology already exists. It's called Passive Entry/Passive Start, and it uses a simple defense against an attack like RollJam's: codes expire after a certain time, so a captured code cannot be banked and replayed later. According to Kamkar, some car manufacturers already use this technology to start car ignitions remotely in a more secure way.
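To make the jam-and-replay attack described above, and the time-expiry mitigation, concrete, here is an added simulation. It is not Kamkar's code and not any vendor's algorithm: the rolling code is modelled as an HMAC tag over a counter (KeeLoq and similar chips work differently under the hood, but enforce the same "counter must move forward" rule), radio jamming is modelled by the attacker simply withholding a captured message from the receiver, and the resync window, expiry time and shared key are constructed values for the example.

```python
"""Simulation of a rolling-code remote, a RollJam-style jam-and-replay
attacker, and a time-based code expiry mitigation.

Constructed, simplified model for illustration: the code is an HMAC tag over
a counter, not KeeLoq or any vendor's actual scheme. "Jamming" is modelled as
the attacker withholding a captured message from the receiver.
"""
import hashlib
import hmac

WINDOW = 16  # counters ahead of the last accepted one the receiver tolerates (assumed)
TTL = 30     # seconds a code stays valid in the mitigated receiver (assumed)


def make_code(key, counter, issued_at):
    """A code is (counter, issued_at, tag). The tag binds both fields to the
    shared key; the unmitigated receiver simply ignores issued_at."""
    msg = f"{counter}:{issued_at}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return (counter, issued_at, tag)


class Fob:
    def __init__(self, key):
        self.key = key
        self.counter = 0

    def press(self, now):
        self.counter += 1
        return make_code(self.key, self.counter, now)


class Receiver:
    def __init__(self, key, expire_codes=False):
        self.key = key
        self.last = 0  # highest counter accepted so far
        self.expire_codes = expire_codes

    def accept(self, code, now):
        counter, issued_at, tag = code
        expected = make_code(self.key, counter, issued_at)[2]
        if not hmac.compare_digest(tag, expected):
            return False
        # Rolling-code rule: only a counter strictly ahead of the last accepted
        # one, within the resync window, is valid. Accepting a code therefore
        # invalidates every earlier counter.
        if not (self.last < counter <= self.last + WINDOW):
            return False
        # Mitigation: a code also dies TTL seconds after the fob issued it, so
        # a captured code cannot be banked for later.
        if self.expire_codes and now - issued_at > TTL:
            return False
        self.last = counter
        return True


class RollJam:
    """Withholds (jams) each press and keeps the code. Once it holds two,
    it replays the older one so the owner sees the door open as expected."""
    def __init__(self, receiver):
        self.receiver = receiver
        self.stored = []

    def intercept(self, code, now):
        self.stored.append(code)
        if len(self.stored) >= 2:
            older = self.stored.pop(0)
            return self.receiver.accept(older, now)
        return False  # first press: jammed, nothing happens

    def use_stored(self, now):
        return self.receiver.accept(self.stored.pop(0), now)


def run_attack(expire_codes=False, owner_presses_again=False, delay=0):
    """Two jammed presses, then the attacker replays the banked code `delay`
    seconds later. Returns which of the three attempts opened the door."""
    key = b"constructed-shared-key"
    fob, rx = Fob(key), Receiver(key, expire_codes)
    jammer = RollJam(rx)
    t = 1000
    first = jammer.intercept(fob.press(t), t)          # jammed, door stays shut
    second = jammer.intercept(fob.press(t + 2), t + 2)  # jammed, older code replayed
    if owner_presses_again:
        # Owner presses once more while the jammer is not listening: the
        # receiver moves its counter forward and the banked code is dead.
        rx.accept(fob.press(t + 10), t + 10)
    stolen = jammer.use_stored(t + 2 + delay)
    return {"first_press_opened": first,
            "second_press_opened": second,
            "stolen_code_opened": stolen}


if __name__ == "__main__":
    print("no expiry:     ", run_attack())
    print("expiry, 1h later:", run_attack(expire_codes=True, delay=3600))
    print("owner pressed again:", run_attack(owner_presses_again=True))
```

The `owner_presses_again` case shows why the device is meant to stay on the car and jam every press: any press the attacker does not capture advances the receiver's counter and invalidates the banked code. The expiry case also shows the mitigation's limit: a banked code is still good if replayed within TTL.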
For him, the biggest issue here is that despite the fact that better, more secure technologies already exist, car manufacturers are not using them.
“Most manufacturers don’t really do anything until you demonstrate an issue,” Kamkar said in a phone interview. “It’s only when it’s public knowledge that people begin to improve.”
And that's exactly the idea here: to educate and inform not just manufacturers and vendors but also the public that these technologies can be hacked if not properly secured. (Kamkar plans to publish details on how to build a RollJam, as well as its underlying code, after his talk on Friday.)
“As you make more devices wireless most of those signals can be intercepted or abused in some way,” Kamkar told me. “We’re not paying attention to the security around it.”