THE NEXT TIME you press your wireless key fob to unlock your car, if you find that it doesn’t beep until the second try, the issue may not be a technical glitch. Instead, a hacker like Samy Kamkar may be using a clever radio hack to intercept and record your wireless key’s command. And when that hacker walks up to your vehicle a few minutes, hours, or days later, it won’t even take those two button presses to get inside.
At the hacker conference DefCon in Las Vegas tomorrow, Kamkar plans to present the details of a gadget he’s developed called “RollJam.” The $32 radio device, smaller than a cell phone, is designed to defeat the “rolling codes” security used in not only most modern cars and trucks’ keyless entry systems, but also in their alarm systems and in modern garage door openers. The technique, long understood but easier than ever to pull off with Kamkar’s attack, lets an intruder break into cars without a trace, turn off their alarms and effortlessly access garages.
RollJam, as Kamkar describes it, is meant to be hidden on or near a target vehicle or garage, where it lies in wait for an unsuspecting victim to use his or her key fob within radio range. The victim will notice only that his or her key fob doesn’t work on the first try. But after a second, successful button press locks or unlocks a car or garage door, the RollJam attacker can return at any time to retrieve the device, press a small button on it, and replay an intercepted code from the victim’s fob to open that car or garage again at will. “Every garage that has a wireless remote, and virtually every car that has a wireless key can be broken into,” says Kamkar.
Thieves have used “code grabber” devices for years to intercept and replay wireless codes for car and garage doors. But both industries have responded by moving their key fobs’ ISM-band radio signals to a system of rolling codes, in which the key fob’s code changes with every use and any code is rejected if it’s used a second time.
To circumvent that security measure, RollJam uses an uncannily devious technique: The first time the victim presses their key fob, RollJam “jams” the signal with a pair of cheap radios that send out noise on the two common frequencies used by cars and garage door openers. At the same time, the hacking device listens with a third radio—one that’s more finely tuned to pick up the fob’s signal than the actual intended receiver—and records the user’s wireless code.
When that first signal is jammed and fails to unlock the door, the user naturally tries pressing the button again. On that second press, the RollJam is programmed to again jam the signal and record that second code, but also to simultaneously broadcast its first code. That replayed first code unlocks the door, and the user immediately forgets about the failed key press. But the RollJam has secretly stored away a second, still-usable code. “You think everything worked on the second time, and you drive home,” says Kamkar. “But I now have a second code, and I can use that to unlock your car.”
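The property the article hinges on is that a rolling-code receiver rejects a code it has already seen, but still accepts any code the fob has generated that the receiver has not yet consumed. The following Python model is an added illustration, not Kamkar’s code or any manufacturer’s firmware: it stands in for the fob’s encrypted counter with an HMAC over a counter, assumes a receiver that accepts the next 16 counter values (the window size is an assumption), and contrasts it with a timestamped variant that expires codes after a few seconds, a mitigation that is also an assumption here rather than something the article describes. No radio behaviour is modelled; the “jamming” is simply a code that never reaches the receiver.

```python
import hmac
import hashlib
from typing import Optional, Tuple

# Constructed toy parameters; real keyless-entry designs differ in detail.
KEY = b"constructed-shared-fob-key"
WINDOW = 16      # receiver accepts the next 16 counter values (assumption)
MAX_AGE = 5.0    # seconds a timestamped code stays valid (mitigation, assumption)

Code = Tuple[Optional[float], bytes]   # (press time or None, 8-byte MAC)


def make_code(key: bytes, counter: int, ts: Optional[float] = None) -> bytes:
    """Stand-in for the fob's encrypted rolling code: a MAC over the counter
    and, for the timestamped variant, over the press time as well."""
    msg = counter.to_bytes(4, "big")
    if ts is not None:
        msg += int(ts).to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Fob:
    """Transmitter: every press emits a code for the next counter value."""

    def __init__(self, key: bytes, timestamped: bool = False) -> None:
        self.key, self.timestamped, self.counter = key, timestamped, 0

    def press(self, now: float) -> Code:
        ts = now if self.timestamped else None
        mac = make_code(self.key, self.counter, ts)
        self.counter += 1
        return (ts, mac)


class Receiver:
    """Door/car side: accepts a code whose counter lies in [expected, expected+window),
    then advances so that counter and everything below it can never be reused."""

    def __init__(self, key: bytes, window: int = WINDOW,
                 max_age: Optional[float] = None) -> None:
        self.key, self.window, self.max_age, self.expected = key, window, max_age, 0

    def accept(self, code: Code, now: float) -> bool:
        ts, mac = code
        if self.max_age is not None and (ts is None or now - ts > self.max_age):
            return False                      # stale (or unstamped) code: rejected
        for c in range(self.expected, self.expected + self.window):
            if hmac.compare_digest(mac, make_code(self.key, c, ts)):
                self.expected = c + 1         # codes at or below c are now dead
                return True
        return False


def replay_is_rejected() -> Tuple[bool, bool]:
    """Plain rolling codes defeat a naive code grabber: a seen code is dead."""
    fob, rx = Fob(KEY), Receiver(KEY)
    code = fob.press(now=0.0)
    first = rx.accept(code, now=0.0)          # legitimate press: accepted
    second = rx.accept(code, now=1.0)         # same code again: rejected
    return first, second


def withheld_code_stays_valid() -> Tuple[bool, bool]:
    """The pattern the article describes: the receiver never hears press 1,
    hears press 1's code only when it is relayed during press 2, and press 2's
    code is still inside the window afterwards."""
    fob, rx = Fob(KEY), Receiver(KEY)
    code1 = fob.press(now=0.0)                # jammed: receiver hears nothing
    code2 = fob.press(now=2.0)                # jammed too; code1 relayed instead
    door_opens = rx.accept(code1, now=2.0)    # counter 0 is in the window
    later = rx.accept(code2, now=86400.0)     # a day later, counter 1 still is
    return door_opens, later


def expiring_codes_limit_reuse() -> Tuple[bool, bool]:
    """Mitigation (assumption): codes carry a timestamp and expire after MAX_AGE,
    so a withheld code is only useful for a few seconds."""
    fob, rx = Fob(KEY, timestamped=True), Receiver(KEY, max_age=MAX_AGE)
    code1 = fob.press(now=0.0)
    code2 = fob.press(now=2.0)
    door_opens = rx.accept(code1, now=2.0)    # 2 s old: accepted
    later = rx.accept(code2, now=86400.0)     # stale: rejected
    return door_opens, later


if __name__ == "__main__":
    print("replay of a seen code:      ", replay_is_rejected())          # (True, False)
    print("withheld code, plain window:", withheld_code_stays_valid())   # (True, True)
    print("withheld code, expiring:    ", expiring_codes_limit_reuse())  # (True, False)
```

The middle scenario is the one that matters: a plain counter window cannot tell a freshly pressed code from one the fob produced earlier but the receiver never saw, so the rolling counter alone is not a replay defence against an attacker who can suppress and store transmissions. The expiring-code variant narrows that to a few seconds, at the cost of a clock in the fob and some tolerance for clock drift, and it still does not help against a code that is replayed immediately.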