Bypassing Rolling Code Systems – CodeGrabbing/RollJam

A while back we posted about Samy Kamkar's popular "RollJam" device, a $32 home-made device that was able to defeat rolling-code based wireless security systems such as those used on modern cars.

Wireless security researcher Andrew Macpherson became interested in RollJam and has now written up a post showing how to create a similar device using the YardStickOne and RFcat wireless tools. In his post Andrew shows how he automates the replay attack side of things using a Python script and two RFcat devices. He also fully explains how rolling codes work and how to attack them using the CodeGrabbing/RollJam technique. Andrew explains the RollJam technique as follows:

  1. Target parks their car, gets out the car
  2. Attacker launches a jammer that prevents the car from receiving the code from the remote
  3. Target presses the remote, car does NOT lock and the attacker obtains the first keypress
  4. Target presses the remote a second time and the attacker obtains the second keypress
  5. Attacker then sends the first key press to lock the car, car locks as per normal
  6. Target assumes all is well and carries on about their day
  7. Attacker then sends the second keypress to the car, unlocking it
  8. Profit.
  9. Target returns to the vehicle and remote works as per normal
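The counter logic that makes this sequence work, as an added Python model that is not part of the original post or of Andrew's RFcat script. It assumes an unencrypted counter and a receiver that accepts any code up to 16 steps ahead of the last one it saw (a simplifying assumption; real systems encrypt the counter and pick their own window), and it also shows why a plain replay of a code the car already heard fails.

```python
from dataclasses import dataclass, field

WINDOW = 16  # codes this far ahead of the last accepted one are valid (assumed figure)


@dataclass
class Receiver:
    """Car side: accepts a code only if its counter is ahead of the last accepted one."""
    counter: int = 0
    accepted: list = field(default_factory=list)

    def receive(self, code: int) -> bool:
        if not (self.counter < code <= self.counter + WINDOW):
            return False  # stale (already used) or too far ahead: rejected
        self.counter = code
        self.accepted.append(code)
        return True


@dataclass
class Remote:
    """Key fob: each press emits the next counter value (kept in the clear in this model)."""
    counter: int = 0

    def press(self) -> int:
        self.counter += 1
        return self.counter


def plain_replay() -> bool:
    """Why rolling codes exist: a code the car has already heard is useless a second time."""
    car, fob = Receiver(), Remote()
    code = fob.press()
    car.receive(code)          # car accepts #1 and moves its counter past it
    return car.receive(code)   # the same code again is rejected -> False


def rolljam_sequence() -> Receiver:
    """The sequence from the post; the jammer is modelled as 'the car never hears the press'."""
    car, fob = Receiver(), Remote()
    captured = [fob.press(), fob.press()]  # two presses jammed at the car, recorded elsewhere
    car.receive(captured[0])               # first code delivered later: still ahead -> car locks
    car.receive(captured[1])               # second code delivered later still: still ahead -> accepted
    car.receive(fob.press())               # owner's next press (#3) is also in window, fob keeps working
    return car
```

The model makes the weak point visible: the receiver has no notion of time or of a code having been withheld, only of a counter that must move forward.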

In the video below Andrew uses an SDR to help demonstrate the RollJam attack.

https://www.youtube.com/watch?time_continue=108&v=xAggMOEazDI
Showing how the RollJam attack works.

10 comments

  1. Para noid

    This may have happened to me, but the thief was unable to jimmy the ignition to steal my Jeep.
    Question: if I use one of the alarm auxiliary outputs, in latching mode, to a relay that breaks the door unlock circuit, would this defeat the rolljam exploit? I could use the fob normally as I do now. But, if I wanted to add another layer of security, I could hit the aux channel, after locking the doors, so that to unlock them I would first need to trig the aux code again, before sending the unlock code. If the thief tries to send an unlock code, without the aux first, no power will flow to the door solenoid. So, I guess I am asking if these devices can recognize, store, and capture the two separate signals.

    • Para noid

      Also, under this scheme, even if they disable the alarm, without the aux to enable the unlock, the doors would still be locked.

  2. wayne

    I hope you don't mind me asking. I want to learn how to hack rolling codes; can you be kind enough to tell me what exactly I need to buy in order to do this? I want to learn step by step while having the items in my possession; I would find it much easier that way.

    hope to hear from you soon!

    thank you

    • KarNut

      Wayne, you don't need to buy anything. Just go to your local police station and repeat what you just stated above to a detective. Also ask him how much time, if any, you can get for conspiracy to burglarize or steal cars. If you are lucky, then you can get like 5-10 years and you will have plenty of time to learn how it is done without spending any money on parts, PLUS you get a free, state-funded, all-meals-and-boarding-included vacation!

  3. Victim_Of_This_Vulnerability

    Hi,
    they stole my car last month, and while I was searching I found this post, but I wonder how they can convert the stolen lock code (which is a rolling code) to an unlock code, as I understood that a rolling code is encrypted and the 'next' code (a pseudorandom number) is inside the rolling code, which is encrypted. So how can they change the lock function code to the unlock function code?

    I know that they can decrypt the rolling code, modify the function code, and encrypt it again, but they need the encryption private/public keys, so how can they get the encryption keys? Or do all the remote smart keys use the same private/public keys? If yes, it is very stupid of the car manufacturers.

    I know a very simple method to prevent this vulnerability 100%; it looks like the car manufacturers' engineers are not qualified in software security at all.

    Thanks
    Victim_Of_This_Vulnerability

  4. Cop this

    Are you not aiding and abetting car theft by publishing this? Maybe you just want to show the world what a clever little Vegemite you are.

    • admin

      If you’re talking about us, most famous news sites like wired.com share stories like this all the time too, as well as several regular news outlets. If you’re talking about Andrew’s blog, the argument most security researchers make is that knowledge like this is already commonly known amongst criminals, but not the regular public, so by popularizing the flaws with the public it should get the big companies interested in actually fixing their products. Most good researchers will not publish zero-day exploits without notifying the responsible companies first.

      • Andrew MacPherson

        Additionally, while I do show actually opening the VW (I'd have thought you would use that video here), I don't show the full code that can be used with the devices, so you can't simply plug and play. Lastly, this attack was first described in full in 2009; it's definitely not my attack, but having some of the functionality done for you means more people can look at and play with this sort of thing and help create better, more secure devices.

        -AM
