Opening Car Doors with an RTL-SDR, Arduino and CC1101 Transceiver

Recently we found this post from last year by security researcher Anthony, which shows how an RTL-SDR combined with an Arduino and CC1101 transceiver can be used to open a car. The technique he presents is the jam, intercept and replay technique that was also used by Samy Kamkar's Rolljam device.

Most modern vehicles use some form of rolling code security on their wireless keyfobs to prevent unauthorized replay attacks. When the car owner presses a button on the keyfob, a unique rolling code is sent to the car. If it matches one of the codes the car is expecting, the car unlocks and then invalidates that code so it can never be used again, which defeats a plain replay. On the next press the keyfob sends a new code. This system can be defeated by jamming the car's keyfob receiver while using a more selective receiver to record the keyfob unlock packet, then replaying that packet at a later time.

The technique Anthony presents has the attacker use an Arduino with a CC1101 transceiver as the jammer. Jamming is totally illegal within the USA, so Anthony does not show exactly how the jamming is done. While the signal is being jammed, the RTL-SDR captures and saves the signal from the keyfob. Later the capture is processed in GNU Radio to remove the jamming signal and extract the keyfob signal. He then uses GNU Radio to demodulate the ASK signal into a binary waveform that he can replay later.
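To make the rolling-code behaviour concrete, here is a small receiver-side model added for this page (it is not Anthony's code and not any real keyfob firmware): the car tracks the last accepted counter per fob and accepts a code only if it is newer and within a look-ahead window, so a code that was jammed stays valid until the owner's next press gets through. The window size and fob identifiers are constructed values.

```python
import copy
from dataclasses import dataclass, field

# Constructed parameter: how far ahead of the last accepted counter the car
# still accepts a code (real systems keep a similar look-ahead window so
# presses made out of range do not desynchronise the fob).
WINDOW = 16


@dataclass
class Fob:
    key_id: str
    counter: int = 0

    def press(self):
        """Each press emits the next counter; the tuple stands in for the
        encrypted rolling-code packet."""
        self.counter += 1
        return (self.key_id, self.counter)


@dataclass
class Car:
    window: int = WINDOW
    last_seen: dict = field(default_factory=dict)  # key_id -> last accepted

    def receive(self, packet):
        """Accept a counter only if it is strictly newer than the last one
        and within the window; accepting it retires every earlier code."""
        key_id, ctr = packet
        last = self.last_seen.get(key_id, 0)
        if last < ctr <= last + self.window:
            self.last_seen[key_id] = ctr
            return True
        return False


def simulate():
    """Walk through the sequence the post describes and record each outcome."""
    car, fob = Car(), Fob("fob-A")
    results = {}
    used = fob.press()
    car.receive(used)                                   # normal press, accepted
    results["plain_replay"] = car.receive(used)         # same code again: dead
    captured_1 = fob.press()                            # jammed, car never sees it
    captured_2 = fob.press()                            # jammed again
    results["replay_first_captured"] = car.receive(captured_1)   # still fresh
    results["held_code_if_used_first"] = copy.deepcopy(car).receive(captured_2)
    car.receive(fob.press())                            # owner's next press lands
    results["held_code_after_owner_press"] = car.receive(captured_2)  # expired
    return results
```

The last two results show the point raised in the comments below: a held code is only useful until a later press from the legitimate fob is accepted.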

Anthony tested this technique on two cars and a truck and was successful at unlocking the doors all three times.

RTL-SDR receiving a BMW keyfob signal at 315 MHz in HDSDR.

6 comments

  1. snn47

    Is this a practical attack scenario? We can always use the mechanical car key to unlock the door 🙂

    The jammer has to be stronger to block the signal from the key; however, the thief has to be close enough to the owner to receive the signals from the car key, so that the jamming signal won't jam the car key signal in the thief's receiver.

    I am on average only 5 to 10 m away from the car when I use a key. If the thief's receiver is opposite from me/the car, the jammer will be stronger than my car key's signal.
    Less jamming EIRP would suffice if the owner tried to unlock from a larger distance, but then the car key signals would be weaker, unless the thief stays close to the owner.

    How is the jammer activated, because I assume constant jamming would impact cars close by and could therefore arouse suspicion.

  2. SDR-User

    No a practical attack!

    Think about it: victim goes to car to unlock – you jam signal – victim presses unlock again, still jammed, you replay first signal, car unlocks.

    Driver gets inside his or her car, goes home and presses lock.
    Hacker's recorded signal is rendered useless as the code has hopped.

    • Anonymous

      Most cars have two (or more) remotes. People sometimes push the unlock button on their remote several times while they are away from their car. (Also, lock and unlock are used several times to make the horn blow and lights flash. Helps you find your car in a parking lot.) Each vehicle has a group of about 50 codes (and I assume that is per transmitter key fob) that could unlock the door. It needs to be able to receive codes from at least two different key fobs. Because of this, it would be quite possible to use an unused (jammed) code for up to two or three days before the code would expire.
