Breaking into cars wirelessly with a $32 homemade device called RollJam

At this year's Def Con conference, speaker Samy Kamkar revealed how he built a $32 device called "RollJam" that can break into cars and garages wirelessly by defeating the rolling code protection used by wireless entry keys. Def Con is a very popular yearly conference that focuses on computer security topics.

A rolling code improves wireless security by using a synchronized pseudo random number generator (PRNG) on the car and the key. When the key is pressed the current code is transmitted, and if the code matches what the car is expecting the door opens. The seed for the PRNG in the car and key is then incremented, so a code that has already been accepted is never accepted again. This prevents replay attacks.

The RollJam hardware currently consists of a Teensy 3.1 microcontroller and two CC1101 433 MHz RF transceiver modules. It works by recording the wireless key signal while at the same time jamming it, so that the car does not receive the signal. When the key is pressed a second time the signal is again jammed and recorded, but this time the first recorded code is replayed by the RollJam device, so the car opens and the owner notices nothing. RollJam now holds an unused code that the car has never seen and that can still be used to open it. Samy shows how this works using an SDR and a waterfall display graph in the following slide.

Slide: How RollJam Works

Samy's full set of presentation slides can be downloaded from samy.pl/defcon2015. Several large publications, including networkworld.com, Wired.com and forbes.com, have also covered this story with longer, more in-depth articles that may be of interest to readers.
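To make the sequence above concrete, here is an added simulation (not Samy's code, and not any vendor's real rolling-code scheme) of a counter-plus-MAC rolling code with a lookahead window. It shows why the second captured code stays valid after the first is replayed, and that a later genuine press received by the car moves its counter past the captured one and invalidates it. SECRET and WINDOW are assumed demo values.

```python
import hmac
import hashlib

# Simplified rolling-code model (constructed for this example, not a real vendor
# scheme): each press sends (counter, MAC(secret, counter)); the receiver accepts
# a counter above its last accepted one and within a lookahead window, then
# advances. SECRET and WINDOW are assumed demo values.
SECRET = b"demo-shared-secret"
WINDOW = 16  # presses the receiver tolerates missing (out of range, dropped)

def code_for(counter: int) -> bytes:
    return hmac.new(SECRET, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class KeyFob:
    def __init__(self):
        self.counter = 0
    def press(self):
        self.counter += 1
        return (self.counter, code_for(self.counter))

class Receiver:
    def __init__(self):
        self.last = 0
    def receive(self, packet) -> bool:
        counter, code = packet
        if not hmac.compare_digest(code, code_for(counter)):
            return False                      # forged or corrupted code
        if not (self.last < counter <= self.last + WINDOW):
            return False                      # old (replayed) or too far ahead
        self.last = counter                   # advance: everything <= counter dies
        return True

def jam_and_replay():
    """The sequence from the article: two jammed presses, first one replayed."""
    fob, car = KeyFob(), Receiver()
    press_1 = fob.press()           # jammed, car never sees it; device records it
    press_2 = fob.press()           # jammed and recorded too
    opened_by_replay = car.receive(press_1)   # device replays press 1; car opens
    second_still_valid = car.receive(press_2) # the unused code is still accepted
    return opened_by_replay, second_still_valid

def resync_after_jam():
    """A further genuine press, received unjammed, invalidates the stored code."""
    fob, car = KeyFob(), Receiver()
    press_1, press_2 = fob.press(), fob.press()
    car.receive(press_1)
    owner_press_ok = car.receive(fob.press())  # counter 3 accepted, last = 3
    stored_rejected = not car.receive(press_2) # counter 2 is now behind last
    return owner_press_ok, stored_rejected
```

The model also shows the detection angle: a receiver that logs counter gaps (here, press 1 arriving after two presses were made) has a signal that something was jammed.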

6 comments

  1. Mechanic

    I got hit. I simply pulled the fuses for the driver door unlock and the other unlock relay for the other doors. The doors still lock manually and with a key; you cannot unlock it with the remote, they are now blocked. I plan to put an old school manual alarm (no remote) on my sub, so if they gain access they will be screwed: the pin will pull on the door sill, alarm sounds. Also plan to put a baby monitor in the back seat to hear them, the main box in the bedroom night stand with a 45 cal ready to go!!

  2. Mladen B.

    To counter this "attack", you can just get close to your car/garage and press the unlock button again on your remote. This will trigger the car/garage to drop the previous keys (one of which is also in the attacker's hands) plus the current key which was sent when you pressed the unlock button near the car/garage, and will initiate the process of random key generation again, rendering the captured key useless for the attacker. In short, just unlock your car/garage again once you are VERY close to it (to make sure that the attacker doesn't interfere with you this time). Reference: http://auto.howstuffworks.com/remote-entry2.htm

    • Truth

      I think that you might have missed that they can also convert lock codes into unlock codes. So when you push your button to lock and no audio feedback beep is sent, that is your warning to physically go to your car and manually lock it.
