Opening Car Doors with an RTL-SDR, Arduino and CC1101 Transceiver

Recently we found this post from last year by security researcher Anthony, which shows how an RTL-SDR combined with an Arduino and CC1101 transceiver can be used to open a car. The technique he presents is the jam, intercept and replay technique that was also used by Samy Kamkar's RollJam device.

Most modern vehicles use some form of rolling code security on their wireless keyfobs to prevent unauthorized replay attacks. When the car owner presses a button on the keyfob, a unique rolling code is sent to the car. If it matches one of the codes the car expects next, the car unlocks and then invalidates that code so it can never be used again, thus preventing a simple replay. On the next press the keyfob sends a new code. This system can be defeated by jamming the car's keyfob receiver while using a more selective receiver to record the keyfob unlock packet, then replaying that packet at a later time.
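To make the rolling-code behaviour concrete, here is a toy model of a counter-window receiver, written for this page as an added example (it is not Anthony's code and not any vendor's scheme; the key, the 4-byte truncated MAC and the window size of 16 are all constructed assumptions). It shows why a code the car never received stays accepted until the car sees a later counter, which is the point debated in the comments:

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo key and window size; real fobs use per-device secrets
# and vendor-specific window sizes (the comments mention about 50 codes).
KEY = b"constructed-demo-key"
WINDOW = 16


def make_code(counter: int) -> bytes:
    """Over-the-air code for a counter: a truncated MAC standing in for the
    vendor's rolling-code encryption (toy scheme, not a real one)."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


@dataclass
class Fob:
    counter: int = 0

    def press(self) -> bytes:
        self.counter += 1
        return make_code(self.counter)


@dataclass
class Car:
    last_accepted: int = 0

    def receive(self, code: bytes) -> bool:
        """Accept only a counter ahead of the last one seen, within WINDOW.
        Accepting advances last_accepted, so that counter and every lower
        one is dead from then on: that is the replay protection."""
        for c in range(self.last_accepted + 1, self.last_accepted + WINDOW + 1):
            if hmac.compare_digest(make_code(c), code):
                self.last_accepted = c
                return True
        return False


def scenario() -> dict:
    """Outcomes for a code the car never received (a jammed press)."""
    fob, car = Fob(), Car()
    car.receive(fob.press())                      # press 1 delivered normally
    captured = fob.press()                        # press 2 jammed: car never sees it
    replay_before_next = car.receive(captured)    # still inside the window
    fob2, car2 = Fob(), Car()
    car2.receive(fob2.press())
    captured2 = fob2.press()                      # press 2 jammed again
    car2.receive(fob2.press())                    # press 3 delivered: counter moves on
    replay_after_next = car2.receive(captured2)   # now below last_accepted
    return {
        "replay_before_next_press": replay_before_next,      # True: the gap RollJam uses
        "replay_after_next_press": replay_after_next,        # False: code has hopped
        "reuse_of_delivered_code": car.receive(make_code(1)),  # False: already consumed
    }
```

The model also shows the mitigation a receiver can add cheaply: a code is invalidated as soon as any higher counter is accepted, so the undelivered code is only useful until the owner's next successful press.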

The technique Anthony presents has the attacker use an Arduino with CC1101 transceiver as the jammer. Jamming is totally illegal within the USA, so Anthony does not show exactly how to do the jamming. While the signal is being jammed, the RTL-SDR captures and saves the signal from the keyfob. Later the signal is processed in GNU Radio to remove the jamming signal and extract the keyfob signal. He then uses GNU Radio to demodulate the ASK signal into a binary modulated waveform that he can replay later.

Anthony tested this technique on two cars and a truck and was successful at unlocking the doors all three times.

RTL-SDR receiving a BMW keyfob signal at 315 MHz in HDSDR.
11 Comments
Taylor

I understand that jamming is illegal in the US but redacting this completely defeats the purpose of open source community posts. I remember back in the BBS days when we just put little disclaimers and then exercised our freedom of speech. Grow some balls and post your code, otherwise, it’s all just hot air for the masses. Proof, or it didn’t happen.

MS

Can you please get in contact with me.

Cookins

How can the receiver hear the code if the jammer works on the same frequency at the same time?

Xantematos

Hello, does anyone have a scheme to build a rolljam or to configure it with an Arduino? Naturally this doesn’t mean I want to steal from people 😉 it is intended only for educational purposes. I have the material, but I need the scheme to start working. Can anyone please give me one? Thanks.

Anthony @tech

@snn47
@SDR-User

Anthony here, I have redacted quite a bit of information but the POC is still there.
I have mentioned in my blog post:

- By using the capture device above (we’ll call this veh1), attach a magnet on it so that it can go underneath a vehicle where eyes can’t see.
- When the adversary key fob signal is captured and demodulated, we want to send this signal over a mesh network.
- Wifi/bluetooth isn’t going to be long enough to pull a signal; I used LoRa wireless communication, which can work up to 15 miles at a low data rate.
- veh1 connects to its central hub and will post its binary modulated waveform, which is low data.
- Building a packet-like network would be best, giving each device a name so you can build a system of these and know which car is which.
- Data comes into the hub: vehicle name, color, location, and data for the replay attack.
- Place this on any car(s), and the central hub will be filled in a matter of minutes.

snn47

Is this scenario a practical attack scenario? We can always use the mechanical car key to unlock the door 🙂

The jammer has to be stronger to block the signal from the key; however, the thief has to be close enough to the owner to receive the signals from the car key, so that the jamming signal won’t jam the car key signal in the thief’s receiver.

I am on average only 5 to 10 m away from the car when I use a key. If the thief’s receiver is on the opposite side from me/the car, the jammer will be stronger than my car key’s signal.
Less jamming EIRP would suffice if the owner tried to unlock from a larger distance, but then the car key signals would be weaker, unless the thief stays close to the owner.

How is the jammer activated? I assume constant jamming would impact cars close by and could therefore arouse suspicion.

Francesco Pham

I replayed the signal once using a raspberry pi

SDR-User

Not a practical attack!

Think about it: victim goes to the car to unlock – you jam the signal – victim presses unlock again, still jammed, you replay the first signal, car unlocks.

Driver gets inside his or her car and goes home, presses lock.
The hacker’s recorded signal is rendered useless as the code has hopped.

fjim

Think about it: victim leaves the car instead.

Anonymous

Don’t think there is a car that would have the same button/command for lock/unlock…

Anonymous

Most cars have two (or more) remotes. People sometimes push the unlock button on their remote several times while they are away from their car (also, lock and unlock are used several times to make the horn blow and lights flash; it helps you find your car in a parking lot). Each vehicle has a group of about 50 codes (and I assume that is per transmitter key fob) that could unlock the door. It needs to be able to receive codes from at least two different key fobs. Because of this, it would be quite possible to use an unused (jammed) code for up to two or three days before the code would expire.