Using an RTL-SDR and RPiTX to Unlock a Car with a Replay Attack

Over on YouTube user ModernHam has uploaded a video showing how to perform a replay attack on a car key fob using a Raspberry Pi running RPiTX and an RTL-SDR. A replay attack consists of recording an RF signal, and then simply replaying it again with a transmit capable radio. RPiTX is a program that can turn a Raspberry Pi into a general purpose RF transmitter without the need for any additional hardware.

The process is to record a raw IQ file with the RTL-SDR, and then use RPiTX V2's "sendiq" command to transmit the exact same signal again whenever you want. With this set up he's able to unlock his 2006 Toyota Camry at will with RPiTX.

We note that this sort of simple replay attack will only work on older model cars that do not use rolling code security. Rolling code security works by ensuring that an unlock transmission can only be utilized once, rendering replays ineffective. However, modern rolling code security systems are still susceptible to 'rolljam' style attacks.

In the video below ModernHam goes through the process from the beginning, showing how to install the RTL-SDR drivers and RPiTX. Near the end of the video he shows the replay attack in action.

Unlock Cars with a Raspberry Pi And SDR - Replay attack

10 comments

  1. Jake Brodsky, AB3A

    This attack is older than most of you may realize. Nuts and Volts magazine used to have ads from firms who sold such devices back in the early 1990s. The FCC shut down those firms because the devices violated FCC Part 15 rules. Note that most of these key-fobs operate at 434 MHz and must adhere to 47CFR15.240(b) (no more than 60 seconds of transmit air time and at least 10 seconds between transmissions). The devices took longer than that to cycle through all the various codes. If I recall correctly, it was something like five minutes.

    I’m not thrilled with projects like this. The argument about demonstrating a security weakness would be stronger if this were a novel attack –which it is not. You might as well argue that we should all build slim jims to show how weak old automobile lock systems were. This attack has been known for decades. Aside of the price and methods, I don’t think anything is new here. I do not think we should encourage others to emulate this.

    Those are my ethics. You are welcome to argue for yours.

  2. Steve Kurtzman

    Giving hams everywhere a bad name… Yes hams are encouraged to experiment, but this serves no useful purpose. Unethical in my opinion. SAD

    • Elmer FUD

      Steve Kurtzman… YOU are sad, if you truly can’t think of ONE possible use for this? You’re probably one of those people that tattles to the FCC about some old man’s use of the word “crap” on air. Or screams at some kid that just got his ticket because he’s working the repeater with a Baofeng he just bought with his allowance money. If something doesn’t go exactly the way you want it to, it’s “giving hams everywhere a bad name”… Get real. THIS is what it’s always been about: Learning, experimenting, exploring, discovering, and sharing something cool with the other nerds that share your interests. I’ll bet my next paycheck you were one of those people ten years ago worried about ham radio, complaining that fewer and fewer people were getting their ticket. Get real!

      • Steve Kurtzman

        Wow Elmer, you assume a lot! Did I not mention that hams are encouraged to experiment? Why not emphasize one of those many other uses you mention? Showing new aspiring teenager hams how to inexpensively break into vehicles is unethical. YMMV

          • Steve Kurtzman

            It’s fine to alert the public. I have in the past regarding relay attacks. But you don’t need to explain details of how to build such a device in order to alert the public. All though old news in this case, it remains unethical, as would an article regarding building devices for attacks on current keyless entry systems.

            • Bill

              I don’t think showing a video on recording a digital key from my car key, and then transmitting it over a non-ham band is giving hams a bad name. Im highly doubtful people are now thinking “Ham radio operators, oh those guys breaking into people cars!”. It just seems out of touch with reality and general excuse to just be upset. Going back to your original comment you said hams are encouraged to experiment, but this isn’t “useful”. How much of ham radio is useful these days, especially with experiments? If we cut out everything that wasn’t useful, you’d pretty much eliminate the whole hobby. It has it’s usefulness for prepping if the grid goes down. So we might as well stop contesting, it’s not usefull. Digital modes too, who has time for a computer.

Leave a Reply to Elmer FUD Cancel reply

You may use the following HTML:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.