Hacking Rolling Code Keyfobs

 


Most keyfobs out there that open cars, garage doors, and gates use a rolling code for security. This works by transmitting a different key every time you press the button. If the keys line up, the signal is considered legitimate and the door opens.

[Spencer] took a look into hacking rolling code keyfobs using low-cost software-defined radio equipment. There are two parts to this attack. The first involves jamming the frequency the keyfob transmits on while recording using an RTL-SDR dongle. The jamming signal prevents the receiver from acknowledging the request, but it can be filtered out using GNU Radio to recover the key.

Since the receiver hasn’t seen this key yet, it will still be valid. By replaying the key, the receiver can be tricked. To pull off the replay, GNU Radio was used to demodulate the amplitude shift keying (ASK) signal used by the transmitter. This was played out of a computer sound card into an ASK transmitter module, which sent out a valid key.

Keyless BMW cars prove to be very easy to steal

A lot of higher-end cars are now coming out with RF fobs that unlock and start the car. There is no longer a physical key that is inserted in the ignition. It turns out that for BMW this means stealing the cars is extremely easy for a sophisticated criminal. We always liked the idea of metal keys that ALSO had a chip in them. The two-tiered security system makes sense to us, and would have prevented (or at least slowed down) the recent rash of BMW thefts that are going on in the UK.

So here’s the deal. A device like the one seen above can be attached to the On-Board Diagnostic (OBD) port of the vehicle. It can then be used to program a new keyfob. This of course is a necessary feature to replace a lost or broken device, but it seems the criminals have figured out how to do it themselves. Now the only hard part is getting inside the car without setting off the alarm. According to this article there are ultrasonic sensors inside which are designed to detect intrusion and immobilize the vehicle. But that’s somehow being circumvented.

You can check out a keyfob programming demo, as well as actual theft footage, after the break.
