How Do Car Remote Rolling Codes Work?

A rolling-code system is a common way to secure keyless entry. The remote generates a new code every time it is used, and the old code is discarded so it can never be accepted again.

This is meant to prevent replay attacks. In some implementations, however, an attacker can send previously captured codes in sequence until the receiver resynchronizes its counter. Once that happens, the codes from the previous cycle are accepted again, which reopens the door to replay.

Pseudo-random number generator (PRNG)

Pseudorandom numbers are used in a wide variety of applications, from games to computer security. Beyond adding unpredictable elements to an experience, random numbers are essential to cryptographic algorithms, which must produce codes that cannot be predicted or guessed.

Pseudorandom numbers are produced by pseudo-random number generators (PRNGs). These algorithms are also called digital random number generators or deterministic random bit generators (DRBGs), and they produce a sequence of numbers from an initial value, known as the seed, together with any other inputs they are given.

In cars, the rolling-code feature keeps the key fob in sync with the vehicle’s internal PRNG so that each button press produces a unique code. Because no code repeats, a captured code cannot simply be played back, which is what defeats a basic replay attack.

However, researchers Kevin2600 and Wesley Li found that Honda vehicles are vulnerable to a “Counter Resynchronization” attack, or Rollback, which lets an attacker re-synchronize the car’s PRNG by replaying previous codes, even ones the vehicle’s counter has already marked invalid. This amounts to “rolling back” the vehicle’s internal pseudo-random number generator, and once the attacker holds the captured codes it can be repeated at any point in the future without starting over.

This is a particularly dangerous problem because it can give an attacker access to the vehicle regardless of whether the owner has used the key fob recently. The attack works by recording the fob’s signals and then replaying a series of codes that were valid during the captured period.

While this sounds easy enough, it’s not. The attacker has to capture the vehicle’s counter value, which is usually a 24-bit number. The first 12 bits are the code and the remaining 8 bits are a command, such as unlock or lock.

The attacker needs to know when the next valid code has not yet been consumed by the vehicle, and then capture that unused code before the car does. This is why RollJam is so difficult to pull off: it is extremely sensitive to timing.

Syncing

Syncing, in general, is a process that lets two devices, such as a computer and a phone, share data. It is often used to keep content such as music and videos up to date. Syncing can also slow a computer down, and it can cause version-control issues and a bloated system.

In the case of a car remote, the code generated by the key fob is transmitted to the car’s receiver, which authenticates the message and then unlocks the door. This process prevents someone from sending a code that locks or unlocks the car without the owner’s permission.

To do this, the car’s receiver must run the same algorithm, with the same secret, as the key fob. This ensures that each time the key fob produces a new code, the receiver can compute the same code and verify it.

But a flaw in the rolling-code system makes it possible for an attacker to launch a replay attack against it. This is known as a RollJam attack.

According to a report by The Next Web, an attacker can capture the signal of a Honda remote-access fob as it sends an unlock command. Once captured, the attacker can use a HackRF software-defined radio (SDR) to eavesdrop on it and send out a command that resets the sync counter on the fob.

Once an attacker can capture the synchronization counter on the remote-access fob, it is easy to reset it to the wrong value. In this way, the attacker can unlock any Honda vehicle that has had a remote-access fob paired since 2012.

Another way to break a rolling-code system is to replay signals that the attacker has already captured. Playing the captured signals back to the vehicle causes it to re-synchronize with the counter values contained in the replayed signals.

These signals can be replayed repeatedly until the vehicle accepts one, which unlocks the car. If the attacker has captured enough valid signals, they can launch a replay attack on the vehicle at any time in the future without having to start from scratch.

Encryption

To prevent car remote codes from being stolen, rolling codes must be generated and transmitted in a deterministic but unique manner. This means that a new code must be created and transmitted every time the user presses a button on their key fob.

Traditionally, rolling codes are generated with a pseudo-random number generator (PRNG). Given a seed, the PRNG deterministically produces successive numbers; each transmitted number is then checked against the sequence counters of the transmitter and the receiver to decide whether the code is valid.

However, these systems are susceptible to replay attacks and have been abused in various ways. For example, if an attacker jams the transmitting frequency with a device such as an RTL-SDR dongle, they can intercept the transmissions and recover the codes that were sent. Another way to obtain a car remote rolling code is to record the key fob’s transmissions and play them back later.

This is called a Challenge Forward Prediction attack. It works by recording the interrogation messages the vehicle’s transceiver sends whenever the door handle is pulled. An intruder then approaches the key fob in the owner’s pocket and uses the recorded messages to predict the next interrogation message.

The car’s transceiver and the key fob then synchronize to create a new code. Each time a new code is generated, the two devices exchange it and stay in sync until the next code is transmitted.

As a result, the probability that an attacker finds a compatible remote and transmits a code that unlocks the vehicle is very low. Even a thief with access to an entire library of possible codes would find it very difficult to hit on a valid one.

In fact, it has been estimated that a thief could need to try rolling codes for up to a billion cars before finding one that worked. That is a long time to wait for the right code to come along.

Security

When you press a button on your remote, it generates a code that is transmitted to the car’s receiver. The receiver checks the code and, if it matches, unlocks the door. If it does not match immediately, the receiver rolls forward through a sequence of expected values, looking for the next valid code that should unlock the door.

One of the most important security properties of car remote rolling codes is that they are derived from pseudo-random number generators. These PRNGs are a safe and effective way to generate unpredictable codes for the car remote.

However, there is still a slight weakness in the design of these systems. With a simple replay attack, a thief could record a signal that had been sent to the vehicle and play it back at another time. The thief would need access to the car or the transmitter in order to decipher the code.

Fortunately, some newer car remote systems use cryptographic rolling codes that prevent this type of replay attack. These systems encrypt a set of 256 codes, making it difficult for a thief to break the encryption.

For instance, the rolling-code system in Honda vehicles is designed so that after each key fob button press a counter is incremented, which should stop an attacker from replaying a command that has already been sent and received. The problem is that the counter can then be resynchronized, after which the commands from the previous cycle of the counter work again.

These counters are synchronized at a rate that is typically 255 iterations from the initial 256-code seed. This means a thief would need many different compatible remotes in order to unlock the vehicle.
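To make the counter-and-window logic from this section (and the syncing explanation above) concrete, here is a small Python simulation added to this page. It is not Honda’s or any manufacturer’s code. It assumes a fob and receiver that share a secret key, uses an HMAC over the counter and command as a stand-in for the fob’s PRNG, sends the counter in the clear beside the code (a simplification; real systems usually encrypt it), and uses a constructed look-ahead window of 16. The `allow_rollback` flag is a constructed model of the weak resynchronization policy described above, shown beside the strict policy that rejects any counter at or below the last one accepted.

```python
import hashlib
import hmac

# Constructed demo values: not a real key, not a real window size.
DEMO_KEY = b"constructed-shared-secret-for-demo"
LOOKAHEAD_WINDOW = 16


def rolling_code(key: bytes, counter: int, command: str) -> bytes:
    """Derive the code for one button press from the shared key, the counter
    and the command. The keyed hash is an assumption standing in for the fob's
    PRNG/keystream: it only needs to be unpredictable without the key and
    identical on both ends."""
    message = counter.to_bytes(4, "big") + command.encode("ascii")
    return hmac.new(key, message, hashlib.sha256).digest()[:8]


class Fob:
    """Transmitter side: increments its counter on every press."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def press(self, command: str):
        self.counter += 1
        # Frame = (counter, command, code). Sending the counter in the clear
        # is a simplification of real systems, which usually encrypt it.
        return (self.counter, command, rolling_code(self.key, self.counter, command))


class Receiver:
    """Vehicle side: remembers the last accepted counter and a look-ahead
    window. allow_rollback=True models the weak resynchronization policy
    in which an older counter can become current again (constructed)."""

    def __init__(self, key: bytes, window: int = LOOKAHEAD_WINDOW,
                 allow_rollback: bool = False):
        self.key = key
        self.window = window
        self.allow_rollback = allow_rollback
        self.last_counter = 0

    def accept(self, frame) -> bool:
        counter, command, code = frame
        expected = rolling_code(self.key, counter, command)
        if not hmac.compare_digest(code, expected):
            return False  # not produced by the shared algorithm and key
        if counter <= self.last_counter and not self.allow_rollback:
            return False  # already consumed: this is a replay
        if counter > self.last_counter + self.window:
            return False  # too far ahead: needs explicit re-pairing (not modelled)
        self.last_counter = counter  # roll forward to the accepted counter
        return True


def demo() -> dict:
    """Run the scenarios from the text and return their outcomes."""
    results = {}
    fob = Fob(DEMO_KEY)
    strict = Receiver(DEMO_KEY)

    frames = [fob.press("unlock") for _ in range(3)]
    results["fresh"] = [strict.accept(f) for f in frames]  # every new code accepted
    results["replay"] = strict.accept(frames[0])            # counter 1 <= 3: rejected

    stranger = Fob(b"constructed-other-key")
    results["wrong_key"] = strict.accept(stranger.press("unlock"))  # code mismatch

    # Presses made out of range of the car (counters 4..8), then one in range.
    for _ in range(5):
        fob.press("lock")
    results["within_window"] = strict.accept(fob.press("unlock"))  # counter 9 is in window

    # Too many presses out of range: counter 26 exceeds 9 + 16.
    for _ in range(LOOKAHEAD_WINDOW):
        fob.press("lock")
    results["out_of_window"] = strict.accept(fob.press("unlock"))

    # Weak policy: a consumed counter is accepted again and becomes current.
    weak = Receiver(DEMO_KEY, allow_rollback=True)
    fob2 = Fob(DEMO_KEY)
    frames2 = [fob2.press("unlock") for _ in range(3)]
    for f in frames2:
        weak.accept(f)
    results["rollback_replay"] = weak.accept(frames2[0])
    results["rollback_counter"] = weak.last_counter  # rolled back to 1
    return results


if __name__ == "__main__":
    print(demo())
```

The strict receiver never moves `last_counter` backwards, so a captured frame is dead as soon as a later one has been accepted; the weak receiver shows why resynchronizing to an older counter value reopens exactly the replay the rolling code was meant to close.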

Researchers from Singapore have demonstrated an attack that works against the rolling-code system in the modern Honda vehicles they tested. By recording and replaying a couple of key fob signals, they were able to re-synchronize the system and unlock the vehicle.

They have dubbed the attack Rolling-Pwn. They claim it requires very little hardware and no jamming: the only requirement is that the attacker captures a few signals and then replays them. It is a very simple and cheap attack that has since been replicated by others.
