The security of car remote systems has long been taken for granted by many vehicle owners. However, recent revelations by security researchers have brought to light significant vulnerabilities that could compromise the security of millions of vehicles. One such vulnerability is exploited by a device known as RollJam, demonstrating a critical flaw in widely used car remote technology. This article delves into the workings of RollJam, the extent of its potential impact, and what it means for the security of your vehicle.
RollJam, conceived by security researcher Samy Kamkar, is a device designed to intercept and bypass the rolling codes used in many car and garage door remote systems. These rolling codes are intended to enhance security by changing with each use, preventing replay attacks where a captured code is reused to unlock a vehicle or door. However, RollJam cleverly circumvents this security measure.
When a car owner attempts to unlock their vehicle with their key fob while RollJam is active, the device jams the signal, preventing the car from receiving the unlock command initially. Simultaneously, RollJam intercepts the transmitted code. Thinking their first attempt might have failed, the car owner typically presses the unlock button again. RollJam then allows the second unlock signal to reach the car, successfully unlocking it. Crucially, in this process, RollJam has captured two rolling codes: the first, jammed code, and the second, successfully used code. It stores the first code, which is now a valid, unused code in the rolling sequence.
This stored code is the key to future unauthorized access. As Kamkar explains, “It will always do the same thing, and always have the latest code. And then I can come at night or whenever and break in.” The attacker, possessing this valid code, can later return and unlock the vehicle at their convenience. This method effectively renders the rolling code system ineffective, as RollJam always ensures a fresh, usable code is available for intrusion.
Kamkar’s testing of RollJam has revealed vulnerabilities in a wide range of vehicles and security systems. Makes like Nissan, Cadillac, Ford, Toyota, Lotus, Volkswagen, and Chrysler, along with Cobra and Viper alarm systems and Genie and Liftmaster garage door openers, have been shown to be susceptible to this type of attack. This widespread vulnerability is attributed to the chips used in these systems, namely the KeeLoq system from Microchip and Hisec chips from Texas Instruments. Millions of vehicles and garage doors employing these chips could be at risk.
Responses from manufacturers to these findings have been varied. While Liftmaster and Volkswagen declined to comment, and Viper indicated they were investigating, Cadillac acknowledged the RollJam method as “well-known” to their cybersecurity experts. However, Cadillac suggested that this vulnerability primarily affects older models, claiming that “recent/current Cadillac models have moved to a new system.”
It’s important to note that Kamkar is not the originator of this type of jamming and replay attack. Security researcher Spencer Whyte had previously demonstrated a similar device and technique. Kamkar’s RollJam refines this approach by automating the attack and eliminating the need for a laptop connection, making it a more practical and readily deployable threat. Furthermore, Kamkar intended to publicly release the code for RollJam, amplifying awareness of this vulnerability and potentially prompting quicker action from manufacturers.
The vulnerability highlighted by RollJam isn’t insurmountable. Kamkar points out that newer versions of KeeLoq chips, known as Dual KeeLoq, incorporate expiring codes, which effectively neutralize this attack. These Dual KeeLoq systems invalidate codes after a short period, preventing the kind of replay attack RollJam relies on. Kamkar’s goal with RollJam is to urge car and garage door manufacturers to adopt these more secure systems with expiring codes.
He draws a parallel to online security, noting that two-factor authentication systems like Google Authenticator and RSA SecurID have long employed rapidly expiring codes. In contrast, the continued use of non-expiring rolling codes in vehicle remote systems represents a significant security gap. RollJam serves as a stark demonstration of this deficiency, acting as a “gauntlet” thrown down to the automotive industry to prioritize and implement robust security upgrades.
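The receiver-side difference between a plain rolling code and an expiring one can be modelled in a few lines. This is an added example, not Kamkar's code or any vendor's implementation: HMAC-SHA256 stands in for the chips' actual cipher, and the key, message layout, counter window and 5-second lifetime are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared secret, not a real fob key
LOOKAHEAD = 16                 # assumed: how far ahead of the last counter is accepted
TAG_LEN = 8                    # assumed: truncated MAC length in bytes

def _tag(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:TAG_LEN]

def fob_code(counter: int, sent_at: int) -> bytes:
    """Code = counter || send time || MAC (layout is an assumption)."""
    payload = struct.pack(">IQ", counter, sent_at)
    return payload + _tag(payload)

class Receiver:
    def __init__(self, max_age=None):
        self.last_counter = 0
        self.max_age = max_age  # None models a receiver with no code expiry

    def accept(self, code: bytes, now: int) -> bool:
        payload, tag = code[:-TAG_LEN], code[-TAG_LEN:]
        if len(payload) != 12 or not hmac.compare_digest(tag, _tag(payload)):
            return False  # malformed or not produced with the shared key
        counter, sent_at = struct.unpack(">IQ", payload)
        if not self.last_counter < counter <= self.last_counter + LOOKAHEAD:
            return False  # already used, or outside the counter window
        if self.max_age is not None and abs(now - sent_at) > self.max_age:
            return False  # authentic and unused, but too old
        self.last_counter = counter
        return True

def withheld_code_result(max_age, delay=6 * 3600):
    """Present a code the receiver never saw, `delay` seconds after it was sent."""
    rx = Receiver(max_age)
    code = fob_code(counter=1, sent_at=1_000)
    return rx.accept(code, now=1_000 + delay)

if __name__ == "__main__":
    print("no expiry, 6 h later:  ", withheld_code_result(None))
    print("5 s expiry, 6 h later: ", withheld_code_result(5))
    print("5 s expiry, 1 s later: ", withheld_code_result(5, delay=1))
```

The counter check alone stops a code from being used twice, but it has no notion of how long ago an unused code was transmitted; the age check is what closes that gap.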
The core message is clear: relying solely on standard rolling codes without code expiration is no longer sufficient to secure vehicles in the face of evolving attack methods. As Kamkar himself states, “My own car is fully susceptible to this attack. I don’t think that’s right when we know this is solvable.” The existence of devices like RollJam underscores the urgent need for enhanced security measures in car remote systems to protect vehicle owners from potential theft and unauthorized access.