Car Unlock Scanner: Exposing Key Fob Vulnerabilities

A security researcher has unveiled a device, dubbed RollJam, that acts as a sophisticated Car Unlock Scanner, exploiting vulnerabilities in keyless entry systems of numerous vehicles. This revelation underscores a significant weakness in modern car security, potentially putting millions of car owners at risk. The RollJam device, created by Samy Kamkar, showcases how easily attackers can bypass rolling code protections, which are designed to prevent replay attacks on car and garage door openers.

The core function of RollJam is to intercept and jam the signals between a key fob and a vehicle. When a car owner presses their key fob to unlock their car, RollJam springs into action. It jams the signal so that it does not reach the car and, at the same time, records it. Crucially, it also records the subsequent unlock code sent by the key fob. This “man-in-the-middle” attack leaves the attacker with a valid, unused unlock code ready for later use, even though the car owner successfully unlocked their vehicle.

Kamkar explains that RollJam is designed to be discreet and persistent. It can be attached to a vehicle or hidden nearby, allowing it to continuously intercept signals. Every time the car owner uses their key fob, RollJam will jam the signal, record two codes, use the first to allow the unlock to proceed, and store the second, fresh code. This ensures that the attacker always has a valid code to unlock the vehicle at their convenience. “It will always do the same thing, and always have the latest code,” Kamkar stated, highlighting the device’s efficiency in maintaining an up-to-date access key.

The researcher tested RollJam on a range of vehicles from major manufacturers, including Nissan, Cadillac, Ford, Toyota, Lotus, Volkswagen, and Chrysler. Alarm systems from Cobra and Viper, as well as garage door openers from Genie and Liftmaster, were also found to be vulnerable. Kamkar estimates that millions of vehicles and garage doors could be susceptible to this type of attack. He attributes the underlying issue to the widespread use in these devices of chips such as the KeeLoq system from Microchip and Hisec chips from Texas Instruments.

Responses from car manufacturers have been varied. While Liftmaster and Volkswagen declined to comment, and Viper indicated they were investigating, Cadillac acknowledged awareness of the jamming method. A Cadillac spokesperson suggested that this vulnerability primarily affects older models, claiming that newer Cadillac vehicles have transitioned to more secure systems. However, Kamkar’s demonstration raises concerns about the security of a significant number of vehicles currently on the road.

It is worth noting that Kamkar is not the first to explore this type of vulnerability. Security researcher Spencer Whyte had previously described a similar device. However, Kamkar’s RollJam is designed for greater automation and ease of use, removing the need for a laptop connection. Kamkar plans to release the code for RollJam on GitHub, aiming to make this research accessible and push for quicker security improvements within the automotive industry.

The vulnerability RollJam exploits highlights a critical gap in security protocols. While Cadillac suggests newer vehicles are safer, Kamkar points to a readily available solution: the latest Dual KeeLoq chips. These chips utilize expiring codes, which effectively neutralize the RollJam attack by rendering intercepted codes useless after a short period. Kamkar’s intention with RollJam is to urge car and garage door manufacturers to adopt this upgrade to expiring codes, thereby protecting their customers from such interception attacks.

Drawing a parallel with online security, Kamkar emphasizes the discrepancy between car security and internet security practices. Two-factor authentication systems like Google Authenticator and RSA SecurID utilize rapidly expiring codes for enhanced security. In contrast, millions of cars rely on systems with non-expiring rolling codes, leaving them vulnerable. Kamkar argues that the RollJam demonstration serves as a clear call to action for the automotive industry to prioritize and implement robust security measures, such as expiring codes, to safeguard vehicles from these increasingly sophisticated threats. “This is throwing the gauntlet down and saying, ‘here’s proof this is a problem,’” Kamkar concludes, stressing the urgency of addressing this vulnerability. “My own car is fully susceptible to this attack. I don’t think that’s right when we know this is solvable.”
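
To make the difference between non-expiring rolling codes and expiring codes concrete, here is an added example (not Kamkar's RollJam code and not any vendor's implementation) that models only the receiver's acceptance logic. It substitutes HMAC-SHA256 for the KeeLoq cipher, and the key, the counter window and the 30-second lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared secret, not a real fob key
WINDOW = 16                    # assumed counter look-ahead the receiver tolerates
LIFETIME = 30                  # assumed validity period of an expiring code (s)


def fob_press(counter, now):
    """Message a modelled fob sends: (counter, timestamp, authentication tag)."""
    tag = hmac.new(KEY, struct.pack(">QQ", counter, now), hashlib.sha256).digest()
    return counter, now, tag


class Receiver:
    def __init__(self, expiring):
        self.expiring = expiring  # True: codes also carry a bounded lifetime
        self.last_counter = 0

    def accept(self, message, now):
        counter, sent_at, tag = message
        expected = hmac.new(KEY, struct.pack(">QQ", counter, sent_at),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted message
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return False  # already-used code, or too far ahead of the receiver
        if self.expiring and abs(now - sent_at) > LIFETIME:
            return False  # authentic and unused, but past its lifetime
        self.last_counter = counter
        return True


def withheld_code_outcome(expiring, delay):
    """One code reaches the receiver; the next is presented `delay` s late."""
    rx = Receiver(expiring)
    first = fob_press(1, now=1000)
    second = fob_press(2, now=1005)              # never seen when it was sent
    delivered = rx.accept(first, now=1005)       # owner's unlock goes through
    replayed = rx.accept(first, now=1006)        # a used code is always refused
    late = rx.accept(second, now=1005 + delay)   # the unused code, shown later
    return delivered, replayed, late
```

With `delay=3600` the non-expiring receiver still accepts the unused code, while the expiring receiver refuses it; with `delay=10` the expiring receiver accepts it too, which shows that the lifetime bounds the exposure window rather than removing it.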
