The security of modern vehicles is a growing concern, especially with the increasing sophistication of car theft techniques. A device known as RollJam has exposed a significant vulnerability in keyless entry systems, demonstrating how easily a “scanner” can be used to unlock cars. This article delves into the workings of RollJam, the extent of its threat, and what this means for car owners and manufacturers.
RollJam, created by security researcher Samy Kamkar, is a small, inconspicuous device that intercepts and defeats the rolling codes used in many keyless entry systems. These systems change the unlock code every time the key fob is pressed, so that a recorded code cannot simply be replayed. RollJam circumvents this mechanism. When a car owner presses the key fob, RollJam jams the signal so the car never receives it and records the code. Seeing no response, the owner presses again; RollJam jams and records that second code as well. It then replays the first intercepted code to unlock the car (or garage door), while storing the second code for future unauthorized access. This means that even if the owner presses the key fob multiple times, RollJam will always hold a valid, unused code that can unlock the vehicle at a later time.
[Figure: RollJam intercepting two rolling codes from a key fob. The first code unlocks the car; the second is stored for later unauthorized access.]
Kamkar’s research has shown that a wide range of vehicles are susceptible to this type of attack. He successfully tested RollJam on vehicles from major manufacturers including Nissan, Cadillac, Ford, Toyota, Lotus, Volkswagen, and Chrysler. Furthermore, the vulnerability extends beyond cars to include garage door openers from brands like Genie and Liftmaster, as well as alarm systems such as Cobra and Viper. The widespread nature of this issue points to a deeper problem within the automotive and security industries.
The root cause of this vulnerability, according to Kamkar, lies in the chips used by many of these manufacturers. Specifically, the Keeloq system sold by Microchip and the Hisec chips from Texas Instruments are implicated. These chips, while designed for rolling code security, appear to lack a critical feature: code expiration. Without code expiration, once a code is intercepted and stored, it remains valid indefinitely until used.
Industry responses to the RollJam revelation have been varied. Cadillac acknowledged the vulnerability as “well-known” but suggested it primarily affects older models, claiming newer Cadillac vehicles have adopted more secure systems. Other companies like Liftmaster and Volkswagen declined to comment, while Viper stated they were investigating Kamkar’s findings. This range of reactions highlights the differing levels of awareness and preparedness within the automotive industry regarding these types of scanner-based attacks.
[Figure: The RollJam device, a small electronic circuit board that intercepts car key fob signals.]
It’s important to note that Kamkar was not the first to explore this type of vulnerability. Security researcher Spencer Whyte had previously demonstrated a similar “delay attack” method. However, Kamkar’s RollJam device is more refined and automated, eliminating the need for a laptop connection during the attack. By planning to release the code for RollJam on GitHub, Kamkar aims to raise awareness and pressure manufacturers to address this security gap.
The solution to this vulnerability, as Kamkar and Cadillac suggest, lies in upgrading to more advanced security systems. The latest version of Keeloq chips, known as Dual Keeloq, incorporates code expiration. This system invalidates codes after a short period, effectively thwarting RollJam-style attacks. This approach mirrors the two-factor authentication systems used in online security, where codes expire within seconds, significantly enhancing security.
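The difference code expiration makes on the receiver side can be modelled in a few lines. This is an added example, not Kamkar's code or any vendor's firmware: HMAC-SHA256 stands in for the chip's cipher, and the timestamp binding, `WINDOW`, `MAX_AGE` and all names are assumptions made for illustration, not the actual Dual Keeloq design.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed secret shared by fob and receiver
WINDOW = 16    # assumed: how far ahead of the last counter a code may be
MAX_AGE = 5    # assumed: lifetime in seconds of a code in the expiring scheme


def _tag(payload):
    # HMAC-SHA256 stands in for the chip's cipher; it is not KeeLoq.
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:8]


def fob_code(counter, pressed_at=None):
    """Code sent on a button press; pressed_at is bound in when codes expire."""
    payload = struct.pack(">I", counter)
    if pressed_at is not None:
        payload += struct.pack(">I", pressed_at)
    return payload + _tag(payload)


class Receiver:
    def __init__(self, expiring):
        self.expiring = expiring
        self.last_counter = 0

    def accept(self, code, now):
        size = 8 if self.expiring else 4
        payload, tag = code[:size], code[size:]
        if len(payload) != size or not hmac.compare_digest(tag, _tag(payload)):
            return False                      # forged or malformed
        counter = struct.unpack(">I", payload[:4])[0]
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return False                      # already used, or too far ahead
        if self.expiring and abs(now - struct.unpack(">I", payload[4:])[0]) > MAX_AGE:
            return False                      # authentic but stale
        self.last_counter = counter
        return True


def withheld_code_accepted(expiring, delay):
    """Code 1 reaches the receiver; code 2 is presented `delay` seconds later."""
    rx, t0 = Receiver(expiring), 1000
    first = fob_code(1, t0 if expiring else None)
    second = fob_code(2, t0 + 1 if expiring else None)
    if not rx.accept(first, t0 + 1):
        raise RuntimeError("first code should be accepted")
    return rx.accept(second, t0 + 1 + delay)
```

With a counter-only receiver the withheld code is still accepted an hour later; with the expiring variant it is rejected once it is older than `MAX_AGE`, while a code presented within that lifetime still works.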
In conclusion, RollJam serves as a stark reminder of the vulnerabilities present in current keyless entry systems. This scanner-based exploit underscores the urgent need for automotive manufacturers to move beyond basic rolling codes and implement more robust security measures, such as code expiration. For car owners, this revelation emphasizes the importance of being aware of potential car theft techniques and advocating for enhanced vehicle security from manufacturers. The demonstration by RollJam is a clear call to action for the automotive industry to prioritize and improve the security of keyless entry systems, protecting vehicles from these increasingly sophisticated attacks.