Samy Kamkar Rolljam

Digital security researcher Samy Kamkar has been on a car-hacking kick lately. Last week, he revealed a homebuilt device that can intercept signals from the General Motors OnStar smartphone app to track, unlock, and remote-start a car connected to the app. Now, he’s showing off something even more sinister: A $30 device that can copy the coded signal from just about any car’s remote key fob, allowing him to lock or unlock the car on a whim.

As TechInsider reports, Kamkar’s latest toy takes advantage of a rather old vulnerability in car keyless entry systems. Most remotes use rolling codes to communicate with the car—meaning that the remote sends a different coded signal every time you push the button. This is meant to prevent bad guys from copying the remote’s code to create a dummy remote. Most remote garage door openers operate on the same principle.

But there’s a catch: Most automakers don’t set an expiration date for the previously-used codes. While a single code can’t be used twice, if a code never reaches the car in the first place, it’s still valid.

That’s where Kamkar’s little device comes in. Named RollJam, the wallet-sized gizmo can be hidden on or underneath the target car. When the owner pushes the remote unlock button, the device detects the remote signal and jams it, preventing the car from hearing the signal. Since the car hasn’t unlocked, the owner pushes the Unlock button a second time. The RollJam device records the second code, and sends the first code to the car. The car is unlocked, but the device has a stolen second code that never reached the car—one that can be used at a later date by the bad guys to unlock the car.
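A toy model of the receiver logic the article describes, added here as an illustration (it is not Kamkar's device or any automaker's code). It assumes a forward counter window of 16 and that a fob can stamp each code with the time it was sent, so a receiver can expire stale codes, which is the fix the article says the industry has known about; with no expiry, the second captured code stays valid indefinitely.

```python
"""Constructed model of a rolling-code receiver for the RollJam scenario.
Codes are (counter, issued_at) pairs. The receiver accepts any counter ahead of
the last one it saw, within WINDOW; that is what keeps a captured but
never-delivered code valid unless the receiver also enforces an age limit."""
from dataclasses import dataclass

WINDOW = 16  # how far ahead of the last-seen counter a code may be (assumed)


@dataclass(frozen=True)
class Code:
    counter: int      # rolling counter the fob increments on every press
    issued_at: float  # seconds at which the fob sent it (assumed timestamp field)


class Receiver:
    def __init__(self, max_age=None):
        self.last = 0            # last accepted counter
        self.max_age = max_age   # None: no expiry (status quo); else seconds

    def accept(self, code, now):
        # Rolling-code check: a reused or out-of-window counter is rejected.
        if not (self.last < code.counter <= self.last + WINDOW):
            return False
        # Hardened receiver: a code older than max_age is rejected even if
        # its counter has never been seen.
        if self.max_age is not None and now - code.issued_at > self.max_age:
            return False
        self.last = code.counter
        return True


def rolljam_scenario(max_age=None):
    """Replay the press/jam/forward sequence from the article.

    Returns (car opened at the time of the second press,
             replayed second code accepted an hour later)."""
    rx = Receiver(max_age)
    # Press 1 at t=0: jammed and captured, never reaches the car.
    c1 = Code(counter=1, issued_at=0.0)
    # Press 2 at t=2: jammed and captured; the device forwards c1 instead.
    c2 = Code(counter=2, issued_at=2.0)
    car_opened = rx.accept(c1, now=2.0)
    # An hour later the stored second code is replayed against the car.
    replay_ok = rx.accept(c2, now=3600.0)
    return car_opened, replay_ok


def legitimate_press_after_expiry(max_age=30.0):
    """A fresh press still works on the hardened receiver after the scenario."""
    rx = Receiver(max_age)
    rx.accept(Code(counter=1, issued_at=0.0), now=2.0)
    return rx.accept(Code(counter=3, issued_at=3600.0), now=3600.0)
```

With no expiry the replay succeeds; with a 30-second limit the forwarded first code still opens the car but the stale second code is refused, while a genuine later press is unaffected.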

Kamkar hasn’t given away all the details of the device—he’s saving that for a talk on Friday at the Defcon hacking convention in Las Vegas. But as he explained to TechInsider, it’s nothing new:

“This has been sort of a theoretical attack for many, many years. This is not by any means brand new or a big surprise. The problem is no one has really demonstrated it, which is funny because the solution to this problem has been known about for more than 20 years online and has been written about many times, but again no one has demonstrated it.”

Kamkar explains that it’s the companies that make the keyless-entry computer chips, not the automakers themselves, that have ignored this vulnerability for so long. He says he knows of at least one chipmaker that has fixed the issue, although the exploit worked on multiple cars he tested—including a Lotus Elise, which was the main vehicle he used to test the hack.

Hopefully, by revealing the vulnerability in more detail at Defcon this week, Kamkar will give the industry the kick in the pants needed to fix this problem—similar to how FCA was finally prodded into fixing the vulnerability that let hackers take control of a Jeep Cherokee in a widely-reported story last month.

This story originally appeared on roadandtrack.com.