When car manufacturers hear Samy Kamkar’s name, they likely cringe as Kamkar has been on a car-cracking spree. About a week after he unveiled OwnStar, Kamkar was at Def Con 23 presenting “Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars.”
At the end of July, Kamkar revealed his $100 OwnStar device that could “locate, unlock and remote start any vehicle with OnStar RemoteLink after intercepting communications between the RemoteLink mobile app and OnStar servers.” GM quickly patched the OnStar app.
Then Kamkar went public with RollJam, his wallet-sized device that only costs $32 to build, yet is capable of intercepting codes that are used to unlock most vehicles and garage door openers.
Wired reported RollJam works on “Nissan, Cadillac, Ford, Toyota, Lotus, Volkswagen, and Chrysler vehicles, as well as Cobra and Viper alarm systems and Genie and Liftmaster garage door openers.” Kamkar “estimates that millions of vehicles and garage doors may be vulnerable.”
“It works against a variety of market-leading chips, including the KeeLoq access control system from Microchip Technology Inc. and the High Security Rolling Code generator made by National Semiconductor,” added Ars. “RollJam is capable of opening electronic locks on cars from Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, Volkswagen Group, Clifford, Shurlok, and Jaguar. It also works against a variety of garage-door openers, including the rolling code garage door opener made by King Cobra.”
Kamkar’s Def Con 23 talk covered “new research and real attacks in the area of wirelessly controlled gates, garages, and cars. Many cars are now controlled from mobile devices over GSM, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy).” Def Con 23 links to several “extras” from Kamkar’s talk, including a README and a list of OpenSesame goodies. In case you don't remember, Kamkar reprogrammed a child's pink toy which he dubbed OpenSesame since it could open a fixed-code garage door within seconds.
Before his Def Con presentation, Bloomberg asked Kamkar, “If you have a wireless car remote, then you’re vulnerable?”
Kamkar said, “Pretty much. If you’re using a remote to unlock your vehicle, then you’re vulnerable.” He added that RollJam had worked on “virtually every car” and “virtually every garage door opener” he tested. In fact, he believes thieves are currently using this method to break into cars with remote keyless systems.
He made his presentation available on his site and said the tools will be published “shortly.” If you are on a Windows box, then you need to convert his Apple Keynote file to another Windows-friendly file such as PDF. I’m not sure how long this stays active, but here’s the “share” link that converted Kamkar’s talk into a PDF.
RollJam jams the signal coming from a key fob remote while recording the rolling code it carries, so the car never hears that press. If, and most likely when, the user presses the unlock button again, RollJam jams and records that second code too, then immediately replays the first captured code so the car unlocks. The second code, which the car has never received, stays valid and can be used later to open the doors.
“So when you are walking towards your car, you hit the unlock button — because it’s jammed, the car can’t hear it, however my device is also listening so my device hears your signal (and removes the jamming signal because it knows what to remove),” Kamkar explained to Threatpost. “Now I have a rolling code that your car has not yet heard.”
“Then you press unlock again because it didn’t work the first time, and I jam again, and listen, and now have two codes. However, at this point I replay the FIRST code I listened to from your key and your car successfully unlocks. To the user/owner, it appears the 2nd time pressing it worked because it happens so quickly (less than a second to jam/sniff+replay). However, I now have the NEXT rolling code in the sequence that hasn’t been used yet. I can come back later and conveniently unlock your car. Because I leave the device under your car, it always has the latest code.”
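The jam, capture and replay sequence described above, as an added example that is not part of the article and is not Kamkar's code: a Python simulation of a counter-based rolling-code fob and receiver, and a RollJam-style device sitting between them. Everything here is an assumption for illustration: the code construction (a truncated HMAC over a counter rather than the encrypted counter a KeeLoq-style chip sends), the 16-code acceptance window, the constructed key, and the class names. The RF layer (jamming slightly off the receiver's centre frequency while the device filters out its own noise) is abstracted into "the car never hears the press".

```python
import hashlib
import hmac

# Assumed receiver window: how far ahead of the last accepted counter the
# receiver will still accept a code (real receivers need this because the
# fob is often pressed out of range). The attack does not depend on its size.
WINDOW = 16


def rolling_code(key: bytes, counter: int) -> bytes:
    """Toy rolling code: truncated HMAC over the press counter.

    Real chips encrypt the counter with a shared key instead; the attack
    below does not care which, only that each counter value is accepted once.
    """
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class KeyFob:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.key, self.counter)


class Car:
    def __init__(self, key: bytes):
        self.key = key
        self.last = 0          # highest counter value accepted so far
        self.unlocked = False

    def receive(self, code: bytes) -> bool:
        # Accept a code only if it maps to a counter strictly ahead of the
        # last accepted one, within WINDOW. Anything already consumed (or
        # behind) is rejected: this is what defeats a plain replay.
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            if hmac.compare_digest(rolling_code(self.key, c), code):
                self.last = c
                self.unlocked = True
                return True
        return False


class RollJam:
    """Jams every press, records the code, and replays the previous one."""

    def __init__(self):
        self.stored = None  # the newest code the car has not yet heard

    def user_presses(self, fob: KeyFob, car: Car) -> bool:
        code = fob.press()                 # jammed: the car never hears it
        previous, self.stored = self.stored, code
        if previous is None:
            return False                   # first press: nothing to replay, car stays shut
        return car.receive(previous)       # replay the older code; user sees the car open

    def unlock_later(self, car: Car) -> bool:
        return car.receive(self.stored)    # the unused code is still inside the window


def run_attack() -> tuple:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    fob, car, device = KeyFob(key), Car(key), RollJam()
    first = device.user_presses(fob, car)    # False: "it didn't work", user presses again
    second = device.user_presses(fob, car)   # True: car opens on the replayed first code
    car.unlocked = False                     # owner locks up and walks away
    later = device.unlock_later(car)         # True: stored second code opens the car
    stale = car.receive(rolling_code(key, 1))  # False: already-consumed counter is rejected
    return first, second, later, stale


def naive_replay() -> tuple:
    """Why the jamming matters: without it the car hears the press and the
    captured code is consumed before the attacker can reuse it."""
    key = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # constructed demo key
    fob, car = KeyFob(key), Car(key)
    captured = fob.press()
    heard = car.receive(captured)   # True: the car unlocks for the owner
    replayed = car.receive(captured)  # False: same counter again is rejected
    return heard, replayed


if __name__ == "__main__":
    print("rolljam:", run_attack())      # (False, True, True, False)
    print("plain replay:", naive_replay())  # (True, False)
```

Because `user_presses` always replays the previous capture and keeps the newest one, a device left under the car stays one unused code ahead of the owner for as long as it keeps jamming, which is the "it always has the latest code" point in the quote. The simulation does not model a receiver that additionally checks a code's freshness; the article's "new chip" is not described in enough detail here to reproduce it, but any check that rejects a code captured long before it is replayed would break the `unlock_later` step.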
Kamkar told Bloomberg that he programmed RollJam “to demonstrate an issue of vulnerability in most vehicles,” but a solution already exists. He said there is a new chip for car key fobs that would resolve this, but manufacturers haven’t been using it. Kamkar tested some 2015 cars and all were vulnerable to RollJam, meaning none of them had taken advantage of the secure chip. Some car manufacturers, like Cadillac, claimed to have moved to the new and secure system.
Kamkar intends to keep tweaking RollJam until it’s about key fob size. Car thieves probably appreciate that.