Hacking a Car’s Key Fob with a Rolljam Attack

Most cars these days come with a key fob to remotely unlock the doors, pop the trunk, and sometimes even start the engine. For obvious reasons, key fobs are incredibly convenient and are something most people consider to be a necessity when purchasing a new car. But that convenience comes with a, admittedly small, risk of hacking. Gonçalo Nespral has a guide on how to do exactly that — for educational purposes of course, don’t do this with someone else’s car!

This is actually a recreation of an earlier exploit demonstrated by Samy Kamkar, called a rolljam attack. When you push the door unlock button on your key fob, it sends out a modulated radio signal that gets picked up by a receiver in the car. If the modulated code matches the car’s, then it will unlock. But that would be incredibly easy to hack without any additional security. All a black hat hacker would need to do is record the radio signal and then play it back later — a classic replay attack.

To thwart that possibility, modern key fobs use a rolling code system. Each time you push the unlock button, the key fob uses an algorithm to generate a new code. The car knows the same algorithm, and the old codes are discarded each time a new one is generated. That keeps hackers from simply executing a replay attack, but the system still has a vulnerability, which is what Kamkar’s rolljam attack exploits.

The rolljam attack works by recording and blocking the radio signal from the key fob. Because the signal was blocked, the car doesn’t unlock and the owner will naturally try again. That creates a second signal that is also recorded and blocked, but this time the attacker replays the first code to unlock the door. The owner is none the wiser, but now the attacker knows the next code in the sequence — which hasn’t yet been expired — and can use it to unlock the car at their leisure.

Nespral was able to recreate that rolljam attack with just a few simple components. A YARD Stick One is used to jam the original radio signal and transmit the new one, while an RTL-SDR (Software-Defined Radio) is used to record the original signal. With a laptop and a few open source software tools, Nespral successfully performed the rolljam attack on his own car.