Have you ever wondered why keyless remotes have to be programmed to a car before they work, or why your car’s remote never inadvertently unlocks another car in a crowded mall parking lot? It is because keyless entry and remote start systems use something called rolling code technology. The concept is simple. Every time a signal is sent from your remote to your car, a unique passcode is sent with it to verify the authenticity of the remote used to send the signal. Once a code has been used, it is never used again – preventing the possibility of someone snatching that code out of the air during transmission and using it to gain access at a later time. But this rolling code technology has a well-known flaw – one that, with a little help from you, makes it easy for someone to circumvent the entire system and access your property. All it takes is a $30 homemade device designed by privacy and security researcher Samy Kamkar.

If the device is being used against you, you probably won’t even know it. It works by blocking the signal from your remote the first time you attempt to use it. Since the signal never reaches your car’s onboard computer, the code sent with it isn’t scratched off the list and can be used later. To you, it appears your remote didn’t work, so you try again. This time, the device allows the signal and code to pass – leaving you to think nothing of it. Later on, the hacker using the device comes back and uses the stored code to unlock your car – leaving you with no explanation as to how your stuff came up missing from your locked car. Kamkar has tested his device on a variety of models from domestic manufacturers, including Ford, Cadillac and Chrysler, as well as models from Volkswagen and Nissan with success. Kamkar claims the solution to this vulnerability is as simple as implementing expiration periods on the rolling codes before they are transmitted.
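The expiration fix described above, as an added sketch that is not from Kamkar or any manufacturer: a simplified receiver that follows this article's model (a code stays valid until the car receives it), with HMAC-SHA256 standing in for the real code generator. The key, the 5-second window and a synchronized clock in remote and car are assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed secret, shared when the remote is programmed
MAX_AGE = 5                    # seconds a time-bound code stays valid (assumed value)

def make_code(counter, now):
    """Remote side: counter plus send time, authenticated with the shared key."""
    body = struct.pack(">IQ", counter, now)
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, enforce_expiry):
        self.enforce_expiry = enforce_expiry
        self.used = set()      # counters already "scratched off the list"

    def accept(self, code, now):
        body, tag = code[:12], code[12:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False       # not produced by a paired remote
        counter, sent_at = struct.unpack(">IQ", body)
        if counter in self.used:
            return False       # plain replay of a code the car already saw
        if self.enforce_expiry and not (0 <= now - sent_at <= MAX_AGE):
            return False       # stale: the code was held back too long
        self.used.add(counter)
        return True

def scenario(enforce_expiry):
    """First press (t=0) never arrives, second press (t=2) does;
    the withheld first code is presented an hour later."""
    rx = Receiver(enforce_expiry)
    first = make_code(1, now=0)            # never reaches the receiver
    second = make_code(2, now=2)
    owner_ok = rx.accept(second, now=2)    # owner's retry
    replay_ok = rx.accept(second, now=3)   # same code sent again
    late_ok = rx.accept(first, now=3600)   # held-back code, one hour on
    return owner_ok, replay_ok, late_ok

if __name__ == "__main__":
    print("no expiry  :", scenario(False))
    print("with expiry:", scenario(True))
```

Without expiry the held-back code is still accepted an hour later; with expiry it is rejected, while the owner's retry works in both cases.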

Read on to see my interpretation of the device and its components.


Why it matters

Samy Kamkar spoke about this device at the 2015 Defcon Hacker Convention just a few days ago. Unfortunately, I haven’t been able to uncover detailed specifications or a build sheet yet, but the device is simple enough that I have a pretty good idea. The power supply is made up of a small watch battery and a couple of coils built into a small circuit board. On top, there is what looks to be a common wireless transmitter – found in just about every laptop – with an external antenna mounted on it. I assume this is to connect to the target device from a distance. The circuit board opposite the power supply appears to be another wireless receiver and data storage point that's most likely used to store the rolling code that is sent with the intercepted signal. Either way, all of the circuitry is readily available online or from some electronics stores. I’m sure a build sheet will be online soon enough. All of this is just speculation on my part, but given the simple design, I’m probably not too far off.

Considering the security vulnerability has been known about for some time, it’s disturbing to know that a lot of cars – and garage door openers for that matter – still use the same flawed system. So far, Cadillac has claimed its most recent models aren’t vulnerable, but I have yet to find information from any other manufacturer regarding this vulnerability. Now that Kamkar has gone public, I hope manufacturers will step up and address the concern before every thief on the planet has access to my car and garage.