Over the past decade, keyless entry systems have largely displaced traditional physical keys as the means for locking and unlocking cars and garages around the world. Just push a button and the electronic devices transmit a secret code that activates or deactivates the lock, saving people the hassle of manually controlling it.
Now, serial hacker Samy Kamkar has devised RollJam, a $30 device that steals the secret codes so attackers can use them to gain unauthorized access to a car or garage. It works against a variety of market-leading chips, including the KeeLoq access control system from Microchip Technology Inc. and the High Security Rolling Code generator made by National Semiconductor. RollJam is capable of opening electronic locks on cars from Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, Volkswagen Group, Clifford, Shurlok, and Jaguar. It also works against a variety of garage-door openers, including the rolling code garage door opener made by King Cobra.
Rolling codes are similar to the pseudo-random numbers used by the RSA SecurID and similar two-factor authentication devices—with one important difference that will be explained later in this post. An algorithm inside the electronic key and the lock allows the two devices to remain synchronized so the lock can determine when it has received a legitimate rolling code sent by the authorized key. A legitimate rolling code is valid until it's received by the lock. The next time the electronic key is pressed, it will issue a different code. In the event that the key issues a rolling code that isn't received by the lock—say, when the two devices aren't within radio range of each other—the lock is able to accept a newer rolling code and invalidate any earlier rolling codes that weren't received.
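
The synchronization described above can be modeled in a few lines. This simulation is an added illustration, not code from RollJam or from any vendor's firmware; the HMAC-based generator, the `WINDOW` size, the secret and all class names are assumptions standing in for the proprietary ciphers used in real chips.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: how many missed presses the lock tolerates


def code_for(secret: bytes, counter: int) -> str:
    """Stand-in generator (truncated HMAC-SHA256 of a counter), not KeeLoq."""
    mac = hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256)
    return mac.hexdigest()[:8]


class Fob:
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        self.counter += 1  # every press yields a different code
        return code_for(self.secret, self.counter)


class Lock:
    def __init__(self, secret: bytes):
        self.secret, self.last = secret, 0

    def receive(self, code: str) -> bool:
        # Only counters ahead of the last accepted one are candidates.
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            if hmac.compare_digest(code, code_for(self.secret, c)):
                self.last = c  # codes at or below c are invalid from now on
                return True
        return False


def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed sample value
    fob, lock = Fob(secret), Lock(secret)
    first = fob.press()
    results = {"first": lock.receive(first)}    # normal unlock
    results["reused"] = lock.receive(first)     # already received: rejected
    missed = fob.press()                        # pressed out of radio range
    newer = fob.press()
    results["newer"] = lock.receive(newer)      # lock resynchronizes
    results["missed"] = lock.receive(missed)    # older code now invalid
    pending = fob.press()                       # not yet heard by the lock
    results["pending"] = lock.receive(pending)  # valid until it is received
    return results


if __name__ == "__main__":
    print(demo())
```
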