Playing with the LimeSRD and Remote Entry Fobs
In the age of modern vehicles, consumers have become accustomed to the convenience offered by a whole plethora of electronics. The most ubiquitous of which is the keyless entry system. At the time of this writing the vast majority of vehicles are outfitted with a keyless entry system. Keyless entry systems have several inherent security vulnerabilities. The automotive industry is extremely competitive and so often the bare minimum in hardware capabilities is chosen in order to remain financially competitive. The bare minimum then applies by extension, to the security of the hardware in question.
In the early days of wireless remote entry, it was adequate to use a single signal transmitted on a random frequency to activate the controls. Once more of the wireless devices were being used, a fixed key was added to the transmission to identify the accessor. Then came the real attempts at building in some level of security into the devices. Each key and receiver were set up with a “rolling code” that would be incremented each time the key was activated. At first, the algorithms that dictated the codes were simple and were easily reverse engineered by recording a few generated codes in succession.
Modern rolling code algorithms are far more complex and are focused on not only being secure from eavesdroppers but also from individuals with access to the hardware and time to attempt exploits. With the older and easier to reverse engineer cryptographic functions, any individual with access to the hardware could relatively quickly come up with a way to generate the correct key codes after just viewing a few in a row. After accomplishing this it would then be possible to generate the correct key codes forever, or at least until the car was rekeyed.
The vulnerability that we will be exploring in this paper was first demonstrated by Samy Kamkar at in 2015 at DEFCON 23. The attack circumvents the complexity of reverse engineering the rolling code algorithm and allows the attacker to accomplish a similar result. The rolljam attack works by jamming the cars reception abilities while recording the first key transmission. After the car fails to respond, the owner will press the key button again. The second press will be recorded as well but the first recorded key press will be transmitted to unlock the vehicle. Now the vehicle rolling code counter will be one step behind the key fob. The attacker will have this unused unlock recording that the vehicle will still find valid.
The rolling code receiver will accept the current code as well as several codes ahead of the current code. The reason for this is to account for any unreceived key presses that would cause the transmitter and receiver to become out of sync. Upon receiving the “current” code from the key all previous codes are invalidated. This causes an issue for the rolljam attack since the recorded key code will be invalidated by any subsequent key presses of the fob.
The initial approach was to break the attack into a series of steps and then coordinate them all into one process. Given all of the components and timing required to execute the attack it was a necessity to separate and confirm that all of the steps were functioning as expected before attempting them all together. The steps of the attack are as follows:
- Locate the frequency of the key fob transmissions.
- Isolate and record the key fob without the vehicle receiving the transmission.
- Playback the recorded transmission and confirm that the vehicle responds as expected.
- Create jamming signal and confirm that it disrupts key fob reception.
- Transmit jamming signal while recording key fob transmission.
- Replay key fob transmission to activate vehicle. The software used to record, analyze and transmit the signals was Universal Radio Hacker by Johannes Pohl. The software is free to use and available from the authors GitHub account. The hardware used were the LimeSDR and RTL-SDR. The LimeSDR is a small USB dongle full-duplex software defined radio and the RTL-SDR is a low cost (approx. $20) unit capable of RX only. The necessity of the RTL-SDR was due to the lack of effective LimeSDR support with regards to it’s full-duplex operation. The RTL-SDR was utilized for recording while the LimeSDR was transmitting.
Figure 1 shows the main window with the recorded waveforms in the left-hand menu. To the right is the recorded waveform and all the analysis tools with corresponding output. While the rolljam attack does not require intricate knowledge of the transmitted messages it was helpful to learn more about the security methods of the key.
The transmitted signal mode is amplitude shift keying (ASK) and each key press will transmit a long synchronization string followed by the rolling code, then a shorter synchronization string and the same rolling code two more times. The data is shown in the lower portion of Figure 3.
A major challenge was successfully preventing the vehicle from receiving a valid key press without preventing a clear recording of the transmission. Figure 4 shows the waveform of a recorded key press with no jamming signal present. The message is quite clear above the background noise. Figure 5 shows the receiver and jammer, both using omni-directional antennas and located in close proximity to one another. Finally Figure 6 demonstrates a simulated opposing directional antenna setup. A logistical issue of this project was the lack of availability of supplies to properly build a pair of directional antennas so omni-directional antennas with considerable spacing, one located near the vehicle and the second located near the key, were used to simulate the expected difference in directional gain.
Due to the high difficulty in executing this attack it is not PARTICULARLY effective if the owner were to do anything unexpected such as pressing the unlock button multiple times with a small time spacing or pressing the unlock button after entering the vehicle. Due to the attack being executed at unlock time it would also be possible to render the stolen codes obsolete by locking and unlocking the VEHICLE after arriving at the destination. This would be effective since it is unlikely that the attacker would arrive AT the destination before the target and have time to set up if they were able to arrive ahead of time. Another potential issue is the need for the attacker to be positioned IN BETWEEN the VEHICLE and the owner. It would be possible to transmit a jamming SIGNAL that can be filtered out from the RECEIVER but this adds a small amount of added complexity to an already complex system. It was demonstrated to be far more effective to just have two directional antennas opposing EACH OTHER, one for RECEIVING and one for transmitting.
The conclusion of this research is that the complexity of a rolljam attack either requires a large amount of luck and skill or a very tightly controlled environment. While the possibility of automating such an attack is viable it is not practical. There are many faster, simpler and cheaper ways to gain access to a vehicle. It should be noted that there may be times that the use of a rolljam attack is highly desired such as during a covert operation but in this case it would most likely be sponsored by a nation state so complexity and budget would be of little to no concern. Another issues with executing the attack is that the antennas used must be rather large and may not be conducive to a covert operation.
 Defcon 23 (2015), “Drive It Like You Hacked It”. Retrieved from https://samy.pl/defcon2015  Remote keyless system 2020. Retrieved from https://en.wikipedia.org/wiki/Remote_keyless_system  Universal Radio Hacker 2020. Retrieved from https://github.com/jopohl/urh
The first video is just me playing around with SDR Console and a few different key fobs.
Here is a replay attack of pre-recoded key presses. Due to the rolling code