Scary news out of the DefCon conference in Las Vegas this weekend: Your car may not be as safe and secure as you think it is. Hacker Samy Kamkar made a presentation on a device he created called RollJam that effectively allows him access to any car or garage with keyless remote entry. Scarier still, the device can be made by just about anyone with some technical expertise and $32 in their pocket.
“This is throwing the gauntlet down and saying, ‘here’s proof this is a problem,’” Kamkar told Wired. He hopes shedding light on the issue will lead towards a fix. “My own car is fully susceptible to this attack. I don’t think that’s right when we know this is solvable.”
Here are the basics of how Kamkar’s tech works. A would-be thief would attach a small receiver device to your car, or place one near your garage door. When you approach and press the button to open your vehicle or door, the receiver records that code and blocks your car from hearing it. When you press the button a second time, generating an entirely different code, the receiver again blocks the car from hearing the code. But this time, it replays the first code, commanding the car to unlock its doors. You then drive off, unaware that a thief is following you, waiting to unlock your door with the second stored code on the receiver and steal whatever’s inside your car (or the car itself) after you leave it parked.
RollJam has been tested on a number of different vehicle makes, including Nissan, Cadillac, Ford, Toyota, Lotus, Volkswagen and Chrysler. Genie and Liftmaster garage door openers are also vulnerable to hack in this manner, as are Cobra and Viper car alarm systems.
Kamkar is not the first person to have discovered this particular vulnerability. But he is taking a step that other hackers haven’t – he’s publishing the code needed to execute the attack.
Fortunately, some carmakers are aware of how easy it is for standard remote vehicle entry systems to be hacked. Cadillac, in particular, has moved to a hack-proof system in its 2015 line. And other carmakers now have access to a new remote entry chip called Dual Keeloq that creates access codes that expire over time. These are much less vulnerable to attack, especially in this manner.
In April, it was revealed that a different type of automatic keyless remote entry system used in cars like the Toyota Prius and Mazda 3 is also vulnerable to hacking. Perhaps even more worrying, last month over 1.4 million Chrysler vehicles were recalled due to a security vulnerability in their Internet-connected entertainment systems that could lead to the car’s functions being remotely taken over.
[Car keyfob via Shutterstock]