
I've read this question - Vehicle remote key security, and I have a few simpler questions that are not addressed in that one.

I just received a WhatsApp viral forward raising a few claims regarding the security of car keyfobs. I feel that one or more of these claims are bogus, and wanted to check with the community. It is hardly the work of a sophisticated security professional, so the likelihood of the claims being bogus is high.

Here is the video: https://www.youtube.com/watch?v=fjmEdYQo9K0. It's in Hindi, but I'll outline the claims here.

  1. It claims that when you lock the vehicle, there is a universal remote that an attacker can use to capture the secret code, which it can replay to unlock the car at will.

  2. It seems that the secret code is being captured from a single LOCK command.

  3. The best way to guard this security code is to lock the car manually, so that potential attackers can't sniff out the security code.

We're talking about $10,000 cars here using OEM security systems, nothing fancy or high-end.

From the previous question linked here, I know that OEMs frequently use roll-your-own crypto, and the systems, especially in commodity vehicles, are hardly unbeatable. The simplicity of the supposed attack raises a lot of questions for me, though.

  1. A simple replay attack should not be possible because most modern cars use some form of rolling codes.

  2. While there is some body of work that talks about private keys being reconstructed from a set of 10-20 rolling codes, it hardly seems possible from just one rolling code.

  3. There isn't a very good reason for a LOCK command to emit a rolling code. A malicious attacker spoofing a LOCK command would hardly be able to cause significant nuisance/denial of service. I'm not sure how the protocols work in practice.

  4. Advising owners to manually lock the vehicle sounds like malicious advice. While a manual lock may mechanically secure the vehicle doors, it won't actually engage the car's immobilizer/electronic security system, leaving it actually more vulnerable.

Thoughts on these four points would be appreciated.

Ankush Jain
    This is possible and feasible, and car manufacturers have been known to follow lax implementation standards for security, safety, etc. Ultimately, if the average end user doesn't know enough to care, neither do they. However, this question is highly implementation specific - we can't really know "how possible" except for a specific given car at a specific given firmware version. – Monica Apologists Get Out May 01 '18 at 14:55
  • Relevant paper: https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_garcia.pdf – Tobi Nary May 01 '18 at 15:02
  • Jamming combined with replaying is effective https://samy.pl/defcon2015/ – multithr3at3d May 01 '18 at 15:31

1 Answer

  1. They should, but it is not necessarily true they do. There were smart locks that did not use rolling codes and could be cracked with one captured command.
  2. Depends on how they implement rolling codes. I don't have a problem believing someone was clueless enough to use a predictable algorithm, such as increasing the previous hash value by one and hashing, that would provide no security. These guys are usually hardly security experts. Or they may not use rolling codes, as I noted in 1.
  3. It is likely all commands use the same system of authentication.
  4. Yes, it does seem dodgy. But it depends on the car. Some cars have central locking that would engage all the security regardless of how the vehicle was locked.
Peter Harmann
  • Increasing by one and hashing is secure. As long as the hash function is. – Tobi Nary May 01 '18 at 15:00
  • @SmokeDispenser I believe Peter means something like: newHash= previousHash+1, which wouldn't be secure. – Steve Sether May 01 '18 at 15:08
  • @SmokeDispenser If you hash a secret, then yes. If you hash the previous value, it does nothing. And that is the small difference people who never worked on security before may miss. As Steve said. – Peter Harmann May 01 '18 at 15:08
  • Ofc you hash a secret. The whole idea of rolling keys is to have a non-replayable secret. I'd rephrase that; increasing by one and hashing is perfectly fine as a concept and not the problem you ought to point out. – Tobi Nary May 01 '18 at 15:10
  • @SmokeDispenser Well, that is true. Edited to state explicitly I meant the previous value. – Peter Harmann May 01 '18 at 15:13
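An added example (not from the question, the answer, or any OEM) contrasting the two rolling-code designs the comments argue about: a toy chain of "hash of the previous value plus one", which depends only on data an eavesdropper already has, versus a keyed counter scheme (HMAC over a counter with a secret shared by fob and car) with a receiver-side acceptance window. The demo key, code length, counter width and window size are constructed assumptions.

```python
import hashlib
import hmac

# Toy rolling-code schemes, constructed for this illustration only.
CODE_LEN = 4  # bytes of code transmitted per button press (assumption)


def chained_code(prev_code: bytes) -> bytes:
    """Weak scheme from the answer: next = H(previous + 1). Needs no secret."""
    n = int.from_bytes(prev_code, "big") + 1
    return hashlib.sha256(n.to_bytes(8, "big")).digest()[:CODE_LEN]


def keyed_code(key: bytes, counter: int) -> bytes:
    """Keyed scheme: next = HMAC(secret, counter). The secret never goes on air."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:CODE_LEN]


class Receiver:
    """Car side of the keyed scheme. Accepts any of the next `window` counter
    values (fob pressed out of range) and never re-accepts a counter it passed."""

    def __init__(self, key: bytes, window: int = 16):
        self.key, self.window, self.counter = key, window, 0

    def accept(self, code: bytes) -> bool:
        for c in range(self.counter + 1, self.counter + 1 + self.window):
            if hmac.compare_digest(keyed_code(self.key, c), code):
                self.counter = c  # advance: every code at or below c is now dead
                return True
        return False


KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo secret


def chained_scheme_predictable() -> bool:
    """One captured LOCK code lets an eavesdropper compute the fob's next code."""
    observed = hashlib.sha256(b"constructed-seed").digest()[:CODE_LEN]
    return chained_code(observed) == chained_code(observed)  # fob vs. eavesdropper


def keyed_scheme_outcomes() -> dict:
    """Replay and 'previous + 1' guessing against the keyed receiver."""
    car, fob_counter = Receiver(KEY), 1
    lock = keyed_code(KEY, fob_counter)               # the one captured LOCK press
    outcomes = {"genuine": car.accept(lock)}
    outcomes["replay"] = car.accept(lock)              # identical bytes, sent again
    outcomes["chain_guess"] = car.accept(chained_code(lock))
    fob_counter += 5                                   # presses made out of range
    outcomes["resync"] = car.accept(keyed_code(KEY, fob_counter))
    return outcomes
```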