My understanding of remote car key fobs, and similar security devices with rolling codes, is that the key device is a transmitter that, each time the button is pressed, sends the next secret in a known sequence that is unique to the key. It does not contain a receiver.

Meanwhile, the receiver in the car tracks (for each key fob it recognises) what it expects the next secret to be, and only unlocks if it receives the correct code.

There is a risk that a transmission may be lost - e.g. the button pressed when out of range - so the receiver actually accepts any of the next few secrets in the sequence. I have heard of one system that allowed a window of up to 256, but I don't know if that number is correct and whether it is typical.

If my understanding is correct, it is possible to render a key fob useless (i.e. perform a denial of service attack on the owner) by pressing the button at least 256 times while out of the range of the car.

This obviously relies on access to the key fob, but not when the car is close - which is a time the user may be less vigilant.

So, if a friend gets drunk in a pub, I can make sure they can't drive home by rapidly pressing their car remote 300 times while they are in the bathroom.

It has always bothered me that such an attack is possible, and yet I have never heard of anyone performing it, which makes me doubt that I have understood this completely.

Oddthinking
  • A) You don't need the key fob to work to drive home. They contain back-up physical keys. B) If you want to prank your friend by disabling their key fob, wouldn't it be easier to just take the battery out and pocket it, rather than to push the button 300 times? – Xander Jan 23 '19 at 13:11
  • @Xander: It's been a while since I thought about it, but I believe my aftermarket alarm includes an immobiliser that requires the fob to deactivate. The physical car key isn't enough. Ironically, I keep a spare battery and jeweller's screwdriver in my glovebox and don't know the reset sequence in ThoriumBR's answer, so I am not typical. – Oddthinking Jan 23 '19 at 13:24
  • Let's be clear. Crushing the remote under your heel would also be a denial of service, but this is really more about understanding the weaknesses than actually attacking effectively. – Oddthinking Jan 23 '19 at 13:26
  • @Xander - My car has push-to-start. I can get into the car with the back-up key, but there's explicitly no way to start it up without the fob. – Bobson Jan 23 '19 at 18:15
  • @Bobson I'll bet there is. There are probably cars out there that don't have a backup start mechanism, but they would certainly be the exception. – Xander Jan 23 '19 at 18:36
  • You guys need to read your owner's manuals. I guarantee there's a way to start it with a "dead" fob. Sometimes, there's a backup manual key that you need to remove by popping open the fob, and a matching keyhole under a trim cover on the steering column. Other times, there's a passive RFID tag inside the fob, totally separate from the active electronics, which is read when pressed against an indicated spot on the steering column - and a separate manual key just for opening doors. No car manufacturer would make a car that could be rendered useless by a dead fob, they'd be ridiculed out of business. – dwizum Jan 23 '19 at 18:38
  • Note also that newer cars are likely to use challenge-response type of authentication instead of a simple rolling code. This involves bidirectional communication between key and car, so the key knows if the car is not receiving. – jpa Jan 23 '19 at 19:41
  • @dwizum: Please be careful not to sound like a troll. Yes, I am already aware of this. I have followed such a process before when I got a new fob, but it wasn't in my car manual, and I couldn't do it again from memory should my fob fail. I recall it being more complicated than the process in ThoriumBR's answer, but I might be wrong. Do it to me at a pub, and I am stuck getting a lift home and dealing with it in the morning. My keys ALSO have the RFID tag on the key, but that is separate from my after-market alarm fob, so that's a red herring. – Oddthinking Jan 23 '19 at 21:04
  • Resetting my key fob is as simple as turning it halfway in the ignition, then pressing the "lock" button (something that garages apparently charge £50 to do). Drunk-me could definitely manage that, if drunk-me ever became that reckless. Assuming drunk-me didn't think to just turn it the full way to ignition and drive off with that. – Mark K Cowan Jan 24 '19 at 00:31
  • @Xander another person that 100% does not have a way to start the car without the fob. There's a small key in the fob that can open the front door, and the glove compartment, but that is absolutely it. The manual states that if the battery dies in the fob that you use the fob itself to push the "Push to start" button. But you need the fob 100% – Brian Leishman Jan 24 '19 at 13:23
  • @Xander (the car I'm referring to is both a 2016 and 2018 Dodge Charger, an extremely common car in the US, and I'm sure this style extends to Dodge/Chrysler/etc.'s other cars as well) – Brian Leishman Jan 24 '19 at 13:24
  • @Oddthinking - I wasn't referring to procedures to re-sync a disabled fob, but rather backup procedures designed to allow you to *use a disabled fob* to still operate the vehicle. In the attempt of not sounding like a troll, I posted an answer that covers why I think this attack wouldn't be effective. – dwizum Jan 24 '19 at 14:24
  • @dwizum - My car has the hold-fob-to-start-button method as the way to start it with a dead fob (I didn't know this until I looked to answer this, so thanks for that). However, that's still not a way to start it *without the fob*. – Bobson Jan 24 '19 at 16:47
  • Starting a car *without the fob* seems like a different problem from starting a car *with the fob* against which someone has done a denial of service attack by fooling with the rolling codes, which is what I took as the subject of this question. I definitely agree, it would be hard to start a modern car without the fob even present, just like it would be hard to start an older car without the physical key present. But - to bring us back on topic - it is (probably, subjectively) not hard to start a car with the fob present, even if a rolling code disabling attack has been performed on the fob. – dwizum Jan 24 '19 at 17:51
  • Before breaking one's keyfob, one *really* ought to go down to the dealer and price replacement keyfobs. Because 99% chance your buddy is going to consider the keyfob "broken" and go get another one. Now, you know the face Walter White's brother-in-law made on the toilet? That will be his face when he sees the bill. – Harper - Reinstate Monica Jan 26 '19 at 16:32
  • @dwizum: Don't make sweeping statements. While this might be valid for keyfobs merely replacing a key, alarm systems (often aftermarket ones) might not offer any disarming feature without the fob. I know for a fact that mine doesn't allow it and any kind of entry without the fob disarming (even with the legitimate key) will result in immediate alarm. And that's very good so. – Gábor Jan 27 '19 at 16:51
  • @Gábor - per my prior comment I was referencing starting a car with the OEM fob present but disabled. I agree it's hard to speak broadly about aftermarket alarms, due to their many differences. Some (apparently, like yours) with no backup are - IME - potentially just as dangerous to the owner as to a thief. With no backup or disable, what do you do when your fob battery dies, or the fob gets lost? Do you just junk your car, because there's no way to disable the alarm? Any legitimate system would have *some* kind of backup or disable feature. Unfortunately, some aftermarket alarms don't. – dwizum Jan 28 '19 at 13:41
  • I grab the other fob, I have more than one. If I run out of fobs, I buy a new one (yes, available, can be programmed to the system). Technically, of course, you can remove the battery and silence the alarm, get it out of the car, or whatever. You might call it a nuisance in that particular instance, however, it's not a frequent one, never ever happens in most owners' lives and the security this solution provides is worth it. – Gábor Jan 28 '19 at 13:49
  • Even if you managed to de-sync the remote from the car, rendering the remote useless, how would this prevent the person from simply unlocking the door with a physical key, and then again starting the car with said physical key? If you are concerned about your pals drunk driving, perhaps get them an Uber, or refrain from drinking and drive them yourself? – jesse Feb 01 '19 at 14:47

3 Answers

it is possible to render a key fob useless by pressing the button at least 256 times while out of the range of the car.

Not useless, but desynchronized. Any car will allow you to re-synchronize, and one example of a typical procedure is:

  • Turn the ignition key on and off eight times in less than 10 seconds. This tells the security system in the car to switch over to programming mode.

  • Press a button on all of the transmitters you want the car to recognize. Most cars allow at least four transmitters.

  • Switch the ignition off.

yet I have never heard of anyone performing it

You don't have any 3-year olds around?

My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.

Three-year-olds can be dangerous, relentless attackers, so take care with the physical security of your key fobs.

ThoriumBR
  • I have never heard of anyone saying "My three year old 'broke' my keyfob." and I guess I expected to hear this more often. – Oddthinking Jan 23 '19 at 13:24
  • My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote. – ThoriumBR Jan 23 '19 at 13:30
  • Perfect. With that anecdote, this becomes a great answer. – Oddthinking Jan 23 '19 at 15:08
  • You don't even need a three-year-old. A pack of chewing gum (preferably reduced to just two or three remaining pills) in the same pocket will do just fine. – John Dvorak Jan 23 '19 at 15:15
  • How can you turn the car on and off eight times if your key fob is desynchronized? – stannius Jan 23 '19 at 16:53
  • @stannius by opening the door using the real key, instead of remotely. – hobbs Jan 23 '19 at 17:08
  • Oh, the rolling codes are just for opening the doors, and keyless start systems use a transponder, which isn't subject to the same hypothetical DOS attack. – stannius Jan 23 '19 at 17:10
  • How do you get *inside* your car to turn it on and off 8 times when your car has no physical key? – user2357112 Jan 23 '19 at 18:30
  • @user2357112: You mean that the car has no physical key hole? It has one, it's just hidden. See, for example, https://www.youtube.com/watch?v=OECOoNYZXmk – Heinzi Jan 23 '19 at 18:43
  • And as a last resort, you can use a Slim Jim or coat hanger. – Barmar Jan 23 '19 at 18:51
  • @Barmar Or a rock, if you are particularly desperate! – GrumpyCrouton Jan 23 '19 at 19:32
  • I think saying "any car" and "typical procedure" is a bit generous. There are many ways to have a car learn a new key fob or synchronize an old one. Some can be done on your own, and some require regulated dealer-level equipment. I think the only thing you can say is here is one such procedure for one certain model of car (some date range of Ford cars in this case). – JPhi1618 Jan 23 '19 at 21:03
  • Never underestimate the ability of a toddler to prod computer and electronic systems into unintended modes of operation. – Roy Tinker Jan 24 '19 at 19:56
A typical rolling code fob from a decade ago which used a 64-bit payload would unlock if it received one code that was within 16 of what it was expecting, or two consecutive codes that were within 32768 of what it was expecting and adjacent to each other. Pushing the button 32768 times would cause a fob to become sufficiently desynchronized as to be useless, but only if the battery lasted that long.

As payload sizes have increased, the need to have a tight window has decreased. The bigger problem with rolling codes is that they have no immunity against passive relay or jam-and-replay attacks. If someone uses the same key fob button to operate two garages, someone who receives the code sent at one garage could relay it to someone at the other garage, who could use it any time before the original owner next uses his fob. Someone who puts a jammer near a receiver and has their own receiver nearer a person's key fob could capture a few transmissions while preventing the receiver from hearing them, and then transmit the first code they received. The person with the key fob may be annoyed at how unreliable it seems to be, but would be unlikely to perceive anything wrong. Unless he uses his fob again when it isn't jammed, however, the crooks would have a second code that they could use at their leisure.

supercat
  • I don't think the second paragraph is relevant, but the first has very relevant information not found in the accepted answer. It would be even better if you could expand on that to include the margins of a typical fob today with the larger payload size. – ArrowCase Jan 23 '19 at 19:37
  • @ArrowCase, I too would like to see more information on modern margins, but the second paragraph is still excellent even though not *directly* an answer to the question. I'm glad it's there. – Wildcard Jan 23 '19 at 20:58
  • @Wildcard: Among other things, the second paragraph is intended to help put the described attack in perspective. Security design requires weighing the cost of guarding against various attacks with the risks posed thereby, and accepting the possibility of attacks that aren't guarded against. Rolling codes accept certain vulnerabilities to facilitate low-cost implementation, and while the DOS attack is a vulnerability it is minor compared to far more serious ones which--unlike the DOS attack--don't require that attackers have unfettered access to the fob. – supercat Jan 23 '19 at 21:56
The problem with the attack as you're describing it is that it's glossing over a lot of details about how keyless entry and start systems work, and details about built-in backup systems, some of which have been covered in comments on the question and other answers.

First, let's cover getting into the vehicle: In other words: could the attack described in the question function as denial of service in the sense that it would stop you from entering the vehicle?

  • Manufacturers of automobiles understand that active electronics are prone to faults, and hence they design workarounds. For instance, key fobs provided for remote or hands-free unlocking of doors typically include a backup physical key, which can be used in a backup keyhole in the door to open the vehicle if it is locked. So, an attack designed to disable the rolling code process of authenticating the key would not stop someone in possession of the key fob from getting into the vehicle.
  • Further, some keyless hands-free transponders (i.e. the variety that unlock the door when you touch the door handle) work on bidirectional communication, so once again a rolling-code-disabling attack wouldn't stop you from entering the vehicle.

Now, let's cover starting it once you're inside: Could the attack stop you from starting and driving the vehicle once you were inside?

  • Vehicles with keyless start (i.e. a "push to start" button) work with bidirectional transponders, not rolling codes - the starting sequence includes two-way communication between the vehicle and key. So, an attack designed to disrupt rolling code generation would not stop someone in possession of a functional key fob from starting the vehicle once they were inside it.
  • Further, vehicles with keyless start typically include a passive starting mechanism, designed to allow you to drive the vehicle in the event that the active electronics in the fob have been disabled (for instance, if the battery dies). These systems are typically meant to be "idiot proof" and not involve complicated procedures - typically, you hold the fob itself against the start button, or you hold the fob against a designated spot on the steering column (both of which nicely mimic the old-fashioned method of using a physical key), or the backup physical key you use to enter the vehicle also works in a hidden keyhole on the steering column. So - once again, even if the active electronics are disabled in the fob, as long as you have the fob, you can still start and drive the vehicle.
  • Cars with fobs always have procedures to re-sync a new (or disabled) fob to the vehicle. These procedures are designed to allow an owner to sync a replacement fob, i.e. in the event that their original fob(s) have been destroyed or lost. Sometimes, these procedures are complicated, and sometimes they require some sort of backup authentication mechanism - i.e. you need to have another working fob, or you need one of the built-in backup keys from a working fob, or you need a brand-specific diagnostics tool plugged into the vehicle. This makes things inconvenient for sure, but as a last backup against the above-mentioned points, it would still let you operate the vehicle if all else failed, and you remained in possession of a fob that had somehow been un-synced from the vehicle.

So - in summary - if the premise of the question is,

Can I perform a denial of service attack - i.e., prevent someone from using a vehicle - with an attack designed to disable the rolling code feature potentially used by the fob to authenticate with the vehicle?

The answer is pretty much no, that won't be an effective denial of service attack.

If, instead, the question was,

Can I make it annoying or difficult to use a car by disabling the rolling code feature in the key fob?

The answer is probably yes, although this is somewhat subjective. If you have a friend who isn't very "aware" of how their vehicle works, and doesn't understand the backup features, and is out of their wits because they've been drinking, then yes - this would probably be an effective denial of service attack. But so would removing the battery from the fob, which is probably easier and quicker than button-mashing a few hundred or thousand times. And it's definitely easier and quicker to just take their keys.

As a final footnote, if the question was meant to include aftermarket alarms/security systems installed on vehicles, I think it's safe to say all bets are off since there have been a variety of such systems over the years that work (or don't) in all kinds of different ways - some of which are just as destructive as poorly designed antivirus software, in the sense that they cause loss of use just as much as they prevent a perceived problem.

If the question was meant to include garage door systems, then - yes - it will basically work, at least against older, simpler systems that had a button-mash potential that was reasonable (hundreds, versus tens of thousands). However, it would still likely only be an inconvenience, as most garage door systems also have backups - i.e., the homeowner can enter through another door, make their way into the garage, and pull the manual release handle on the door's drive system, which decouples the opener from the door and allows the door to be opened by hand.

dwizum
  • My garage doesn't *have* another door. One side wall is hard against the neighbour's garage, the other side wall and the back wall are buried. – Martin Bonner supports Monica Jan 24 '19 at 16:17
  • I'm sure there are others in your situation, which is why I said "most." What's your plan if the opener dies? I had a garage without another official door once in the past, the opener failed and I ended up breaking in through a window. Luckily the garage had enough wall width that I was able to install a normal door near the overhead door, so I could get in with a key if/when the door opener failed. – dwizum Jan 24 '19 at 16:49
  • @MartinBonner in _most_ US jurisdictions, that violates building codes. My garage, which is L shaped and has a "people" door at the top of the L and out of view of the "car" door is borderline... – FreeMan Jan 24 '19 at 20:00
  • +1 because I agree with everything you say, and you say it better than many of the other attempts. However, it doesn't focus on my real question. (**My fault**. I think I obscured it.) This argues "Any weakness in the rolling codes system is compensated for by a complicated infrastructure of backup systems." I agree. (cont'd) – Oddthinking Jan 24 '19 at 20:52
  • But, I am not really trying to best attack my friends. I am trying to shore up an apparent hole in my academic understanding of rolling codes. So, my question was really "Does this theoretical weakness exist (which might then require alternative processes to overcome)?" which you seem to acknowledge in passing is the case. – Oddthinking Jan 24 '19 at 20:53
  • I think this is a matter of where you draw the circles around the border of the "system". If you draw it tightly around the rolling codes part of the remote, there is a hole. If you draw it more loosely around the whole physical key/backup fob/resynch process/crawling through garage windows system, there is no hole. – Oddthinking Jan 24 '19 at 20:56
  • Yes, I think you're essentially correct, with your explanation of where the circles are drawn. That said, per the details in @supercat's answer, it would take *a lot* of button mashing to exploit that hole. – dwizum Jan 24 '19 at 21:10
  • @FreeMan: That's not always true. I once lived in a place with a detached garage with no service door or windows. There was a key lock on the face of the garage door. With the correct key inserted, you could pull out the lock's cylinder, which was attached by a metal cable to the manual door release. I had to use it once when the opener's motor died. – DrSheldon Jan 26 '19 at 07:04