Anatomy of the RollJam Wireless Car Hack

Caleb Kraft

Senior Editor for Make: I get ridiculously excited seeing people make things. I just want to revel in the creativity of the masses! My favorite thing in the world is sharing the hard work of a maker.

I'd always love to hear about what you're making, so send me an email any time at [email protected]

412 Articles



If you’ve been on the internet lately, you’ve likely seen the storm of news of Samy Kamkar’s device that can intercept and store keyless entry codes for cars and garages. Built for under $50 using a Teensy 3.1 and a couple of radios, the “RollJam” device is said to allow its user unfettered access to your automobile or garage, via stolen electronic codes.

The concept is fairly simple. The device tricks you into giving it a functional code for your car or garage by making it appear as though the first click of the remote simply didn’t work. By then clicking again, you’re giving it two functional codes. It can then sacrifice one code to unlock your car and keep you from thinking about the fact that you were just hacked.

Here’s a breakdown of how it works.

The RollJam, detecting a signal, jams the vehicle’s frequency. The code is intercepted and stored.

The user clicks the button again and the RollJam broadcasts the old code while simultaneously capturing the new one. The car unlocks.

The RollJam device is retrieved, still holding the new unused code. The code can then be transmitted later to unlock the car.

If you want more detailed information on how exactly he’s doing these things, you can download his presentation slides from Defcon (21 MB). So far, he has not released the code to his GitHub account.

Is it real?

Samy Kamkar has a history of publishing very interesting security projects. Probably best known for the Myspace worm which made him the most popular person on Myspace, he has also released plans for hacking older garage doors that use fixed codes, as you can see in the video below.

Should you be worried?

The jam/capture then jam/broadcast method of RollJam was proven to be functional last year by Spencer Whyte, though Whyte’s version required a laptop as part of the process. RollJam hardware can fit into a much smaller box.

Theoretically, people could start making these as soon as the code starts to circulate. The hardware appears to be pretty simple and doesn’t cost much. The ability to copy and paste code onto a Teensy 3.1 microcontroller and have a functional device could mean that this may be a common hack in the near term.

As Kamkar points out, an update to how the rolling codes work in cars could be a quick fix to the vulnerability. However, most cars don’t have over-the-air update capabilities, so a generation of cars on the road now could be vulnerable to this hack, if the complete system is released. Car manufacturers might have to update millions of cars to guard against it.
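To see why a receiver still trusts a code that was captured but never delivered, and what kind of check would close that gap, here is a small receiver model, added as an example and not taken from Kamkar's slides or from any manufacturer's code. It assumes an HMAC over a counter as a stand-in for the car's proprietary rolling-code algorithm, and it assumes that the "update" takes the form of a timestamp inside the authenticated frame, which in turn requires the fob and the car to keep roughly synchronized clocks; the key, window and lifetime values are constructed.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed secret shared by fob and receiver
WINDOW = 16   # assumed: receiver accepts counters up to 16 ahead of the last one
MAX_AGE = 5   # assumed: lifetime in seconds of a code in the time-bound variant

def fob_frame(counter, ts=None):
    """Fob side: (counter, timestamp, tag); the tag authenticates both fields."""
    msg = struct.pack(">I", counter)
    if ts is not None:
        msg += struct.pack(">I", ts)
    return counter, ts, hmac.new(KEY, msg, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, time_bound=False):
        self.last = 0              # highest counter accepted so far
        self.time_bound = time_bound

    def accept(self, frame, now):
        counter, ts, tag = frame
        if self.time_bound and ts is None:
            return False           # time-bound receiver requires a timestamp
        expected = fob_frame(counter, ts if self.time_bound else None)[2]
        if not hmac.compare_digest(tag, expected):
            return False           # forged or altered frame
        if not self.last < counter <= self.last + WINDOW:
            return False           # already used, or too far ahead
        if self.time_bound and abs(now - ts) > MAX_AGE:
            return False           # valid code, but stale
        self.last = counter
        return True

def scenario(time_bound):
    """Replay the three captioned steps against one receiver model."""
    rx, t0 = Receiver(time_bound), 1000
    first = fob_frame(1, t0 if time_bound else None)       # press 1: jammed
    second = fob_frame(2, t0 + 2 if time_bound else None)  # press 2: jammed
    return {
        "first_code_at_second_press": rx.accept(first, t0 + 2),
        "held_code_an_hour_later": rx.accept(second, t0 + 3600),
        "first_code_reused": rx.accept(first, t0 + 3601),
    }

if __name__ == "__main__":
    print("classic   :", scenario(False))
    print("time-bound:", scenario(True))
```

In the classic model the held code is accepted an hour later because the receiver only checks that the counter is new; in the time-bound model the same frame is rejected as stale while the owner's own unlock still succeeds.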