Anatomy of the RollJam Wireless Car Hack


If you’ve been on the internet lately, you’ve likely seen the storm of news of Samy Kamkar’s device that can intercept and store keyless entry codes for cars and garages. Built for under $50 using a Teensy 3.1 and a couple of radios, the “RollJam” device is said to allow its user unfettered access to your automobile or garage, via stolen electronic codes.

The concept is fairly simple. The device tricks you into giving it a functional code for your car or garage by making it appear as though the first click of the remote simply didn’t work. By then clicking again, you’re giving it two functional codes. It can then sacrifice one code to unlock your car and keep you from thinking about the fact that you were just hacked.

Here’s a breakdown of how it works.

 

The RollJam, detecting a signal, jams the vehicle’s frequency. The code is intercepted and stored.

The user clicks the button again and the RollJam broadcasts the old code while simultaneously capturing the new one. The car unlocks.

The RollJam device is retrieved, still holding the new unused code. The code can then be transmitted later to unlock the car.

 

 

If you want more detailed information on how exactly he’s doing these things, you can download his presentation slides from Defcon (21 MB). So far, he has not released the code to his GitHub account.

Is it real?

Samy Kamkar has a history of publishing very interesting security projects. Probably best known for the Myspace worm which made him the most popular person on Myspace, he has also released plans for hacking older garage doors that use fixed codes, as you can see in the video below.

Should you be worried?

The jam/capture then jam/broadcast method of RollJam was proven to be functional last year by Spencer Whyte, though Whyte’s setup required a laptop as part of the process. RollJam hardware can fit into a much smaller box.

Theoretically, people could start making these as soon as the code starts to circulate. The hardware appears to be pretty simple and doesn’t cost much. The ability to copy and paste code onto a Teensy 3.1 microcontroller and have a functional device could mean that this may be a common hack in the near term.

As Kamkar points out, an update to how the rolling codes work in cars could be a quick fix to the vulnerability. However, most cars don’t have over-the-air update capabilities, so a generation of cars on the road now could be vulnerable to this hack, if the complete system is released. Car manufacturers might have to update millions of cars to guard against it.
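The receiver logic behind the three steps above, as an added sketch that is not from Kamkar's slides or from this article: a plain rolling-code receiver still accepts the withheld code an hour later, while one that binds each code to its send time rejects it, and an unjammed later press also retires it. The HMAC construction, `WINDOW`, `MAX_AGE` and the idea that the fob has a clock are assumptions made for illustration; the article only says that an update to how rolling codes work could fix the problem.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret, not a real fob key
WINDOW = 16   # assumed: how far ahead of its counter the receiver accepts
MAX_AGE = 5   # assumed: seconds a time-bound code stays valid


def make_code(counter, sent_at, time_bound):
    """Fob side: MAC over the counter, plus the send time if time-bound."""
    msg = counter.to_bytes(4, "big")
    if time_bound:
        msg += sent_at.to_bytes(8, "big")
    tag = hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:16]
    return counter, sent_at, tag


class Receiver:
    def __init__(self, time_bound=False):
        self.counter = 0
        self.time_bound = time_bound

    def accept(self, message, now):
        counter, sent_at, tag = message
        expected = make_code(counter, sent_at, self.time_bound)[2]
        if not hmac.compare_digest(tag, expected):
            return False
        if not self.counter < counter <= self.counter + WINDOW:
            return False  # already used, or skipped past by a newer code
        if self.time_bound and now - sent_at > MAX_AGE:
            return False  # stale: withheld too long before delivery
        self.counter = counter
        return True


def scenario(time_bound=False, press_again=False):
    """Replay the article's three steps; return (step 2 result, step 3 result)."""
    rx = Receiver(time_bound)
    first = make_code(1, 0, time_bound)    # t=0: jammed, never reaches the car
    second = make_code(2, 2, time_bound)   # t=2: jammed, withheld as well
    unlocked = rx.accept(first, now=2)     # step 2: old code forwarded, car opens
    if press_again:                        # owner's unjammed press at t=10
        rx.accept(make_code(3, 10, time_bound), now=10)
    return unlocked, rx.accept(second, now=3600)  # step 3: withheld code, 1 h later
```

`scenario()` models the vulnerable receiver, `scenario(time_bound=True)` the time-bound one, and `scenario(press_again=True)` the case where the owner's later unjammed press moves the counter past the withheld code.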

 

4 thoughts on “Anatomy of the RollJam Wireless Car Hack”

  1. To counter this “attack”, you can just get close to your car/garage and press the unlock button again on your remote. This will trigger the car/garage to drop the previous keys (one of which is also in the attacker’s hands) plus the current key which was sent when you pressed the unlock button near the car/garage and will initiate the process of random key generation again, rendering the captured key for the attacker useless. In short, just unlock your car/garage again once you are VERY close to it (to make sure that the attacker doesn’t interfere with you this time). Reference: http://auto.howstuffworks.com/remote-entry2.htm

  2. thís ìs how you can refíll your bank-account with addìtíonal cash each week.. check my profíle for more info

  3. All cars need to be in communication with the mothership in some way, be it satellite link, cellular network etc.


Senior Editor for Make: I get ridiculously excited seeing people make things. I just want to revel in the creativity of the masses! My favorite thing in the world is sharing the hard work of a maker.

I'd always love to hear about what you're making, so send me an email any time at caleb@make.co

View more articles by Caleb Kraft