Rolling code

Last updated

A rolling code (or sometimes called a hopping code) is used in keyless entry systems to prevent a simple form of replay attack, where an eavesdropper records the transmission and replays it at a later time to cause the receiver to 'unlock'. Such systems are typical in garage door openers and keyless car entry systems.

Contents

Techniques

HMAC-based one-time password employed widely in multi-factor authentication uses similar approach, but with pre-shared secret key and HMAC instead of PRNG and pre-shared random seed.

Application in RF remote control

A rolling code transmitter is useful in a security system for improving the security of radio frequency (RF) transmission, comprising an interleaved trinary bit fixed code and rolling code. A receiver demodulates the encrypted RF transmission and recovers the fixed code and rolling code. Upon comparison of the fixed and rolling codes with stored codes and seeing that they pass a set of algorithmic checks, a signal is generated to actuate an electric motor to open or close a movable component.[ citation needed ]

Rolling code vs. fixed code RF remote control

Remote controls send a digital code word to the receiver. If the receiver determines the codeword is acceptable, then the receiver will actuate the relay, unlock the door, or open the barrier. Simple remote control systems use a fixed code word; the code word that opens the gate today will also open the gate tomorrow. An attacker with an appropriate receiver could discover the code word and use it to gain access sometime later. More sophisticated remote control systems use a rolling code (or hopping code) that changes for every use. An attacker may be able to learn the code word that opened the door just now, but the receiver will not accept that code word for the foreseeable future. A rolling code system uses cryptographic methods that allow the remote control and the receiver to share codewords but make it difficult for an attacker to break the cryptography.

KeeLoq

HCS301 chip from an Audi A6 keyless entry remote, which uses a rolling code system Rolling-code-rf-remote-control-2.png
HCS301 chip from an Audi A6 keyless entry remote, which uses a rolling code system

The Microchip HCS301 was once the most widely used system on garage and gate remote control and receivers. The chip uses the KeeLoq algorithm. The HCS301 KeeLoq system transmits 66 data bits:

As detailed at KeeLoq, the algorithm has been shown to be vulnerable to a variety of attacks, and has been completely broken.

Rolljam vulnerability

A rolling code transmitted by radio signal that can be intercepted can be vulnerable to falsification. In 2015, it was reported that Samy Kamkar had built an inexpensive electronic device about the size of a wallet that could be concealed on or near a locked vehicle to capture a single keyless entry code to be used at a later time to unlock the vehicle. The device transmits a jamming signal to block the vehicle's reception of rolling code signals from the owner's fob, while recording these signals from both of his two attempts needed to unlock the vehicle. The recorded first code is forwarded (replayed) to the vehicle only when the owner makes the second attempt, while the recorded second code is retained for future use. Kamkar stated that this vulnerability had been widely known for years to be present in many vehicle types, but was previously undemonstrated. [3] A demonstration was done during DEF CON 23. [4]

Related Research Articles

In cryptography, pseudorandom noise (PRN) is a signal similar to noise which satisfies one or more of the standard tests for statistical randomness. Although it seems to lack any definite pattern, pseudorandom noise consists of a deterministic sequence of pulses that will repeat itself after its period.

In telecommunications, squelch is a circuit function that acts to suppress the audio output of a receiver in the absence of a strong input signal. Essentially, squelch is a specialized type of noise gate designed to suppress weak signals. Squelch is used in two-way radios and VHF/UHF radio scanners to eliminate the sound of noise when the radio is not receiving a desired transmission.

A prefix code is a type of code system distinguished by its possession of the "prefix property", which requires that there is no whole code word in the system that is a prefix of any other code word in the system. It is trivially true for fixed-length codes, so only a point of consideration for variable-length codes.

<span class="mw-page-title-main">Remote control</span> Device used to control other device remotely

In electronics, a remote control is an electronic device used to operate another device from a distance, usually wirelessly. In consumer electronics, a remote control can be used to operate devices such as a television set, DVD player or other digital home media appliance. A remote control can allow operation of devices that are out of convenient reach for direct operation of controls. They function best when used from a short distance. This is primarily a convenience feature for the user. In some cases, remote controls allow a person to operate a device that they otherwise would not be able to reach, as when a garage door opener is triggered from outside.

<span class="mw-page-title-main">Ciphertext</span> Encrypted information

In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher to decrypt it. This process prevents the loss of sensitive information via hacking. Decryption, the inverse of encryption, is the process of turning ciphertext into readable plaintext. Ciphertext is not to be confused with codetext because the latter is a result of a code, not a cipher.

A cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG) is a pseudorandom number generator (PRNG) with properties that make it suitable for use in cryptography. It is also referred to as a cryptographic random number generator (CRNG).

<span class="mw-page-title-main">Radio control</span> Use of radio signals to remotely control a device, vehicle or drone

Radio control is the use of control signals transmitted by radio to remotely operate a device. Examples of simple radio control systems are garage door openers and keyless entry systems for vehicles, in which a small handheld radio transmitter unlocks or opens doors. Radio control is also used for control of model vehicles from a hand-held radio transmitter. Industrial, military, and scientific research organizations make use of radio-controlled vehicles as well. A rapidly growing application is control of unmanned aerial vehicles for both civilian and military uses, although these have more sophisticated control systems than traditional applications.

<span class="mw-page-title-main">Coding theory</span> Study of the properties of codes and their fitness

Coding theory is the study of the properties of codes and their respective fitness for specific applications. Codes are used for data compression, cryptography, error detection and correction, data transmission and data storage. Codes are studied by various scientific disciplines—such as information theory, electrical engineering, mathematics, linguistics, and computer science—for the purpose of designing efficient and reliable data transmission methods. This typically involves the removal of redundancy and the correction or detection of errors in the transmitted data.

A replay attack is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a spoofing attack by IP packet substitution. This is one of the lower-tier versions of a man-in-the-middle attack. Replay attacks are usually passive in nature.

Key generation is the process of generating keys in cryptography. A key is used to encrypt and decrypt whatever data is being encrypted/decrypted.

<span class="mw-page-title-main">Garage door opener</span> Motorized device that opens and closes garage doors

A garage door opener is a motorized device that opens and closes a garage door controlled by switches on the garage wall. Most also include a handheld radio remote control carried by the owner, which can be used to open and close the door from a short distance.

<span class="mw-page-title-main">Smart key</span> Electronic access and authorization system

A smart key is an electronic access and authorization system that is available either as standard equipment or an option in several car designs. It was developed by Siemens in 1995 and introduced by Mercedes-Benz under the name "Keyless-Go" in 1998 on the W220 S-Class, after the design patent was filed by Daimler-Benz on May 17, 1997.

<span class="mw-page-title-main">Car key</span> Key used to open and/or start an automobile

A car key or an automobile key is a key used to open and/or start an automobile. Modern key designs are usually symmetrical, and some use grooves on both sides, rather than a cut edge, to actuate the lock. It has multiple uses for the automobile with which it was sold. A car key can open the doors, as well as start the ignition, open the glove compartment and also open the trunk (boot) of the car. Some cars come with an additional key known as a valet key that starts the ignition and opens the driver's side door, but prevents the valet from gaining access to valuables that are located in the trunk or the glove box. Some valet keys, particularly those to high-performance vehicles, go so far as to restrict the engine's power output to prevent joyriding. Recently, features such as coded immobilizers have been implemented in newer vehicles. More sophisticated systems make ignition dependent on electronic devices, rather than the mechanical keyswitch. A number of these systems, such as KeeLoq and Megamos Crypto have been demonstrated to be weak and vulnerable to cryptanalytic attacks.

<span class="mw-page-title-main">Remote keyless system</span> Electronic lock without a mechanical key

A remote keyless system (RKS), also known as remote keyless entry (RKE) or remote central locking, is an electronic lock that controls access to a building or vehicle by using an electronic remote control (activated by a handheld device or automatically by proximity). RKS largely and quickly superseded keyless entry, a budding technology that restrictively bound locking and locking functions to vehicle-mounted keypads.

Microchip Technology Incorporated is a publicly listed American corporation that manufactures microcontroller, mixed-signal, analog, and Flash-IP integrated circuits. Its products include microcontrollers, Serial EEPROM devices, Serial SRAM devices, embedded security devices, radio frequency (RF) devices, thermal, power, and battery management analog devices, as well as linear, interface and wireless products.

KeeLoq is a proprietary hardware-dedicated block cipher that uses a non-linear feedback shift register (NLFSR). The uni-directional command transfer protocol was designed by Frederick Bruwer of Nanoteq (Pty) Ltd., the cryptographic algorithm was created by Gideon Kuhn at the University of Pretoria, and the silicon implementation was by Willem Smit at Nanoteq (Pty) Ltd in the mid-1980s. KeeLoq was sold to Microchip Technology Inc in 1995 for $10 million. It is used in 'hopping code' encoders and decoders such as NTQ105/106/115/125D/129D, HCS101/2XX/3XX/4XX/5XX and MCS31X2. KeeLoq has been used in many remote keyless entry systems by such companies like Chrysler, Daewoo, Fiat, Ford, GM, Honda, Mercedes-Benz, Toyota, Volvo, Volkswagen Group, Clifford, Shurlok, and Jaguar.

<span class="mw-page-title-main">Radio</span> Use of radio waves to carry information

Radio is the technology of communicating using radio waves. Radio waves are electromagnetic waves of frequency between 3 hertz (Hz) and 300 gigahertz (GHz). They are generated by an electronic device called a transmitter connected to an antenna which radiates the waves. They are received by another antenna connected to a radio receiver. In addition to communication, radio is used for radar, radio navigation, remote control, remote sensing, and other applications.

<span class="mw-page-title-main">Samy Kamkar</span> American privacy and security researcher, computer hacker, whistleblower and entrepreneur

Samy Kamkar is an American privacy and security researcher, computer hacker and entrepreneur. At the age of 16, he dropped out of high school. One year later, he co-founded Fonality, a unified communications company based on open-source software, which raised over $46 million in private funding. In 2005, he created and released the fastest spreading virus of all time, the MySpace worm Samy, and was subsequently raided by the United States Secret Service under the Patriot Act. He also created SkyJack, a custom drone which hacks into any nearby Parrot drones allowing them to be controlled by its operator and created the Evercookie, which appeared in a top-secret NSA document revealed by Edward Snowden and on the front page of The New York Times. He has also worked with The Wall Street Journal, and discovered the illicit mobile phone tracking where the Apple iPhone, Google Android and Microsoft Windows Phone mobile devices transmit GPS and Wi-Fi information to their parent companies. His mobile research led to a series of class-action lawsuits against the companies and a privacy hearing on Capitol Hill. Kamkar has a chapter giving advice in Tim Ferriss' book Tools of Titans.

Automotive hacking is the exploitation of vulnerabilities within the software, hardware, and communication systems of automobiles.

<span class="mw-page-title-main">Orr Dunkelman</span> Israeli cryptographer and cryptanalyst

Orr Dunkelman is an Israeli cryptographer and cryptanalyst, currently a professor at the University of Haifa Computer Science department. Dunkelman is a co-director of the Center for Cyber Law & Privacy at the University of Haifa and a co-founder of Privacy Israel, an Israeli NGO for promoting privacy in Israel.

References

  1. Microchip (2001), HC301 KeeLoq Code Hopping Encoder (PDF), Microchip Technology Inc., DS21143B
  2. "Garage Door Remote Not Working Reasons". 4 November 2021.
  3. Thompson, Cadie (2015-08-06). "A hacker made a $30 gadget that can unlock many cars that have keyless entry". Tech Insider . Retrieved 2015-08-11.
  4. Kamkar, Samy (2015-08-07). "Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars". DEF CON 23. Retrieved 2015-08-11.