They’re small, they’re convenient, and, according to security researchers, they’re extremely hackable. The car key fob doesn’t exactly have the greatest reputation when it comes to digital security. Over the past few years, law enforcement agencies have alleged an uptick in the number of car thefts tied to hacking schemes and, more often than not, the key fob is the weak link that allows this to happen. But how, exactly, did the key fob end up being such a vulnerability? Here’s a quick rundown on why your car’s remote entry system is so damn hackable, and whether there’s anything you can do about it.
The Remote Keyless System and Its Many Foibles
Back in the day, car doors were like normal doors—you could only open them with a specific key. Then, in the 1990s, the key fob emerged. Suddenly, you could conveniently aim a piece of plastic at your car, press a button, and presto, the vehicle was unlocked. This seemingly magic process was accomplished via a short-range radio transmitter integrated into the key fob. The fob sends a signal to a receiver inside the vehicle that disarms the car’s lock system. Key fobs are part of what is technically known as the vehicle’s remote keyless system, or RKS. Different key fobs in different countries can operate at different radio frequencies. In America, pretty much all key fobs operate at a frequency of 315 MHz, though there are minor variations.
If opening your car via the magic of electromagnetic waves may be convenient, it comes with a certain amount of insecurity too. Radio signals can be intercepted if they’re not protected. Initially, when key fobs were first invented, their signals had few protections but, in recent years, car manufacturers have endeavored to provide cryptographic defenses for the device. The problem is that these defenses are not necessarily ironclad. There are ways to trick them.
Most modern car encryption is really just a “rolling code” system that deploys an algorithm-generated pseudo-random code within a preset range. Hackers have found ways around these protections, using creative methods and hardware to capture the necessary codes and redeploy them against cars.
How easy is the car key fob hack, really, though?
The scenarios in which a person could reliably hack their way into a car via a key fob compromise are…convoluted, to say the least. Indeed, while it might seem outwardly easy to intercept radio signals, the actual execution of that kind of digital attack is anything but simple. As one hapless amateur discovered when he tried to hack a car for his YouTube show, defeating a rolling code system takes a substantial effort that requires expertise and patience.
Bill Budington, an encryption expert and a technologist with the Electronic Frontier Foundation, said that it all depends on the type of car you’re dealing with and the kind of attack. “I haven’t heard of a lot of instances where a car was stolen outright, but it’s not out of the question,” Budington told Gizmodo. “It really just depends on the model of car and how hackable it is,” he added.
The replay attack
The easiest attacks involve fobs that were designed without a pseudo-randomized code system. These fobs just use the same code over and over again, which means that all an attacker has to do is capture the code, duplicate it, then re-deploy it. This is a classic Man-in-the-Middle attack, known technically as a “replay attack.” Cheap, off-the-shelf products are available online that allow for this kind of interception-and-duplication hacking scheme. “They weren’t building cars with advanced attack scenarios in mind when they were building them fifteen or twenty years ago,” Budington said.
The relay attack
The more complicated attack is known as the “relay attack.” This attack takes aim at the admittedly more secure rolling code security system in the modern car’s RKS. When it comes to the execution of the relay attack, however, there are a number of different variations.
Back in 2015, white hat hacker Samy Kamkar famously created what he calls the “RollJam attack,” which works by using a simple, $32 piece of hardware to intercept and then block a key fob’s signal to its vehicle. By doing this, Kamkar demonstrated that a hacker could nab a code that could then be redeployed in a later iteration of the car’s rolling security code sequence. In this scenario, a hacker intercepts, blocks, and records the driver’s first two unlock attempts via jamming. After the hacker has the first two codes, they quickly deploy the first code, which unlocks the vehicle for the driver. The driver then gets in the vehicle and proceeds to their destination. The hacker can then follow the driver to their destination and, with the second sequenced code that they previously captured, unlock the car when the driver leaves.
At the time of his debut of RollJam at that year’s DEFCON conference, Kamkar said he had successfully tested his attack on “Nissan, Cadillac, Ford, Toyota, Lotus, Volkswagen, and Chrysler vehicles, as well as Cobra and Viper alarm systems and Genie and Liftmaster garage door openers.”
Kamkar’s attack was later built upon via the “Rollback” attack, which debuted at one of 2022’s Blackhat conferences. Rollback streamlined certain parts of the exploit. A very similar exploit to RollJam/Rollback, the Rolling-PWN attack, was also publicized the same year. Researchers said that Rolling-PWN allowed “anyone to permanently open the car door or even start the car engine” of nearly half a dozen Honda models.
In short: For hackers with the requisite know-how, breaking the RKS rolling code system is not a problem.
What can you do?
Unfortunately, there’s probably not much you can do about this sort of thing. Car cybersecurity sucks and until manufacturers decide that they care about these vulnerabilities, they will persist. If you’re plagued by paranoid dreams of rogue hackers stealing your ride, you might try keeping your key fob inside a Faraday Cage. There are, in fact, many such products for sale on Amazon. But, again, this is of limited use. A cage could protect your fob from hackers who are trying to collect signals from your key fob while it’s at rest in your house or your pocket (yes, this is another thing that can happen). Of course, the unfortunate truth is that if you go this route you’ll likely have to keep the fob in the cage pretty much all of the time—except when you’re using it. And it won’t keep your fob safe when you’re actually unlocking your car, which is when a RollJam type attack would happen.
Frankly, people might also think you’re sort of weird if you insist on carrying your key fob around in a tinfoil-encased pouch all the time. They’ll definitely think you’re weird, in fact. Maybe it’s a small price to pay if you’re convinced people are out to steal your car, though. The choice is yours.