Does pressing a car remote many times offer denial of service attack for rolling codes?













146















My understanding of remote car key fobs, and similar security devices with rolling codes, is that the key device is a transmitter that, each time the button is pressed, sends the next secret in a known sequence that is unique to the key. It does not contain a receiver.



Meanwhile, the receiver in the car tracks (for each key fob it recognises) what it expects the next secret to be, and only unlocks if it receives the correct code.



There is a risk that a transmission may be lost - e.g. the button pressed when out of range - so the receiver actually accepts any of the next few secrets in the sequence. I have heard of one system that allowed a window of up to 256, but I don't know if that number is correct and whether it is typical.



If my understanding is correct, it is possible to render a key fob useless (i.e. perform a denial of service attack on the owner) by pressing the button at least 256 times while out of the range of the car.



This obviously relies on access to the key fob, but not when the car is close - which is a time the user may be less vigilant.



So, if a friend gets drunk in a pub, I can make sure they can't drive home by rapidly pressing their car remote 300 times while they are in the bathroom.



It has always bothered me that such an attack is possible, and yet I have never heard of anyone performing it, which makes me doubt that I have understood this completely.



























  • 31





    A) You don't need the key fob to work to drive home. They contain back-up physical keys. B) If you want to prank your friend by disabling their key fob, wouldn't it be easier to just take the battery out and pocket it, rather than to push the button 300 times?

    – Xander
    Jan 23 at 13:11






  • 5





    @Xander: It's been a while since I thought about it, but I believe my aftermarket alarm includes an immobiliser that requires the fob to deactivate. The physical car key isn't enough. Ironically, I keep a spare battery and jeweller's screwdriver in my glovebox and don't know the reset sequence in ThoriumBR's answer, so I am not typical.

    – Oddthinking
    Jan 23 at 13:24






  • 47





    Let's be clear. Crushing the remote under your heel would also be a denial of service, but this is really more about understanding the weaknesses than actually attacking effectively.

    – Oddthinking
    Jan 23 at 13:26






  • 23





    You guys need to read your owner's manuals. I guarantee there's a way to start it with a "dead" fob. Sometimes, there's a backup manual key that you need to remove by popping open the fob, and a matching keyhole under a trim cover on the steering column. Other times, there's a passive RFID tag inside the fob, totally separate from the active electronics, which is read when pressed against an indicated spot on the steering column - and a separate manual key just for opening doors. No car manufacturer would make a car that could be rendered useless by a dead fob; they'd be ridiculed out of business.

    – dwizum
    Jan 23 at 18:38






  • 7





    Note also that newer cars are likely to use challenge-response type of authentication instead of a simple rolling code. This involves bidirectional communication between key and car, so the key knows if the car is not receiving.

    – jpa
    Jan 23 at 19:41















wireless locks vehicle
















asked Jan 23 at 12:56









Oddthinking


















3 Answers


















228















it is possible to render a key fob useless by pressing the button at least 256 times while out of the range of the car.




Not useless, but desynchronized. Any car will allow you to re-synchronize, and one example of a typical procedure is:



  • Turn the ignition key on and off eight times in less than 10 seconds. This tells the security system in the car to switch over to programming mode.


  • Press a button on all of the transmitters you want the car to recognize. Most cars allow at least four transmitters.


  • Switch the ignition off.



yet I have never heard of anyone performing it




You don't have any 3-year-olds around?



My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.



Three-year-olds can be dangerous, relentless attackers, so take care with the physical security of your key fobs.


























  • 58





    Perfect. With that anecdote, this becomes a great answer.

    – Oddthinking
    Jan 23 at 15:08






  • 11





    How can you turn the car on and off eight times if your key fob is desynchronized?

    – stannius
    Jan 23 at 16:53







  • 32





    @stannius by opening the door using the real key, instead of remotely.

    – hobbs
    Jan 23 at 17:08






  • 10





    Oh, the rolling codes are just for opening the doors, and keyless start systems use a transponder, which isn't subject to the same hypothetical DOS attack.

    – stannius
    Jan 23 at 17:10







  • 45





    I think saying "any car" and "typical procedure" is a bit generous. There are many ways to have a car learn a new key fob or synchronize an old one. Some can be done on your own, and some require regulated dealer-level equipment. I think the only thing you can say is here is one such procedure for one certain model of car (some date range of Ford cars in this case).

    – JPhi1618
    Jan 23 at 21:03


















43














A typical rolling code fob from a decade ago which used a 64-bit payload would unlock if it received one code that was within 16 of what it was expecting, or two consecutive codes that were within 32768 of what it was expecting and adjacent to each other. Pushing the button 32768 times would cause a fob to become sufficiently desynchronized as to be useless, but only if the battery lasted that long.



As payload sizes have increased, the need to have a tight window has decreased. The bigger problem with rolling codes is that they have no immunity against passive relay or jam and replay attacks. If someone uses the same key fob button to operate two garages, someone who receives the code sent at one garage could relay it to someone at the other garage and use it any time before the original owner next uses his fob. Someone who puts a jammer near a receiver and has their own receiver nearer a person's key fob could capture a few transmissions while preventing the receiver from hearing them, and then transmit the first code they receive. The person with the key fob may be annoyed at how unreliable it seems to be, but would be unlikely to perceive anything wrong. Unless he uses his fob again when it isn't jammed, however, the crooks would have a second code that they could use at their leisure.
























  • 4





    I don't think the second paragraph is relevant, but the first has very relevant information not found in the accepted answer. It would be even better if you could expand on that to include the margins of a typical fob today with the larger payload size.

    – ArrowCase
    Jan 23 at 19:37






  • 6





    @ArrowCase, I too would like to see more information on modern margins, but the second paragraph is still excellent even though not directly an answer to the question. I'm glad it's there.

    – Wildcard
    Jan 23 at 20:58






  • 15





    @Wildcard: Among other things, the second paragraph is intended to help put the described attack in perspective. Security design requires weighing the cost of guarding against various attacks with the risks posed thereby, and accepting the possibility of attacks that aren't guarded against. Rolling codes accept certain vulnerabilities to facilitate low-cost implementation, and while the DOS attack is a vulnerability it is minor compared to far more serious ones which--unlike the DOS attack--don't require that attackers have unfettered access to the fob.

    – supercat
    Jan 23 at 21:56
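The acceptance windows described in the answer above (one code within 16 of the expected value, or two adjacent codes within 32768) can be modelled as a small receiver state machine. This is an added example, not code from any of the posts or from a real fob: the 16-bit counter, the HMAC used as a stand-in for the fob's cipher, and every name in it are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

COUNTER_BITS = 16              # assumption: 16-bit synchronisation counter
COUNTER_MOD = 1 << COUNTER_BITS
SINGLE_WINDOW = 16             # one code this close to the last accepted one unlocks
DOUBLE_WINDOW = 32768          # two adjacent codes this close resynchronise

Code = Tuple[int, bytes]
DEMO_KEY = b"constructed-demo-key"   # constructed sample key, shared by fob and car


def _tag(key: bytes, counter: int) -> bytes:
    """Stand-in for the fob's cipher: truncated HMAC-SHA256 over the counter."""
    return hmac.new(key, counter.to_bytes(2, "big"), hashlib.sha256).digest()[:8]


@dataclass
class Fob:
    key: bytes
    counter: int = 0

    def press(self) -> Code:
        """Transmit-only device: the counter advances whether or not the car hears it."""
        self.counter = (self.counter + 1) % COUNTER_MOD
        return self.counter, _tag(self.key, self.counter)


@dataclass
class Receiver:
    key: bytes
    last: int = 0                    # last counter value accepted
    pending: Optional[int] = None    # first half of a two-code resynchronisation

    def receive(self, code: Code) -> str:
        counter, tag = code
        if not hmac.compare_digest(tag, _tag(self.key, counter)):
            return "reject-bad-code"
        ahead = (counter - self.last) % COUNTER_MOD
        if ahead == 0 or ahead > DOUBLE_WINDOW:
            # Already-used (replayed) code, or a fob that has run too far ahead.
            self.pending = None
            return "reject-out-of-window"
        if ahead <= SINGLE_WINDOW:
            self.last, self.pending = counter, None
            return "unlock"
        if self.pending is not None and counter == (self.pending + 1) % COUNTER_MOD:
            # Second of two adjacent codes inside the wide window: resynchronise.
            self.last, self.pending = counter, None
            return "unlock-resynced"
        self.pending = counter
        return "need-second-code"


def scenario(wasted_presses: int, attempts: int = 3) -> List[str]:
    """Press the fob out of range `wasted_presses` times, then `attempts` times in range."""
    fob, car = Fob(DEMO_KEY), Receiver(DEMO_KEY)
    for _ in range(wasted_presses):
        fob.press()
    return [car.receive(fob.press()) for _ in range(attempts)]


def replay_after_use() -> str:
    """A code the car has already accepted is behind the counter and is refused."""
    fob, car = Fob(DEMO_KEY), Receiver(DEMO_KEY)
    captured = fob.press()
    car.receive(captured)
    return car.receive(captured)


if __name__ == "__main__":
    for wasted in (10, 300, 32768):
        print(wasted, scenario(wasted))
    print("replay:", replay_after_use())
```

In this model, 300 wasted presses cost the owner one extra button press, while 32768 leave the fob rejected until it is re-learned by the car.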


















20














The problem with the attack as you're describing it is that it's glossing over a lot of details about how keyless entry and start systems work, and details about built-in backup systems, some of which have been covered in comments on the question and other answers.



First, let's cover getting into the vehicle: In other words: could the attack described in the question function as denial of service in the sense that it would stop you from entering the vehicle?



  • Manufacturers of automobiles understand that active electronics are prone to faults, and hence they design workarounds. For instance, key fobs provided for remote or hands-free unlocking of doors typically include a backup physical key, which can be used in a backup keyhole in the door to open the vehicle if it is locked. So, an attack designed to disable the rolling code process of authenticating the key would not stop someone in possession of the key fob from getting into the vehicle.

  • Further, some keyless hands-free transponders (ie the variety that unlock the door when you touch the door handle) work on bidirectional communication, so once again a rolling-code-disabling attack wouldn't stop you from entering the vehicle.

Now, let's cover starting it once you're inside: Could the attack stop you from starting and driving the vehicle once you were inside?



  • Vehicles with keyless start (ie a "push to start" button) work with bidirectional transponders, not rolling codes - the starting sequence includes two-way communication between the vehicle and key. So, an attack designed to disrupt rolling code generation would not stop someone in possession of a functional key fob from starting the vehicle once they were inside it.

  • Further, vehicles with keyless start typically include a passive starting mechanism, designed to allow you to drive the vehicle in the event that the active electronics in the fob have been disabled (for instance, if the battery dies). These systems are typically meant to be "idiot proof" and not involve complicated procedures - typically, you hold the fob itself against the start button, or you hold the fob against a designated spot on the steering column (both of which nicely mimic the old-fashioned method of using a physical key), or the backup physical key you use to enter the vehicle also works in a hidden keyhole on the steering column. So - once again, even if the active electronics are disabled in the fob, as long as you have the fob, you can still start and drive the vehicle.

  • Cars with fobs always have procedures to re-sync a new (or disabled) fob to the vehicle. These procedures are designed to allow an owner to sync a replacement fob, ie in the event that their original fob(s) have been destroyed or lost. Sometimes, these procedures are complicated, and sometimes they require some sort of backup authentication mechanism - ie you need to have another working fob, or you need one of the built-in backup keys from a working fob, or you need a brand-specific diagnostics tool plugged into the vehicle. This makes things inconvenient for sure, but as a last backup against the above-mentioned points, it would still let you operate the vehicle if all else failed, and you remained in possession of a fob that had somehow been un-synced from the vehicle.

So - in summary - if the premise of the question is,




Can I perform a denial of service attack - ie, prevent someone from using a vehicle - with an attack designed to disable the rolling code feature potentially used by the fob to authenticate with the vehicle?




The answer is pretty much no, that won't be an effective denial of service attack.



If, instead, the question was,




Can I make it annoying or difficult to use a car by disabling the rolling code feature in the key fob?




The answer is probably yes, although this is somewhat subjective. If you have a friend who isn't very "aware" of how their vehicle works, and doesn't understand the backup features, and is out of their wits because they've been drinking, then yes - this would probably be an effective denial of service attack. But so would removing the battery from the fob, which is probably easier and quicker than button-mashing a few hundred or thousand times. And it's definitely easier and quicker to just take their keys.



As a final footnote, if the question was meant to include aftermarket alarms/security systems installed on vehicles, I think it's safe to say all bets are off since there have been a variety of such systems over the years that work (or don't) in all kinds of different ways - some of which are just as destructive as poorly designed antivirus software, in the sense that they cause loss of use just as much as they prevent a perceived problem.



If the question was meant to include garage door systems, then - yes - it will basically work, at least against older, simpler systems that had a button-mash potential that was reasonable (hundreds, versus tens of thousands). However, it would still likely only be an inconvenience, as most garage door systems also have backups - ie, the homeowner can enter through another door, make their way into the garage, and pull the manual release handle on the door's drive system, which decouples the opener from the door and allows the door to be opened by hand.





























  • My garage doesn't have another door. One side wall is hard against the neighbours garage, the other side wall and the back wall are buried.

    – Martin Bonner
    Jan 24 at 16:17






  • 5





    @MartinBonner in most US jurisdictions, that violates building codes. My garage, which is L shaped and has a "people" door at the top L and out of view of the "car" door is borderline...

    – FreeMan
    Jan 24 at 20:00







  • 2





    But, I am not really trying to best attack my friends. I am trying to shore up an apparent hole in my academic understanding of rolling codes. So, my question was really "Does this theoretical weakness exist (which might then require alternative processes to overcome)?" which you seem to acknowledge in passing is the case.

    – Oddthinking
    Jan 24 at 20:53






  • 1





    I think this is a matter of where you draw the circles around the border of the "system". If you draw it tightly around the rolling codes part of the remote, there is a hole. If you draw it more loosely around the whole physical key/backup fob/resynch process/crawling through garage windows system, there is no hole.

    – Oddthinking
    Jan 24 at 20:56






  • 2





    @FreeMan: That's not always true. I once lived in a place with a detached garage with no service door or windows. There was a key lock on the face of the garage door. With the correct key inserted, you could pull out the lock's cylinder, which was attached by a metal cable to the manual door release. I had to use it once when the opener's motor died.

    – Dr Sheldon
    Jan 26 at 7:04










Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f202026%2fdoes-pressing-a-car-remote-many-times-offer-denial-of-service-attack-for-rolling%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









228































it is possible to render a key fob useless by pressing the button at least 256 times while out of the range of the car.




Not useless, but desynchronized. Any car will allow you to re-synchronize, and one example of a typical procedure is:



  • Turn the ignition key on and off eight times in less than 10 seconds. This tells the security system in the car to switch over to programming mode.


  • Press a button on all of the transmitters you want the car to recognize. Most cars allow at least four transmitters.


  • Switch the ignition off.



yet I have never heard of anyone performing it




You don't have any 3-year-olds around?



My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.



Three-year-olds can be dangerous, relentless attackers, so take care with the physical security of your key fobs.















edited Jan 28 at 15:36
Dan Henderson

answered Jan 23 at 13:11
ThoriumBR







  • 58





    Perfect. With that anecdote, this becomes a great answer.

    – Oddthinking
    Jan 23 at 15:08






  • 11





    How can you turn the car on and off eight times if your key fob is desynchronized?

    – stannius
    Jan 23 at 16:53







  • 32





    @stannius by opening the door using the real key, instead of remotely.

    – hobbs
    Jan 23 at 17:08






  • 10





    Oh, the rolling codes are just for opening the doors, and keyless start systems use a transponder, which isn't subject to the same hypothetical DOS attack.

    – stannius
    Jan 23 at 17:10







  • 45





    I think saying "any car" and "typical procedure" is a bit generous. There are many ways to have a car learn a new key fob or synchronize an old one. Some can be done on your own, and some require regulated dealer-level equipment. I think the only thing you can say is here is one such procedure for one certain model of car (some date range of Ford cars in this case).

    – JPhi1618
    Jan 23 at 21:03

























43



























A typical rolling code fob from a decade ago which used a 64-bit payload would unlock if it received one code that was within 16 of what it was expecting, or two consecutive codes that were within 32768 of what it was expecting and adjacent to each other. Pushing the button 32768 times would cause a fob to become sufficiently desynchronized as to be useless, but only if the battery lasted that long.



As payload sizes have increased, the need to have a tight window has decreased. The bigger problem with rolling codes is that they have no immunity against passive relay or jam and replay attacks. If someone uses the same key fob button to operate two garages, someone who receives the code sent at one garage could relay it to someone at the other garage and use it any time before the original owner next uses his fob. Someone who puts a jammer near a receiver and has their own receiver nearer a person's key fob could capture a few transmissions while preventing the receiver from hearing them, and then transmit the first code they receive. The person with the key fob may be annoyed at how unreliable it seems to be, but would be unlikely to perceive anything wrong. Unless he uses his fob again when it isn't jammed, however, the crooks would have a second code that they could use at their leisure.

















answered Jan 23 at 17:51
supercat







  • 4





    I don't think the second paragraph is relevant, but the first has very relevant information not found in the accepted answer. It would be even better if you could expand on that to include the margins of a typical fob today with the larger payload size.

    – ArrowCase
    Jan 23 at 19:37






  • 6





    @ArrowCase, I too would like to see more information on modern margins, but the second paragraph is still excellent even though not directly an answer to the question. I'm glad it's there.

    – Wildcard
    Jan 23 at 20:58






  • 15





    @Wildcard: Among other things, the second paragraph is intended to help put the described attack in perspective. Security design requires weighing the cost of guarding against various attacks with the risks posed thereby, and accepting the possibility of attacks that aren't guarded against. Rolling codes accept certain vulnerabilities to facilitate low-cost implementation, and while the DOS attack is a vulnerability it is minor compared to far more serious ones which--unlike the DOS attack--don't require that attackers have unfettered access to the fob.

    – supercat
    Jan 23 at 21:56
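The acceptance rule described in supercat's answer above (one code within 16 of the expected value, or two adjacent codes within 32768) can be modelled as follows. This is an added Python sketch, not code from the thread or from any real fob: the HMAC-tagged counter stands in for a real fob's encrypted payload, counter wrap-around is not modelled, and the key, class and function names are assumptions made for the example.

```python
import hashlib
import hmac

SINGLE_WINDOW = 16      # one code at most this far ahead unlocks immediately
RESYNC_WINDOW = 32768   # two adjacent codes at most this far ahead resynchronize
DEMO_KEY = b"constructed-demo-key"  # constructed sample key, not a real one


def make_code(key, counter):
    """Return (counter, tag): the counter authenticated with a truncated HMAC.

    Assumption: real fobs encrypt the counter; a MAC keeps the model simple.
    """
    tag = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:8]
    return counter, tag


class Fob:
    """Transmit-only device: every press advances the counter, heard or not."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def press(self):
        self.counter += 1
        return make_code(self.key, self.counter)


class Receiver:
    def __init__(self, key):
        self.key = key
        self.last = 0        # highest counter accepted so far
        self.pending = None  # far-ahead counter waiting for its successor

    def receive(self, code):
        counter, tag = code
        if counter < 0 or not hmac.compare_digest(tag, make_code(self.key, counter)[1]):
            return "reject:bad-tag"
        ahead = counter - self.last
        if ahead <= 0:
            return "reject:replay"            # already used or older than last accepted
        if ahead <= SINGLE_WINDOW:
            self.last, self.pending = counter, None
            return "unlock"
        if ahead <= RESYNC_WINDOW:
            if self.pending is not None and counter == self.pending + 1:
                self.last, self.pending = counter, None
                return "unlock:resync"        # second of two adjacent codes
            self.pending = counter            # remember it, wait for the next press
            return "pending"
        self.pending = None
        return "reject:out-of-window"         # only re-pairing with the car recovers


def simulate(presses_out_of_range, presses_in_range=3):
    """Press the fob where the receiver cannot hear it, then within range."""
    fob, receiver = Fob(DEMO_KEY), Receiver(DEMO_KEY)
    for _ in range(presses_out_of_range):
        fob.press()
    return [receiver.receive(fob.press()) for _ in range(presses_in_range)]


def unheard_code_lifetime():
    """A code the receiver never heard stays valid until a newer one is accepted."""
    fob, receiver = Fob(DEMO_KEY), Receiver(DEMO_KEY)
    unheard = fob.press()                              # counter 1, never delivered
    still_valid = Receiver(DEMO_KEY).receive(unheard)  # receiver in the same state
    heard = receiver.receive(fob.press())              # counter 2 accepted normally
    after_newer = receiver.receive(unheard)            # counter 1 is now stale
    return still_valid, heard, after_newer


if __name__ == "__main__":
    for n in (10, 300, 32768):
        print(n, simulate(n))
    print(unheard_code_lifetime())
```

With these window sizes, 300 unheard presses cost the owner one extra press, while 32768 leave the fob rejected until it is re-paired. The last function shows why a successful press from the owner is what retires any earlier code the receiver missed.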























20














The problem with the attack as you're describing it is that it's glossing over a lot of details about how keyless entry and start systems work, and details about built-in backup systems, some of which have been covered in comments on the question and other answers.



First, let's cover getting into the vehicle: In other words: could the attack described in the question function as denial of service in the sense that it would stop you from entering the vehicle?



  • Manufacturers of automobiles understand that active electronics are prone to faults, and hence they design workarounds. For instance, key fobs provided for remote or hands-free unlocking of doors typically include a backup physical key, which can be used in a backup keyhole in the door to open the vehicle if it is locked. So, an attack designed to disable the rolling code process of authenticating the key would not stop someone in possession of the key fob from getting into the vehicle.

  • Further, some keyless hands-free transponders (ie the variety that unlock the door when you touch the door handle) work on bidirectional communication, so once again a rolling-code-disabling attack wouldn't stop you from entering the vehicle.

Now, let's cover starting it once you're inside: Could the attack stop you from starting and driving the vehicle once you were inside?



  • Vehicles with keyless start (ie a "push to start" button) work with bidirectional transponders, not rolling codes - the starting sequence includes two-way communication between the vehicle and key. So, an attack designed to disrupt rolling code generation would not stop someone in possession of a functional key fob from starting the vehicle once they were inside it.

  • Further, vehicles with keyless start typically include a passive starting mechanism, designed to allow you to drive the vehicle in the event that the active electronics in the fob have been disabled (for instance, if the battery dies). These systems are typically meant to be "idiot proof" and not involve complicated procedures - typically, you hold the fob itself against the start button, or you hold the fob against a designated spot on the steering column (both of which nicely mimic the old-fashioned method of using a physical key), or the backup physical key you use to enter the vehicle also works in a hidden keyhole on the steering column. So - once again, even if the active electronics are disabled in the fob, as long as you have the fob, you can still start and drive the vehicle.

  • Cars with fobs always have procedures to re-sync a new (or disabled) fob to the vehicle. These procedures are designed to allow an owner to sync a replacement fob, ie in the event that their original fob(s) have been destroyed or lost. Sometimes, these procedures are complicated, and sometimes they require some sort of backup authentication mechanism - ie you need to have another working fob, or you need one of the built-in backup keys from a working fob, or you need a brand-specific diagnostics tool plugged into the vehicle. This makes things inconvenient for sure, but as a last backup against the above-mentioned points, it would still let you operate the vehicle if all else failed, and you remained in possession of a fob that had somehow been un-synced from the vehicle.

So - in summary - if the premise of the question is,




Can I perform a denial of service attack - ie, prevent someone from using a vehicle - with an attack designed to disable the rolling code feature potentially used by the fob to authenticate with the vehicle?




The answer is pretty much no, that won't be an effective denial of service attack.



If, instead, the question was,




Can I make it annoying or difficult to use a car by disabling the rolling code feature in the key fob?




The answer is probably yes although this is somewhat subjective. If you have a friend who isn't very "aware" of how their vehicle works, and doesn't understand the backup features, and is out of their wits because they've been drinking, then yes - this would probably be an effective denial of service attack. But so would removing the battery from the fob, which is probably easier and quicker than button-mashing a few hundred or thousand times. And it's definitely easier and quicker to just take their keys.



As a final footnote, if the question was meant to include aftermarket alarms/security systems installed on vehicles, I think it's safe to say all bets are off since there have been a variety of such systems over the years that work (or don't) in all kinds of different ways - some of which are just as destructive as poorly designed antivirus software, in the sense that they cause loss of use just as much as they prevent a perceived problem.



If the question was meant to include garage door systems, then - yes - it will basically work, at least against older, simpler systems that had a button-mash potential that was reasonable (hundreds, versus tens of thousands). However, it would still likely only be an inconvenience, as most garage door systems also have backups - ie, the homeowner can enter through another door, make their way into the garage, and pull the manual release handle on the door's drive system, which decouples the opener from the door and allows the door to be opened by hand.





























  • My garage doesn't have another door. One side wall is hard against the neighbours garage, the other side wall and the back wall are buried.

    – Martin Bonner
    Jan 24 at 16:17






  • 5





    @MartinBonner in most US jurisdictions, that violates building codes. My garage, which is L shaped and has a "people" door at the top L and out of view of the "car" door is borderline...

    – FreeMan
    Jan 24 at 20:00







  • 2





    But, I am not really trying to best attack my friends. I am trying to shore up an apparent hole in my academic understanding of rolling codes. So, my question was really "Does this theoretical weakness exist (which might then require alternative processes to overcome)?" which you seem to acknowledge in passing is the case.

    – Oddthinking
    Jan 24 at 20:53






  • 1





    I think this is a matter of where you draw the circles around the border of the "system". If you draw it tightly around the rolling codes part of the remote, there is a hole. If you draw it more loosely around the whole physical key/backup fob/resynch process/crawling through garage windows system, there is no hole.

    – Oddthinking
    Jan 24 at 20:56






  • 2





    @FreeMan: That's not always true. I once lived in a place with a detached garage with no service door or windows. There was a key lock on the face of the garage door. With the correct key inserted, you could pull out the lock's cylinder, which was attached by a metal cable to the manual door release. I had to use it once when the opener's motor died.

    – Dr Sheldon
    Jan 26 at 7:04















20














The problem with the attack as you're describing it is that it's glossing over a lot of details about how keyless entry and start systems work, and details about built-in backup systems, some of which have been covered in comments on the question and other answers.



First, let's cover getting into the vehicle: In other words: could the attack described in the question function as denial of service in the sense that it would stop you from entering the vehicle?



  • Manufacturers of automobiles understand that active electronics are prone to faults, and hence they design workarounds. For instance, key fobs provided for remote or hands-free unlocking of doors typically include a backup physical key, which can be used in a backup keyhole in the door to open the vehicle if it is locked. So, an attack designed to disable the rolling code process of authenticating the key would not stop someone in possession of the key fob from getting into the vehicle.

  • Further, some keyless hands-free transponders (ie the variety that unlock the door when you touch the door handle) work on bidirectional communication, so once again a rolling-code-disabling attack wouldn't stop you from entering the vehicle.

Now, let's cover starting it once you're inside: Could the attack stop you from starting and driving the vehicle once you were inside?



  • Vehicles with keyless start (ie a "push to start" button) work with bidirectional transponders, not rolling codes - the starting sequence includes two-way communication between the vehicle and key. So, an attack designed to disrupt rolling code generation would not stop someone in possession of a functional key fob from starting the vehicle once they were inside it.

  • Further, vehicles with keyless start typically include a passive starting mechanism, designed to allow you to drive the vehicle in the event that the active electronics in the fob have been disabled. (for instance, if the battery dies). These systems are typically meant to be "idiot proof" and not involve complicated procedures - typically, you hold the fob itself against the start button, or you hold the fob against a designated spot on the steering column (both of which which nicely mimic the old-fashioned method of using a physical key), or the backup physical key you use to enter the vehicle also works in a hidden keyhole on the steering column. So - once again, even if the active electronics are disabled in the fob, as long as you have the fob, you can still start and drive the vehicle.

  • Cars with fobs always have procedures to re-sync a new (or disabled) fob to the vehicle. These procedures are designed to allow an owner to sync a replacement fob, ie in the event that their original fob(s) have been destroyed or lost. Sometimes, these procedures are complicated, and sometimes they require some sort of backup authentication mechanism - ie you need to have another working fob, or you need one of the built-in backup keys from a working fob, or you need a brand-specific diagnostics tool plugged into the vehicle. This makes things inconvenient for sure, but as a last backup against the above-mentioned points, it would still let you operate the vehicle if all else failed, and you remained in possession of a fob that had somehow been un-synced from the vehicle.

So - in summary - if the premise of the question is,




Can I perform a denial of service attack - i.e., prevent someone from using a vehicle - with an attack designed to disable the rolling code feature potentially used by the fob to authenticate with the vehicle?




The answer is pretty much no, that won't be an effective denial of service attack.



If, instead, the question was,




Can I make it annoying or difficult to use a car by disabling the rolling code feature in the key fob?




The answer is probably yes, although this is somewhat subjective. If you have a friend who isn't very "aware" of how their vehicle works, and doesn't understand the backup features, and is out of their wits because they've been drinking, then yes - this would probably be an effective denial of service attack. But so would removing the battery from the fob, which is probably easier and quicker than button-mashing a few hundred or thousand times. And it's definitely easier and quicker to just take their keys.



As a final footnote, if the question was meant to include aftermarket alarms/security systems installed on vehicles, I think it's safe to say all bets are off since there have been a variety of such systems over the years that work (or don't) in all kinds of different ways - some of which are just as destructive as poorly designed antivirus software, in the sense that they cause loss of use just as much as they prevent a perceived problem.



If the question was meant to include garage door systems, then - yes - it will basically work, at least against older, simpler systems that had a button-mash potential that was reasonable (hundreds, versus tens of thousands). However, it would still likely only be an inconvenience, as most garage door systems also have backups - i.e., the homeowner can enter through another door, make their way into the garage, and pull the manual release handle on the door's drive system, which decouples the opener from the door and allows the door to be opened by hand.






answered Jan 24 at 14:22

dwizum












  • My garage doesn't have another door. One side wall is hard against the neighbour's garage, the other side wall and the back wall are buried.

    – Martin Bonner
    Jan 24 at 16:17






  • 5





    @MartinBonner in most US jurisdictions, that violates building codes. My garage, which is L shaped and has a "people" door at the top L and out of view of the "car" door is borderline...

    – FreeMan
    Jan 24 at 20:00







  • 2





    But, I am not really trying to best attack my friends. I am trying to shore up an apparent hole in my academic understanding of rolling codes. So, my question was really "Does this theoretical weakness exist (which might then require alternative processes to overcome)?" which you seem to acknowledge in passing is the case.

    – Oddthinking
    Jan 24 at 20:53






  • 1





    I think this is a matter of where you draw the circles around the border of the "system". If you draw it tightly around the rolling codes part of the remote, there is a hole. If you draw it more loosely around the whole physical key/backup fob/resynch process/crawling through garage windows system, there is no hole.

    – Oddthinking
    Jan 24 at 20:56






  • 2





    @FreeMan: That's not always true. I once lived in a place with a detached garage with no service door or windows. There was a key lock on the face of the garage door. With the correct key inserted, you could pull out the lock's cylinder, which was attached by a metal cable to the manual door release. I had to use it once when the opener's motor died.

    – Dr Sheldon
    Jan 26 at 7:04
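An added sketch, not part of dwizum's answer or the comments above: it models the question's 256-code look-ahead window next to a receiver that also accepts two consecutive codes from a wider resync window, to show where the "hole" drawn tightly around the rolling-code part sits and how receiver-side resync bounds it. The HMAC code generator, the 4096-code resync window and all names are constructed assumptions, not any manufacturer's design.

```python
import hashlib
import hmac

OPEN_WINDOW = 256      # look-ahead size quoted in the question
RESYNC_WINDOW = 4096   # constructed value for the wider two-press resync window


def rolling_code(key: bytes, counter: int) -> bytes:
    """Constructed stand-in for a fob's generator: truncated HMAC of the counter."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    """Transmit-only device: every press consumes the next code, heard or not."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.key, self.counter)


class Receiver:
    def __init__(self, key: bytes, resync_window: int = RESYNC_WINDOW):
        self.key = key
        self.counter = 0      # counter of the last code that was accepted
        self.pending = None   # far-ahead counter waiting for its successor
        self.resync_window = max(resync_window, OPEN_WINDOW)

    def _offset_of(self, code: bytes):
        # Only counters ahead of the stored one are searched, so replays never match.
        for off in range(1, self.resync_window + 1):
            if hmac.compare_digest(code, rolling_code(self.key, self.counter + off)):
                return off
        return None

    def receive(self, code: bytes) -> str:
        off = self._offset_of(code)
        if off is None:
            self.pending = None
            return "rejected"
        n = self.counter + off
        if off <= OPEN_WINDOW:                      # normal case: a few lost presses
            self.counter, self.pending = n, None
            return "accepted"
        if self.pending is not None and n == self.pending + 1:
            self.counter, self.pending = n, None    # second consecutive far-ahead code
            return "resynced"
        self.pending = n                            # remember it, do not act yet
        return "press-again"


def simulate(lost_presses: int, resync_window: int = RESYNC_WINDOW, in_range: int = 3):
    """Press the fob out of range `lost_presses` times, then `in_range` times near the car."""
    key = b"constructed-demo-key"
    fob, car = Fob(key), Receiver(key, resync_window)
    for _ in range(lost_presses):
        fob.press()
    return [car.receive(fob.press()) for _ in range(in_range)]


def replay_is_rejected() -> bool:
    """A code that was already accepted must not work a second time."""
    key = b"constructed-demo-key"
    fob, car = Fob(key), Receiver(key)
    captured = fob.press()
    return car.receive(captured) == "accepted" and car.receive(captured) == "rejected"


if __name__ == "__main__":
    print("look-ahead only, 300 lost:", simulate(300, resync_window=OPEN_WINDOW))
    print("with resync, 300 lost:    ", simulate(300))
    print("with resync, 5000 lost:   ", simulate(5000))
```

A fob pushed past the resync window is still rejected outright, which is the case the answer's re-sync procedures and physical backups cover.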
















