Does pressing a car remote many times offer denial of service attack for rolling codes?
My understanding of remote car key fobs, and similar security devices with rolling codes, is that the key device is a transmitter that, each time the button is pressed, sends the next secret in a known sequence that is unique to the key. It does not contain a receiver.
Meanwhile, the receiver in the car tracks (for each key fob it recognises) what it expects the next secret to be, and only unlocks if it receives the correct code.
There is a risk that a transmission may be lost - e.g. the button pressed when out of range - so the receiver actually accepts any of the next few secrets in the sequence. I have heard of one system that allowed a window of up to 256, but I don't know if that number is correct and whether it is typical.
If my understanding is correct, it is possible to render a key fob useless (i.e. perform a denial of service attack on the owner) by pressing the button at least 256 times while out of the range of the car.
This obviously relies on access to the key fob, but not when the car is close - which is a time the user may be less vigilant.
So, if a friend gets drunk in a pub, I can make sure they can't drive home by rapidly pressing their car remote 300 times while they are in the bathroom.
It has always bothered me that such an attack is possible, and yet I have never heard of anyone performing it, which makes me doubt that I have understood this completely.
Tags: wireless, locks, vehicle
31
A) You don't need the key fob to work to drive home. They contain back-up physical keys. B) If you want to prank your friend by disabling their key fob, wouldn't it be easier to just take the battery out and pocket it, rather than to push the button 300 times?
– Xander
Jan 23 at 13:11
5
@Xander: It's been a while since I thought about it, but I believe my aftermarket alarm includes an immobiliser that requires the fob to deactivate. The physical car key isn't enough. Ironically, I keep a spare battery and jeweller's screwdriver in my glovebox and don't know the reset sequence in ThoriumBR's answer, so I am not typical.
– Oddthinking
Jan 23 at 13:24
47
Let's be clear. Crushing the remote under your heel would also be a denial of service, but this is really more about understanding the weaknesses than actually attacking effectively.
– Oddthinking
Jan 23 at 13:26
23
You guys need to read your owner's manuals. I guarantee there's a way to start it with a "dead" fob. Sometimes, there's a backup manual key that you need to remove by popping open the fob, and a matching keyhole under a trim cover on the steering column. Other times, there's a passive RFID tag inside the fob, totally separate from the active electronics, which is read when pressed against an indicated spot on the steering column - and a separate manual key just for opening doors. No car manufacturer would make a car that could be rendered useless by a dead fob; they'd be ridiculed out of business.
– dwizum
Jan 23 at 18:38
7
Note also that newer cars are likely to use challenge-response type of authentication instead of a simple rolling code. This involves bidirectional communication between key and car, so the key knows if the car is not receiving.
– jpa
Jan 23 at 19:41
asked Jan 23 at 12:56 by Oddthinking
3 Answers
it is possible to render a key fob useless by pressing the button at least 256 times while out of the range of the car.
Not useless, but desynchronized. Any car will allow you to re-synchronize, and one example of a typical procedure is:
Turn the ignition key on and off eight times in less than 10 seconds. This tells the security system in the car to switch over to programming mode.
Press a button on all of the transmitters you want the car to recognize. Most cars allow at least four transmitters.
Switch the ignition off.
yet I have never heard of anyone performing it
You don't have any 3-year-olds around?
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
Three-year-olds can be dangerous, relentless attackers, so take care with the physical security of your key fobs.
58
Perfect. With that anecdote, this becomes a great answer.
– Oddthinking
Jan 23 at 15:08
11
How can you turn the car on and off eight times if your key fob is desynchronized?
– stannius
Jan 23 at 16:53
32
@stannius by opening the door using the real key, instead of remotely.
– hobbs
Jan 23 at 17:08
10
Oh, the rolling codes are just for opening the doors, and keyless start systems use a transponder, which isn't subject to the same hypothetical DOS attack.
– stannius
Jan 23 at 17:10
45
I think saying "any car" and "typical procedure" is a bit generous. There are many ways to have a car learn a new key fob or synchronize an old one. Some can be done on your own, and some require regulated dealer-level equipment. I think the only thing you can say is here is one such procedure for one certain model of car (some date range of Ford cars in this case).
– JPhi1618
Jan 23 at 21:03
A typical rolling code fob from a decade ago which used a 64-bit payload would unlock if it received one code that was within 16 of what it was expecting, or two consecutive codes that were within 32768 of what it was expecting and adjacent to each other. Pushing the button 32768 times would cause a fob to become sufficiently desynchronized as to be useless, but only if the battery lasted that long.
As payload sizes have increased, the need to have a tight window has decreased. The bigger problem with rolling codes is that they have no immunity against passive relay or jam-and-replay attacks. If someone uses the same key fob button to operate two garages, someone who receives the code sent at one garage can relay it to someone at the other garage, who can use it any time before the original owner next uses his fob. Someone who puts a jammer near a receiver and has their own receiver nearer a person's key fob could capture a few transmissions while preventing the receiver from hearing them, and then transmit the first code they receive. The person with the key fob may be annoyed at how unreliable it seems to be, but would be unlikely to perceive anything wrong. Unless he uses his fob again when it isn't jammed, however, the crooks would have a second code that they could use at their leisure.
4
I don't think the second paragraph is relevant, but the first has very relevant information not found in the accepted answer. It would be even better if you could expand on that to include the margins of a typical fob today with the larger payload size.
– ArrowCase
Jan 23 at 19:37
6
@ArrowCase, I too would like to see more information on modern margins, but the second paragraph is still excellent even though not directly an answer to the question. I'm glad it's there.
– Wildcard
Jan 23 at 20:58
15
@Wildcard: Among other things, the second paragraph is intended to help put the described attack in perspective. Security design requires weighing the cost of guarding against various attacks with the risks posed thereby, and accepting the possibility of attacks that aren't guarded against. Rolling codes accept certain vulnerabilities to facilitate low-cost implementation, and while the DOS attack is a vulnerability it is minor compared to far more serious ones which--unlike the DOS attack--don't require that attackers have unfettered access to the fob.
– supercat
Jan 23 at 21:56
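Added example (not code from the question or from any answer): a small Python model of the counter-window logic that the question describes and that supercat's answer quantifies. It assumes plain counter values standing in for the encrypted codes a real fob transmits, the two windows from supercat's answer (a single code within 16 of the expected counter, or two adjacent codes within 32768), and a variant with the question's hypothetical 256-code window and no two-code resync rule. No vendor's actual algorithm is modelled; the point is to see where "desynchronized but recoverable" turns into "useless".

```python
"""Toy model of a rolling-code receiver's acceptance window.

Constructed example: the counter values below stand in for the encrypted codes a real fob
transmits, and the window sizes (16 and 32768) are the ones quoted in supercat's answer.
No vendor's actual algorithm is modelled.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Fob:
    """Transmit-only key fob: every press advances the counter, heard or not."""
    counter: int = 0

    def press(self) -> int:
        self.counter += 1
        return self.counter


@dataclass
class Receiver:
    """Car side: remembers the next counter it expects and a bounded look-ahead window."""
    expected: int = 1
    single_window: int = 16      # one code this far ahead is accepted outright
    resync_window: int = 32768   # two adjacent codes this far ahead re-synchronize
    last_rejected: Optional[int] = None

    def receive(self, code: int) -> bool:
        ahead = code - self.expected
        if ahead < 0:
            # Old or replayed code: reject and forget any pending resync candidate.
            self.last_rejected = None
            return False
        if ahead < self.single_window:
            self._accept(code)
            return True
        if ahead < self.resync_window and self.last_rejected == code - 1:
            # Second of two consecutive codes inside the wide window: resynchronize.
            self._accept(code)
            return True
        # Too far ahead on its own; remember it in case the next code is adjacent.
        self.last_rejected = code
        return False

    def _accept(self, code: int) -> None:
        self.expected = code + 1
        self.last_rejected = None


def desync_scenario(presses_out_of_range: int, single_window: int = 16,
                    resync_window: int = 32768) -> Tuple[bool, bool]:
    """Press the fob N times where the car cannot hear it, then try twice in range.

    Returns (first in-range press accepted, second in-range press accepted).
    """
    fob = Fob()
    car = Receiver(single_window=single_window, resync_window=resync_window)
    if not car.receive(fob.press()):
        raise RuntimeError("fob and car should start in sync")
    for _ in range(presses_out_of_range):
        fob.press()                      # transmitted into the void
    first = car.receive(fob.press())
    second = car.receive(fob.press())
    return first, second


def replay_rejected() -> bool:
    """A code the car has already accepted is below the window and must fail."""
    fob, car = Fob(), Receiver()
    code = fob.press()
    car.receive(code)
    return not car.receive(code)


if __name__ == "__main__":
    for n in (10, 300, 40_000):
        print(f"{n:>6} unheard presses, 16/32768 windows:", desync_scenario(n))
    # The question's hypothetical: a 256-code window with no two-code resync rule.
    for n in (200, 300):
        print(f"{n:>6} unheard presses, 256-only window:",
              desync_scenario(n, single_window=256, resync_window=0))
    print("replayed code rejected:", replay_rejected())
```

With the 16/32768 windows, 300 unheard presses produce one failed press followed by a successful one (the two-code rule resynchronizes the car), which matches the "annoying but recoverable" picture in the answers; only past 32768 presses does the fob become useless. With the question's 256-only window, anything beyond 256 presses locks the fob out until the car is re-paired.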
The problem with the attack as you're describing it is that it's glossing over a lot of details about how keyless entry and start systems work, and details about built-in backup systems, some of which have been covered in comments on the question and other answers.
First, let's cover getting into the vehicle: In other words: could the attack described in the question function as denial of service in the sense that it would stop you from entering the vehicle?
- Manufacturers of automobiles understand that active electronics are prone to faults, and hence they design workarounds. For instance, key fobs provided for remote or hands-free unlocking of doors typically include a backup physical key, which can be used in a backup keyhole in the door to open the vehicle if it is locked. So, an attack designed to disable the rolling code process of authenticating the key would not stop someone in possession of the key fob from getting into the vehicle.
- Further, some keyless hands-free transponders (ie the variety that unlock the door when you touch the door handle) work on bidirectional communication, so once again a rolling-code-disabling attack wouldn't stop you from entering the vehicle.
Now, let's cover starting it once you're inside: Could the attack stop you from starting and driving the vehicle once you were inside?
- Vehicles with keyless start (ie a "push to start" button) work with bidirectional transponders, not rolling codes - the starting sequence includes two-way communication between the vehicle and key. So, an attack designed to disrupt rolling code generation would not stop someone in possession of a functional key fob from starting the vehicle once they were inside it.
- Further, vehicles with keyless start typically include a passive starting mechanism, designed to allow you to drive the vehicle in the event that the active electronics in the fob have been disabled (for instance, if the battery dies). These systems are typically meant to be "idiot proof" and not involve complicated procedures - typically, you hold the fob itself against the start button, or you hold the fob against a designated spot on the steering column (both of which nicely mimic the old-fashioned method of using a physical key), or the backup physical key you use to enter the vehicle also works in a hidden keyhole on the steering column. So - once again, even if the active electronics are disabled in the fob, as long as you have the fob, you can still start and drive the vehicle.
- Cars with fobs always have procedures to re-sync a new (or disabled) fob to the vehicle. These procedures are designed to allow an owner to sync a replacement fob, ie in the event that their original fob(s) have been destroyed or lost. Sometimes, these procedures are complicated, and sometimes they require some sort of backup authentication mechanism - ie you need to have another working fob, or you need one of the built-in backup keys from a working fob, or you need a brand-specific diagnostics tool plugged into the vehicle. This makes things inconvenient for sure, but as a last backup against the above-mentioned points, it would still let you operate the vehicle if all else failed, and you remained in possession of a fob that had somehow been un-synced from the vehicle.
So - in summary - if the premise of the question is,
Can I perform a denial of service attack - ie, prevent someone from using a vehicle - with an attack designed to disable the rolling code feature potentially used by the fob to authenticate with the vehicle?
The answer is pretty much no: that won't be an effective denial of service attack.
If, instead, the question was,
Can I make it annoying or difficult to use a car by disabling the rolling code feature in the key fob?
The answer is probably yes although this is somewhat subjective. If you have a friend who isn't very "aware" of how their vehicle works, and doesn't understand the backup features, and is out of their wits because they've been drinking, then yes - this would probably be an effective denial of service attack. But so would removing the battery from the fob, which is probably easier and quicker than button-mashing a few hundred or thousand times. And it's definitely easier and quicker to just take their keys.
As a final footnote, if the question was meant to include aftermarket alarms/security systems installed on vehicles, I think it's safe to say all bets are off since there have been a variety of such systems over the years that work (or don't) in all kinds of different ways - some of which are just as destructive as poorly designed antivirus software, in the sense that they cause loss of use just as much as they prevent a perceived problem.
If the question was meant to include garage door systems, then - yes - it will basically work, at least against older, simpler systems that had a button-mash potential that was reasonable (hundreds, versus tens of thousands). However, it would still likely only be an inconvenience, as most garage door systems also have backups - ie, the homeowner can enter through another door, make their way into the garage, and pull the manual release handle on the door's drive system, which decouples the opener from the door and allows the door to be opened by hand.
My garage doesn't have another door. One side wall is hard against the neighbours garage, the other side wall and the back wall are buried.
– Martin Bonner
Jan 24 at 16:17
5
@MartinBonner in most US jurisdictions, that violates building codes. My garage, which is L-shaped and has a "people" door at the top of the L and out of view of the "car" door, is borderline...
– FreeMan
Jan 24 at 20:00
2
But, I am not really trying to best attack my friends. I am trying to shore up an apparent hole in my academic understanding of rolling codes. So, my question was really "Does this theoretical weakness exist (which might then require alternative processes to overcome)?" which you seem to acknowledge in passing is the case.
– Oddthinking
Jan 24 at 20:53
1
I think this is a matter of where you draw the circles around the border of the "system". If you draw it tightly around the rolling codes part of the remote, there is a hole. If you draw it more loosely around the whole physical key/backup fob/resynch process/crawling through garage windows system, there is no hole.
– Oddthinking
Jan 24 at 20:56
2
@FreeMan: That's not always true. I once lived in a place with a detached garage with no service door or windows. There was a key lock on the face of the garage door. With the correct key inserted, you could pull out the lock's cylinder, which was attached by a metal cable to the manual door release. I had to use it once when the opener's motor died.
– Dr Sheldon
Jan 26 at 7:04
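Added example (not code from any answer or comment, and not any manufacturer's protocol): a toy model of the bidirectional challenge-response exchange that jpa's comment and dwizum's answer say keyless-start transponders use instead of a rolling counter. It assumes a shared 32-byte secret, a random 16-byte challenge from the vehicle and an HMAC-SHA256 response from the key; the secret value and the "unheard activity" stand-in are constructed for the demo. The point it shows is why button-mashing has nothing to desynchronize here: the key holds no counter, and each response is bound to a fresh challenge.

```python
"""Toy challenge-response immobiliser exchange, for contrast with a rolling-code counter.

Constructed example, not any manufacturer's protocol: a shared 32-byte secret, a random
16-byte challenge from the vehicle, and an HMAC-SHA256 response from the key.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed shared secret; a real one lives in the transponder and the immobiliser ECU.
DEMO_KEY = bytes(range(32))


class Transponder:
    """Key side. Holds only the secret: no counter, so there is nothing to desynchronize."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Vehicle:
    """Car side. Issues a fresh random challenge per attempt and checks one response against it."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None                       # each challenge is answered at most once
        return hmac.compare_digest(expected, response)


def start_attempt(car: Vehicle, key: Transponder) -> bool:
    """One full exchange: car -> challenge, key -> response, car -> verdict."""
    return car.verify(key.respond(car.challenge()))


def mashed_key_still_starts(unheard_activity: int = 10_000) -> bool:
    """Idle activity on the key changes no shared state, so the next real exchange succeeds."""
    car, key = Vehicle(DEMO_KEY), Transponder(DEMO_KEY)
    for _ in range(unheard_activity):
        key.respond(b"nobody is listening")        # constructed stand-in for pointless presses
    return start_attempt(car, key)


def replayed_response_rejected() -> bool:
    """A captured response is bound to its challenge and fails against the next one."""
    car, key = Vehicle(DEMO_KEY), Transponder(DEMO_KEY)
    captured = key.respond(car.challenge())
    if not car.verify(captured):
        return False
    car.challenge()                                # new attempt, new random challenge
    return not car.verify(captured)


def wrong_key_rejected() -> bool:
    """A transponder with a different secret cannot answer the challenge."""
    car = Vehicle(DEMO_KEY)
    return not start_attempt(car, Transponder(b"\x00" * 32))


if __name__ == "__main__":
    print("starts after 10000 unheard presses:", mashed_key_still_starts())
    print("replayed response rejected:", replayed_response_rejected())
    print("wrong key rejected:", wrong_key_rejected())
```

Compare this with the rolling-code picture in the question: there the car must track where the fob's counter has got to, and the acceptance window is a compromise between tolerating unheard presses and limiting how far ahead an attacker may jump. Here no shared counter exists, so the DOS-by-button-mashing idea does not apply, which is the sense in which stannius and jpa say keyless start is not subject to it.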
edited Jan 28 at 15:36 by Dan Henderson
answered Jan 23 at 13:11 by ThoriumBR
58
Perfect. With that anecdote, this becomes a great answer.
– Oddthinking
Jan 23 at 15:08
11
How can you turn the car on and off eight times if your key fob is desynchronized?
– stannius
Jan 23 at 16:53
32
@stannius by opening the door using the real key, instead of remotely.
– hobbs
Jan 23 at 17:08
10
Oh, the rolling codes are just for opening the doors, and keyless start systems use a transponder, which isn't subject to the same hypothetical DOS attack.
– stannius
Jan 23 at 17:10
45
I think saying "any car" and "typical procedure" is a bit generous. There are many ways to have a car learn a new key fob or synchronize an old one. Some can be done on your own, and some require regulated dealer-level equipment. I think the only thing you can say is here is one such procedure for one certain model of car (some date range of Ford cars in this case).
– JPhi1618
Jan 23 at 21:03
A typical rolling code fob from a decade ago which used a 64-bit payload would unlock if it received one code that was within 16 of what it was expecting, or two consecutive codes that were within 32768 of what it was expecting and adjacent to each other. Pushing the button 32768 times would cause a fob to become sufficiently desynchronized as to be useless, but only if the battery lasted that long.
As payload sizes have increased, the need to have a tight window has decreased. The bigger problem with rolling codes is that they have no immunity against passive relay or jam-and-replay attacks. If someone uses the same key fob button to operate two garages, someone who receives the code sent at one garage could relay it to someone at the other garage, who could use it any time before the original owner next uses his fob. Someone who puts a jammer near a receiver and has their own receiver nearer a person's key fob could capture a few transmissions while preventing the receiver from hearing them, and then transmit the first code they receive. The person with the key fob may be annoyed at how unreliable it seems to be, but would be unlikely to perceive anything wrong. Unless he uses his fob again when it isn't jammed, however, the crooks would have a second code that they could use at their leisure.
answered Jan 23 at 17:51 by supercat
4
I don't think the second paragraph is relevant, but the first has very relevant information not found in the accepted answer. It would be even better if you could expand on that to include the margins of a typical fob today with the larger payload size.
– ArrowCase
Jan 23 at 19:37
6
@ArrowCase, I too would like to see more information on modern margins, but the second paragraph is still excellent even though not directly an answer to the question. I'm glad it's there.
– Wildcard
Jan 23 at 20:58
15
@Wildcard: Among other things, the second paragraph is intended to help put the described attack in perspective. Security design requires weighing the cost of guarding against various attacks with the risks posed thereby, and accepting the possibility of attacks that aren't guarded against. Rolling codes accept certain vulnerabilities to facilitate low-cost implementation, and while the DOS attack is a vulnerability it is minor compared to far more serious ones which--unlike the DOS attack--don't require that attackers have unfettered access to the fob.
– supercat
Jan 23 at 21:56
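The acceptance rule this answer describes (one code within 16 of the expected counter, or two adjacent codes within 32768 of it), modelled as an added Python example that is not code from the answer or from any real fob; the 32-bit counter width, the inclusive window boundaries and the rejection of codes behind the expected counter are assumptions:

```python
# Added model of a rolling-code receiver's acceptance window, as described in
# supercat's answer. Not code from the answer or from any real fob.
# Assumptions: a 32-bit counter inside the 64-bit payload, inclusive window
# boundaries, and that a counter behind the expected value (an already-used
# code) is rejected.

SINGLE_WINDOW = 16       # one code this close to the expected counter is enough
RESYNC_WINDOW = 32768    # two adjacent codes this close resynchronise the receiver
COUNTER_BITS = 32        # assumed counter width
COUNTER_MOD = 1 << COUNTER_BITS


class Fob:
    """Transmit-only remote: every press emits the next counter value."""

    def __init__(self, counter: int = 0) -> None:
        self.counter = counter

    def press(self) -> int:
        code = self.counter
        self.counter = (code + 1) % COUNTER_MOD
        return code


class Receiver:
    """Tracks the next counter value expected from a single paired fob."""

    def __init__(self, expected: int = 0) -> None:
        self.expected = expected
        self.pending = None  # last out-of-window code, kept for a possible resync pair

    def _ahead_by(self, counter: int) -> int:
        # Forward distance from the expected counter. A code that is behind
        # (already used) wraps to a huge forward distance and is rejected.
        return (counter - self.expected) % COUNTER_MOD

    def receive(self, counter: int) -> bool:
        d = self._ahead_by(counter)
        if d <= SINGLE_WINDOW:
            # Normal case: the fob is at most a few lost presses ahead of us.
            self.expected = (counter + 1) % COUNTER_MOD
            self.pending = None
            return True
        if d <= RESYNC_WINDOW:
            # Possible resync: accept only when this code immediately follows the
            # previous out-of-window code, i.e. a live fob sent two in a row.
            if self.pending is not None and counter == (self.pending + 1) % COUNTER_MOD:
                self.expected = (counter + 1) % COUNTER_MOD
                self.pending = None
                return True
            self.pending = counter
            return False
        # Beyond the resync window (or behind the expected value): reject outright.
        self.pending = None
        return False


def simulate(presses_out_of_range: int) -> dict:
    """Press the fob N times where the car cannot hear it, then press it twice
    at the car. Reports whether the fob still works, needs the two-press
    resync, or is desynchronised beyond recovery."""
    fob, car = Fob(), Receiver()
    for _ in range(presses_out_of_range):
        fob.press()  # transmissions the receiver never sees
    first = car.receive(fob.press())
    second = car.receive(fob.press())
    return {
        "first_press_ok": first,
        "resynced_on_second_press": not first and second,
        "useless": not first and not second,
    }


if __name__ == "__main__":
    for n in (0, 5, 256, 32767, 32768):
        print(n, simulate(n))
```

Under these assumptions, the 256 out-of-range presses from the question only force the two-press resync, while 32768 leave the fob desynchronised, matching the answer's figure.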
The problem with the attack as you're describing it is that it's glossing over a lot of details about how keyless entry and start systems work, and details about built-in backup systems, some of which have been covered in comments on the question and other answers.
First, let's cover getting into the vehicle: In other words: could the attack described in the question function as denial of service in the sense that it would stop you from entering the vehicle?
- Manufacturers of automobiles understand that active electronics are prone to faults, and hence they design workarounds. For instance, key fobs provided for remote or hands-free unlocking of doors typically include a backup physical key, which can be used in a backup keyhole in the door to open the vehicle if it is locked. So, an attack designed to disable the rolling code process of authenticating the key would not stop someone in possession of the key fob from getting into the vehicle.
- Further, some keyless hands-free transponders (ie the variety that unlock the door when you touch the door handle) work on bidirectional communication, so once again a rolling-code-disabling attack wouldn't stop you from entering the vehicle.
Now, let's cover starting it once you're inside: Could the attack stop you from starting and driving the vehicle once you were inside?
- Vehicles with keyless start (ie a "push to start" button) work with bidirectional transponders, not rolling codes - the starting sequence includes two-way communication between the vehicle and key. So, an attack designed to disrupt rolling code generation would not stop someone in possession of a functional key fob from starting the vehicle once they were inside it.
- Further, vehicles with keyless start typically include a passive starting mechanism, designed to allow you to drive the vehicle in the event that the active electronics in the fob have been disabled (for instance, if the battery dies). These systems are typically meant to be "idiot proof" and not involve complicated procedures - typically, you hold the fob itself against the start button, or you hold the fob against a designated spot on the steering column (both of which nicely mimic the old-fashioned method of using a physical key), or the backup physical key you use to enter the vehicle also works in a hidden keyhole on the steering column. So - once again, even if the active electronics are disabled in the fob, as long as you have the fob, you can still start and drive the vehicle.
- Cars with fobs always have procedures to re-sync a new (or disabled) fob to the vehicle. These procedures are designed to allow an owner to sync a replacement fob, ie in the event that their original fob(s) have been destroyed or lost. Sometimes, these procedures are complicated, and sometimes they require some sort of backup authentication mechanism - ie you need to have another working fob, or you need one of the built-in backup keys from a working fob, or you need a brand-specific diagnostics tool plugged into the vehicle. This makes things inconvenient for sure, but as a last backup against the above-mentioned points, it would still let you operate the vehicle if all else failed, and you remained in possession of a fob that had somehow been un-synced from the vehicle.
So - in summary - if the premise of the question is,
Can I perform a denial of service attack - ie, prevent someone from using a vehicle - with an attack designed to disable the rolling code feature potentially used by the fob to authenticate with the vehicle?
The answer is pretty much no, that won't be an effective denial of service attack.
If, instead, the question was,
Can I make it annoying or difficult to use a car by disabling the rolling code feature in the key fob?
The answer is probably yes, although this is somewhat subjective. If you have a friend who isn't very "aware" of how their vehicle works, and doesn't understand the backup features, and is out of their wits because they've been drinking, then yes - this would probably be an effective denial of service attack. But so would removing the battery from the fob, which is probably easier and quicker than button-mashing a few hundred or thousand times. And it's definitely easier and quicker to just take their keys.
As a final footnote, if the question was meant to include aftermarket alarms/security systems installed on vehicles, I think it's safe to say all bets are off since there have been a variety of such systems over the years that work (or don't) in all kinds of different ways - some of which are just as destructive as poorly designed antivirus software, in the sense that they cause loss of use just as much as they prevent a perceived problem.
If the question was meant to include garage door systems, then - yes - it will basically work, at least against older, simpler systems that had a button-mash potential that was reasonable (hundreds, versus tens of thousands). However, it would still likely only be an inconvenience, as most garage door systems also have backups - ie, the homeowner can enter through another door, make their way into the garage, and pull the manual release handle on the door's drive system, which decouples the opener from the door and allows the door to be opened by hand.
My garage doesn't have another door. One side wall is hard against the neighbours garage, the other side wall and the back wall are buried.
– Martin Bonner
Jan 24 at 16:17
5
@MartinBonner in most US jurisdictions, that violates building codes. My garage, which is L shaped and has a "people" door at the top L and out of view of the "car" door is borderline...
– FreeMan
Jan 24 at 20:00
2
But, I am not really trying to best attack my friends. I am trying to shore up an apparent hole in my academic understanding of rolling codes. So, my question was really "Does this theoretical weakness exist (which might then require alternative processes to overcome)?" which you seem to acknowledge in passing is the case.
– Oddthinking
Jan 24 at 20:53
1
I think this is a matter of where you draw the circles around the border of the "system". If you draw it tightly around the rolling codes part of the remote, there is a hole. If you draw it more loosely around the whole physical key/backup fob/resynch process/crawling through garage windows system, there is no hole.
– Oddthinking
Jan 24 at 20:56
2
@FreeMan: That's not always true. I once lived in a place with a detached garage with no service door or windows. There was a key lock on the face of the garage door. With the correct key inserted, you could pull out the lock's cylinder, which was attached by a metal cable to the manual door release. I had to use it once when the opener's motor died.
– Dr Sheldon
Jan 26 at 7:04
|
show 3 more comments
The problem with the attack as you're describing it is that it's glossing over a lot of details about how keyless entry and start systems work, and details about built-in backup systems, some of which have been covered in comments on the question and other answers.
First, let's cover getting into the vehicle: In other words: could the attack described in the question function as denial of service in the sense that it would stop you from entering the vehicle?
- Manufacturers of automobiles understand that active electronics are prone to faults, and hence they design workarounds. For instance, key fobs provided for remote or hands-free unlocking of doors typically include a backup physical key, which can be used in a backup keyhole in the door to open the vehicle if it is locked. So, an attack designed to disable the rolling code process of authenticating the key would not stop someone in possession of the key fob from getting into the vehicle.
- Further, some keyless hands-free transponders (ie the variety that unlock the door when you touch the door handle) work on bidirectional communication, so once again a rolling-code-disabling attack wouldn't stop you from entering the vehicle.
Now, let's cover starting it once you're inside: Could the attack stop you from starting and driving the vehicle once you were inside?
- Vehicles with keyless start (ie a "push to start" button) work with bidirectional transponders, not rolling codes - the starting sequence includes two-way communication between the vehicle and key. So, an attack designed to disrupt rolling code generation would not stop someone in possession of a functional key fob from starting the vehicle once they were inside it.
- Further, vehicles with keyless start typically include a passive starting mechanism, designed to allow you to drive the vehicle in the event that the active electronics in the fob have been disabled. (for instance, if the battery dies). These systems are typically meant to be "idiot proof" and not involve complicated procedures - typically, you hold the fob itself against the start button, or you hold the fob against a designated spot on the steering column (both of which which nicely mimic the old-fashioned method of using a physical key), or the backup physical key you use to enter the vehicle also works in a hidden keyhole on the steering column. So - once again, even if the active electronics are disabled in the fob, as long as you have the fob, you can still start and drive the vehicle.
- Cars with fobs always have procedures to re-sync a new (or disabled) fob to the vehicle. These procedures are designed to allow an owner to sync a replacement fob, ie in the event that their original fob(s) have been destroyed or lost. Sometimes, these procedures are complicated, and sometimes they require some sort of backup authentication mechanism - ie you need to have another working fob, or you need one of the built-in backup keys from a working fob, or you need a brand-specific diagnostics tool plugged into the vehicle. This makes things inconvenient for sure, but as a last backup against the above-mentioned points, it would still let you operate the vehicle if all else failed, and you remained in possession of a fob that had somehow been un-synced from the vehicle.
So - in summary - if the premise of the question is,
Can I perform a denial of service attack - ie, prevent someone from using a vehicle - with an attack designed to disable the rolling code feature potentially used by the fob to authenticate with the vehicle?
The answer is pretty much no that won't be an effective denial of service attack.
If, instead, the question was,
Can I make it annoying or difficult to use a car by disabling the rolling code feature in the key fob?
The answer is probably yes although this is somewhat subjective. If you have a friend who isn't very "aware" of how their vehicle works, and doesn't understand the backup features, and is out of their wits because they've been drinking, then yes - this would probably be an effective denial of service attack. But so would removing the battery from the fob, which is probably easier and quicker than button-mashing a few hundred or thousand times. And it's definitely easier and quicker to just take their keys.
As a final footnote, if the question was meant to include aftermarket alarms/security systems installed on vehicles, I think it's safe to say all bets are off since there have been a variety of such systems over the years that work (or don't) in all kinds of different ways - some of which are just as destructive as poorly designed antivirus software, in the sense that they cause loss of use just as much as they prevent a perceived problem.
If the question was meant to include garage door systems, then - yes - it will basically work, at least against older, simpler systems that had a button-mash potential that was reasonable (hundreds, versus tens of thousands). However, it would still likely only be an inconvenience, as most garage door systems also have backups - ie, the homeowner can enter through another door, make their way into the garage, and pull the manual release handle on the door's drive system, which decouples the opener from the door and allows the door to be opened by hand.
My garage doesn't have another door. One side wall is hard against the neighbours garage, the other side wall and the back wall are buried.
– Martin Bonner
Jan 24 at 16:17
5
@MartinBonner in most US jurisdictions, that violates building codes. My garage, which is L shaped and has a "people" door at the top L and out of view of the "car" door is borderline...
– FreeMan
Jan 24 at 20:00
2
But, I am not really trying to best attack my friends. I am trying to shore up an apparent hole in my academic understanding of rolling codes. So, my question was really "Does this theoretical weakness exist (which might then require alternative processes to overcome)?" which you seem to acknowledge in passing is the case.
– Oddthinking
Jan 24 at 20:53
1
I think this is a matter of where you draw the circles around the border of the "system". If you draw it tightly around the rolling codes part of the remote, there is a hole. If you draw it more loosely around the whole physical key/backup fob/resynch process/crawling through garage windows system, there is no hole.
– Oddthinking
Jan 24 at 20:56
2
@FreeMan: That's not always true. I once lived in a place with a detached garage with no service door or windows. There was a key lock on the face of the garage door. With the correct key inserted, you could pull out the lock's cylinder, which was attached by a metal cable to the manual door release. I had to use it once when the opener's motor died.
– Dr Sheldon
Jan 26 at 7:04
|
show 3 more comments
The problem with the attack as you're describing it is that it's glossing over a lot of details about how keyless entry and start systems work, and details about built-in backup systems, some of which have been covered in comments on the question and other answers.
First, let's cover getting into the vehicle: In other words: could the attack described in the question function as denial of service in the sense that it would stop you from entering the vehicle?
- Manufacturers of automobiles understand that active electronics are prone to faults, and hence they design workarounds. For instance, key fobs provided for remote or hands-free unlocking of doors typically include a backup physical key, which can be used in a backup keyhole in the door to open the vehicle if it is locked. So, an attack designed to disable the rolling code process of authenticating the key would not stop someone in possession of the key fob from getting into the vehicle.
- Further, some keyless hands-free transponders (ie the variety that unlock the door when you touch the door handle) work on bidirectional communication, so once again a rolling-code-disabling attack wouldn't stop you from entering the vehicle.
Now, let's cover starting it once you're inside: Could the attack stop you from starting and driving the vehicle once you were inside?
- Vehicles with keyless start (ie a "push to start" button) work with bidirectional transponders, not rolling codes - the starting sequence includes two-way communication between the vehicle and key. So, an attack designed to disrupt rolling code generation would not stop someone in possession of a functional key fob from starting the vehicle once they were inside it.
- Further, vehicles with keyless start typically include a passive starting mechanism, designed to allow you to drive the vehicle in the event that the active electronics in the fob have been disabled (for instance, if the battery dies). These systems are typically meant to be "idiot proof" and not involve complicated procedures - typically, you hold the fob itself against the start button, or you hold the fob against a designated spot on the steering column (both of which nicely mimic the old-fashioned method of using a physical key), or the backup physical key you use to enter the vehicle also works in a hidden keyhole on the steering column. So - once again, even if the active electronics are disabled in the fob, as long as you have the fob, you can still start and drive the vehicle.
- Cars with fobs always have procedures to re-sync a new (or disabled) fob to the vehicle. These procedures are designed to allow an owner to sync a replacement fob, ie in the event that their original fob(s) have been destroyed or lost. Sometimes, these procedures are complicated, and sometimes they require some sort of backup authentication mechanism - ie you need to have another working fob, or you need one of the built-in backup keys from a working fob, or you need a brand-specific diagnostics tool plugged into the vehicle. This makes things inconvenient for sure, but as a last backup against the above-mentioned points, it would still let you operate the vehicle if all else failed, and you remained in possession of a fob that had somehow been un-synced from the vehicle.
So - in summary - if the premise of the question is,
Can I perform a denial of service attack - ie, prevent someone from using a vehicle - with an attack designed to disable the rolling code feature potentially used by the fob to authenticate with the vehicle?
The answer is pretty much no, that won't be an effective denial of service attack.
If, instead, the question was,
Can I make it annoying or difficult to use a car by disabling the rolling code feature in the key fob?
The answer is probably yes, although this is somewhat subjective. If you have a friend who isn't very "aware" of how their vehicle works, and doesn't understand the backup features, and is out of their wits because they've been drinking, then yes - this would probably be an effective denial of service attack. But so would removing the battery from the fob, which is probably easier and quicker than button-mashing a few hundred or thousand times. And it's definitely easier and quicker to just take their keys.
As a final footnote, if the question was meant to include aftermarket alarms/security systems installed on vehicles, I think it's safe to say all bets are off since there have been a variety of such systems over the years that work (or don't) in all kinds of different ways - some of which are just as destructive as poorly designed antivirus software, in the sense that they cause loss of use just as much as they prevent a perceived problem.
If the question was meant to include garage door systems, then - yes - it will basically work, at least against older, simpler systems that had a button-mash potential that was reasonable (hundreds, versus tens of thousands). However, it would still likely only be an inconvenience, as most garage door systems also have backups - ie, the homeowner can enter through another door, make their way into the garage, and pull the manual release handle on the door's drive system, which decouples the opener from the door and allows the door to be opened by hand.
answered Jan 24 at 14:22
dwizum
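To make the mechanism the question and this answer are discussing concrete, here is an added simulation of a rolling-code receiver (it is example code written for this page, not any manufacturer's firmware and not code from the answer's author). It models a counter-based fob and a receiver with two acceptance windows: a small "single operation" window where one valid code is enough, and a larger resynchronisation window where the receiver demands two consecutive codes before it re-aligns its counter. Both window sizes (16 and 256), the serial number, the key, and the use of truncated HMAC-SHA256 in place of a proprietary cipher are constructed assumptions for illustration. The demo walks through the scenarios the thread raises: normal use, a fob pressed out of range a modest number of times (recovers on its own after two presses), a fob pressed hundreds of times (rejected until the owner re-pairs it, which is the "re-sync procedure" mentioned above), and a replayed old code (always rejected, since the counter never moves backwards).

```python
import hmac
import hashlib


def rolling_code(key: bytes, serial: int, counter: int) -> bytes:
    """Constructed code derivation: HMAC-SHA256 over serial||counter, truncated to 32 bits.
    Real fobs encrypt the counter with a proprietary block cipher; HMAC stands in for it here."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class Fob:
    """Transmit-only device: every button press advances the counter and emits the next code."""

    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self):
        self.counter += 1
        return self.serial, rolling_code(self.key, self.serial, self.counter)


class Receiver:
    SINGLE_WINDOW = 16   # assumed: one code within this lookahead is accepted outright
    RESYNC_WINDOW = 256  # assumed: beyond SINGLE_WINDOW, two consecutive codes are required

    def __init__(self):
        self.fobs = {}  # serial -> {"key", "last" (highest accepted counter), "pending"}

    def learn(self, serial: int, key: bytes, counter: int = 0):
        """Pairing / re-pairing procedure: the owner re-aligns the receiver with the fob."""
        self.fobs[serial] = {"key": key, "last": counter, "pending": None}

    def receive(self, serial: int, code: bytes) -> str:
        st = self.fobs.get(serial)
        if st is None:
            return "unknown"
        key, last = st["key"], st["last"]
        # A real receiver decrypts the counter; here we search the window, which is small.
        for n in range(last + 1, last + 1 + self.RESYNC_WINDOW):
            if hmac.compare_digest(rolling_code(key, serial, n), code):
                if n - last <= self.SINGLE_WINDOW:
                    st["last"], st["pending"] = n, None
                    return "accept"
                if st["pending"] == n - 1:  # second of two consecutive codes: re-align
                    st["last"], st["pending"] = n, None
                    return "accept-resync"
                st["pending"] = n            # first code seen in the resync window
                return "pending-resync"
        st["pending"] = None                 # old codes (n <= last) are never searched: replay fails
        return "reject"


def demo() -> dict:
    """Runs the scenarios from the thread and returns the receiver's verdict for each."""
    key = b"constructed-demo-key-not-a-real-one"  # constructed sample key
    serial = 0x1234                               # constructed sample serial
    car, fob = Receiver(), Fob(key, serial)
    car.learn(serial, key)
    out = {}
    out["normal"] = car.receive(*fob.press())
    for _ in range(20):                 # pressed out of range, past the single-operation window
        fob.press()
    out["after_20"] = car.receive(*fob.press())
    out["after_20_second"] = car.receive(*fob.press())
    for _ in range(300):                # pressed out of range, past the resync window too
        fob.press()
    out["after_300"] = car.receive(*fob.press())
    out["after_300_second"] = car.receive(*fob.press())
    car.learn(serial, key, counter=fob.counter)  # owner follows the manual's re-pairing steps
    out["relearned"] = car.receive(*fob.press())
    captured = fob.press()              # a code sniffed off the air and replayed later
    car.receive(*captured)
    out["replay"] = car.receive(*captured)
    return out


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:18s} {verdict}")
```

The point to take from the run is where the hole sits: a fob pressed past the single-operation window is only an inconvenience (two presses in range and it re-aligns), while a fob pressed past the resync window is dead to the receiver until the pairing procedure is repeated, exactly the boundary dwizum draws between "denial of service" and "annoying". The two-consecutive-codes rule is what keeps the wide resync window from becoming a replay or guessing weakness.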
My garage doesn't have another door. One side wall is hard against the neighbours garage, the other side wall and the back wall are buried.
– Martin Bonner
Jan 24 at 16:17
5
@MartinBonner in most US jurisdictions, that violates building codes. My garage, which is L shaped and has a "people" door at the top L and out of view of the "car" door is borderline...
– FreeMan
Jan 24 at 20:00
2
But, I am not really trying to best attack my friends. I am trying to shore up an apparent hole in my academic understanding of rolling codes. So, my question was really "Does this theoretical weakness exist (which might then require alternative processes to overcome)?" which you seem to acknowledge in passing is the case.
– Oddthinking
Jan 24 at 20:53
1
I think this is a matter of where you draw the circles around the border of the "system". If you draw it tightly around the rolling codes part of the remote, there is a hole. If you draw it more loosely around the whole physical key/backup fob/resynch process/crawling through garage windows system, there is no hole.
– Oddthinking
Jan 24 at 20:56
2
@FreeMan: That's not always true. I once lived in a place with a detached garage with no service door or windows. There was a key lock on the face of the garage door. With the correct key inserted, you could pull out the lock's cylinder, which was attached by a metal cable to the manual door release. I had to use it once when the opener's motor died.
– Dr Sheldon
Jan 26 at 7:04
31
A) You don't need the key fob to work to drive home. They contain back-up physical keys. B) If you want to prank your friend by disabling their key fob, wouldn't it be easier to just take the battery out and pocket it, rather than to push the button 300 times?
– Xander
Jan 23 at 13:11
5
@Xander: It's been a while since I thought about it, but I believe my aftermarket alarm includes an immobiliser that requires the fob to deactivate. The physical car key isn't enough. Ironically, I keep a spare battery and jeweller's screwdriver in my glovebox and don't know the reset sequence in ThoriumBR's answer, so I am not typical.
– Oddthinking
Jan 23 at 13:24
47
Let's be clear. Crushing the remote under your heel would also be a denial of service, but this is really more about understanding the weaknesses than actually attacking effectively.
– Oddthinking
Jan 23 at 13:26
23
You guys need to read your owner's manuals. I guarantee there's a way to start it with a "dead" fob. Sometimes, there's a backup manual key that you need to remove by popping open fob, and a matching keyhole under a trim cover on the steering column. Other times, there's a passive RFID tag inside the fob, totally separate from the active electronics, which is read when pressed against an indicated spot on the steering column - and a separate manual key just for opening doors. No car manufacturer would make a car that could be rendered useless by a dead fob, they'd be ridiculed out of business.
– dwizum
Jan 23 at 18:38
7
Note also that newer cars are likely to use challenge-response type of authentication instead of a simple rolling code. This involves bidirectional communication between key and car, so the key knows if the car is not receiving.
– jpa
Jan 23 at 19:41