Pierluigi Paganini
November 01, 2015
According to the CCTV footage, a Jaguar XFR parked in a parking lot in Auckland (New Zealand) was stolen with this technique. The video shows the thief that walks towards the car, opens the door and jump in.
According to the law enforcement, hacking devices like the one used in the theft are offered for sale on the Internet and could be easily configured to target specific car models using wireless systems.
In 2014, nearly 6000 cars have been stolen in London with this technique.
“This guy is a professional, it’s sophisticated. It’s something that has been organised. It’s not your everyday car theft.” said Mr Beacham, the manager of the dealership. “We never heard anything and only realised an hour later … that the car was missing.” “The CCTV shows him speeding off down Great South Rd in broad daylight.
Unfortunately, such kind of hack seems to very common, hackers are using devices that are designed to deceive the authentication process implemented by wireless car.
These devices act as a jamming device and are also able to capture legitimate signals sent by the owner of the vehicle when he tries to unlock the car.
To better understand how these devices work, let me introduce you the RollJam, a cheap device designed by the popular hacker Samy Kamkar, composed of a microcontroller and a battery. RollJam is capable unlocking any car or garage door, it is easy to use and costs under $30.
RollJam exploits security vulnerabilities in the wireless unlocking technology that is currently implemented by the majority of car manufacturers.
Keyless entry systems allow car owners to unlock the vehicle remotely within a range of 20 meters.
RollJam was designed to steal the secret codes, also known as Rolling Code, that is generated by Keyless entry systems when the car owner presses the unlock or lock button on his wireless key. The Rolling code is a one-time code randomly generated and sent over a radio frequency to the car when the car owner presses the button of its key fob.
When the Rolling code is used the car generates a new one to use for the next time.
How does RollJam work?
The principle is simple, when the car owner presses the key fob to unlock the car, RollJam used its radio frequency to block the signal and then records it.
The car will never receive the code and the car owner likely will press the button again. When the button is pressed the second time, the RollJam again jams the signal and record also this second code, meantime it reply to the challenge mechanism by providing the first code it intercepted, unlocking the car.
When the victim parks the vehicle in his/her car, you can use that stolen signal to unlock the car. “Because I jammed two signals,” Kamkar said, “I still have one that I can use in the future.”
The RollJam works on several cars, Kamkar discovered that the attack works against widely adopted chips, including the High-Security Rolling Code Generator made by National Semiconductor and the KeeLoq access control system from Microchip Technology.
Among the car makers vulnerable to the RollJam device there are Chrysler, Fiat, Honda, Toyota, Daewoo, GM, Volvo, Volkswagen Group, and Jaguar.
(Security Affairs – Car Hacking, Jaguar)
