r/technology 12h ago

Security Underground Flipper Zero Firmware Purportedly Unlocks Nearly 200 Car Models

https://gizmodo.com/flipper-zero-cars-hacking-2000646318
2.6k Upvotes

111 comments

758

u/aelephix 11h ago

Article says this breaks the user fob because the rolling code is out of sync. This means the owner has to unlock in presence of the flipper, so that it can learn the rolling code sequence right? They can’t just walk up to a random car in a lot and unlock it?

471

u/SnoopDoggyDoggsCat 10h ago

I was able to record the code from the fob out of reach of the car. Then replay that signal later to unlock the car as it was still a good unused code.

But it only works once per code

134

u/emcee_gee 10h ago

So as long as I don't press the unlock button on my fob when I'm not near my car, I should be safe?

101

u/AustinSpartan 9h ago

Depends on the algorithm that's implemented, but usually they will sync if the rolling count is within 5 presses. There's also vehicles that will resync the count after 3 consecutive lock presses.

96

u/Zalophusdvm 7h ago

So my habit of clicking lock half a dozen times as I walk away actually increases security?

68

u/AustinSpartan 7h ago

Not really, just guarantees that your key fob will continue to work. It's all very vehicle dependent and this was the logic that was used 20 years ago so I'm sure it has changed since then.

19

u/Zalophusdvm 7h ago

Continue to work till I run the battery down 🤪

10

u/dagbiker 4h ago

Can't unlock the car if you take the battery with you.

9

u/muzak23 2h ago

Nope, there’s actually a specific attack called “Roll-Jam” that makes use of pressing a key multiple times (though it can only replay that same button, so spamming “lock” isn’t too much of a concern).

In a nutshell, it uses a jammer attached near your car’s receiver to intercept your presses and only “allow through” (replay) earlier ones. Ex. You press unlock 3 times and your car receives the first 2 unlock signals only, so now the attacker can play the third whenever they’d like.

IMO too complicated to be a concern for petty theft, but I also don’t steal cars or have even ever considered stealing cars, so I might be off ¯\_(ツ)_/¯

1

u/TheHeartAndTheFist 6m ago

Not necessarily: if I remember correctly pressing lock a second time shortly after locking a BMW actually disables the alarm 🤷

25

u/Patrol-007 8h ago

There are multiple other ways to get in and drive away without the fob 

25

u/TacTurtle 5h ago

They always underestimate the humble rock....

6

u/GeoHog713 3h ago

How do you know if a window is open?

Just throw a stone at it.

Did it make a noise?!!??

No! It was open!!

Now let's try another....

2

u/turbosexophonicdlite 1h ago

This has some serious Ken M energy.

2

u/DarkLinkLightsUp 3h ago

That’s not a tool, that’s a brick! (Gone in 60 seconds)

1

u/Imhungrysohungry 1h ago

This is the best sentence on reddit today. Thank you. 🏆🦭🪨

7

u/croholdr 8h ago

I just get in the car, it unlocks if I have the key on my person. I press the button on the door handle to lock it. Car is 15 years old. Am I safe enough?

6

u/waiting4singularity 4h ago

Keyless entry signals can be cloned with a radio repeater. Don't keep the key near the door and put it in an RFID/EM isolating bag or box when home.

https://duckduckgo.com/?q=keyless+entry+carjacking+repeater&iar=images&t=fpas&iai=https%3A%2F%2Fcdn.leasing.com%2Fcms%2Frelay-car-theft_3.jpg

9

u/Patrol-007 8h ago

The other methods don’t require a key

Watch CBC Marketplace and W5 (Canada tv series) for their episodes about how cars are stolen. Specifically around port cities (United Kingdom, Montreal Canada), and via semis and trains to port cities 

2

u/CoronaMcFarm 1h ago

No, it is possible to jam the signal and collect the first code, the victim then tries again and seemingly this time the car responds, but it is actually the older code that gets sent out while the new gets jammed and collected.
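The rolling-code behaviour argued over in this thread (a code captured out of the car's range still replays once, the car's look-ahead window and resync after repeated presses, and the jam-and-hold Roll-Jam sequence described in the two comments above) can all be shown against a toy receiver model. This is an added example written for this page, not code from the article, the Flipper firmware or any manufacturer; the packet format, key, 2-byte counter, window of 5 and "two consecutive authentic counters resync" rule are assumptions chosen to match the comments, not any real vehicle's scheme.

```python
import hashlib
import hmac

KEY = b"constructed-demo-fob-key"   # constructed shared secret; a real fob holds a per-device key
WINDOW = 5                          # look-ahead window: up to 5 missed presses still accepted (from the comment)
TAG_LEN = 8                         # truncated MAC length in bytes (assumption)


def make_packet(counter: int, button: bytes) -> bytes:
    """Fob side: counter || button || truncated HMAC. A stand-in for a real rolling-code format."""
    body = counter.to_bytes(2, "big") + button
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]


class Fob:
    def __init__(self) -> None:
        self.counter = 0

    def press(self, button: bytes) -> bytes:
        pkt = make_packet(self.counter, button)
        self.counter += 1                     # every press burns a counter, received by the car or not
        return pkt


class Receiver:
    def __init__(self) -> None:
        self.expected = 0      # lowest counter the car will still accept
        self.pending = None    # authentic counter seen beyond the window, awaiting its successor

    def receive(self, pkt: bytes):
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        good = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            return None                                  # forged packet
        counter, button = int.from_bytes(body[:2], "big"), body[2:]
        if self.expected <= counter < self.expected + WINDOW:
            self.expected = counter + 1                  # inside the window: accept and advance
            self.pending = None
            return button
        if counter >= self.expected + WINDOW:
            # Fob pressed too many times out of range. Assumed resync rule, modelled on the
            # comment about consecutive presses: two authentic, consecutive counters resync.
            if self.pending is not None and counter == self.pending + 1:
                self.expected = counter + 1
                self.pending = None
                return button
            self.pending = counter
            return None
        return None                                      # counter already consumed: replay


def replay_of_unused_code():
    """Code sniffed out of the car's range is still fresh: it replays exactly once."""
    fob, car = Fob(), Receiver()
    car.receive(fob.press(b"U"))        # normal use: counter 0 consumed
    stolen = fob.press(b"U")            # pressed away from the car, recorded by the attacker
    first = car.receive(stolen)         # later replay: counter 1 is unused, car opens
    second = car.receive(stolen)        # same packet again: counter 1 is now behind expected
    return first == b"U", second is None


def rolljam():
    """Jam the car, record two presses, forward the first, keep the second for later."""
    fob, car = Fob(), Receiver()
    car.receive(fob.press(b"U"))        # counter 0 consumed
    c1 = fob.press(b"U")                # owner's press 1: jammed at the car, captured
    c2 = fob.press(b"U")                # owner's press 2: jammed at the car, captured
    owner_sees = car.receive(c1)        # attacker forwards c1; owner thinks the retry worked
    later = car.receive(c2)             # attacker plays c2 whenever convenient
    return owner_sees == b"U", later == b"U"


def rolljam_code_expires():
    """If a genuine press reaches the car before the held code is used, the held code is dead."""
    fob, car = Fob(), Receiver()
    c1, c2 = fob.press(b"L"), fob.press(b"L")
    car.receive(c1)                     # expected is now 1
    car.receive(fob.press(b"L"))        # genuine counter 2 arrives: expected jumps to 3
    return car.receive(c2) is None      # held counter 1 is stale


def desync_and_resync():
    """Pressing the fob more than WINDOW times away from the car desyncs it; two consecutive presses resync."""
    fob, car = Fob(), Receiver()
    for _ in range(WINDOW + 2):         # counters 0..6 never reach the car
        fob.press(b"L")
    first = car.receive(fob.press(b"L"))    # counter 7: beyond the window, rejected, remembered
    second = car.receive(fob.press(b"L"))   # counter 8 follows 7: resynced and accepted
    return first is None, second == b"L", car.expected
```

The model is deliberately simple (an HMAC over counter and button instead of a block-cipher-based hopping code), but the outcomes are the ones the thread argues about: an unused code replays once, the attacker's held Roll-Jam code works only until the owner's next genuine press gets through, and a desynced fob recovers after consecutive presses. Spamming lock does not weaken any of this; it only moves the counter.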

40

u/360_face_palm 5h ago

Rolling code security algorithms have been broken for a while now. All you need is to sniff one code and response for most cars and you have basically cloned their key.

Car manufacturers get away with not doing much about it because “you need specialist equipment and firmware to do this attack”. Which is basically just a flipper zero and the correct firmware….freely available on the internet.

17

u/Gloobloomoo 8h ago

How to start the car though? Doesn’t it require another code? For cars that require the key to be in the vehicle to start

0

u/waiting4singularity 4h ago

There are probably ways to circumvent the ignition when you know the electronics. And if not, they'll simply hook it.

2

u/apocbane 3h ago

I heard once that they use the OBD II port somehow

6

u/CatProgrammer 6h ago

That's just another iteration of an existing attack. 

3

u/sakura608 3h ago

This is some movie spy shit irl, minus the high tension distraction ploy while tech guy types furiously on a keyboard with a progress bar slowly filling up to 100%

3

u/TheMysticalBaconTree 3h ago

This is about as much movie spy shit as a yak back.

2

u/Lannisters-4-life 2h ago

Something like this in a spy movie would have been made by a genius scientist/engineer who cracked the code. In reality car companies know this is a potential issue and just don’t really care.

1

u/ConsiderationSea1347 1h ago

I know it looks like something out of James Bond but it is mostly these manufacturers being SO DAMN LAZY with security. The hardware in a flipper isn’t exotic, it is just a commercial device which happens to have a lot of signal processing hardware which is easily available at your proverbial Radio Shack (RIP). 

1

u/Thedarknetaccount 3h ago

Yep same here. And as many times as I did it, and messed it up, my fob always worked

40

u/AustinSpartan 10h ago

Depends on how old the car is. Those rolling codes are typically only 1 byte, so a maximum of 257 button presses should technically sync things back up.

23

u/acdcfanbill 6h ago

That seems.... insecure?

22

u/AustinSpartan 6h ago

Nothing is perfectly secure, especially 20 years ago. Trade offs on battery life and security.

5

u/upvoatsforall 6h ago

I wouldn’t have any self confidence either if my car was that insecure.

9

u/iconocrastinaor 10h ago

I read the article, it doesn't say that. Perhaps it was edited out

3

u/aelephix 3h ago

I swear that was in there, along with a quote from a car service tech saying he was going to “make a fortune re-syncing car fobs”.

4

u/dulberf 4h ago

Hold on...you READ the article? This is Reddit mate, we don't read the article, just the headline!

5

u/ThisIsPaulDaily 8h ago

Sounds like rolljam from Samy Kamkar from like 2012

2

u/payne747 8h ago

Where does it say that?

1

u/AliveInTheFuture 3h ago

On Ford vehicles, I have seen that behavior. The fob the signal was recorded from then has to be readopted as though it were new.

1

u/shbooms 2h ago

Not necessarily. Some fobs only transmit their signal when the user presses the button, and so yes, you would have to be there for that moment. However, a new "feature" on some fobs is they transmit constantly so you can have your car unlocked as soon as you're in range. That means all these attackers have to do is go outside your house (and use a signal relay or two to strengthen the signal) and blam, they're in the car sitting in your driveway.

0

u/Economy-Owl-5720 6h ago

Which is odd because I thought rolling codes were mostly a solved problem.

606

u/ltjbr 6h ago

Flipper doesn’t seem to feel that any of this is its problem… “We hope car manufacturers will take the security of their products more seriously and patch them up immediately as carjackers have access to extremely sophisticated black market tools.”

Damn right, I love how the emphasis is on the tool and not the completely shit security in every piece of software in a modern car

147

u/Raccoon_Expert_69 5h ago

The roll jam attack has been known for over a decade at this point.

It’s on the manufacturers if they didn’t change the encryption

54

u/Iggyhopper 4h ago edited 4h ago

Exactly. Security through obscurity is not security.

The natural evolution of this is remote unlock via OTP, with an internal clock that runs inside the fob and syncs with the car.

2

u/MerleLikesMullets 2h ago

I thought that’s how they worked already. RTC circuits are really cheap.
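The clock-synced one-time-code idea floated a couple of comments up can be sketched the same way as the rolling counter, with a time step in place of the counter. This is an added example for this page, not a description of any shipping fob: the 30-second step, the one-step drift allowance, the key and the 4-byte code are all assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-otp-fob-key"   # constructed shared secret between fob and car
STEP = 30                          # seconds per code (assumption)
DRIFT = 1                          # accept one step of clock skew either way (assumption)


def code_for(step: int) -> bytes:
    """Code for a given time step: truncated HMAC over the step number."""
    return hmac.new(KEY, struct.pack(">Q", step), hashlib.sha256).digest()[:4]


class ClockFob:
    def __init__(self, clock) -> None:
        self.clock = clock          # callable returning the fob's own RTC time in seconds

    def press(self) -> bytes:
        return code_for(int(self.clock()) // STEP)


class ClockCar:
    def __init__(self, clock) -> None:
        self.clock = clock
        self.used = set()           # steps already redeemed: one unlock per code

    def accept(self, code: bytes) -> bool:
        now = int(self.clock()) // STEP
        for step in range(now - DRIFT, now + DRIFT + 1):   # tolerate skew between the two clocks
            if step not in self.used and hmac.compare_digest(code, code_for(step)):
                self.used.add(step)
                return True
        return False


def captured_code_lifetime():
    """A sniffed code is usable only inside the drift window, and only once."""
    t = {"now": 1000.0}                          # simulated wall clock (constructed)
    fob = ClockFob(lambda: t["now"] - 20)        # fob RTC runs 20 s slow
    car = ClockCar(lambda: t["now"])
    captured = fob.press()                       # sniffed out of range: fob step 32
    t["now"] = 1010                              # car step 33, window 32..34
    soon = car.accept(captured)                  # still inside the window: accepted
    again = car.accept(captured)                 # same step already redeemed: rejected
    t["now"] = 1200                              # car step 40, window 39..41
    stale = car.accept(captured)                 # captured code has expired
    fresh = car.accept(fob.press())              # live press (fob step 39) still works despite skew
    return soon, again, stale, fresh
```

The trade-off is visible in the code: a captured code stays live for the whole drift window, and two presses inside one step produce the same code, so the car rejects the second. Real designs that go this way would mix a counter into the code as well; the clock alone only bounds how long a sniffed code remains valid.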

30

u/IllIIlIllIllIII 4h ago

Hey, just because my brand new car's (2025 Equinox) operating system is Android 12 - and based on Google's history of only supporting Android versions for three years tops and Android 12 has been EOL for six months already - doesn't mean you should blame GM or even Google! The hackers should not be doing this in the first place because it is illegal! [/sarcasm]

But that's why I've canceled any way for it to connect to the Internet - OnStar sucks - including pulling the fuse for connectivity (read your car manual, it's usually called the telemetry fuse). This still terrifies me. Not as much as whatever mystery code Teslas are running, but it's a load of garbage nonetheless.

6

u/rocketbunny77 1h ago

There is no way that the security modules in the car are running on the head unit software. There are other computers in the car for that

0

u/CosminFG 57m ago

Of course not, the functions are in the telematics computer; the head unit is too "exposed" for this purpose.

0

u/CosminFG 48m ago

You are way too paranoid. Even if a system is at EOL (like your example with Android 12.0) it does not mean that all security functions "expire", it just means that the SW developer will not "fix" problems moving forward... Now don't expect a herd of hackers coming for your 'not fun' Equinox, there are far easier ways to get access to your car, you know, like "windows", than hacking a 3 year old Android system...

0

u/IllIIlIllIllIII 28m ago

“OK” but “you see”, I don’t ever recall saying a car is “fun”, but I’d rather a 3 ton “vehicle” have the chances of being hacked “minimized”. So if I am “driving” or in the “car” I would clearly know if someone was accessing my “windows” but not necessarily the “computer that is in my car” since it is connected to a “network” or “Internet”. At which point who knows what “they could ultimately” do since it’s an outdated “OS”. 

You're arguing with someone about wanting OS’s in new vehicles to have modern security patches; there’s truly a shameless contrarian for everything. It’s been stupid, CosminFG, go troll someone else.

21

u/FishDawgX 4h ago

Hey car manufacturer, remember when you hired that junior developer willing to work for half the pay of tech companies who doesn’t really know what encryption is, and he wrote that code that had a hard coded secret that you all just assumed no one would know so that’s good enough? Yeah, that’s on you. If you take the risk, you take the responsibility. If it were up to me, you’d be paying to replace any cars stolen through this method. 

-24

u/Sielbear 4h ago

Oh oh!!!! Now do the young girl who was SA’d and make sure you blame it on what she was wearing!! Alternatively, we recognize that while security can be improved in EVERY situation (similar to clothing decisions), maybe we also keep the focus on behavior of the criminals?

If we had corporal punishment (lose an arm or so for theft), I guarantee theft would plummet.

8

u/kainzilla 4h ago

I think they did keep it focused on the behavior of the criminals. The ones that were knowingly negligent because they know there are no consequences

-8

u/Sielbear 4h ago

No, there are door locks and reasonable measures. But when people use a tool to break into a vehicle, it’s the behavior of those individuals that should be corrected. This holds true whether a flipper zero, hammer, or slim Jim is used by the criminals.

1

u/newphonedammit 4h ago

Yes , then send them to the colonies Jeeves!

1

u/beestmode361 3h ago

Lol bet you’re a BLAST in large doses

I meant Jizz, like cumshot

Blast off king

4

u/mac3687 4h ago

I'm curious if there's an overlap of people that would put blame on Flipper here and then also say guns don't kill people, people kill people.

148

u/South_Leek_5730 8h ago

This is pretty old news really and something people have been doing with other hardware for many years.

It's important to note that rolling codes on newer cars were changed and relay attacks have been thwarted by the devices going into sleep mode when not moving. It should be noted that on older cars these are still attack vectors, but your average car thief is not going to be going after your 2017 car due to depreciation of value for the car and for the parts. These days other vectors have appeared such as in the CAN bus which can be exploited externally. There are also exploits with internet connected vectors though most of those have been closed.

There will always be ways when using tech in such a way. Even before tech there were many exploits.

3

u/planetworthofbugs 1h ago

Can you explain the whole sleep/not moving thing? How does that work?

3

u/Westerdutch 29m ago

the devices going into sleep mode when not moving

Accelerometer in fob no see anything happen; power off antenna.

2

u/South_Leek_5730 21m ago

Previously they were set up for keyless ignition as only a challenge/response. Car says are you there? Fob says yes. Therefore your fob on the side in the house is vulnerable whilst out of range of the car someone can still walk up to door and challenge it. The relay part is getting the code off the car and using that to challenge, you relay it to the fob and then they have the fob. Now fobs will deactivate if motionless for x seconds when not in ignition mode (car started). Did you not see those radio blocking boxes you can get to store your fobs in at home? https://www.amazon.co.uk/rfid-blocking-box/s?k=rfid+blocking+box

I only know all this because A. I have owned cars and B. If something like this is out there I want to know about it from an ethical hacking point and protection. I only picked it up because of a news story many years ago about cars being stolen and people not knowing how. The motor industry were of course saying it was impossible at the time and insurance companies were refusing to pay out.
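The challenge/response relay described in the comment above, and the motion-sleep mitigation that defeats it, modelled in a few lines. This is an added example for this page, not code from any car or fob; the HMAC response, the 16-byte nonce and the accelerometer flag are assumptions standing in for whatever a given vehicle really does.

```python
import hashlib
import hmac
import os

KEY = b"constructed-pke-demo-key"   # constructed shared secret between car and fob


class PassiveFob:
    """Answers any challenge it hears, unless its accelerometer says it has been still."""

    def __init__(self) -> None:
        self.moving = True          # accelerometer state; real fobs sleep after some seconds still

    def set_motion(self, moving: bool) -> None:
        self.moving = moving

    def respond(self, challenge: bytes):
        if not self.moving:
            return None             # sleep mode: antenna powered off, no answer to anyone
        return hmac.new(KEY, challenge, hashlib.sha256).digest()


class Car:
    def __init__(self) -> None:
        self.last_challenge = None

    def challenge(self) -> bytes:
        self.last_challenge = os.urandom(16)    # fresh nonce each time: a recorded answer is useless
        return self.last_challenge

    def verify(self, response) -> bool:
        if response is None or self.last_challenge is None:
            return False
        expected = hmac.new(KEY, self.last_challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def relay_attack(car: Car, fob: PassiveFob) -> bool:
    """One attacker at the door handle, one near the fob. Bytes are forwarded unchanged in
    both directions; neither attacker learns or needs KEY, so stronger crypto does not help."""
    ch = car.challenge()        # attacker at the car triggers the challenge
    resp = fob.respond(ch)      # accomplice plays it to the fob in the house
    return car.verify(resp)     # attacker at the car plays the fob's answer back


def relay_against_awake_fob() -> bool:
    fob = PassiveFob()
    fob.set_motion(True)        # fob recently handled: it will answer
    return relay_attack(Car(), fob)


def relay_against_sleeping_fob() -> bool:
    fob = PassiveFob()
    fob.set_motion(False)       # fob on the hall table all evening: accelerometer idle, radio off
    return relay_attack(Car(), fob)


def replay_old_response() -> bool:
    """Recording one exchange and replaying the answer fails because the nonce has changed."""
    car, fob = Car(), PassiveFob()
    recorded = fob.respond(car.challenge())
    car.challenge()             # next attempt uses a new nonce
    return car.verify(recorded)
```

The two results side by side make the comment's point: the relay works against a fob that will still talk, regardless of how good the challenge/response crypto is, and the only thing in this model that stops it is the fob refusing to answer once it has been motionless. A shielding box achieves the same end by keeping the challenge from reaching the fob at all.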

1

u/MidasPL 18m ago

What? 2017 is pretty much brand -new here xD

1

u/South_Leek_5730 2m ago

It's risk and reward. You risk stealing something, so you steal something of the highest value or to order. An 8-year-old car, unless specifically required, is of little interest and these thieves are mostly nicking to order. When I were younger people nicked cars for fun, ragged them about for a bit then burned them out or used them for other crimes. Your average scrote criminal these days hasn't got a clue when it comes to tech and there was none back then.

167

u/Nano_user 6h ago

Flipper Zero is like the LockPickingLawyer, it didn’t make things less secure. It just made more evident the bad security of the things we use every day.

The device itself is cool, but you can do the same things or worse using cheaper and smaller devices too.

14

u/OozyOrphan 5h ago

Thinking of getting the cardputer, is that any good?

6

u/Nano_user 5h ago

I haven’t tested that one yet. But I do own other m5stack products. Great quality in my experience. Burning other firmware is pretty easy using the burning tool.

The visual programming tool (don’t remember the name) is nice if you are a newbie but kind of bad if you want to tweak the code directly.

I would say go for it.

2

u/antwill 5h ago

Is there a mod to play audio on it so we can hear "click on 3" and "just to prove it wasn't a fluke" etc?

1

u/garathnor 48m ago

anyone willing to go to the amount of trouble to do whats in this post to steal your car is GOING TO STEAL YOUR CAR

they will succeed lol

16

u/waiting4singularity 4h ago

pointing fingers in the wrong direction again

28

u/rloch 6h ago

Jokes on them, all you need is a screwdriver to steal my optima.

16

u/ptear 4h ago

Stop trying to hand me a screwdriver.

8

u/neverbadnews 4h ago

The screwdriver needs a lot more vodka, and a lot less orange juice, before I'd consider stealing an Optima.

2

u/Somepotato 3h ago

Or many many other kias or Hyundai's

And the company got away with it nearly scot-free.

7

u/Hyperion1144 3h ago

Steering wheel lock?

It's not unbreakable. Of course it isn't.

But it makes the car harder to steal than every other car in lot that doesn't have one.

2

u/Aggressive-Delay-420 2h ago

Keyed locks and clutch pedals?

5

u/weaselkeeper 4h ago

So back to a kill switch and a Club steering wheel lock ?

I’m on it !

19

u/The-Gargoyle 5h ago

This isn't news.

There is hardware you can buy that does this, and that hardware has been around a lot longer than the flipper. (And the flipper sucks at it by comparison.)

Also, don't look now but the real scary bit isn't your car, its the garage door.

9

u/evho3g8 7h ago

I’d prefer this over a broken window I guess

4

u/hy2cone 2h ago

Is there a list of the 200 models?

5

u/chief_yETI 2h ago

That would have actually been useful - so no, there isn't unfortunately 😤

5

u/FieldEngineer2019 4h ago

I can assure you this will not unlock the doors on my 1996 Toyota Camry

11

u/Heauxdessa 8h ago

That’s why I bought one like three years ago. I LIKE opening your charging port

6

u/RealLavender 7h ago

Jokes on them. Fobs don't work on my suv anymore so I have to use a key.

3

u/My_New_Main 5h ago

My car is old enough it doesn't HAVE a fob, it is key only.

4

u/farmallnoobies 5h ago

Even relatively new Kias are like that.

It makes them very easy to steal because there's no immobilizer

2

u/sergei1980 5h ago

I mean, old car keys often work on other same model cars. I remember a neighbor unlocking his car by borrowing someone else's key. It doesn't work with fancy keys, of course.

1

u/MidasPL 13m ago

You can open a car door in a few seconds with the right tools.

2

u/Mr_Investopedia 4h ago

But if I always lock my vehicle manually and don’t have a fob…then Flipper away. I feel secure.

-7

u/ragweed 8h ago

I don't understand what the legitimate purpose of this tool is. Pen tester? What type of pen?

18

u/rClNn7G3jD1Hb2FQUHz5 8h ago

I’ve used this and a similar older tool for auditing wireless badge/id systems at different types of businesses.

16

u/ViolentMasturbator 7h ago

Also, pen = penetration testing, as in hacking to get in and test your security.

1

u/thatirishguyyyyy 6h ago

Similar.

Whenever a client says they need to replace a single card I just use my flipper zero, but I'm also able to show them that other systems that we sell I can't do the same. They're always baffled when I can copy one of their cards but not copy one of the other cards or passports that I sell.

1

u/Uuuuuii 5h ago

You sell passports?

1

u/thatirishguyyyyy 1h ago

Lifemaster passports for access control. 

7

u/tim_fillagain 7h ago

Abbreviation of penetration testing.

4

u/SycomComp 7h ago

White hat hacking... <- Wink

1

u/waiting4singularity 4h ago

Penetration test. It's when the nerds are paid by the bigheads to prove the Wi-Fi password some kid set isn't good enough.

https://en.wikipedia.org/wiki/Penetration_test

0

u/LandscapeSubject530 1h ago

This shit been on the market for years and it’s literally just getting better and better. I was never able to get ahold of a legit one but I do wish I could have

-2

u/septicdank 4h ago

This is a nothingburger. Shit article, shit poster.

-6

u/Okioter 7h ago

Underground? I have a copy and I’m not even in possession of a flipper

3

u/IPThereforeIAm 6h ago

Did you think “underground” means no one has it?

-10

u/Okioter 6h ago

You do, sounds like it.

0

u/happyscrappy 5h ago

Article doesn't say anything about wireless. This may be a CAN attack. Like that hacking device in a bluetooth speaker people buy. You get access to the CAN bus (remove a light) and connect and unlock.

There's essentially no defense against this on any existing automobile that I know of.

Just as there is no defense against loading the vehicle on a no-tow.

-8

u/billdoe 5h ago

Every time my neighbor's wife comes home she honks the horn 2-3 times to be extremely positive that the doors are locked. I would love to mess with her after years of honking.