A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems

Page view(s)
89
Checked on Aug 28, 2025
A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems
Please use this identifier to cite or link to this item: https://oar.a-star.edu.sg/communities-collections/articles/18514
Title:
A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems
Journal Title:
BlackHat USA 2022
DOI:
Publication URL:
http://i.blackhat.com/USA-22/Thursday/US-22-Csikor-RollBack-A-New-Time-Agnostic-Replay-Attack.pdf
Authors:
Levente Csikor, Hoon Wei Lim, Jun Wen Wong, Rohini Poolat Parameswarath, Chan Mun Choon
Keywords:
blackhat, rollback, Replay attack, automotive security, keyless entry systems
Publication Date:
11 August 2022
Citation:
L. Csikor, H.W. Lim, J.W. Wong, S. Ramesh, R.P. Parameswarath, M.C. Chan, "RollBack - A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems", BlackHat USA 2022 Briefings, Las Vegas, NV, USA, 2022.
Abstract:
Automotive Remote Keyless Entry (RKE) systems implement disposable rolling codes, making every key fob button press unique, effectively preventing simple replay attacks. However, RollJam was proven to break all rolling code-based systems in general. By a careful sequence of signal jamming, capturing, and replaying, an attacker can become aware of the subsequent valid unlock signal that has not been used yet. RollJam, however, requires continuous deployment indefinitely until it is exploited. Otherwise, the captured signals become invalid if the key fob is used again without RollJam in place. We introduce RollBack, a new replay-and-resynchronize attack against most of today's RKE systems. In particular, we show that even though the one-time code becomes invalid in rolling code systems, there is a way to utilize and replay previously captured signals that trigger a rollback-like mechanism in the RKE system. Put differently, the rolling codes can be resynchronized back to a previous code used in the past from where all subsequent yet already used signals work again. Moreover, the victim can still use the key fob without noticing any difference before and after the attack. Unlike RollJam, RollBack does not necessitate jamming at all. Furthermore, it requires signal capturing only once and can be exploited any time in the future as many times as desired. This time-agnostic property is particularly attractive to attackers, especially in car-sharing/renting scenarios where accessing the key fob is straightforward. However, while RollJam defeats virtually any rolling code-based system, vehicles might have additional anti-theft measures against malfunctioning key fobs, hence against RollBack. Our ongoing analysis (covering the Asian vehicle manufacturers for the time being) against different vehicle makes, models, and RKE manufacturers revealed that ~70% of them are vulnerable to RollBack. Since most of the RKE transceivers from three out of the four (identified) manufacturers were vulnerable, the impact is expected to be bigger worldwide.
License type:
Publisher Copyright
Funding Info:
There was no specific funding for the research done
Description:
Presentation abstract and slides are available only for this publication. No paper submission is required, however, we plan to release a subsequent whitepaper about our research findings.
URI:
https://oar.a-star.edu.sg/communities-collections/articles/18514
ISBN:
1
Collections:
Institute for Infocomm Research
Files uploaded:

Manuscripts in This Item:
File Size Format Action
us-22-csikor-rollback-a-new-time-agnostic-replay-attack.pdf 3.68 MB PDF Open