Most people probably take for granted that their key fob is secure. Locking and unlocking cars is, after all, enormously important. But at the Black Hat security conference, researchers showed how a simple replay attack can roll back the safety measures built into car key fobs.
The system for locking and unlocking cars remotely is called Remote Keyless Entry (RKE), and it's more complex than it might seem. Each button-press is unique, which prevents an attacker from simply recording you hitting the unlock button and playing it back later.
Levente Csikor, a Senior Research Scientist at NCS Group, explained that RKE systems use a rolling code. The key fob and the car have a counter that increases each time a button is pressed. That way, a previously recorded button press will not be accepted.
But not every key fob press reaches the car. Perhaps you're out of range, behind thick glass, or just fidgeting with your keys. Those presses advance the counter on the fob but not on the car. To keep accidental presses from locking owners out, RKE systems resynchronise: when the car receives a valid code whose counter is ahead of its own, it accepts it and moves its counter up to match the fob.
The resync logic assumes that as long as the counter on the fob is higher than the one in the car, the code can't be a replay. But that means a code captured before the resync, one that never made it to the car, would still be accepted.
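The following simulation is an added example, not code from the article or from the researchers; it models a fob and a car that share a key, with the resync rule described above, and then walks through the capture-and-jam sequence that the rule permits. The MAC construction, the `WINDOW` of 16 counts and the key bytes are assumptions for illustration, not the format any real RKE system uses.

```python
import hmac
import hashlib

# Assumed values for the demo: a real fob keeps a per-device key in hardware,
# and the resync window differs between implementations.
WINDOW = 16
KEY = b"demo-fob-key"


def make_code(key: bytes, counter: int) -> bytes:
    """One rolling-code transmission: 4-byte counter plus a truncated HMAC over it (assumed format)."""
    ctr = counter.to_bytes(4, "big")
    tag = hmac.new(key, ctr, hashlib.sha256).digest()[:8]
    return ctr + tag


class Fob:
    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def press(self) -> bytes:
        # The fob's counter advances whether or not the car ever hears this code.
        self.counter += 1
        return make_code(self.key, self.counter)


class Car:
    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def receive(self, code: bytes) -> bool:
        ctr = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(code, make_code(self.key, ctr)):
            return False            # forged or corrupted transmission
        if ctr <= self.counter:
            return False            # counter already consumed: a plain replay is rejected
        if ctr > self.counter + WINDOW:
            return False            # too far ahead: treated as out of sync
        self.counter = ctr          # resync: jump forward to the fob's counter
        return True


def scenario() -> dict:
    """Constructed sequence of presses: normal use, then an attacker who jams and captures."""
    fob, car = Fob(KEY), Car(KEY)
    r = {}

    c1 = fob.press()
    r["normal_press"] = car.receive(c1)          # car counter 0 -> 1
    r["plain_replay"] = car.receive(c1)          # same code again: rejected

    # Attacker jams the next two presses. The car hears neither; the attacker records both.
    c2 = fob.press()
    c3 = fob.press()

    # Attacker replays the first captured code: it is ahead of the car, so the car resyncs and unlocks.
    r["replay_first_jammed"] = car.receive(c2)   # car counter 1 -> 2

    # The owner presses again; the attacker jams and captures that too, then replays the held c3.
    c4 = fob.press()
    r["replay_second_jammed"] = car.receive(c3)  # car counter 2 -> 3, attacker now holds c4

    # A press that reaches the car unjammed moves the counter past the held code, which then dies.
    c5 = fob.press()
    r["owner_press_heard"] = car.receive(c5)     # car counter 3 -> 5
    r["held_code_after_newer"] = car.receive(c4) # 4 <= 5: rejected

    # Far beyond the window, a valid-looking code is not accepted either.
    r["far_ahead"] = car.receive(make_code(KEY, car.counter + WINDOW + 1))
    return r


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name:24s} {'ACCEPTED' if accepted else 'rejected'}")
```

The two checks that matter are the `ctr <= self.counter` rejection, which is what stops a straightforward record-and-replay, and the resync branch, which is what lets a jammed-and-captured code through later as long as nothing newer has reached the car in the meantime. The attacker's only constraint is to keep holding one unused code, which the jamming step provides.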
Csikor said that this is the crux of the RollJam attack, which different researchers introduced seven years ago. Using low-cost hardware, a RollJam device captured a key fob button signal, then jammed the airwaves and captured a second button-press. The second signal never reached the car, and
Read more on pcmag.com