Re: Rolling codes and vehicle locks

From: Richard (rh86_at_azglobal.com)
Date: 02/19/04

Date: Thu, 19 Feb 2004 08:12:27 -0700

"Lewin A.R.W. Edwards" wrote:
> I'm puzzled. I thought the whole point behind
> rolling-code keyless entry devices was that a
> single capture won't reveal the current state of
> the engine in the transmitter.

From a crypto perspective, I'd expect it's to prevent replay attacks,
where the code is "snooped" from RF and then played back later verbatim.

Speculating... you've got 4 data elements: fob serial number, keypress
code, sequence number (rolling code), and a "secret" (if any).

Unless the car transmits a unique shared secret key to the fob (very
unlikely), the secret isn't really secret (since it'd be identical in
every car and fob) - someone will have compromised the "secret", whether
it's a proprietary algorithm or the manufacturer's crypto key. It's
likely that they didn't bother with a secret, for this very reason.

Consider this - will one keyfob work on two cars at once if properly
"programmed"? (Likewise with garage door openers.) If so, there's your
answer.

I'd wager that the burden of logic is on the car's side to track the
last-used sequence number for each fob. For each fob (serial number),
simply accept any sequence number greater than the last used, and the fob
just increments with each button press.

So, I doubt the process is as secure as people think (it rarely is) -
you just need a smarter "snooper" that increments the sequence number on
playback.

Richard
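An added illustration of the receiver logic Richard speculates about (my own toy model, not the list author's code or any real vehicle's scheme): the car accepts any sequence number greater than the last one seen for a fob serial, and the `with_secret` variant adds a hypothetical per-fob keyed tag (HMAC-SHA256, my assumption) so that a snooped frame with an altered sequence number no longer validates. The names Frame, Fob, Car and demo and the per-fob key are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

@dataclass
class Frame:
    serial: int       # fob serial number
    keypress: int     # which button was pressed
    seq: int          # rolling sequence number
    tag: bytes = b""  # keyed check value; empty when the design has no secret

def make_tag(key, serial, keypress, seq):
    # Hypothetical keyed scheme: HMAC-SHA256 over serial || keypress || seq, truncated
    msg = serial.to_bytes(4, "big") + bytes([keypress]) + seq.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Fob:
    def __init__(self, serial, key=None):
        self.serial, self.key, self.seq = serial, key, 0
    def press(self, keypress):
        self.seq += 1  # the fob simply increments on every button press
        tag = make_tag(self.key, self.serial, keypress, self.seq) if self.key else b""
        return Frame(self.serial, keypress, self.seq, tag)

class Car:
    """Receiver: remembers the last accepted sequence number for each fob serial."""
    def __init__(self, fob_keys):
        self.fob_keys, self.last_seq = fob_keys, {}  # serial -> key (None = no secret)

    def receive(self, f):
        if f.seq <= self.last_seq.get(f.serial, 0):
            return False  # verbatim replay: sequence number not greater than last used
        key = self.fob_keys.get(f.serial)
        if key and not hmac.compare_digest(f.tag, make_tag(key, f.serial, f.keypress, f.seq)):
            return False  # frame altered by someone who does not hold the per-fob key
        self.last_seq[f.serial] = f.seq
        return True

def demo(with_secret):
    # Constructed scenario: one genuine press is captured, then four frames are received
    key = b"constructed per-fob key" if with_secret else None
    fob, car = Fob(0x1234, key), Car({0x1234: key})
    captured = fob.press(1)
    altered = Frame(captured.serial, captured.keypress, captured.seq + 1, captured.tag)
    return {
        "genuine": car.receive(captured),         # accepted either way
        "replay": car.receive(captured),          # rejected either way
        "incremented": car.receive(altered),      # accepted only when there is no secret
        "next_press": car.receive(fob.press(1)),  # genuine fob locked out if the altered frame was accepted
    }
```

demo(False) shows the altered frame accepted and the genuine fob's next press then rejected; demo(True) shows the reverse, which is why a per-fob secret (not one shared by every car and fob) is what makes the sequence number worth anything.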