Does pressing a car remote many times offer denial of service attack for rolling codes?
My understanding of remote car key fobs, and similar security devices with rolling codes, is that the key device is a transmitter that, each time the button is pressed, sends the next secret in a known sequence that is unique to the key. It does not contain a receiver.
Meanwhile, the receiver in the car tracks (for each key fob it recognises) what it expects the next secret to be, and only unlocks if it receives the correct code.
There is a risk that a transmission maybe lost - e.g. the button pressed when out of range - so the receiver actually accepts any of the next few secrets in the sequence. I have heard of one system that allowed a window of up to 256, but I don't know if that number is correct and whether it is typical.
If my understanding is correct, it is possible to render a key fob useless (i.e. perform a denial of service attack on the owner) by pressing the button at least 256 times while out of the range of the car.
This obviously relies on access to the key fob, but not when the car is close - which is a time the user may be less vigilant.
So, if a friend gets drunk in a pub, I can make sure they can't drive home by rapidly pressing their car remote 300 times while they are in the bathroom.
It has always bothered me that such an attack is possible, and yet I have never heard of anyone performing it, which makes me doubt that I have understood this completely.
wireless locks vehicle
add a comment |
My understanding of remote car key fobs, and similar security devices with rolling codes, is that the key device is a transmitter that, each time the button is pressed, sends the next secret in a known sequence that is unique to the key. It does not contain a receiver.
Meanwhile, the receiver in the car tracks (for each key fob it recognises) what it expects the next secret to be, and only unlocks if it receives the correct code.
There is a risk that a transmission maybe lost - e.g. the button pressed when out of range - so the receiver actually accepts any of the next few secrets in the sequence. I have heard of one system that allowed a window of up to 256, but I don't know if that number is correct and whether it is typical.
If my understanding is correct, it is possible to render a key fob useless (i.e. perform a denial of service attack on the owner) by pressing the button at least 256 times while out of the range of the car.
This obviously relies on access to the key fob, but not when the car is close - which is a time the user may be less vigilant.
So, if a friend gets drunk in a pub, I can make sure they can't drive home by rapidly pressing their car remote 300 times while they are in the bathroom.
It has always bothered me that such an attack is possible, and yet I have never heard of anyone performing it, which makes me doubt that I have understood this completely.
wireless locks vehicle
A) You don't need the key fob to work to drive home. They contain back-up physical keys. B) If you want to prank your friend by disabling their key fob, wouldn't it be easier to just take the battery out and pocket it, rather than to push the button 300 times?
– Xander
3 hours ago
@Xander: It's been a while since I thought about it, but I believe my aftermarket alarm includes an immobiliser that requires the fob to deactivate. The physical car key isn't enough. Ironically, I keep a spare battery and jeweller's screwdriver in my glovebox and don't know the reset sequence in ThoriumBR's answer, so I am not typical.
– Oddthinking
2 hours ago
Let's be clear. Crushing the remote under your heel would also be a denial of service, but this is really more about understanding the weaknesses than actually attacking effectively.
– Oddthinking
2 hours ago
add a comment |
My understanding of remote car key fobs, and similar security devices with rolling codes, is that the key device is a transmitter that, each time the button is pressed, sends the next secret in a known sequence that is unique to the key. It does not contain a receiver.
Meanwhile, the receiver in the car tracks (for each key fob it recognises) what it expects the next secret to be, and only unlocks if it receives the correct code.
There is a risk that a transmission maybe lost - e.g. the button pressed when out of range - so the receiver actually accepts any of the next few secrets in the sequence. I have heard of one system that allowed a window of up to 256, but I don't know if that number is correct and whether it is typical.
If my understanding is correct, it is possible to render a key fob useless (i.e. perform a denial of service attack on the owner) by pressing the button at least 256 times while out of the range of the car.
This obviously relies on access to the key fob, but not when the car is close - which is a time the user may be less vigilant.
So, if a friend gets drunk in a pub, I can make sure they can't drive home by rapidly pressing their car remote 300 times while they are in the bathroom.
It has always bothered me that such an attack is possible, and yet I have never heard of anyone performing it, which makes me doubt that I have understood this completely.
wireless locks vehicle
My understanding of remote car key fobs, and similar security devices with rolling codes, is that the key device is a transmitter that, each time the button is pressed, sends the next secret in a known sequence that is unique to the key. It does not contain a receiver.
Meanwhile, the receiver in the car tracks (for each key fob it recognises) what it expects the next secret to be, and only unlocks if it receives the correct code.
There is a risk that a transmission maybe lost - e.g. the button pressed when out of range - so the receiver actually accepts any of the next few secrets in the sequence. I have heard of one system that allowed a window of up to 256, but I don't know if that number is correct and whether it is typical.
If my understanding is correct, it is possible to render a key fob useless (i.e. perform a denial of service attack on the owner) by pressing the button at least 256 times while out of the range of the car.
This obviously relies on access to the key fob, but not when the car is close - which is a time the user may be less vigilant.
So, if a friend gets drunk in a pub, I can make sure they can't drive home by rapidly pressing their car remote 300 times while they are in the bathroom.
It has always bothered me that such an attack is possible, and yet I have never heard of anyone performing it, which makes me doubt that I have understood this completely.
wireless locks vehicle
wireless locks vehicle
asked 3 hours ago
OddthinkingOddthinking
6071612
6071612
A) You don't need the key fob to work to drive home. They contain back-up physical keys. B) If you want to prank your friend by disabling their key fob, wouldn't it be easier to just take the battery out and pocket it, rather than to push the button 300 times?
– Xander
3 hours ago
@Xander: It's been a while since I thought about it, but I believe my aftermarket alarm includes an immobiliser that requires the fob to deactivate. The physical car key isn't enough. Ironically, I keep a spare battery and jeweller's screwdriver in my glovebox and don't know the reset sequence in ThoriumBR's answer, so I am not typical.
– Oddthinking
2 hours ago
Let's be clear. Crushing the remote under your heel would also be a denial of service, but this is really more about understanding the weaknesses than actually attacking effectively.
– Oddthinking
2 hours ago
add a comment |
A) You don't need the key fob to work to drive home. They contain back-up physical keys. B) If you want to prank your friend by disabling their key fob, wouldn't it be easier to just take the battery out and pocket it, rather than to push the button 300 times?
– Xander
3 hours ago
@Xander: It's been a while since I thought about it, but I believe my aftermarket alarm includes an immobiliser that requires the fob to deactivate. The physical car key isn't enough. Ironically, I keep a spare battery and jeweller's screwdriver in my glovebox and don't know the reset sequence in ThoriumBR's answer, so I am not typical.
– Oddthinking
2 hours ago
Let's be clear. Crushing the remote under your heel would also be a denial of service, but this is really more about understanding the weaknesses than actually attacking effectively.
– Oddthinking
2 hours ago
A) You don't need the key fob to work to drive home. They contain back-up physical keys. B) If you want to prank your friend by disabling their key fob, wouldn't it be easier to just take the battery out and pocket it, rather than to push the button 300 times?
– Xander
3 hours ago
A) You don't need the key fob to work to drive home. They contain back-up physical keys. B) If you want to prank your friend by disabling their key fob, wouldn't it be easier to just take the battery out and pocket it, rather than to push the button 300 times?
– Xander
3 hours ago
@Xander: It's been a while since I thought about it, but I believe my aftermarket alarm includes an immobiliser that requires the fob to deactivate. The physical car key isn't enough. Ironically, I keep a spare battery and jeweller's screwdriver in my glovebox and don't know the reset sequence in ThoriumBR's answer, so I am not typical.
– Oddthinking
2 hours ago
@Xander: It's been a while since I thought about it, but I believe my aftermarket alarm includes an immobiliser that requires the fob to deactivate. The physical car key isn't enough. Ironically, I keep a spare battery and jeweller's screwdriver in my glovebox and don't know the reset sequence in ThoriumBR's answer, so I am not typical.
– Oddthinking
2 hours ago
Let's be clear. Crushing the remote under your heel would also be a denial of service, but this is really more about understanding the weaknesses than actually attacking effectively.
– Oddthinking
2 hours ago
Let's be clear. Crushing the remote under your heel would also be a denial of service, but this is really more about understanding the weaknesses than actually attacking effectively.
– Oddthinking
2 hours ago
add a comment |
1 Answer
1
active
oldest
votes
it is possible to render a key fob useless by pressing the button at least 256 times while out of the range of the car.
Not useless, but desynchronized. Any car will allow you to re-synchronize it by this typical procedure:
Turn the ignition key on and off eight times in less than 10 seconds. This tells the security system in the car to switch over to programming mode.
Press a button on all of the transmitters you want the car to recognize. Most cars allow at least four transmitters.
Switch the ignition off.
yet I have never heard of anyone performing it
You don't have any 3-year olds around?
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
Three-year-olds can be dangerous, relentless attackers, so take care with the physical security of your key fobs.
I have never heard of anyone saying "My three year old 'broke' my keyfob." and I guess I expected to hear this more often.
– Oddthinking
2 hours ago
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
– ThoriumBR
2 hours ago
Perfect. With that anecdote, this becomes a great answer.
– Oddthinking
1 hour ago
You don't even need a three-year-old. A pack of chewing gums (Preferably reduced to just two or three remaining pills) in the same pocket will do just fine.
– John Dvorak
58 mins ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f202026%2fdoes-pressing-a-car-remote-many-times-offer-denial-of-service-attack-for-rolling%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
it is possible to render a key fob useless by pressing the button at least 256 times while out of the range of the car.
Not useless, but desynchronized. Any car will allow you to re-synchronize it by this typical procedure:
Turn the ignition key on and off eight times in less than 10 seconds. This tells the security system in the car to switch over to programming mode.
Press a button on all of the transmitters you want the car to recognize. Most cars allow at least four transmitters.
Switch the ignition off.
yet I have never heard of anyone performing it
You don't have any 3-year olds around?
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
Three-year-olds can be dangerous, relentless attackers, so take care with the physical security of your key fobs.
I have never heard of anyone saying "My three year old 'broke' my keyfob." and I guess I expected to hear this more often.
– Oddthinking
2 hours ago
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
– ThoriumBR
2 hours ago
Perfect. With that anecdote, this becomes a great answer.
– Oddthinking
1 hour ago
You don't even need a three-year-old. A pack of chewing gums (Preferably reduced to just two or three remaining pills) in the same pocket will do just fine.
– John Dvorak
58 mins ago
add a comment |
it is possible to render a key fob useless by pressing the button at least 256 times while out of the range of the car.
Not useless, but desynchronized. Any car will allow you to re-synchronize it by this typical procedure:
Turn the ignition key on and off eight times in less than 10 seconds. This tells the security system in the car to switch over to programming mode.
Press a button on all of the transmitters you want the car to recognize. Most cars allow at least four transmitters.
Switch the ignition off.
yet I have never heard of anyone performing it
You don't have any 3-year olds around?
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
Three-year-olds can be dangerous, relentless attackers, so take care with the physical security of your key fobs.
I have never heard of anyone saying "My three year old 'broke' my keyfob." and I guess I expected to hear this more often.
– Oddthinking
2 hours ago
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
– ThoriumBR
2 hours ago
Perfect. With that anecdote, this becomes a great answer.
– Oddthinking
1 hour ago
You don't even need a three-year-old. A pack of chewing gums (Preferably reduced to just two or three remaining pills) in the same pocket will do just fine.
– John Dvorak
58 mins ago
add a comment |
it is possible to render a key fob useless by pressing the button at least 256 times while out of the range of the car.
Not useless, but desynchronized. Any car will allow you to re-synchronize it by this typical procedure:
Turn the ignition key on and off eight times in less than 10 seconds. This tells the security system in the car to switch over to programming mode.
Press a button on all of the transmitters you want the car to recognize. Most cars allow at least four transmitters.
Switch the ignition off.
yet I have never heard of anyone performing it
You don't have any 3-year olds around?
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
Three-year-olds can be dangerous, relentless attackers, so take care with the physical security of your key fobs.
it is possible to render a key fob useless by pressing the button at least 256 times while out of the range of the car.
Not useless, but desynchronized. Any car will allow you to re-synchronize it by this typical procedure:
Turn the ignition key on and off eight times in less than 10 seconds. This tells the security system in the car to switch over to programming mode.
Press a button on all of the transmitters you want the car to recognize. Most cars allow at least four transmitters.
Switch the ignition off.
yet I have never heard of anyone performing it
You don't have any 3-year olds around?
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
Three-year-olds can be dangerous, relentless attackers, so take care with the physical security of your key fobs.
edited 1 hour ago
Oddthinking
6071612
6071612
answered 3 hours ago
ThoriumBRThoriumBR
20.9k55068
20.9k55068
I have never heard of anyone saying "My three year old 'broke' my keyfob." and I guess I expected to hear this more often.
– Oddthinking
2 hours ago
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
– ThoriumBR
2 hours ago
Perfect. With that anecdote, this becomes a great answer.
– Oddthinking
1 hour ago
You don't even need a three-year-old. A pack of chewing gums (Preferably reduced to just two or three remaining pills) in the same pocket will do just fine.
– John Dvorak
58 mins ago
add a comment |
I have never heard of anyone saying "My three year old 'broke' my keyfob." and I guess I expected to hear this more often.
– Oddthinking
2 hours ago
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
– ThoriumBR
2 hours ago
Perfect. With that anecdote, this becomes a great answer.
– Oddthinking
1 hour ago
You don't even need a three-year-old. A pack of chewing gums (Preferably reduced to just two or three remaining pills) in the same pocket will do just fine.
– John Dvorak
58 mins ago
I have never heard of anyone saying "My three year old 'broke' my keyfob." and I guess I expected to hear this more often.
– Oddthinking
2 hours ago
I have never heard of anyone saying "My three year old 'broke' my keyfob." and I guess I expected to hear this more often.
– Oddthinking
2 hours ago
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
– ThoriumBR
2 hours ago
My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.
– ThoriumBR
2 hours ago
Perfect. With that anecdote, this becomes a great answer.
– Oddthinking
1 hour ago
Perfect. With that anecdote, this becomes a great answer.
– Oddthinking
1 hour ago
You don't even need a three-year-old. A pack of chewing gums (Preferably reduced to just two or three remaining pills) in the same pocket will do just fine.
– John Dvorak
58 mins ago
You don't even need a three-year-old. A pack of chewing gums (Preferably reduced to just two or three remaining pills) in the same pocket will do just fine.
– John Dvorak
58 mins ago
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f202026%2fdoes-pressing-a-car-remote-many-times-offer-denial-of-service-attack-for-rolling%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
A) You don't need the key fob to work to drive home. They contain back-up physical keys. B) If you want to prank your friend by disabling their key fob, wouldn't it be easier to just take the battery out and pocket it, rather than to push the button 300 times?
– Xander
3 hours ago
@Xander: It's been a while since I thought about it, but I believe my aftermarket alarm includes an immobiliser that requires the fob to deactivate. The physical car key isn't enough. Ironically, I keep a spare battery and jeweller's screwdriver in my glovebox and don't know the reset sequence in ThoriumBR's answer, so I am not typical.
– Oddthinking
2 hours ago
Let's be clear. Crushing the remote under your heel would also be a denial of service, but this is really more about understanding the weaknesses than actually attacking effectively.
– Oddthinking
2 hours ago