This looks like something you could knock up over lunch break without too much of a sweat but what it can do blows a hole in the radio security system used by most cars and garage door openers. When RF car fobs were first introduced there wasn’t too much thought put into security of the system. All you needed was to record the code sequence the fob emitted, wait for the owner to walk off and then you could open the door by replaying the same sequence using a transmitter working on the same frequency.

To baffle the thieves, car manufacturers introduced the rolling code system; each time you press your fob a different code is transmitted. The fob and receiver are synchronized and they both know the algorithm generating the number sequence in advance (its pseudo random i.e. predictable). Once the key fob code opens the door it is discarded so that only successive codes in the sequence will be accepted. The receiver needs to accept a range of successive codes because sometimes a key press doesn’t open the door and the next press causes the next code in the sequence to be transmitted.

Samy Kamkar, identified a weakness in the system. His Rolljam device listens for the RF signal from the fob then sends out a narrow band signal at the same frequency to swamp the receiver and disrupt communication. At the same time his device listens to a sideband of the signal to record the sequence. Rolljam now has the first sequence but the door didn’t open. Another fob press sends the next sequence which is also jammed and recorded. Now after a few milliseconds Rolljam transmits the first sequence. The door opens but Rolljam still has the next unused code in the sequence, tricky...

It was shown to work on Chrysler, Fiat, Honda, Toyota, Daewoo, GM, Volvo, Volkswagen Group, Jaguar and many other brands along with some garage-door openers. Samy is one of the good guys and plans to present his creation at the hacker conference DefCon in Las Vegas.