lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 9 Oct 2017 16:27:57 -0400
From: Tom Wimmenhove <>
To: "" <>
Subject: [FD] Bad rolling code in keyfob for many Subaru cars

me <>

[Description of the vulnerability]
The rolling code used by the keyfob and car is predictable in the sense
that it is not random. It is simply incremental.

An attacker can 'clone' the keyfob and, unlock cars and, when increasing
the rolling code with a sufficiently high value, effectively render the
user's keyfob unusable.

[Affected vehicles]
The exploit has only been tested on a 2009 Subaru Forester, but the same
fob is used, and the exploit should work on, the following vehicles:
 - 2006 Subaru Baja
 - 2005 - 2010 Subaru Forester
 - 2004 - 2011 Subaru Impreza
 - 2005 - 2010 Subaru Legacy
 - 2005 - 2010 Subaru Outback

Don't use the most predictable sequential type of rolling code. Don't send
the command twice so that, in case of Samy Kamkar's rolljam attack, not
even the XOR checksum has to be recalculated when changing a lock to an
unlock command, since the 2 commands cancel each other out, leaving the
checksum in tact.

[Required hardware]
 - Raspberry Pi B+ with WiFi dongle or Raspberry Pi Zero W with built-in
 - RTL-SDR RTL2832U DBV-T tuner ($10 on ebay)
 - A piece of wire
 - A 433MHz antenna

pmsac at toxyn dot org for figuring out the checksum algorithm

A detailed explanation of the inner workings of the exploit, how to set
things up and code for the exploit can be found on GitHub:

- Tom

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ