Attacking Keyless Entry Systems

Keyless entry is convenient and a rich attack surface. From garage remotes to passive car entry, these systems trade physical keys for radio, and radio can be captured, replayed, and relayed. Here is how the main attacks work, what defends against each, and what it means for anyone building access control on RF.
The Convenience-Security Tradeoff
Keyless entry exists because nobody likes fumbling for a key. That convenience is built on radio, and radio is reachable by anyone nearby with the right equipment, which is far cheaper and more available than it used to be. The result is a category of products where the user experience is excellent and the attack surface is wide open unless carefully designed.
The attacks divide into a few clear families: fixed-code replay, rolling-code weaknesses, and relay attacks against passive entry. Each family maps to a specific defense, so knowing which one applies to a given system tells you both how it will be attacked and what it needs to resist. The same principles cover car fobs, garage remotes, and RF building access.
Fixed-Code Replay, the Easy Case
The simplest keyless systems send the same code every time, which makes them trivial to defeat by replay. Capture one press with a software-defined radio, transmit it back later, and the receiver opens. Cheap remotes for gates and garages still do this, and the attack needs no understanding of the code’s meaning.
# capture a fixed-code remote, then replay it
rtl_433 -f 433.92M -A                                         # identify/decode common remotes (receive-only RTL-SDR dongle)
hackrf_transfer -r capture.iq -f 433920000 -s 2000000         # record the press as raw IQ samples
hackrf_transfer -t capture.iq -f 433920000 -s 2000000 -x 40   # replay it later (-x sets TX VGA gain; the default of 0 dB is often too weak to open anything)
If the replay opens the device, the system has no real protection, because the code is a static credential anyone in range can copy. Testing for this is a thirty-second check, and a system that fails it should be considered unlocked for anyone with a sub-hundred-dollar radio. Fixed codes belong only on things that do not matter.
Rolling Codes and Their Limits
Better systems use rolling codes: each press sends a different code derived from a shared secret and a counter, so a captured code is valid only once and a replayed old code is rejected. KeeLoq and similar hopping-code schemes have been widely used in cars and quality garage openers, and they defeat the basic replay attack.
Rolling codes are not automatically safe, though. A shared manufacturer key across a product line means extracting it from one unit can break the family. A too-generous resync window (the range of future counter values the receiver will accept, so that presses made out of range do not desynchronize the fob) can be abused. And the underlying cipher must be sound: KeeLoq itself has published cryptanalysis and power-analysis key recovery against it, so "rolling code" on a datasheet is not by itself a guarantee. Rolling codes raise the bar substantially, but their security lives in the key management and the implementation details, not in the concept alone.
The Jam-and-Replay Attack
A clever attack, usually called RollJam, defeats naive rolling codes by jamming. The attacker jams the receiver's band while recording the user's press through a narrower filter, so the code is captured but never accepted. The user, seeing nothing happen, presses again; the attacker captures that second code too, then replays the first one so the door opens and the user is satisfied, keeping the second, still-unused code for later.
This works because the kept code was never consumed by the receiver and its counter is ahead of the last value the receiver accepted, so it stays valid until a newer press moves the counter past it. (Keeping the first code and letting the second through would not work against a receiver that requires counters to move forward: once the second is accepted, the first is stale.) Defenses include detecting jamming, tight timing windows that expire unused codes, and bidirectional challenge-response. The attack shows that moving from fixed to rolling codes closes the obvious hole but opens a subtler one that still needs designing against.
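The following is an added example, not code from the original post or from any remote or vehicle vendor. It models the rolling-code receiver described in the two sections above so you can see plain replay fail, the resync window accept or reject a counter, and the jam-and-replay sequence succeed. The real hopping-code cipher (KeeLoq or otherwise) is not implemented; an HMAC-SHA256 tag over the counter stands in for it, and the key, starting counter and window size are constructed assumptions.

```python
"""Rolling-code receiver model: plain replay, the resync window, and jam-and-replay.

Added example for this page, not code from the original post or from any
vendor. The real hopping-code cipher (e.g. KeeLoq) is NOT implemented; an
HMAC-SHA256 tag over the counter stands in for it. The key, starting
counter and window size are constructed assumptions.
"""
import hashlib
import hmac
from typing import Tuple

Code = Tuple[int, bytes]  # (counter, 4-byte tag) as sent over the air

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed per-device key
WINDOW = 16  # receiver accepts counters in (last, last + WINDOW]; assumed resync window


def make_code(key: bytes, counter: int) -> Code:
    """One transmission: the counter and a tag over it (stand-in for the encrypted hop)."""
    tag = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]
    return counter, tag


class Fob:
    def __init__(self, key: bytes, counter: int = 100) -> None:
        self.key, self.counter = key, counter

    def press(self) -> Code:
        self.counter += 1
        return make_code(self.key, self.counter)


class RollingCodeReceiver:
    def __init__(self, key: bytes, last_counter: int = 100, window: int = WINDOW) -> None:
        self.key, self.last, self.window = key, last_counter, window

    def accept(self, code: Code) -> bool:
        counter, tag = code
        _, expected = make_code(self.key, counter)
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or wrong-key code
        if not (self.last < counter <= self.last + self.window):
            return False                      # already consumed, or too far ahead to resync
        self.last = counter                   # consume: every older counter is now dead
        return True


def demo_replay() -> Tuple[bool, bool]:
    """A code the receiver has already seen is rejected on replay."""
    fob, rx = Fob(KEY), RollingCodeReceiver(KEY)
    captured = fob.press()
    return rx.accept(captured), rx.accept(captured)


def demo_window() -> Tuple[bool, bool]:
    """Counters inside the resync window are taken; one past the edge is not."""
    fob, rx = Fob(KEY), RollingCodeReceiver(KEY)
    for _ in range(WINDOW):                  # presses out of receiver range: counter is now 100 + WINDOW
        code = fob.press()
    inside = rx.accept(code)                 # last + WINDOW: accepted, receiver resyncs
    rx2 = RollingCodeReceiver(KEY)
    outside = rx2.accept(fob.press())        # 100 + WINDOW + 1 against a receiver still at 100
    return inside, outside


def demo_rolljam() -> Tuple[bool, bool]:
    """Jam two presses, replay the first so the user gets in, keep the second for later."""
    fob, rx = Fob(KEY), RollingCodeReceiver(KEY)
    first = fob.press()                      # jammed: receiver never sees it
    second = fob.press()                     # jammed again: receiver never sees it either
    user_door_opens = rx.accept(first)       # attacker replays #1; user is satisfied
    attacker_opens = rx.accept(second)       # later: #2 is still ahead of the receiver's counter
    return user_door_opens, attacker_opens


def demo_rolljam_wrong_order() -> Tuple[bool, bool]:
    """Letting the second press through and keeping the first fails: the kept counter is stale."""
    fob, rx = Fob(KEY), RollingCodeReceiver(KEY)
    first, second = fob.press(), fob.press()
    return rx.accept(second), rx.accept(first)


if __name__ == "__main__":
    print("replay:", demo_replay())                            # (True, False)
    print("window:", demo_window())                            # (True, False)
    print("rolljam:", demo_rolljam())                          # (True, True)
    print("rolljam wrong order:", demo_rolljam_wrong_order())  # (True, False)
```

The receiver's only state is the last accepted counter, which is why the jam-and-replay ordering matters: the attacker has to be the one holding the highest unconsumed counter. A receiver that also timestamps codes, or that runs a challenge-response rather than one-way hops, has no "unconsumed but still valid" code to steal.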
Relay Attacks on Passive Entry
Passive keyless entry, where the car unlocks as the fob approaches and no button is pressed, is vulnerable to relay attacks. The car emits a short-range, low-power wake-up and challenge on a low-frequency carrier that the fob answers only when it is close enough to hear it. Attackers use two linked relay devices to extend that conversation, one near the car and one near the fob inside the house, so the car concludes the fob is present.
# relay attack concept: two linked radios bridge the car<->fob conversation
[car] <--LF--> [relay near car] === radio link === [relay near fob] <--LF--> [fob in house]
# the car believes the fob is in range; it unlocks and can be started
The relay does not break any crypto; it simply carries the legitimate signals over a longer distance than the system assumes. This has been used in real car thefts, and it is effective precisely because the security model assumed a proximity that the relay defeats. The fob's distance, not its secret, was the control, and distance as inferred from "could the fob hear me" is forgeable.
Defending Passive Entry
The defense against relay is to measure something the relay cannot fake, usually time. Ultra-wideband ranging measures the actual distance to the fob by timing the challenge-response round trip precisely; radio travels about 30 cm per nanosecond, so a relayed exchange, which adds both extra path and the relay hardware's own processing delay, fails the distance check even though the crypto is valid. Narrowband LF and UHF links cannot resolve timing anywhere near that finely, which is why newer vehicles adopt UWB for exactly this purpose.
Simpler mitigations help too: motion sensors that put the fob to sleep when it is still, so a fob left by the door does not answer a relay, and user options to require a button press. But time-of-flight distance bounding is the real fix, because it attacks the relay's only trick, the extra distance, directly rather than trying to out-crypto an attack that never touched the crypto.
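The exchange described in these two sections, as an added example that is not part of the original post or any vehicle maker's code: the car issues a fresh challenge, the fob answers with a MAC over it, and the car converts the measured round-trip time into a distance. A relay forwards the cryptographically correct answer but cannot remove the extra path and per-hop processing time it introduces. The fob turnaround time, relay latency, relay box placement and the 2 m unlock policy are assumptions chosen for illustration.

```python
"""Relay versus time-of-flight distance bounding.

Added example for this page, not code from the original post or from any
vehicle maker. The car times a challenge-response round trip and converts it
to a distance. A relay forwards the cryptographically valid answer but cannot
remove the extra path and processing time it adds. Fob turnaround, relay
latency, the relay's own path length and the 2 m policy are assumptions.
"""
import hashlib
import hmac
import os
from typing import Tuple

C_M_PER_S = 299_792_458.0      # speed of light: ~30 cm per nanosecond
FOB_TURNAROUND_S = 200e-9      # assumed fixed fob processing delay, known to the car
MAX_DISTANCE_M = 2.0           # assumed unlock policy: fob must be within 2 m
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed shared secret


def fob_respond(key: bytes, challenge: bytes) -> bytes:
    """The fob's answer: an 8-byte MAC over the car's fresh challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


def car_verify(key: bytes, challenge: bytes, response: bytes, rtt_s: float) -> Tuple[bool, float, bool]:
    """Car-side check, returning (crypto_ok, estimated_distance_m, unlock)."""
    crypto_ok = hmac.compare_digest(response, fob_respond(key, challenge))
    # subtract the fob's known turnaround; what is left is two-way flight time
    est_m = max(0.0, (rtt_s - FOB_TURNAROUND_S) * C_M_PER_S / 2)
    return crypto_ok, est_m, crypto_ok and est_m <= MAX_DISTANCE_M


def exchange(true_distance_m: float, relay_path_m: float = 0.0,
             relay_latency_s: float = 0.0) -> Tuple[bool, float, bool]:
    """Run one challenge-response; an optional relay adds path length and per-hop processing time."""
    challenge = os.urandom(8)
    response = fob_respond(KEY, challenge)              # a relay, if present, forwards this unchanged
    one_way_s = (true_distance_m + relay_path_m) / C_M_PER_S + relay_latency_s
    rtt_s = 2 * one_way_s + FOB_TURNAROUND_S
    return car_verify(KEY, challenge, response, rtt_s)


def legitimate() -> Tuple[bool, float, bool]:
    """Fob in hand at the door handle, about 1 m away."""
    return exchange(true_distance_m=1.0)


def relayed() -> Tuple[bool, float, bool]:
    """Fob 30 m away inside the house; relay boxes add ~2 m of extra path and 1 us of processing per hop."""
    return exchange(true_distance_m=30.0, relay_path_m=2.0, relay_latency_s=1e-6)


if __name__ == "__main__":
    for name, result in (("legitimate", legitimate()), ("relayed", relayed())):
        ok, est, unlock = result
        print(f"{name}: crypto_ok={ok} estimated={est:.1f} m unlock={unlock}")
```

Even a zero-latency relay cannot pass: the fob really is 30 m from the car, and the flight time says so. The crypto check returns True in both cases, which is the whole point of the section above: the relay never needed to break it.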
Attacking the Fob Itself
Beyond the radio protocol, the fob is an embedded device with firmware and a secret key, and it can be attacked physically. Extracting the key from a fob, by reading its chip or via side-channel analysis, can let an attacker clone it. A shared or poorly protected key in the fob undermines the whole scheme.
This is where keyless entry meets embedded security generally: the fob needs its key in hardware that does not give it up easily, ideally a secure element, and the system benefits from per-device keys so cloning one fob does not threaten others. The radio attacks get the attention, but the fob’s own key storage is part of the attack surface.
Testing a Keyless System
Assessing one runs through the families in order. Capture and replay to test for fixed codes. Capture several presses to see if codes roll, and confirm that an older capture is rejected once a newer one has been accepted. Attempt jam-and-replay against the rolling code. For passive entry, test whether a relay extends the range and whether any distance check catches it. And examine the fob's key storage. Each test maps to a known defense, so the results point straight at the gaps.
The tooling is accessible, an SDR, a couple of relay devices, standard RF analysis software, which is exactly why these systems are attacked in the real world. A test that walks the families gives a product team a clear picture of which attacks their system resists and which it does not, before the answer arrives as stolen vehicles or breached doors.
What It Means for Builders
Anyone building RF access control should pick the protection level deliberately against the consequence of unauthorized entry. Fixed codes are acceptable only for trivial uses. Rolling codes with sound key management cover much consumer gear. Passive entry needs distance bounding. And the fob’s key needs hardware protection and per-device uniqueness.
The recurring lesson is that the radio is not a trust boundary you can lean on, because anyone in range, or able to relay range, is on the other side of it. Authentication has to be real, the keys have to be protected, and proximity has to be measured, not assumed. Designing with that in mind is what separates a convenient system from a convenient and secure one.
Where This Fits
Testing keyless entry and RF access control across the full range of replay, rolling-code, and relay attacks is part of the wireless work in a product security assessment. If you build keyless access and want it tested the way a thief with an SDR would, that is the kind of work we do at Berkner Tech.