Does pressing a car remote many times offer denial of service attack for rolling codes?

it is possible to render a key fob useless by pressing the button at least 256 times while out of the range of the car.

Not useless, but desynchronized. Any car will allow you to re-synchronize, and one example of a typical procedure is:

  • Turn the ignition key on and off eight times in less than 10 seconds. This tells the security system in the car to switch over to programming mode.

  • Press a button on all of the transmitters you want the car to recognize. Most cars allow at least four transmitters.

  • Switch the ignition off.

yet I have never heard of anyone performing it

You don't have any 3-year olds around?

My older daughter did that... She got the garage door remote when we were putting things on the car, and after driving 10 minutes without her complaining about anything, I saw her pressing buttons on the remote... Got home to a desynchronized remote.

Three-year-olds can be dangerous, relentless attackers, so take care with the physical security of your key fobs.


A typical rolling code fob from a decade ago which used a 64-bit payload would unlock if it received one code that was within 16 of what it was expecting, or two consecutive codes that were within 32768 of what it was expecting and adjacent to each other. Pushing the button 32768 times would cause a fob to become sufficiently desynchronized as to be useless, but only if the battery lasted that long.

As payload sizes have increased, the need to have a tight window has decreased. The bigger problem with rolling codes is that they have no immunity against passive relay or jam and replay attacks. If someone uses the same key fob button to operate two garages, someone who receives the code sent at one garage and relay it to someone at the other garage and use it any time before the original owner next uses his fob. Someone who puts a jammer near a receiver and has their own receiver nearer a person's key fob could capture a few transmissions while preventing the receiver from hearing them, and then transmit the first code they receive. The person with the key fob may be annoyed at how unreliable it seems to be, but would be unlikely to perceive anything wrong. Unless he uses his fob again when it isn't jammed, however, the crooks would have a second code that they could use at their leisure.


The problem with the attack as you're describing it is that it's glossing over a lot of details about how keyless entry and start systems work, and details about built-in backup systems, some of which have been covered in comments on the question and other answers.

First, let's cover getting into the vehicle: In other words: could the attack described in the question function as denial of service in the sense that it would stop you from entering the vehicle?

  • Manufacturers of automobiles understand that active electronics are prone to faults, and hence they design workarounds. For instance, key fobs provided for remote or hands-free unlocking of doors typically include a backup physical key, which can be used in a backup keyhole in the door to open the vehicle if it is locked. So, an attack designed to disable the rolling code process of authenticating the key would not stop someone in possession of the key fob from getting into the vehicle.
  • Further, some keyless hands-free transponders (ie the variety that unlock the door when you touch the door handle) work on bidirectional communication, so once again a rolling-code-disabling attack wouldn't stop you from entering the vehicle.

Now, let's cover starting it once you're inside: Could the attack stop you from starting and driving the vehicle once you were inside?

  • Vehicles with keyless start (ie a "push to start" button) work with bidirectional transponders, not rolling codes - the starting sequence includes two-way communication between the vehicle and key. So, an attack designed to disrupt rolling code generation would not stop someone in possession of a functional key fob from starting the vehicle once they were inside it.
  • Further, vehicles with keyless start typically include a passive starting mechanism, designed to allow you to drive the vehicle in the event that the active electronics in the fob have been disabled. (for instance, if the battery dies). These systems are typically meant to be "idiot proof" and not involve complicated procedures - typically, you hold the fob itself against the start button, or you hold the fob against a designated spot on the steering column (both of which which nicely mimic the old-fashioned method of using a physical key), or the backup physical key you use to enter the vehicle also works in a hidden keyhole on the steering column. So - once again, even if the active electronics are disabled in the fob, as long as you have the fob, you can still start and drive the vehicle.
  • Cars with fobs always have procedures to re-sync a new (or disabled) fob to the vehicle. These procedures are designed to allow an owner to sync a replacement fob, ie in the event that their original fob(s) have been destroyed or lost. Sometimes, these procedures are complicated, and sometimes they require some sort of backup authentication mechanism - ie you need to have another working fob, or you need one of the built-in backup keys from a working fob, or you need a brand-specific diagnostics tool plugged into the vehicle. This makes things inconvenient for sure, but as a last backup against the above-mentioned points, it would still let you operate the vehicle if all else failed, and you remained in possession of a fob that had somehow been un-synced from the vehicle.

So - in summary - if the premise of the question is,

Can I perform a denial of service attack - ie, prevent someone from using a vehicle - with an attack designed to disable the rolling code feature potentially used by the fob to authenticate with the vehicle?

The answer is pretty much no that won't be an effective denial of service attack.

If, instead, the question was,

Can I make it annoying or difficult to use a car by disabling the rolling code feature in the key fob?

The answer is probably yes although this is somewhat subjective. If you have a friend who isn't very "aware" of how their vehicle works, and doesn't understand the backup features, and is out of their wits because they've been drinking, then yes - this would probably be an effective denial of service attack. But so would removing the battery from the fob, which is probably easier and quicker than button-mashing a few hundred or thousand times. And it's definitely easier and quicker to just take their keys.

As a final footnote, if the question was meant to include aftermarket alarms/security systems installed on vehicles, I think it's safe to say all bets are off since there have been a variety of such systems over the years that work (or don't) in all kinds of different ways - some of which are just as destructive as poorly designed antivirus software, in the sense that they cause loss of use just as much as they prevent a perceived problem.

If the question was meant to include garage door systems, then - yes - it will basically work, at least against older, simpler systems that had a button-mash potential that was reasonable (hundreds, versus tens of thousands). However, it would still likely only be an inconvenience, as most garage door systems also have backups - ie, the homeowner can enter through another door, make their way into the garage, and pull the manual release handle on the door's drive system, which decouples the opener from the door and allows the door to be opened by hand.

Tags:

Wireless

Locks

Vehicle

Related

Hashing email addresses for GDPR compliance Is stand-alone one-time password less secure than OTP + traditional password auth? How do universities and schools securely sync passwords between multiple services? Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks? Should ports be visible to nmap? Why is breach-detection site "Have I Been Pwned" considered safe? Proprietary RF Protocol Security Is the data between a keyboard and a web browser secure from local computer applications? As an end user, what risk is there in browsing a public website that uses TLSv1? How to connect a Raspberry Pi IDS to the home router to detect intrusions network wide? Is it worth storing email addresses as hashes? Let's Encrypt is based in the US and subject to US laws

Recent Posts