A new and custom firmware for the popular Flipper Zero multi-tool device is reportedly capable of bypassing the rolling code security systems used in most modern vehicles, potentially putting millions of cars at risk of theft.
A significant consequence of this attack is that the original, legitimate keyfob is immediately desynchronized from the vehicle and ceases to function. This could be the first sign for an owner that their vehicle’s security has been compromised.
Technically, the other fob shouldn’t be affected if it works the way I think it does. There’s usually a maximum number of keys synced to the vehicle.
This attack basically forces the key fob the flipper zero is substituting itself for to fall out of sync because the flipper zero doesn’t transmit the rollover response from the vehicle back to the key fob. So the F0 sends the rolling code it intercepted from the key fob to the vehicle. Vehicle is like, yep, that’s matches, and then it does it’s rollover and sends out the rollover response. The response doesn’t get back to the key because of range etc and then the key remains a step behind the vehicle in the rollover sequence from then on out.
Technically I think they key could potentially be resynced to the car. (My understanding is that a key of the correct type could be synced to any car that it can be programmed for so long as the key isn’t physically damaged, and the security module isn’t compromised with malicious code that would prevent it).
How does this work if a family is using two keyfobs? Does each one have its own rolling code?
Yeah I would assume there’s a maximum number of fobs you can register to an individual car and it just keeps the state for all of them individually
Technically, the other fob shouldn’t be affected if it works the way I think it does. There’s usually a maximum number of keys synced to the vehicle.
This attack basically forces the key fob the flipper zero is substituting itself for to fall out of sync because the flipper zero doesn’t transmit the rollover response from the vehicle back to the key fob. So the F0 sends the rolling code it intercepted from the key fob to the vehicle. Vehicle is like, yep, that’s matches, and then it does it’s rollover and sends out the rollover response. The response doesn’t get back to the key because of range etc and then the key remains a step behind the vehicle in the rollover sequence from then on out.
Technically I think they key could potentially be resynced to the car. (My understanding is that a key of the correct type could be synced to any car that it can be programmed for so long as the key isn’t physically damaged, and the security module isn’t compromised with malicious code that would prevent it).
Yeah. This is what I assumed also. Thanks for your input.
I think the first sign would be the stolen car