
Flipper Zero DarkWeb Firmware Bypasses Rolling Code Security

Terr_

I sometimes imagine how much of this could be avoided if the communication signals weren't (a) broadcast or (b) imperceptible to humans.

If it were an electrical contact in the door handle, it would be very difficult for anyone to monitor or inject other signals.

If the signals were audible sound, you'd know when someone was jamming it.

In practice, my number one use of a fob from a remote distance is locking, rather than unlocking, and those two operations don't have the equivalent security risk.

palata

> A consequence of this is that the original keyfob gets out of sync, and will no longer function.

I always wonder about this: what is the consequence of that? Can the user reset it, or does it have to be done by a retailer or something?

brk

Depends on the implementation. Most times you just have to click it a few times in a row. The receiver then realizes it missed a few button presses and it re-syncs. I’m not sure what that window is though, at some point it might get so out of sync that the receiver ignores it and assumes it is a wrong fob.

cakealert

Why are so many car manufacturers incapable of using cryptography properly?

tamimio

Car manufacturers are like automation/control manufacturers; they existed before cybersecurity and never caught up to the pace. If you ever audited any SCADA system, you will see nightmares. For cars, on some new models of popular brands (not specifying any), you can access the CANbus from the headlight, where you can reprogram the ECM to your new key. It's that simple to "own" a modern car.

dfex

PREACH!

Currently sitting in a control room at a greenfield manufacturing facility trying to describe why even VLANning the control network would be a good idea to some controls engineers who want a plant-wide subnet for all PLCs that will be remotely supported by 6 different vendors. The struggle is real

bbarnett

I've seen one-manufacturer, 2024 models at least, which require two keys in range before a third key may be programmed.

Good idea, don't know how effective it is in reality.

bayindirh

Needing two keys for a third one is not new. My 25 year old car needs two keys for adding the third, and old Fiats had “red master” keys which were also required when adding keys.

kube-system

The reason these vulnerabilities affect many brands is because they don’t use cryptography. They buy these electronics from other suppliers.

dylan604

Proper security is a total pain in the ass, and makes things nigh impossible to use in the manner people want to use them. This naturally makes things more expensive to recover from oopsies.

This is why YubiKeys will only ever work for people technical enough to understand them. Normies will lose it at the first chance, and then be locked out of everything. At that point, YubiKeys will be banned by Congress from all of the people writing in demanding something be done about their own inabilities to not be an ID10T.

theamk

As far as car security is affected, "normies" really don't care what the algorithm is. The entire UX is "press button to open car, go to dealership if you need new key" and it allows a wide variety of choices re algorithms.

The only reason they use KeeLoq (with a whopping 32 bits of security!) instead of something normal, like I dunno, AES-128 or something, is because they are trying to save $0.50 in parts on the item they sell for $100. Oh, and because they don't like any change and don't have the organizational ability to use anything recent, like the other poster says.

the_mitsuhiko

To some degree customers love it. It allows you to program your own replacement key without having to go through the manufacturer or an official dealer.

j1elo

No doubt they would charge $100 or more for just clicking a button and having the equivalent of an NFC writer.

hungmung

Well they don't call them stealerships for nothing.

pkaye

I wonder who makes more money on this: the car dealer or the manufacturer?

colechristensen

When my favorite quadruped knocked my keys into the trash I had to get my car towed to the dealer for them to program me a new key. On one hand, top notch security, as it was impossible to do any other way. On the other hand, the total to get this done was something like $500 after everything.

IshKebab

What does? The article is very unclear about what exactly this does.

the_mitsuhiko

The attacks to rolling code keys are well known but these keys continue to exist. They allow you to pair a key yourself to the car that you buy online. Particularly in the US it's quite common that people buy used cars and then another key online that they pair themselves.

You won't be able to do this for instance with VAG cars that have KESSY. First of all the immobilizer is paired to the key, secondly the only way to pair a new key to it is via the manufacturer or a licensed dealership because you need a blob from their central server. But the consequence is that people feel like they are being fleeced when they need another key, because it can cost you hundreds of dollars to pair one.

In general these types of attacks are much harder in Europe, where immobilizers have a legal minimum standard that manufacturers have to meet. On the other hand, in the US immobilizers are entirely optional, which has famously led to KIA and Hyundai cars shipping without them and the Kia Boys TikTok phenomenon.

nullc

Cryptography is actually difficult for the requirements of a key fob.

The principal issue is that requiring two way communication greatly increases hardware cost and lowers range/reliability. You also would prefer to minimize or eliminate any volatile storage on the devices.

Also you very much want to absolutely minimize the data sent, both for battery life and range/reliability reasons.

And whatever volatile storage the devices have, you need to have some way of handling it being reset when it's lost due to a dead battery or a replaced device.

So standard replay resistant protocols like "door sends a random challenge, fob signs/decrypts/encrypts it and sends the result" are excluded due to the two-way requirement.

The next obvious set, along the lines of "device sends an encrypted counter, door enforces that the counter only goes up", requires nonvol storage in both devices, and then gets tripped up when the fob's counter goes back down due to being reset. (Also harder to implement multiple fobs, as they each need unique state.)
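The counter-plus-window scheme nullc describes, together with the "click it a few times and it re-syncs" behaviour brk mentions further up, as an added Python model that is not from the article, the Flipper firmware or any vendor's receiver code. A MAC'd counter stands in for KeeLoq's encrypted hopping code, and the window sizes (16 for normal operation, 32K for a two-press resync) are assumptions modelled on typical rolling-code receivers; the model shows why a code that has been overtaken by a newer accepted counter is dead, and why a fob that drifted far ahead needs two consecutive presses before the door trusts it again.

```python
import hmac
import hashlib

# Constructed demo secret; a real fob holds a per-device key set at manufacture.
SHARED_KEY = b"constructed-demo-fob-secret"

def fob_frame(counter: int) -> bytes:
    """Fob side: 4-byte counter + 8-byte MAC (stand-in for KeeLoq's encrypted hopping code)."""
    body = counter.to_bytes(4, "big")
    return body + hmac.new(SHARED_KEY, body, hashlib.sha256).digest()[:8]

class Receiver:
    """Door side: counter only goes up; window sizes are assumptions, not any vendor's values."""
    def __init__(self, open_window: int = 16, resync_window: int = 1 << 15):
        self.last = 0             # highest counter accepted so far (kept in non-volatile storage)
        self.pending = None       # first half of a two-press resync, if one is in progress
        self.open_window = open_window
        self.resync_window = resync_window

    def handle(self, frame: bytes) -> str:
        body, tag = frame[:4], frame[4:]
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad MAC"
        counter = int.from_bytes(body, "big")
        gap = counter - self.last
        if gap <= 0:
            return "reject: replay or stale code"   # an older, already-overtaken code dies here
        if gap <= self.open_window:
            self.last, self.pending = counter, None
            return "accept"                          # a few missed presses are tolerated
        if gap <= self.resync_window:
            # Fob drifted far ahead (pressed many times out of range): demand two consecutive counters.
            if self.pending == counter - 1:
                self.last, self.pending = counter, None
                return "accept: resynced"
            self.pending = counter
            return "ignore: press again to resync"
        return "reject: outside resync window"

def demo() -> list:
    door = Receiver()
    results = [door.handle(fob_frame(c)) for c in (1, 2, 3)]   # normal presses
    results.append(door.handle(fob_frame(2)))                  # code from before the last accepted one
    results.append(door.handle(fob_frame(200)))                # fob pressed ~200 times out of range
    results.append(door.handle(fob_frame(201)))                # second press completes the resync
    results.append(door.handle(fob_frame(1 << 20)))            # hopelessly out of sync: dealer time
    return results
```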

sneak

They're not. There is AFAIK an ssh key infrastructure for OnStar that's modern and well-run, for example.

Things like key fobs are most likely very incremental changes on "this is the way we've always done it". These organizations are behemoths and steer with all of the inertia of a containership.

antirez

I guess this attack is against the KeeLoq protocol. There is no known total breakage of this kind AFAIK, against the cryptography implemented in the chip. This will be interesting to understand, I mean: what they are exactly doing here.

lq9AJ8yrfs

Flipper Zero implementation of a variant [1] of the RollJam [2] attack.

[1] https://arxiv.org/abs/2210.11923
[2] https://news.ycombinator.com/item?id=10018934

IshKebab

Kind of insane that this works... Surely whoever implemented this knew it was insecure? I honestly wouldn't have thought to check for this vulnerability because... who would do that??

dylan604

I don't think the word "secure" was ever part of the discussion on keyless entry for cars. They would have used something like "convenience". Secure would maybe be considered in that the car doors are now locked from the keyless. But as far as "secure" being used in regards to the transmission/receiving of the wireless signal? I doubt if it was ever mentioned by anyone other than PR.

theoreticalmal

If the attack causes the original key to no longer work, imo the major threat vector is someone sitting in a parking lot, capturing key presses, performing the attack, and forcing the user to tow+re-program the key as a nuisance, rather than stealing the vehicle

summermusic

In addition to being able to break in and steal anything that’s kept in the car

waltbosz

Jokes on them, I lost my key fob years ago.

tamimio

Cool, I was planning to get a spare car key, not anymore!

Also, glad I have one before they would ban it. It’s a neat tool; I have everything I want there. Instead of having 4 fobs, one garage remote and plenty of IR remotes, it’s AIO. Plus I don’t have to pay fees to replace my lost fobs.

imzadi

Sadly, it won't work as an extra key, because it causes the original key to stop working.

tamimio

Welp, that’s a bummer! Have you tried it?

Alejandro9R

It says so in the article.

xyst

cool, I needed a new car, thanks

jeffbee

Pretty sure you want an old car to avoid this one. A bicycle would also avoid it.

withinboredom

Unless you're my son who has to buy a new bicycle lock every month because he loses his bike keys.

egypturnash

Get your son a key ring with a chain and make him attach it to his bag or his pants somewhere.

hsbauauvhabzb

What practical use does this have? From my reading if I capture an unlock signal, the car will not unlock for the owner, so they’ll press their remote a few times.

If I capture a lock signal, presumably I can instead prevent it from locking. The only real world malicious action I can see as being viable is to block the car lock, meaning the car is still in an unlocked state, open the boot (which I’m guessing can be done from the car dash anyway), then lock it afterwards?

theChaparral

This attack lets you use all the functions of the key fob, and not just the action captured.