Tested replay and roll jam attacks on a Suzuki Swift Dzire's remote keyless entry system using software-defined radio. Found that the 2020 model uses KeeLoq encryption, which has been broken since 2008.
Background
Car locking mechanisms have evolved significantly. Physical keys gave way to RFID immobilisers, then to Remote Keyless Entry (RKE) systems, and now to Passive Keyless Entry and Start (PKES). Each generation introduced new attack surfaces.
| Lock Type | Entry | Ignition |
|---|---|---|
| Physical Keys | Physical key | Physical key |
| Physical Keys + RFID | Physical key | Physical key + RFID |
| Remote Keyless Entry | RF signal (active) | Physical key + RFID |
| PKES | RF signal (passive) | RF signal (passive) |
RKE systems operate in the Ultra High Frequency range (315 or 433 MHz) and use On-Off Keyed (OOK) modulation with Pulse Width Modulation (PWM) for the baseband signal. The key fob transmits only when a button is pressed, conserving battery.
Setup
I procured a replacement Nippon keyless entry system from a Suzuki dealer: two key fobs, central locking unit, and wire harness. Opening the key fob revealed a Microchip 12F635 microcontroller and an RF IC.
For the attack apparatus:
- Receiver: RTL-SDR RTL2832U with ANT-700 antenna (300 MHz - 1.1 GHz)
- Transmitter: YARD Stick One (TI CC111-F32 chip, supports FSK and OOK)
- Software: gqrx for visualisation, rtl_433 for protocol analysis, Universal Radio Hacker for decoding, rfcat for transmission
Attacks
Frequency Detection
Using gqrx with the RTL-SDR, I tuned to 433.92 MHz (standard RKE frequency) and recorded keypresses. The FFT and waterfall plots confirmed the operating frequency at 433.9 MHz.
Modulation Analysis
Running rtl_433 -f 433900200 -A with pulse analysis detected OOK_PWM encoding. This confirmed the carrier wave uses On-Off Keying and the baseband signal uses Pulse Width Modulation.
Data Rate Calculation
Recording the signal in Audacity and measuring a single bit transition:
\[0.01040\text{s} - 0.00990\text{s} = 0.0005\text{s} = 500 \mu\text{s}\]
This gives a data rate of \(\frac{1}{500 \times 10^{-6}} = 2000\) bits/second.
Replay Attack
A simple replay attack failed. Inspection of decoded data showed the code changes on every keypress, indicating rolling codes with encryption. However, a one-time "replay attack at a distance" remains possible: recording the signal when the target is out of range of the car, then replaying it later.
Roll Jam Attack
The roll jam attack exploits rolling code systems by jamming the receiver while recording the key fob signal. When the user presses the button again, the attacker records the second code, transmits the first (which the user thinks finally worked), and saves the second code for later use.
The attack requires jamming on a nearby frequency (e.g., 431.56 MHz) that falls within the receiver's listening window, while simultaneously recording the legitimate transmission.
Findings
The rtl_433 analysis identified the key fob as a Microchip HCS200, which uses the Classic KeeLoq algorithm for code hopping and encryption. The HCS200 dates from 2002 and uses a Non-Linear Feedback Shift Register (NLFSR) where a 64-bit manufacturer code generates a 64-bit crypt key stored in read-protected EEPROM.
KeeLoq is a block cipher using 32-bit blocks with a 64-bit key. Multiple cryptanalyses have demonstrated it can be broken, including FPGA-based attacks and side-channel attacks on the microcontroller. The Swift Dzire 2020 model ships with a key fob specification from 2002, using encryption that has been publicly broken since 2008.