Security Analysis of Rolling Code-based Remote Keyless Entry Systems




Ghanem, Ahmed




Providing privacy and security is a critical issue in smart homes. Many residents are concerned about unauthorized access to their homes. This work focuses on the security analysis of remote keyless entry systems (RKES) for automatic garage door openers. Many RKES are unidirectional, but some are bidirectional, allowing for challenge-response authentication. Unidirectional RKES nowadays usually feature a rolling code. A rolling code is calculated on both the receiver (e.g., garage door) and the transmitter (e.g., key fob), and if a received signal matches, the gate opens or closes. This way, the transmission is different every time, eliminating a simple replay attack. A widely used encryption algorithm for rolling codes is the KeeLoq block cipher, which is used to encrypt the value of the rolling code to prevent the generation of future valid codes. To obtain a picture of the level of security that current rolling code-based automatic garage door opener systems provide, a selection of three of them is analyzed. The research uncovers security vulnerabilities in two of them that enable an adversary to open the garage door after wirelessly sniffing only one open/close signal produced by the remote control device owner. In our analysis, we use the Software-Defined Radio (SDR) HackRF to emulate a key, and to eavesdrop on and record rolling code signals. We also use the open-source tool Universal Radio Hacker (URH), which is designed for RF protocol analysis. Using these tools, we reverse engineer the structure of the signal used in the protocol, identify the encrypted code bits, and successfully pinpoint some bits that exhibit low randomness. By iterating over such bits, we successfully generate new signals that open the garage door. We also analyze the KeeLoq block cipher with respect to related-key attacks and present a chosen-ciphertext attack for keys related by rotation. Our attack recovers the used 64-bit key with a negligible time complexity and a data complexity of 66 chosen ciphertexts decrypted under 34 related keys.
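The low-randomness observation above suggests a check a vendor or tester can run on captures from their own transmitter: every bit of the encrypted field should look like cipher output. The following is an added example, not code from the thesis; the frame layout, field offsets, threshold and function names are assumptions, and the frames are constructed.

```python
import math

def bit_entropy(p):
    """Shannon entropy (in bits) of one bit that is 1 with probability p."""
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def per_position_entropy(frames):
    """Entropy estimate for each bit position across demodulated frames."""
    if not frames:
        raise ValueError("no frames captured")
    width = len(frames[0])
    if any(len(f) != width or set(f) - {"0", "1"} for f in frames):
        raise ValueError("frames must be equal-length strings of 0/1")
    n = len(frames)
    return [bit_entropy(sum(f[i] == "1" for f in frames) / n)
            for i in range(width)]

def audit_encrypted_field(frames, field, min_entropy=0.9):
    """Flag positions in field=(start, end) that fall below min_entropy.

    The summed per-bit entropy is an upper bound on how unpredictable the
    field is; a healthy field stays close to its nominal length.
    """
    start, end = field
    ent = per_position_entropy(frames)
    return {
        "weak_positions": [i for i in range(start, end) if ent[i] < min_entropy],
        "entropy_bound": sum(ent[start:end]),
        "nominal_bits": end - start,
    }

# Constructed sample (not real captures): 4-bit fixed preamble followed by an
# 8-bit field that is supposed to be encrypted. Assumed layout for illustration.
CONSTRUCTED_FRAMES = [
    "101001111100", "101001011010", "101001010111", "101001010001",
    "101001001111", "101001001001", "101001000100", "101001000010",
]

if __name__ == "__main__":
    report = audit_encrypted_field(CONSTRUCTED_FRAMES, field=(4, 12))
    print(report)
```

Eight frames keep the sample readable; a real audit needs far more captures before a per-bit estimate means anything.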



Garage door openers, Rolling code, Keeloq