
Registered · 7 Posts · Discussion Starter #1 (Edited)
Let me share with you some interesting findings around hopping codes and a big question I could not find an answer to.

My garage door remote key fob almost broke today so I decided I needed a replacement. I soon realized that original replacement fobs are so hell expensive that it's not even funny. They charge 40+ pounds for something that's done in China for $1.5 a piece. I decided that's not going to be the way to go.
And so my research started.
There are some "universal learning" remotes on ebay, but they state they can't learn "rolling codes". So I had to figure out what I have. Little did I know at that time why that would be good or bad to have.
After some hours of research it became clear that my device (Marantec) utilizes a "fixed code" remote protocol. At first I was happy, I thought I could order a cheap replacement from ebay.

However, during the research I also realized that having a fixed-code remote is not exactly secure to have these days, because those are susceptible to replay attacks - someone "records" your remote's signal, and then replays it when you're away -> your garage door is open. Fixed code remotes are long history in the automotive sector because of easy theft. The new favourite are the "rolling" or "hopping" code systems that should be resistant to replay attacks. The majority of the manufacturers use a solution called KeeLoq.

Anyway, apparently having a rolling-code remote is much better than a fixed code, or so I thought. At least they can't be copied by simple learning key fobs. So I started to think about an upgrade.

BTW: as it turned out, all Marantec devices are fixed code. And guess what? They're HOMELINK compatible.
You surely know, but just for the sake of completeness, HOMELINK is a system that can copy fixed and/or rolling code key fobs and make them available in your car. I became intrigued. How does it copy a rolling code system? I thought it's not possible. I started to delve into the details of KeeLoq:
KeeLoq datasheet

and the attacks:
Defense against KeeLoq attacks

To sum up, it's now possible to retrieve the "master key" from the receiver and once you have it, it's very easy to fake any device from that given manufacturer. This master key is the root of all keys. You must know this key to "learn" or fake a new transmitter.

So I put the facts together:
1. If you want to learn rolling-codes, you must know the master key for that given manufacturer.
2. Homelink can learn all kinds of rolling-codes from all kinds of manufacturers (listed on their website).

=> Does this mean that HOMELINK transceivers contain all the master keys of all the "compatible manufacturer brands"??? Does this also mean that if we crack a Homelink device from an older car, or a Homelink visor, we will have all the master codes? And if we have them, we can open all the garage doors in Europe with just 2 packets captured? If this assumption is really true then we just gave the thieves our keys willingly.

This seems indeed dire. Imagine, if there was a device that contained all the master keys for automobile manufacturers for KeeLoq... :confused:

So... If there's someone knowledgeable in Homelink, please shed some light on how it is able to learn the rolling codes. How is it able to construct the encryption keys without knowing the master keys? And why is it that only HomeLink transceivers can learn rolling codes and other "universal remotes" cannot?
By the way, do you know any alternative algorithms to KeeLoq that would be more secure? Are there encoder keyfobs/decoder modules publicly available? If yes, please post some info/links.
Thanks!
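As an added illustration (not part of this thread), here is a toy model of the key hierarchy and counter scheme described above: the receiver derives each remote's key from the manufacturer master key plus the remote's serial, so learning a new remote is only possible with the master key, and a replayed packet is rejected because its counter has already been used. HMAC-SHA256 is used as a stand-in for the KeeLoq block cipher, and the master keys and serial are constructed values.

```python
import hashlib, hmac, struct

# Constructed placeholder values, not real manufacturer keys or serials.
MASTER_KEY_A = b"brand-A-master-key"
MASTER_KEY_B = b"brand-B-master-key"
SERIAL = 0x00ABCDEF

def derive_device_key(master_key: bytes, serial: int) -> bytes:
    # KeeLoq-style hierarchy: device key = f(master key, serial); HMAC stands in for the cipher.
    return hmac.new(master_key, struct.pack(">I", serial), hashlib.sha256).digest()

def encode_hop(device_key: bytes, counter: int) -> bytes:
    # Stand-in for the encrypted "hopping" part, which binds the device key to the sync counter.
    return hmac.new(device_key, struct.pack(">H", counter), hashlib.sha256).digest()[:4]

class Transmitter:
    def __init__(self, master_key: bytes, serial: int):
        self.serial, self.key, self.counter = serial, derive_device_key(master_key, serial), 0
    def press(self) -> tuple:
        self.counter += 1  # a counter value is never reused, so a recording goes stale
        return self.serial, encode_hop(self.key, self.counter)

class RollingCodeReceiver:
    WINDOW = 16  # how far ahead of the last accepted counter a packet may be
    def __init__(self, master_key: bytes):
        self.master_key = master_key  # learning a new remote needs the master key
        self.learned = {}             # serial -> [device key, last accepted counter]
    def learn(self, serial: int) -> None:
        self.learned[serial] = [derive_device_key(self.master_key, serial), 0]
    def accept(self, serial: int, hop: bytes) -> bool:
        if serial not in self.learned:
            return False
        key, last = self.learned[serial]
        for c in range(last + 1, last + 1 + self.WINDOW):
            if hmac.compare_digest(encode_hop(key, c), hop):
                self.learned[serial][1] = c  # counters <= c, including replays, now rejected
                return True
        return False

def demo() -> dict:
    tx, rx = Transmitter(MASTER_KEY_A, SERIAL), RollingCodeReceiver(MASTER_KEY_A)
    rx.learn(SERIAL)
    foreign_rx = RollingCodeReceiver(MASTER_KEY_B)  # another brand's receiver
    foreign_rx.learn(SERIAL)                         # derives a different key for the same serial
    p1 = tx.press()
    return {"first": rx.accept(*p1),                 # genuine press accepted
            "replay": rx.accept(*p1),                # same packet again rejected
            "next": rx.accept(*tx.press()),          # counter moved on, accepted
            "wrong_master_key": foreign_rx.accept(*tx.press())}  # rejected
```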
 

Kremmen · Administrator · 21,250 Posts
I'm always suspicious of first posts like this with embedded links, almost an advertising feature.

The only way my garage remotes get programmed is when I press a button on the unit to accept the new 'fob', so it cannot be done without access to the garage.
 

atomic · 941 Posts
Any car thief that will break into your house to get the car keys won't think twice about putting a crowbar/wrecking-bar to work on the garage.
 

Registered · 7 Posts · Discussion Starter #5 (Edited)
Me think posting any information about stuff like this online could give "bad guys" all they need as soon as they start a search on google.
It was exactly google where I got this information from, so it's publicly available. What's (probably) genuine are my conclusions on how to possibly misuse a Homelink device, but I bet there are a lot of smarter guys out there than me, and they thought of it already (and keep their mouths shut so as not to spoil their advantage of knowledge).
My point is that this may again be the infamous case of "security by obscurity" - you believe it's safe, but it's safe only because you (and the general public) don't know how it works. There'll always be people "in the know" and they can certainly misuse such information.
Again, all this IF my hypothesis ('Homelink contains master keys') is correct.

Kremmen said:
I'm always suspicious of first posts like this
Sorry, was not my intention, but somehow I wanted to provide citations to support my statements.

Kremmen said:
The only way my garage remotes get programmed is when I press a button on the unit to accept the new 'fob' so cannot be done without access to the garage.
This is not correct according to the published attack methods. Homelink plays nice by not duplicating the serial number of your device, but an attacker using those master keys certainly can (together with the counter), and at that moment your garage door would not know the difference.

atomic said:
Any car thief that will break into your house to get the car keys won't think twice about putting a crowbar/wrecking-bar to work on the garage.
I am actually not speaking about car thieves only. The point is, IF they have your manufacturer's master key, they don't need a crowbar at all. Using the published attack methods they can open your garage door with only 2 packets sniffed from YOU closing your garage with your remote, then get inside without any signs of intrusion and get the booty from your home (assuming your garage leads into your house). You'll have quite a difficult time explaining to the insurance company how that happened.
So back to the original point: if Homelink contains that information, as I assume it does, it is a serious security threat to anyone who uses an RF remote to close their garage, or to arm/disarm their house alarm system.
 

Registered · 7 Posts · Discussion Starter #6
So it's now real. The key on this page is for an Audi A6. With a custom antenna I bet they could copy from a couple of meters away.
Rolling code HCS200 RF Remote control duplicator

PS: While some believe such information must be kept secret, I (and a lot of other crypto pros) think publishing flaws is the best way to force manufacturers to step up the level of security they implement and (sometimes falsely) claim.
 