Some Key Fobs Lock the Car with Predictable Codes
The remote keyless entry system for some Subaru cars generates predictable rolling codes that lock or unlock the vehicle. An electronics engineer has reported the vulnerability and demonstrated it using a device he created that imitates the original key fob’s functionality, capable of predicting and passing valid authorization codes to the car.
The lock mechanism in modern cars activates electronically when it receives a legitimate input from an authorized transmitter, such as the paired key fob. The input is typically a randomly generated code that is used once. Tom Wimmenhove has found that, in the case of 2009 Subaru Forester cars, the codes are generated in sequence, in increments of one, making them predictable.
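The following added example (not from Wimmenhove's fobrob code or from Subaru) models why a receiver that accepts a plain incrementing value can be satisfied by anyone who has seen one code, and how binding the counter to a shared secret closes that gap. The packet layout, the look-ahead window, the key and the HMAC construction are all assumptions chosen for illustration, not the actual key fob protocol.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: how far past the last counter a receiver accepts

class SequentialReceiver:
    """Weak model from the article: the code on the air is the counter itself."""
    def __init__(self, last_code: int):
        self.last = last_code

    def accept(self, code: int) -> bool:
        ok = 0 < code - self.last <= WINDOW
        self.last = code if ok else self.last
        return ok

def keyed_packet(key: bytes, counter: int) -> bytes:
    """Hardened model (assumed): counter plus a truncated HMAC-SHA256 tag over it."""
    msg = counter.to_bytes(4, "big")
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:8]

class KeyedReceiver:
    def __init__(self, key: bytes, last_counter: int):
        self.key, self.last = key, last_counter

    def accept(self, packet: bytes) -> bool:
        counter = int.from_bytes(packet[:4], "big")
        if not hmac.compare_digest(packet, keyed_packet(self.key, counter)):
            return False  # tag does not match: sender does not hold the key
        if not 0 < counter - self.last <= WINDOW:
            return False  # stale or replayed counter
        self.last = counter
        return True

def demo() -> dict:
    key, seen = b"constructed-demo-key", 1000  # constructed sample values
    weak = SequentialReceiver(last_code=seen)
    strong = KeyedReceiver(key, last_counter=seen - 1)
    captured = keyed_packet(key, seen)  # genuine press, observed by a third party
    forged = (seen + 1).to_bytes(4, "big") + captured[4:]  # next counter, old tag
    return {
        "weak_accepts_predicted": weak.accept(seen + 1),
        "strong_accepts_genuine": strong.accept(captured),
        "strong_accepts_replay": strong.accept(captured),
        "strong_accepts_forged": strong.accept(forged),
        "strong_accepts_next_genuine": strong.accept(keyed_packet(key, seen + 1)),
    }

if __name__ == "__main__":
    print(demo())
```

In the keyed model the observer still learns the counter, but the value the receiver checks depends on a secret that never appears on the air.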
Wimmenhove has assembled multiple hardware components available off the shelf into a gadget he calls the Subaru Fob Rob. He has also created “fobrob,” an application that captures the packets traveling from the key fob to the car and generates a new valid code to send commands that would be accepted by the receiver. Full details about how the device works are available on GitHub, where Wimmenhove reveals that his gadget can issue four commands: “lock,” “unlock,” “trunk” and “panic.”
Building Subaru Fob Rob is not difficult and requires only a small budget, depending on the cost of components. The hardware pieces include a Raspberry Pi computer, a Wi-Fi dongle (if not included in the Raspberry Pi), a DVB-T tuner, an antenna, a piece of wire and an external battery for portability. The total cost could be under $25 plus the power bank, if a Wi-Fi-enabled Raspberry Pi is available.
Wimmenhove says that other older Subaru models may be affected by this vulnerability because they use the same key fob. His list includes the 2006 Subaru Baja, Forester models between 2005 and 2010, Impreza models manufactured between 2004 and 2011, and Legacy and Outback models that came out between 2005 and 2010. However, all testing was done on a 2009 Subaru Forester.
After releasing his findings, including a video that demonstrates the flaw, the engineer was contacted by multiple individuals saying that the bug was not present on Subarus in the UK, Australia, Belgium, the Netherlands and Luxembourg and that it may affect only models for the United States. The researcher has not confirmed the information, though.