
Flipper Zero ‘DarkWeb’ Firmware Bypasses Rolling Code Security on Major Vehicle Brands


A new custom firmware for the popular Flipper Zero multi-tool device is reportedly capable of bypassing the rolling code security systems used in most modern vehicles, potentially putting millions of cars at risk of theft.

Demonstrations by the YouTube channel “Talking Sasquach” reveal that the firmware, said to be circulating on the dark web, can clone a vehicle’s keyfob with just a single, brief signal capture.

Rolling code security, the industry standard for vehicle keyless entry for decades, was designed to prevent so-called “replay attacks.” The system relies on a synchronized algorithm shared between the keyfob (transmitter) and the vehicle (receiver).

Each time a button is pressed, a new, unique, and unpredictable code is generated. An old code, once used, is rejected by the vehicle, rendering simple signal recording and re-broadcasting useless.

Previously known attacks on this system, such as “RollJam,” were technically complex and difficult to execute in the real world. RollJam required jamming the vehicle’s receiver to prevent it from getting the first signal from the legitimate keyfob, while simultaneously recording that unused code for later use.

This new exploit, however, is far more dangerous due to its simplicity. According to the demonstrations, an attacker using a Flipper Zero equipped with this custom firmware needs only to be within range to capture a single button press from the target’s keyfob, for instance, as the owner locks or unlocks their car. No jamming is required.

From that one captured signal, the device can apparently reverse-engineer the cryptographic sequence, allowing it to emulate all keyfob functions, including lock, unlock, and trunk release, effectively creating a master key.

A significant consequence of this attack is that the original, legitimate keyfob is immediately desynchronized from the vehicle and ceases to function. This could be the first sign for an owner that their vehicle’s security has been compromised.
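To make the synchronisation logic above concrete, here is an added simulation of a rolling-code transmitter and receiver (example code, not from the article or any vehicle firmware). It assumes a constructed shared key and derives each code as an HMAC over a monotonically increasing counter, which is a simplification of the proprietary ciphers real systems use; it shows why a replayed code is rejected, how the receiver's resync window absorbs presses the car never heard, and why the owner's original fob stops working once any other transmitter with the same secret has advanced the vehicle's counter.

```python
import hashlib
import hmac

# Constructed values: real systems use proprietary ciphers such as KeeLoq;
# deriving the code as an HMAC over a counter is an assumption for illustration.
KEY = b"constructed-shared-secret"   # provisioned into both fob and vehicle
WINDOW = 16                          # counters the receiver will resync across


def code_for(counter: int) -> bytes:
    """The 32-bit code a fob sends for a given counter value."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    def __init__(self, counter: int = 0):
        self.counter = counter

    def press(self) -> bytes:
        self.counter += 1
        return code_for(self.counter)


class Receiver:
    def __init__(self):
        self.last_counter = 0

    def accept(self, code: bytes) -> bool:
        # Only a counter strictly ahead of the last accepted one, and within the
        # window, is valid; anything equal or behind is treated as a replay.
        for c in range(self.last_counter + 1, self.last_counter + 1 + WINDOW):
            if hmac.compare_digest(code_for(c), code):
                self.last_counter = c
                return True
        return False


def demo() -> dict:
    fob, car = Fob(), Receiver()
    first = fob.press()
    out = {"fresh_press": car.accept(first), "replayed_press": car.accept(first)}
    # Presses made out of the car's range still advance the fob; the window absorbs them.
    fob.press(); fob.press()
    out["after_missed_presses"] = car.accept(fob.press())
    out["far_outside_window"] = car.accept(code_for(fob.counter + WINDOW + 1))
    # Any other transmitter holding the same secret and counter state, used a few
    # times, moves the vehicle past the original fob: the desync symptom described above.
    other = Fob(fob.counter)
    for _ in range(3):
        car.accept(other.press())
    out["original_fob_after_other_used"] = car.accept(fob.press())
    return out
```

Running `demo()` returns True for the fresh press and the press after missed ones, and False for the replay, the code far outside the window, and the original fob once another transmitter has been used.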

There appear to be two leading theories on how the firmware achieves this. Talking Sasquach suggests the method involves reverse engineering the rolling code sequence, which may have been made possible by prior leaks of manufacturer algorithms or extensive brute-force attacks on known code lists.

However, other security experts point to a known vulnerability detailed in an academic paper called “RollBack.” This attack method involves capturing several codes and then replaying them to the vehicle in a specific, manipulated order.

This tricks the vehicle’s synchronization counter into “rolling back” to a previous state, which the attacker can then exploit to gain control. Regardless of the precise method, the result shown in videos is the same: one capture grants full access.

The list of affected manufacturers is extensive and includes many popular brands: Chrysler, Dodge, Fiat, Ford, Hyundai, Jeep, Kia, Mitsubishi, and Subaru.

For consumers and manufacturers, the implications are severe. As the vulnerability lies deep within the vehicle’s hardware-based receiver, there is no easy fix like a simple software update.

Experts warn that the only comprehensive solution would be a mass recall to replace the physical components in affected vehicles, a logistical and financial nightmare for the automotive industry.

The post Flipper Zero ‘DarkWeb’ Firmware Bypasses Rolling Code Security on Major Vehicle Brands appeared first on Cyber Security News.

Source: cybersecuritynews.com
