
Rolling-PWN — Coursework Study

Disclaimer
This document is a university coursework assignment, translated from the original German version using AI assistance (ChatGPT).
It is not peer-reviewed and not formally published.
Provided for educational and demonstrational purposes only.


Author: skull

Keywords: Rolling Code, Keyless Entry, Rolling-PWN, Car Key Fobs, CAN-Bus, Replay Attack


ABSTRACT

This coursework analyzes the Rolling-PWN attack on modern keyless entry systems in vehicles.
It explains the technical foundations, describes the attack in detail, and discusses potential countermeasures.


1. INTRODUCTION

With the widespread adoption of keyless entry systems, the attack surface for vehicles has expanded significantly.
Replay and rolling-code attacks pose serious threats, with Rolling-PWN being a recent high-profile example.

The objective of this coursework is to analyze the attack model, document its workflow, and evaluate its real-world impact.


2. TECHNICAL BACKGROUND

2.1 Keyless Entry Systems

Keyless entry allows unlocking and starting a car without pressing a button on the key fob.
Communication occurs over radio protocols and is typically encrypted.

2.2 Rolling Codes

To mitigate replay attacks, rolling codes are used.
Each transmitted code is unique and valid only once, with the next code derived from a pseudo-random sequence.


3. THE ROLLING-PWN ATTACK

3.1 Attack Workflow

The Rolling-PWN attack exploits weaknesses in rolling-code implementations.
By capturing and replaying signals, attackers can open a vehicle without possessing the legitimate key.

[Figure: Rolling Code Principle]

Steps:

  1. Signal Capture: Record a key fob transmission when the user unlocks the vehicle.
  2. Analysis: Inspect the captured rolling code.
  3. Replay: Transmit the code later to unlock the car.

[Figure: Signal Capture]

3.2 Vulnerability

If the vehicle’s ECU/BCM does not strictly validate that the received code is the immediate next value in the rolling sequence, replayed signals can “advance” the counter.
This flaw allows multiple successful replays.

[Figure: Protocol Weaknesses]


4. EXPERIMENTAL REPLICATION

To illustrate the concept, a Software Defined Radio (SDR) and a simple rolling-code key fob (433 MHz) were used.

4.1 Setup

[Figure: SDR Setup]

4.2 Results

  • Signals were captured and decoded with SDR software.
  • A replayed code successfully unlocked the test system.

[Figure: Decoded Rolling Code]
[Figure: Replay Attack]


5. DISCUSSION

5.1 Range and Accessibility

  • No physical access to the vehicle is required.
  • Low cost: SDR hardware and open-source software are sufficient.

[Figure: Commercial Devices]

5.2 Consequences

  • Unauthorized unlocking (and in some cases starting) of vehicles.
  • Rolling codes, when poorly implemented, do not prevent replay attacks.

6. COUNTERMEASURES

Recommended defenses include:

  • Stronger cryptographic challenge-response mechanisms.
  • Stricter validation windows for rolling codes.
  • Regular firmware and ECU updates.

[Figure: Countermeasures Overview]

Manufacturers should periodically test and update their implementations.
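To make the receiver-side flaw from Section 3.2 and the "stricter validation windows" countermeasure concrete, here is an added Python model; it is not code from the original coursework and not the logic of any real vehicle. The names KEY, rolling_code, Receiver and replay_scenario are constructed for this illustration: codes are derived from a counter with an HMAC standing in for the fob's cipher, the lax receiver accepts any code whose counter lies anywhere in a window around its stored counter (stale values included) and resyncs to it, while the strict receiver accepts only counters ahead of its own.

```python
import hmac
import hashlib

# Constructed shared secret; a real fob/receiver pair would hold a per-vehicle key.
KEY = b"constructed-demo-key"


def rolling_code(counter):
    """Code transmitted for a counter value (HMAC stands in for the fob's cipher)."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Receiver:
    """Toy BCM/ECU. strict=False: any code inside a window around the stored counter is
    accepted, stale ones included, and the counter is resynced to it (the flaw described
    in Section 3.2, simplified). strict=True: only counters ahead of the stored one count."""

    def __init__(self, strict, window=16):
        self.counter = 0
        self.strict = strict
        self.window = window

    def accept(self, code):
        lo = self.counter + 1 if self.strict else max(0, self.counter - self.window)
        hi = self.counter + self.window
        for c in range(lo, hi + 1):
            if hmac.compare_digest(rolling_code(c), code):
                self.counter = c  # resync to the matched counter
                return True
        return False  # no counter in the window produces this code


def replay_scenario(strict):
    """Three real presses, a gap of two missed presses, then two replays of the first capture."""
    rx = Receiver(strict)
    captured = rolling_code(1)  # recorded during the owner's first press
    legit = [rx.accept(rolling_code(c)) for c in (1, 2, 3)]  # real presses, all accepted
    skipped = rx.accept(rolling_code(6))  # presses 4-5 happened out of range; window absorbs it
    replays = [rx.accept(captured), rx.accept(captured)]  # the stale code sent twice
    return legit, skipped, replays


if __name__ == "__main__":
    print("lax receiver   :", replay_scenario(False))  # ([True, True, True], True, [True, True])
    print("strict receiver:", replay_scenario(True))  # ([True, True, True], True, [False, False])
```

Both receivers tolerate the missed presses thanks to the forward window; only the strict one refuses the replayed capture, which is the check the countermeasure list asks for.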


7. CONCLUSION

The Rolling-PWN attack highlights the importance of correct implementation, even with proven security mechanisms.
Continuous testing, penetration assessments, and timely patching are essential to maintain resilience against such attacks.

[Figure: Summary Diagram]



For feedback or questions, contact: 📧 skull@ttl.zip