Hi all. Long-time listener, very part-time stalker, and basically no-time poster.
Just caught up with the last two weeks of SN last night, and I had a question about Rolling-PWN. I can't find the answer on the author's blog post, and a quick search of both these forums and the author's twitter does not come up with an answer. Hopefully, someone here knows the answer, or failing that hopefully this might spark some dicussion and speculation.
So my understanding of Rolling-PWN is that the attacker can resync the clock on the vehicle, allowing a previously captured command to be sent again (replay attack), despite the rolling codes being implemented explicitly to avoid this kind of attack.
The thing I don't follow, and for anyone reading this that is unaware of how these work, it is my understanding that rolling codes in vehicles have a window of x codes forward that the vehicle will accept. This is necessary since if an owner tries their fob when out of distance, and the car doesn't see it, the fob will cycle to the next code and the vehicle will not. Now you are permenantly locked out of wireless unlocking/anything else the codes control. So instead, the car allows any of the next, say, ten codes; once it sees one, it now only accepts the next ten codes from that code, and so on. This window allows for those cases where the owner might otherwise get locked out, but still provides the protection against replay attacks since no previously used code will ever be accepted again (unless it hapens to repeat, in which case I'd imagine the chances of that happening within the next window being vanishaly small).
So this attack allows an attacker to send codes to a vehicle which resets the window to some other, previous, state. This allows codes collected in the past to be used again. The thing I am unsure about, is the specifics of this windows reset. If this is a "feature" of the security system, I would expect the reset to return it to the beginning, in which case captured codes on anything but a brand spanking new car are going to be useless until the window encompasses those codes. So the only thing I can assume from this attack is that it is not a feature being exploited, but some very specific and frankly mind-boggling exploit that allows an attacker to somehow control where the resync returns to, allowing the immediate use of the codes again. However, I can't find any solid answers on these specifics, and it's really bugging me.
Does anyone know anything about this detail?
Just caught up with the last two weeks of SN last night, and I had a question about Rolling-PWN. I can't find the answer on the author's blog post, and a quick search of both these forums and the author's twitter does not come up with an answer. Hopefully, someone here knows the answer, or failing that hopefully this might spark some dicussion and speculation.
So my understanding of Rolling-PWN is that the attacker can resync the clock on the vehicle, allowing a previously captured command to be sent again (replay attack), despite the rolling codes being implemented explicitly to avoid this kind of attack.
The thing I don't follow, and for anyone reading this that is unaware of how these work, it is my understanding that rolling codes in vehicles have a window of x codes forward that the vehicle will accept. This is necessary since if an owner tries their fob when out of distance, and the car doesn't see it, the fob will cycle to the next code and the vehicle will not. Now you are permenantly locked out of wireless unlocking/anything else the codes control. So instead, the car allows any of the next, say, ten codes; once it sees one, it now only accepts the next ten codes from that code, and so on. This window allows for those cases where the owner might otherwise get locked out, but still provides the protection against replay attacks since no previously used code will ever be accepted again (unless it hapens to repeat, in which case I'd imagine the chances of that happening within the next window being vanishaly small).
So this attack allows an attacker to send codes to a vehicle which resets the window to some other, previous, state. This allows codes collected in the past to be used again. The thing I am unsure about, is the specifics of this windows reset. If this is a "feature" of the security system, I would expect the reset to return it to the beginning, in which case captured codes on anything but a brand spanking new car are going to be useless until the window encompasses those codes. So the only thing I can assume from this attack is that it is not a feature being exploited, but some very specific and frankly mind-boggling exploit that allows an attacker to somehow control where the resync returns to, allowing the immediate use of the codes again. However, I can't find any solid answers on these specifics, and it's really bugging me.
Does anyone know anything about this detail?