
Breaking Learning Codes

DEFCONConference · 1,222 views · 27:02 · over 1 year ago

This talk demonstrates a technique for bypassing keyless entry systems (KES) in vehicles by exploiting vulnerabilities in the learning code implementation of common RF chips. The researcher shows how to perform replay attacks, brute-force attacks, and backdoor installation on these systems using custom hardware and software. The presentation highlights the insecurity of these widely used automotive remote control protocols and provides a tool for testing these vulnerabilities. The researcher also discusses the collision problem where different vehicles may share the same learning code.

Bypassing Keyless Entry Systems via Learning Code Exploitation

TLDR: Many automotive keyless entry systems rely on insecure learning code protocols that are vulnerable to replay and brute-force attacks. By reverse-engineering the signal modulation and chip-specific encoding, researchers can craft custom signals to unlock vehicles or install backdoors. This research demonstrates that these systems lack the security of modern rolling code implementations, leaving thousands of vehicles susceptible to unauthorized access.

Automotive security often feels like a black box, but the underlying protocols for keyless entry systems are frequently far less sophisticated than they appear. While modern vehicles have moved toward encrypted rolling codes, a massive segment of the global fleet still relies on legacy learning code chips. These chips, such as the HS2240 and EV1527, are designed for simplicity and cost-efficiency, not security. Recent research presented at DEF CON 2024 exposes how these protocols can be trivially bypassed, allowing an attacker to unlock vehicles or even inject a persistent backdoor into the receiver's memory.

The Mechanics of the Vulnerability

The core issue lies in the predictable nature of the learning code protocol. Unlike rolling codes, which change with every transmission to prevent replay, learning codes are static. When a user pairs a new key fob, the receiver simply stores the unique ID of that fob in its memory. Because the protocol is not designed to handle complex cryptographic handshakes, the receiver is essentially a passive listener waiting for a specific, hardcoded signal.

By using a logic analyzer to capture the signal directly from the key fob's transmit pin, we can observe the modulation and encoding scheme. These systems typically use Amplitude Shift Keying (ASK) modulation. Once the signal is demodulated, the structure becomes clear: a preamble followed by a 20-bit code and a 4-bit mode identifier. The 20-bit code provides only one million possible combinations, a space so small that a brute-force attack can be completed in minutes.
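As an added example (not code from the talk or from the AutoRFKiller tool), the decoder below turns a demodulated ASK capture into the 20-bit code and 4-bit mode field described above, then checks whether several button presses carry the same code, which is the quick assessment test for a static learning code. It assumes an EV1527-style pulse-width encoding (a '1' is a long high followed by a short low, a '0' the reverse, and the preamble is a short high followed by a much longer low); the pulse-width list is constructed for this example.

```python
from typing import List, Tuple

# Constructed sample capture: alternating high/low pulse widths in microseconds,
# starting with the preamble's short high. It encodes code 0x5A3C7, mode 0b0010,
# with a little timing jitter as a real demodulator would report.
SAMPLE_CAPTURE_US = [
    310, 9280,                                        # preamble: short high, long low
    290, 910, 905, 300, 310, 890, 895, 305,           # 0 1 0 1
    900, 295, 300, 900, 910, 290, 295, 905,           # 1 0 1 0
    300, 900, 305, 895, 900, 300, 890, 310,           # 0 0 1 1
    905, 295, 900, 300, 300, 900, 290, 910,           # 1 1 0 0
    310, 890, 900, 300, 895, 305, 910, 290,           # 0 1 1 1
    300, 900, 300, 900, 900, 300, 305, 895,           # 0 0 1 0
]

FRAME_BITS = 24        # 20-bit code + 4-bit mode identifier
CODE_SPACE = 1 << 20   # 1,048,576 possible codes, the space a brute-force walks


def decode_frames(durations: List[int], sync_ratio: int = 10) -> List[List[int]]:
    """Split a demodulated capture into 24-bit frames.

    Each bit is one high pulse followed by one low pulse; the longer of the two
    decides the bit (assumption: EV1527-style PWM). A low gap far longer than its
    high pulse is the preamble and terminates the frame before it.
    """
    frames: List[List[int]] = []
    bits: List[int] = []
    for high, low in zip(durations[0::2], durations[1::2]):
        if low > sync_ratio * high:          # preamble gap: flush any complete frame
            if len(bits) == FRAME_BITS:
                frames.append(bits)
            bits = []
            continue
        bits.append(1 if high > low else 0)  # long high = 1, long low = 0
    if len(bits) == FRAME_BITS:              # frame that ends at the capture's edge
        frames.append(bits)
    return frames


def split_fields(bits: List[int]) -> Tuple[int, int]:
    """Return (20-bit code, 4-bit mode) from one frame, MSB first."""
    value = int("".join(map(str, bits)), 2)
    return value >> 4, value & 0xF


def assess_presses(codes: List[int]) -> str:
    """Static learning code: every press carries the same code, so a recorded
    transmission replays cleanly. A rolling-code fob changes on every press."""
    return "static (replayable)" if len(set(codes)) == 1 else "changing"
```

Capture three or more presses of the same button, run each through `decode_frames` and `split_fields`, and feed the codes to `assess_presses`; a "static" verdict identifies the receiver as a legacy learning-code system.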

Exploiting the Protocol

For a pentester, the attack surface is wide open. Since the signal is static, a simple replay attack using a tool like Universal Radio Hacker is often sufficient to unlock a vehicle. However, the research goes further by introducing a custom tool, AutoRFKiller, which automates the process of brute-forcing these codes.

The tool works by iterating through the potential code space, sending signals at the target frequency, and waiting for the vehicle to respond. The efficiency of this attack is improved by the fact that many of these chips share the same encoding logic. If you know the chip model, you can significantly narrow down the search space.

```python
from time import sleep

# Example of brute-force logic structure. generate_ask_signal and transmit stand
# for the tool's radio layer and are not defined here.
def brute_force_attack(start_code, end_code, frequency):
    for code in range(start_code, end_code):
        signal = generate_ask_signal(code)  # encode the 20-bit candidate as ASK
        transmit(signal, frequency)
        sleep(0.03)  # 30 ms delay to avoid signal collision
```

The most alarming finding is the ability to install a "backdoor." Because the receiver is designed to learn new codes, an attacker with physical access to the vehicle's receiver can force it into programming mode. By sending a specific sequence of signals, the attacker can register their own key fob as a legitimate device. Once registered, the attacker retains permanent access to the vehicle, regardless of whether the original owner changes their own fobs.

Real-World Impact and Collision Risks

During a penetration test, you might encounter these systems in older vehicles or budget-friendly models where manufacturers prioritized cost over authentication strength, the class of weakness OWASP catalogues as A07:2021 Identification and Authentication Failures. The risk is not limited to a single vehicle. Because the code space is so small, there is a non-zero probability of a "collision," where a signal intended for one vehicle inadvertently unlocks another. This is a classic example of security through obscurity failing in the face of widespread, low-cost hardware.

When assessing these systems, do not assume that the lack of a rolling code means the system is "just old." It means the system is fundamentally broken by design. If you are testing a vehicle, check for the presence of these legacy chips. If they are present, the vehicle is effectively unprotected against anyone with a $30 software-defined radio and a basic understanding of signal processing.

Defensive Considerations

Defending against these attacks is difficult because the vulnerability is baked into the hardware protocol. There is no software patch for a chip that lacks the logic to perform cryptographic verification. For manufacturers, the only viable path forward is to deprecate these legacy protocols in favor of modern, encrypted rolling code systems that adhere to current automotive security standards.

For fleet managers or vehicle owners, the best defense is to be aware of the limitations of your hardware. If your vehicle uses a legacy keyless entry system, consider adding a secondary, non-RF-based security measure, such as a physical steering wheel lock or an aftermarket alarm system that does not rely on the factory-installed receiver.

Security researchers should continue to investigate these legacy protocols, as they remain a significant, often overlooked, vector for physical access. The tools and techniques demonstrated here are not just for academic interest; they are a reminder that when we ignore the security of low-level hardware, we leave the door wide open for anyone willing to listen to the airwaves.

Talk Type: research presentation
Difficulty: intermediate
Has Demo · Has Code · Tool Released


DEF CON 32 · 2024 · 260 talks