Most cars you see on the road have keyless entry. This means that you do not have to use your key in the door, and can lock or unlock your car door from a few meters away, making life much easier. First, a short explanation of how rolling codes work, and then how Subaru’s rolling codes failed.
Inside your key fob is a small radio transmitter, and inside the car is a corresponding radio receiver. When you press the unlock or lock button, a new 40-digit rolling code is generated from a pseudo-random number generator. The car and fob both use the same generator, so they both get the same new code without anyone on the outside being able to predict the pattern. If the code from the fob matches the code in the car, the car unlocks or locks. When the car receives a valid code, it generates the next number in the sequence. To account for things like pressing the lock/unlock buttons when the car is out of range, the car stores around 250 of the next numbers from the generator, so the fob can match any of those.
Subaru failed because their rolling code was generated using an incremental algorithm, meaning that by intercepting enough signals you could figure out how it increments and calculate the next code. Even worse, it is surprisingly easy and cheap to execute this attack. The few supplies you need are: a Raspberry Pi with WiFi, a radio receiver, a wire, a 433 MHz antenna, and a smartphone. All you need to do is connect the receiver and antenna, wire it to the Pi, connect to the Pi, and run a script. Once a signal is received, the next code in the sequence is calculated and you can use it to unlock the car. If you don’t feel like committing grand theft auto, you can flood the car with hundreds of new rolling codes, meaning any code from the fob won’t work. This means you will not be able to use remote lock, and you have to take the car into a dealership to put it into programmer mode and reset the codes.
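The receiver-side check described above, as an added example (not code from Subaru or from this post): it runs the same look-ahead window against a keyed generator and against an incremental one, showing that replay and out-of-window codes are rejected by both but a "previous code plus one" guess is only rejected by the keyed scheme. The HMAC-SHA256 construction, the 40-bit code width, the secret and the starting value are all assumptions made for the demonstration.

```python
import hashlib
import hmac

WINDOW = 250           # look-ahead size, "around 250" per the text
MASK = (1 << 40) - 1   # assumed 40-bit code width

def keyed_code(secret: bytes, counter: int) -> int:
    """Code is a truncated HMAC of the counter: unpredictable without the secret."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:5], "big")

def incremental_code(start: int, counter: int) -> int:
    """Weak scheme: every code is simply the previous code plus one."""
    return (start + counter) & MASK

class Receiver:
    """Car side: accepts any of the next WINDOW codes, then moves past it."""
    def __init__(self, code_fn):
        self.code_fn = code_fn   # maps a counter value to the expected code
        self.counter = 0         # first counter value not yet consumed

    def accept(self, code: int) -> bool:
        for c in range(self.counter, self.counter + WINDOW):
            if self.code_fn(c) == code:
                self.counter = c + 1   # codes up to and including c are now stale
                return True
        return False

def demo(code_fn):
    """Returns (in_window, replay, plus_one_guess, beyond_window) verdicts."""
    car = Receiver(code_fn)
    observed = code_fn(3)                        # three presses out of range, fourth heard
    in_window = car.accept(observed)             # fob is ahead but inside the window
    replay = car.accept(observed)                # same code sent a second time
    guess = car.accept((observed + 1) & MASK)    # guess made without knowing the secret
    beyond = car.accept(code_fn(car.counter + WINDOW))  # fob desynced past the window
    return in_window, replay, guess, beyond

SECRET = b"constructed-demo-secret"   # constructed value, shared by fob and car
KEYED = demo(lambda c: keyed_code(SECRET, c))
INCREMENTAL = demo(lambda c: incremental_code(0x1234567890, c))

if __name__ == "__main__":
    print("keyed      :", KEYED)
    print("incremental:", INCREMENTAL)
```

The last verdict is also why a fob pushed more than a window ahead of the car stops working until the two are resynchronized.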
On newer models, across all cars, some form of encryption is used to transmit the rolling code, and only the car knows the decryption key. The list of affected cars is:
– 2006 Subaru Baja
– 2005 – 2010 Subaru Forester
– 2004 – 2011 Subaru Impreza
– 2005 – 2010 Subaru Legacy
– 2005 – 2010 Subaru Outback
However, more Subaru vehicles could be affected.