frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

Open in hackernews

Flipper Zero DarkWeb Firmware Bypasses Rolling Code Security

https://www.rtl-sdr.com/flipperzero-darkweb-firmware-bypasses-rolling-code-security/
82•lq9AJ8yrfs•2h ago

Comments

lq9AJ8yrfs•2h ago
flipper zero implementation of a variant [1] of the rolljam [2] attack

[1] https://arxiv.org/abs/2210.11923 [2] https://news.ycombinator.com/item?id=10018934

IshKebab•55m ago
Kind of insane that this works... Surely whoever implemented this knew it was insecure? I honestly wouldn't have thought to check for this vulnerability because... who would do that??
dylan604•40m ago
I don't think the word "secure" was ever part of the discussion on keyless entry for cars. They would have used something like "convenience". Secure would maybe be considered in that the car doors are now locked from the keyless. But as far as "secure" being used in regards to the transmission/receiving of the wireless signal? I doubt if it was ever mentioned by anyone other than PR.
palata•2h ago
> A consequence of this is that the original keyfob gets out of sync, and will no longer function.

I always wonder about this: what is the consequence of that? Can the user reset it, or does it have to be done by a retailer or something?

brk•1h ago
Depends on the implementation. Most times you just have to click it a few times in a row. The receiver then realizes it missed a few button presses and it re-syncs. I’m not sure what that window is though, at some point it might get so out of sync that the receiver ignores it and assumes it is a wrong fob.
cakealert•1h ago
Why are so many car manufacturers incapable of using cryptography properly?
the_mitsuhiko•1h ago
To some degree customers love it. It allows you to program your own replacement key without having to go through the manufacturer or an official dealer.
j1elo•1h ago
No doubt they would charge $100 or more for just clicking a button and having the equivalent of an NFC writer.
colechristensen•1h ago
When my favorite quadruped knocked my keys into the trash I had to get my car towed to the dealer for them to program me a new key. One one hand, top notch security as it was impossible to do any other way. On the other hand the total to get this done was something like $500 after everything.
dylan604•46m ago
I did this to myself by placing my keys in a pocket of a bag that I've never used before when returning to the airport parking. I found the keys in the bag after paying to have it re-keyed after paying for the tow from the airport to the closest dealer.
pkaye•24m ago
I wonder who make more money on this. The car dealer or the manufacturer.
IshKebab•1h ago
What does? The article is very unclear about what exactly this does.
the_mitsuhiko•54m ago
The attacks to rolling code keys are well known but these keys continue to exist. They allow you to pair a key yourself to the car that you buy online. Particularly in the US it's quite common that people buy used cars and then another key online that they pair themselves.

You won't be able to do this for instance with VAG cars that have KESSY. First of all the immobilizer is paired to the key, secondly the only way to pair a new key to it is via the manufacturer or a licensed dealership because you need a blob from their central server. But the consequence is that people feel like they are being fleeced when they need another key, because it can cost you hundreds of dollars to pair one.

In general these types of attacks are much harder in Europe where immobilizers have a legal minimum standard that manufacturers have to meet. On the other hand in the US immobilizer are entirely optional, which has famously led to KIA and Hyundai cars shipping without them and the Kia Boys TikTok phenomenon.

tamimio•1h ago
Car manufacturers are like automation/control manufacturers; they existed before cybersecurity and never caught up to the pace. If you ever audited any SCADA system, you will see nightmares. For cars, some new models of popular brands (not specifying any), you can access the CANbus from the headlight where you can reprogram the ECM to your new key. It's that simple to "own" a modern car.
bbarnett•36m ago
I've seen one-manufacturer, 2024 models at least, which requires two keys in range, before a third key may be programmed.

Good idea, don't know how effective it is in reality.

bayindirh•31m ago
Needing two keys for a third one is not new. My 25 year old car needs two keys for adding the third, old Fiats has “red master” keys which are also required during adding keys.
sneak•57m ago
They're not. There is AFAIK an ssh key infrastructure for OnStar that's modern and well-run, for example.

Things like key fobs are most likely very incremental changes on "this is the way we've always done it". These organizations are behemoths and steer with all of the inertia of a containership.

dylan604•43m ago
Proper security is a total pain in the ass, and makes things nigh impossible to use in the manner people want to use them. This naturally makes things more expensive to recover from oopsies.

This is why YubiKeys will only ever work for people technical enough to understand them. Normies will loose it at the first chance, and then be locked out of everything. At that point, YubiKeys will be banned by Congress from all of the people writing in demanding something be done about their own inabilities to not be an ID10T

tamimio•1h ago
Cool, I was planning to get a spare car key, not anymore!

Also, glad I have one before they would ban it. It’s a neat tool that I have everything I want there, instead of having 4 fobs, one garage remote, plenty of IR remotes, it’s AIO. Plus I don’t have to pay fees to replace my lost fobs

imzadi•1h ago
Sadly, it won't work as an extra key, because it causes the original key to stop working.
tamimio•1h ago
Welp, that’s a bummer! Have you tried it?
Alejandro9R•59m ago
It says in the article
tamimio•34m ago
In that case, it mostly will be used in a bad way.
xyst•52m ago
cool, I needed a new car, thanks
hsbauauvhabzb•50m ago
What practical use does this have? From my reading if I capture an unlock signal, the car will not unlock for the owner, so they’ll press their remote a few times.

If I capture a lock signal, presumably I can instead prevent it from locking. The only real world malicious action I can see is being viable is to block the car lock, meaning the car is still in an unlocked state, open the boot (which I’m guessing can be done from the car dash anyway) then locking it afterwards?

theChaparral•15m ago
This attack lets you use all the functions of the key fob, and not just the action captured.
Terr_•42m ago
I sometimes imagine how much of this could be avoided if the communication signals weren't (a) broadcast or (b) a imperceptible to humans.

If it an electrical contact in the door handle, it would be very difficult for anyone to monitor or inject other signals.

If the signals were audible sound, you'd know when someone was jamming it.

In practice, my number one use of a fob from a remote distance is locking, rather than unlocking, and those two operations don't have the equivalent security risk.

antirez•32m ago
I guess this attack is against the keeloq protocol. There are no known total breakage of this kind AFAIK, against the cryptography implemented in the chip. This will be interesting to understand, I mean: what they are exactly doing here.
theoreticalmal•14m ago
If the attack causes the original key to no longer work, imo the major threat vector is someone sitting in a parking lot, capturing key presses, performing the attack, and forcing the user to tow+re-program the key as a nuisance, rather than stealing the vehicle
waltbosz•2m ago
Jokes on them, I lost my key fob years ago.

Bitcoin mining and Gold mining: more alike than it seems

https://www.youtube.com/watch?v=XBHm8We2D64
1•unicorn_chaser•12s ago•1 comments

Everyone Is Along for the Crypto Ride Now, Even If It Ends Badly

https://www.barrons.com/articles/bitcoin-crypto-washington-economy-financial-system-c072e362
1•kamaraju•1m ago•0 comments

Warranty that was never meant to protect you

2•olemindgv•3m ago•0 comments

Immich – Cursed Knowledge

https://immich.app/cursed-knowledge/
3•bqmjjx0kac•3m ago•0 comments

Echelon kills smart home gym equipment offline capabilities with update

https://arstechnica.com/gadgets/2025/07/firmware-update-hinders-echelon-smart-home-gym-equipments-ability-to-work-offline/
1•akyuu•4m ago•0 comments

OpenAI's GPT-5 Is Here

https://www.wsj.com/podcasts/tech-news-briefing/tnb-tech-minute-openais-gpt-5-is-here/caec227a-8a47-48a4-9eff-915b7ee05a0e
2•ricecat•5m ago•0 comments

Ask HN: Recommendations for specification management software?

1•gusmally•8m ago•0 comments

Creating a Simple Nix Flake

http://www.simonjjones.com/#/posts/creating-a-simple-nix-flake
1•simojo•11m ago•0 comments

Video Coding for Machines: The Need for Compression (2024)

https://www.interdigital.com/post/video-coding-for-machines-the-need-for-compression
1•breve•12m ago•0 comments

Show HN: Magic Face Fixes with CodeFormer AI

https://codeformerai.com
1•kangfeibo•14m ago•0 comments

Louis Rossmann: Clippy for Vendetta (change your profile pic to Clippy)

https://www.youtube.com/watch?v=2_Dtmpe9qaQ
2•burnt-resistor•16m ago•1 comments

Show HN: Instant AI Videos with LTX – Fast, Smooth, and Easy

https://ltxvideoai.com
1•sudofoo•17m ago•0 comments

Swimming and Audiobooks

https://www.tomups.com/posts/swimming-and-audiobooks/
1•freediver•19m ago•0 comments

Ask HN: Enterpreneurs, does AI hurt you?

2•alganet•20m ago•0 comments

Fast and Efficient Emulation of Matrix Multiplication Using INT8 Matrix Engines

https://arxiv.org/abs/2508.03984
1•matt_d•23m ago•0 comments

Show HN: Explore the Power of Gemma 3n AI

https://gemma3n.app
1•NullPointerWin•26m ago•0 comments

Ask HN: How much would it cost to build a new commercially viable OS?

1•quacked•30m ago•3 comments

People from U.S. base in Antarctica evacuated in high-risk rescue operation

https://www.cbsnews.com/news/us-base-antarctica-evacuation-new-zealand-air-force-high-risk/
1•domofutu•31m ago•0 comments

How HN: Vidya AI – Ask Questions and Get Real-Time Answers from YouTube Videos

https://www.vidyaai.co
1•pingakshya2008•32m ago•1 comments

Show HN: Ace Step – Generate, remix, and edit original music with AI in seconds

https://acestepai.app
1•404NotBoring•33m ago•0 comments

Stella Rimington, First Woman to Lead U.K.'S MI5, Dies at 90

https://www.nytimes.com/2025/08/05/world/europe/stella-rimington-dies.html
1•bookofjoe•37m ago•2 comments

I Tried to Port Linux to an Obscure SoC. It Caught Fire.

https://blog.neagaru.com/p/i-tried-to-port-linux-to-an-obscure
3•digeex•46m ago•0 comments

Maintainer Needed for the OpenDroneMap Repo

https://community.opendronemap.org/t/maintainer-needed-for-the-odm-repo/25089
1•raybb•48m ago•0 comments

Meta Clip 2: Worldwide

https://arxiv.org/abs/2507.22062
1•ignoramous•54m ago•0 comments

Eggs are off the hook–study reveals bacon's the real heart risk

https://www.sciencedaily.com/releases/2025/07/250727235827.htm
12•bookmtn•57m ago•3 comments

Discord Voice Is Down

https://discordstatus.com/incidents/js2f68mctrtc
1•0xC0ncord•1h ago•0 comments

I Made An Encrypted, Security Optimized Gentoo on the Raspberry Pi 5 That's Easy

https://github.com/commtac2/komon-dei
2•mannyemanuel2•1h ago•0 comments

Apple's iPad site is running Next.js

https://twitter.com/wesbos/status/1953446448529355218
1•tosh•1h ago•0 comments

PostgreSQL vs. ClickHouse: Learnings from building my first database benchmark

https://github.com/514-labs/LLM-query-test/blob/main/blog-db-learnings.md
2•oatsandsugar•1h ago•0 comments

Kikoff CEO: We're not gonna IPO until you work harder

https://old.reddit.com/r/ExperiencedDevs/comments/1mkbkvz/ceo_were_not_gonna_ipo_until_you_work_harder/
9•nowickcounter•1h ago•0 comments