Can I Unlock Other People's Cars With My Remote?
Jason English, our esteemed editor, wonders, "How many other Camrys would my remote unlock? Is it really 1:1, or is there a chance my fob would open a Camry in Phoenix or Toronto?"
When you push a button on your car remote or garage door opener, a radio transmitter inside sends a signal containing a numeric code to a receiver in the car (or in the garage). When it gets the signal, the receiver tells the car (or the garage door controls) to lock or unlock (or open or close)—or whatever it's supposed to do given the button you pushed.
When remote garage door openers first came out in the 1950s, the transmitters in the remotes sent out a single signal. This was all well and good as long as you were the only person on your block with a garage door opener. But as they became more common, you could open any garage you wanted, because all remotes worked on the same signal. A security breakthrough came 20 years later when DIP switches—sets of eight manual electric switches packaged in a group and attached to a printed circuit board—were added. By setting the eight switches to a certain arrangement inside both the transmitter and the receiver, you had some control over the 8-bit code that they shared. The DIP switches could provide 256 possible codes. So while some security was provided, areas with lots of garage door remotes were still prone to code doubling and people opening up their neighbors' doors.
Early remote entry systems for cars were slightly more advanced. The system for each car had a unique code set by the manufacturer and used by that car's transmitter-receiver pair alone. The ratio really was 1:1. Just as my car lock or yours wouldn't open for Jason's key, our receivers wouldn't have responded to his transmitter's signal. These systems had their own problem: while the codes were unique to their cars, the same code was transmitted every time you used the remote. A radio transceiver called a "code grabber" could be used to intercept, store and retransmit the code later on. It was like having your key stolen and copied, without you knowing, while you were putting it in the keyhole and opening the door.
To combat the problem, manufacturers began using rolling codes (or hopping codes) in the mid-1990s. Instead of using a single fixed code, these newer systems use a set of rolling codes that change every time the remote is used. Now when you use the remote, the transmitter sends the current code to the receiver (most systems use 40-bit codes or longer, allowing for more than 1 trillion different combinations). If the receiver gets the current code, it responds; if not, it does nothing. The transmitter and receiver then "roll" the code using the same pseudorandom number generator (PRNG). When the transmitter sends the current code, it uses the PRNG to create a new code and remembers it. After receiving the current code, the receiver uses the same PRNG with the same original seed (the number that initiates the PRNG) to generate a new code. Using this method, the transmitter and the receiver generate matching sequences of codes and are synchronized (and, of course, all the information that's transmitted is encrypted).
What if you press a button on the remote while you're away from the car, generating a new code on the transmitter and desynchronizing the system? The receiver forgives your human error and accepts any of the next X valid codes in the code sequence (the number of "look-ahead" codes the receiver accepts varies among manufacturers). Push the button one too many times, though, and the receiver will ignore the remote and you'll have to resync the system.
Modern remote keyless entry systems are pretty secure, but there is a slight chance Jason could open another Camry if he wants to walk up to one and press the unlock button on his remote (assuming it uses a 40-bit code) one trillion, ninety-nine billion, five hundred eleven million, six hundred twenty-seven thousand, seven hundred and seventy-six times, running through all the possible codes his remote could transmit until one works (assuming he can hit the button once every second without taking any breaks, he'll need just shy of 34,842 years to do so). He'll also have to hope that the Camry he's trying to open has a receiver that uses a 40-bit like his remote, and isn't a newer model that might use a 66-bit code with 7.3 x 1019 possible codes.