Micca KE700 Replay Attack Vulnerability Allowing Unauthorized Access to Vehicle
Vulnerability
A vulnerability in the resynchronization logic of the Micca KE700 car alarm system allows replay attacks. The receiver accepts two previously captured rolling codes when they are replayed in a specific order: an older code first, then a newer one. This tricks the system into treating stale codes as valid and executing the command they carry. Because the attack needs only recorded fob transmissions, replayed verbatim, and not the fob's secret key, it effectively clones the alarm key and grants unauthorized control of the vehicle's locking mechanism.
Impact
An attacker who has recorded two fob transmissions can effectively clone the alarm key, gain unauthorized access to the vehicle, and lock or unlock the doors at will.
Reproduction
The vulnerability can be reproduced by capturing two rolling codes from the vehicle's key fob with a sub-GHz capture device such as a Flipper Zero. The first code, an older 'enabling' signal, is transmitted to the vehicle, followed immediately by a newer 'execution' signal. The vehicle's alarm system then executes the corresponding command, such as unlocking the doors. The codes do not need to be ones the vehicle has never seen: the flaw is that the receiver's resynchronization logic accepts codes that are behind its current counter, so transmissions the vehicle already consumed can be replayed later. The weakness lies in the receiver's state handling, not in the rolling-code cipher.
Remediation
To address this vulnerability, the receiver should maintain persistent state (the last accepted counter, kept in non-volatile memory so that it survives a power cycle) and accept only codes whose counter is strictly greater than that value and within a bounded forward window. Any code at or below the last accepted counter must be rejected outright and must not change the receiver's state. The flawed 'enabling' logic, which lets a stale code prime the receiver to accept the next one, should be removed; resynchronization, where supported, should be possible only from codes that are ahead of the last accepted counter and within a defined forward window.
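The following is an added example, not code from the advisory or from Micca, that models the reproduction steps above against two simulated receivers: a hypothetical reconstruction of the flawed 'enabling' logic as the advisory describes it, and a hardened receiver implementing the remediation. A real receiver decrypts each packet to recover the counter and command; the model treats a code as the already-decrypted (counter, command) pair. The class names, the window sizes and the captured counter values are assumptions chosen for illustration.

```python
from typing import List, Optional, Tuple

# Constructed model: a real rolling-code receiver decrypts each packet to
# recover the counter and command; here a "code" is the already-decrypted
# (counter, command) pair, so the cipher itself is out of scope.
Code = Tuple[int, str]


class VulnerableReceiver:
    """Hypothetical model of the flawed resynchronization logic.

    A code whose counter is at or behind the receiver's last accepted
    counter is not discarded; it is remembered as an 'enabling' code, and
    the next code is executed if its counter is merely ahead of that
    enabling counter, even though both are stale.
    """

    def __init__(self, last_counter: int) -> None:
        self.last_counter = last_counter
        self.enabling: Optional[int] = None
        self.executed: List[str] = []

    def receive(self, code: Code) -> bool:
        counter, command = code
        if counter > self.last_counter:
            return self._accept(counter, command)
        if self.enabling is not None and counter > self.enabling:
            # Flaw: a stale pair is accepted and the counter rolls backwards.
            return self._accept(counter, command)
        self.enabling = counter
        return False

    def _accept(self, counter: int, command: str) -> bool:
        self.last_counter = counter
        self.enabling = None
        self.executed.append(command)
        return True


class HardenedReceiver:
    """Receiver whose counter only moves forward.

    WINDOW is the normal forward window; RESYNC_WINDOW is a larger window
    in which two consecutive counters, both strictly ahead of the last
    accepted one, are required before the receiver resynchronizes.  Both
    sizes are assumed values, not the vendor's.
    """

    WINDOW = 16
    RESYNC_WINDOW = 32768

    def __init__(self, last_counter: int) -> None:
        # In a real device last_counter lives in non-volatile memory so that
        # a power cycle cannot reset it.
        self.last_counter = last_counter
        self.pending: Optional[int] = None
        self.executed: List[str] = []

    def receive(self, code: Code) -> bool:
        counter, command = code
        if counter <= self.last_counter:
            # Replayed or stale code: reject and leave no state behind.
            self.pending = None
            return False
        if counter <= self.last_counter + self.WINDOW:
            return self._accept(counter, command)
        if counter <= self.last_counter + self.RESYNC_WINDOW:
            if self.pending is not None and counter == self.pending + 1:
                return self._accept(counter, command)
            self.pending = counter
            return False
        self.pending = None
        return False

    def _accept(self, counter: int, command: str) -> bool:
        self.last_counter = counter
        self.pending = None
        self.executed.append(command)
        return True


def replay_attack(receiver) -> List[str]:
    """Replay two captured codes (constructed sample) that the vehicle has
    already consumed: the older 'enabling' code first, then the newer
    'execution' code.  Returns the commands the receiver executed."""
    captured_enabling: Code = (15, "unlock")
    captured_execution: Code = (16, "unlock")
    receiver.receive(captured_enabling)
    receiver.receive(captured_execution)
    return receiver.executed


if __name__ == "__main__":
    for cls in (VulnerableReceiver, HardenedReceiver):
        rx = cls(last_counter=20)  # the vehicle has already seen counters up to 20
        print(cls.__name__, "executed:", replay_attack(rx), "counter:", rx.last_counter)
```

Against the vulnerable model the replayed pair unlocks the doors and rolls the receiver's counter back from 20 to 16, so the same two captures can be replayed indefinitely. The hardened receiver rejects both codes, keeps its counter at 20, and clears any pending resynchronization state whenever a stale code arrives, so an attacker cannot use an old capture to prime the receiver for a later one.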
