Description
Vulnerability Disclosure Report
Overview
Three vulnerabilities were discovered in the car alarm system made by Micca Auto Electronics Co., Ltd. The system's proprietary rolling code implementation is fundamentally insecure, exposing it to multiple attack vectors.
The design transmits codes in plain text, allowing attackers to read internal data. This enables a brute-force attack to predict the next valid code.
Separately, the system's resynchronization logic is flawed. This "RollBack" flaw allows attackers to replay old, captured signals to unlock the car. This replay attack is the highest-impact vulnerability and is rated high severity.
Product Information
Affected Product/Component Name
OEM Car Alarm System
Services or other product relevant to the affected products
Micca Auto Electronics Co., Ltd.
Version(s)
KE700 or KE700+
Vendor/OEM/Supplier
Factory (China): MICCA AUTO ELECTRONICS CO., LTD. (Zhongshan City, Guangdong)
Office (Hong Kong): MICCA INTERNATIONAL GROUP CO., LTD. (Hennessy Road, Hong Kong)
Other Vendors/Organizations affected
–
Vulnerability details (1): Rolling code transmitted in plain text
Description
The system does not encrypt its 41-bit transmission frame. This allows any attacker to passively intercept and read the frame's contents, including a 16-bit counter and a 9-bit Key Fob ID. This is a fundamental design flaw that enables further attacks.
Attack Path
An attacker uses a logic analyzer or radio hacking tool to passively capture a single transmission.
The attacker decodes the signal (where 1 is sent as 1110 and 0 is sent as 1000).
Because the frame is unencrypted, the attacker can directly read the current counter value and Key Fob ID.
This information (specifically the counter) is the key prerequisite for launching the brute-force attack (Vulnerability 3).
CWE references
CWE-319: Cleartext transmission of sensitive information.
The rolling code counter and key ID are sensitive components of an authentication system, and they are transmitted without encryption.
Impact
Successful exploitation allows an attacker to passively intercept and read the contents of the rolling code frame. This breaks the confidentiality of the transmission and exposes sensitive operational data. This information disclosure is a critical prerequisite for launching the "Predictable or Brute-Forceable Rolling Code" attack (Vulnerability 3), as it provides the attacker with the current counter value.
Tools and techniques
Universal Radio Hacker (URH)
SDR device (e.g., HackRF or BladeRF)
Logic Analyzer
Recommendations
Implement encryption: The entire transmission frame must be encrypted using a standard, proven symmetric algorithm (e.g., AES-128). The receiver would decrypt the frame before processing any rolling code logic.
Authenticate the frame: The encrypted payload should include a Message Authentication Code (MAC) to prevent tampering or spoofing.
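The frame-authentication recommendation above, sketched as an added example (not code from the vendor or from the original report): the receiver verifies a MAC over every field before touching counter state, then accepts only counters that move forward within a small window. It uses truncated HMAC-SHA256 from the Python standard library as the MAC and does not encrypt the fields, so the confidentiality recommendation still needs AES from a vetted library. The per-fob key, 8-bit command field, byte-aligned layout, tag length and window size are assumptions; only the 16-bit counter and 9-bit Key Fob ID widths come from the report.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8   # bytes of HMAC-SHA256 kept as the MAC (assumption)
WINDOW = 64   # how far ahead of the last counter a frame may be (assumption)
BODY = struct.Struct(">HHB")  # fob ID, counter, command: assumed layout


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key, fob_id, counter, command):
    """Fob side: pack the fields and append a MAC computed over all of them."""
    if not (0 <= fob_id < 2**9 and 0 <= counter < 2**16 and 0 <= command < 2**8):
        raise ValueError("field out of range")
    body = BODY.pack(fob_id, counter, command)
    return body + _tag(key, body)


class Receiver:
    """Alarm side: verify the MAC first, then enforce a forward-only counter."""

    def __init__(self, keys):
        self.keys = dict(keys)                 # fob ID -> per-fob secret key
        self.last = {fob: 0 for fob in keys}   # last accepted counter per fob

    def accept(self, frame):
        if len(frame) != BODY.size + TAG_LEN:
            return "malformed"
        body, tag = frame[:BODY.size], frame[BODY.size:]
        fob_id, counter, _command = BODY.unpack(body)
        key = self.keys.get(fob_id)
        if key is None:
            return "unknown-fob"
        # Constant-time comparison; no counter state is touched before this passes.
        if not hmac.compare_digest(tag, _tag(key, body)):
            return "bad-mac"
        # Forward-only: a captured frame is never valid again, and there is no
        # resynchronization path that moves the counter backwards. The counter
        # does not wrap here; a fob that exhausts it must be re-paired (assumption).
        if not 0 < counter - self.last[fob_id] <= WINDOW:
            return "stale-or-out-of-window"
        self.last[fob_id] = counter
        return "ok"
```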
Additional information
The vulnerability was reported by Danilo Erazo.
Advisory Details
- CVE ID: CVE-2026-2539
- Affected Products: Micca Auto Electronics Co., Ltd., Car Alarm System KE700
- Problem Type: CWE-319 Cleartext Transmission of Sensitive Information
- CAPEC ID: CAPEC-37 Retrieve Embedded Sensitive Data
- Published: Feb 15, 2026