Micca KE700 Acceptance of previously used rolling codes
Description
Vulnerability details (2): acceptance of previously used rolling codes (RollBack attack)
Description
The vulnerability exists in the alarm system's receiver, which contains flawed logic for resynchronization. The system can be forced to accept previously used (stale) rolling codes to execute a command.
This attack requires sending two captured codes in a specific sequence:
Enabling signal
: The first signal sent is a rolling code that was captured at some point in the past (e.g., code n-15 or n-4). This signal "enables" the receiver, but does not itself unlock the car. The researcher's report notes that it does not matter how old this code is, as long as it was sent before the second signal.
Execution signal
: The second signal is a newer captured code (e.g., code n-1). Because the receiver was put into an "enabled" state by the first signal, it now incorrectly accepts this second, stale code and executes the lock/unlock command.
Sending one "enabling" signal (e.g., captured code n-3) could allow multiple subsequent captured codes (e.g., n-2, n-1, and n) to be successfully replayed, causing the system to unlock several times in a row.
Attack Path
The attack is carried out using standard radio replay tools.
1. Use a device like a Flipper Zero to capture and save at least two signals from the target's key fob at different times (e.g., an older code n-x and a newer code n-1).
2. Transmit the older "enabling" signal (n-x) toward the vehicle.
3. Immediately transmit the newer "execution" signal (n-1) toward the vehicle.
4. The car's alarm system will execute the command (e.g., "UNLOCK").
This attack was successfully automated using the AutoRFKiller tool and manually replicated using a Flipper Zero.
PoC video – RollBack attack:
https://drive.google.com/file/d/180Sgi6wSXhNVVLByskJIu1hdmJEOPkMq/view?usp=sharing
CWE references
CWE-288 (Authentication bypass using an alternate path or channel)
: The system's flawed "enabling" logic provides an alternate, insecure path for authenticating a command.
CWE-348 (Use of less trusted source)
: The system incorrectly trusts a stale, previously used signal (a "less trusted source") to initiate a critical state change.
Impact
Successful exploitation allows an attacker to clone the alarm key by capturing and replaying previously transmitted signals. This grants the attacker unauthorized access to the vehicle to unlock or lock the doors.
This vulnerability is categorized as a high-severity issue.
Tools and techniques
Flipper Zero (in Sub-GHz mode)
AutoRFKiller tool
Universal Radio Hacker (or similar tool for signal capture and analysis)
Recommendations
Enforce strict anti-replay
: The receiver must maintain a persistent state (e.g., the counter value of the last valid code). It must never accept a code with a counter value less than or equal to the last known valid counter.
Secure resynchronization logic
: The "enabling" logic triggered by an old code is the flaw and must be removed. Secure resynchronization should only be triggered by codes that are ahead of the current counter (e.g., in a counter + 1 to counter + 1000 window) to allow a "drifted" key fob to re-sync.
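To make the two recommendations concrete, and to show why the two-signal sequence from the Description fails against them, here is an added example (not the vendor's firmware and not part of the advisory). The `FlawedReceiver` class is a simplified, hypothetical abstraction of the behaviour the advisory describes (a stale code puts the receiver into an "enabled" state in which later stale codes execute); the actual receiver logic is not public. `HardenedReceiver` implements the recommended rules: a persistent last-valid counter, rejection of any counter less than or equal to it, and a forward-only resync window. The window size of 1000 is the value the recommendation gives; frame authentication (the keyed cipher or MAC that normally protects the counter) is abstracted away, so a `Code` carries only the already-validated counter and command.

```python
"""Rolling-code receiver models: the described resync flaw beside the
hardened validation the advisory recommends. Added example, not product code."""
from dataclasses import dataclass

# Forward resync window from the recommendation: counter + 1 .. counter + 1000.
RESYNC_WINDOW = 1000


@dataclass(frozen=True)
class Code:
    """One received frame after cryptographic validation: its counter and command."""
    counter: int
    command: str


class FlawedReceiver:
    """Hypothetical simplified model of the flaw the advisory describes."""

    def __init__(self, last_counter: int):
        self.last_counter = last_counter   # last counter that was executed
        self.enabled_from = None           # counter of the stale "enabling" code

    def receive(self, code: Code) -> bool:
        """Return True if the command is executed."""
        if code.counter > self.last_counter:
            # Fresh code: execute, advance, and leave any enabled state.
            self.last_counter = code.counter
            self.enabled_from = None
            return True
        if self.enabled_from is None:
            # Stale code: not executed, but it "enables" the receiver.
            self.enabled_from = code.counter
            return False
        # Enabled state: any code newer than the enabling one is executed even
        # though it is older than last_counter. This is the RollBack condition.
        return code.counter > self.enabled_from


class HardenedReceiver:
    """Receiver enforcing strict anti-replay and forward-only resynchronization."""

    def __init__(self, last_counter: int, window: int = RESYNC_WINDOW):
        self.last_counter = last_counter   # persistent state, e.g. stored in EEPROM
        self.window = window

    def receive(self, code: Code) -> bool:
        """Return True if the command is executed."""
        # Rule 1: never accept a counter <= the last known valid counter,
        # so no previously used code (and no "enabling" state) exists.
        if code.counter <= self.last_counter:
            return False
        # Rule 2: resync only for codes ahead of the counter, within the window.
        if code.counter > self.last_counter + self.window:
            return False
        self.last_counter = code.counter
        return True


def rollback_sequence(n: int) -> list:
    """Constructed sample of the advisory's sequence, with the receiver's last
    valid counter at n: enabling signal (n-15), then execution signal (n-1)."""
    return [Code(n - 15, "UNLOCK"), Code(n - 1, "UNLOCK")]


def run(receiver, codes: list) -> list:
    """Feed codes in order and return which ones were executed."""
    return [receiver.receive(c) for c in codes]


if __name__ == "__main__":
    print("flawed  :", run(FlawedReceiver(100), rollback_sequence(100)))
    print("hardened:", run(HardenedReceiver(100), rollback_sequence(100)))
```

Against `FlawedReceiver` the first stale code is not executed but the second one is, exactly the pattern the Description gives; against `HardenedReceiver` both are rejected, because the enabled state never exists and the counter check is applied to every frame. The same check also bounds how far a drifted fob may jump ahead, so a code beyond the window is rejected rather than silently resynchronized.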
Additional information
The vulnerability was reported by Danilo Erazo ([email protected]).
Advisory Details
- CVE ID: CVE-2026-2540
- Affected Products: Micca Auto Electronics Co., Ltd., Car Alarm System KE700
- Problem Type: CWE-288 Authentication Bypass Using an Alternate Path or Channel, CWE-294 Authentication Bypass by Capture-replay
- CAPEC ID: CAPEC-395 Bypassing Electronic Locks and Access Controls
- Published: Feb 15, 2026