
Jason English, our distinguished editor, wonders, "How many other Camrys could my remote unlock? Is the process truly 1:1, or could my fob accidentally unlock a Camry in Phoenix or Toronto?"
When you press a button on your car remote or garage door opener, an internal radio transmitter sends a signal with a numerical code to the receiver in the car (or garage). Once the receiver gets the signal, it instructs the car (or garage door) to either lock or unlock (or open or close)—depending on the function assigned to the button you pressed.
When remote garage door openers were first introduced in the 1950s, their transmitters only emitted a single signal. This worked well as long as you were the only person on your block with a garage opener. However, as more people adopted the technology, it became possible to open any garage you wanted, because all remotes operated on the same signal. A breakthrough in security arrived 20 years later with the addition of DIP switches—sets of eight manual switches grouped together on a printed circuit board. By setting these switches to a particular pattern, both the transmitter and the receiver could share an 8-bit code, offering 256 possible combinations. While this improved security, areas with numerous garage door openers still faced issues with code duplication, allowing neighbors to inadvertently open each other's doors.
Early car remote entry systems were a bit more advanced. Each vehicle had its own unique code, set by the manufacturer, and only the corresponding transmitter-receiver pair could use that code. It was truly a 1:1 ratio. Just as my car lock or yours wouldn't open for Jason's key, our receivers wouldn’t react to his transmitter's signal. However, these systems had a flaw: while the codes were unique, the same code was sent every time the remote was used. A device called a "code grabber" could intercept, store, and resend the code later. It was like having your key stolen and copied without your knowledge, while you were unlocking your door.
To address this issue, car manufacturers introduced rolling codes (or hopping codes) in the mid-1990s. Instead of using a fixed code, these new systems utilized a set of changing codes that differed with every use of the remote. When you press the remote button, the transmitter sends the current code to the receiver (most systems now use codes of 40 bits or longer, allowing for over a trillion combinations). If the receiver gets the correct code, it responds; if not, it ignores it. The transmitter and receiver then "roll" the code using the same pseudorandom number generator (PRNG). After sending the current code, the transmitter generates a new one using the PRNG, and the receiver does the same. This way, both the transmitter and receiver are synchronized, and all transmitted information is encrypted.
What happens if you accidentally press the remote button while you're away from the car, generating a new code on the transmitter and causing desynchronization? The receiver is forgiving and will accept any of the next X valid codes in the sequence (the number of "look-ahead" codes the receiver accepts depends on the manufacturer). However, if you press the button too many times, the receiver will ignore the remote and you'll need to resync the system.
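The rolling-code and look-ahead behaviour described above, as an added example that is not part of the original article. It is a Python simulation in which HMAC-SHA256 over a counter stands in for the shared PRNG; the 16-code window, the secret values and the class names are assumptions.

```python
import hashlib
import hmac

CODE_BITS = 40    # code length the article cites
LOOK_AHEAD = 16   # assumed window; the article says it varies by manufacturer

def code_at(secret: bytes, counter: int) -> int:
    """Stand-in PRNG (assumption): the counter-th code derived from the shared secret."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:CODE_BITS // 8], "big")

class Fob:
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> int:
        code = code_at(self.secret, self.counter)
        self.counter += 1            # roll to the next code on every press
        return code

class Receiver:
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def receive(self, code: int) -> bool:
        # Accept only one of the next LOOK_AHEAD codes in the sequence.
        for step in range(LOOK_AHEAD):
            if code == code_at(self.secret, self.counter + step):
                self.counter += step + 1   # resynchronise past the accepted code
                return True
        return False                 # replayed, out-of-window or foreign code

def demo() -> dict:
    secret = b"constructed-demo-secret"   # constructed sample value
    fob, car = Fob(secret), Receiver(secret)
    first = fob.press()
    results = {"normal": car.receive(first),
               "replay": car.receive(first)}       # same code sent a second time
    for _ in range(5):                             # pressed out of range of the car
        fob.press()
    results["after_5_stray"] = car.receive(fob.press())
    for _ in range(LOOK_AHEAD):                    # too many stray presses
        fob.press()
    results["after_16_stray"] = car.receive(fob.press())
    results["other_fob"] = Receiver(secret).receive(Fob(b"another-car").press())
    return results

if __name__ == "__main__":
    print(demo())
```

The receiver ignores the resent code and the code from a fob with a different secret, recovers after five stray presses, and stops responding once the fob has moved past the window, which is the point at which a resync is needed.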
Modern keyless entry systems are quite secure, but there's still a slight chance Jason could unlock another Camry if he were to walk up to one and repeatedly press the unlock button on his remote (assuming it uses a 40-bit code). He’d need to press the button one trillion, ninety-nine billion, five hundred eleven million, six hundred twenty-seven thousand, seven hundred and seventy-six times, running through all possible codes his remote could transmit until one works (and assuming he can press the button once every second without stopping, it would take him nearly 34,842 years to finish). He would also need to hope that the Camry he's trying to unlock uses a 40-bit receiver, not a newer model with a 66-bit code, which would have 7.3 x 10^19 possible codes.
