CVE-2026-49319
Jun 25, 2026

Suzuki Swift (2024): rolling-code keyless entry defeated by RollBack-style replay, enabling unauthorized lock/unlock

Description

The Remote Keyless Entry System (RKES) of the Suzuki Swift (2024 model year) is vulnerable to a RollBack-style capture-replay attack against its rolling-code scheme. An attacker within radio range who passively captures a short sequence of the legitimate key fob's transmissions can later replay them to force the receiver to resynchronize and then accept a previously valid code, allowing the vehicle doors to be unlocked (and locked) without the owner's key fob. Because the captured transmissions remain usable after the fact, the rolling-code anti-replay protection — the RKES's primary defense — is defeated.

Impact is limited to unauthorized actuation of the door lock/unlock function and the resulting access to the vehicle interior. The weakness does not by itself defeat the engine immobilizer or allow the vehicle to be driven away.

Specific signal-capture and replay procedures, captured signal data, radio parameters, and the proof-of-concept have been withheld to avoid enabling reproduction while the issue is unremediated.

Recommended remediation:

Replace counter-based rolling codes with fresh-challenge cryptographic authentication (for example a bidirectional challenge-response keyed from a per-vehicle secret held in a secure element), reject stale or rolled-back counter values, and constrain resynchronization so that previously transmitted codes can never be re-accepted. Distance-bounding (e.g., UWB) further mitigates replay and relay against keyless entry.
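The fresh-challenge recommendation above, sketched as an added example; it is not code from ASRG, the reporter or the vendor. It shows a receiver that issues a single-use nonce per attempt and accepts only a MAC computed over that nonce, so a response recorded earlier has nothing to match. Assumptions: HMAC-SHA256, a 16-byte nonce, a 2-second validity window, and the hypothetical names `Receiver` and `fob_response`; a production design would keep the key in a secure element.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_S = 2.0  # assumed window in which a response must arrive
NONCE_LEN = 16         # fixed length keeps nonce || command unambiguous


def fob_response(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """Key fob side: MAC the receiver's nonce together with the command."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


class Receiver:
    """Vehicle side: one fresh, single-use challenge per lock/unlock attempt."""

    def __init__(self, key: bytes, clock=time.monotonic):
        self._key = key
        self._clock = clock
        self._pending = None  # (nonce, issued_at) or None

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        self._pending = (nonce, self._clock())  # replaces any older challenge
        return nonce

    def verify(self, command: bytes, tag: bytes) -> bool:
        pending, self._pending = self._pending, None  # consumed on pass or fail
        if pending is None:
            return False  # no outstanding challenge: nothing to resynchronize to
        nonce, issued_at = pending
        if self._clock() - issued_at > CHALLENGE_TTL_S:
            return False  # stale challenge
        expected = fob_response(self._key, nonce, command)
        return hmac.compare_digest(expected, tag)


def demo():
    key = secrets.token_bytes(32)  # constructed stand-in for the per-vehicle secret
    rx = Receiver(key)
    recorded = fob_response(key, rx.challenge(), b"UNLOCK")
    genuine = rx.verify(b"UNLOCK", recorded)   # answered the live challenge
    rx.challenge()                             # later attempt gets a new nonce
    replayed = rx.verify(b"UNLOCK", recorded)  # earlier response, wrong nonce
    return genuine, replayed


if __name__ == "__main__":
    print(demo())
```

Because the receiver holds no counter and no resynchronization window, there is no earlier state for it to be moved back to; binding the command into the MAC also prevents a valid lock response from being accepted as an unlock.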

References

Reporter: Danilo Erazo (independent automotive cybersecurity researcher)
Attack-class background: RollBack — a time-agnostic replay attack against automotive RKES (USENIX Security 2022)

Credits

Danilo Erazo (independent automotive cybersecurity researcher) (finder)

Timeline

Reported to ASRG by the finder under coordinated disclosure.

2026-06-25: Advisory published by ASRG. Vendor remediation pending.

Advisory Details

Affected Products
Suzuki Motor Corporation — Suzuki Swift, 2024 model year (observed on the SWIFT ISG GLS trim); Remote Keyless Entry System (RKES) rolling-code key fob, FCC ID CWTR53R0.
Problem Type
CWE-294 Authentication Bypass by Capture-replay
CAPEC ID
CAPEC-60 Reusing Session IDs (aka Session Replay)
CVSS 3.1
5.4
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
CVSS 4.0
5.3
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Published
Jun 25, 2026