
I am Danilo Erazo, an independent hardware security researcher. I discovered and exploited several vulnerabilities in cars with key fobs that use learning codes as part of their keyless entry systems (KES). Currently, all vehicles worldwide use rolling codes in their alarm systems to lock or unlock the vehicle. The use of rolling codes in vehicle security systems became popular worldwide in the mid-1990s and reached Latin America soon after, around the late 90s and early 2000s. Rolling code is a technology primarily implemented in remote door-opening systems using radio frequency. It uses a code that changes randomly with each use, making cloning or replay attacks difficult.
Any vehicle that does not use rolling codes instead uses fixed codes, which are vulnerable to replay (key cloning) and brute force attacks. Among fixed codes, there are learning codes, which, unlike common fixed codes, are programmable rather than soldered into the key fob, in both the receiver and the transmitter. Therefore, each vehicle has a different set of learning codes, and a receiver typically allows programming up to 4 learning codes (fixed codes). They are called learning codes because, to program them, the receiver “learns” or stores the signal emitted by the key fob, recording the fixed code. This system is vulnerable to replay attacks: anyone who captures the vehicle’s radio frequency signal can clone it, because the code does not change and is always sent on the same frequency (315, 370, or 433 MHz).
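The difference between the two receiver designs can be modelled in a few lines. This is an added example, not code from the research or from AutoRFKiller: the class names, the sample code and the key are constructed, and the rolling scheme is a simplified counter-plus-HMAC stand-in, not KeeLoq or any vendor's algorithm.

```python
import hashlib
import hmac

class LearningCodeReceiver:
    """Fixed-code receiver as described above: stores up to 4 learned codes."""
    MAX_SLOTS = 4

    def __init__(self):
        self.slots = []

    def learn(self, code):
        if len(self.slots) >= self.MAX_SLOTS:
            return False              # all slots already programmed
        self.slots.append(code)
        return True

    def receive(self, code):
        return code in self.slots     # no freshness check: a frame never expires

def fob_frame(key, counter):
    """Hypothetical rolling frame: counter plus a truncated HMAC over it."""
    tag = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]
    return counter, tag

class RollingCodeReceiver:
    """Simplified counter + MAC model, not KeeLoq or any vendor's algorithm."""
    WINDOW = 16                       # assumed resynchronisation window

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def receive(self, frame):
        counter, tag = frame
        if not hmac.compare_digest(tag, fob_frame(self.key, counter)[1]):
            return False              # not produced with the shared key
        if not self.last_counter < counter <= self.last_counter + self.WINDOW:
            return False              # already used, or too far ahead
        self.last_counter = counter
        return True

def replay_outcomes():
    """Deliver the same frame twice to each receiver: (first, replayed)."""
    fixed = LearningCodeReceiver()
    fixed.learn(0x5A3C1)              # constructed 20-bit code
    key = bytes(range(16))            # constructed shared key
    rolling = RollingCodeReceiver(key)
    frame = fob_frame(key, 1)
    return {"fixed": (fixed.receive(0x5A3C1), fixed.receive(0x5A3C1)),
            "rolling": (rolling.receive(frame), rolling.receive(frame))}
```

The fixed-code receiver accepts the second delivery of the same frame, while the counter check in the rolling model rejects it.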
The chip used in the KIA Ecuador 2022 key fobs is the HS2240, which is a learning code chip. The KIA Ecuador 2023 and 2024 key fobs use the EV1527 chip, which is also a learning code chip, meaning these key fobs are vulnerable to replay or signal cloning attacks. All this information was obtained through independent research conducted by Engineer Danilo Erazo (Ethical Hacker, Pentester, and Hardware/Car Security Research), founder of Reverse Everything and coordinator of the Car Hacking Village at Ekoparty in Argentina. This research was presented live at DEFCON32 2024 (August) and Ekoparty 2024 (November), the most important technical hacking events on the continent. In these talks, all vulnerabilities related to learning codes were demonstrated for the first time, concluding the following:
- Any vehicle using learning codes can be opened via brute force, as the learning code has a range of 1 million possible fixed codes. The probability increases because vehicles can have up to 4 learning codes, meaning brute force is applied to 4 codes simultaneously.
- Any vehicle using learning codes can be opened by capturing the signal that opens the vehicle using an antenna. Then, this signal is replicated, and since it is always the same (because it does not change), it is possible to clone the key fob. See replay/cloning attack for KIA Ecuador 2024 key fob.
- Vehicles with key fobs based on learning codes are vulnerable to backdoors. This means an attacker can set an additional learning code on the receiver to open the vehicle with their own external fixed code, outside of the owner’s codes. This is possible because receivers typically accept up to 4 learning codes: two for the owner and two additional slots for configuring other external keys (from malicious actors). Therefore, this backdooring can occur in the production chain of the vehicle before it reaches the end user.
- The use of learning codes presents a serious global collision problem. That is, one vehicle’s key fob could open another vehicle or even a garage door using learning codes. This probability increases because chip manufacturers use the same range to generate fixed codes for learning codes. For example, chips like HS2240, EV1527, HS1527, among others, generate key fobs with fixed codes within the same range of 1 to 1,048,576 possible combinations. At some point, this 1 million combinations range will be filled, or may already be filled, due to the large number of devices using this range. Just in Ecuador, there are thousands of vehicles with these key fobs, plus devices like garage doors that use learning codes worldwide, along with the vulnerable vehicles entering each country daily.
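The keyspace and collision conclusions above can be put into numbers. The following is an added example, not part of the original research; it assumes fixed codes are drawn uniformly from the 1,048,576 values the page cites, and the population sizes used with it are constructed.

```python
import math

KEYSPACE = 1_048_576   # fixed codes per chip family, as stated above (2**20)
MAX_SLOTS = 4          # learning codes a receiver typically stores, per the page

def p_code_accepted(enrolled=MAX_SLOTS, keyspace=KEYSPACE):
    """Chance that one arbitrary code matches any enrolled slot."""
    return enrolled / keyspace

def p_any_shared_code(devices, keyspace=KEYSPACE):
    """Birthday bound: chance that at least two of `devices` fobs share a code."""
    if devices > keyspace:
        return 1.0
    # Sum logs of (1 - i/keyspace) to avoid underflow in the long product.
    log_unique = sum(math.log1p(-i / keyspace) for i in range(devices))
    return -math.expm1(log_unique)

def devices_for_collision(target=0.5, keyspace=KEYSPACE):
    """Smallest number of fobs for which a shared code is at least `target` likely."""
    log_unique, n = 0.0, 0
    while -math.expm1(log_unique) < target:
        log_unique += math.log1p(-n / keyspace)
        n += 1
    return n

def expected_foreign_receivers(receivers, enrolled_each=2, keyspace=KEYSPACE):
    """Expected number of unrelated receivers that accept one given fob's code."""
    return receivers * p_code_accepted(enrolled_each, keyspace)

if __name__ == "__main__":
    print(f"per-code acceptance with 4 slots: {p_code_accepted():.2e}")
    print(f"fobs for a 50% shared-code chance: {devices_for_collision()}")
    # 100,000 receivers is a constructed population, not a figure from the page.
    print(f"foreign receivers per fob: {expected_foreign_receivers(100_000):.3f}")
```

Under the uniform assumption, a shared code becomes more likely than not once a little over a thousand fobs are in circulation, far below the number of devices the page describes.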
This research sheds light on critical vulnerabilities in car KES systems, offering insight into the risks posed by learning code technologies used in key fobs.

I presented my research for the first time at DEFCON32 in Las Vegas, August 2024. Complete detailed explanation in English of the vulnerabilities present in key fobs with learning codes, including KIA Ecuador key fobs – Event: DEFCON32 Las Vegas Nevada 2024:
Complete detailed explanation in Spanish of the vulnerabilities present in key fobs with Learning Code – KIA Ecuador – Cybersecurity Event Ekoparty 2024 in Buenos Aires, Argentina:
Currently in Ecuador, there are many car thefts occurring in public and private parking lots, and in many cases, the vehicles affected have this vulnerability. It is confirmed that the Kia Soluto, Kia Río, and Kia Picanto models from 2022, 2023, or 2024 come with these insecure KES installed. The KIA Ecuador key fob from 2022 and early 2023 used the HS2240 chip, as shown below:
This key fob has the HS2240 learning code chip:
Reverse Engineering applied to the Key Fob circuit of Kia Ecuador:

Reverse engineering applied to the learning code before being modulated:

Comparison of the results of Radio Frequency Hacking and Hardware Hacking:

Video of how to unlock a car with the KIA Ecuador key fob:
Finally, these key fobs are installed in some new KIA cars in Ecuador, and there is also the option to purchase them from the KIA Ecuador website. These key fobs are not an official part of KIA cars, but KIA Ecuador carries out the homologation process for them to be installed with the KIA logo on official cars assembled in Ecuador.
I developed AutoRFKiller, a tool that can unlock any car using key fobs with learning codes. The tool is built in Python using the GNURadio module and requires a HackRF SDR device. Additionally, I incorporated attacks targeting cars with rolling code systems, including the rolljam attack, to unlock vehicles effectively. This tool was presented at DEFCON32.

It is known that this issue does not only affect KIA Ecuador. It is estimated that other countries in the region also officially implement vulnerable key fobs, so the goal is to promote key fob research in Latin America.
Solution:
- As users and vehicle buyers, we must demand that the key fobs installed in our cars use rolling code technology, a security measure that has existed since the 1990s to prevent key cloning. It is unacceptable that, in 2024, systems based on fixed codes are still in use, and even more concerning that such key fobs are being officially installed. Currently, dealerships condition the vehicle warranty on the installation of these outdated key fobs, indirectly exposing and forcing users into serious security vulnerabilities.
- The vulnerability was reported to KIA Ecuador in May 2024, but there was no success in remediation/mitigation. The vulnerability is now being managed with the support of ASRG ‘Automotive Security Research Group,’ a non-profit group that helps in reporting vulnerabilities in vehicles worldwide. The process of reporting this vulnerability has been complex, as there is no solid automotive cybersecurity culture in Ecuador and much of Latin America. As a result, vehicles assembled in the region often do not undergo security analysis of installed key fobs, leaving significant gaps in user protection against thefts.
- Uninstall the key fob using learning code and replace it with one using rolling code.
Datasheet chip EV1527: https://pdf1.alldatasheet.com/datasheet-pdf/view/1132432/ETC2/EV1527.html
Datasheet chip HS2240: https://www.datasheet4u.com/datasheet-pdf/HUIYUAN/HS2240/pdf.php?id=951682