What is a RollJam attack and can it open my garage door?
RollJam is an RF attack discovered in 2015 that jams your remote's signal, captures the rolling code you transmit, then replays it later to open the door. Security+ 2.0 rolling-code openers are vulnerable. A RollJam device requires physical proximity and specialized equipment, so it is not a common opportunistic threat.
Rolling codes were supposed to solve the garage door security problem for good. They did solve the original problem. But RollJam exploits a gap in how rolling codes work, and it is worth understanding whether your opener is at risk and how realistic the threat actually is.
How rolling codes work and why they seemed secure
Before 1993, most garage door openers used a fixed code: one specific number that your remote transmitted every time you pressed the button. Anyone who recorded that signal could replay it later to open your door. This is called a replay attack.
Rolling codes, introduced in the early 1990s and standardized in protocols like Security+ 1.0 and 2.0, solved the replay attack. Every time you press the remote, it transmits a different code. The opener accepts the current code, then advances its expected sequence. A code already used is rejected. Even if someone recorded your signal, replaying it would not work because the opener has already moved past that code.
This worked against simple replay attacks. RollJam found the gap.
How RollJam defeats rolling codes
RollJam was demonstrated publicly by security researcher Samy Kamkar in 2015. The attack works in two steps that happen nearly simultaneously:
Step 1: Jam and capture. When you press your remote, a RollJam device transmits radio interference on the same frequency as your opener (315 MHz or 433 MHz, depending on the system). Your remote's signal is jammed, so the opener never receives it and the door does not open. The RollJam device captures the code your remote transmitted while the opener was jammed.
Step 2: Replay and capture. You press the button again because the door did not open. The RollJam device jams again, captures this second code, and simultaneously replays the first code to open the door. You see the door open on the second press and assume nothing was wrong. The attacker now holds your second unused rolling code.
Later, when you are gone, the attacker replays the captured second code and opens your door.
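The receiver-side logic behind this sequence can be modelled with no radio involved. The Python sketch below is an added example, not code from the original page or from any opener vendor. The HMAC-based code format, the key, the look-ahead window of 16 and the vacation_lock flag are assumptions for illustration and are not the Security+ 2.0 algorithm. It goes slightly beyond the text by showing two cases where the held code stops working: the owner's next press reaching the opener first, and vacation lock.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed pairing secret, not a real key
WINDOW = 16                    # assumed look-ahead the receiver tolerates

def code_for(counter):
    """Toy rolling code: 4-byte counter plus a truncated HMAC tag."""
    raw = counter.to_bytes(4, "big")
    return raw + hmac.new(KEY, raw, hashlib.sha256).digest()[:4]

class Receiver:
    def __init__(self):
        self.last = 0               # highest counter accepted so far
        self.vacation_lock = False  # when set, remote codes are ignored

    def receive(self, code):
        counter = int.from_bytes(code[:4], "big")
        if self.vacation_lock or not hmac.compare_digest(code, code_for(counter)):
            return False            # locked out, or tag does not verify
        if not self.last < counter <= self.last + WINDOW:
            return False            # already used, or too far ahead
        self.last = counter         # advance the expected sequence
        return True

def simulate(owner_presses_again=False, vacation_lock=False):
    """Replay the page's sequence from the receiver's point of view."""
    rx, out = Receiver(), {}
    first = code_for(1)
    out["normal_press"] = rx.receive(first)
    out["plain_replay"] = rx.receive(first)       # classic replay: rejected
    # Two presses the receiver never heard because both were jammed.
    held_1, held_2 = code_for(2), code_for(3)
    out["second_press_opens"] = rx.receive(held_1)  # first held code forwarded
    if owner_presses_again:
        # A later legitimate press moves the counter past the held code.
        out["owner_next_press"] = rx.receive(code_for(4))
    rx.vacation_lock = vacation_lock
    out["held_code_later"] = rx.receive(held_2)   # unused code, still "fresh"?
    return out

if __name__ == "__main__":
    for kwargs in ({}, {"owner_presses_again": True}, {"vacation_lock": True}):
        print(kwargs, simulate(**kwargs))
```

The receiver has no way to know that the third code was transmitted minutes or hours earlier; it only checks that the counter is ahead of the last one it accepted.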
The attack requires a device built with a software-defined radio (SDR), a jammer, and logic to handle the timing. Tools like the Flipper Zero, combined with open-source software, lower the technical barrier significantly compared to 2015 when custom hardware was required. A published 2024 variation uses AI to improve jamming precision and reduce the chance of detection.
CVE-2026-49319 documents a related vulnerability specific to myQ Hub wireless sensors: jamming the tilt sensor causes the hub to report door status as unknown. If a user then manually triggers close via the app, the stateless opener may toggle open instead of closing. This is distinct from classic RollJam but uses a similar jamming vector.
Is Security+ 2.0 vulnerable, and how serious is the risk?
Yes. Security+ 2.0 is a rolling-code protocol, and RollJam targets rolling codes. The jam-and-capture method works against Security+ 2.0 just as it works against other rolling-code systems.
Security+ 2.0 was designed to stop replay attacks, not jamming attacks. The protocol cannot tell the difference between "the remote was pressed and the signal happened to not reach the opener" and "the remote was pressed and the signal was jammed on purpose."
What Security+ 2.0 does very well: it stops simple replay attacks that fixed-code openers were vulnerable to. A signal captured from across a parking lot cannot open your door. That remains true. The specific threat it does not stop is RollJam.
The real-world risk, however, is low for most homeowners. The RollJam attack requires the attacker to be physically near your home with active jamming equipment at the exact moment you use your remote. A burglar cannot download your codes from the internet. They have to be present with specialized hardware at the moment you press the button.
Contrast this with a break-in through an unlocked side door, an open window, or a weak deadbolt. Those attacks need no technical knowledge and can happen at any time without advance setup. Most residential break-ins use those simpler methods.
That said, RollJam is a documented attack with published code. If you store high-value equipment in your garage, work in a high-security environment, or have reason to think you might be a targeted victim rather than a random one, the risk is worth taking seriously.
What actually protects against RollJam
Rolling codes alone do not stop RollJam. Here is what does provide meaningful protection:
Wired contact-closure integration. A smart home controller that opens and closes the door via a wired connection to the wall button terminals is completely immune to RollJam. There is no wireless signal to jam. This is the strongest garage-specific countermeasure.
Ultra-wideband (UWB) openers. UWB-based proximity authentication is beginning to appear in automotive and building access systems. It is significantly harder to spoof than RF. UWB-capable garage door openers are not widely deployed yet as of 2026, but they represent the technical direction the industry is moving.
Physical deadbolt backup. A manual slide-bolt lock on the inside of the door means that even if an attacker opens the door electronically while you are away, the door cannot be pushed up if the bolt is engaged. This is practical for vacation homes or longer absences.
Vacation mode or disconnect. Most garage door openers have a vacation lock mode that disables the remote entirely. This also disables RollJam, since there is no signal to jam and capture. Use it when you will be away for more than a few days.
Security+ 3.0 and BLE pairing do not fix RollJam specifically, as the attack targets the radio signal from the remote rather than the pairing handshake. However, the BLE-based proximity requirement in newer systems does add a layer of presence authentication beyond simple RF range.
What to do about your current opener
For most homeowners: Security+ 2.0 is still far better than a fixed-code opener, and the RollJam threat is low for standard residential use. Do not panic, but understand the limitation.
If you want to reduce garage-specific RF risk: install a wired smart home controller, use vacation lock mode when away for extended periods, and add a manual slide bolt if your door does not already have one.
G Brothers Garage Doors serves the Denver metro and Front Range. We can advise on opener security options and install contact-closure smart controllers compatible with any opener generation. Free estimates, same-day service available. Licensed and insured.
A few additional points worth knowing on the RollJam topic:
The Flipper Zero is often mentioned in RollJam discussions. The device can receive and replay RF signals, but it cannot perform a full RollJam attack out of the box. RollJam requires simultaneous jamming and capturing, which demands purpose-built software and additional hardware. The Flipper Zero lowered the skill floor for experimenting with RF signals but does not make RollJam trivial to execute.
Frequency matters for the attack as well. Security+ 2.0 operates on 315 MHz. Older garage door systems used 390 MHz or 433 MHz. A RollJam device must be built for the specific frequency of the target opener. This means an attacker targeting a 315 MHz opener needs equipment tuned for that band.
Finally, if you notice your garage door remote stops working reliably in a particular spot or at a specific time of day, and it is not a battery issue, consider whether RF interference from a nearby source could explain it. Repeated unexplained remote failures in the same location are worth noting, though most cases have mundane causes like competing RF sources or a weak remote battery.