General

Does Security+ 2.0 protect against a RollJam attack?

Short answer

No. Security+ 2.0's rolling codes stop simple replay attacks but not RollJam. RollJam jams the RF signal while capturing the rolling code, then replays it later. Trellix security researchers documented a related myQ Hub vulnerability where jamming the door sensor causes the hub to toggle the door open when the user manually retries. Wired contact-closure control is immune.

Security+ 2.0 is significantly more secure than the fixed-code openers it replaced. But the rolling-code technology it uses has one specific gap: it was designed to stop replay attacks, not jamming attacks. RollJam exploits that gap. Here is the protocol-level reason why, what CVE-2026-49319 means for myQ Hub users, and what countermeasures actually work.

What Security+ 2.0 was designed to stop

Security+ 2.0 uses a rolling-code algorithm developed by Microchip Technology called KeeLoq. When you press a remote, the remote generates a unique code from a synchronized counter and a secret encryption key. The opener expects the next code in the sequence. It accepts the current code, advances the counter, and rejects any previously used code.

This design stops replay attacks completely. An attacker who records your signal from a distance gets a code that has already been used. When they try to replay it, the opener rejects it because its counter has already advanced past that code.

What rolling codes were not designed to stop: an attack that jams the signal before the opener can receive and accept it, while simultaneously capturing the code for later use.

How RollJam exploits the gap in rolling codes

The RollJam attack, published by researcher Samy Kamkar in 2015, uses the jam-and-capture technique:

The attacker places a device near your home (in a car on the street, or in a nearby space). The device jams the 315 MHz frequency that Security+ 2.0 uses.
When you press your remote, the opener never receives the signal (it is jammed). You press again. The attacker's device captures both codes while jamming them. Then it replays the first captured code to open the door, so you see the door open on your second press and assume the first press just did not connect.
The attacker now holds the second captured code. Your opener's counter is still synchronized to accept code #2. The attacker can replay it at any time.

The rolling code protocol cannot detect this attack because from the opener's perspective, code #1 arrived and opened the door. Nothing unusual happened. The attacker's captured code #2 looks like a legitimate unused code when replayed later.

Security+ 2.0's KeeLoq implementation does not include jamming detection. The protocol has no way to know whether a failed transmission was due to RF interference, dead batteries, or a deliberate jam. That is the protocol-level vulnerability.

The myQ Hub sensor jamming attack

Trellix security researchers published a related vulnerability specific to the myQ Hub and its wireless door sensor. Their research describes the following attack:

The attacker jams the wireless signal between the myQ tilt sensor (the sensor that reports door position to the Hub) and the myQ Hub.
The Hub loses contact with the sensor and reports door status as "unknown" in the myQ app.
The user, seeing "unknown" status, manually retries the close command via the myQ app.
Because the Hub is stateless at this point (no reliable sensor data), it sends a toggle command to the opener. If the door was already closed and the toggle command arrives, the door opens.

This is a different mechanism from classic RollJam: the attacker does not need to capture any specific rolling code. They only need to jam the sensor long enough to induce the user to retry the close command. The vulnerability is specific to the myQ Hub's handling of sensor loss states.

Mitigation: Chamberlain advises that the vulnerability is mitigated when the door sensor is wired rather than wireless. A wired sensor cannot be jammed. The same mitigation applies to Konnected blaQ in wired mode and to any contact-closure smart controller that uses a wired door position sensor.

What protocols actually protect against RF jamming

No current widely-deployed residential garage door protocol is immune to the basic RollJam attack. The countermeasures that work are either physical or require a different type of communication:

Wired contact-closure control: if the smart home controller connects to the opener via wires to the wall button terminals, there is no wireless signal to jam. An attacker cannot intercept or jam a copper wire from outside your home. This is the strongest defense against RF-based attacks, including both RollJam and the CVE-2026-49319 sensor jamming.

Ultra-wideband (UWB) authentication: UWB-based presence authentication is more resistant to relay and jamming attacks than RF. It is beginning to appear in automotive keyless entry systems and is being evaluated for building access. UWB-capable garage door openers are not yet widely deployed as of 2026.

Frequency-hopping systems: some newer access control systems use frequency-hopping spread spectrum, which jumps between frequencies in a pattern the attacker cannot predict. Standard residential garage door openers do not use frequency hopping.

Security+ 3.0 and BLE: the new Security+ 3.0 protocol (white learn button, 2025+) uses 2.4 GHz Bluetooth Low Energy plus an encrypted 900 MHz radio channel, replacing the 315/390 MHz bands used by Security+ 2.0. BLE makes unauthorized wireless pairing harder but does not eliminate the possibility of capturing and replaying the radio signal from the remote itself. Security+ 3.0 has not been published as RollJam-immune.

Practical risk assessment for Security+ 2.0 users

The RollJam attack is real and documented. The barrier to executing it, however, is higher than most residential break-in methods. The attacker must:

Be physically present at your home with RF jamming and capture equipment
Be present at the exact moment you use your remote
Return later to use the captured code

Most residential break-ins use opportunistic methods: unlocked doors, open windows, forced entry at the weakest point of the building. RollJam requires advance setup and precise timing. For comparison, forcing a hollow-core side door takes about 30 seconds and no electronics. A burglar choosing between RollJam and a crowbar typically picks the crowbar.

That said, the risk is not zero. High-value targets (cars in the garage, known valuables) increase the motivation to invest in a more technical attack. If your garage contains a sports car, expensive tools, or other items clearly worth the effort, a wired controller plus a keyed deadbolt on the garage entry door into the house is a reasonable upgrade.

One practical hardening step that does not require any new hardware: disconnect your opener when on vacation. A physically disconnected opener (power cord unplugged) cannot respond to any RF command, whether a replay, a RollJam capture, or any other signal. This is the simplest protection for extended absences.

Countermeasure	Stops Simple Replay	Stops RollJam	Stops myQ sensor-jam attack
Security+ 2.0 rolling codes	Yes	No	No
Security+ 3.0 (BLE + radio)	Yes	Unclear	Partially
Wired contact-closure control	N/A	Yes (no RF)	Yes (wired sensor)
Physical door deadbolt	No	Yes (door locked)	Yes (door locked)
Unplug opener	N/A	Yes (no power)	Yes (no power)

For most homeowners: keep Security+ 2.0, understand its limits, and add a wired smart controller or a manual deadbolt if you want to reduce RF-based risk. G Brothers Garage Doors serves the Denver metro and Front Range. We install wired smart controllers on any opener generation. Free estimates, same-day service available. Licensed and insured.