Slashdot Mirror


Opening Fixed-Code Garage Doors With a Toy In 10 Seconds

Trailrunner7 writes: It may be time to upgrade your garage door opener. Security researcher Samy Kamkar has developed a new technique that enables him to open almost any garage door that uses a fixed code, and he implemented it on a $12 child's toy. The attack Kamkar devised, known as OpenSesame, reduces the amount of time it takes to guess the fixed code for a garage door from several minutes down to less than 10 seconds. Most commercially available garage door openers use a set of 12 binary DIP switches, which provide a total of 4,096 (2^12) possible code combinations. This is a highly limited keyspace and is open to brute-force attacks. But even on such a small keyspace, those attacks take some time.

With a simple brute-force attack, that would take 29 minutes, Kamkar said. To begin reducing that time, he eliminated the retransmission of each code, bringing the time down to about six minutes. He then removed the wait period after each code is sent, which reduced the time even further, to about three minutes. Looking to further reduce the time, Kamkar discovered that many garage door openers implement the receiver as a shift register. This means that when the opener receives a 12-bit code it tests that code, and if the code is incorrect it shifts out the oldest bit and pulls in one bit of the next code transmitted. In effect, every received bit is checked as the last bit of a possible 12-bit code, not just every twelfth bit, so there is no need to send each candidate code in full.

Kamkar exploited this with a de Bruijn sequence, a bit string in which every possible 12-bit code appears exactly once as a contiguous window, so a receiver that tests every bit position is walked through the entire keyspace in roughly 4,096 bits instead of 12 × 4,096. He loaded his code onto a now-discontinued toy called the Mattel IM-ME. The toy was designed as a short-range texting device for kids, but Kamkar reprogrammed it using the GoodFET adapter built by Travis Goodspeed. Once that was done, Kamkar tested the device against a variety of garage door openers and discovered that the technique worked on systems manufactured by several companies, including Nortek and NSCD. It also works on older systems made by Chamberlain, Liftmaster, Stanley, Delta-3, and Moore-O-Matic.
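The shift-register behaviour and the de Bruijn trick described in the summary, as an added Python illustration. This is not Kamkar's OpenSesame code (which ran on the IM-ME's radio) and not any vendor's receiver firmware: the receiver model (no preamble, no framing, no wait between codes, a compare after every bit), the 12-bit code width and the five-retransmissions figure used for comparison are assumptions made here. The generator is the standard Lyndon-word construction of B(k, n), so it also covers the k=3 tri-state symbol case, which goes beyond the binary case the summary discusses.

```python
# Added illustration of the OpenSesame idea: feed a de Bruijn sequence to a
# receiver that compares its last n bits against the fixed code after every
# received bit. Not Kamkar's code; receiver model and widths are assumptions.


def de_bruijn(k, n):
    """Return the de Bruijn sequence B(k, n) as a list of symbols 0..k-1.

    Fredricksen-Kessler-Maiorana construction (concatenate Lyndon words whose
    length divides n, in lexicographic order). The cyclic result has length
    k**n and contains every n-symbol string exactly once.
    """
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def attack_stream(n_bits=12):
    """Bits to transmit, in order: B(2, n) followed by its first n-1 bits, so
    every n-bit code appears as a contiguous window when sent linearly."""
    seq = de_bruijn(2, n_bits)
    return seq + seq[:n_bits - 1]


def brute_force_bits(n_bits=12, repeats=1):
    """Bits on the air for the naive attack: every code sent in full, `repeats`
    times each (remotes commonly repeat a code; 5 is an assumed figure)."""
    return (2 ** n_bits) * n_bits * repeats


class ShiftRegisterReceiver:
    """Toy model of the receiver behaviour described above (assumed): after each
    received bit the last n bits are compared against the fixed DIP-switch code.
    No sync word, no inter-code wait, no rate limiting."""

    def __init__(self, code, n_bits=12):
        self.code = code
        self.n = n_bits
        self.mask = (1 << n_bits) - 1
        self.window = 0
        self.bits_seen = 0
        self.opened_at = None  # bit count at which the door first opened

    def feed(self, bit):
        self.window = ((self.window << 1) | bit) & self.mask
        self.bits_seen += 1
        if (self.opened_at is None and self.bits_seen >= self.n
                and self.window == self.code):
            self.opened_at = self.bits_seen
        return self.opened_at is not None


def bits_until_open(code, n_bits=12):
    """Bits the attacker must send before a receiver set to `code` opens, or
    None if the stream never matches (it always matches for a correct stream)."""
    rx = ShiftRegisterReceiver(code, n_bits)
    for bit in attack_stream(n_bits):
        if rx.feed(bit):
            return rx.bits_seen
    return None


def distinct_windows(n_bits=12):
    """Number of distinct n-bit windows in the attack stream; 2**n means the
    whole keyspace is covered."""
    stream = attack_stream(n_bits)
    return len({tuple(stream[i:i + n_bits])
                for i in range(len(stream) - n_bits + 1)})


if __name__ == "__main__":
    n = 12
    print("brute force, 5 repeats per code:", brute_force_bits(n, repeats=5), "bits")
    print("brute force, one send per code: ", brute_force_bits(n), "bits")
    print("de Bruijn stream:               ", len(attack_stream(n)), "bits")
    print("distinct 12-bit windows covered:", distinct_windows(n))
    print("bits until code 0b101010101010 opens:", bits_until_open(0b101010101010, n))
```

The ratio of stream lengths (49,152 versus 4,107 bits for one transmission per code, and far more once retransmissions are included) is where the drop from minutes to seconds comes from; the real on-air time also depends on the receiver's symbol rate and on how much framing it insists on, which this model deliberately omits.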

3 of 105 comments

  1. Simply use a smart power outlet by bagboy · · Score: 2, Interesting

    and an app on your phone that you can turn on/off via wifi. Not foolproof, but certainly better.

  2. Re:Why the garage ? by Anonymous Coward · · Score: 3, Interesting

    Wrong. You drive down any street with your toy and find a door that opens; you now know for sure you have access without ever leaving the getaway vehicle. Most people don't lock their inside garage door, and the bad guys know this.

    No one even knows you opened the garage door, for all they know someone inside the house did.

    Once you go over the backyard fence, you've committed a crime, and you still don't know if you can actually get inside.

    Getting the garage door code minimizes your risk.

    I know to think this way because I used to live in a neighborhood destroyed by the housing bubble. Crime, including drive-by shootings, went off the charts, we had to start a block watch, and the local PD rep told us lots of scary stuff.

  3. Re:They still sell those? by arglebargle_xiv · · Score: 5, Interesting

    I've seen the exact opposite, most openers are built using shitty Princeton 2262s, which sounds like what this guy hacked. Oh, and if you've been sold a fancy "rolling-code remote", open it up and look at the hardware, if it says 2262 on the chip (or one of the many derivatives) then you've been had (many so-called rolling-code remotes aren't, the vendors just claim they are).

    In practice it's even worse than the article points out: the switches are tri-state, not binary, but most vendors of remotes forget that, so you go from 3^n to 2^n, and then they only use 8 of the 12 pins you can toggle on because they're on one side of the chip and they forget there's more around the other side. So you go from 3^12 to 2^8 combinations, meaning you'll hit the right one after 128 tries on average. The receivers have no rate-limiting, so you can run them far faster than the vendor specifies and scan the code space in seconds. The novel thing in this case is the use of de Bruijn sequences, and the fact that he scans the entire code space in the same time a standard scanner takes for the (admittedly far too common) badly-designed ones.