Slashdot Mirror

← Back to Stories (view on slashdot.org)

Opening Fixed-Code Garage Doors With a Toy In 10 Seconds

Posted by Soulskill on from the your-cardboard-boxes-and-broken-sleds-are-not-safe dept.

Trailrunner7 writes: It may be time to upgrade your garage door opener. Security researcher Samy Kamkar has developed a new technique that enables him to open almost any garage door that uses a fixed code–and he implemented it on a $12 child's toy. The attack Kamkar devised, known as OpenSesame, reduces the amount of time it takes to guess the fixed code for a garage door from several minutes down to less than 10 seconds. Most openers in commercially available garage door openers have a set of 12 dip switches, which are binary, and provide a total of 4,096 possible code combinations. This is a highly limited keyspace and is open to brute-force attacks. But even on such a small keyspace, those attacks take some time.

With a simple brute-force attack, that would take 29 minutes, Kamkar said. To begin reducing that time, he eliminated the retransmission of each code, bringing the time down to about six minutes. He then removed the wait period after each code is sent, which reduced the time even further, to about three minutes. Looking to further reduce the time, Kamkar discovered that many garage door openers use a technique known as a bit shift register. This means that when the opener receives a 12-bit code, it will test that code, and if it's incorrect, the opener will then shift out one bit and pull in one bit of the next code transmitted.

Kamkar implemented an algorithm known as the De Bruijn sequence to automate this process and then loaded his code onto a now-discontinued toy called the Mattel IM-ME. The toy was designed as a short-range texting device for kids, but Kamkar reprogrammed it using the GoodFET adapter built by Travis Goodspeed. Once that was done, Kamkar tested the device against a variety of garage door openers and discovered that the technique worked on systems manufactured by several companies, including Nortek and NSCD. It also works on older systems made by Chamberlain, Liftmaster, Stanley, Delta-3, and Moore-O-Matic.

61 of 105 comments (clear)

  1. Simply use a smart power outlet by bagboy · · Score: 2, Interesting

    and an app on your phone that you can turn on/off via wifi. Not foolproof, but certainly better.

    1. Re:Simply use a smart power outlet by dslbrian · · Score: 1

      Indeed, inline one of these with the door opener.

      It can probably be rigged to automatically disable at night. Even better would be to disable anytime the controlling phone is out of WiFi range (not sure if that's possible).

  2. They still sell those? by Overzeetop · · Score: 4, Insightful

    It's been several years since I bought an opener...and even then I can't remember seeing a major brand that wasn't a paired-system remote.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:They still sell those? by JBMcB · · Score: 1

      That's what I was thinking. Cars with built-in garage door openers have supported paring/tumbling codes for at least 20 years.

      I'm guessing there are a LOT of old garage door openers around.

      --
      My Other Computer Is A Data General Nova III.
    2. Re:They still sell those? by RenderSeven · · Score: 2

      Yep. I havent seen a fixed code DIP-switch remote for 20 years. And the last door I hacked with one only took 10 minutes brute force guessing. Even if its 29 minutes, who needs a hack? And, to do it in 10 seconds you need to know the frequency in advance.

      If you're looking for a hack for the IM_ME this Spectrum Analyzer mod looks downright cool and possibly even useful. Pretty wide frequency response too.

    3. Re:They still sell those? by Tailhook · · Score: 1

      I replaced a fixed code system about 10 years ago. I'm sure there are plenty of old ones still in use, but this claim that "most openers in commercially available garage door openers" are still using these ancient techniques is bogus.

      Neat hack, but it isn't the revelation this misleading story claims.

      --
      Maw! Fire up the karma burner!
    4. Re:They still sell those? by stilwebm · · Score: 2

      Most garage door openers built in the last 20 years do not use the DIP switch codes. Since the mid 1990s, most manufactures switched to shared codes with a larger keyspace (~35bit) - using the "learn" button on the opener - and in early 2000s switched to rolling codes to limit code interception vulnerability.

      Of course most garage doors are a quick pry bar movement away from opening, so security is all relative.

    5. Re:They still sell those? by Bob+the+Super+Hamste · · Score: 1

      I have a Chamberlain 3/4hp one and it is probably getting close to 20 years old now. The only issues I have had with it are that I needed to replace the springs about 5 years ago and a couple of years ago I had to replace the stupid plastic gear that the worm gear turns because it got stripped out.

      --
      Time to offend someone
    6. Re:They still sell those? by Hussman32 · · Score: 1

      My house has the original opener that isn't rolling, it was built in 1983. Rolling code technology came out in 1993, which really isn't that long ago considering how often you need to replace them.

      --
      "Who are you?" "No one of consequence." "I must know." "Get used to disappointment."
    7. Re:They still sell those? by wcrowe · · Score: 1

      It's one of those appliances that lasts a long time and a lot of people don't think about it. I replaced my old style door about a year and a half ago, and the only reason I replaced it was because I installed it in 1995 and it suddenly occurred to me that it was easy to break into. Mechanically, the old opener worked perfectly. I am glad the new door installer wanted the old unit (he builds automatic flag-raising systems with them). At least the old unit didn't go to waste.

      --
      Proverbs 21:19
    8. Re:They still sell those? by TWX · · Score: 1

      I just took down an opener that was original equipment on my house from '79, an Allister Type IIA that was branded as a Delden Type II. It was on an accessory building so it did not need to have the sensors that doors on homes have to have, and it didn't even have a built-in receiver, one had to be added on extra if one wanted to use a radio control.

      I replaced it because I needed more ceiling clearance, so I went with a jackshaft opener. It was working fine when I took it down.

      The unit on the house itself is also pre-rolling-code, but has the capability of using the sensors for objects in the door path. A rolling-code receiver has been added and the original fixed-code mechanism disabled. I think it also dates to '79.

      --
      Do not look into laser with remaining eye.
    9. Re:They still sell those? by American+AC+in+Paris · · Score: 1

      Still plenty of openers from the 80's and 90's out there chugging away, and most homeowners aren't going to fix something that ain't broke. And while yes, a 10-second skeleton opener is "broke", that's still longer than it takes a practiced hand to pop a door or window open. Many folks are comfortable enough relying on the fact that doing either of these things lands you in very hot water with the local authorities that they're not too worried about not having reinforced locks and barred windows.

      --

      Obliteracy: Words with explosions

    10. Re:They still sell those? by jep77 · · Score: 2

      Rolling code alone doesn't address it. The length of the code is key. A MARCSTAR document from 1997 cites the code as 40 bits, over 1 trillion possibilities. If you could transmit 10,000 tries per second, it would take over 3 years to try all the possibilities. Even if you got lucky and hit the right code in the first 1% of attempts, it would still take almost 2 weeks of trying.

    11. Re:They still sell those? by neoritter · · Score: 1

      The one on my parents' garage is going on 20 years now. Don't know the brand off the top of my head sorry.

    12. Re:They still sell those? by swb · · Score: 1

      I use the dead bolt contraption on my door when I go out of town (and unplug the opener). I don't know how strong it is against a really big pry bar or someone using a hydraulic jack, but presumably it would frustrate the average dipshit with a small prybar.

      Really, most residential garage doors are more about keeping the weather out and a psychological barrier than a real physical barrier. I would bet you could just knock them in pretty easily unless they are made of a stronger material.

      I'd love one of those steel, high-security rollup doors in its place but it's not worth the cost, at least where I live.

    13. Re:They still sell those? by ncc74656 · · Score: 1

      Yep. I havent seen a fixed code DIP-switch remote for 20 years.

      Maybe not for garage doors, but the gate remote for my neighborhood has a block of 10 DIP switches inside. IIRC, the first two or three are flipped one way and the rest are flipped the other way (wow! such security!). Mine was issued in 2000, but the system probably was installed in '97 or '98.

      --
      20 January 2017: the End of an Error.
    14. Re:They still sell those? by arglebargle_xiv · · Score: 5, Interesting

      I've seen the exact opposite, most openers are built using shitty Princeton 2262s, which sounds like what this guy hacked. Oh, and if you've been sold a fancy "rolling-code remote", open it up and look at the hardware, if it says 2262 on the chip (or one of the many derivatives) then you've been had (many so-called rolling-code remotes aren't, the vendors just claim they are).

      In practice it's even worse than the article points out, the switches are tri-state not binary but most vendors of remotes forget that so you go from 3^n to 2^n, and then they only use 8 of the 12 pins you can toggle on because they're on one side of the chip and they forget there's more around the other side. So you go from 3^12 to 2^8 combinations, meaning you'll hit the right one after 128 tries on average. The receivers have no rate-limiting, so you can run them far faster than the vendor specifies and scan the code space in seconds. The novel thing in this case is the use of de Bruijn sequences, and the fact that he scans the entire code space in the same time a standard scanner takes for the (admittedly far too common) badly-designed ones.

    15. Re:They still sell those? by slipped_bit · · Score: 1

      Mine from 1983 is still going strong, too -- 32 years. I repaired it in 2001 when it stripped the gears. Also replaced a dried out motor capacitor at that time. It's also before the era of IR-beam sensors. It's from Sears, making it a re-branded Chamberlain or Lift-Master, as I recall.

    16. Re:They still sell those? by Demolition · · Score: 1

      My house has the original opener that isn't rolling, it was built in 1983. Rolling code technology came out in 1993 [wikipedia.org], which really isn't that long ago considering how often you need to replace them.

      Similar situation here. I have a side-by-side garage with two separate early-1980s openers manufactured by Overhead Door Company. Each opener came with two one-button remotes.

      One of the openers was damaged in 1994 (a roofing contractor backed into the door with his truck), so we ended up with the old fixed-code opener on the left door and a new rolling-code opener (also by Overhead Door) on the right. The new opener came with a pair of three-button remotes. Two buttons are strictly for rolling-code openers, but the third button can do both fixed- and rolling-code. Now, I can open both doors with one remote. Very handy.

      Anyway, the point is that some of these openers can last a long time. Like your opener, my remaining fixed-code example is verging on 33 or 34 years old. Considering how often it's opened and closed, it sometimes surprises me how it continues to operate so smoothly.

    17. Re:They still sell those? by undefinedreference · · Score: 1

      My parents have one with DIP switches from when the house was built, which was around the time I was born. No pressure plates.

      My girlfriend's grandfather has three of them, one for each of his three garage doors. I don't think any are newer than the mid-1980s, if that. One doesn't even have an optical sensor, none have the pressure plates.

      Most really don't do much work (that big spring up there is what is doing the work) and they're pretty simple, so I don't see any reason they shouldn't make it many decades. The problem is that the technology is laughably archaic and there has never been any incentive to make them better.

  3. There' a decent chance it's one of the big four by blueshift_1 · · Score: 2

    Let's be honest, just check all on, all off, and alternating starting at 0 and 1.

    1. Re:There' a decent chance it's one of the big four by Nukenbar · · Score: 1

      Haha. The code to my condo complex is #3.

    2. Re:There' a decent chance it's one of the big four by RenderSeven · · Score: 1

      Normally yes. But most of these were paired by the factory or professional installers who set them to more or less effectively random-ish codes. The few I've looked at had nothing I recognized as blatantly stupid.

  4. Re:So he built a garage door opener. by bill_mcgonigle · · Score: 3

    The algorithm work is a good insight. The use of the toy is probably just for press coverage purposes, which may be a good strategy to get the word out and nudge social pressure to improve the industry.

    All the hackers already know he probably could have build a transmitter with Sparkfun parts faster and for less money, so we should try to understand his methods rather than just dismissing them.

    Not every security researcher is a PR genius, but the odds are much better than a Slashdot AC.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  5. Re:So he built a garage door opener. by sexconker · · Score: 1

    The only thing remotely interesting is the bit about the openers trying all codes in a rolling window.
    If you send 01010101010110101010100 it tests, 01010100, 101010100, 10101010, 0101010100, etc. It's essentially doing a find operation for the code (be it 8 bits, 12, or whatever) in the entire mess of shit that you send it.
    Knowing this, the only work you need to do in the attack is work out the timing of sending a string that contains all 4096 combinations.

  6. Ah sweet nostalgia... by fustakrakich · · Score: 2

    I remember the garage door opening and closing with every damn airliner flying overhead on finals.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Ah sweet nostalgia... by Anonymous Coward · · Score: 1

      A friend of mine did this in KC,MO in 1985 for a design lab project. Back then every garage door opener used dip switches to setup the code. He built a small transmitter powered 12V car port and used a DAC to do the binary count that was then transmitted as the code. He was a really bright kid and got his A in the class. He was also asked to dismantle it and never build it again. 8^)

      We tested it by driving through neighborhoods and letting it run in a loop. We could open just about every garage door on a street as we drive by. Not exactly a new idea. He just used a newer platform to run it on.

  7. Or... by SuperKendall · · Score: 1

    This really brings to mind the XKCD comic about the wrench and the password...

    You could spend a lot of effort hacking an opener OR just break a window and go in to get the better stuff.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  8. Re:So he built a garage door opener. by antiperimetaparalogo · · Score: 1

    I am not a "hacher" (nor a burglair!), but it was baffling for me why he used a toy and not build it himself, so: good points about the "press coverage purposes"!

    --
    Antisthenes: "Wisdom begins by examining the words/names." - excuse my English, i am (slightly...) better with my Greek!
  9. CB Radio by krray · · Score: 1

    Ah, I remember the old days. Driving around the neighborhood and keying up the mic on the CB radio. One of the channels would open dozens of doors around the neighborhood...

    1. Re:CB Radio by 0bject · · Score: 1

      We had to unplug our garage door when we wanted to play with our RC car or the door would go up and down.

  10. Fun hack of dubious value by countSudoku() · · Score: 1

    Pretty cute to house it in a child's toy when you can go to the hardware store and buy a universal garage door opener remote for $30 which already has all the codes you would need and instructions on how to open every brand. Then, to get the "loot" (broken things, my awesome gas-power mower, various motoring fluids, sweet Guitar Hero guitars and a drum set (that's got to be worth $8), other low-tech child's toys, a shitty ladder, a shitty mop, and some other really shitty stuff) you merely have to disguise your rape van to look like a laundry delivery service van(or NSA surveillance van, your choice) so you can do your nearby attack, in the middle of the daytime. Good luck with that!

    There are some valuables inside the main house, but now you have to break in there too. Still, many folks consider this a viable option than to read some books, get some skills and make better money at a real job, but that's too hard. HAHAHAHAHA!!1! What dopes.

    --
    This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
    1. Re:Fun hack of dubious value by PIBM · · Score: 1

      If the alarm system is activated (no one at home) and the garage door open and the rfid of one of the cars aren't detected in a specific amount of time (detection confirmation by opening the lights for the next 5 minutes) the silent alarm is triggered. Why isn't that standard ?

  11. Good Dog by pubwvj · · Score: 1

    This is when you begin to understand how much better a dog is than a garage door.

    1. Re:Good Dog by Bob+the+Super+Hamste · · Score: 2

      Unless that dog is my sister's fucking malamute. It thinks everyone that shows up is there to feed it or let it out to play.

      --
      Time to offend someone
    2. Re:Good Dog by jep77 · · Score: 1

      Wait a second... I left my garage door so I can park my car inside. If I lift my dog and then move the car forward, I'm going to smash into the house!

    3. Re:Good Dog by jep77 · · Score: 1

      Lift. I lift my garage door. Stupid vowels.

  12. or the old way by beefoot · · Score: 1

    Most garage door I've seen are secured with a simple latch. How about pry open the bottom of the door and pull it up. I'm sure it takes less than a few seconds. No?

    1. Re:or the old way by Gilgaron · · Score: 1

      Yeah, my neighbor's house caught fire when they weren't there and before the firemen went in a policeman opened the garage door with a pry bar in about 3 seconds reaching through the top. Looked like he disengaged the chain.

  13. This is why I don't like remote car locks by davidwr · · Score: 2

    Because in 10 years, I can't be sure that a "hack-resistant" car lock on the 2015 car buy today will be any stronger than these garage-door openers are now.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. Re:WTF? by Half-pint+HAL · · Score: 1

    Journalist fails to understand technology shocker! This is just another way of stating that the attack exploits the bit-shift behaviour.

    --
    Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'
  15. Re: Bad men could do bad things with this tech! by ibpooks · · Score: 3, Informative

    Why does it matter? The garage probably has a dozen different tools and garden or sports implements hanging on the wall that would make opening the door a trivial exercise whether locked or not. A person willing to break into the house once would certainly have no problem doing it twice.

  16. I sincerely hope... by chispito · · Score: 1

    I sincerely hope he didn't test it in a densely populated neighborhood. I imagine garage doors around the block opening and closing as he's standing there with his test unit, "Nope, let's try this... Nope, let's try this..."

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  17. Re:WTF? by Nonesuch · · Score: 1

    It's right in the summary, "...algorithm known as the De Bruijn sequence", named after the Dutch mathematician Nicolaas Govert de Bruijn, The algorithm is interesting and actually has a number of other practical applications beyond breaking weak codes.

    --

    I do not deploy Linux. Ever.
  18. Re:Why the garage ? by Anonymous Coward · · Score: 3, Interesting

    Wrong. You drive down any street with your toy and find a door that opens, you now know for sure you have access without ever leaving the getaway vehicle. Most people don't lock their inside garage door and the bad guys know this.

    No one even knows you opened the garage door, for all they know someone inside the house did.

    Once you go over the backyard fence, you've committed a crime, and you still don't know if you can actually get inside.

    Getting the garage door code minimizes your risk.

    I know to think this way because I used to live in a neighborhood destroyed by the housing bubble, crime, including drive by shootings, went off the charts, we had to start a block watch, and the local PD rep told us lots of scary stuff.

  19. How it's done in this neighbourhood by Maow · · Score: 1

    Thieves just take some type of sharp blade, cut a "V" shape into the garage door, reach in (likely with a hooked tool), pull the manual T-shaped handle that's connected with a rope to the locking latch mechanism, tug it, door's unlocked.

    I counted about 10 such damage marks between 49th and 54th Ave in one laneway.

    1. Re:How it's done in this neighbourhood by Darinbob · · Score: 1

      True. No one should rely on their garage door as a security mechanism. Don't keep valuables in the garage. If someone wants to steal your car then the best lock in the world won't keep them out if your door isn't steal or you have glass windows.

    2. Re:How it's done in this neighbourhood by Maow · · Score: 1

      Indeed.

      One neighbour, behind us, had their garage door sliced open on one occassion, and on another had the car in their car port broken into.

      The thief was a particularly nasty prick, as they used a pry bar to pry the driver's door open, using the roof as a fulcrum.

      The door was bent enough to reach inside and the roof was dented.

      When all the thieving bastard had to do was break glass. Thousands of dollars damage instead of low hundreds.

      Prick.

      Another neighbour, two doors up from them, had their door sliced and the freezer full of food in there was emptied. Frozen food!

      I had my catalytic converter stolen...

      I hate thieves.

  20. 2012 called by mOzone · · Score: 1

    https://myspace.com/householdh...

    http://www.shomer-tec.com/inde...
    use to sell one that would do any older door in under 2 mins

    and a couple of other websites showing code transmit open/close errors etc etc
    dude didnt have to alter-code this is been out there for around 12 years

  21. Re:He hacked the garage doors by mOzone · · Score: 1

    this has been out in other forms since 2000s https://myspace.com/householdh...

    if you dig around you can buy them prebuilt for police use etc etc

    police ones open tons of doors

  22. Not a big deal by sk999 · · Score: 1

    Hacking my garage door opener is the hard way in. The left garage door and side door are both unlocked and open much faster. It's detached from the house - all you could steal are rusty tools and flower pots.

  23. Re:Why the garage ? by amiga3D · · Score: 2

    He did say most, not all. Even then I doubt that it's most but I'd bet that it's a significant amount. Even if it's only 10 percent that's one out of 10. Not bad for quick and easy.

  24. Upgrade kits by rwa2 · · Score: 1

    It's been several years since I bought an opener...and even then I can't remember seeing a major brand that wasn't a paired-system remote.

    Argh, damn you Slashdot, get out of my Amazon purchase history!
    http://www.amazon.com/gp/produ...

    I guess 1993 was about when the garage door companies standardized on the the rolling-code thingy that has to be paired to each remote.

    Though now I'm kicking myself for not just building my own https garage door opener using
    http://www.instructables.com/i... so I can let the kids in remotely when they forget their keys.

  25. Toys for grown ups. by Col.+Bloodnok · · Score: 1

    I have two of those toys on my desk right now, they are useful dev kits for the TI CC1110 microcontroller - an 8051 based core with 32K flash and 4K RAM.

    You also get a CC1111 part inside the wireless dongle which comes with it.

    If you look at the PCB in the device, it is a hardware hackers dream. The debug port is broken out onto pads inside the battery compartment, and there are test pads all over.

    The SPI screen is bitmap addressable and the keyboard is sanely wired up. You even get a piezo buzzer and 2 LEDs under software control.

    It also runs at 2.5V on 3 AA cells, via a pretty nice LDO regulator that cuts out at 2.9V, so a set of NiMH cells will run down to 1V per cell, squeezing out almost every last drop of juice.

    One of my IM-MEs cost £1, I forget what I paid for the other one, but it wasn't over a fiver.

  26. Re:Why the garage ? by peragrin · · Score: 1

    I would put it closer to fifty percent.

    However once the garage is ready. You can then close the garage and work inside which muffles the sounds of breaking a lock and jam nicely. And even if some one hears something they can't see it.

    --
    i thought once I was found, but it was only a dream.
  27. Re:Why the garage ? by mysidia · · Score: 1

    Most people don't lock their inside garage door and the bad guys know this.

    Even if you do... the garage may be seen as a "great place to hide"

    If the thieves happen to know you're on vacation, they can get into the garage with the remote code.. close the door behind them. Cut power to the opener...

    And break-in at their leisure; using all the screwdrivers and power tools people often leave in their garage.

    Another concern is that in the event the bad guy set off a burglar alarm; no worries -- all they have to do is hang tight, bide their time while they locate and destroy or cut all the cables on the control box, and the police will come and leave, because; "Everything looks secure. No signs of forced entry. Looks like a false alarm."

    Once the authorities have been away for 15 minutes, proceed, with noone the wiser.

    Best to put a physical locking mechanism on that door that will require an assault that creates evidence of entry.

  28. Re:Why the garage ? by PrimaryConsult · · Score: 1

    Depends on the neighborhood... before I moved to an apartment building I had a roommate who lost his key. For months (eventually we gave up searching and got a replacement), we just didn't bother to lock the door unless we were both home.

    We would also regularly leave the back door unlocked.

    The cat escaped by opening the front door, and the actual door was wide open for hours that day.

    As has been said, the windows are a far more vulnerable target. If they decided to enter your home they are going to. Hell the first day my forgetful roommate got back without his key he simply opened the window on the porch and climbed in!

  29. Re:Why the garage ? by mysidia · · Score: 1

    I think most res. garage door openers these days are rolling code.... all the reasonably-rated openers i've seen for sale today are rolling code not fixed.

    On the other hand, even if you do have a rolling code opener it's likely vulnerable to.... the coat hanger attack on the backup release, which I understand takes a practiced person about 10 seconds and doesn't matter whether it's a fixed code or rolling code opener.

  30. New wife time? by RockDoctor · · Score: 1

    It may be time to upgrade your garage door opener

    This time I'll get a model with better suction, three holes and a more understanding attitude.

    --
    Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  31. 2600 by johnsnails · · Score: 1

    2600 had a similar article that covers this called 'Brute forcing PIN Code keypads using combinational mathematics' in Spring 2014, uses the same technique to minimise the number of digits needed to crack an electronic pin lock.

  32. Re:Why the garage ? by amiga3D · · Score: 1

    New doors may be immune but how many 20 year or older doors are out there?