Slashdot Mirror


Opening Fixed-Code Garage Doors With a Toy In 10 Seconds

Trailrunner7 writes: It may be time to upgrade your garage door opener. Security researcher Samy Kamkar has developed a new technique that enables him to open almost any garage door that uses a fixed code, and he implemented it on a $12 child's toy. The attack Kamkar devised, known as OpenSesame, reduces the amount of time it takes to guess the fixed code for a garage door from several minutes down to less than 10 seconds. Most commercially available garage door openers have a set of 12 DIP switches, which are binary, and provide a total of 4,096 possible code combinations. This is a highly limited keyspace and is open to brute-force attacks. But even on such a small keyspace, those attacks take some time.

With a simple brute-force attack, that would take 29 minutes, Kamkar said. To begin reducing that time, he eliminated the retransmission of each code, bringing the time down to about six minutes. He then removed the wait period after each code is sent, which reduced the time even further, to about three minutes. Looking to further reduce the time, Kamkar discovered that many garage door openers use a technique known as a bit shift register. This means that when the opener receives a 12-bit code, it will test that code, and if it's incorrect, the opener will then shift out one bit and pull in one bit of the next code transmitted.

Kamkar implemented an algorithm known as the De Bruijn sequence to automate this process and then loaded his code onto a now-discontinued toy called the Mattel IM-ME. The toy was designed as a short-range texting device for kids, but Kamkar reprogrammed it using the GoodFET adapter built by Travis Goodspeed. Once that was done, Kamkar tested the device against a variety of garage door openers and discovered that the technique worked on systems manufactured by several companies, including Nortek and NSCD. It also works on older systems made by Chamberlain, Liftmaster, Stanley, Delta-3, and Moore-O-Matic.
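The counting argument behind the 10-second figure is easy to see in a model. The following is an added example, not code from the submission or from Kamkar's OpenSesame release: it generates a binary de Bruijn sequence with the standard Lyndon-word construction, then feeds bit streams to two constructed receiver models. `unframed_receiver` behaves like the shift-register design described above (it compares the last n received bits after every bit, so a stream of 2^n + n - 1 bits exercises every code once), while `framed_receiver` is a hypothetical hardened variant that only evaluates a code delimited by pauses, which forces the sender back to n * 2^n bits. The gap marker and both receivers are assumptions made for the model; nothing here models radio timing.

```python
from itertools import product

GAP = None  # constructed marker for an inter-code pause in the modelled bit stream


def de_bruijn(k, n):
    """B(k, n): cyclic sequence of k**n symbols in which every k-ary word of
    length n occurs exactly once as a window (Lyndon-word construction)."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def de_bruijn_stream(n):
    """Linear stream: the cyclic sequence plus its first n-1 bits, so every
    n-bit window appears in one pass (2**n + n - 1 bits, no pauses)."""
    s = de_bruijn(2, n)
    return s + s[:n - 1]


def naive_stream(n):
    """One framed transmission per code: every code followed by a pause."""
    out = []
    for code in product((0, 1), repeat=n):
        out.extend(code)
        out.append(GAP)
    return out


def unframed_receiver(stream, n):
    """Shift-register model: keeps the last n bits and compares them against
    the stored code after every incoming bit; pauses are ignored."""
    matched = set()
    window = []
    for sym in stream:
        if sym is GAP:
            continue
        window.append(sym)
        del window[:-n]          # keep only the last n bits
        if len(window) == n:
            matched.add(tuple(window))
    return matched


def framed_receiver(stream, n):
    """Hardened model (assumption): bits are buffered and a code is evaluated
    only when a pause closes a frame of exactly n bits; anything else is
    discarded, so a continuous bit stream never matches."""
    matched = set()
    window = []
    for sym in stream:
        if sym is GAP:
            if len(window) == n:
                matched.add(tuple(window))
            window = []
            continue
        window.append(sym)
    if len(window) == n:         # trailing frame without a closing pause
        matched.add(tuple(window))
    return matched


def coverage_report(n):
    """How many of the 2**n codes each stream exercises on each receiver,
    and how many bits each stream costs."""
    naive = naive_stream(n)
    dbs = de_bruijn_stream(n)
    bits = lambda s: sum(1 for x in s if x is not GAP)
    return {
        "keyspace": 2 ** n,
        "naive_bits": bits(naive),
        "de_bruijn_bits": bits(dbs),
        "unframed_naive": len(unframed_receiver(naive, n)),
        "unframed_de_bruijn": len(unframed_receiver(dbs, n)),
        "framed_naive": len(framed_receiver(naive, n)),
        "framed_de_bruijn": len(framed_receiver(dbs, n)),
    }


if __name__ == "__main__":
    for key, value in coverage_report(12).items():
        print(f"{key:>20}: {value}")
```

For n = 12 the report shows the asymmetry the submission describes: the unframed receiver accepts all 4,096 codes from a 4,107-bit stream, a twelvefold reduction over the 49,152 bits of sending each code on its own, whereas the framed model matches nothing from the continuous stream. Framing alone only restores the original brute-force cost; the comments below are right that the lasting fixes are a keyspace large enough that exhaustive search is impractical and rolling codes, so that a captured or guessed value cannot be replayed.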

14 of 105 comments

  1. Simply use a smart power outlet by bagboy · Score: 2, Interesting

    and an app on your phone that you can turn on/off via wifi. Not foolproof, but certainly better.

  2. They still sell those? by Overzeetop · Score: 4, Insightful

    It's been several years since I bought an opener...and even then I can't remember seeing a major brand that wasn't a paired-system remote.

    --
    Is it just my observation, or are there way too many stupid people in the world?

    1. Re:They still sell those? by RenderSeven · Score: 2

      Yep. I haven't seen a fixed code DIP-switch remote for 20 years. And the last door I hacked with one only took 10 minutes brute force guessing. Even if it's 29 minutes, who needs a hack? And, to do it in 10 seconds you need to know the frequency in advance.

      If you're looking for a hack for the IM-ME, this Spectrum Analyzer mod looks downright cool and possibly even useful. Pretty wide frequency response too.

    2. Re:They still sell those? by stilwebm · Score: 2

      Most garage door openers built in the last 20 years do not use the DIP switch codes. Since the mid 1990s, most manufacturers switched to shared codes with a larger keyspace (~35-bit) - using the "learn" button on the opener - and in the early 2000s switched to rolling codes to limit code interception vulnerability.

      Of course most garage doors are a quick pry bar movement away from opening, so security is all relative.

    3. Re:They still sell those? by jep77 · Score: 2

      Rolling code alone doesn't address it. The length of the code is key. A MARCSTAR document from 1997 cites the code as 40 bits, over 1 trillion possibilities. If you could transmit 10,000 tries per second, it would take over 3 years to try all the possibilities. Even if you got lucky and hit the right code in the first 1% of attempts, it would still take almost 2 weeks of trying.

    4. Re:They still sell those? by arglebargle_xiv · Score: 5, Interesting

      I've seen the exact opposite, most openers are built using shitty Princeton 2262s, which sounds like what this guy hacked. Oh, and if you've been sold a fancy "rolling-code remote", open it up and look at the hardware, if it says 2262 on the chip (or one of the many derivatives) then you've been had (many so-called rolling-code remotes aren't, the vendors just claim they are).

      In practice it's even worse than the article points out, the switches are tri-state not binary but most vendors of remotes forget that so you go from 3^n to 2^n, and then they only use 8 of the 12 pins you can toggle on because they're on one side of the chip and they forget there's more around the other side. So you go from 3^12 to 2^8 combinations, meaning you'll hit the right one after 128 tries on average. The receivers have no rate-limiting, so you can run them far faster than the vendor specifies and scan the code space in seconds. The novel thing in this case is the use of de Bruijn sequences, and the fact that he scans the entire code space in the same time a standard scanner takes for the (admittedly far too common) badly-designed ones.

  3. There's a decent chance it's one of the big four by blueshift_1 · Score: 2

    Let's be honest, just check all on, all off, and alternating starting at 0 and 1.

  4. Re:So he built a garage door opener. by bill_mcgonigle · Score: 3

    The algorithm work is a good insight. The use of the toy is probably just for press coverage purposes, which may be a good strategy to get the word out and nudge social pressure to improve the industry.

    All the hackers already know he probably could have built a transmitter with Sparkfun parts faster and for less money, so we should try to understand his methods rather than just dismissing them.

    Not every security researcher is a PR genius, but the odds are much better than a Slashdot AC.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  5. Ah sweet nostalgia... by fustakrakich · Score: 2

    I remember the garage door opening and closing with every damn airliner flying overhead on finals.

    --
    “He’s not deformed, he’s just drunk!”

  6. Re:Good Dog by Bob+the+Super+Hamste · Score: 2

    Unless that dog is my sister's fucking malamute. It thinks everyone that shows up is there to feed it or let it out to play.

    --
    Time to offend someone

  7. This is why I don't like remote car locks by davidwr · Score: 2

    Because in 10 years, I can't be sure that a "hack-resistant" car lock on the 2015 car I buy today will be any stronger than these garage-door openers are now.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  8. Re: Bad men could do bad things with this tech! by ibpooks · Score: 3, Informative

    Why does it matter? The garage probably has a dozen different tools and garden or sports implements hanging on the wall that would make opening the door a trivial exercise whether locked or not. A person willing to break into the house once would certainly have no problem doing it twice.

  9. Re:Why the garage ? by Anonymous Coward · Score: 3, Interesting

    Wrong. You drive down any street with your toy and find a door that opens, you now know for sure you have access without ever leaving the getaway vehicle. Most people don't lock their inside garage door and the bad guys know this.

    No one even knows you opened the garage door, for all they know someone inside the house did.

    Once you go over the backyard fence, you've committed a crime, and you still don't know if you can actually get inside.

    Getting the garage door code minimizes your risk.

    I know to think this way because I used to live in a neighborhood destroyed by the housing bubble; crime, including drive-by shootings, went off the charts, we had to start a block watch, and the local PD rep told us lots of scary stuff.

  10. Re:Why the garage ? by amiga3D · Score: 2

    He did say most, not all. Even then I doubt that it's most but I'd bet that it's a significant amount. Even if it's only 10 percent that's one out of 10. Not bad for quick and easy.