Menu
Hacker turns toy into tool that can open garage doors in seconds

Hacker turns toy into tool that can open garage doors in seconds

The attack radically improves the time needed to crack the fixed codes of older garage door openers

A hacker reprogrammed a Girl Tech IM-me toy to hack garage doors

A hacker reprogrammed a Girl Tech IM-me toy to hack garage doors

Owners of fixed-code garage door openers might want to consider upgrading them because a researcher has developed a technique that guesses the numbers in seconds.

To showcase the new attack, which he dubbed Open Sesame, security researcher Samy Kamkar reprogrammed a children's toy designed for short-distance texting called Radica Girl Tech IM-me because it has all the needed wireless components and because "it's pink," his favorite color.

With a fixed-code garage door opener, the remote control, or "clicker" always transmits the same 8 to 12-bit binary code. For a 12-bit code, there are 4,096 possible combinations -- strings of 1s and 0s.

The fact that openers' fixed-codes can be cracked through brute-force is a known issue, but doing so was believed to take longer. A typical clicker resends the same code 5 times, with a transmission time of 2 milliseconds per bit and an additional wait time of 2 milliseconds between each bit.

By Kamkar's calculations, following this process to iterate through all possible combinations for 8, 9, 10, 11 and 12-bit codes would take 29 minutes.

However, it turns out that retransmitting the same code 5 times is unnecessary and so is the wait time between each bit. By removing those steps, the researcher found that the time needed to brute-force a fixed garage door opener code is reduced to about 3 minutes.

But that was still not fast enough for him. Kamkar then figured out that when the opener interprets a continuous string of bits it doesn't test the first 12 bits as a possible code and then the next 12 bits and so on.

Instead, the opener tests the first n bits in the string -- n can be 8, 9, 10, 11 or 12, depending on which code length is expected -- and then drops only the first bit and tests the remaining sequence again. For example, if the expected length would be 3 bits and the opener would receive a 101011 sequence, it would first try 101, then 010, then 101 and so on.

This finding allowed Kamkar to develop a so-called De Bruijn sequence -- a sequence that includes each combination of bits only once. This is based on a formula devised by Dutch mathematician Nicolaas Govert de Bruijn.

"OpenSesame implements this algorithm to produce every possible overlapping sequence of 8-12 bits in the least amount of time," Kamkar said. "How little time? 8.214 seconds."

And that's the worst case scenario. Typically the correct code will be found faster than that.

New generation garage door openers that use rolling codes -- also known as Intellicode, Security+ or hopping codes depending on vendor -- are not affected by this attack. However, vulnerable products are still sold by some manufacturers and many discontinued ones are likely still in use, Kamkar said.

Kamkar released proof-of-concept code for his attack on GitHub, but the code is intentionally incomplete to avoid abuse by criminals.

"It almost works, but just not quite, and is released to educate," the researcher said. "If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn't need my help in the first place, would you."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags GitHubsecurityphysical securityAccess control and authentication

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments