Hacker turns toy into tool that can open garage doors in seconds

# Hacker turns toy into tool that can open garage doors in seconds

The attack radically improves the time needed to crack the fixed codes of older garage door openers

Owners of fixed-code garage door openers might want to consider upgrading them because a researcher has developed a technique that guesses the numbers in seconds.

To showcase the new attack, which he dubbed Open Sesame, security researcher Samy Kamkar reprogrammed a children's toy designed for short-distance texting called Radica Girl Tech IM-me because it has all the needed wireless components and because "it's pink," his favorite color.

With a fixed-code garage door opener, the remote control, or "clicker" always transmits the same 8 to 12-bit binary code. For a 12-bit code, there are 4,096 possible combinations -- strings of 1s and 0s.

The fact that openers' fixed-codes can be cracked through brute-force is a known issue, but doing so was believed to take longer. A typical clicker resends the same code 5 times, with a transmission time of 2 milliseconds per bit and an additional wait time of 2 milliseconds between each bit.

By Kamkar's calculations, following this process to iterate through all possible combinations for 8, 9, 10, 11 and 12-bit codes would take 29 minutes.

However, it turns out that retransmitting the same code 5 times is unnecessary and so is the wait time between each bit. By removing those steps, the researcher found that the time needed to brute-force a fixed garage door opener code is reduced to about 3 minutes.

But that was still not fast enough for him. Kamkar then figured out that when the opener interprets a continuous string of bits it doesn't test the first 12 bits as a possible code and then the next 12 bits and so on.

Instead, the opener tests the first n bits in the string -- n can be 8, 9, 10, 11 or 12, depending on which code length is expected -- and then drops only the first bit and tests the remaining sequence again. For example, if the expected length would be 3 bits and the opener would receive a 101011 sequence, it would first try 101, then 010, then 101 and so on.

This finding allowed Kamkar to develop a so-called De Bruijn sequence -- a sequence that includes each combination of bits only once. This is based on a formula devised by Dutch mathematician Nicolaas Govert de Bruijn.

"OpenSesame implements this algorithm to produce every possible overlapping sequence of 8-12 bits in the least amount of time," Kamkar said. "How little time? 8.214 seconds."

And that's the worst case scenario. Typically the correct code will be found faster than that.

New generation garage door openers that use rolling codes -- also known as Intellicode, Security+ or hopping codes depending on vendor -- are not affected by this attack. However, vulnerable products are still sold by some manufacturers and many discontinued ones are likely still in use, Kamkar said.

Kamkar released proof-of-concept code for his attack on GitHub, but the code is intentionally incomplete to avoid abuse by criminals.

"It almost works, but just not quite, and is released to educate," the researcher said. "If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn't need my help in the first place, would you."

Or

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

## Events

### Reseller News Innovation Awards 2020

Channel Choice Awards - Voting Open

### Women in ICT Awards (WIICTA) 2020

Finalists Revealed

### EDGE 2020

EDGE 2020 Goes Virtual

## Slideshows

### Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

### Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

### Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

## Latest News

Sep 25
5 ways agile devops teams can support IT service desks
10:09AM
Exclusive Networks signs up Infoblox in A/NZ
10:08AM
Napier cloud platform developer Magiq Software wins elite AWS status
09:18AM
Tyler Technologies clients report suspicious logins after hack
More News

## Reseller News Events

21 Oct
Reseller News Innovation Awards 2020
10 Nov
EDGE 2020
17 Nov
Reseller News WIICTA 2020
View all events