Hacker turns toy into tool that can open garage doors in seconds


The attack radically improves the time needed to crack the fixed codes of older garage door openers

A hacker reprogrammed a Girl Tech IM-me toy to hack garage doors


Owners of fixed-code garage door openers might want to consider upgrading them because a researcher has developed a technique that guesses the numbers in seconds.

To showcase the new attack, which he dubbed Open Sesame, security researcher Samy Kamkar reprogrammed a children's toy designed for short-distance texting called Radica Girl Tech IM-me because it has all the needed wireless components and because "it's pink," his favorite color.

With a fixed-code garage door opener, the remote control, or "clicker," always transmits the same 8 to 12-bit binary code. For a 12-bit code, there are 4,096 possible combinations -- strings of 1s and 0s.

The fact that openers' fixed codes can be cracked through brute force is a known issue, but doing so was believed to take longer. A typical clicker resends the same code 5 times, with a transmission time of 2 milliseconds per bit and an additional wait time of 2 milliseconds between each bit.

By Kamkar's calculations, following this process to iterate through all possible combinations for 8, 9, 10, 11 and 12-bit codes would take 29 minutes.

However, it turns out that retransmitting the same code 5 times is unnecessary and so is the wait time between each bit. By removing those steps, the researcher found that the time needed to brute-force a fixed garage door opener code is reduced to about 3 minutes.

But that was still not fast enough for him. Kamkar then figured out that when the opener interprets a continuous string of bits it doesn't test the first 12 bits as a possible code and then the next 12 bits and so on.

Instead, the opener tests the first n bits in the string -- n can be 8, 9, 10, 11 or 12, depending on which code length is expected -- and then drops only the first bit and tests the remaining sequence again. For example, if the expected length were 3 bits and the opener received a 101011 sequence, it would first try 101, then 010, then 101 and so on.

This finding allowed Kamkar to develop a so-called De Bruijn sequence -- a sequence in which each possible combination of n bits appears only once as an overlapping run. This is based on a formula devised by Dutch mathematician Nicolaas Govert de Bruijn.

"OpenSesame implements this algorithm to produce every possible overlapping sequence of 8-12 bits in the least amount of time," Kamkar said. "How little time? 8.214 seconds."

And that's the worst case scenario. Typically the correct code will be found faster than that.
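The figures quoted above (29 minutes, about 3 minutes, 8.214 seconds) can be reproduced from the article's own parameters. The following is an added example, not Kamkar's OpenSesame code: it models only the timing arithmetic and the receiver's sliding-window check, with no radio component, and all function names are assumptions made for illustration.

```python
# Added example: exposure arithmetic for fixed-code openers (constructed model, no RF).
BIT_MS = 2             # transmission time per bit, from the article
GAP_MS = 2             # wait time between bits, from the article
REPEATS = 5            # a typical clicker resends each code 5 times
LENGTHS = range(8, 13) # code lengths of 8 to 12 bits

def naive_seconds(repeats, gap_ms):
    """Time to send every code of every length back to back."""
    bits = sum(n * 2 ** n for n in LENGTHS)
    return bits * (BIT_MS + gap_ms) * repeats / 1000

def de_bruijn(n):
    """Binary de Bruijn sequence B(2, n) via the standard Lyndon-word construction."""
    a, seq = [0] * (n + 1), []
    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, 2):
            a[t] = j
            db(t + 1, t)
    db(1, 1)
    return seq + seq[:n - 1]  # unroll the cyclic sequence into a linear stream

def windows_seen(stream, n):
    """Codes a shift-register receiver tests: one n-bit window per incoming bit."""
    return {tuple(stream[i:i + n]) for i in range(len(stream) - n + 1)}

def coverage(stream):
    """For each code length, does the stream expose every possible code?"""
    return {n: len(windows_seen(stream, n)) == 2 ** n for n in LENGTHS}

def stream_seconds(stream):
    """Airtime of a continuous stream with no inter-bit wait."""
    return len(stream) * BIT_MS / 1000

if __name__ == "__main__":
    s = de_bruijn(12)
    print("with repeats and waits: %.1f min" % (naive_seconds(REPEATS, GAP_MS) / 60))
    print("no repeats, no waits:   %.1f min" % (naive_seconds(1, 0) / 60))
    print("overlapping stream:     %.3f s, %d bits" % (stream_seconds(s), len(s)))
    print("all 8-12 bit codes covered:", all(coverage(s).values()))
```

A single 12-bit sequence also covers every shorter code, because each 8 to 11-bit code is the start of some 12-bit window; this is why a receiver that checks a sliding window offers far less protection than the 4,096-code keyspace suggests.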

New generation garage door openers that use rolling codes -- also known as Intellicode, Security+ or hopping codes depending on vendor -- are not affected by this attack. However, vulnerable products are still sold by some manufacturers and many discontinued ones are likely still in use, Kamkar said.

Kamkar released proof-of-concept code for his attack on GitHub, but the code is intentionally incomplete to avoid abuse by criminals.

"It almost works, but just not quite, and is released to educate," the researcher said. "If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn't need my help in the first place, would you."

