It may be time to upgrade your garage door opener. Security researcher Samy Kamkar has developed a new technique that enables him to open almost any garage door that uses a fixed code–and he implemented it on a $12 child’s toy.
The attack Kamkar devised, known as OpenSesame, reduces the amount of time it takes to guess the fixed code for a garage door from several minutes down to less than 10 seconds. Most openers in commercially available garage door openers have a set of 12 dip switches, which are binary, and provide a total of 4,096 possible code combinations. This is a highly limited keyspace and is open to brute-force attacks. But even on such a small keyspace, those attacks take some time.
“Now in a common garage and clicker, we’re going to be using between an 8-12 bit code, and we see a single click sends the same code 5 times, and we see each ‘bit’ takes 2ms to send, with a 2ms wait period per bit after the entire code is sent. So a single 12-bit combination takes (12 bits * 2ms transmit * 2ms wait * 5 times = 240ms),” Kamkar said in a post explaining his new attack.
[youtube https://www.youtube.com/watch?v=iSSRaIU9_Vc&w=560&h=315]
With a simple brute-force attack, that would take 29 minutes, Kamkar said. To begin reducing that time, he eliminated the retransmission of each code, bringing the time down to about six minutes. He then removed the wait period after each code is sent, which reduced the time even further, to about three minutes. Looking to further reduce the time, Kamkar discovered that many garage door openers use a technique known as a bit shift register. This means that when the opener receives a 12-bit code, it will test that code, and if it’s incorrect, the opener will then shift out one bit and pull in one bit of the next code transmitted.
“So the garage actually tests: 011111100000 (incorrect) (chops off the first bit, then pulls in the next bit) 111111000000 (correct!) Meaning we sent 13 bits to test two 12-bit codes instead of sending a full 24 bits. Incredible!” Kamkar said.
“What’s even more beautiful is that since the garage is not clearing an attempted code, a 12 bit code also tests five 8 bit codes, four 9 bit codes, three 10 bit codes, four 11 bit codes, and of course one 12 bit code! As long as we send every 12 bit code, the 8-11 bit codes will all be tested simultaneously.”
Kamkar implemented an algorithm known as the De Bruijn sequence to automate this process and then loaded his code onto a now-discontinued toy called the Mattel IM-ME. The toy was designed as a short-range texting device for kids, but Kamkar reprogrammed it using the GoodFET adapter built by Travis Goodspeed. Once that was done, Kamkar tested the device against a variety of garage door openers and discovered that the technique worked on systems manufactured by several companies, including Nortek and NSCD. It also works on older systems made by Chamberlain, Liftmaster, Stanley, Delta-3, and Moore-O-Matic.
“I don’t think there’s any solution to having a really small key space. Upgrade is the only solution. Unfortunately the upgrades have their own set of problems, but no where nearly as bad,” Kamkar said via email.
Kamkar has released the source code for the OpenSesame attack, but he has modified it slightly so that it won’t actually work, to prevent criminals from using it.
Kamkar has a long history of creative projects like OpenSesame. Earlier this year he released a tool called KeySweeper, which is a $10 USB wall charger that can record keystrokes from wireless keyboards. And last year he released a project called SkyJack that could forcibly disconnect drones from their controllers and make them connect to his drone.
Kamkar said it took him quite a bit of time to get this attack in working order, but said he wasn’t working on it full time.
“I got all of this working late last year (2014). I just kept improving the attack over time and honestly, getting the pink toy working was the longest part. Using existing RF hardware to employ the attack takes seconds or minutes if you know what you’re doing, but making a mobile version on a very small hardware budget (very little memory to produce a lot of data) took many nights, on and off,” Kamkar said.
