Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

Opening Fixed-Code Garage Doors With a Toy In 10 Seconds 105

Trailrunner7 writes: It may be time to upgrade your garage door opener. Security researcher Samy Kamkar has developed a new technique that enables him to open almost any garage door that uses a fixed code–and he implemented it on a $12 child's toy. The attack Kamkar devised, known as OpenSesame, reduces the amount of time it takes to guess the fixed code for a garage door from several minutes down to less than 10 seconds. Most openers in commercially available garage door openers have a set of 12 dip switches, which are binary, and provide a total of 4,096 possible code combinations. This is a highly limited keyspace and is open to brute-force attacks. But even on such a small keyspace, those attacks take some time.

With a simple brute-force attack, that would take 29 minutes, Kamkar said. To begin reducing that time, he eliminated the retransmission of each code, bringing the time down to about six minutes. He then removed the wait period after each code is sent, which reduced the time even further, to about three minutes. Looking to further reduce the time, Kamkar discovered that many garage door openers use a technique known as a bit shift register. This means that when the opener receives a 12-bit code, it will test that code, and if it's incorrect, the opener will then shift out one bit and pull in one bit of the next code transmitted.

Kamkar implemented an algorithm known as the De Bruijn sequence to automate this process and then loaded his code onto a now-discontinued toy called the Mattel IM-ME. The toy was designed as a short-range texting device for kids, but Kamkar reprogrammed it using the GoodFET adapter built by Travis Goodspeed. Once that was done, Kamkar tested the device against a variety of garage door openers and discovered that the technique worked on systems manufactured by several companies, including Nortek and NSCD. It also works on older systems made by Chamberlain, Liftmaster, Stanley, Delta-3, and Moore-O-Matic.
This discussion has been archived. No new comments can be posted.

Opening Fixed-Code Garage Doors With a Toy In 10 Seconds

Comments Filter:
  • by bagboy ( 630125 ) <neoNO@SPAMarctic.net> on Friday June 05, 2015 @12:16PM (#49849553)
    and an app on your phone that you can turn on/off via wifi. Not foolproof, but certainly better.
    • Indeed, inline one of these [belkin.com] with the door opener.

      It can probably be rigged to automatically disable at night. Even better would be to disable anytime the controlling phone is out of WiFi range (not sure if that's possible).

  • by Overzeetop ( 214511 ) on Friday June 05, 2015 @12:18PM (#49849575) Journal

    It's been several years since I bought an opener...and even then I can't remember seeing a major brand that wasn't a paired-system remote.

    • by JBMcB ( 73720 )

      That's what I was thinking. Cars with built-in garage door openers have supported paring/tumbling codes for at least 20 years.

      I'm guessing there are a LOT of old garage door openers around.

      • My house has the original opener that isn't rolling, it was built in 1983. Rolling code technology came out in 1993 [wikipedia.org], which really isn't that long ago considering how often you need to replace them.

        • My house has the original opener that isn't rolling, it was built in 1983. Rolling code technology came out in 1993 [wikipedia.org], which really isn't that long ago considering how often you need to replace them.

          Similar situation here. I have a side-by-side garage with two separate early-1980s openers manufactured by Overhead Door Company. Each opener came with two one-button remotes.

          One of the openers was damaged in 1994 (a roofing contractor backed into the door with his truck), so we ended up wi

    • Yep. I havent seen a fixed code DIP-switch remote for 20 years. And the last door I hacked with one only took 10 minutes brute force guessing. Even if its 29 minutes, who needs a hack? And, to do it in 10 seconds you need to know the frequency in advance.

      If you're looking for a hack for the IM_ME this Spectrum Analyzer [blogspot.com] mod looks downright cool and possibly even useful. Pretty wide frequency response too.
      • by Tailhook ( 98486 )

        I replaced a fixed code system about 10 years ago. I'm sure there are plenty of old ones still in use, but this claim that "most openers in commercially available garage door openers" are still using these ancient techniques is bogus.

        Neat hack, but it isn't the revelation this misleading story claims.

      • by ncc74656 ( 45571 ) *

        Yep. I havent seen a fixed code DIP-switch remote for 20 years.

        Maybe not for garage doors, but the gate remote for my neighborhood has a block of 10 DIP switches inside. IIRC, the first two or three are flipped one way and the rest are flipped the other way (wow! such security!). Mine was issued in 2000, but the system probably was installed in '97 or '98.

    • Most garage door openers built in the last 20 years do not use the DIP switch codes. Since the mid 1990s, most manufactures switched to shared codes with a larger keyspace (~35bit) - using the "learn" button on the opener - and in early 2000s switched to rolling codes to limit code interception vulnerability.

      Of course most garage doors are a quick pry bar movement away from opening, so security is all relative.

      • by swb ( 14022 )

        I use the dead bolt contraption on my door when I go out of town (and unplug the opener). I don't know how strong it is against a really big pry bar or someone using a hydraulic jack, but presumably it would frustrate the average dipshit with a small prybar.

        Really, most residential garage doors are more about keeping the weather out and a psychological barrier than a real physical barrier. I would bet you could just knock them in pretty easily unless they are made of a stronger material.

        I'd love one of th

    • by wcrowe ( 94389 )

      It's one of those appliances that lasts a long time and a lot of people don't think about it. I replaced my old style door about a year and a half ago, and the only reason I replaced it was because I installed it in 1995 and it suddenly occurred to me that it was easy to break into. Mechanically, the old opener worked perfectly. I am glad the new door installer wanted the old unit (he builds automatic flag-raising systems with them). At least the old unit didn't go to waste.

    • Still plenty of openers from the 80's and 90's out there chugging away, and most homeowners aren't going to fix something that ain't broke. And while yes, a 10-second skeleton opener is "broke", that's still longer than it takes a practiced hand to pop a door or window open. Many folks are comfortable enough relying on the fact that doing either of these things lands you in very hot water with the local authorities that they're not too worried about not having reinforced locks and barred windows.

    • It's been several years since I bought an opener...and even then I can't remember seeing a major brand that wasn't a paired-system remote.

      Argh, damn you Slashdot, get out of my Amazon purchase history!
      http://www.amazon.com/gp/produ... [amazon.com]

      I guess 1993 was about when the garage door companies standardized on the the rolling-code thingy that has to be paired to each remote.

      Though now I'm kicking myself for not just building my own https garage door opener using
      http://www.instructables.com/i... [instructables.com] so I can let the kids in remotely when they forget their keys.

  • Let's be honest, just check all on, all off, and alternating starting at 0 and 1.
    • Haha. The code to my condo complex is #3.

    • Normally yes. But most of these were paired by the factory or professional installers who set them to more or less effectively random-ish codes. The few I've looked at had nothing I recognized as blatantly stupid.
  • I remember the garage door opening and closing with every damn airliner flying overhead on finals.

    • by Anonymous Coward

      A friend of mine did this in KC,MO in 1985 for a design lab project. Back then every garage door opener used dip switches to setup the code. He built a small transmitter powered 12V car port and used a DAC to do the binary count that was then transmitted as the code. He was a really bright kid and got his A in the class. He was also asked to dismantle it and never build it again. 8^)

      We tested it by driving through neighborhoods and letting it run in a loop. We could open just about every garage door o

  • This really brings to mind the XKCD comic about the wrench and the password...

    You could spend a lot of effort hacking an opener OR just break a window and go in to get the better stuff.

  • Ah, I remember the old days. Driving around the neighborhood and keying up the mic on the CB radio. One of the channels would open dozens of doors around the neighborhood...

    • by 0bject ( 758316 )
      We had to unplug our garage door when we wanted to play with our RC car or the door would go up and down.
  • Pretty cute to house it in a child's toy when you can go to the hardware store and buy a universal garage door opener remote for $30 which already has all the codes you would need and instructions on how to open every brand. Then, to get the "loot" (broken things, my awesome gas-power mower, various motoring fluids, sweet Guitar Hero guitars and a drum set (that's got to be worth $8), other low-tech child's toys, a shitty ladder, a shitty mop, and some other really shitty stuff) you merely have to disguise

  • This is when you begin to understand how much better a dog is than a garage door.

    • Unless that dog is my sister's fucking malamute. It thinks everyone that shows up is there to feed it or let it out to play.
    • by jep77 ( 1357465 )

      Wait a second... I left my garage door so I can park my car inside. If I lift my dog and then move the car forward, I'm going to smash into the house!

  • Most garage door I've seen are secured with a simple latch. How about pry open the bottom of the door and pull it up. I'm sure it takes less than a few seconds. No?
    • Yeah, my neighbor's house caught fire when they weren't there and before the firemen went in a policeman opened the garage door with a pry bar in about 3 seconds reaching through the top. Looked like he disengaged the chain.
  • Because in 10 years, I can't be sure that a "hack-resistant" car lock on the 2015 car buy today will be any stronger than these garage-door openers are now.

  • I sincerely hope he didn't test it in a densely populated neighborhood. I imagine garage doors around the block opening and closing as he's standing there with his test unit, "Nope, let's try this... Nope, let's try this..."
  • Thieves just take some type of sharp blade, cut a "V" shape into the garage door, reach in (likely with a hooked tool), pull the manual T-shaped handle that's connected with a rope to the locking latch mechanism, tug it, door's unlocked.

    I counted about 10 such damage marks between 49th and 54th Ave in one laneway.

    • True. No one should rely on their garage door as a security mechanism. Don't keep valuables in the garage. If someone wants to steal your car then the best lock in the world won't keep them out if your door isn't steal or you have glass windows.

      • by Maow ( 620678 )

        Indeed.

        One neighbour, behind us, had their garage door sliced open on one occassion, and on another had the car in their car port broken into.

        The thief was a particularly nasty prick, as they used a pry bar to pry the driver's door open, using the roof as a fulcrum.

        The door was bent enough to reach inside and the roof was dented.

        When all the thieving bastard had to do was break glass. Thousands of dollars damage instead of low hundreds.

        Prick.

        Another neighbour, two doors up from them, had their door sliced

  • https://myspace.com/householdh... [myspace.com]

    http://www.shomer-tec.com/inde... [shomer-tec.com]
    use to sell one that would do any older door in under 2 mins

    and a couple of other websites showing code transmit open/close errors etc etc
    dude didnt have to alter-code this is been out there for around 12 years

  • Hacking my garage door opener is the hard way in. The left garage door and side door are both unlocked and open much faster. It's detached from the house - all you could steal are rusty tools and flower pots.

  • It may be time to upgrade your garage door opener

    This time I'll get a model with better suction, three holes and a more understanding attitude.

  • 2600 had a similar article that covers this called 'Brute forcing PIN Code keypads using combinational mathematics' in Spring 2014, uses the same technique to minimise the number of digits needed to crack an electronic pin lock.

Real programmers don't comment their code. It was hard to write, it should be hard to understand.

Working...