Opening Fixed-Code Garage Doors With a Toy In 10 Seconds
Trailrunner7 writes: It may be time to upgrade your garage door opener. Security researcher Samy Kamkar has developed a new technique that enables him to open almost any garage door that uses a fixed code, and he implemented it on a $12 child's toy. The attack Kamkar devised, known as OpenSesame, reduces the amount of time it takes to guess the fixed code for a garage door from several minutes down to less than 10 seconds. Most openers in commercially available garage door openers have a set of 12 dip switches, which are binary, and provide a total of 4,096 possible code combinations. This is a highly limited keyspace and is open to brute-force attacks. But even on such a small keyspace, those attacks take some time.
With a simple brute-force attack, that would take 29 minutes, Kamkar said. To begin reducing that time, he eliminated the retransmission of each code, bringing the time down to about six minutes. He then removed the wait period after each code is sent, which reduced the time even further, to about three minutes. Looking to further reduce the time, Kamkar discovered that many garage door openers use a technique known as a bit shift register. This means that when the opener receives a 12-bit code, it will test that code, and if it's incorrect, the opener will then shift out one bit and pull in one bit of the next code transmitted.
Kamkar implemented an algorithm known as the De Bruijn sequence to automate this process and then loaded his code onto a now-discontinued toy called the Mattel IM-ME. The toy was designed as a short-range texting device for kids, but Kamkar reprogrammed it using the GoodFET adapter built by Travis Goodspeed. Once that was done, Kamkar tested the device against a variety of garage door openers and discovered that the technique worked on systems manufactured by several companies, including Nortek and NSCD. It also works on older systems made by Chamberlain, Liftmaster, Stanley, Delta-3, and Moore-O-Matic.
Simply use a smart power outlet (Score:3, Interesting)
Re: (Score:3, Interesting)
Wrong. You drive down any street with your toy and find a door that opens, you now know for sure you have access without ever leaving the getaway vehicle. Most people don't lock their inside garage door and the bad guys know this.
No one even knows you opened the garage door, for all they know someone inside the house did.
Once you go over the backyard fence, you've committed a crime, and you still don't know if you can actually get inside.
Getting the garage door code minimizes your risk.
I know to think this
Re: (Score:1)
Citation needed.. Really?? I basically always lock all of my doors when I walk in the door, and I only put the "basically" in there for the literally one or two times I've forgotten and freaked out in the morning when I realized I didn't lock it.
Re: (Score:3)
He did say most, not all. Even then I doubt that it's most but I'd bet that it's a significant amount. Even if it's only 10 percent that's one out of 10. Not bad for quick and easy.
Re: (Score:2)
I would put it closer to fifty percent.
However, once the garage is ready, you can then close the garage and work inside, which muffles the sounds of breaking a lock and jamb nicely. And even if someone hears something, they can't see it.
Re: (Score:2)
I think most res. garage door openers these days are rolling code.... all the reasonably-rated openers I've seen for sale today are rolling code, not fixed.
On the other hand, even if you do have a rolling code opener it's likely vulnerable to.... the coat hanger attack [youtube.com] on the backup release, which I understand takes a practiced person about 10 seconds and doesn't matter whether it's a fixed code or rolling code opener.
Re: (Score:2)
New doors may be immune but how many 20 year or older doors are out there?
Re: (Score:2)
Depends on the neighborhood... before I moved to an apartment building I had a roommate who lost his key. For months (eventually we gave up searching and got a replacement), we just didn't bother to lock the door unless we were both home.
We would also regularly leave the back door unlocked.
The cat escaped by opening the front door, and the actual door was wide open for hours that day.
As has been said, the windows are a far more vulnerable target. If they decided to enter your home they are going to. Hell
Re: (Score:2)
Most people don't lock their inside garage door and the bad guys know this.
Even if you do... the garage may be seen as a "great place to hide"
If the thieves happen to know you're on vacation, they can get into the garage with the remote code.. close the door behind them. Cut power to the opener...
And break in at their leisure, using all the screwdrivers and power tools people often leave in their garage.
Another concern is that in the event the bad guy set off a burglar alarm; no worries -- all they
Re: (Score:2)
Indeed, inline one of these [belkin.com] with the door opener.
It can probably be rigged to automatically disable at night. Even better would be to disable anytime the controlling phone is out of WiFi range (not sure if that's possible).
They still sell those? (Score:5, Insightful)
It's been several years since I bought an opener...and even then I can't remember seeing a major brand that wasn't a paired-system remote.
Re: (Score:2)
That's what I was thinking. Cars with built-in garage door openers have supported pairing/tumbling codes for at least 20 years.
I'm guessing there are a LOT of old garage door openers around.
Re: (Score:2)
Rolling code alone doesn't address it. The length of the code is key. A MARCSTAR document from 1997 cites the code as 40 bits, over 1 trillion possibilities. If you could transmit 10,000 tries per second, it would take over 3 years to try all the possibilities. Even if you got lucky and hit the right code in the first 1% of attempts, it would still take almost 2 weeks of trying.
Re:They still sell those? (Score:5, Interesting)
I've seen the exact opposite, most openers are built using shitty Princeton 2262s, which sounds like what this guy hacked. Oh, and if you've been sold a fancy "rolling-code remote", open it up and look at the hardware, if it says 2262 on the chip (or one of the many derivatives) then you've been had (many so-called rolling-code remotes aren't, the vendors just claim they are).
In practice it's even worse than the article points out, the switches are tri-state not binary but most vendors of remotes forget that so you go from 3^n to 2^n, and then they only use 8 of the 12 pins you can toggle on because they're on one side of the chip and they forget there's more around the other side. So you go from 3^12 to 2^8 combinations, meaning you'll hit the right one after 128 tries on average. The receivers have no rate-limiting, so you can run them far faster than the vendor specifies and scan the code space in seconds. The novel thing in this case is the use of de Bruijn sequences, and the fact that he scans the entire code space in the same time a standard scanner takes for the (admittedly far too common) badly-designed ones.
Re: (Score:2)
Re: (Score:2)
I replaced it because I needed more ceiling clearance, so I went with a jackshaft opener. It was working fine when I took it down.
The unit on the house
Re: (Score:2)
The one on my parents' garage is going on 20 years now. Don't know the brand off the top of my head sorry.
Re: (Score:1)
Re: (Score:1)
My parents have one with DIP switches from when the house was built, which was around the time I was born. No pressure plates.
My girlfriend's grandfather has three of them, one for each of his three garage doors. I don't think any are newer than the mid-1980s, if that. One doesn't even have an optical sensor, none have the pressure plates.
Most really don't do much work (that big spring up there is what is doing the work) and they're pretty simple, so I don't see any reason they shouldn't make it many decade
Re: (Score:2)
My house has the original opener that isn't rolling, it was built in 1983. Rolling code technology came out in 1993 [wikipedia.org], which really isn't that long ago considering how often you need to replace them.
Re: (Score:2)
Similar situation here. I have a side-by-side garage with two separate early-1980s openers manufactured by Overhead Door Company. Each opener came with two one-button remotes.
One of the openers was damaged in 1994 (a roofing contractor backed into the door with his truck), so we ended up wi
Re: (Score:3)
If you're looking for a hack for the IM_ME this Spectrum Analyzer [blogspot.com] mod looks downright cool and possibly even useful. Pretty wide frequency response too.
Re: (Score:2)
I replaced a fixed code system about 10 years ago. I'm sure there are plenty of old ones still in use, but this claim that "most openers in commercially available garage door openers" are still using these ancient techniques is bogus.
Neat hack, but it isn't the revelation this misleading story claims.
Re: (Score:2)
Maybe not for garage doors, but the gate remote for my neighborhood has a block of 10 DIP switches inside. IIRC, the first two or three are flipped one way and the rest are flipped the other way (wow! such security!). Mine was issued in 2000, but the system probably was installed in '97 or '98.
Re: (Score:3)
Most garage door openers built in the last 20 years do not use the DIP switch codes. Since the mid 1990s, most manufacturers switched to shared codes with a larger keyspace (~35-bit) - using the "learn" button on the opener - and in the early 2000s switched to rolling codes to limit code interception vulnerability.
Of course most garage doors are a quick pry bar movement away from opening, so security is all relative.
Re: (Score:2)
I use the dead bolt contraption on my door when I go out of town (and unplug the opener). I don't know how strong it is against a really big pry bar or someone using a hydraulic jack, but presumably it would frustrate the average dipshit with a small prybar.
Really, most residential garage doors are more about keeping the weather out and a psychological barrier than a real physical barrier. I would bet you could just knock them in pretty easily unless they are made of a stronger material.
I'd love one of th
Re: (Score:2)
It's one of those appliances that lasts a long time and a lot of people don't think about it. I replaced my old style door about a year and a half ago, and the only reason I replaced it was because I installed it in 1995 and it suddenly occurred to me that it was easy to break into. Mechanically, the old opener worked perfectly. I am glad the new door installer wanted the old unit (he builds automatic flag-raising systems with them). At least the old unit didn't go to waste.
Re: (Score:2)
Still plenty of openers from the 80's and 90's out there chugging away, and most homeowners aren't going to fix something that ain't broke. And while yes, a 10-second skeleton opener is "broke", that's still longer than it takes a practiced hand to pop a door or window open. Many folks are comfortable enough relying on the fact that doing either of these things lands you in very hot water with the local authorities that they're not too worried about not having reinforced locks and barred windows.
Upgrade kits (Score:2)
It's been several years since I bought an opener...and even then I can't remember seeing a major brand that wasn't a paired-system remote.
Argh, damn you Slashdot, get out of my Amazon purchase history!
http://www.amazon.com/gp/produ... [amazon.com]
I guess 1993 was about when the garage door companies standardized on the rolling-code thingy that has to be paired to each remote.
Though now I'm kicking myself for not just building my own https garage door opener using
http://www.instructables.com/i... [instructables.com] so I can let the kids in remotely when they forget their keys.
There's a decent chance it's one of the big four (Score:3)
Re: (Score:2)
Haha. The code to my condo complex is #3.
Re: (Score:2)
Re: Bad men could do bad things with this tech! (Score:4, Informative)
Why does it matter? The garage probably has a dozen different tools and garden or sports implements hanging on the wall that would make opening the door a trivial exercise whether locked or not. A person willing to break into the house once would certainly have no problem doing it twice.
Ah sweet nostalgia... (Score:2)
I remember the garage door opening and closing with every damn airliner flying overhead on finals.
Re: (Score:1)
A friend of mine did this in KC, MO in 1985 for a design lab project. Back then every garage door opener used dip switches to set up the code. He built a small transmitter powered from a 12V car port and used a DAC to do the binary count that was then transmitted as the code. He was a really bright kid and got his A in the class. He was also asked to dismantle it and never build it again. 8^)
We tested it by driving through neighborhoods and letting it run in a loop. We could open just about every garage door o
Or... (Score:2)
This really brings to mind the XKCD comic about the wrench and the password...
You could spend a lot of effort hacking an opener OR just break a window and go in to get the better stuff.
CB Radio (Score:2)
Ah, I remember the old days. Driving around the neighborhood and keying up the mic on the CB radio. One of the channels would open dozens of doors around the neighborhood...
Re: (Score:1)
Fun hack of dubious value (Score:1)
Pretty cute to house it in a child's toy when you can go to the hardware store and buy a universal garage door opener remote for $30 which already has all the codes you would need and instructions on how to open every brand. Then, to get the "loot" (broken things, my awesome gas-power mower, various motoring fluids, sweet Guitar Hero guitars and a drum set (that's got to be worth $8), other low-tech child's toys, a shitty ladder, a shitty mop, and some other really shitty stuff) you merely have to disguise
Re: (Score:1)
If the alarm system is activated (no one at home) and the garage door is open and the RFID of one of the cars isn't detected in a specific amount of time (detection confirmation by turning on the lights for the next 5 minutes), the silent alarm is triggered. Why isn't that standard?
Good Dog (Score:2)
This is when you begin to understand how much better a dog is than a garage door.
Re: (Score:3)
Re: (Score:1)
Wait a second... I left my garage door so I can park my car inside. If I lift my dog and then move the car forward, I'm going to smash into the house!
Re: (Score:1)
Lift. I lift my garage door. Stupid vowels.
or the old way (Score:2)
Re: (Score:2)
Re: (Score:1)
this has been out in other forms since 2000s https://myspace.com/householdh... [myspace.com]
if you dig around you can buy them prebuilt for police use etc etc
police ones open tons of doors
Re: (Score:2)
Re: (Score:2)
This is why I don't like remote car locks (Score:2)
Because in 10 years, I can't be sure that a "hack-resistant" car lock on the 2015 car I buy today will be any stronger than these garage-door openers are now.
I sincerely hope... (Score:2)
How it's done in this neighbourhood (Score:2)
Thieves just take some type of sharp blade, cut a "V" shape into the garage door, reach in (likely with a hooked tool), pull the manual T-shaped handle that's connected with a rope to the locking latch mechanism, tug it, door's unlocked.
I counted about 10 such damage marks between 49th and 54th Ave in one laneway.
Re: (Score:2)
True. No one should rely on their garage door as a security mechanism. Don't keep valuables in the garage. If someone wants to steal your car then the best lock in the world won't keep them out if your door isn't steel or you have glass windows.
Re: (Score:2)
Indeed.
One neighbour, behind us, had their garage door sliced open on one occasion, and on another had the car in their car port broken into.
The thief was a particularly nasty prick, as they used a pry bar to pry the driver's door open, using the roof as a fulcrum.
The door was bent enough to reach inside and the roof was dented.
When all the thieving bastard had to do was break glass. Thousands of dollars damage instead of low hundreds.
Prick.
Another neighbour, two doors up from them, had their door sliced
2012 called (Score:1)
https://myspace.com/householdh... [myspace.com]
http://www.shomer-tec.com/inde... [shomer-tec.com]
used to sell one that would do any older door in under 2 mins
and a couple of other websites showing code transmit open/close errors etc etc
dude didn't have to alter code, this has been out there for around 12 years
Not a big deal (Score:2)
Hacking my garage door opener is the hard way in. The left garage door and side door are both unlocked and open much faster. It's detached from the house - all you could steal are rusty tools and flower pots.
New wife time? (Score:2)
This time I'll get a model with better suction, three holes and a more understanding attitude.
2600 (Score:1)
Re:So he built a garage door opener. (Score:4)
The algorithm work is a good insight. The use of the toy is probably just for press coverage purposes, which may be a good strategy to get the word out and nudge social pressure to improve the industry.
All the hackers already know he probably could have built a transmitter with Sparkfun parts faster and for less money, so we should try to understand his methods rather than just dismissing them.
Not every security researcher is a PR genius, but the odds are much better than a Slashdot AC.
Re: (Score:2)
Toys for grown ups. (Score:2)
I have two of those toys on my desk right now, they are useful dev kits for the TI CC1110 microcontroller - an 8051 based core with 32K flash and 4K RAM.
You also get a CC1111 part inside the wireless dongle which comes with it.
If you look at the PCB in the device, it is a hardware hackers dream. The debug port is broken out onto pads inside the battery compartment, and there are test pads all over.
The SPI screen is bitmap addressable and the keyboard is sanely wired up. You even get a piezo buzzer and 2 LED
Re: (Score:2)
The only thing remotely interesting is the bit about the openers trying all codes in a rolling window.
If you send 01010101010110101010100 it tests, 01010100, 101010100, 10101010, 0101010100, etc. It's essentially doing a find operation for the code (be it 8 bits, 12, or whatever) in the entire mess of shit that you send it.
Knowing this, the only work you need to do in the attack is work out the timing of sending a string that contains all 4096 combinations.
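Both the summary's description of the "bit shift register" opener and this comment's sliding-window account describe the same receiver behaviour, so here is one added example (mine, not code from the article or from Kamkar's OpenSesame project) that models it in Python: it builds a textbook B(2,12) de Bruijn sequence, feeds it and a naive all-codes list into the sliding-window receiver, and compares that with an assumed framed receiver that clears its buffer after every complete 12-bit code. The framed receiver is my assumption of a mitigation, not a description of any product, and the model counts bits on the air rather than the timing the comment mentions.

```python
# Added example (not from the article or Kamkar's OpenSesame code): a
# model of the "bit shift register" receiver the thread describes, fed a
# B(2,12) de Bruijn stream versus a naive list of all codes, next to a
# framed receiver (an assumed mitigation, not a real product) that clears
# its buffer after every complete code.
CODE_BITS = 12

def de_bruijn(k, n):
    """Textbook FKM construction of B(k, n): each length-n string over k
    symbols occurs exactly once as a window of the cyclic sequence."""
    a = [0] * k * n
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(str(s) for s in seq)   # length k ** n

def shift_register_bits_to_open(code, stream):
    """Receiver from the thread: compares the last CODE_BITS received bits
    after every bit. Returns bits consumed before opening, or None."""
    window = ""
    for i, b in enumerate(stream):
        window = (window + b)[-CODE_BITS:]
        if window == code:
            return i + 1
    return None

def framed_bits_to_open(code, stream):
    """Assumed mitigation: only whole CODE_BITS-bit frames are compared and
    the buffer is cleared afterwards, so no window straddles two guesses
    and every guess costs a full frame of air time."""
    buf = ""
    for i, b in enumerate(stream):
        buf += b
        if len(buf) == CODE_BITS:
            if buf == code:
                return i + 1
            buf = ""
    return None

def attack_streams():
    """Linear de Bruijn stream (4096 + 11 bits, wrap-around appended) and
    the naive concatenation of all 4096 codes (4096 * 12 bits)."""
    cyclic = de_bruijn(2, CODE_BITS)
    db_stream = cyclic + cyclic[:CODE_BITS - 1]
    naive = "".join(format(c, f"0{CODE_BITS}b") for c in range(2 ** CODE_BITS))
    return db_stream, naive
```

Against the sliding-window receiver every one of the 4096 codes is hit within the 4107-bit de Bruijn stream, while the framed receiver only ever evaluates the 341 aligned frames of that stream and still needs a full 12 bits per guess from the naive list.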