Hacker turns toy into tool that can open garage doors in seconds

The attack radically improves the time needed to crack the fixed codes of older garage door openers

A hacker reprogrammed a Girl Tech IM-me toy to hack garage doors

A hacker reprogrammed a Girl Tech IM-me toy to hack garage doors

Owners of fixed-code garage door openers might want to consider upgrading them because a researcher has developed a technique that guesses the numbers in seconds.

To showcase the new attack, which he dubbed Open Sesame, security researcher Samy Kamkar reprogrammed a children's toy designed for short-distance texting called Radica Girl Tech IM-me because it has all the needed wireless components and because "it's pink," his favorite color.

With a fixed-code garage door opener, the remote control, or "clicker" always transmits the same 8 to 12-bit binary code. For a 12-bit code, there are 4,096 possible combinations -- strings of 1s and 0s.

The fact that openers' fixed-codes can be cracked through brute-force is a known issue, but doing so was believed to take longer. A typical clicker resends the same code 5 times, with a transmission time of 2 milliseconds per bit and an additional wait time of 2 milliseconds between each bit.

By Kamkar's calculations, following this process to iterate through all possible combinations for 8, 9, 10, 11 and 12-bit codes would take 29 minutes.

However, it turns out that retransmitting the same code 5 times is unnecessary and so is the wait time between each bit. By removing those steps, the researcher found that the time needed to brute-force a fixed garage door opener code is reduced to about 3 minutes.

But that was still not fast enough for him. Kamkar then figured out that when the opener interprets a continuous string of bits it doesn't test the first 12 bits as a possible code and then the next 12 bits and so on.

Instead, the opener tests the first n bits in the string -- n can be 8, 9, 10, 11 or 12, depending on which code length is expected -- and then drops only the first bit and tests the remaining sequence again. For example, if the expected length would be 3 bits and the opener would receive a 101011 sequence, it would first try 101, then 010, then 101 and so on.

This finding allowed Kamkar to develop a so-called De Bruijn sequence -- a sequence that includes each combination of bits only once. This is based on a formula devised by Dutch mathematician Nicolaas Govert de Bruijn.

"OpenSesame implements this algorithm to produce every possible overlapping sequence of 8-12 bits in the least amount of time," Kamkar said. "How little time? 8.214 seconds."

And that's the worst case scenario. Typically the correct code will be found faster than that.

New generation garage door openers that use rolling codes -- also known as Intellicode, Security+ or hopping codes depending on vendor -- are not affected by this attack. However, vulnerable products are still sold by some manufacturers and many discontinued ones are likely still in use, Kamkar said.

Kamkar released proof-of-concept code for his attack on GitHub, but the code is intentionally incomplete to avoid abuse by criminals.

"It almost works, but just not quite, and is released to educate," the researcher said. "If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn't need my help in the first place, would you."

Join the CSO newsletter!

Error: Please check your email address.

Tags GitHubsecurityphysical securityAccess control and authentication

More about Girl TechRadica

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place