Hacker turns toy into tool that can open garage doors in seconds

The attack radically improves the time needed to crack the fixed codes of older garage door openers

A hacker reprogrammed a Girl Tech IM-me toy to hack garage doors

A hacker reprogrammed a Girl Tech IM-me toy to hack garage doors

Owners of fixed-code garage door openers might want to consider upgrading them because a researcher has developed a technique that guesses the numbers in seconds.

To showcase the new attack, which he dubbed Open Sesame, security researcher Samy Kamkar reprogrammed a children's toy designed for short-distance texting called Radica Girl Tech IM-me because it has all the needed wireless components and because "it's pink," his favorite color.

With a fixed-code garage door opener, the remote control, or "clicker" always transmits the same 8 to 12-bit binary code. For a 12-bit code, there are 4,096 possible combinations -- strings of 1s and 0s.

The fact that openers' fixed-codes can be cracked through brute-force is a known issue, but doing so was believed to take longer. A typical clicker resends the same code 5 times, with a transmission time of 2 milliseconds per bit and an additional wait time of 2 milliseconds between each bit.

By Kamkar's calculations, following this process to iterate through all possible combinations for 8, 9, 10, 11 and 12-bit codes would take 29 minutes.

However, it turns out that retransmitting the same code 5 times is unnecessary and so is the wait time between each bit. By removing those steps, the researcher found that the time needed to brute-force a fixed garage door opener code is reduced to about 3 minutes.

But that was still not fast enough for him. Kamkar then figured out that when the opener interprets a continuous string of bits it doesn't test the first 12 bits as a possible code and then the next 12 bits and so on.

Instead, the opener tests the first n bits in the string -- n can be 8, 9, 10, 11 or 12, depending on which code length is expected -- and then drops only the first bit and tests the remaining sequence again. For example, if the expected length would be 3 bits and the opener would receive a 101011 sequence, it would first try 101, then 010, then 101 and so on.

This finding allowed Kamkar to develop a so-called De Bruijn sequence -- a sequence that includes each combination of bits only once. This is based on a formula devised by Dutch mathematician Nicolaas Govert de Bruijn.

"OpenSesame implements this algorithm to produce every possible overlapping sequence of 8-12 bits in the least amount of time," Kamkar said. "How little time? 8.214 seconds."

And that's the worst case scenario. Typically the correct code will be found faster than that.

New generation garage door openers that use rolling codes -- also known as Intellicode, Security+ or hopping codes depending on vendor -- are not affected by this attack. However, vulnerable products are still sold by some manufacturers and many discontinued ones are likely still in use, Kamkar said.

Kamkar released proof-of-concept code for his attack on GitHub, but the code is intentionally incomplete to avoid abuse by criminals.

"It almost works, but just not quite, and is released to educate," the researcher said. "If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn't need my help in the first place, would you."

Join the PC World newsletter!

Error: Please check your email address.

Tags GitHubsecurityphysical securityAccess control and authentication

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?