Open a Garage Door in Seconds with a $12 Toy

Sure, we all know that for computer whiz-kid types, hacking is “child’s play.” But an attack that uses a $12 kid’s toy to remotely open a locked garage door in seconds takes that phrase to a whole new level.

Security researcher Samy Kamkar has developed a new technique, cleverly dubbed OpenSesame, which enables him to open almost any garage door that uses a fixed code, in 95% less time than other similar hacks. It gets the opening time down to less than 10 seconds.

What’s notable here is the sophisticated tool of the trade of this masterful cyber-coup: Mattel’s Radica Girltech, a $12 short-range texting toy for tween lasses.

It has sub-GHz RF chip, an LCD display, keyboard, backlight (and more!). And it's pink. Or purple, depending on the cybercriminal’s preference.  Squee!

This totes adorbs little package can be used to brute-force the code by crunching through all of the possible combinations that could be used to open the door—then sends that code to the garage box.

Ordinarily, doing that with a standard clicker takes about 29 minutes. “Now in a common garage and clicker, we’re going to be using between an 8-12 bit code, and we see a single click sends the same code five times, and we see each ‘bit’ takes 2ms to send, with a 2ms wait period per bit after the entire code is sent. So a single 12-bit combination takes (12 bits * 2ms transmit * 2ms wait * 5 times = 240ms),” Kamkar said in a post.

The trick to making this faster? Coding efficiency, using an algorithm known as the De Bruijn sequence. Kamkar was able to reprogram the toy using the GoodFET adapter built by Travis Goodspeed.

“So the garage actually tests: 011111100000 (incorrect) (chops off the first bit, then pulls in the next bit) 111111000000 (correct!) Meaning we sent 13 bits to test two 12-bit codes instead of sending a full 24 bits. Incredible!” Kamkar said.

 “What’s even more beautiful is that since the garage is not clearing an attempted code, a 12 bit code also tests five 8 bit codes, four 9 bit codes, three 10 bit codes, four 11 bit codes, and of course one 12 bit code,” he explained. “As long as we send every 12 bit code, the 8-11 bit codes will all be tested simultaneously.”

The technique works on doors made by Nortek and NSCD, and on older systems made by Chamberlain, Liftmaster, Stanley, Delta-3 and Moore-O-Matic. The attack will not open garages that use rolling codes (often called Intellicode, Security+ or hopping codes), though these are susceptible to other types of compromises.

Bottom line: Don’t rely on that garage door to lock your house, and maybe think twice about keeping your life savings in a box on the tool shelf out there.

What’s Hot on Infosecurity Magazine?