Site icon Sophos News

Gone in 10 seconds: Man hacks kids’ toy to open garage doors

Hacked kids' toy can open a garage door in secondsAll too often we hear about people not using strong enough passwords for their online accounts.

But it’s not just online accounts that are secured using weak passwords – other items closer to home are too.

Take the humble garage door for example. If you are fortunate enough to have one that can be opened remotely, then you may be shocked to learn that many rely upon 12-bit codes, meaning the number of possible combinations is capped at 4096. That’s less than a two-character password!

Taking advantage of that fact, independent security researcher Samy Kamkar, who has previously developed a $10 USB wall charger capable of logging wireless keystrokes and a DIY combination lock-picking robot, has detailed how he can take a discontinued kids’ toy (typically available on eBay for around $15/£10) to open a garage door in less than 10 seconds.

Kamkar’s attack, known as OpenSesame, uses a Radica Girltech IM-ME texting toy from Mattel – popular among hackers and radio enthusiasts because of its ability to broadcast and receive over a wide range of frequencies – modified with a cheap antenna and an open source hardware attachment.

The exploit only works against garage doors that respond to a “fixed code” that is transmitted by a wireless remote rather than newer, more secure alternative doors which use a “rolling code” that changes with each button press.

But the older type garage door is still rather common – they’ve been in production for at least 30 years – prompting Kamkar to say:

It's a huge joke.

The worst case scenario is that if someone wants to break into your garage, they can use a device you wouldn't even notice in their pocket, and within seconds the garage door is open.

Using regular cracking techniques would, according to Kamkar, take up to 29 minutes to generate the correct code but by removing wait periods generated between each guess, redundant transmissions, and by overlapping codes with a De Bruijn sequence, he was able to whittle that down to under 10 seconds.

On the downside, Kamkar found that his speedy attack only works on a single frequency which must be programmed into OpenSesame. So far, though, he has only found four different frequencies across the garage doors he has tested, allowing him to combine a brute force attack against each in a combined total of less than a minute.

Kamkar said avoiding remote and unauthorised opening of your garage is tricky, but did recommend upgrading to a system that uses rolling codes, rather than fixed ones:

If you are using a gate or garage which uses "fixed codes", to prevent this type of attack, ensure you upgrade to a system which clearly states that it's using rolling codes, hopping codes, Security+ or Intellicode. These are not foolproof from attack, but do prevent the OpenSesame attack along with traditional brute forcing attacks.

Kamkar also recorded another video explaining how to tell if your garage door is vulnerable to this kind of attack.

The attack has obvious implications for homeowners – the speed with which every door combination can be tried makes it practical for criminals to cruise through a neighbourhood looking for every vulnerable garage, something that prompted Kamkar to bork the source code he posted to Github.

Image of remote controlled garage door courtesy of Shutterstock.

Exit mobile version