14 DAY TRIAL // A hacker turned an electronic toy from Mattel into a tool that can open almost any fixed-code garage door in seconds; the gadget is no longer manufactured, but it is still found on eBay for prices ranging from $12 / €10.60 to over $100 / €89.
Although it is far from impossible to bypass the security rendered by fixed-code systems because of their extremely limited key space, a regular attack would still require a significant amount of time.
A regular attack can take more than 30 minutes
Samy Kamkar, a researcher and hacker, explains that for common garage openers with 12 binary dip switches there is a total of 4,096 possible combinations to get the correct code.
However, sending a bit requires two milliseconds and there is a wait time of another two milliseconds before sending the next one. Apart from this, a single code is sent five times at each click.
He calculated that it would take 29 minutes to brute-force the entire 8, 9, 10, 11 and 12-bit key space, if all the details (frequency and baud rate) are known to the attacker.
Trimming down the attack time
Kamkar devised a method he dubbed OpenSesame that reduces the amount of time to less than ten seconds, using the Radica Girltech IM-ME communication toy, which happens to include the necessary components (CC1110 RF chip) for sending out the codes.
He eliminated code retransmission and the wait times and managed to reduce the time to about three minutes. By applying the De Bruijn sequence, he managed to complete the brute-force attack in 8.2 seconds.
Kamkar reprogrammed the IM-ME toy with Travis Goodspeed’s GoodFET adapter and created the OpenSesame code that handles the sending of the codes.
Code is helpful only to the knowledgeable
The source code is publicly available, but the hacker says it is bricked on purpose to prevent abuse. “It almost works, but just not quite, and is released to educate. If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn't need my help in the first place, would you,” he wrote on Thursday.
The list of vendors with products vulnerable to OpenSesame includes Nortek and North Shore Commercial Door. The attack also works on older systems from Chamberlain, Liftmaster, Stanley, Delta-3, and Moore-O-Matic.
The researcher says that it is advisable to upgrade to a system that clearly states that it relies on rolling codes, hopping codes, Security+ or Intellicode, as these would prevent the OpenSesame attack and traditional brute forcing attempts, despite not being a fully secure solution.
Explanation of the OpenSesame attack:
