Americans’ garages, those sacred suburban havens of automobiles and expensive tools, are probably more important to us than many of our online accounts. But some garages are only protected by a code whose security is equivalent to a two-character password. And security researcher Samy Kamkar can crack that laughable safeguard in seconds, with little more than a hacked child’s toy.
On Thursday, Kamkar revealed a new tool he’s created called OpenSesame, which he says can open any garage door that uses an insecure “fixed code” system for its wireless communication with a remote. Built from a discontinued Mattel toy called the IM-ME, altered with a cheap antennae and an open source hardware attachment, Kamkar’s less-than-$100 device can try every possible combination for these garage doors and open them in seconds.
“It’s a huge joke,” says Kamkar, a serial hacker who works as an independent developer and consultant. “The worst case scenario is that if someone wants to break into your garage, they can use a device you wouldn’t even notice in their pocket, and within seconds the garage door is open.”
Before barricading or booby-trapping your garage against OpenSesame intruders, it’s important to note Kamkar’s exploit doesn’t work against just any garage door—only ones that respond to a “fixed code” wirelessly transmitted by a remote instead of a more secure “rolling code” that changes with every button press. And it’s not clear just how many garage doors actually use that fixed code system. Kamkar found that his own garage door, in a newly built Los Angeles condo, was vulnerable to his attack, though he couldn’t identify the device’s manufacturer; the receiver in his building was hidden. When he checked the attack against two friends’ garage door openers—both made by a company called Linear, owned by the parent company Nortek—it worked both times.
Nortek didn’t immediately respond to WIRED’s request for comment. Another major brand of garage door opener, Genie, didn’t respond to a request for comment either, but says on its website that its devices use rolling codes. A spokesperson for Chamberlain, the owner of the Liftmaster brand and one of the biggest sellers of garage door openers, initially told WIRED the company hasn’t sold fixed code doors since 1992. But when Kamkar dug up a 2007 manual for a Liftmaster device that seemed to use fixed codes, Chamberlain marketing executive Corey Sorice added that the company has supported and serviced older garage door openers until much more recently. “To the extent there are still operators in the market being serviced by replacement parts, part of the objective is to get to safer and more secure products,” he said in a phone interview. “We’d love to see people check the safety and security of their [devices] and move forward.”
Kamkar has posted his own video to help people determine if their garage door is vulnerable or not.
To attack fixed code garage door openers, criminals have for years used “code grabbers” that capture the code from a user’s garage door button press and replay it later to open the door. But for these vulnerable systems, Kamkar has reduced the time necessary so that it’s become practical to try every possible wireless code. That means someone could walk or drive through a neighborhood, going door-to-door and trying the device until one of the vulnerable garages opens. “For code grabbers, you have to sit there and wait for the person to hit the button,” says Kamkar. “For this, [the victim] never even has to be there.”
To perform his brute-force attack, Kamkar used a pre-smartphone toy called a Radica IM-ME. That chunky pink handheld device for wireless text messaging, once sold by Mattel, has been adopted by radio hackers because it’s capable of broadcasting and receiving at a broad range of frequencies. Kamkar added his own antenna to the IM-ME and used GoodFET, a tool built by well-known radio hacker Travis Goodspeed, to reprogram the IM-ME with his cracking program.
The fixed-code garage door remotes Kamkar tested use at most 12-bit codes—that’s 4,096 possibilities. In modern computer security terms, that’s a trivial level of security: Kamkar calculates that a password with just two characters offers at least 5,184 possibilities. “Imagine if your bank only let you have a two character password,” Kamkar says.
Using a straightforward cracking technique, it still would have taken Kamkar’s program 29 minutes to try every possible code. But Kamkar improved his attack by taking out wait periods between code guesses, removing redundant transmissions, and finally using a clever optimization that transmitted overlapped codes, what’s known as a De Bruijn sequence. With all those tweaks, he was able to reduce the attack time from 1,771 seconds to a mere eight seconds.
Even so, that eight-second attack only works for a single frequency; Kamkar says he’s found four different frequencies for the vulnerable garage doors he’s tested, and OpenSesame can cycle through its brute-force attack on all four frequencies in less than a minute.
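To make the keyspace arithmetic in the preceding paragraphs concrete, here is an added Python example (written for this page, not Kamkar’s OpenSesame code) that builds a De Bruijn sequence B(2, 12), verifies that every 12-bit fixed code appears in it as an overlapping window, and compares the number of bits that cover the whole keyspace with and without the overlap trick. The 72-symbol alphabet used to reproduce the 5,184 two-character-password figure is an assumption.

```python
def de_bruijn(k: int, n: int) -> list:
    """Return the De Bruijn sequence B(k, n) as a list of symbols 0..k-1.

    Uses the standard Lyndon-word (FKM) construction: every k-ary string
    of length n appears exactly once as a cyclic window of the result.
    Length is k**n; for k=2, n=12 that is 4096 bits.
    """
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def covers_all_codes(seq: list, n: int) -> bool:
    """True if every n-bit value occurs as a window of seq read linearly
    (the sequence is extended by its first n-1 bits to close the cycle)."""
    ext = seq + seq[:n - 1]
    windows = {tuple(ext[i:i + n]) for i in range(len(seq))}
    return len(windows) == 2 ** n


def naive_bits(n: int) -> int:
    """Bits sent when every n-bit code is transmitted separately."""
    return n * 2 ** n


def de_bruijn_bits(n: int) -> int:
    """Bits sent when codes overlap via a De Bruijn sequence (linear form)."""
    return 2 ** n + n - 1


def two_char_password_space(alphabet_size: int = 72) -> int:
    # Assumption: 72 = 26 lower + 26 upper + 10 digits + 10 symbols,
    # which reproduces the 5,184 figure quoted in the article.
    return alphabet_size ** 2


if __name__ == "__main__":
    print("12-bit fixed codes:", 2 ** 12, "vs 2-char password:", two_char_password_space())
    print("bits to cover keyspace: naive", naive_bits(12), "overlapped", de_bruijn_bits(12))
```

The ratio of naive to overlapped bit counts (about 12x) is the transmission-side saving the article attributes to the De Bruijn optimization; the remaining speed-up came from dropping inter-code wait periods and redundant repeats, which this example does not model.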
Kamkar has detailed OpenSesame’s attack on his website, and also published the tool’s code. But he intends it to serve as a warning, not a how-to manual. In fact, he says he’s even disabled the code so that criminals can’t use it, and wouldn’t comment on exactly how he’s crippled his exploit.
That’s a rare move for Kamkar, and one that demonstrates how dangerous he believes his garage attack may be. OpenSesame is just the latest in a long string of high-profile hacks from Kamkar, who gained fame in 2007 when he launched a MySpace worm—what came to be known as the Samy worm—that added more than a million friends to his account in an hour. He’s also built a drone designed to seek out and wirelessly hijack other drones, and a 3-D printed robot that can crack Masterlock combination locks in seconds.
Anyone with a garage door that still uses a fixed code system should seriously consider upgrading to a more secure rolling code receiver. But Kamkar hints he’s working on another hack that would extend his attack to rolling codes, too, though he’s not yet ready to release any details about it. If that rolling code hack turns out to be effective, there may be no such straightforward answer for garage door security. “It’s a sticky situation. I haven’t even figured out what I’m supposed to do to my own garage,” Kamkar says. “I don’t have a great solution for anyone, including myself.”