Kamkar on Thursday unveiled a new tool, known as OpenSesame, which he says can open any garage door that makes use of an insecure “fixed code” system for its wireless communication with a remote. He says that it the duration to guess the fixed code for a garage door from several minutes down to less than 10 seconds. Most garage door openers that are commercially available have a set of 12 dip switches, which are binary, and provide a total of 4,096 possible code combinations. This is a highly restricted keyspace and is open to violent attacks. However, those attacks take some time even on such a small keyspace. Kamkar, a serial hacker who works as an independent developer and consultant says “It’s a huge joke. The worst case scenario is that if someone wants to break into your garage, they can use a device you wouldn’t even notice in their pocket, and within seconds the garage door is open.” In a post explaining his new attack, Kamkar says “Now in a common garage and clicker, we’re going to be using between an 8-12 bit code, and we see a single click sends the same code 5 times, and we see each ‘bit’ takes 2ms to send, with a 2ms wait period per bit after the entire code is sent. So a single 12-bit combination takes (12 bits * 2ms transmit * 2ms wait * 5 times = 240ms)”. With a straightforward cracking technique, it still would have taken Kamkar’s program 29 minutes to try every possible code. In order to reduce that time, Kamkar improved his attack by eliminating wait periods between code guesses, retransmission of each code, and finally using a clever optimization that sent out overlapped codes. This means that the code will be tested when the opener receives a 12-bit code, and if it’s incorrect, the opener will then shift out one bit and pull in one bit of the next code transmitted. With all those changes, he was able to reduce the attack time from 1,771 seconds to a mere eight seconds. “So the garage actually tests: 011111100000 (incorrect) (chops off the first bit, then pulls in the next bit) 111111000000 (correct!) Meaning we sent 13 bits to test two 12-bit codes instead of sending a full 24 bits. Incredible!” Kamkar said. “What’s even more beautiful is that since the garage is not clearing an attempted code, a 12 bit code also tests five 8 bit codes, four 9 bit codes, three 10 bit codes, four 11 bit codes, and of course one 12 bit code! As long as we send every 12 bit code, the 8-11 bit codes will all be tested simultaneously.” Kamkar made use of an algorithm known as the De Bruijn sequence to automate this process. He then loaded his code onto a discontinued Mattel toy called IM-ME. He later tested the device against a variety of garage door openers and discovered that the technique worked on systems manufactured by several companies, including Nortek and NSCD. It also works on older systems made by Chamberlain, Liftmaster, Stanley, Delta-3, and Moore-O-Matic. “I don’t think there’s any solution to having a really small key space. Upgrade is the only solution. Unfortunately the upgrades have their own set of problems, but no where nearly as bad,” Kamkar said via email. Kamkar has released the source code for the OpenSesame attack. However, it intends it to serve as a warning, not a how-to manual. In fact, he has also disabled the code so that criminals are not able to use it. He refrained from commenting on exactly how he has disable his exploit. OpenSesame is just the latest in a long string of creative projects from Kamkar, who gained popularity in 2007 when he launched a MySpace worm—which was later known as the Samy worm—that added more than a million friends to his account in an hour. A tool called KeySweeper, released by him earlier this year is a $10 USB wall charger that can record keystrokes from wireless keyboards. Last year, he had released a project called SkyJack that could forcibly disconnect drones from their controllers and make them connect to his drone. He has also built a 3-D printed robot that can open Masterlock combination locks in seconds.
Kamkar said it took him quite a bit of time to get this attack in working order; however, he was not working on it full time, he said. “I got all of this working late last year (2014). I just kept improving the attack over time and honestly, getting the pink toy working was the longest part. Using existing RF hardware to employ the attack takes seconds or minutes if you know what you’re doing, but making a mobile version on a very small hardware budget (very little memory to produce a lot of data) took many nights, on and off,” Kamkar said. People who still use a fixed code system for their garage door should seriously think of upgrading to a more secure rolling code receiver. But Kamkar hints that he is working on another hack that would spread his attack to rolling codes, too, although he is not yet ready to divulge any details about it. In the event the rolling code hack turns out to be successful, there may be no such uncomplicated and easy answer for garage door security. “It’s a sticky situation. I haven’t even figured out what I’m supposed to do to my own garage,” Kamkar says. “I don’t have a great solution for anyone, including myself.”