
OpenSesame – A device that can open fixed-code garage doors in seconds - gh0std4ncer
http://samy.pl/opensesame/
======
mrb
Three weeks ago I reverse-engineered my garage door opener wireless protocol.
I probed the remote's PCB with a Saleae logic analyzer and found it was a
12-bit code ASK-modulated at 390 MHz with bits encoded as sequences of 10 kHz
and 20 kHz pulses. I bought a $13 spare remote to hack it and control the RF
transmitter section from my computer through an FT232 sending the ASK signal.
I just cut off the digital signal trace going from the MCU to the RF
transmitter and hooked it to the FT232. I built a brute-forcer and it works
quite well. I do not have my notes at the moment, but IIRC one code takes 25.6
ms to be sent. And my manufacturer (Genie) seems to require the code to be
transmitted 4 times consecutively to open the door, that's 102.4 ms.
Multiplied by 4096 combinations, this gave me a brute-forcing time of 7
minutes.

I had tried Samy's exact attack to reduce the brute-forcing time but it did
not work at the time because I tried it before I discovered the code had to be
sent 4 times consecutively (5 times makes it more reliable due to RF
interference). So I am not surprised to see Genie absent from the list of
models Samy found vulnerable.

But I should try to find out the longest period of time during which these 4
repetitions of the code need to be sent. Maybe it does not have to be
perfectly consecutive, but it could be 4 codes received within an interval of
200 ms or 1000 ms. If so it might still be possible to build a modified De
Bruijn sequence that repeats codes 4 times while being only 4 times longer.

By the way it is very surprising a description of the 12-bit Genie protocol
does not appear to exist online. These remotes are so easy to reverse
engineer, so common (Genie is in the top 3 or top 4 most common openers), and
so old (the protocol has existed since 1985), you would think there would be
information about it online, but nope.

PS: I wonder if there could be commercial interest in cryptographically secure
garage door openers? A $0.50 ARM Cortex-M0 MCU is all you need to implement a
HOTP based on HMAC-SHA1. Then a simple learning/pairing system writing the key
in EEPROM can even sustain the battery being removed from the remote. But
there is probably no interest... which is why most remotes are insecure even
the "rolling code" ones.

(Edited to clarify some tech details.)
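The HOTP scheme sketched in the PS above, as an added example (not code from the thread or from Samy's project): an RFC 4226 HMAC-SHA1 counter code with the receiver-side look-ahead window that lets the opener resynchronise after button presses out of range. The `Remote`/`Opener` classes, the key and the window size are hypothetical; the pairing step that writes the key is not shown.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 0) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation. digits=0 keeps the full 31-bit value (a remote has no reason to
    shrink the code to the 6 decimal digits used for phone-based OTP)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code if digits == 0 else code % (10 ** digits)


class Remote:
    """Hypothetical remote: key persisted from pairing, counter advances per press."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> int:
        code = hotp(self.key, self.counter)
        self.counter += 1          # never reused, so a captured code is useless later
        return code


class Opener:
    """Hypothetical receiver: accepts the next code within a look-ahead window
    (RFC 4226 section 7.4 resynchronisation) and rejects anything older."""

    def __init__(self, key: bytes, look_ahead: int = 20) -> None:
        self.key = key
        self.counter = 0           # next counter value we expect
        self.look_ahead = look_ahead

    def verify(self, code: int) -> bool:
        for i in range(self.look_ahead):
            if code == hotp(self.key, self.counter + i):
                self.counter += i + 1   # this and every earlier code now fail
                return True
        return False               # out of window: remote must be re-paired


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; real key comes from pairing
    remote, opener = Remote(key), Opener(key)
    first = remote.press()
    print(opener.verify(first), opener.verify(first))   # accepted, then replay refused
```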

~~~
at-fates-hands
>>> I wonder if there could be commercial interest in cryptographically secure
garage door openers?

Probably not. Mainly because breaking a window or crowbarring a door is a lot
less expensive and a lot faster.

~~~
tptacek
Was thinking about making the same comment. People throw cinderblocks here to
get garage doors open. Until recently, we deliberately kept ours unlocked (if
we're going to get burglarized, at least we'd like to keep the doors on the
hinges).

~~~
marincounty
I had to do that when I worked in San Francisco. I just left it open with a
note, "Please take a nap in here, whatever, just don't break anything." I did
put a kill switch in that mechanics can't figure out. It wasn't the stupid
radio I cared about, it was repairing the windows.

------
zimbu668
> It may be time to upgrade your garage door opener.

If you're worried about this, make sure your garage door can't be opened with
a coat hanger as well:

[http://lifehacker.com/5549366/how-to-unlock-your-garage-door...](http://lifehacker.com/5549366/how-to-unlock-your-garage-door-from-the-outside-and-how-to-prevent-it)

Also most of your door locks can probably be opened in a few seconds with the
right tools+experience:

[http://en.wikipedia.org/wiki/Lock_bumping#Use_by_criminals](http://en.wikipedia.org/wiki/Lock_bumping#Use_by_criminals)

[http://www.carkeywholesale.com/wholesale/new-cordless-electr...](http://www.carkeywholesale.com/wholesale/new-cordless-electric-pick-gun.html)

Of course someone could always just throw a brick through a window.

~~~
kbenson
Exactly like computer security, it's not about making it impossible to gain
entrance[1], it's about making it both inconvenient _enough_ and require
_enough_ skill that it takes longer or is more noticeable, making it more
likely the intruder will be noticed, thus raising the likelihood they will be
caught.

That said, a few seconds is a pretty low bar. Commodity locks should be better
than this, for all our sakes.

1: This applies to anything where _someone_ has access. It's trivial to come
up with ways to secure things that need no ingress/egress whatsoever.

~~~
mattmaroon
While locks don't keep skilled criminals out, you'd be shocked how many
unskilled ones there are. Meth/crackheads routinely go around twisting
doorknobs in apartment complexes or pulling on car handles just hoping to find
something unlocked so they can steal whatever is there. They (usually) don't
break and enter, but if they happen upon an unlocked door they'll walk in and
steal anything.

~~~
vacri
Not that this is a common attack, but to add to the stew - I knew a guy who
left his leather jacket in his car, which was a soft-top convertible. The
jacket thief simply sliced open the top and took the jacket.

These days I just tell people to consider the inside of their car a public
place, and never to leave anything in there that you wouldn't leave lying on
your front fence or similar. There are simply too many ways for people to get
into cars to win that game, and ultimately, few things will stop a thief who's
willing to damage the car (hammer through a window, or knife through a soft-
top, for example).

~~~
sgustard
A car is like a glass vault on wheels. That's at least two weaknesses right
there.

------
murbard2
The Wikipedia article doesn't mention this, but the de Bruijn sequence can be
computed greedily.

Start with 000...0, keep appending the largest digit possible that doesn't
produce a code that's already been used and you'll go through all the codes.
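The greedy construction described in this comment, together with the 12-bit timing figures from mrb's comment above, as an added example (not code from the thread or from Samy's project): it builds the binary De Bruijn sequence B(2, 12), checks that all 4096 codes appear as windows, and compares the airtime of a full sequence with sending each code separately. The per-bit rate is assumed to be the 25.6 ms per 12-bit code divided evenly over the bits, and the receiver is assumed to match on every sliding 12-bit window, which is the premise of the attack the thread discusses.

```python
def de_bruijn_greedy(k: int, n: int) -> str:
    """Greedy 'prefer-largest' construction (Martin, 1934): start with n copies
    of 0, then keep appending the largest symbol whose new n-symbol window has
    not appeared yet. Terminates when no symbol extends the sequence, at which
    point every one of the k**n windows has been used exactly once."""
    seq = [0] * n
    seen = {tuple(seq)}
    while True:
        tail = seq[len(seq) - n + 1:] if n > 1 else []
        for d in range(k - 1, -1, -1):
            window = tuple(tail + [d])
            if window not in seen:
                seen.add(window)
                seq.append(d)
                break
        else:
            return "".join(map(str, seq))


def distinct_windows(seq: str, n: int) -> int:
    """Number of distinct length-n substrings; equals k**n when every code appears."""
    return len({seq[i:i + n] for i in range(len(seq) - n + 1)})


def naive_time_s(n_bits: int, code_ms: float, repeats: int = 1) -> float:
    """Airtime to send every n-bit code separately, each one `repeats` times
    (mrb's figure: 4096 codes x 25.6 ms x 4 repeats)."""
    return 2 ** n_bits * code_ms * repeats / 1000


def de_bruijn_time_s(n_bits: int, code_ms: float) -> float:
    """Airtime of one B(2, n) sequence, 2**n + n - 1 bits, at the same bit rate."""
    bit_ms = code_ms / n_bits
    return (2 ** n_bits + n_bits - 1) * bit_ms / 1000


if __name__ == "__main__":
    seq = de_bruijn_greedy(2, 12)
    print(len(seq), distinct_windows(seq, 12))
    print("naive x4:", round(naive_time_s(12, 25.6, 4), 1), "s")
    print("de Bruijn:", round(de_bruijn_time_s(12, 25.6), 2), "s")
```

The gap between the two airtimes is the whole story of why a fixed 12-bit code is not a credential: the entire keyspace fits in a single short transmission.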

------
ook
"but most of all, samy is my hero"

Context -
[http://en.wikipedia.org/wiki/Samy_(computer_worm)](http://en.wikipedia.org/wiki/Samy_\(computer_worm\))

------
phkahler
The "De Bruijn sequence". I was wondering what that was called, since I
realized it's optimal for creating IFS fractals. I figured it must have a
name. Yay!

------
unoti
Which should I consider more insecure: my garage door, or the deadbolt on my
front door? I wonder how commonly lock picking is used in crimes. I've picked
a lock before myself, but I have no real idea how effective locks are in
stopping people that want to commit house thefts.

I expect an automated garage door opener is much easier to use than a lock
pick though, and probably easier to produce and distribute than lock picks. So
I shouldn't consider garages as secure.

~~~
jandrese
My parents did the thing where they put keyed deadbolts on all of the doors.
So when someone wanted to break in they broke the glass on the door,
discovered the deadbolt, broke the glass on another door and discovered the
deadbolt, then broke the glass on a third door before yet again being foiled
by the deadbolt. Then they broke a window and stole our stuff anyway.
Apparently they were professional thieves too, since they were hitting half a
dozen houses each day while driving through the state. The cops finally caught
them when they were pulled over for driving on expired tags or something
stupid. They had robbed over 100 homes in two weeks before they were caught.

The only thing the deadbolts did was to make us replace three extra windows.

~~~
Joky
It reminds me of a friend who never locks his very old car so that no one will
break a window to see if there is something to steal inside.

~~~
billyhoffman
About 15 years ago, my aunt stopped locking her convertible. She used to, but
people would slit the closed top to reach in and unlock the door to look for
CDs and such to steal. A few hundred bucks to replace the top was way worse
than losing some change and such. Then she switched to a late 90's Miata which
had a lockable center storage bin/arm rest.

~~~
bitJericho
A relative of mine had to do the same. He's considering sticking those scary
spring snakes in the center console as retribution.

------
josep2
Time to enable two-factor authentication on my garage.

------
windexh8er
Very interesting. I used to work with an older gentleman who did RF comms in
the military and back in the early 2000s he used to tell me stories about his
random RF hacking. One such story was around a garage door opener he modified
with a potentiometer so he could test opening frequencies by rotating the
dial. Obviously this wouldn't work for the "newer" style openers.

I've recently purchased a HackRF to start to learn about RF technologies in
consumer grade "security" products like garage door openers, Z-Wave, wireless
home security systems, etc. I've realized that after watching the first (very
well done) video by Michael Ossmann on HackRF that it's not going to be
something easy to learn overnight.

While I'm sure this would be "easy" to do with HackRF given what I've read on
Samy's site, does anyone have any input on how/why using this recycled
hardware would be better in some regard?

~~~
samyk
Hi windexh8er, I chose this hardware because it's portable and convenient. It
would technically be much easier to carry out this attack with something like
rfcat via yardstick one, hackrf, etc, but I didn't want a USB based device and
no need to build my own device when something existed with everything I
needed! And did I mention it's pink?

~~~
windexh8er
Oh, don't get me wrong - I think it's awesome you're recycling and embrace
pink. Thanks for the insight though and, well, I partially answered my
question because in the 8th video Ossmann actually walks through all of this on
HackRF...

[http://greatscottgadgets.com/sdr/8/](http://greatscottgadgets.com/sdr/8/)

------
acd
Can't one just sniff the code from the airwaves with a GNU radio RF scanner?
Not that it is as cool as brute forcing it in 8 seconds but in some ways it
seems simpler and more universal.

------
unoti
Project idea: use a Raspberry Pi to control your garage door opener, and a
battery powered microcontroller in a remote to use a challenge-response scheme
to open a garage door.

------
fapjacks
I created a very similar device when I was 17. Back then though, most people
with openers had analog remotes. This was one of the first times in my life I
ever used (and subsequently purchased) a frequency counter. Oh, what excellent
memories.

------
tarikjn
That De Bruijn sequence is highly similar to the way DNA codons can be read.

------
pingec
Are there any arduino-based garage door brute forcing projects?

------
niels_olson
The classification markings (U) are a nice touch :)

------
untitaker_
Might as well post a more direct link:
[http://samy.pl/opensesame/](http://samy.pl/opensesame/)

~~~
noobie
The "source code" of [http://samy.pl](http://samy.pl) is quite interesting

    
    
        /*
        No source for you!
        *//
        /.source.replace(/.{7}/g,function(w){document.write(String.fromCharCode(parseInt(w.replace(/ /g,'0').replace(/	/g,'1'),2)))});

~~~
justaman
Nazi...

~~~
the-dude
This is a reference to 'The Soup Nazi' ( Seinfeld )

No soup for you!

~~~
justaman
Thanks Dude.

~~~
noobie
His name is Lebowski!

~~~
thanatropism
Say what you will about the tenets of National Soup-cialism, at least it's an
_ethos_.

