Most of us may find it hard to believe that a hacked kid’s toy can open a garage door in less than ten seconds. However, a security researcher has built a new tool, dubbed OpenSesame, an app for the hacked IM-ME texting toy that can open millions of fixed-code garage doors in less than a minute.
Samy Kamkar claims that the toy can open any garage door that uses an insecure “fixed code” system for its wireless communication with a remote.
The researcher reprogrammed the children’s toy, a Radica Girl Tech IM-ME designed for short-distance texting.
The toy, which serves as the remote control, also happens to be pink, Kamkar’s favorite color.
With a fixed-code garage door opener, the remote control always transmits the same 8- to 12-bit binary code. For a 12-bit code, there are 4,096 possible strings of 1s and 0s.
That openers’ fixed codes can be cracked by brute force is a known issue, but doing so was believed to take longer. A typical clicker resends the same code 5 times, with a transmission time of 2 milliseconds per bit and an additional wait time of 2 milliseconds between bits.
The researcher calculated that iterating through all possible combinations of 8-, 9-, 10-, 11- and 12-bit codes would take 29 minutes.
However, he found that retransmitting the same code 5 times is unnecessary. Once he removed all the unnecessary bits, the researcher noticed that the time needed to brute-force a fixed garage door opener code dropped to 3 minutes.
To cut the time further, Kamkar found that the opener simply reads the first n bits it receives, where n is 8, 9, 10, 11 or 12 depending on the expected code length, and then keeps sliding that window along the incoming bits. For example, if the expected length were 3 bits and the opener received the sequence 101011, it would first try 101, then 010, then 101, and so on.
Building on this finding and on the work of Dutch mathematician Nicolaas Govert de Bruijn, Kamkar generated a de Bruijn sequence, in which every combination of bits appears only once as a contiguous window.
“OpenSesame implements this algorithm to produce every possible overlapping sequence of 8-12 bits in the least amount of time,” Kamkar said. “How little time? 8.214 seconds.”
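To make the article’s arithmetic concrete, here is an added Python example (not Kamkar’s code): it reproduces the 29-minute and 3-minute brute-force figures from the timings above, builds a de Bruijn sequence B(2,12), checks that every 8- to 12-bit code appears as a sliding window of it, and arrives at the 8.214 seconds quoted. The 2 ms per bit, 2 ms gap and 5 retransmissions are the article’s figures; treating the gap as added to every bit’s transmit time is an assumption made to match the 29-minute result.

```python
# Added example: reproduce the OpenSesame timing arithmetic from the article.
# Not Kamkar's code; timing figures are the ones the article quotes.
from itertools import product

BIT_MS = 2            # transmit time per bit (article)
GAP_MS = 2            # extra wait per bit in a typical clicker (article)
REPEATS = 5           # a typical clicker resends the same code 5 times (article)
CODE_LENGTHS = range(8, 13)   # 8- to 12-bit fixed codes


def naive_bruteforce_ms(repeats=REPEATS, per_bit_ms=BIT_MS + GAP_MS):
    """Send every 8..12-bit code separately, each `repeats` times."""
    return sum(2 ** n * n * per_bit_ms * repeats for n in CODE_LENGTHS)


def de_bruijn(k, n):
    """Linear de Bruijn sequence B(k, n): every length-n string over k symbols
    occurs exactly once as a contiguous window (standard Lyndon-word method)."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq + seq[:n - 1]   # unroll the cycle so wrap-around windows are explicit


def windows(bits, n):
    return {tuple(bits[i:i + n]) for i in range(len(bits) - n + 1)}


def covers_all_codes(bits, n):
    """True if every n-bit code occurs as a sliding window of `bits`."""
    return windows(bits, n) == set(product((0, 1), repeat=n))


def de_bruijn_ms(n=12, per_bit_ms=BIT_MS):
    """Time to send one B(2, n) sequence once at 2 ms/bit; the 12-bit sequence
    also contains every shorter code, since each is a prefix of some 12-bit code."""
    return len(de_bruijn(2, n)) * per_bit_ms


if __name__ == "__main__":
    print(f"naive, 5 repeats, 4 ms/bit: {naive_bruteforce_ms() / 60000:.1f} min")
    print(f"naive, 1 send, 2 ms/bit:    {naive_bruteforce_ms(1, BIT_MS) / 60000:.1f} min")
    seq = de_bruijn(2, 12)
    print(f"B(2,12): {len(seq)} bits, covers all 8..12-bit codes:",
          all(covers_all_codes(seq, n) for n in CODE_LENGTHS))
    print(f"de Bruijn transmission: {de_bruijn_ms() / 1000:.3f} s")
```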
Newer garage door openers, such as those that use Intellicode, are not vulnerable to the attack.
“Vulnerable products are still sold by some manufacturers and many discontinued ones are likely still in use,” the researcher said.
He published proof-of-concept code for the attack on GitHub, but left it intentionally incomplete to avoid abuse by criminals.
“It almost works, but just not quite, and is released to educate,” he said. “If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn’t need my help in the first place, would you.”