OpenSesame is a great way to hack into garages because it reduces the time needed to guess the code to open the garage (passing from minutes to just 10 seconds).
“OpenSesame is a device that can wirelessly open virtually any fixed-code garage door in seconds, exploiting anew attack I’ve discovered on wireless fixed-pin devices. Using a child’s toy from Mattel.” Kamkar explained.
“Now in a common garage and clicker, we’re going to be using between an 8-12 bit code, and we see a single click sends the same code 5 times, and we see each ‘bit’ takes 2ms to send, with a 2ms wait period per bit after the entire code is sent. So a single 12-bit combination takes (12 bits * 2ms transmit * 2ms wait * 5 times = 240ms),” Kamkar explained.
Kamkar started with a normal brute-force attack, that took around 29 minutes, but he felt there was a need to reduce the time, so he stopped retransmitting each code. This trick allowed him to reduce the time to 6 minutes what was a great improvement, but he wasn’t happy yet so the next step was eliminating the waiting period between sent codes.
In this way he was able to reduce the attack to 3 minutes, what is a great time, but he didn’t stop there, and realized that many door openers use a technique called ” bit shift register”, meaning that when receiving a 12-bit code the opener will try to run a code, if incorrect it will shift out one bit and pull in one bit of the next code transmitted.
“So the garage actually tests: 011111100000 (incorrect) (chops off the first bit, then pulls in the next bit) 111111000000 (correct!) Meaning we sent 13 bits to test two 12-bit codes instead of sending a full 24 bits. Incredible!” continues Kamkar.
“What’s even more beautiful is that since the garage is not clearing an attempted code, a 12 bit code also tests five 8 bit codes, four 9 bit codes, three 10 bit codes, four 11 bit codes, and of course one 12 bit code! As long as we send every 12 bit code, the 8-11 bit codes will all be tested simultaneously.”
Kamkar implemented the De Bruijn sequence algorithm to automate guessing process and then loaded the code onto a now-discontinued toy called the Mattel IM-ME. The toy was originally designed as a short-range texting device for children, but the expert succeded reprogramming it using the GoodFET adapter built by Travis Goodspeed.
When finished, Kamkar tested the device in many garage doors and understood that the technique was working in many manufacture garage doors (Nortek NSCD. Chamberlain, Liftmaster, Stanley, Delta-3, and Moore-O-Matic) .
Samy Kamkar is known to be a great researcher and ethical so even if he released the source code to the OpenSesame attack, he modified enough to not be able to work, since he doesn’t want criminals to start using it.
The source code for the OpenSesame attack is available on GitHub.
Test it if you can and … upgrade your garage door opener.
About the Author Elsio Pinto
(Security Affairs – OpenSesame, hacking)