Open garage-doors in less than a minute with a hacked kid's toy

Applied Hacking's Samy Kamkar (previously) has released Opensesame, an app for hacked IM-ME texting toys that can open millions of fixed-code garage doors in less than a minute.

These garage-doors have laughably weak security — fewer possible codes than a two-character password! — but Kamkar has also used some clever optimizations to get through the possible keys and frequencies very quickly.

His video explains how to test whether your garage-door is vulnerable.

The fixed-code garage door remotes Kamkar tested use at most 12 bit codes—that's 4,096 possibilities. In modern computer security terms, that's a trivial level of security: Kamkar calculates that a password with just two characters offers at least 5,184 possibilities. "Imagine if your bank only let you have a two character password," Kamkar says.

Using a straightforward cracking technique, it still would have taken Kamkar's program 29 minutes to try every possible code. But Kamkar improved his attack by taking out wait periods between code guesses, removing redundant transmissions, and finally using a clever optimization that transmitted overlapped codes, what's known as a De Bruijn sequence. With all those tweaks, he was able to reduce the attack time from 1,771 seconds to a mere eight seconds.

Even so, that eight-second attack only works for a single frequency; The hacker has to know which one the door uses and program it into OpenSesame. Kamkar says he's found different four frequencies for vulnerable garage doors he's tested, and OpenSesame can cycle through its brute-force attack on all four frequencies in less than a minute.

This Hacked Kid's Toy Opens Garage Doors in Seconds [Andy Greenberg/Wired]

Opensesame [Samy Kamkar/]