How to Hack a Garage Door in Under 10 Seconds and What You Can Do About It - ITS Tactical


By The ITS Crew


We’ve talked in depth about garage doors and their vulnerabilities on ITS, but today we wanted to highlight a discovery made by Samy Kamkar using a children’s toy and some common materials. The device he’s created, dubbed the OpenSesame, can open a garage door using a brute force attack in less than 10 seconds.

How Garage Door Openers Work

Before we get into the details of the vulnerability, let’s explain a bit about how automatic garage door openers developed. The first electric garage door opener was introduced in 1926, but didn’t gain in popularity until after World War II. These openers usually involved a wired switch being run from the door motor to a keypad or button that could be pressed from inside the vehicle. As technology improved, the wireless remote was created and used radio signals to transmit a code from the remote control to the opener itself. Once the code was transmitted, the opener would receive it and run the motor to draw the door up or down.


In the 1960s, as automatic openers were more widely adopted, it was discovered that the doors all used the same code. Since the doors used the same signal and code, any remote could open any door. Thieves quickly discovered that by purchasing a few remotes from different manufacturers, they could open nearly any door. This led the garage door industry to introduce new openers that featured changeable codes.

Don’t Be a Dip Switch

Manufacturers wanted to design an opener with a code that could be set by the owner in case they needed to replace or add new remotes. These new programmable openers featured a series of 8-12 dip switches that could be set in the up or down position to create a unique code. This meant that for an 8 switch remote there were 2^8 or 256 possible codes and on a 12 switch remote there were 2^12 or 4,096 possible codes. This greatly decreased the chances of the door’s code being matched by a thief armed with a standard remote, as they would need to sit outside and physically set each dip switch and test the new code.

This might sound like a large number of possible codes but in binary terms, it’s not much. In fact, using a two character alphanumeric password would be more secure than this and would provide more combinations.

Do the Math

The method that Samy Kamkar used to attack this type of garage door was a brute force attack, in which he sent every possible code (4,096) to the door until it opened. The device he used to perform this brute force attack was a slightly modified IM-ME children’s toy. He found that if he transmitted each code five times with a wait period after each code, he could transmit every possible code to the door in about 29 minutes. That’s a pretty scary fact as theoretically, a thief could sit in a car outside your home for that long without being noticed. Unfortunately, that’s not the worst of it, as Samy discovered that he could dramatically shorten the length of time it took to open the door using math.

Samy found that by transmitting each code only once rather than five times, the time was reduced to 6 minutes. Many times, remotes transmit the code multiple times in case of interference, but there’s rarely ever any, so transmitting it once seems to work just fine. Not only that, he also discovered that removing the wait times between the codes took the time down to 3 minutes. So if there wasn’t a wait time between codes, how could the opener know when one code stopped and another began?


The answer lies in the fact that the openers use what’s called a bit shift register: each received bit is shifted in, and the opener only checks whether the most recent bits match the actual code. This is a very insecure way to check the code. Because the opener has no defined start and end point for a code, it is effectively testing every overlapping run of bits in the stream, which dramatically decreases the overall time it takes to send all the codes to the opener.

Knowing that the opener used a bit shift register, Kamkar was able to apply a De Bruijn sequence to transmit all possible codes much more quickly and managed to take the total time down to just 8.7 seconds.
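To see why the missing start and end point matters, the check can be modelled in software. This is an added example, not code from Samy Kamkar or ITS; the function names and the framed receiver used for comparison are hypothetical, and nothing here deals with radio transmission.

```python
def de_bruijn(k, n):
    """Cyclic De Bruijn sequence B(k, n) via the standard Lyndon-word construction."""
    a, seq = [0] * (k * n), []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return seq


def unframed_receiver(bits, n):
    """Shift-register check: compare the last n bits after every bit shifted in."""
    mask, reg, seen = (1 << n) - 1, 0, set()
    for i, bit in enumerate(bits):
        reg = ((reg << 1) | bit) & mask
        if i >= n - 1:          # register is full from here on
            seen.add(reg)
    return seen


def framed_receiver(bits, n):
    """Hypothetical receiver that only evaluates whole n-bit words at fixed boundaries."""
    seen = set()
    for start in range(0, len(bits) - n + 1, n):
        word = 0
        for bit in bits[start:start + n]:
            word = (word << 1) | bit
        seen.add(word)
    return seen


N = 12                                   # 12 dip switches, 4,096 codes
stream = de_bruijn(2, N)
stream = stream + stream[:N - 1]         # unroll the cyclic sequence
naive_bits = (2 ** N) * N                # every code sent separately, once

if __name__ == "__main__":
    print("separate codes:", naive_bits, "bits")
    print("overlapping stream:", len(stream), "bits")
    print("codes matched, unframed:", len(unframed_receiver(stream, N)))
    print("codes matched, framed:  ", len(framed_receiver(stream, N)))
```

The unframed model sees every one of the 4,096 codes in a stream roughly one twelfth the length of sending them separately, while the framed model sees only the words that happen to fall on a boundary.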

Preventing the Attack

Luckily, most automatic openers today aren’t affected by this exploit since they use “Rolling” codes, where the code is changed every time the door is opened. However, there are some manufacturers that are still producing openers with dip switches. These manufacturers include Nortek / Linear / Multi-Code and NSCD/North Shore Commercial Door. Older models from vendors such as Chamberlain and Liftmaster can also be vulnerable so you should double check to ensure that your door does not feature this technology.

garage-door-hack-01

The best method to check your opener is to check the remote. If you open the remote and find dip switches, you should upgrade the opening system immediately. Look for a system that offers Rolling Codes, Hopping Codes, Intellicode or Security Plus. The remote above is a good example of a Rolling Code remote because it lacks dip switches. These technologies don’t rely on a fixed code and are harder to hack. Keep in mind though that nothing is foolproof, so you should design your security around that.


Discussion

  • The Complete Combatant

    Great post!

  • Nick Kefalides

    Chris Topher

  • Any suggestions on how this might be done more cheaply. Replacing a perfectly functioning door opener system on the off-chance that it might matter seems wasteful.

    • kazzerax

      InklingBooks It’s about as wasteful as replacing your front door when it will only latch closed, but not lock.

  • Conor Lansdale

    Tom and Chuck FYI

  • Matthew Fisher

    Just fyi that first video is an ad for some product. Check out the 2nd for a cheap solution

  • Bret Turner

    I have a vacation switch at night that kills power to the opener and the door that penetrates the house triggers the alarm during the day just in case.

  • bart

    Wait a minute.  If the exploit only works for obsolete dip switch openers, then only an amateur opportunist would attempt to use it.  A determined professional is going to work to defeat what you have, not just look for an available target that their tool works on.  If I have to replace my opener(s) just to stop an opportunist looking for an easy target, I should stop and think about what opening my garage does first.  For one thing, it constitutes burglary.  Stealing the hose out of my yard is one thing, but once they enter the house or garage, they’ve graduated to felony burglary.  And what is my risk?  My risk is the deductible on my homeowners insurance.  Does my insurance offer a discount for having upgraded openers?  No.

    Now apply the same reasoning to the car. If someone takes something, it’s theft or larceny.  If they take the car, it’s grand theft.  Homeowners insurance covers your property in the car, and comprehensive car insurance covers the car.  The fancy electronic chip and code keys just cost you money.  The key for my wife’s car cost me $240 and I had to apply for it at the dealership, which then requests it from the manufacturer (MB).  There’s no aftermarket.  Does it offer me more protection?  No.  The car can still be broken into and the contents stolen, or the car towed and stripped for parts.  All the fancy code key does is take my money.

    Suppose you don’t want insurance.  That’s fair.  Just don’t depend on a mass-produced product that is easily identifiable to provide your property’s security.  Anyone approaching your property has already identified it and is obviously prepared to defeat it or they wouldn’t bother.  They’re not going to stand there for 29 minutes screwing around figuring out what they’re going to do.  If they came prepared to do nothing else in 10 seconds, they’ll break the window of your car or garage and enter it.  Oh you have an alarm.  But alarms don’t get your property back.

  • Gary Puntman

    Without the right security, garage doors can be pretty easy to open.  This makes me want to find a new garage door opener that will be more secure.  I have some valuable things in my garage that I would hate to have stolen. http://lipebrothersgaragedoors.net/services.html

  • StevenHarrison

    Thanks for describing the dip switches. It’s good to be able to check my remote for vulnerabilities. It’s interesting that this vulnerability was found by thieves in the first place. http://www.crosstowndoors.ca/products.html

  • FredSummers

    I think it is so interesting how diligent you need to be to keep safe. It is so simple to check if you have the older garage door openers. It is important to keep up to date on these things especially with electronics. Thanks for sharing these safety tips. http://www.garagedoors4u.com.au/

  • April Williams

    This is some really good information for homeowners to know about. It would be smart to make sure that your garage door is secure and safe. That way you don’t have to worry about people getting in through that point. I think one of the best things you can do is to have a strong door for your garage. http://www.gregjamesgaragedoors.com.au/services/

  • RaylinSutter

    My garage door was recently hacked and several things were stolen from it. They also left the garage door broken and it was in need of repair. However, I am also interested in making sure that this doesn’t happen again. What is the best way to make sure that someone can’t hack into it? http://www.smarrdoors.com/service.html

  • zzth1

    I don’t know many people that know how to do this type of hacking on a garage door. Basically, if you don’t live in a bad neighborhood or have valuables that people can see, you won’t really have that problem. I think it is interesting how easy you can get into an automatic garage door. I also think that it depends on the model of the garage door too. http://www.blaxlandhomeservices.com.au

  • PaulEdlin

    Hi Samy.

    This is a genuine question. I am based in New Zealand and own a garage door business repairing residential garage doors. One of your hacking tools would be an asset to our business for genuine reasons I can elaborate on further. Would you make one for us that we can purchase?
    Our website is ledoors.co.nz and I would love to hear from you. Any chance you can flick me an email at [email protected]?

    Regards,

    Paul

  • robertsteel685

    You need a hacker to go to for all of your cyber issues, then robertcartercasting on outlook mail is the one you should consult or text +1 928-323-3115

    • yobro75

      robertsteel685 yeah i am going to fucking trust a random GodKnowsWho stranger on the Internet to take care of my “cyber issues”. Fuck yeah!

  • menardk

    yeah but even rolling code openers can be cloned right?

  • Do not run this risk of injuring yourself to save a few bucks. Leave this work to someone who knows what he is doing. Visit plz http://www.sarasota-garagedoor.com/garage-door-spring-replacement-.html

  • If your current garage door opener is not equipped with a safety reversing mechanism, or has one but is defective, it is highly recommended that you replace it with a new one. For more details, you can also navigate to this site
