IM-ME Hack to Open Garages | Hackaday

If you have a wireless garage door opener, a child's toy can open it in seconds. [Samy Kamkar] is a security researcher who likes to "think bad, do good". He built OpenSesame, a device that can wirelessly open almost any fixed-code garage door in seconds, using a new attack he discovered against fixed-code wireless devices and implemented on the Mattel IM-ME toy.

The attack only works on gates and garage doors that use "fixed codes". To protect yourself, all you need to do is upgrade to a system that uses rolling codes, hopping codes, Security+ or Intellicode. Those are not foolproof, but they do defeat the OpenSesame attack along with the traditional brute-force attacks. At least a few vendors still sell vulnerable products, and a few more have older product lines that are also affected.

Before you read any further, a word of warning: the code [Samy] released is intentionally crippled to prevent misuse. It almost works, but not quite. If you are an RF and microcontroller expert you could fix it, but then you wouldn't need his help in the first place, would you?

The IM-ME is a discontinued toy that Mattel no longer makes, but it can still be picked up on Amazon or eBay if you're lucky. The Radica Girltech IM-ME texting toy has been widely hacked and documented, which is not surprising since it sports a TI CC1110 sub-GHz RF chip, an LCD, a keyboard, a backlight and more. A good starting point is the GoodFET open-source JTAG adapter, followed by the work of [Travis Goodspeed], [Dave] and [Michael Ossmann].

One problem with fixed-code systems is their limited key space. For example, a remote with 12 binary DIP switches supports 12 bits' worth of combinations. Since it's binary and 12 bits long, that's 2^12, or 4096 possible codes. With a little math, [Samy] shows that it takes 29 minutes to open an 8- to 12-bit garage door, assuming you already know the frequency and baud rate, both of which are fairly standardized. If you have to try several frequencies and baud rates, the time is a multiple of 29 minutes. If you don't transmit each code multiple times and remove the pauses between codes, the whole exercise takes 3 minutes.

The weak link in the hardware is how the shift register that decodes the received code works. Each bit is loaded into the register sequentially, shifting the earlier bits along as new ones arrive and pushing the oldest ones out, and the register is compared against the stored code after every shift rather than only after a complete, framed transmission. That means every transmitted bit effectively tests a new candidate code. Combining that with an algorithm [Samy] wrote based on the De Bruijn sequence, the entire brute-force attack completes in just over 8 seconds. OpenSesame uses this algorithm to produce every possible 8- to 12-bit code as overlapping windows of a single bitstream, in the least possible time.
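To make the shift-register argument concrete, here is an added Python example; it is not [Samy]'s OpenSesame code. It builds the binary De Bruijn sequence B(2, 12), appends the 11 wrap-around bits, and checks against a model of an n-bit shift-register receiver that every 8- to 12-bit fixed code appears somewhere in that one 4107-bit stream. The receiver model (compare after every shifted-in bit, no framing, no reset) and the bit count for the naive back-to-back attack are assumptions made for illustration, and since the page gives no bit timing the example counts bits rather than seconds.

```python
"""De Bruijn brute force of a fixed-code shift-register receiver (added example)."""
from typing import List, Optional


def de_bruijn(k: int, n: int) -> List[int]:
    """Return the De Bruijn sequence B(k, n) as a list of symbols (length k**n).

    Uses the standard FKM construction (concatenation of Lyndon words). Every
    n-symbol string over the alphabet 0..k-1 occurs exactly once as a cyclic window.
    """
    a = [0] * (k * n)
    seq: List[int] = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def brute_force_stream(max_bits: int) -> List[int]:
    """Bitstream containing every 1..max_bits-bit code as a contiguous window.

    B(2, max_bits) is cyclic, so the last max_bits-1 windows wrap around; appending
    the first max_bits-1 bits turns those into ordinary linear windows.
    """
    seq = de_bruijn(2, max_bits)
    return seq + seq[:max_bits - 1]


class ShiftRegisterReceiver:
    """Assumed model of a fixed-code receiver: an n-bit shift register that is
    compared with the stored code after every incoming bit, with no framing,
    no bit counter and no reset between codes."""

    def __init__(self, code_bits: int, code: int) -> None:
        self.code = code
        self.mask = (1 << code_bits) - 1
        self.register = 0
        self.opened_at: Optional[int] = None  # 1-based bit count at first match

    def feed(self, bit: int) -> bool:
        """Shift one received bit in; return True the first time the door opens."""
        self.register = ((self.register << 1) | (bit & 1)) & self.mask
        return self.register == self.code


def bits_to_open(stream: List[int], code_bits: int, code: int) -> int:
    """Number of bits the attacker must send before the receiver opens (-1 if never)."""
    rx = ShiftRegisterReceiver(code_bits, code)
    for i, b in enumerate(stream):
        if rx.feed(b):
            rx.opened_at = i + 1
            return rx.opened_at
    return -1


def covered_codes(stream: List[int], code_bits: int) -> set:
    """Every code_bits-bit value that an n-bit shift register holds at some point
    while the stream is clocked in (only counted once a full window has arrived)."""
    mask = (1 << code_bits) - 1
    reg, seen = 0, set()
    for i, b in enumerate(stream):
        reg = ((reg << 1) | b) & mask
        if i >= code_bits - 1:
            seen.add(reg)
    return seen


def covers_all_codes(stream: List[int], min_bits: int, max_bits: int) -> bool:
    """True if every fixed code of every length min_bits..max_bits is in the stream."""
    return all(len(covered_codes(stream, n)) == 2 ** n for n in range(min_bits, max_bits + 1))


def naive_bit_count(min_bits: int, max_bits: int) -> int:
    """Bits sent by the naive attack: each code once, back to back, no retries, no gaps."""
    return sum(n * 2 ** n for n in range(min_bits, max_bits + 1))


if __name__ == "__main__":
    stream = brute_force_stream(12)
    print("De Bruijn stream bits:", len(stream))            # 4107
    print("naive attack bits:    ", naive_bit_count(8, 12))  # 88576
    print("covers all 8-12 bit codes:", covers_all_codes(stream, 8, 12))
    # Arbitrary constructed codes, as if read off a remote's DIP switches.
    print("12-bit code 0b101101010110 opens after", bits_to_open(stream, 12, 0b101101010110), "bits")
    print("8-bit code 0xA5 opens after", bits_to_open(stream, 8, 0xA5), "bits")
```

Sending every 8- to 12-bit code once, back to back, costs 88576 bits; the De Bruijn stream covers the same codes in 4107 bits, roughly 21 times fewer, which is in line with the gap between the 3-minute and 8-second figures above. The example also shows why the shorter code lengths come for free: every 8-bit string is a prefix of some 12-bit window, so one 12-bit sequence serves all five lengths. The attack depends entirely on the receiver comparing after every shift; a receiver that requires a preamble, a fixed-length frame or a reset between codes does not get a new candidate per bit and would need the slower per-code approach.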

You can see how the code works by checking it out on Github. [Samy] likes this kind of investigation: check out his combination lock cracker that we covered recently, his creepy wall wart that sniffs keystrokes, and SkyJack, the drone that hijacks other drones.

