25 July 2016
How easy it is to hack your home’s gate remote

Technology by mytohost

It is easy for criminals to attack fixed-code garage and gate remote systems, according to security researchers.

Using a technique known as a replay attack, someone could listen for the code your remote sends to your gate or garage door motor.

Because this code never changes in fixed-code systems, an attacker can record it and replay it later to open your gate.

Information security enthusiast Andrew MacPherson has written about the technical implementation of fixed-key replay attacks.

MacPherson said there are also other ways to attack fixed-code systems, citing research from Samy Kamkar regarding a device he calls OpenSesame.

Guessing the key of a fixed-code system

Kamkar said fixed-code remote systems suffer from a limited number of unique codes.

Even remotes considered to support a high number of possible combinations only have 12 DIP switches, which translates to 4,096 unique keys.

An attacker who searches all the combinations in the 8-bit, 9-bit, 10-bit, 11-bit, and 12-bit keyspaces would take just under 30 minutes.

Trying different frequencies and baud rates means the keyspaces have to be searched a few times over.

This means an attacker can guess your key, even without listening to your gate remote.

Hack a gate remote with bit-shifting

Kamkar then discovered a vulnerability in several fixed-code systems that let him cut the time it takes to guess a key by 99.5%.

He found that automated opening systems don’t discard an incorrect code attempt and start over; instead they shift each new bit into a register and test whether the last bits received match the key.

It is therefore possible to send 13 bits of data to test two 12-bit codes, instead of having to send 24 bits.

With this technique, a 12-bit code also tests five 8-bit codes, four 9-bit codes, three 10-bit codes, and two 11-bit codes while testing the 12-bit code.

Kamkar also found an algorithm to get the shortest possible sequence of bits to exploit the shift register.

Dutch mathematician Nicolaas Govert de Bruijn developed the concept, called the De Bruijn sequence.

Using the sequence, Kamkar was able to build a device from a Mattel toy that tests every key for a 12-bit remote in 8.214 seconds.
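The following model, added here as an illustration and not code from the article or from Kamkar’s OpenSesame, shows why the shift-register matching described above is the weakness: a receiver that tests after every bit is exhausted by a De Bruijn sequence of 2^12 + 11 bits, while a receiver that discards a mismatched frame and starts over (a hardened design) needs 12 × 4,096 bits to be exhausted. The receiver models and the sample bit strings are constructed assumptions, not any vendor’s implementation.

```python
"""Fixed-code receiver models: shift-register matching versus framed matching.

Constructed example. A shift-register receiver compares its last n bits with the
fixed code after every incoming bit; a framed receiver only compares whole n-bit
frames and discards a mismatch, so overlapping windows do not count as attempts.
"""


def de_bruijn_bits(n):
    """Binary De Bruijn sequence B(2, n), linearised so that every n-bit window
    appears exactly once (length 2**n + n - 1). Standard FKM construction."""
    a = [0] * (2 * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, 2):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq + seq[:n - 1]


def shift_register_windows(bits, n):
    """Distinct codes a shift-register receiver tests: one n-bit window per bit received."""
    return {tuple(bits[i:i + n]) for i in range(len(bits) - n + 1)}


def framed_windows(bits, n):
    """Distinct codes a framed receiver tests: it discards a mismatched n-bit frame and starts over."""
    return {tuple(bits[i:i + n]) for i in range(0, len(bits) - n + 1, n)}


def bits_to_exhaust(n):
    """Bits needed to try every n-bit code: (shift-register receiver, framed receiver)."""
    return len(de_bruijn_bits(n)), n * 2 ** n


if __name__ == "__main__":
    n = 12
    seq = de_bruijn_bits(n)
    print("sequence length:", len(seq))
    print("codes covered, shift register:", len(shift_register_windows(seq, n)))
    print("codes covered, framed receiver:", len(framed_windows(seq, n)))
    print("bits to exhaust keyspace:", bits_to_exhaust(n))
```

Rolling-code remotes remove the problem entirely, since no fixed 12-bit value opens the gate twice; for fixed-code receivers, framing and resetting on mismatch is what takes the overlap shortcut away.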

Not all remote vendors are affected by this vulnerability, and many have fixed this issue in newer products.

How the Gate Remote Bit-Shifting Exploit Works