Garage Door Opener Wireless Code Compromised


apostolakisl

I thought this didn't happen anymore.  But it seems as though someone randomly got on the same code as our garage door opener.  This is a 6 year old rolling code Liftmaster garage door opener.  One day last week, I get a call from the wife while at work asking if I am messing with the house again.  She says her garage door kept opening and closing.  No, I wasn't.  My immediate assumption was that one of my HA gizmos was going cafluey.  So I came home and physically disabled the link to my elk which was the gateway to all HA.  It kept happening.  It only happened during the day while, perhaps coincidentally, a construction crew was at work next door.  After 2 days of this, I erased all the codes on the GDO and reprogrammed all the remotes.  Problem solved (it has been 4 days now).  So, it would seem, somehow the construction guys were using something with a rolling code that was on the same code sequence as I was.  This did not seem deliberate as no one ever tried to take advantage of it.  It only affected my wife's door, not our other two doors.

Link to comment

I had an old Genie that was opening and closing on its own, I emailed genie_info@geniecompany.com with the model number and after convincing them I was not crazy, or had a remote somewhere I was not aware of, they told me there was a connector to the receiver that I could disconnect and see if it happened anymore.  Which I did, and it didn't happen again.  But of course they did not have a new one to send me, so ended up having to buy a new opener.

Link to comment

Does anybody have knowledge of the methodology by which these GDO security codes work?

Seems to me the security codes were only 6 bit and the rolling code was a technique to make it appear more secure using a 1 of 32 possibility.

Years back pressing your mobile button as you drove down the street opened garage doors at random every few blocks with likely only one or two powered GDO on each block "back in them days."

It would be interesting to know how a security code is "rolled" each time it is used, when a second remote fob is not present while the first one last used and the security code is "rolled". Since generic and third party fobs can be used the "roll" doesn't sound too secret or varied either.

Link to comment

Is it possible your wife's visor/keyfob remote had a stuck button or a low battery?

No, we went through everything.  All of our openers are multi-button and the other buttons controlled the other 2 doors.  No probs with them and the other two doors.  We built this house 6 years ago and I know exactly everything that exists.

Link to comment

Does anybody have knowledge of the methodology by which these GDO security codes work?

Seems to me the security codes were only 6 bit and the rolling code was a technique to make it appear more secure using a 1 of 32 possibility.

Years back pressing your mobile button as you drove down the street opened garage doors at random every few blocks with likely only one or two powered GDO on each block "back in them days."

It would be interesting to know how a security code is "rolled" each time it is used, when a second remote fob is not present while the first one last used and the security code is "rolled". Since generic and third party fobs can be used the "roll" doesn't sound too secret or varied either.

You can google it and get a decent explanation.  But the basic idea is that the remote and the unit share a secret formula.  When you program the opener to work with a remote, it puts the current remote code into the memory of the opener.  Then every time it receives a code from that opener, it runs it through the formula and generates the next code.  The remote does the same and since they share the same formula, both will come up with the same new code.  Therefore, the number only works once and both the remote and opener move on to the next code in the sequence.  The opener actually will accept any one of the next 100 codes to allow for someone pushing the remote button and being out of range.  So you could push the button up to 100 times when out of range before you need to re-sync them.  Supposedly there are millions and millions of codes, so the odds of someone else matching the code is very small.

Link to comment
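The receiver-side logic described in the post above (one-time codes, a look-ahead window of 100, and erasing learned remotes), as an added example that is not from any poster or from an opener vendor. The "secret formula" is replaced here by a truncated HMAC-SHA256 over a press counter, which is an assumption for illustration and not the scheme any real opener uses; all class and function names are hypothetical.

```python
import hashlib
import hmac

WINDOW = 100  # look-ahead from the post: any of the next 100 codes is accepted

def code_for(secret: bytes, counter: int) -> str:
    """Stand-in 'secret formula' (assumption): truncated HMAC of the press counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:8]  # 32-bit code

class Remote:
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0
    def press(self) -> str:
        self.counter += 1  # advances even when the opener is out of range
        return code_for(self.secret, self.counter)

class Opener:
    def __init__(self):
        self.learned = {}  # remote id -> [secret, last accepted counter]
    def learn(self, rid: str, remote: Remote) -> None:
        self.learned[rid] = [remote.secret, remote.counter]
    def erase_all(self) -> None:
        self.learned.clear()
    def receive(self, code: str) -> bool:
        for entry in self.learned.values():
            secret, last = entry
            # Only counters strictly ahead of the last accepted one are tried,
            # so a code that was already used can never match again.
            for c in range(last + 1, last + 1 + WINDOW):
                if hmac.compare_digest(code, code_for(secret, c)):
                    entry[1] = c  # resynchronise to the remote's position
                    return True
        return False

def demo() -> dict:
    fob, opener = Remote(b"constructed-demo-secret"), Opener()
    opener.learn("fob1", fob)
    out = {}
    first = fob.press()
    out["fresh"] = opener.receive(first)            # next code in sequence
    out["replay"] = opener.receive(first)           # same code sent again
    for _ in range(50):
        fob.press()                                 # presses the opener never hears
    out["within_window"] = opener.receive(fob.press())
    for _ in range(WINDOW):
        fob.press()                                 # 100 unheard presses
    out["beyond_window"] = opener.receive(fob.press())
    opener.erase_all()                              # the fix the original poster applied
    out["after_erase"] = opener.receive(fob.press())
    opener.learn("fob1", fob)                       # reprogram the remote
    out["relearned"] = opener.receive(fob.press())
    return out
```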

Here's how they can be exploited using a cheap $20 RTL-SDR dongle and open-source software.

http://hackaday.com/2014/03/17/hacking-rolling-code-keyfobs/

There’s two parts of this attack. The first involves jamming the frequency the keyfob transmits on while recording using an RTL-SDR dongle. The jamming signal prevents the receiver from acknowledging the request, but it can be filtered out using GNU Radio to recover the key.

Since the receiver hasn’t seen this key yet, it will still be valid. By replaying the key, the receiver can be tricked. To pull off the replay, GNU Radio was used to demodulate the amplitude shift keying (ASK) signal used by the transmitter. This was played out of a computer sound card into an ASK transmitter module, which sent out a valid key.

Link to comment

Here's how they can be exploited using a cheap $20 RTL-SDR dongle and open-source software.

http://hackaday.com/2014/03/17/hacking-rolling-code-keyfobs/

It doesn't hack the security though. It only jams the original source and uses a parroted signal without decrypting anything.

This is reported to possibly work on vehicle security although some dispute that it actually works due to signal strength logic.

GDO units use lots of bits but only a small number of bits actually change before scrambling with known cyphers used by generic GDO fobs. Rolling codes only stop the repeat use of a code by a hacker and add nothing to code security hacking. My uneducated guess is that GDO codes really only have low security but use public ignorance to sound really secure.

"generate one of my next 100 possible codes and I'll be yours forever."

Link to comment

Archived

This topic is now archived and is closed to further replies.

