An electronic Mattel toy was transformed into a tool by Samy Kamkar to unlock all kinds of fixed-code garage doors within seconds.
This gadget although is not manufactured anymore can be found on eBay for prices ranging from $12 to $100.
Bypassing the security of fixed-code systems is quite difficult and apparently impossible because of the extremely limited key space. A normal attack would probably 30 minutes.
However, Samy Kamkar has defied the conventions and state that he has knowledge of around 4,096 combinations for getting the code of common garage openers containing 12 binary dip switches.
Kamkar, a hacker known for demonstrating how to hack consumer drones for personal use, calculated that it would only take 2 milliseconds and a waiting time of another 2 milliseconds before checking the next combinations. Moreover, a single combination is usually sent 5 times at every click. He further stated that to brute-force all the 8,9,10,11 and 12 bit key space it only takes 29 minutes if the hacker knows about all the details like frequency and baud rate.
He developed a method that minimizes the time required to less than ten seconds and named it OpenSesame. He used the Radica Girltech IM-ME communication toy. He used it because this toy already contains all the required components for sending out the codes such as the CC1110 RF chip for.
Kamkar removed the code retransmission and the waiting durations and also managed to minimize the time to around 3 minutes. Through implementing the De Bruijn sequence, Kamkar completed the Brute-force attack in just 8.2 seconds.
The IM-ME toy was reprogrammed by him with Travis Goodspeed’s GoodFET adapter and this is how he created the OpenSesame code that handles the codes sending.
The source code has been made available to the public but Kamkar says he bricked it purposefully for preventing abuse. He wrote: “It almost works, but just not quite, and is released to educate. If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn’t need my help in the first place, would you.”
Here is a live demo brought to you by Kamkar himself:
The above video is only for fun and educational purposes, don’t use it for criminal activities.
For those interested in how to make their electronic garage doors invulnerable to hacking, here’s a video for you:
Samy
