It is easy for criminals to attack fixed-code garage and gate remote systems, according to security researchers.
Using a technique known as a replay attack, someone could listen for the code your remote sends to your gate or garage door motor.
Because this code never changes in a fixed-key system, an attacker can record it and replay it later to open your gate.
Information security enthusiast Andrew MacPherson has written about the technical implementation of fixed-key replay attacks.
MacPherson said there are also other ways to attack fixed-code systems, citing research from Samy Kamkar regarding a device he calls OpenSesame.
Guessing the key of a fixed-code system
Kamkar said fixed-code remote systems suffer from a limited number of unique codes.
Even remotes considered to support a high number of possible combinations only have 12 DIP switches, which translates to 4,096 unique keys.
An attacker who searches all the combinations in the 8-bit, 9-bit, 10-bit, 11-bit, and 12-bit keyspaces would take just under 30 minutes.
Trying different frequencies and baud rates means the keyspaces have to be searched a few times over.
This means an attacker can guess your key, even without listening to your gate remote.
Hack a gate remote with bit-shifting
Kamkar then discovered a vulnerability in several fixed-code systems that let him cut the time it takes to guess a key by 99.5%.
He found that automated opening systems don’t discard incorrect attempted codes, but use a bit-shift operation to test whether a key matches.
It is therefore possible to send 13 bits of data to test two 12-bit codes, instead of having to send 24 bits.
With this technique, a 12-bit code also tests five 8-bit codes, four 9-bit codes, three 10-bit codes, and two 11-bit codes while testing the 12-bit code.
Kamkar also found an algorithm to get the shortest possible sequence of bits to exploit the shift register.
Dutch mathematician Nicolaas Govert de Bruijn developed the concept, called the De Bruijn sequence.
Using the sequence, Kamkar was able to build a device from a Mattel toy that tests every key for a 12-bit remote in 8.214 seconds.
Not all remote vendors are affected by this vulnerability, and many have fixed this issue in newer products.
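To make the shift-register weakness and its fix concrete, here is an added Python simulation (not Kamkar's or MacPherson's code): it models a receiver that compares a never-cleared shift register after every bit against one that only compares complete 12-bit frames, and works out the bit counts behind the article's figures. The 12-bit key value and the 2 ms per-bit timing are assumptions, not taken from the article.

```python
KEY_BITS = 12  # assumption: 12 DIP-switch remote, as in the article

class ShiftRegisterReceiver:
    """Vulnerable model: each incoming bit is shifted into a register that is
    never cleared, and the register is compared to the key after every bit."""
    def __init__(self, key):
        self.key, self.reg, self.opened = key, 0, 0
    def feed(self, bits):
        mask = (1 << KEY_BITS) - 1
        for b in bits:
            self.reg = ((self.reg << 1) | b) & mask  # sliding 12-bit window
            if self.reg == self.key:
                self.opened += 1
        return self.opened

class FramedReceiver:
    """Hardened model: a code is compared only when it arrives as a complete,
    delimited frame, and nothing is carried over between frames."""
    def __init__(self, key):
        self.key, self.opened = key, 0
    def feed_frame(self, frame):
        if len(frame) == KEY_BITS and int("".join(map(str, frame)), 2) == self.key:
            self.opened += 1  # short or overlong frames never match
        return self.opened

def codes_tested(stream_len, n):
    """Distinct n-bit codes one stream presents to a shift-register receiver."""
    return max(0, stream_len - n + 1)

def brute_force_bits(n):
    """Bits sent to try every n-bit code one complete frame at a time."""
    return n * 2 ** n

def de_bruijn_bits(n):
    """Shortest stream whose sliding windows cover all 2^n codes: 2^n + n - 1."""
    return 2 ** n + n - 1

def seconds_to_cover(n, ms_per_bit=2.0):  # assumption: 2 ms per bit on air
    return de_bruijn_bits(n) * ms_per_bit / 1000

def demo():
    key = 0b101100111010  # constructed key, not from the article
    # 13-bit stream: a wrong 12-bit code plus one bit, so its last 12 bits equal the key
    wrong = [0] + [int(c) for c in f"{key:012b}"][:-1]
    stream = wrong + [key & 1]
    vuln = ShiftRegisterReceiver(key).feed(stream)  # opens on the 13th bit
    hardened = FramedReceiver(key)
    hardened.feed_frame(stream)                      # 13-bit frame rejected
    safe = hardened.feed_frame(wrong)                # wrong 12-bit code rejected
    return vuln, safe
```

With 2 ms per bit, `seconds_to_cover(12)` reproduces the article's 8.214 seconds, while a framed receiver would need `brute_force_bits(12)` bits to see every code.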
Defending against remote hacking
Kamkar advised consumers to upgrade to a remote system that uses rolling or hopping codes to prevent being attacked.
These systems are not impervious, but are more difficult to hack.
MacPherson has researched attacks into rolling-code remotes, which are often used in car remotes, and said they are more resistant to replay attacks.
MacPherson and Mike Davis presented a talk on the topic at ZaCon 2015.
People should be as concerned about the security of their gate remotes as they are about anything else, said MacPherson.
“I’d definitely move away from fixed key since it’s the equivalent of having a password you can’t change and having to shout it at the top of your lungs to your garage to get it to work.”