Hack a garage and the car inside with a child's toy and a few chips

Last month, pro hacker Samy Kamkar caused a kerfuffle at General Motors when he successfully hacked the car giant's RemoteLink mobile app to unlock and start vehicles, and now he's explained how it's done – and how to get into the garage that houses a target car. Speaking at a packed DEF CON talk on Friday, Kamkar explained …

  1. This post has been deleted by its author

    1. Anonymous Coward
      Thumb Up

      I don't know about laughing....but this is definitely hacking.

    2. Anonymous Coward

      Made me laugh too, I had visions of James Gandolfini in "In The Loop" where he's using the kids calculator to add up military invasion numbers.

      General George Miller

  2. Christian Berger

    Well...

    those garage door openers have been around for decades now, and they always had very short keys. I think I've seen people just attaching a binary counter to one of the remotes and making it try out all the keys in that way.

    So it's not exactly new. In fact with a simple SDR you can just record that signal, clean it up and re-broadcast it.

    1. This post has been deleted by its author

      1. handle

        Re: Well...

        Don't all garage door openers use rolling codes now? So it's only old ones that would be susceptible to the attack described.

        1. Paul Crawford Silver badge

          Re: Well...

          "Don't all garage door openers use rolling codes now?"

          I have no idea, nor any obvious way of finding out.

          And therein lies the problem - so many crap implementations of systems with known flaws (to experts) and nobody doing any public ratings of them.

          While a garage door is less of a concern than, say, a self-driving car, it is high time that anything with high value or safety was forced to be independently audited for safety and security before sold (or at least insured). Yes, I know that sort of legal talk is not favoured round these parts, but we have seen time and time again really dumb mistakes being made (often to save some money in terms of who is hired to do it) and companies then using legal threats to silence those who question them.

          1. Doctor Syntax Silver badge

            Re: Well...

            "Yes, I know that sort of legal talk is not favoured round these parts"

            I don't know what gives you that idea. Plenty of us have said the same sort of thing just about every time a cock-up of this nature is brought to light, and goodness knows there's been no shortage of those recently.

          2. Cheshire Cat

            Re: Well...

            "Don't all garage door openers use rolling codes now?"

            Some do, some don't. I know ours does, because I can't use a cheap record-and-replay replacement key but need to buy a special one and program the system to accept it (rather than the other way around). However, cheaper ones (such as the ones used to secure stargates) do use fixed codes.

        2. Anonymous Coward

          Re: Well...

          Don't all garage door openers use rolling codes now? So it's only old ones that would be susceptible to the attack described.

          In our case you'd also have to do this during the day - when the car isn't actually in the garage. Cutting the power to the door is part of the house lockdown routine for the night, so you're welcome to try any electronic hack.

          Sometimes it doesn't have to be high tech :)

    2. Anonymous Coward

      Re: Well...

      The point of this attack is that it circumvents a rolling code. It has no knowledge of what the rolling code algorithm is, it simply tricks the user into leaking a future code that can then be used by the attacker.

      Fixing this sort of flaw is not straightforward. All the things that we're familiar with for securing comms links are hard to put in a package the size and longevity of a key fob.

      1. Anonymous Coward

        Re: Well...

        The point of this attack is that it circumvents a rolling code. It has no knowledge of what the rolling code algorithm is, it simply tricks the user into leaking a future code that can then be used by the attacker.

        Not from what I read in the article...

        "The first stage was to get the garage door open. Using a radio analyzer, Kamkar discovered that wireless garage doors typically require a 12-bit access code to open, meaning he'd only need to check a maximum of 4,096 combinations to find the right one, which would take about 30 minutes to transmit..."

        He's trying all possible combinations on what appears to be a shitty garage door opener. One I had fitted several years ago frequency hops, has over 4 billion code combinations, and has to be programmed to accept the key. I think the days of just being able to open garage doors like this are headed into the rear view mirror.

    3. joed

      Re: Well...

      The hack has a problem though. It's one thing to open a garage door in the middle of nowhere - and the quicker the better. It's an entirely different thing to open them simultaneously on all buildings along the street (within transmitter range). Neighborhood watch or not, someone will look out the window.

      1. Destroy All Monsters Silver badge

        Re: Well...

        Neighborhood watch or not someone will look out the window.

        UFOS!

      2. Stuart Castle Silver badge

        Re: Well...

        "The hack has a problem though. It's one thing to open garage door in the middle of nowhere - and the quicker the better."

        If yours was the car that was stolen as a result of weak security, it would not matter to you whether it was the only one, or one of a thousand.

  3. This post has been deleted by its author

    1. Pliny the Whiner

      I took it for granted that the Mattel IM-ME was a rinky-dink little piece of shit that would fit into a girl's hand. Scotch that notion. This thing costs USD $400 (£258), more than enough to buy a nice crowbar and a serviceable notebook -- both of which will help you go far in your criminal ambitions. If you're into that sort of thing.

  4. msknight

    "Hello. Toys-R-Us? ... Yeh, need an IM-ME, but can you do one in black; 'cause pink just isn't, "me," if you know what I mean...."

    1. DropBear

      Ehhh, what's wrong with a can of spray paint...?

  5. Roq D. Kasba

    Driving the car

    The numbers generated by a fob should effectively be a hash of the previous number, with the receiver accepting up to n (often 512) codes *ahead*. That would make a capture and replay of an earlier code useless: as the receiver would be looking ahead from the attempt that did start the car, all previous codes are garbage. This is the weak point in the plan, but hardly weak enough to spoil his otherwise fascinating research; just for completeness, and it may give him a lead...

    BTW, frustrate friends at parties, press the button on their car key fob 513 times, the receiver and it go out of sync, and you brick their key until someone with a spare key uses it a few times to get them all back in sync.

    1. Anonymous Coward

      Re: Driving the car

      I bet you're a hoot at swingers parties..

    2. Paul Crawford Silver badge

      Re: Driving the car

      The problems with the simple version of the "high tide mark" sort of approach are:

      1) Key fobs usually reset when the battery is changed.

      2) You might have several key fobs for his & hers, etc, that are at different points in their sequences.

      A much better approach would be a two-way negotiation where the car can query the fob for information about a shared secret but then the cost & complexity of the fob, etc, goes up a lot.

      1. joed

        Re: Driving the car

        (2) would also be my concern (but I just keep using one key anyway).

        Cars usually have provisions for getting in when the fob is out of sync/juice (better RTFM before this happens;).

        In addition, having a physical lock is hopefully more than just security theater sacrificed on behalf of premium trims with keyless entry (fine with this) and start (meh).

      2. StephenH

        Re: Driving the car

        "but then the cost & complexity of the fob, etc, goes up a lot."

        VW charge about $300 for a key replacement. I'm sure there is plenty of room to add complexity without the manufacturers starting to lose money.

    3. Adam 1

      Re: Driving the car

      Wouldn't a far simpler solution be if the door detected say 1000 open attempts that it switches off the receiver for 5 minutes? Make brute forcing impractical.

      1. DavCrav

        Re: Driving the car

        "Wouldn't a far simpler solution be if the door detected say 1000 open attempts that it switches off the receiver for 5 minutes? Make brute forcing impractical."

        What about in a car park with lots of cars being opened? Don't they all use roughly the same frequency?

        1. Adam 1

          Re: Driving the car

          Sure. We move well past my knowledge of how they are implemented presently, but it really wouldn't be too hard to do. If each keyfob has an identifier that gets broadcast with the code, and the car ignores unpaired fob identifiers, then the brute force would have to emulate a particular fob. Then you can count brute force attempts by a fob id having too many wrong guesses and lock them out.

      2. Phil Endecott

        Re: Driving the car

        > Wouldn't a far simpler solution be if the door detected say 1000 open
        > attempts that it switches off the receiver for 5 minutes? Make brute
        > forcing impractical.

        That makes you vulnerable to denial-of-service.

        There's a tradeoff between making it harder for someone to steal your car and making it easier for them to lock you out of it.

        1. Adam 1

          Re: Driving the car

          Yes, DOS is possible, but it is already possible. I remember visiting a scenic lookout tower about 10 years ago. It doubled as a communications tower. Upon returning to my car, the fob did not work. If you are going to DOS then the easiest and most effective technique is to flood the airwaves in those frequencies with white noise, not some elaborate fob emulator. The backup plan is to use your key. :)

  6. Anonymous Coward

    Hello Barbie...

    ... Let's go Stasi.

  7. Anonymous Coward

    Better to read than observe live

    The DefCon crowd at Bally's was very waspy today. Although the Portland influence was visible through abnormal facial hair and piercings. Would it kill them to hire some booth babes to help smooth out the crowd?

  8. Paul Crawford Silver badge
    FAIL

    Known technique

    From the Wikipedia page on De Bruijn sequence:

    The sequence can be used to shorten a brute-force attack on a PIN-like code lock that does not have an "enter" key and accepts the last n digits entered.

    So not only a fail for using only 12 bits for the garage code, but a fail for not enforcing a start and/or end sequence, nor a minimum time between codes, to make it harder to guess. And that is before we even consider a rolling sequence...

    1. DropBear

      Re: Known technique

      That's what got me wondering too, actually. Such a sequence is fine for _keypad_ devices that transmit keypress after keypress as distinct messages, but what is it doing in a _keyfob_ device that is supposed to transmit its code within one single message, inevitably flanked by a bunch of other bits that identify the code part as such?!? This smells fishy... Did that garage door opener setup also have an external wireless PIN-based keypad too perchance...?

    2. Destroy All Monsters Silver badge
      Trollface

      Re: Known technique

      But it's very easy to implement with a 12-bit shift register, simple AND/NOT logic and a wire...

  9. Anonymous Coward

    My garage door fob is crap

    I'll upgrade to an IM-ME

  10. Mr_Pitiful

    But, But, But

    I need a real key to open my garage door, is that less secure?

    1. Anonymous Coward

      Re: But, But, But

      Our 1970s house has a very common up and over metal door which uses a key to lock the release handle. One night next door had an expensive bicycle stolen from their garage. The investigating policewoman gave the locked door a bash with her hand in a very specific place - and the latch was released.

  11. Anonymous John

    Sorry?

    People keep cars in garages?

    1. Richard Taylor 2

      Re: Sorry?

      Living in Michigan we used to during the winter. It was so bloody cold that the ability to open the garage remotely and go in (so that the car did not freeze overnight) was a great benefit.

      1. Anonymous Coward

        Re: Sorry?

        "It was so bloody cold that the ability to open the garage remotely and go in [...]"

        In the 1970s colleagues in Sweden had a gadget in their car that warmed the oil in the cylinder block and filled the car with warm air while they had breakfast.

  12. Kev99 Silver badge

    Just one more bit of proof that relying on the internet and / or wireless apps is something for chumps, dupes, and fools.

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Are you sure you are posting in the correct thread?

  13. Anonymous Coward

    Too cheap to put in some crypto

    Sign the request on the fob and pass along a cert; or challenge-response to thwart replay. (Yes, you can extract the private key out of a lot of "secure" chips but that is not as easy as this.)

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Too cheap to put in some crypto

      You must be one of the "vision" guys.

      1. Destroy All Monsters Silver badge

        Re: Too cheap to put in some crypto

        To reiterate the above comment:

        1) Put SoC with appropriate code and radio interface into door controller, all nicely hardened (but updateable via USB stick should a problem appear in any case)

        2) This will cost $$$ but it's going to be "The Right Thing"

        3) ???

        4) PROHIBITIVE COST, MARKETING APOPLECTIC, BOSS BLOWS A GASKET, FIRED!

  14. Crazy Operations Guy

    Rolling codes

    Given the bit-length that the key fobs are using, it shouldn't take too long to grab enough codes to start predicting the next in the series. The key-fob would be using a very low-power micro-controller, so the algorithm would need to be pretty brain-dead simple. The problem is that both sides have to arrive at the same code (or at least the vehicle would have to calculate the expected code + 50 or more to account for presses of the fob when it was out of range). So given that, the algorithm would fall pretty quickly to a GPU-powered AWS instance.

    Of course I wouldn't put it past auto-makers to just burn a 1K long string into the micro-controller and then just puke out 12 bits from there and just grab 2 bytes at a time and throw 4 of them away (first time take the first 12 bits, second round ignore the first bit, take the next twelve, etc). It'd theoretically give you 4096 codes before re-use (and make full use of the 12-bit space).

  15. Joey M0usepad Silver badge

    "DEF CON attendees could almost certainly fix the errors, but petty criminals would have a much tougher time of it, he said."

    So that's this security expert's security measure?

  16. Alan Edwards

    Wouldn't work in the real world

    ... unless there's no replay attack protection. Or the jammer whatsit is in the car somewhere, but if you've already got physical access why do you need it.

    1) Car owner presses button, nothing happens, but code 1 has been recorded

    2) Car owner presses button again, code 2 is recorded, code 1 is replayed, car unlocks

    3) Car owner gets in, drives to shops, locks car with code 3

    4) Car owner gets home, locks car with code 4

    5) Thief attempts to unlock car with pre-recorded code 2, which is now invalid because code 3 and 4 have been used, nothing happens.
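A small simulation of the rolling-code receiver that Roq D. Kasba describes (each code a hash of the previous one, receiver accepting up to 512 codes ahead), run through the five steps above and the "513 presses" desync. This is an added example, not code from the article or from any real fob: the hash function, 32-bit truncation, window size and shared seed are all assumptions.

```python
import hashlib
# Assumptions (not a real fob or car): each code is SHA-256 of the previous one
# truncated to 32 bits; the receiver accepts up to WINDOW codes ahead, as described.
WINDOW = 512
SEED = b"constructed-shared-seed"  # constructed sample value shared by fob and car

def next_code(prev: bytes) -> bytes:
    return hashlib.sha256(prev).digest()[:4]

class Fob:
    def __init__(self, seed: bytes):
        self.code = seed

    def press(self) -> bytes:  # advance the chain and "transmit" the new code
        self.code = next_code(self.code)
        return self.code

class Receiver:
    def __init__(self, seed: bytes):
        self.code = seed  # last accepted code; starts in sync with the fob

    def receive(self, code: bytes) -> bool:
        # Accept only codes within WINDOW steps ahead of the last accepted
        # one; anything at or behind the current position is stale.
        candidate = self.code
        for _ in range(WINDOW):
            candidate = next_code(candidate)
            if candidate == code:
                self.code = candidate  # move the high-water mark forward
                return True
        return False

def replay_after_use() -> bool:
    # Alan Edwards' sequence: codes 1 and 2 captured (car hears neither), code 1
    # replayed to unlock, owner then uses codes 3 and 4. Is code 2 still good?
    fob, car = Fob(SEED), Receiver(SEED)
    code1, code2 = fob.press(), fob.press()
    assert car.receive(code1)   # replayed code 1 opens the car
    car.receive(fob.press())    # code 3 used at the shops
    car.receive(fob.press())    # code 4 used at home
    return car.receive(code2)   # stale: the receiver has moved past it

def presses_out_of_range(presses: int) -> bool:
    # Press the fob out of range `presses` times, then once in range: within
    # the window the receiver resyncs; one press beyond it locks the fob out.
    fob, car = Fob(SEED), Receiver(SEED)
    code = SEED
    for _ in range(presses):
        code = fob.press()
    return car.receive(code)
```

The held code 2 is rejected once codes 3 and 4 have been accepted, which is why the threat in the linked article relies on the attacker's device staying on the car so it always holds the latest unused code.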

    1. Anonymous Coward

      Re: Wouldn't work in the real world

      I refer you to this other article.

      https://threatpost.com/gone-in-less-than-a-second/114154

      "I can come back later and conveniently unlock your car. Because I leave the device under your car, it always has the latest code."
