{"id":172736,"date":"2016-07-24T18:28:34","date_gmt":"2016-07-24T16:28:34","guid":{"rendered":"http:\/\/mybroadband.co.za\/news\/?p=172736"},"modified":"2016-07-24T18:29:58","modified_gmt":"2016-07-24T16:29:58","slug":"how-easy-it-is-to-hack-your-homes-gate-remote","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/172736-how-easy-it-is-to-hack-your-homes-gate-remote.html","title":{"rendered":"How easy it is to hack your home’s gate remote"},"content":{"rendered":"

It is easy for criminals to attack fixed-code garage and gate remote systems, according to security researchers.<\/p>\n

Using a technique known as a replay attack, someone could listen to the remote’s code you send to your gate or garage door motor.<\/p>\n

As\u00a0this code doesn\u2019t change in fixed-key systems, an attacker can record it and replay it to open your gate.<\/p>\n

Information security enthusiast Andrew MacPherson has written about the technical implementation of fixed-key replay attacks<\/a><\/strong>.<\/p>\n

MacPherson said there are also other ways to attack fixed-code systems, citing\u00a0research from Samy Kamkar regarding\u00a0a device he calls OpenSesame<\/a><\/strong>.<\/p>\n

Guessing the key of a fixed-code system<\/h3>\n

Kamkar said fixed-code remote systems suffer from a limited number of unique codes.<\/p>\n

Even remotes considered to support a high number of possible combinations only have 12 DIP switches, which translates to 4,096\u00a0unique keys.<\/p>\n

An attack who\u00a0searches all the combinations in the 8-bit, 9-bit, 10-bit, 11-bit, and 12-bit keyspaces would take just under 30 minutes.<\/p>\n

Trying different frequencies and baud rates results in you having to search through the keyspaces a few times.<\/p>\n

This means an attacker can\u00a0guess your key, even without listening to your gate remote.<\/p>\n

Hack a gate remote with bit-shifting<\/h3>\n

Kamkar then discovered a vulnerability in several fixed-code systems that let him cut the time it takes to guess a key by 99.5%<\/p>\n

He found that automated opening systems don\u2019t discard attempted codes that were incorrect, but use a bit-shift operation to test if a key matches.<\/p>\n

It is therefore possible to send 13 bits of data to test two 12-bit codes, instead of having to send 24 bits.<\/p>\n

With this technique, a 12-bit code also tests five 8-bit codes, four 9-bit codes, three 10-bit codes, and two 11-bit codes while testing the 12-bit code.<\/p>\n

Kamkar also found\u00a0an algorithm to get the shortest possible sequence of bits to exploit the shift register.<\/p>\n

Dutch mathematician Nicolaas Govert de Bruijn developed the\u00a0concept, called the De Bruijn sequence.<\/p>\n

Using the sequence, Kamkar was able to build a device from a Mattel toy that tests every key for a 12-bit remote in 8.214 seconds.<\/p>\n

Not all remote vendors are affected by this vulnerability, and many have fixed this issue in newer products.<\/p>\n

\"How<\/a><\/p>\n