This Toy Can Open Any Garage
This video was sponsored by LastPass. Okay, we have three garage doors here. The question is: Can you open them, sir? Try. He's got two. The point of this video is to show how easy it is to reprogram a toy to open almost any radio frequency garage door or gate in seconds. But first, let's talk about LastPass.
You know the average person these days has about 200 different accounts that require passwords. And of course, 200 different passwords is far too much for anyone to remember. So most of us use the same password across multiple sites, and that is just a terrible idea. So you really need a password manager, and LastPass can do that for you.
You can store all of your passwords in one place, which means you never have to remember them again. You don't have to have that anxiety about getting locked out of accounts. You don't have to write them down, and you don't have to reset them. LastPass takes care of all of that hassle. It has a great number of features, including an unlimited number of passwords that you can store. They also sync for free across all of your devices.
If there is a password breach, you get an alert. Plus, LastPass has multi-factor authentication, and as anyone who knows the internet knows, that is the best way to keep your account secure. You should use it on LastPass and all the other places where you possibly can. Recently, LastPass teamed up with YubiKey and Microsoft to support their multi-factor authentication. So to find out more about LastPass, check out the link in the description. Thanks again to LastPass for sponsoring this video.
And now, let's try to break into my garage. All right, what do we got? No wonder you have so many if you treat them like this. Okay, well, do you want to see the signals that these produce? Sure, let's do that. This is my friend Samy. Now, when you're dealing with garage door remotes, they're typically in what's known as an ISM band: Industrial, Scientific, Medical.
Basically, you don't really need to get licensed to use those bands; anyone can use them within some power rating in the US, and typically it's gonna be like 300 or 433 megahertz. All right, so when I hit this button, look to the right. This is insane! So what I can tell just by looking at this is how it's actually modulating the signal and how it's sending it.
This is called amplitude shift keying (ASK), and what's happening is every time I'm holding on the button, multiple bits are getting sent on a single frequency, and it has to do with the time that it's on or off, which means a 1 or a 0. Let me ask the obvious question, which is: How secure is my garage? It's not.
Why don't we record the data? 1, 2, 3, 4, 5, 6, 7, 8. So it looks like your garage uses an 8-bit code. Here we have the DIP switches, so we basically see low, low, low, high, high, high, low, low: long, long, long, short, short, short, long, long. It's not like there's any special message format or anything. This is really the most basic transmitter that you can make.
Well, 2 to the 8 is 2 cubed. Ooh! 16, 256 possibilities for your code. Now, let's see. Let's just see how long this period of data is. So this is about 32 milliseconds. 32 milliseconds to send a single code. So, if we did 32 milliseconds times the 256 possibilities, it would take 8,000 milliseconds, 8 seconds to open your garage, sending every possible variation of the code.
Now, Samy might be overstating how easy it would be to open the garage because, presumably, you can't send all the codes back to back; otherwise, how does the garage receiver know what constitutes one code? So you probably have to leave a gap between codes. Let's say we left a gap between codes that was roughly equal in length to the code itself.
Well, that doubles the time out to 16 seconds. Okay, still not great, but I guess that reveals the shortcomings of 8-bit codes. But a lot of garages these days are actually 12-bit. So if you used a 12-bit code, that would give you 4096 different codes that you would have to try. And again, adding in gaps between each code, that would take around four and a half minutes.
But then, Samy found something interesting. So you tried adding data at the beginning and it still worked? So essentially, it's like saying if your password is ABCD and I just sent XABCD, it still opened. I'm gonna try it again. Yeah? Okay, I'm gonna try putting even more information up front.
You're putting a whole bunch of junk. Okay, whole bunch of junk. Yeah, but I still have the right password. It's in there but it's prepended with a bunch of junk, right?
So what do you think? It opens the door to other issues. So it seems like the receiver is using a shift register, which means it takes in each string of bits and instead of considering one 8-bit string and then throwing it out if it's wrong, it just throws out the first bit and then considers the next eight bits. And this has pretty profound security implications.
I mean, not only does that mean we can throw out all the gaps between our codes that cover all the combinations, it actually means we can merge some of those combinations together because, essentially, we can overlap the codes to make sure we have every combination in there. A sequence like this is called a de Bruijn sequence, and that reduces the number of bits you have to send dramatically.
For example, if we were to send all eight-bit combinations, that's 256 different codes; that would be 2048 bits altogether. But the de Bruijn sequence that covers all the different combinations can be as short as 263 bits. That's a reduction of almost 90%, which means instead of taking 8 seconds to open the garage, it would take less than 1.
Now, what about in a 12-bit case? Well, there are 4096 possible codes, which yields 49,152 bits you have to send if you wanted to try each code individually. But the de Bruijn sequence for 12 bits is only 4,096 bits long, so that's just 8% of the total that you would have to send if you wanted to send each code individually.
And so that reduces the time down from about four and a half minutes to ten seconds. So now we are really looking at a way that you could possibly brute force your way into any fixed code garage or gate using a device like the IM-ME. It's a toy from Mattel; I don't think they make it anymore.
But some hackers out there found that it actually has a pretty cool chip inside called the CC1110. It's a microcontroller with a transceiver, and the transceiver is really cool because it actually transmits and receives on a really wide range of frequencies, down to around 200 megahertz up to like 950 megahertz.
So you can talk to a lot of things including garages, cars, power meters, alarm systems, all sorts of things are in those bands. And there's actually some contacts underneath a battery in the back, which allows you to flash the board, erase it, and install your own software on this device. So you can program in the de Bruijn sequence and then use this device to play those bits at the frequency you want to play and basically open any garage door or gate you like.
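The shift-register behaviour described above is the whole reason the overlapping trick works, and it is also the thing a receiver designer can fix. The following simulation is an added example, not code from the video or from Samy Kamkar: it models the same fixed-code receiver two ways (a shift register that tests every 8-bit window, and a framed receiver that only evaluates a burst of exactly 8 bits bounded by idle gaps) and counts how many distinct codes one bitstream presents to each. The stored code, the junk-prefixed stream, and the convention that a space in the stream means an idle gap are all constructed for the example; real receivers also check a preamble and bit timing, which is omitted here.

```python
# Added simulation (not the video's or Samy Kamkar's code): two models of a
# fixed-code receiver, to show why framing matters for the brute-force count.

CODE_BITS = 8
# Constructed stored code, following the DIP-switch pattern read off the remote:
# low, low, low, high, high, high, low, low.
STORED_CODE = "00011100"


def shift_register_receiver(stream: str, stored: str = STORED_CODE) -> bool:
    """Receiver that clocks every demodulated bit into a shift register and
    compares the last len(stored) bits to the stored code after each bit.
    There is no framing, so every overlapping window of the stream is a try."""
    reg = ""
    for bit in stream.replace(" ", ""):  # idle gaps (spaces) carry no bits
        reg = (reg + bit)[-len(stored):]
        if reg == stored:
            return True
    return False


def framed_receiver(stream: str, stored: str = STORED_CODE) -> bool:
    """Receiver that only evaluates a complete frame: a burst of exactly
    len(stored) bits bounded by idle gaps (spaces in this toy encoding).
    Bits that arrive glued onto a longer burst are discarded as malformed."""
    for burst in stream.split():
        if len(burst) == len(stored) and burst == stored:
            return True
    return False


def windows_tried(stream: str, n: int = CODE_BITS) -> int:
    """Distinct n-bit codes one stream presents to the shift-register design:
    every overlapping window counts, so a k-bit burst yields up to k - n + 1 tries."""
    bits = stream.replace(" ", "")
    return len({bits[i:i + n] for i in range(len(bits) - n + 1)})


def frames_tried(stream: str, n: int = CODE_BITS) -> int:
    """Distinct n-bit codes the same stream presents to the framed design:
    only well-formed bursts count, one try per burst."""
    return len({b for b in stream.split() if len(b) == n})


if __name__ == "__main__":
    clean = STORED_CODE
    prefixed = "1011" + STORED_CODE  # junk glued in front with no gap, as in the experiment
    print("clean   :", shift_register_receiver(clean), framed_receiver(clean))
    print("prefixed:", shift_register_receiver(prefixed), framed_receiver(prefixed))
    # One 15-bit burst presents 8 overlapping windows to the shift register,
    # while the framed design needs 8 separate bursts for the same 8 tries.
    print("windows :", windows_tried("0" * 7 + "1" * 8))
    print("frames  :", frames_tried("00000000 11111111"))
```

Run as a script, the prefixed stream opens the shift-register model but not the framed one, which is the mitigation side of the finding above: a receiver that insists on a complete, gap-delimited frame forces the attacker back to one try per frame, although a fixed 8-bit or 12-bit code stays guessable in minutes either way.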
So let's give it a try. The question is: Can you open them, sir? Try. Got one! He's got two! Now, you might be wondering why the third garage door didn't open, and that's because I actually have a different garage door opener, which has the next level of security.
Instead of using fixed codes, it uses what are called rolling codes. So the way rolling codes work is that both your clicker and the receiver have inside them an algorithm that uses a seed, which could just be a number, to generate a pseudo-random number, and that is the code that they both use to communicate.
So here I have an online pseudo-random number generator. I can put in a seed, which in my case I'll just keep it very simple, and I can pick whichever algorithm I want. Now, it's okay if the algorithm gets known because the thing that is secret between the transmitter and the receiver is that seed.
That's the seed they are using to generate the next pseudo-random number in the sequence. So I can calculate a random number, and this would be the code used by the clicker and the garage door to communicate. If an attacker is sitting outside, or they plant a device that's just listening to RF and stores that code once when you press the button, well they have that code, but it just got used up.
And now the receiver can say I will never respect that code again. As you can see, I can continue generating new pseudo-random numbers, and if anyone is overhearing this sequence, they won't be able to predict what the next number is. Even if they knew the algorithm, they would have to know the algorithm and the seed to make this work, and it's not easy just by looking at these generated numbers to work backwards to the seed.
So you might think this is an unhackable protocol, but Samy has a solution for that too. What I thought was, what if you could actually interfere with that signal? So what if I put a device on your garage or your car and it looked for something like a sync word? And whenever it saw that there was data coming in, it would jam frequencies close to that.
Your car or garage would not be able to hear the actual password, the rolling code that your transmitter sent, and I would now record it. Then you're like, okay, I just press this button in my garage door and open. What do I do? You're probably gonna hit it again. You hit it two times, and now you've produced two rolling codes.
Well, now that I have two, I've jammed both. I can replay the first one, and the first one allows your garage to open. You're like, oh great, it worked once I hit the button twice. But now I have a future code, a code that appears to be in the future, and I can then come back later and use that code.
These devices have no time; they have no sense of time. All they have is that sequence. So that is a kind of a big issue with the rolling codes themselves. Well, but you know what amazed me about this was how hard it actually is to hack into these garage doors. Even the simple 8-bit ones? Not opening, so we all have the red code.
I have an 8-bit gate that we tried to hack into, and we failed every time using the IM-ME. 256 possibilities? Come on, how long can it take you to crack this thing? I think we have a bug to work out. No, the gate is unmoved.
This was meant to be a video about just how easy it would be to crack a fixed code gate, but it's harder than it looks. I just did that for a minute. Everybody had it. Yeah, it's hard to get the frequency exactly right. It's hand-tuned, and the bit rate and what counts as one bit of information for that clicker, which is custom-built for that purpose and simply has those DIP switches, is not one bit of information for a multi-purpose device like the IM-ME.
There, you have to get the baud rate right; that is the timing at which you're sending these bits. You have to get the length of the bits perfectly right. So it's much more challenging, as I found out, to hack into these systems than I thought. Now, if you want to investigate this some more for yourself, you should check out Samy's original videos on these topics. They're very informative, and he has links to code that you can use, though not fully workable code, because he doesn't want to, of course, expose a lot of people to security breaches.
So the link to his video is down in the description.