This Toy Can Open Any Garage

Video Statistics and Information

Captions
This video was sponsored by LastPass.

Okay, we have three garage doors here. Question is, can you open them? Sure, try. He's got two. The point of this video is to show how easy it is to reprogram a toy to open almost any radio frequency garage door or gate in seconds. But first, let's talk about LastPass. You know, the average person these days has about 200 different accounts that require passwords, and of course 200 different passwords is far too much for anyone to remember, so most of us use the same password across multiple sites, and that is just a terrible idea. So you really need a password manager, and LastPass can do that for you. It can store all of your passwords in the one place, which means you never have to remember them again. You don't have to have that anxiety about getting locked out of accounts, you don't have to write them down, or you don't have to reset them. LastPass takes care of all of that hassle. It has a great number of features, including unlimited numbers of passwords that you can store. There's also free sync across all of your devices, and if there is a password breach, you get an alert. Plus, LastPass has multi-factor authentication, and as anyone who knows the internet knows, that is the best way to keep your account secure. You should use it on LastPass and all the other places where you possibly can. Recently LastPass teamed up with YubiKey and Microsoft to support their multi-factor authentication. So to find out more about LastPass, check out the link in the description, and thanks again to LastPass for sponsoring this video.

And now let's try to break into my garage. All right, what do we got? No wonder you have so many if you treat them like this. Okay, well, do you want to see the signals that these produce? Sure, let's do that. This is my friend Samy. Now when you're dealing with garage door remotes, they're typically in what's known as an ISM band: industrial, scientific, medical. Basically they don't need to get really licensed to use those bands, anyone can use them
within some power rating within the US, and typically it's gonna be like 300 or 400, 433 megahertz. All right, so when I hit this button, look to the right. This is insane. So what I can tell just by looking at this is how it's actually modulating the signal and how it's sending it. This is called amplitude shift keying, ASK, and what's happening is every time I'm holding on the button, multiple bits are getting sent on a single frequency, and it has to do with the time that it's on or off, which means a 1 or a 0. Let me ask the obvious question, which is like, how secure is my garage? It's not. Why don't we have to record the data: 1, 2, 3, 4, 5, 6, 7, 8. So it looks like your garage uses an 8-bit code. Here we have the dip switches, so we basically see low, low, low, high, high, high, low, low; long, long, long, short, short, short, long, long. It's not like there's any special message format or anything. This is kind of the most, really the most basic that you can make it, a transmitter. Well, 2 to the 8 is, 2 cubed, ooh, 16, 256 possibilities to open your code. Now let's see, let's just see how long this period of data is. So this is about 32 milliseconds, 32 milliseconds to send a single code. So if we did 32 milliseconds times the 256 possibilities, it would take 8 thousand milliseconds, 8 seconds, to open your garage, suggesting every possible variation of the code.

Now Samy might be overstating how easy it would be to open the garage, because presumably you can't send all the codes back to back, otherwise how does the garage receiver know what constitutes one code? So you probably have to leave a gap between codes. Let's say we left a gap between codes that was roughly equal in length to the code itself. Well, that doubles the time out to 16 seconds. Okay, still not great, but I guess that reveals the shortcomings of 8-bit codes. But a lot of garages these days are actually twelve bit, so if you used a 12-bit code, that would give you 4096 different codes that you would have to try, and again, adding in gaps between each code,
that would take around four and a half minutes. But then Samy found something interesting. So did you try to add, I had a data in the beginning and it still worked. So essentially it's like saying if your password were ABCD and I just did X ABCD, but it still opened. I'm gonna try it again. Yeah. Okay, I'm gonna try putting even more information up front. You're putting a whole bunch of junk? Okay, whole bunch of junk, yeah, but I still have the right password. It's in there, but it's prepended with a bunch of junk, right. [Music] So what do you think? It opens the door to other issues.

So it seems like the receiver is using a shift register, which means it takes in each string of bits, and instead of considering one 8-bit string and then throwing it out if it's wrong, it just throws out the first bit and then considers the next eight bits. And this has pretty profound security implications. I mean, not only does that mean we can throw out all the gaps between our codes that cover all the combinations, it actually means we can merge some of those combinations together, because essentially we can overlap the codes to make sure we have every combination in there. A sequence like this is called a De Bruijn sequence, and that reduces the number of bits you have to send dramatically. For example, if we were to send all eight-bit combinations, that's 256 different codes, that would be 2048 bits altogether, but the De Bruijn sequence that covers all the different combinations can be as short as 263 bits. That's a reduction of almost 90%, which means instead of taking 8 seconds to open the garage, it would take less than 1. Now what about in a 12-bit case? Well, there are 4096 possible codes, which yields 49,152 bits you have to send if you wanted to try each code individually, but the De Bruijn sequence for 12 bits is only 4,107 bits long, so that's just 8% of the total that you would have to send if you wanted to send each code individually, and so that reduces the time down from about four and a half
minutes to ten seconds. So now we are really looking at a way that you could possibly brute force your way into any fixed code garage or gate using a device like the IM-ME. It's a toy from Mattel. I don't think they make it anymore, but some hackers out there found that it actually has a pretty cool chip inside called the CC1110. There's a microcontroller with the transceiver, and the transceiver is really cool because it actually transmits and receives on a really wide range of frequencies, down to around 200 megahertz, up to like 950 megahertz, so you talk to a lot of things, including garages, cars, power meters, alarm systems. All sorts of things are in those bands. And there's actually some contacts underneath a battery in the back, which allows you to flash the board, erase it, and install your own software on this device. So you can program in the De Bruijn sequence and then use this device to play those bits at the frequency you want to play, and basically open any garage door or gate you like. So let's give it a try. Question is, can you open them? Sure, try. Got one. He's got two.

Now you might be wondering why the third garage door didn't open, and that's because I actually have a different garage door opener which has the next level of security. Instead of using fixed codes, it uses what are called rolling codes. So the way rolling codes work is that both your clicker and the receiver have inside them an algorithm that uses a seed, which could just be a number, to generate a pseudo-random number, and that is the code that they both use to communicate. So here I have an online pseudo-random number generator. I can put in a seed, which in my case I'll just keep very simple, and I can pick whichever algorithm I want. Now it's okay if the algorithm gets known, because the thing that is secret between the transmitter and the receiver is that seed. That's the seed they are using to generate the next pseudo-random number in the sequence. So I can calculate a random number, and this would be the code
used by the clicker and the garage door to communicate. If an attacker is sitting outside, or they plant a device that's just listening to RF and stores that code once when you press the button, well, they have that code, but it just got used up, and now the receiver can say, I will now never respect that code again. As you can see, I can continue generating new pseudo-random numbers, and if anyone is overhearing this sequence, they won't be able to predict what the next number is. Even if they knew the algorithm, they would have to know the algorithm and the seed to make this work, and it's not easy just by looking at these generated numbers to work backwards to the seed. So you might think this is an unhackable protocol, but Samy has a solution for that too.

What I thought was, what if you could actually interfere with that signal? So what if I put a device on your garage or your car, and it looked for something like a sync word, and whenever it saw that there was data coming in, it would jam at frequencies close to that. Your car or garage would not be able to hear the actual password, the rolling code that your transmitter sent, and I would now record it. Then you're like, okay, I just press this button in my garage door and open, what do I do? You're probably gonna hit it again. You hit it two times, and now you've produced two rolling codes. Well, now that I have two, I've jammed both, I can replay the first one, and the first one allows your garage to open. You're like, oh great, it worked once I hit the button twice. But now I have a future code, the code that will appear to be in the future, and I can then come back later and use that code. These devices have no time, they have no sense of time. All they have is that sequence, so that is kind of a big issue with the rolling codes themselves.

Well, but you know what amazed me about this was how hard it actually is to hack into these garage doors, even the simple 8-bit ones. Not opening. So we all have the red code. I have an 8-bit gate that we
tried to hack into, and we failed every time using the IM-ME. 256 possibilities, come on, how long can it take you to crack this thing? I think we have a book to work out. No, the gate is unmoved. This was meant to be a video about just how easy it would be to crack a fixed code gate, but it's harder than it looks. I just, I just did that for a minute. Everybody had it, yeah. It's hard to get the frequency exactly right, it's hand-sew and the bit ring, and one bit of information for that clicker, which is custom-built for that purpose and simply has those dip switches, is not one bit of information for a multi-purpose device like the IM-ME. There you have to get the baud rate right, that is, the timing at which you're sending these bits. You have to get the length of the bits perfectly right. So it's much more challenging, as I found out, to hack into these systems than I thought.

Now if you want to investigate this some more for yourself, you should check out Samy's original videos on these topics. It's very informative, and he has links to code that you can use, though not fully workable code, because he doesn't want to, of course, expose a lot of people to security breaches. So the link to his video is down in the description.
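The receiver behaviour described in the captions, as an added example that is not from the video or from Samy's code: a bit-level model (no radio involved) comparing a shift-register receiver with one that judges and discards whole frames. The function names and the alignment of frames to the start of the stream are assumptions of this example.

```python
# Added example: bit-level model of the two receiver designs in the captions.
# No radio is involved; all function names are this example's own.

def de_bruijn(n):
    """Binary De Bruijn sequence of order n as a linear list of 2**n + n - 1 bits."""
    a, seq = [0] * (n + 1), []

    def db(t, p):  # standard recursive Lyndon-word construction
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, 2):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return seq + seq[:n - 1]  # repeat the first n-1 bits so wrap-around windows appear


def codes_seen_sliding(stream, n):
    """Shift-register receiver: each new bit pushes out the oldest and the
    register is compared after every bit. Returns every code it would match."""
    reg, mask, seen = 0, (1 << n) - 1, set()
    for i, bit in enumerate(stream):
        reg = ((reg << 1) | bit) & mask
        if i >= n - 1:
            seen.add(reg)
    return seen


def codes_seen_framed(stream, n):
    """Receiver that judges one n-bit frame, then discards the whole frame."""
    seen = set()
    for i in range(0, len(stream) - n + 1, n):
        seen.add(int("".join(map(str, stream[i:i + n])), 2))
    return seen


def bits_sent_individually(n):
    """Bits needed to send every n-bit code separately, with no gaps."""
    return (2 ** n) * n


if __name__ == "__main__":
    for n in (8, 12):
        s = de_bruijn(n)
        print(n, bits_sent_individually(n), len(s),
              len(codes_seen_sliding(s, n)), len(codes_seen_framed(s, n)))
```

For the 8-bit case the sliding receiver matches all 256 codes from the 263-bit stream, while the framed receiver only ever examines 32 of them, which is why per-frame validation removes the shortcut.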
Info
Channel: Veritasium
Views: 1,529,407
Rating: 4.8160152 out of 5
Keywords: veritasium, garage, hack, toy, radio, code, break, frequency, rf, samy, fixed code, rolling code, gate, IM ME, hacker, hacking, door, open, unlock
Id: CNodxp9Jy4A
Length: 12min 47sec (767 seconds)
Published: Wed Sep 19 2018
Reddit Comments
👍︎︎ 42 👤︎︎ u/somuchbacon 📅︎︎ Sep 22 2018 🗫︎ replies

Hmm. I should check out what's in my parents garage. I think the new 1 time code... But it is kinda old.

👍︎︎ 6 👤︎︎ u/hechacker1 📅︎︎ Sep 22 2018 🗫︎ replies

this is almost 10 years old.....

👍︎︎ 20 👤︎︎ u/Tom_Neverwinter 📅︎︎ Sep 22 2018 🗫︎ replies

Is he looking at the harmonics at 2:30?

👍︎︎ 3 👤︎︎ u/Gavekort 📅︎︎ Sep 22 2018 🗫︎ replies

Anyone have details on the dongle his friend was using?

👍︎︎ 4 👤︎︎ u/100100111 📅︎︎ Sep 22 2018 🗫︎ replies

Glad to see it get more exposure! Still a big issue, even tho it's a very old exploit.

👍︎︎ 2 👤︎︎ u/TmHAL9000 📅︎︎ Sep 22 2018 🗫︎ replies

Quite the house.

👍︎︎ 2 👤︎︎ u/Canadian_Infidel 📅︎︎ Sep 23 2018 🗫︎ replies