This Kids' Toy Can Hack Garage Doors in Seconds
All it takes to hack and open some remotely-controlled garage doors is a slightly modified pink texting toy—and less than ten seconds.
That's according to Samy Kamkar, a well-known hacker, who claims to have found a way to open all remotely-controlled garage doors from certain manufacturers with a modified and outdated wireless texting toy marketed specifically at girls that can be bought on Amazon or eBay for less than $50.
The toy, a Mattel Radica Girltech IM-ME, comes with a radio frequency (RF) chip, an LCD display, backlight and keyboard—"all the equipment we need to pull off the attack," Kamkar wrote in a detailed post about his new research.
"We could have built our own device," Kamkar wrote, "but the beauty of this is that it's all already packaged up for you, inexpensive, and is my favorite color."
"A two-character password on a website is more secure than most garages."
With some modifications, the toy can be programmed to transmit all possible combinations to unlock popular garage doors made by manufacturers like Nortek and North Side, which have fixed pin codes, according to Kamkar. These garage doors are trivial to crack because some of their door opener devices only accept 12 bits combinations, which means there are only 4096 possible combinations.
"A two-character password on a website is more secure than most garages," Kamkar said in a video explaining the hack.
To rig the toy, Kamkar used a device made by another security researcher, which allowed him to reprogram the Radica Girltech IM-ME.
The result is a rigged toy that takes less than ten seconds to unlock a garage door, as you can see in the video.
Kamkar called this attack OpenSesame and he even released the code that he wrote for it on GitHub. The code, however, is slightly modified so that it can't be reproduced and abused by criminals.
"It almost works, but just not quite, and is released to educate," Kamkar wrote. "If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn't need my help in the first place, would you."
The good news is that newer garage door receivers use rolling codes and are not vulnerable to the OpenSesame attack, according to Kamkar, who also released another video explaining how to figure out if your garage door is vulnerable and what to do to protect against attacks like this.
The bad news is that for many garage doors, all it takes is a seemingly innocent pink toy.