The first line of defense for most homes is a version of the classic lock-and-key system, used to secure every possible way in. These mechanisms are usually reliable, which leads residents to assume that this will always be the case. In this blog post, we take a closer look at one of these mechanisms, the common garage door remote control, test two threat scenarios, and show their security implications.
While this topic has been discussed in the past, we saw a good opportunity to revisit it when we came across a broken garage door remote. We tinkered with the mechanism to look for potential security holes. Using Software-Defined Radio (SDR) and Radio Frequency (RF) technology, we were able to test two attack scenarios.
Figure 1. The chain of attack summarizing this analysis
The first scenario is interesting because the key to the attack is a discreet remote control function, the DOR (direct-on-receiver) function. Using jamming and replayed signals, we were able to register a second remote control with the receiver and keep permanent access. The second scenario examines rolling code attacks. Finally, we discuss the implications of a device that makes such attacks stealthier to carry out by keeping the required setup small.
Our technical brief, “A security analysis of garage door remotes and the danger of DOR attacks,” provides the detailed and complete description of our tests, including pictures of the tools we used and the results of each step of the two threat scenarios.
Decode the signal
The targets studied for this blog entry are the Cardin S449-QZ2 remotes and the receivers that support them. We chose this remote because it is one of several remotes that carry the DOR procedure, which we describe later. We used DTS to capture and analyze the signals sent by each remote button press. After narrowing down the frequency range, we were able to use a custom SDR frequency analyzer and observe two peaks representing the signal we wanted to capture.
This signal was recorded as a complex (I/Q) sample file. We then decimated and demodulated it to reveal the data we needed to extract and decode, using tools such as Inspectrum and Universal Radio Hacker (URH) for the decoding.
We repeated this several times for every button, including the hidden button used for the DOR procedure. After recording several different presses, we were able to identify fields such as a command field, a fixed field, and an encrypted field, which indicates a rolling/hopping code mechanism. The rolling code had to be analyzed for the second scenario.
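The field identification described above (fixed, command, and rolling/encrypted fields) can be automated once several presses have been demodulated into bit strings. The following is an added example, not code from the original post or from Trend Micro: it takes recorded frames grouped by the button that produced them and labels each bit position as fixed (identical in every capture), command (constant per button, different between buttons), or rolling (changes between presses of the same button). The 32-bit frames and their layout are constructed for illustration and do not reflect the real Cardin frame format.

```python
# Added example (not from the original post): classify bit positions in
# recorded remote frames. The frames below are CONSTRUCTED 32-bit toys with an
# invented layout; real Cardin/KeeLoq frames are laid out differently.
from itertools import groupby

# Constructed captures, grouped by which button was pressed. Layout (invented):
# 8-bit sync word | 4-bit button code | 12-bit serial | 8-bit hopping field
SAMPLE_CAPTURES = {
    "button_A": [
        "11110000" "0101" "101100111000" "00010110",
        "11110000" "0101" "101100111000" "11000101",
        "11110000" "0101" "101100111000" "01111010",
    ],
    "button_B": [
        "11110000" "1010" "101100111000" "10001100",
        "11110000" "1010" "101100111000" "00110011",
    ],
}


def classify_bits(captures: dict[str, list[str]]) -> list[str]:
    """Label every bit position as 'rolling', 'command' or 'fixed'.

    rolling: differs between presses of the same button (hopping/encrypted part)
    command: constant for one button but differs between buttons
    fixed:   identical in every capture (sync word, serial, discriminator, ...)
    """
    frames = [f for group in captures.values() for f in group]
    width = len(frames[0])
    if any(len(f) != width for f in frames):
        raise ValueError("all frames must have the same bit width")
    kinds = []
    for i in range(width):
        per_button = [{f[i] for f in group} for group in captures.values()]
        if any(len(seen) > 1 for seen in per_button):
            kinds.append("rolling")
        elif len(set().union(*per_button)) > 1:
            kinds.append("command")
        else:
            kinds.append("fixed")
    return kinds


def field_layout(captures: dict[str, list[str]]) -> list[tuple[int, int, str]]:
    """Collapse the per-bit labels into (start, end, kind) runs, end exclusive."""
    kinds = classify_bits(captures)
    layout, pos = [], 0
    for kind, run in groupby(kinds):
        length = len(list(run))
        layout.append((pos, pos + length, kind))
        pos += length
    return layout


if __name__ == "__main__":
    for start, end, kind in field_layout(SAMPLE_CAPTURES):
        print(f"bits {start:2d}-{end - 1:2d}: {kind}")
```

Bits that never change across many presses of many buttons are candidates for the serial number or a sync pattern, and a field that changes on every press of the same button is the part a rolling code scheme is protecting; that distinction is what tells you a replay of a single capture will not be accepted twice by a correctly implemented receiver.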
First scenario: abusing the DOR functionality
At this point, we can test both scenarios. The first is based on the DOR procedure, which involves a hidden button on the remote control. As mentioned earlier, Cardin isn’t the only brand to offer this feature; it is commonly found in devices from different manufacturers. It is important to note that the remote control manual reveals that the hidden button lets you register a new remote control with the receiver remotely. We also found that this button’s signal can be replayed, unlike those of the other buttons, which is the basis of the attack.
We sniffed the DOR command and blocked the first button press by jamming it and recording it at the same time. As a result, the legitimate procedure failed. This allowed us to replay the DOR button from the authenticated remote, play one of its button commands, and register our second remote by sending out its button signals.
The good news is that this technique requires an intruder to capture valid button presses, including that of the hidden DOR button, which would be rare in a real-life scenario. An attacker would need access to the resident’s actual remote, or would have to time the attack to coincide with maintenance of the garage mechanism.
Second scenario: analyzing the rolling code
Moving on to the second scenario, we needed to decode the rolling code. To do this we turned to the KeeLoq algorithm, which is used to protect the packet from replay and decoding. Studies have already shown that attacks on KeeLoq have been carried out. Like many rolling/hopping code mechanisms, KeeLoq does not use a timestamp, which could help prevent an attacker from carrying out replay attacks. In our case, we used Kaiju to analyze the rolling code, which allowed us to send a command over the air.
But Kaiju has some intentional limitations for non-LEA (law enforcement) users. However, an attacker could still look in the remote’s memory and study the manufacturer’s keys to generate a rolling code themselves. This exercise can go further by looking at remote cloners, which include master keys for several brands, as we show in our technical brief.
The PandwaRF device
It could be argued that carrying out such an attack would require conspicuous equipment and defeat the purpose of a stealthy break-in. However, a device like the PandwaRF, a compact frequency analyzer controlled from an Android app, can make this setup portable and easier to hide. In the technical brief we show in more detail how this device can be used to capture and help decode signals.
For intruders, the garage door can be a discreet way into a residence. Once inside the garage, they can plan how to get further in, hidden from the sight of passers-by. They could also simply target whatever is stored in the garage.
This demonstration aims to show that these security holes still exist and can make a house’s defenses fail in unexpected and unnoticed ways. To prevent such attacks from materializing, manufacturers should add security measures on top of the rolling code mechanism, such as the following:
- Use a different manufacturer key per remote control and introduce key diversification, so that an attacker would have to discover the generation algorithm for each key even after dumping the master key
- Physically disable debugging interfaces on remotes and receivers
- Implement memory protection on remote controls and receivers to prevent possible key leaks
- Use a seed when incrementing the sync counter to complicate brute-force attempts
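To make the receiver-side logic behind the rolling code discussion and the recommendations above concrete, here is an added Python simulation; it is not Trend Micro’s, Cardin’s or KeeLoq’s code. It substitutes an HMAC tag for KeeLoq’s encrypted hopping field (a labelled simplification), derives a per-remote key from the manufacturer key and the remote’s serial (the key diversification recommended above), starts the sync counter from a seed rather than zero, and shows why a receiver that tracks the last accepted counter rejects a replayed packet while still tolerating a few presses it never heard. The manufacturer key, serials, seed and window size are constructed placeholders.

```python
# Added example (not from the original post): a toy rolling-code remote and
# receiver. HMAC-SHA256 stands in for KeeLoq's block-cipher hopping code.
import hashlib
import hmac
import struct

# Constructed placeholder; a real manufacturer key is secret and not on the page.
MANUFACTURER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

PACKET_FMT = ">IBI4s"        # serial (fixed) | button (command) | counter | tag
PACKET_LEN = struct.calcsize(PACKET_FMT)
COUNTER_WINDOW = 16           # hypothetical resync window: up to 16 missed presses


def derive_device_key(manufacturer_key: bytes, serial: int) -> bytes:
    """Key diversification: every remote gets its own key derived from the
    manufacturer key and its serial, so dumping one remote's key does not
    expose the others. (Hypothetical KDF, not KeeLoq's own derivation.)"""
    return hmac.new(manufacturer_key, b"device-key" + struct.pack(">I", serial),
                    hashlib.sha256).digest()


def _tag(device_key: bytes, serial: int, button: int, counter: int) -> bytes:
    # Stand-in for the encrypted hopping field: binds command and counter to the key.
    msg = struct.pack(">IBI", serial, button, counter)
    return hmac.new(device_key, msg, hashlib.sha256).digest()[:4]


def encode_packet(device_key: bytes, serial: int, button: int, counter: int) -> bytes:
    return struct.pack(PACKET_FMT, serial, button, counter,
                       _tag(device_key, serial, button, counter))


def parse_packet(packet: bytes):
    if len(packet) != PACKET_LEN:
        raise ValueError("bad packet length")
    return struct.unpack(PACKET_FMT, packet)


class Remote:
    def __init__(self, serial: int, device_key: bytes, seed: int):
        self.serial, self.key = serial, device_key
        self.counter = seed   # seeded, not zero: the last recommendation above

    def press(self, button: int) -> bytes:
        self.counter += 1
        return encode_packet(self.key, self.serial, button, self.counter)


class Receiver:
    def __init__(self, manufacturer_key: bytes):
        self.mk = manufacturer_key
        self.remotes: dict[int, int] = {}   # serial -> last accepted counter

    def learn(self, packet: bytes) -> bool:
        """Registration (what a learn/DOR procedure ends up doing): derive the
        remote's key from its serial, check the packet, store its counter."""
        serial, button, counter, tag = parse_packet(packet)
        key = derive_device_key(self.mk, serial)
        if not hmac.compare_digest(tag, _tag(key, serial, button, counter)):
            return False
        self.remotes[serial] = counter
        return True

    def accept(self, packet: bytes) -> tuple[bool, str]:
        serial, button, counter, tag = parse_packet(packet)
        if serial not in self.remotes:
            return False, "unknown remote"
        key = derive_device_key(self.mk, serial)
        if not hmac.compare_digest(tag, _tag(key, serial, button, counter)):
            return False, "bad tag"
        last = self.remotes[serial]
        if not (last < counter <= last + COUNTER_WINDOW):
            return False, "counter outside window (replay or desync)"
        self.remotes[serial] = counter   # the counter is the only freshness check
        return True, f"button {button} accepted"


def demo() -> tuple[bool, bool, bool, bool]:
    rx = Receiver(MANUFACTURER_KEY)
    serial = 0x0001A2B3                                # constructed serial
    remote = Remote(serial, derive_device_key(MANUFACTURER_KEY, serial), seed=0x5A17)
    assert rx.learn(remote.press(1))
    captured = remote.press(1)          # a press that an eavesdropper could record
    first = rx.accept(captured)         # fresh counter: accepted
    replay = rx.accept(captured)        # same counter again: rejected
    for _ in range(3):
        remote.press(1)                 # presses made out of the receiver's range
    resync = rx.accept(remote.press(1))  # still inside the window: accepted
    other = Remote(serial + 1, derive_device_key(MANUFACTURER_KEY, serial + 1), seed=1)
    stranger = rx.accept(other.press(1))  # never learned: rejected
    return first[0], replay[0], resync[0], stranger[0]


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

Two points the simulation makes visible: because there is no timestamp, a recorded packet the receiver never saw stays valid until the stored counter moves past it, which is exactly why the jamming step matters in the first scenario; and because each remote’s key is derived from its serial, recovering one remote’s key does not let an attacker forge packets for a different serial without the manufacturer key.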
For their part, owners should ensure that receivers are physically secure and well hidden. They shouldn’t leave open garages unattended, should be careful where they keep their garage remotes, and should consider using traditional locks to secure their garages, especially when they’re out of town. They should also be aware of features such as the DOR procedure highlighted in this entry so that these are not used in attacks. Additionally, owners should note that the DOR feature can be disabled by removing a jumper on the receiver.
This research aims to provide a framework for generating all the keys and verifying whether the configurations are correct. We have only summarized the process here; a detailed description is in our technical brief, “A security analysis of garage door remotes and the danger of DOR attacks.”
Trend Micro Inc. published this content on 21 October 2021 and is solely responsible for the information it contains. Distributed by Public, unedited and unmodified, on October 21, 2021 12:33:07 PM UTC.