Forced Entry: A Security Test for Automatic Garage Doors Threat Researcher

The targets studied for this blog entry are Cardin S449-QZ2 remotes and receivers that support these remotes. We chose this remote because it was among several remotes that carry the DOR procedure, which we will elaborate on later. We used SDR to capture and analyze the signals sent by each remote button push. After rooting out the frequency range, we were able to use a custom SDR frequency analyzer and observe two spikes representing the signal we wanted to capture.

This signal was recorded using a complex file sink. We then decimated and demodulated it to reveal the data that we needed to extract and decode. For this we used tools like Inspectrum and the Universal Radio Hacker (URH) for decoding.

We did this several times for all of the buttons, including the hidden button mentioned earlier. After recording several different pushes, we were able to identify fields like the command, fixed, and encrypted fields, which indicates a rolling/hopping code mechanism. We needed to analyze the rolling code for the second scenario.

First scenario: Abusing the DOR feature

At this point, we can test the two scenarios. The first one hinges on the DOR procedure that involves a hidden button in the remote. As mentioned earlier, Cardin is not the only remote to carry this feature as it is commonly found even in devices made by different manufacturers.  It is important to note that the remote’s manual reveals that the hidden button allows one to remotely record a new remote into the receiver. We also found that this button can be replayed unlike the other buttons, thus the basis of the attack.

We sniffed the DOR command and blocked the first button press. We did this by jamming it and recording it simultaneously. As a result, the procedure failed. This allowed us to replay the DOR button of the authenticated remote, play one of its button commands, and record our second remote by sending its button signals.

The good news is that this technique would require an intruder to capture valid button keystrokes, including that of the hidden DOR button, which would be rare in a real scenario. An attacker would need to have access to the resident’s actual remote or time their attack during the garage mechanism’s maintenance.

Second scenario: Analyzing the rolling code

Moving on to the second scenario, we needed to decode the rolling code and to do so, we turned to the KeeLoq algorithm, which is used to protect the packet from being replayed and decoded. Studies have already shown that attacks on KeeLoq have been done before. Like many rolling/hopping code mechanisms, KeeLoq does not use a timestamp that can help prevent an attacker from conducting replay attacks. For our case, we used Kaiju to analyze the rolling code, which allowed us to send a command over the air.

But Kaiju presents some attentional limitations to non-LEA users. Nevertheless, an attacker can always look at remotes’ memory and study the manufacturer keys to generate a rolling code on its own. This exercise can go further by looking at the remote cloner that includes master keys for several brands, which we show in our technical brief.

The PandwaRF device

One could argue that conducting such an attack would involve obvious equipment and defeat the purpose of a stealthy break-in. However, a device like the PandwaRF, a compact frequency analyzer with an Android APK, can make this setup portable and easier to conceal. In the technical brief, we show in better detail how this device can be used to also effectively capture and help decode signals.

Security implications

For intruders, the garage door might be a discreet option for breaking into a residence. Inside the garage, they can piece together a plan to break in further, hidden safely away from the view of passersby. They could also simply target whatever is inside the garage.

This demonstration aims to show that these security gaps continue to exist and can cause a home’s barriers to unravel in unexpected and covert ways. To prevent such attacks from materializing, manufacturers should take steps to add more security measures on top of the rolling code mechanism, such as the following:

  1. Using a different manufacturer key per remote and introducing diversification so that an attacker would have to find out the generation algorithm of each key, even after dumping the master key
  2. Debugging interfaces that are physically disabled on remotes and receivers
  3. Implementing memory protection on remotes and receivers to avoid possible leaks
  4. Using a seed when adding to the sync counter to complexify the brute force process

For their part, homeowners should ensure that receivers are physically secured and well hidden. They should not leave their open garages unattended, be mindful of where they keep their garage remotes, and consider the use of traditional locks to secure their garages especially when they are out of town. They should also be aware of features such as the DOR procedure highlighted in this entry to prevent these from being used in attacks. Additionally, homeowners should note that the DOR feature can be disabled by removing a jumper on the receiver.

This research aims to provide a framework to generate all keys and check if configurations are correct. We have described only a summary of the process here and provide a detailed description in our technical brief, “A Security Analysis of Garage Door Remotes and the Danger of DOR Attacks.”

Read More HERE