My car has a built-in garage door opener transmitter that can learn the code for all (most?) garage door openers. I understand that garage door openers these days typically employ a rolling code scheme to prevent an eavesdropper from listening in to your transmitter’s signal and then playing it back later to open your garage door.
A few questions:
-do all brands of openers employ the same rolling code algorithm to determine the next code based on the previous one?
-if not, how does my car’s built-in transmitter know which rolling code scheme to employ?
-if I program my car’s transmitter with the opener’s handheld transmitter, aren’t both transmitters then using the same starting point for the rolling code algorithm? If I use my car’s transmitter once, why does my handheld transmitter work? Shouldn’t its next transmission be seen as an “old/expired” code, since it was just used by my car’s transmitter?
-are the rolling code algorithms all kept secret by garage door opener manufacturers? If they’re a big secret, they must share them with car manufacturers. That’s a lot of people who know the secret, which makes it difficult to keep secret. So…are the algorithms really secret?
One answer is that they talk to each other and stay in sync that way. Compatibility means they are able to work together and sync up on all future rolling codes.
I don’t know about the algorithms, but a strange device can’t be ‘introduced’ to your door opener’s settings and rolling code protocol except by accessing the actual opener and initiating it. So, a strange device will know the methodology and maybe even the algorithm, but not know where to start or sync up within the millions of codes.
I can’t answer the first two questions but your third one “programming from the handheld transmitter” doesn’t seem right. I had to enable a learning mode from the opener’s main unit, not the handheld transmitter. In effect I was pairing up the receiver with a new transmitter, not just cloning an old transmitter.
Your last question about rolling code algorithms being known by car manufacturers and not being safe. I think you simplify it too much. The method is known but it’s not the method that protects the security but the “seed” that is provided.
Look at it this way, I could tell my whole neighborhood that the combination to the lock on my front door will be the correct response to “what is 17 times X”.
But I only tell you that X is equal to 3.567973821
So the next time you want in you give my lock the proper answer (and tell that number to the whole neighborhood) and my lock allows you entry but also tells only you that your new number is your old number times 5.327893.
So now the whole neighborhood knows your expired code but doesn’t have a clue as to what the next code is.
So it’s the seed value that is implanted in your transmitter during setup that protects your security. People can eavesdrop on everything your transmitter and receiver do but won’t be able to butt in because they don’t know the pass codes that the seed was used to generate.
That’s all well and good, but I have two cars. When I leave in the morning, I use the wired switch to open the door. I back out and use the remote to close the door. My wife does the same thing later. So, her remote is the last one to speak to the garage door. Now, if I get home before she does, I can still get in. How does my garage know it’s me if the code was reset when my wife left?
Rolling code schemes typically will check +/- n codes to allow the two ends to stay in sync. For security though, once a code opens the door, it won’t be allowed to open it again. So your spouse may have to push the opener twice. An alternative is that the two transmitters place a transmitter ID, so that they can each have their own rolling code sequence.
Howstuffworks said remote car keys used this system, and if you pressed the key while out of range of the car too many times, they’d go out of sync. I think new systems use the current time, like those bank security tokens.
Yes, but since the latest systems use *billions* of codes, you’d have to press the remote tens of thousands of times at least in order for it to get ‘out of sync’. That’s how many ‘active’ codes it will accept. It may seem insecure that an encryption system can at any given time accept 100,000 possible valid codes, but not when the total is in the billions…
Nice discussion. Thanks, Drum God, for the great analogy.
I stumbled on to this thread while trying to solve a related, practical problem. If I understand this discussion correctly, I think I’m stuck. Tell me if I’m right…
I have an old garage remote that originally worked with my rental property next door to me. I was about to “teach” my opener to work with the remote, when I realized that the remote might still work on the next door opener. Sure enough it does, and my house is within range of it.
I suppose I could go ask my tenant if I can erase his opener, and then re-assign his remotes (excluding the one I have.) But to save the hassle, I’ve been trying to find out if I can somehow reset this remote itself, so it will no longer work with his door. Then re-teach my opener to work with the reset remote.
If I’m understanding things correctly, this idea can’t work, because the remotes “seed” is fixed. Is that right?
How old is this remote? If it’s really old it won’t use rolling encryption, it may use a preset code using eight or ten DIP switches. Open the battery cover and see if there’s something like this under it. If so it’s changeable, but it will only work with correspondingly old ‘fixed code’ receiver units like your neighbor’s (best to just give it to them then). If it is a newer remote then no, you can’t re-pair the remotes, only the receivers.
While this technique has been known in theory, someone has finally manufactured the device and proven it works in practice.
The method, in short:
The device picks up someone sending a code to a door opener or a car. It saves the code while at the same time sending out a jamming signal to prevent the door from opening.
The human presses the button a 2nd time. The device repeats step 1 and then sends the first code. (Saving the 2nd code.) The door opens.
Repeat step 2 for each ensuing press.
When needed, the device is ordered to send the last saved code. The door opens. Perp gains access.
Note that to simultaneously pick up a code and jam it, the device needs to be favorably located. Basically right next to the garage door for a door opener or stuck under the targeted car.
Maybe not too much of a problem for most people’s garage doors, but likely a big problem for cars.
Any idea what that +/- n number might be? For instance my wife may go out of town with her car for a couple weeks with her opener. While she’s gone I may use my opener 30+ times. When she returns her opener works fine.
As Kevbo said, some openers are able to distinguish one remote from another. If yours are like that you could press your button a jillion times with no effect on the code the opener is expecting from your wife’s remote.
If yours are not that fancy, the +/-n could easily be thousands or tens of thousands as **Hail Ants** said.
Wow, that sounds feasible. Except don’t rolling code transmitters & receivers also use encryption? And the only time they communicate via ‘plain text’ is when you briefly put the receiver (i.e. the car) in pairing mode to program it to accept a new remote?
BFD. Another breathless security vulnerability which is impossible to implement in any significant fashion! Just how do you expect the bad guys to use this exploit?
I was gonna mention this too. While technically interesting and clever (if true), it isn’t really practical in real life. You’d have to attach the receiver/jammer to the target car, wait for the owner to unlock the car, follow them to wherever they’re going, wait for them to leave, then get inside the car. And it only lets you inside, it does nothing to help actually steal the vehicle.
The specs of the device are going to be widely available. Based on history with similar devices, they will soon be available over the Internet.
People tend to park their cars in the same places over and over. E.g., on the street outside their homes, work, etc. Plus there are ways to add a tracking system to such a device.
Why not break a window? People notice that. Alarms go off. Get in using an exploit, it looks quite normal.
Also, getting in is step 1 of driving off with a car. The newest systems have incredible holes in their onboard software. If you can get access to a port inside the car, you can take control. (Although Bluetooth/WiFi exploits are simpler and quite common. So expect garage doors to be the main target.)
This is a really neat way to bypass this algorithm. “Back to the drawing board”. I wonder how you can fix this. When I worked out my own coding scheme, I used 2 codes sent one after another, with a timeout, to solve this particular problem. (I just worked out on paper a theoretically secure scheme. It isn’t complex, it just uses FPGAs implementing the TCP/IP stack to put a sort of “firewall” between incoming network packets and a system that is programmable, in order to block all takeover/buffer overflow hacks in theory. It uses one time pad to block all encryption breaking efforts, in theory)
Clearly, the way to defeat this hack is to never allow an out-of-sequence code to work.
Then, your window of vulnerability is one keypress - if the bad guy captures your code, he must use it before you press your remote again, or his code is invalidated.
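As an added example (my own code, not anything posted in this thread or any manufacturer's algorithm), here is a small simulation of three things discussed above: the lookahead window and per-remote counters Kevbo describes, the jam-and-replay sequence from the post describing the device, and the strict receiver proposed just above that never accepts an out-of-sequence code. The HMAC-SHA256 derivation of each code from a seed and a counter, the window size of 16, the remote IDs and the seeds are all assumptions made for illustration.

```python
"""Toy rolling-code opener (constructed example, not any vendor's scheme):
- one counter per paired remote, a lookahead window, no look-back
- a jam-and-replay attacker as described in the thread
- a 'strict' receiver that accepts only the exact next counter
Deriving codes as HMAC-SHA256(seed, id || counter) is an assumption."""
import hashlib
import hmac

WINDOW = 16  # hypothetical lookahead; real products use larger windows


def code_for(seed: bytes, remote_id: int, counter: int) -> bytes:
    """Assumed derivation: the seed never goes over the air, so someone who
    sees this 8-byte code cannot compute the one for counter + 1."""
    msg = remote_id.to_bytes(2, "big") + counter.to_bytes(4, "big")
    return hmac.new(seed, msg, hashlib.sha256).digest()[:8]


class Remote:
    def __init__(self, remote_id: int, seed: bytes):
        self.id, self.seed, self.counter = remote_id, seed, 0

    def press(self):
        """Emit (id, code) and advance, whether or not anyone hears it."""
        frame = (self.id, code_for(self.seed, self.id, self.counter))
        self.counter += 1
        return frame


class Opener:
    def __init__(self, strict: bool = False):
        self.paired = {}      # remote id -> [seed, next expected counter]
        self.strict = strict  # True: accept only the exact next counter

    def learn(self, remote: Remote):
        """Pairing mode on the main unit stores the remote's seed and counter."""
        self.paired[remote.id] = [remote.seed, remote.counter]

    def receive(self, frame) -> bool:
        rid, code = frame
        if rid not in self.paired:
            return False
        seed, expected = self.paired[rid]
        lookahead = 1 if self.strict else WINDOW
        # Only look forward: any code before 'expected' is stale, so a code
        # that already opened the door cannot open it a second time.
        for k in range(lookahead):
            if hmac.compare_digest(code, code_for(seed, rid, expected + k)):
                self.paired[rid][1] = expected + k + 1   # resynchronise
                return True
        return False


def _paired(n_remotes: int, strict: bool = False):
    opener = Opener(strict)
    remotes = [Remote(i + 1, b"seed-%d" % i) for i in range(n_remotes)]  # constructed seeds
    for r in remotes:
        opener.learn(r)
    return opener, remotes


def two_remotes_stay_in_sync(presses: int = 30) -> bool:
    """Two cars: pressing one remote many times leaves the other's counter alone."""
    opener, (mine, spouse) = _paired(2)
    opener.receive(spouse.press())
    for _ in range(presses):
        opener.receive(mine.press())
    return opener.receive(spouse.press())


def out_of_range_presses(n: int) -> bool:
    """Press n times out of range, then once in range: accepted iff n < WINDOW."""
    opener, (r,) = _paired(1)
    for _ in range(n):
        r.press()
    return opener.receive(r.press())


def jam_and_replay(strict: bool):
    """Jam every press, save its code, replay the previous one so the door still
    opens for the owner; finally use the last saved code with the owner gone."""
    opener, (r,) = _paired(1, strict)
    saved, opened_for_owner = None, []
    for _ in range(3):
        frame = r.press()                               # jammed: opener never sees it
        opened_for_owner.append(saved is not None and opener.receive(saved))
        saved = frame                                   # keep the newest code
    return opened_for_owner, opener.receive(saved)


def one_missed_press(strict: bool):
    """One press is jammed and saved but not replayed; the owner's next press
    gets through. Returns (owner's press accepted, stolen code accepted)."""
    opener, (r,) = _paired(1, strict)
    stolen = r.press()
    owner_ok = opener.receive(r.press())
    return owner_ok, opener.receive(stolen)


if __name__ == "__main__":
    print("two remotes in sync:", two_remotes_stay_in_sync())
    print("15 / 16 missed presses:", out_of_range_presses(15), out_of_range_presses(16))
    for strict in (False, True):
        print("strict" if strict else "window", jam_and_replay(strict), one_missed_press(strict))
```

Running it: `two_remotes_stay_in_sync` returns True because each remote has its own counter, and `out_of_range_presses` flips from True to False once the remote has rolled past the window, which is the "out of sync" case mentioned earlier. `jam_and_replay` gives `([False, True, True], True)` for both the window receiver and the strict one: the saved code is always the receiver's next expected counter, so strictness does not change the outcome. `one_missed_press` shows the trade-off: the window receiver returns `(True, False)` (the owner's later press invalidates the stolen code), while the strict receiver returns `(False, True)`, since a single jammed or out-of-range press leaves the owner's remote permanently ahead of the receiver while the stolen code stays valid until re-pairing.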
But, I really find it hard to believe that this hack is anything but a theoretical exploit. The requirement that the device must be able to receive the remote code while at the same time squelching the reception of said code means that the location of the gadget is critical - I would think too critical to be useful.
It’s not that complicated. Your jamming signal is actually a chipping code - it’s a sequence of signal state changes that you know the sequence to. This allows you to extract, with signal processing, the signal sent by the remote control while the receiver in the garage door opener doesn’t see it.
This would let you stick the box that does this in a wide range of places. It does need to be reasonably close to the opener for signal strength reasons, but it doesn’t have to be precisely in between. There are probably a huge number of ways and places to hide it.
Also, the hackers don’t actually have to retrieve their box. Once they install it, they could pick up the code remotely. If I were designing such a box, I would make it all in one - there would be a way to tell the box to open the garage door, so I wouldn’t need a separate radio.
With all this said, while it is a neat security bypass, I doubt burglars actually need such a device. There are so many other ways to get in.
This is all TV/film secret agent stuff. It would be useful for cases where you had to get in without letting someone know you got in, but it’s overkill for real-world thieves. Plus with almost all garage door openers there’s the old ten second coat hanger trick (search YouTube)…