The first line of defense for most homes is a version of the classic locking system and key used to secure all possible passages inside. These mechanisms are often reliable, encouraging residents to take for granted that this will always be the case. In this blog post, we take a closer look at one of these mechanisms, the simple garage door remote, to test two threat scenarios and show their security implications.
While this topic was raisedin the past, we saw a good opportunity to look at it again when we came across a broken garage door remote. We fixed the mechanism to see potential security vulnerabilities. UsingSoftware defined radio (SDR) and radio frequency (RF) technologywe were able to test two attack scenarios.
Figure 1. The attack chain summarizing this analysis
The first scenario is interesting because the key to this attack is the discrete function of the remote control, the direct receiver function (DOR). Using jamming and signal reproduction, we were able to record a second remote in the receiver and maintain constant access. The second scenario is an overview of the attacks with the moving code. Finally, we discuss the consequences of a device that can make such attacks more covert to conduct by minimizing its setup.
Our technical summary »Analysis of the security of remote devices for garage doors and the danger of DOR attacks“Provides a detailed and complete description of our test, including images of the tools we used and the results of each step of the two threat scenarios.
Signal decoding
The targets researched for this blog post are remotes and Cardin S449-QZ2 receivers that support these remote devices. We chose this remote because it was among several remotes that carry the DOR procedure, which we will look at later. We usedSDRto capture and analyze the signals sent by each push of a button on the remote control. After eradicating the frequency range, we were able to use a custom SDR frequency analyzer and observe two peaks representing the signal we wanted to capture.
This signal is recorded using a sophisticated file receiver. We then decimated and demodulated it to reveal the data we had to extract and decode. For this we used tools such as Inspectrum and Universal Radio Hacker (URH) for decoding.
We did this several times for all the buttons, including the hidden button mentioned earlier. After recording several different clicks, we were able to identify the fields as command, fixed and encrypted fields, which shows a rotating / jumping code mechanism. We had to analyze the moving code for the second scenario.
Scenario 1: Abuse of the DOR function
At this point we can test both scenarios. The first depends on the DOR procedure, which includes a hidden button in the remote control. As mentioned earlier, the Cardin is not the only remote that carries this feature, as it is often found even in devices manufactured by different manufacturers. It is important to note that the manual of the remote reveals that the hidden button allows remote recording of a new remote in the receiver. We also found that this button can be played again unlike other buttons, thus being the basis of the attack.
We sniffed the DOR command and blocked the first press of a button. We did this by silencing it and recording it at the same time. As a result, the procedure failed. This allowed us to replay the DOR button on the authenticated remote, play one of its button commands, and record our second remote by sending signals from its buttons.
The good news is that this technique will require an intruder to capture valid key presses, including that of the hidden DOR button, which would be rare in a real-world scenario. The attacker will need to have access to the resident’s actual remote or report his attack while maintaining the garage mechanism.
Scenario 2: Analyze the moving code
Moving on to the second scenario, we had to decode the moving code, and to do so, we turned to the KeeLoq algorithm, which is used to protect the packet from re-reproduction and decoding. Studies have already shown thisattacksof KeeLoq have been made before. Like many moving / jumping code mechanisms, KeeLoq does not use timestamping, which can help prevent an attacker from performing replay attacks. For our case, we used Kaiju to analyze the moving code, which allowed us to send a command over the air.
But Kaiju presents some limitations to the attention of non-LEA users. However, the attacker can always look at the memory of the remote devices and examine the manufacturer’s keys to generate the mobile code itself. This exercise can go further by looking at remote cloning, which includes master keys for several brands, which we show in our technical report.
The PandwaRF device
It can be argued that conducting such an attack will involve obvious equipment and will prevent the target of covert intrusion. However, a device like the PandwaRF, a compact frequency analyzer with the Android APK, can make this setting portable and easier to hide. In the technical description, we show in more detail how this device can be used to efficiently capture and assist in decoding signals.
Security implications
For intruders, a garage door can be a discreet option for breaking into a home. Inside the garage, they can make a plan for further penetration, safely hidden away from the view of passers-by. They can also just focus on everything in the garage.
This demonstration aims to show that these security gaps persist and can lead to the unraveling of home barriers in unexpected and hidden ways. To prevent such attacks from materializing, manufacturers should take steps to add more security measures to the mobile code mechanism, such as the following:
- Use a different key from the manufacturer to remotely and introduce diversification so that the attacker needs to understand the algorithm for generating each key, even after discarding the master key
- Debugging interfaces that are physically disabled on remotes and receivers
- Implement memory protection of remotes and receivers to avoid possible leaks
- Use an initial number when added to the synchronization counter to complicate the brute force process
For their part, homeowners need to ensure that the receivers are physically secure and well hidden. They should not leave their open garages unattended, consider where they keep their remote garages, and consider using traditional locks to secure their garages, especially when out of town. They should also be aware of features such as the DOR procedure highlighted in this record to prevent their use in attacks. In addition, homeowners should be aware that the DOR function can be deactivated by removing the jumper on the receiver.
This study aims to provide a framework for generating all keys and verifying that the configurations are correct. Here we have only described a summary of the process and provided a detailed description in our technical description, “Analysis of the security of remote devices for garage doors and the danger of DOR attacks“
Rebuttal
Trend Micro Inc. publishes this content on October 21, 2021 and is fully responsible for the information contained therein. Distributed by Public, unedited and unchanged, on 21 October 2021, 12:33:07 UTC.