Older Genie garage door openers use a series of dip switches to program the receiver on the motor to work with the door opener remote control. When the positions of the nine or 12 dip switches in the remote fail to match the dip switch positions on the opener, the garage door will not operate when you press the remote button. Change the dip switches in the garage door opener to a random pattern rather than placing all the switches in the up or in the down position. This can protect against thieves matching your dip switch pattern. Unplug your Genie garage door opener from the electrical outlet in the ceiling. Although unplugging the opener is not necessary, it keeps a family member from accidentally opening the door during repairs. Remove the screws holding the plastic lens covering the garage door light bulb. Pull the lens from the opener motor to expose the white dip switches in the upper left corner. Older Genie openers may have a separate receiver attached to the top of the motor. Pry the cover from the receiver with a small flat-head screwdriver to access the dip switches.
Open the battery compartment on your Genie garage door opener remote to expose the dip switches. Depending on the style, the battery cover slides off the remote, or you must remove a small screw before removing the cover. Move the dip switches with the tip of an ink pen. Place each switch on the remote in either the up or down position. Match the dip switch positions on the opener motor or a separate receiver with the dip switch positions on the remote. For example, if the first three dip switches on the remote are in the down position, move the first three dip switches on the opener to the down position. Replace the cover on the remote. Replace the cover on the receiver, or the lens cover on the front of the garage door opener. Plug the opener back into the outlet in the garage ceiling. Things You Will Need Stepladder Screwdriver Small flat-head screwdriver Ink pen References YouTube: Garage Door Supply Company: Programming Genie GM3T-BX Master Remote with DIP SwitchesSky Link: Wireless Keyless Entry User’s Instructions Suggest a Correction
We’ve talked in depth about garage doors and their vulnerabilities on ITS, but today we wanted to highlight a discovery made by Samy Kamkar using a children’s toy and some common materials. The device he’s created, dubbed the OpenSesame, can open a garage door using a brute force attack in less than 10 seconds. Before we get into the details of the vulnerability, let’s explain a bit about how automatic garage door openers developed. The first electric garage door opener was introduced in 1926, but didn’t gain in popularity until after World War II. These openers usually involved a wired switch being run from the door motor to a keypad or button that could be pressed from inside the vehicle. As technology improved, the wireless remote was created and used radio signals to transmit a code from the remote control to the opener itself. Once the code was transmitted, the opener would receive it and run the motor to draw the door up or down. In the 1960’s, as automatic openers were more widely adopted, it was discovered that the doors all used the same code.
Since the doors used the same signal and code, any remote could open any door. Thieves quickly discovered that by purchasing a few remotes from different manufacturers, they could open nearly any door. This led the garage door industry to introduce new openers that featured changeable codes. Manufacturers wanted to design an opener with a code that could be set by the owner in case they needed to replace or add new remotes. These new programmable openers featured a series of 8-12 dip switches that could be set in the up or down position to create a unique code. This meant that for an 8 switch remote there were 28 or 256 possible codes and on a 12 switch remote there were 212 or 4,096 possible codes. This greatly decreased the chances of the door’s code being matched by a thief armed with a standard remote, as they would need to sit outside and physically set each dip switch and test the new code. This might sound like a large number of possible codes but in binary terms, it’s not much.
In fact, using a two character alphanumeric password would be more secure than this and would provide more combinations. The method that Samy Kamkar used to attack these type of garage doors was a brute force attack, in which he sent every possible code (4,096) to the door until it would open. The device he used to perform this brute force attack was a slightly modified IM-ME children’s toy. He found that if he transmitted each code five times with a wait period behind the code, he could transmit every possible code to the door in about 29 minutes. That’s a pretty scary fact as theoretically, a thief could sit in a car outside your home for that long without being noticed. Unfortunately, that’s not the worst of it as Samy discovered that he could dramatically shorten the length of time it took to open the door using math. Samy found that by transmitting each code only once rather than five times, the time was reduced to 6 minutes. Many times, remotes transmit the code multiple times in case of interference, but there’s rarely ever any, so transmitting it once seems to work just fine.
Not only that, he also discovered that removing the wait times between the codes took the time down to 3 minutes. So if there wasn’t a wait time between codes, how could the opener know when one code stopped and another began? The answer lies in the fact that the openers use what’s called a Bit Shift Register, where it’s only looking for a part of the code to match up with the actual code. This is a very insecure method to check the code and results in a dramatic decrease in the overall time it takes to send all the codes to the opener since the opener is checking all possible permutations of a code and doesn’t have a defined start and end point. Knowing that the opener used a Bit Shift Register, Kamkar was able to apply The De Brujin Sequence to transmit all possible codes much quicker and managed to take the total time down to just 8.7 seconds. Luckily, most automatic openers today aren’t affected by this exploit since they use “Rolling” codes, where the code is changed every time the door is opened.
However, there are some manufacturers that are still producing openers with dip switches. These manufacturers include Nortek / Linear / Multi-Code and NSCD/North Shore Commercial Door. Older models from vendors such as Chamberlain and Liftmaster can also be vulnerable so you should double check to ensure that your door does not feature this technology. The best method to check your opener is to check the remote. If you open the remote and find dip switches, you should upgrade the opening system immediately. Look for a system that offers Rolling Codes, Hopping Codes, Intellicode or Security Plus. The remote above is a good example of a Rolling Code remote because it lacks dip switches. These technologies don’t rely on a fixed code and are harder to hack. Keep in mind though that nothing is foolproof, so you should design your security around that. Top 10 Garage Door Security Tips to Prevent Break-Ins Safety Announcement: Protecting Against Garage Door Break-Ins How to Escape from Zip Ties