Okay, we have three garage doors here.

Question is, can you open them, sir?

Try goes.

I got one.

Ah, he's got to.

The point of this video is to show how easy it is to re program a toy to open almost any radio frequency, garage, door or gate in seconds.

But first, let's talk about last pass.

You know, the average person these days has about 200 different accounts that require passwords.

And, of course, 200 different passwords is far too much for anyone to remember.

So most of us use the same password across multiple sites, and that is just a terrible idea.

So you really need a password manager and last pass can do that for you can store all of your passwords in the one place, which means you never have to remember them again.

You don't have to have that anxiety about getting locked out of accounts.

You don't have to write them down or you don't have to reset them.

Last pass takes care of all of that hassle.

It has a great number of features, including unlimited numbers of passwords that you can store there also free sink across all of your devices.

And if there is a password breach, you get an alert.

Plus, last pass has multi factor authentication.

And as anyone who knows the Internet knows that is the best way to keep your account's secure.

You should use it on last past and all the other places where you possibly can recently last past teamed up with you, Beaky and Microsoft to support their multi factor authentication.

So to find out more about last pass, check out the link in the description.

And thanks again the last pass for sponsoring this video.

And now let's try to break into my garage.

All right, wait.

No wonder you have so many if you treat them like this.

Okay, Well, do you want to see the signals that these produce?

Sure that this is my friend Cindy.

Now, when you're dealing with garage garage, door remote, they're typically in what's known as an I S M.

Ban Industrial, scientific medical.

Basically, they don't need to get really licensed to use those fans.

Anyone can use them within some power rating within the U.

S.

And typically it's gonna be like 300 or 433 megahertz.

All right, so when I hit this button, look to the right.

This is insane.

So what?

I can tell just by looking at this is how it's actually a modulating the signal on out sending this is called amplitude Shift.

King A S K.

What's happening is, every time I'm holding on the button, multiple bits are getting sent on a single frequency and it has to do with the time that it's on or off, which means a one or a zero.

Let me ask the obvious question, which is like, How secure is my garage?

It's not s.

So why don't we have to record the data?

12345678 So it looks like you're garage used an eight bit code.

Here we have the dip switches, so obviously see Lo lo lo.

Hi hi, Hi.

Lo lo long, Long, long, short, Short, Short.

Long, Long.

It's not like there's any special message format or anything.

This is kind of the most really the most basic that you could make a transmitter.

Well to To the eight is two people.

16 256 possibilities to open your code.

Now, let's see.

Let's just see how long this this, uh, period of data is.

So this is about 32 milliseconds, 32 milliseconds to send a single code.

So if we did 32 milliseconds times the 256 possibilities, it would take 8000 milliseconds, eight seconds to open your garage.

Testing every possible variation of the coat now semi might be overstating how easy it would be to open the garage because presumably you can't send all the codes back to back.

Otherwise, how does the garage receiver know what constitutes one code?

So you probably have to leave a gap between codes.

Let's say we left a gap between codes that was roughly equal in length to the code itself.

Well, that doubles the time out to 16 seconds.

Okay, Still not great, but I guess that reveals the shortcomings of eight bit codes.

But a lot of garages these days air actually 12 bit.

So if you used a 12 bet code, that would give you 4000 and 96 different codes that you would have to try and again adding and gaps between each code that would take around 4.5 minutes.

But then Sammy found something interesting.

So did you try to add?

I had a data in the beginning and it's still worked.

So essentially, it's like saying, if your password for a B, C D and I just did x a VCD, but it's still opened.

June tried again.

Yeah.

Try putting even more information up front.

You're putting a whole bunch of junk.

The whole bunch of junk.

Yeah, but I still have the right password.

It's in there, but it's pretended with a bunch of junk, right?

Yeah.

So what do you think?

It opens the door to other issues.

So it seems like the receiver is using a shift register, which means it takes in each string of bits.

And instead of considering 18 bit string and then throwing it out, if it's wrong, it just throws out the first bit and then considers the next eight bits.

And this is pretty profound security implications.

I mean, not only does that mean we can throw out all the gaps between our codes that cover all the combinations, it actually means we can merge some of those combinations together because essentially, we can overlap the codes to make sure we have every combination in there.

A sequence like this is called a de Bruin sequence, and that reduces the number of bits you have to send dramatically.

For example, if we were to send all eight bit combinations, that's 256 different codes.

That would be 2000 and 48 bits altogether.

But the de Bruin sequence that covers all the different combinations could be a short as 263 bits.

That's a reduction of almost 90% which means instead of taking eight seconds to open, the garage would take less than one.

Now, what about in the 12 bit case will?

There are 4096 possible codes, which yields 49,152 bits.

You'd have to send if you wanted to try each code individually.

But the de Bruin sequence for 12 bits is only 4107 bits long, so that's just 8% of the total that you would have to send if you wanted to send each code individually and so that reduces the time down from about 4.5 minutes to 10 seconds.

So now we're really looking at the way that you could possibly brute force your way into any fixed code garage or gate using a device like the I Am knee.

It's a toy from his help.

I don't think they make it anymore.

But some hackers out there found that it actually has a pretty cool chip inside called the C C 11 10.

It's a micro controller with the transceiver, and the transceiver is really cool because it actually transmits and receives on a really wide range of frequencies down to around 200 megahertz, upto like 9 50 megahertz.

So you talked to a lot of things, including garages, cars, power meters, alarm systems.

All sorts of things are in those bands, and there's actually some contacts underneath the battery in the back, which allows you to flash the board, erase it and install your own software on this device so you can program in the de Bruin sequence and then use this device to play those bits at the frequency you wanna play and basically open any garage, door or gate you like.

So let's give it a try.

The question is, can you open them?

Sir?

We'll try goes I got one.

Uh, he's got to Now you might be wondering why the third garage door didn't open.

And that's because actually have a different garage door opener, which has the next level up of security instead of using fixed codes, uses what are called rolling codes.

So the way rolling codes work is that both your clicker and the receiver have inside them an algorithm that uses a seed which could just be a number to generate a pseudo random number.

And that is the code that they both used to communicate.

So here I have an online pseudo random number generator I can put in a seed, which, in my case, I'll just keep it very simple, and I can pick whichever our them I want.

Now it's okay if the algorithm gets known, because the thing that is secret between the transmitter and the receiver is that seed.

That's the seed they're using to generate the next pseudo random number in the sequence so I can calculate a random number, and this would be the code used by the clicker and the garage door to communicate if an attacker's sitting outside or they plant a device that's just listening to our F and stores that the code once when you press the button well, they have that code.

But it just got used up.

And now that receiver can say I will note, Never respect that code again.

As you can see, I can continue generating new pseudo random numbers, and if anyone is overhearing this sequence, they won't be able to predict what the next number is.

Even if they knew the algorithm, they would have to know the algorithm and the seed to make this work.

And it's not easy just by looking at these generated numbers to work backwards to the seed.

So you might think this is an unhappy bubble protocol.

But Sami has a solution for that, too.

What I thought was, what if you could actually interfere with that signal?

So what if I put a device on your garage, your car and it looked for something like a sink word, and whenever it saw that there was data coming in, it would jam a frequency close to that.

Your car garage would not be able to hear the actual password, the rolling code that your transmitter sent and I would now record it.

Then you're like, OK, I just press this button in my garage and open.

What do I do?

Probably gonna hit it again.

You get it to two times.

And I have produced two rolling codes.

Well, now that I have to have jammed both, I can replay the 1st 1 and the 1st 1 allows your garage to open.

You're like, Oh, great.

It worked once I hit the button twice.

But now I have a future code.

I have a code that appears to be in the future, and I can then come back later and use that goat.

These devices have no time.

They have no sense of timing.

All they have is that sequence.

So that is a kind of a big issue with rolling codes themselves.

Well, uh, but you know what amazed me about this was how hard it actually is.

Toe hack into these garage doors.

Even the simple eight bit ones not opening.

So we don't have the red code.

I haven't ate bit gate that we tried to hack into, and we failed every time using the I am me 256 possibilities.

How long could it take you to crack this thing?

I think we have booked a workout.

No, Thegame isn't moved.

This was meant to be a video about just how easy it would be to crack a fixed code gate, but it turns out that it's harder than it looks.

I just I just did that, Uh, for a minute, every thought he had it.

Uh, yeah, the gate.

It's hard to get the frequency exactly right.

It's hand.

So and the bit rate and one bit of information for that clicker, which is custom built for that purpose and simply has those dip switches is not one bit of information for a multi purpose device like the Miami There, you have to get the bod rate right.

That is the timing at which you're sending these bits.

You have to get the length of the bits perfectly right.

So it's much more challenging as I found out, hack into these systems than I thought.

Now, if you want to investigate this some more for yourself, you should check out Sami's original videos on these topics.

It's very informative.

And he has links to code that you can use, though not fully workable, code because he doesn't want to, of course, expose a lot of people to security breaches.

So the link to his video is down in the description.