Alarm Homelink, KeeLoq, garage doors, alarms and others - Civinfo
 
post #1 of 6, 9th July 2011, 00:40, notabenem (Thread Starter)

Let me share with you some interesting findings around hopping codes and a big question I could not find an answer to.

My garage door remote key fob almost broke today so I decided I needed a replacement. I soon realized that original replacement fobs are so hell expensive that it's not even funny. They charge 40+ pounds for something that's done in China for $1.5 a piece. I decided that's not going to be the way to go.
And so my research started.
There are some "universal learning" remotes on ebay, but they state they can't learn "rolling codes". So I had to figure out what I have. Little did I know at that time why that would be good or bad to have.
After some hours of research it became clear that my device (Marantec) utilizes a "fixed code" remote protocol. At first I was happy, I thought I could order a cheap replacement from ebay.

However, during the research I also realized that having a fixed-code remote is not exactly secure these days, because those are susceptible to replay attacks - someone "records" your remote's signal, and then replays it when you're away -> your garage door is open. Fixed code remotes are long history in the automotive sector because of easy theft. The new favourites are the "rolling" or "hopping" code systems that should be resistant to replay attacks. The majority of the manufacturers use a solution called KeeLoq.

Anyway, apparently having a rolling-code remote is much better than a fixed code, or so I thought. At least they can't be copied by simple learning key fobs. So I started to think about an upgrade.

BTW: as it turned out, all Marantec devices are fixed code. And guess what? They're HOMELINK compatible.
You surely know, but just for the sake of completeness, HOMELINK is a system that can copy fixed and/or rolling code key fobs and make them available in your car. I became intrigued. How does it copy a rolling code system? I thought it's not possible. I started to delve into the details of KeeLoq:
KeeLoq datasheet

and the attacks:
Defense against KeeLoq attacks

To sum up, it's now possible to retrieve the "master key" from the receiver and once you have it, it's very easy to fake any device from that given manufacturer. This master key is the root of all keys. You must know this key to "learn" or fake a new transmitter.

So I put the facts together:
1. If you want to learn rolling-codes, you must know the master key for that given manufacturer.
2. Homelink can learn all kinds of rolling-codes from all kinds of manufacturers (listed on their website).

=> Does this mean that HOMELINK transceivers contain all the master-keys of all the "compatible manufacturer brands"??? Does this also mean that if we crack a homelink device from an older car, or a Homelink visor, we will have all the master-codes? And if we have them, we can open all the garage doors in Europe with just 2 packets captured? If this assumption is really true then we just gave the thieves our keys willingly.

This seems indeed dire. Imagine, if there was a device that contained all the master keys for automobile manufacturers for KeeLoq...

So... If there's someone knowledgeable in Homelink, please shed some light on how it is able to learn the rolling codes. How is it able to construct the encryption keys without knowing the master keys? And why is it that only HomeLink transceivers can learn rolling codes and other "universal remotes" cannot?
By the way, do you know any alternative algorithms to KeeLoq that would be more secure? Are there encoder keyfobs/decoder modules publicly available? If yes, please post some info/links.
Thanks!

Last edited by notabenem; 9th July 2011 at 01:07.
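
The contrast the first post draws between fixed-code and rolling-code remotes, as an added Python example that is not part of the original thread: it models both receiver types and what each does with a repeated transmission. HMAC-SHA256 stands in for the KeeLoq cipher, and the keys, serial, window size and all names are constructed for illustration.

```python
import hashlib
import hmac
WINDOW = 16  # assumed resync window: how far ahead of the last counter a press may be

def derive_device_key(manufacturer_key: bytes, serial: int) -> bytes:
    # Per-fob key from manufacturer key + serial (HMAC stand-in, not the KeeLoq cipher).
    return hmac.new(manufacturer_key, serial.to_bytes(4, "big"), hashlib.sha256).digest()

def hop_tag(device_key: bytes, counter: int) -> bytes:
    # The "hopping" part of a transmission: it changes with every button press.
    msg = (counter & 0xFFFF).to_bytes(2, "big")
    return hmac.new(device_key, msg, hashlib.sha256).digest()[:4]

class FixedCodeReceiver:
    def __init__(self, code: bytes):
        self.code = code
    def accept(self, packet: bytes) -> bool:
        return hmac.compare_digest(packet, self.code)  # the same bytes always open

class RollingCodeReceiver:
    def __init__(self, manufacturer_key: bytes):
        self.manufacturer_key = manufacturer_key
        self.fobs = {}  # serial -> (device key, last accepted counter)
    def learn(self, serial: int, counter: int) -> None:
        self.fobs[serial] = (derive_device_key(self.manufacturer_key, serial), counter)
    def accept(self, packet: tuple) -> bool:
        serial, tag = packet
        if serial not in self.fobs:
            return False
        key, last = self.fobs[serial]
        for counter in range(last + 1, last + 1 + WINDOW):  # only counters ahead of ours
            if hmac.compare_digest(tag, hop_tag(key, counter)):
                self.fobs[serial] = (key, counter & 0xFFFF)  # earlier codes are now dead
                return True
        return False

def demo() -> dict:
    fixed = FixedCodeReceiver(b"\x5a\xa5\x3c")  # constructed fixed code
    rx = RollingCodeReceiver(b"constructed-manufacturer-key")
    serial = 0x1234567  # constructed fob serial
    rx.learn(serial, 100)
    fob_key = derive_device_key(rx.manufacturer_key, serial)
    press = (serial, hop_tag(fob_key, 101))  # one transmission, as heard on air
    return {
        "fixed_replay": fixed.accept(b"\x5a\xa5\x3c") and fixed.accept(b"\x5a\xa5\x3c"),
        "rolling_first": rx.accept(press),
        "rolling_replay": rx.accept(press),
        "skipped_ahead": rx.accept((serial, hop_tag(fob_key, 105))),
        "beyond_window": rx.accept((serial, hop_tag(fob_key, 105 + WINDOW + 1))),
    }
```

The receiver's replay resistance rests on the stored counter, while the secrecy of every fob's key rests on the one manufacturer key held in the receiver, which is the dependency the post's question turns on.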

post #2 of 6, 9th July 2011, 01:35, dablink (Unofficial Trader)
emmmm......Me think posting any information about stuffs like this online could give "criminals" and "car thieves" all they need as soon as they start a search on google......

cheers
M

post #3 of 6, 9th July 2011, 06:43, Kremmen (Administrator)
I'm always suspicious of first posts like this with embedded links, almost an advertising feature.

The only way my garage remotes get programmed is when I press a button on the unit to accept the new 'fob' so cannot be done without access to the garage.

post #4 of 6, 9th July 2011, 10:47, atomic
Any car thief that will break into your house to get the car keys won't think twice about putting a crowbar/wrecking-bar to work on the garage.

post #5 of 6, 9th July 2011, 12:16, notabenem (Thread Starter)
Quote:
Originally Posted by dablink
Me think posting any information about stuffs like this online could give "bad guys" all they need as soon as they start a search on google.
It was exactly Google where I got this information from, so it's publicly available. What's (probably) genuine are my conclusions on how to possibly misuse a homelink device, but I bet there are a lot of smarter guys out there than me, and they thought of it already (and keep their mouths shut so as not to spoil their advantage of knowledge).
My point is that this may be again the infamous case of "security by obscurity" - you believe it's safe, but it's safe only because you (and the general public) don't know how it works. There'll always be people "in the know" and they can certainly misuse such information.
Again, all this IF my hypothesis ('Homelink contains master keys') is correct.

Quote:
Originally Posted by Kremmen
I'm always suspicious of first posts like this
Sorry, was not my intention, but somehow I wanted to provide citations to support my statements.

Quote:
Originally Posted by Kremmen
The only way my garage remotes get programmed is when I press a button on the unit to accept the new 'fob' so cannot be done without access to the garage.
This is not correct according to the published attack methods. Homelink plays nice not duplicating the serial number of your device, but an attacker using those master keys certainly can (together with the counter), and at that moment your garage door would not know the difference.

Quote:
Originally Posted by atomic
Any car thief that will break into your house to get the car keys won't think twice about putting a crowbar/wrecking-bar to work on the garage.
I am actually not speaking about car thieves only. The point is, IF they have your manufacturer's master key, they don't need a crowbar at all. Using the published attack methods they can open your garage door with only 2 packets sniffed from YOU closing your garage with your remote, then get inside without any signs of intrusion and get the booty from your home (assuming your garage leads into your house). You'll have quite a difficult time explaining to the insurance company how that happened.
So back to the original point, if Homelink contains the information I assume it does, it is a serious security threat to anyone who uses an RF remote to close their garage, or arm/disarm their house alarm system.

Last edited by notabenem; 9th July 2011 at 12:21.

post #6 of 6, 21st October 2011, 12:54, notabenem (Thread Starter)
So it's now real. The key on this page is for an Audi A6. With a custom antenna I bet they could copy from a couple of meters away.
Rolling code HCS200 RF Remote control duplicator

PS: While some believe such information must be kept secret, I (and a lot of other crypto-pros) think publishing flaws is the best way to force manufacturers to step up the level of security they implement and (sometimes falsely) claim.