Hacked Child's Toy Opens Your Garage Door in Seconds

Image: Amazon/Mattel

As if you couldn't tell from the fun Samy Kamkar has had hacking Master Lock combinations, he doesn't like being told that something is off-limits. That unstoppable quest for new frontiers has now led Kamkar to your garage door, which he might be able to open with a child's toy before you've finished reading this sentence. Or, in more technical terms, in under 10 seconds. 

"The worst-case scenario is that if someone wants to break into your garage, they can use a device you wouldn't even notice in their pocket," Kamkar told Wired News. "Within seconds, the garage door is open."

Not only can Kamkar -- a Los Angeles-based independent hacker, developer and consultant -- open any garage door that uses a hard-wired, fixed-code password, but his only weapon is the aforementioned children's toy, a discontinued product called the IM-me that was marketed by Mattel to replicate texting on a single-use device for young girls. All it took was some modification from Kamkar for this pocket-sized pink-and-purple gadget to become a homeowner's worst nightmare.

All Samy did to modify the toy was add a cheap antenna and modify the firmware using an open-source tool and associated software. (Since it was first marketed in 2007, the IM-me has become a favorite with tinkerers, who have modified it to become a remote control and a spectrum analyzer, among other things.)

Image: Samy Kamkar

Fixed-code garage-door openers have only a dozen binary lock switches that are permanently set at the factory, meaning there are only 4,096 possible codes that need to be tested in order to gain access. (The combination of merely two alphanumeric characters would provide many more possibilities.)

Kamkar says that with an ordinary garage-door opener, cycling through all the 4,096 combinations would have taken at least 29 minutes. But the hacking tools developed for the IM-me allowed him to get that time down to less than 10 seconds.

As with his previous hacks, Kamkar has revealed this exploit as a project done with no malice in mind, and gives credit to the hardware hackers who came before him. He has also released the source code and materials list for this hack, but has modified the code so that it won't actually work.

In a video, Kamkar expressed that this was done to embarrass garage-door-opener manufacturers, since fixed-code locks have been known to be vulnerable for 30 years, yet are still sold to consumers. (A list of brands and models that Kamkar says are vulnerable is on his website.)

Kamkar notes that "code grabbers," which make it easy for burglars to record and store codes transmitted by homeowners to open their garage doors, have been on the black market for years. Unfortunately, as any suburbanite can tell you, many homeowners leave the doors between their garages and homes permanently unlocked, depending on the garage door to keep out intruders.

If you're interested in replicating Kamkar's feat, you'll have to shell out a bit more for the IM-me than he did. We found two units on eBay being sold at $375.62. The toy originally sold for $64.99, though it was reportedly available for $12 a few years ago, even if one of the discontinued Amazon product pages displays a "Customers Who Bought This Item Also Bought" list of hardware-hacking tools.

Henry T. Casey is a Staff Writer at Tom’s Guide.