
BUILDING SECURITY IN

Editor: Jonathan Margulies, jonathan@qmulos.com

Garage Door Openers: An Internet of Things Case Study
Jonathan Margulies | Qmulos

IEEE Security & Privacy, July/August 2015 | Copublished by the IEEE Computer and Reliability Societies | 1540-7993/15/$31.00 © 2015 IEEE

Early last year, my garage door opener’s motor died. While researching potential replacement units, I focused on Chamberlain’s products because they had a reputation for high quality. Once I settled on a model, I noticed another option: for a little more money, Chamberlain would include the MyQ Internet Gateway, its new system for monitoring and controlling the opener via the Internet. Curiosity got the best of me, so I went for it.

After installing the opener, the MyQ languished in my closet for months. I loved the idea of getting an alert if I left my garage door open—I can’t count the number of times I’ve turned around five minutes after leaving the house to double-check that it was closed—but I felt sure there would be a security flaw in the MyQ that would make me worse off. The emergence of the Internet of Things (IoT) has turned trusted, long-standing companies into unwitting network attack vectors.[1]

But the MyQ is different from—and more impactful than—other IoT devices: it controls access to my house. That got me thinking: What if I wanted to solve this problem from the ground up? How would I design an Internet-connected garage door opener (“IoT opener”) to be adequately secure? Is it possible?

The Ground Rules

First, I define “adequately secure” to mean no less secure than the traditional rolling-code garage door opener. Because that’s the system the MyQ is replacing, it seems like the right standard.

Second, due to space constraints, I focus only on design. The usual implementation caveats—for example, the need for well-written code and correct use of encryption libraries—still apply, but I won’t address them in detail.

Third, I assume the same basic set of features the MyQ offers: a user can open or close a garage door via the Internet from a smartphone or computer and receive emails or push notifications when the door’s status changes.

Standard Garage Door Openers

If the standard is the security of rolling-code openers, we first need to understand how those openers work.

The most popular rolling-code implementation is a product called KeeLoq, a lightweight block cipher that generates codes based on a cryptographic key and a counter (www.webcitation.org/6ZZYZpH2n). When a user syncs a remote control with a garage door opener, the remote control begins to generate the same codes, in the same order, as that opener. Thereafter, when a user pushes the “open” button, the remote control increments its counter, generates a new code, and broadcasts that code wirelessly. When the opener receives a code, it checks the code against the next 256 codes in its queue. (Checking against so many possible codes helps ensure that the remote control and the opener don’t lose sync when a user presses the button outside the opener’s receiving range.) If the code is a match, the opener increments its counter to just above the matching code and opens the door. In addition to using remote controls, some users mount keypads in front of their garages that similarly sync with the openers; these keypads broadcast a code when a user correctly enters a numeric password.

The simplest way for attackers to open a rolling-code garage door opener is to sync it to a new remote control. Replacement remote controls are available at just about any hardware store, and syncing them requires only a few minutes alone in the garage. A similarly easy option is to go after the keypad by spying on the user, or deduce or brute-force the code. A third option is a physical attack. Most openers include an emergency release rope just inside the door. If an attacker can slip a wire hanger above the door and latch onto that rope, a skilled tug can unlock the door. The final option for attacking traditional openers is to go after the rolling-code mechanism itself. Over the past decade, several researchers have developed methods to derive a KeeLoq key given access to a working, synced remote control.[2–4] A simpler but less effective approach is to sniff a code over the air from a remote control by pushing the “open” button outside the opener’s range, and then using that code before the owner comes home (at which point, that code will expire).

All these attacks require close proximity to either the garage or the remote control and are sufficiently difficult that virtually all intruders prefer to break a window, force a door open, or pick a lock. But where are those intruders? Why aren’t they taking advantage of the universally weak security of modern suburban homes? As podcaster Roman Mars eloquently observed, “locks have become a social construct as much as they are a mechanical construct” (http://99percentinvisible.org/episode/perfect-security). Garage door openers only need to be secure enough to let passersby know we don’t want them to come in.

Openers and the Internet of Things

Exposing garage door openers to the Internet might make them such easy targets as to pose a real risk. What if an attacker could indiscriminately send open commands to any opener? What if every time an email account is hacked, the hacker is given a clear path to find the user’s home address and credentials to open that user’s garage? What if an attacker managed to download a whole database of user credentials for IoT openers? Any of these possibilities would make home intrusions so easy as to be inevitable. We’re starting to see this evolution with cars that use Bluetooth keys; it’s become so easy and cheap to break into some of them that insurers have started demanding additional security measures.[5]

But before I can delve deeper into how those types of attacks might happen on IoT openers, I must first address a key architectural question: Will the opener authenticate and authorize the user, or will a cloud service do so on the opener’s behalf? When I bought the MyQ, I hoped it would be the former, as I had grand plans for putting the opener on its own private virtual LAN and having my wife use a virtual private network to reach it, because who would trust a garage door opener company with network access control? But I was naive.

The IoT industry has clearly decided that having a central service act as a clearinghouse for authentication, authorization, and commands is a must, and it’s easy to see why: it frees them from having to worry about configuring home routers, setting up dynamic DNS for when customers’ IP addresses change, or having access to all of a user’s relevant data when those inevitable tech support calls come in. The problem is that the cloud service opens another attack surface, and a big one: instead of having to hack a single IoT opener at a time, attackers can try to hack them all through the cloud service. It’s a single point of failure for authentication, integrity, and availability. Indeed, MyQ experienced an unplanned four-hour disruption in late April that affected all users, and I doubt it will be the last.

Cloud Service Authentication

Using a cloud service as a central hub isn’t the security decision I would have made, but it seems like such a foregone conclusion that I’ll treat it as an assumption for the remainder of this article. Authentication at both the cloud service and the opener is of paramount concern. The obvious way for the cloud service to authenticate to the opener is with a certificate, but what happens when attackers compromise the private key behind that certificate? This could allow attackers to send arbitrary commands to any opener, or something much worse: if the certificate can be used to force over-the-air software updates, attackers could gain control of the whole system. For this reason, software updates should be user initiated and openers should regularly check for certificate revocation.

Authentication at the cloud service is more complicated. Perhaps the worst-case scenario is when attackers download the password database, as in the famous attacks on Sony’s PlayStation Network (www.cnet.com/news/playstation-network-still-offline-after-suspected-attack) and LinkedIn (http://money.cnn.com/2012/06/06/technology/linkedin-password-hack). If the passwords aren’t sufficiently complex to stymie brute-force attacks or aren’t encoded by an adequate key derivation function (such as bcrypt), user account takeover becomes trivial.

What about password reset, the issue behind attacks on countless celebrities’ email and Apple iCloud accounts? Google recently published research suggesting that security questions are insufficient to protect accounts.[6] As of this writing, MyQ uses email for password reset, which, in this case, seems like a terrible idea: any time attackers hijack an email account, they can search for emails containing the term “MyQ” to determine whether the user has a MyQ account, and then search for shipping information to determine the user’s home address. Ironically, just about the only personal information the MyQ website asked for was my home address, which is the information they should least want to have on file. This combination of information allows attackers to build databases of locations of vulnerable openers.

An opener is actually an interesting case from a password reset perspective in that it has an unusual security feature: it never moves. That means a user can’t lose it, and it would therefore be reasonable for Chamberlain to require users to electronically prove they have possession of it (for example, the opener could display a code that rolls every few seconds). Such a feature would also help new homebuyers prove transfer of opener ownership.

Sidebar: Chamberlain Statement

The following statement was sent to the author on 12 June 2015:

Chamberlain built its MyQ technology—as we have all of our products for more than 40 years—on a foundation of safety and security. We have an aggressive product roadmap that includes continuous security updates, including the feature recommendations noted in the IEEE [Security & Privacy] story.

Specifically, Chamberlain will upgrade password requirements in the second half of this year [2015], and is looking at the best ways to implement two-factor authentication based on our user needs and their usage scenarios. We also plan to introduce multi-user access so that account administration details and log-in credentials are secure to only one account owner, while allowing garage door access to other users. This will include assigning different levels of permissions based on user access level, times of day, days of week, etc.

In addition to the specific updates noted above, we combine our own team’s expertise in security technologies with reputable third-party security firms to audit our systems on an ongoing basis. Our continuous security updates and processes include using industry standard encryption, applying the latest security techniques, and periodic security testing with respected outside services. We also recommend IoT technology leaders continuously advise their customers on how to maximize the security of their home Wi-Fi network, which are critical gateways to device security for consumers. Chamberlain’s brand and reputation are built on a heritage of delivering safe and secure products to consumers; we take the safety and security of the smart home very seriously.

Potential Security Improvements

The other side of this discussion is the security improvements networked openers might offer. One improvement is two-factor authentication (2FA). Many of the problems outlined in this article can be mitigated by 2FA and, in a system that’s already so reliant on smartphones, users are already carrying the obvious second factor in their pockets.

A second improvement is policy-based access control. This can be useful in several ways:

■ allowing multiple user accounts to control the door, but only one to administer it;
■ allowing administration from specific devices only;
■ restricting certain accounts (such as caregiver or contractor) to operating the door only during business hours; and
■ creating time-limited guest accounts.

These policies could be easy to administer through a Web interface.
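The four policies listed above can be expressed as one deny-by-default authorization check. The following is an added example, not part of the original article and not Chamberlain's code; the account names, device identifiers, role names and the 09:00 to 17:00 weekday definition of "business hours" are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

ADMIN_DEVICES = {"owner-phone"}  # constructed: devices enrolled for administration
@dataclass
class Account:
    name: str
    role: str  # "admin", "member", "restricted" or "guest"
    hours: Optional[tuple] = None  # (start, end) allowed on weekdays
    expires: Optional[datetime] = None  # required for guests

def authorize(acct: Account, action: str, device: str, now: datetime) -> bool:
    """Deny by default; each rule mirrors one policy from the list."""
    if acct.role == "guest" and acct.expires is None:
        return False  # a guest account must carry an expiry
    if acct.expires is not None and now >= acct.expires:
        return False  # time-limited account has lapsed
    if action == "administer":  # one administrator, enrolled devices only
        return acct.role == "admin" and device in ADMIN_DEVICES
    if action in ("open", "close"):
        if acct.hours is not None:
            start, end = acct.hours
            if now.weekday() >= 5 or not (start <= now.time() < end):
                return False  # outside the account's permitted hours
        return acct.role in ("admin", "member", "restricted", "guest")
    return False  # unknown action

# Constructed accounts; 09:00-17:00 on weekdays is an assumed "business hours".
OWNER = Account("owner", "admin")
SPOUSE = Account("spouse", "member")
CONTRACTOR = Account("contractor", "restricted", hours=(time(9), time(17)))
GUEST = Account("guest", "guest", expires=datetime(2015, 7, 2))

def demo() -> dict:
    wed_10 = datetime(2015, 7, 1, 10, 0)  # Wednesday morning
    wed_22 = datetime(2015, 7, 1, 22, 0)  # Wednesday night
    sat_10 = datetime(2015, 7, 4, 10, 0)  # Saturday
    return {
        "owner_admin_phone": authorize(OWNER, "administer", "owner-phone", wed_10),
        "owner_admin_laptop": authorize(OWNER, "administer", "laptop", wed_10),
        "spouse_admin": authorize(SPOUSE, "administer", "owner-phone", wed_10),
        "spouse_open": authorize(SPOUSE, "open", "spouse-phone", wed_22),
        "contractor_day": authorize(CONTRACTOR, "open", "c-phone", wed_10),
        "contractor_night": authorize(CONTRACTOR, "open", "c-phone", wed_22),
        "contractor_weekend": authorize(CONTRACTOR, "open", "c-phone", sat_10),
        "guest_valid": authorize(GUEST, "open", "g-phone", wed_10),
        "guest_expired": authorize(GUEST, "open", "g-phone", sat_10),
    }
```

Each denied decision here is also an event worth logging, since a burst of denials for one account is a cheap signal of a stolen or misused credential.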
A third improvement is a more granular alerting system. I’d be much more interested in knowing that a new user or remote control was given access to my opener, or that the door opened in the middle of the night, than in knowing that my wife opened the door at 5 pm.

Convenience will continue to drive companies that lack information security expertise to build IoT devices, and consumers to buy them. Ideally, this new IoT world would be built on a few competing platforms by people who understand and can address the security risks—Apple, Google, and Facebook have all recently launched the beginnings of IoT platforms—rather than inexperienced companies rolling their own authentication, authorization, and communication code. Although the risks and functions change from one IoT device to another, they all need the same basic security infrastructure: a way for users to authenticate, two-way mapping between users and devices, access policy creation and enforcement, logging and alerting capability, and secure communication. These problems are largely solved; they just need to be made easy for IoT developers to use. When that happens, and the right security features are in place, I think IoT openers could become difficult enough to attack that no one would bother with them, just like the openers most of us have today. In the meantime, my MyQ is going back in the closet.

Author’s Note

I contacted Chamberlain after writing this article, and a representative responded with an outline of plans for addressing some of the concerns in this article. See the sidebar for the response.

References

1. J. Fontana, “Belkin Patches Vulnerabilities in WeMo Devices,” ZDNet, 19 Feb. 2014; www.zdnet.com/article/belkin-patches-vulnerabilities-in-wemo-devices.
2. S. Indesteege et al., “A Practical Attack on KeeLoq,” Proc. 27th Ann. Int’l Conf. Theory and Applications of Cryptographic Techniques (EUROCRYPT 08), 2008, pp. 1–18.
3. A. Bogdanov, “Cryptanalysis of the KeeLoq Block Cipher,” Cryptology ePrint Archive, report 2007/55; https://eprint.iacr.org/2007/055.pdf.
4. I. Sheetrit and A. Wool, “Cryptanalysis of KeeLoq Code-Hopping Using a Single FPGA,” Cryptology ePrint Archive, report 2011/242; https://eprint.iacr.org/2011/242.pdf.
5. H. Osborne, “Thieves Target Luxury Range Rovers with Keyless Locking Systems,” Guardian, 27 Oct. 2014; www.theguardian.com/money/2014/oct/27/thieves-range-rover-keyless-locking.
6. J. Bonneau et al., “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google,” Google Research Archive, report 43783; http://research.google.com/pubs/pub43783.html.

Jonathan Margulies is the chief technology officer at Qmulos. Contact him at jonathan@qmulos.com or follow him on Twitter @unsaltedhash.
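The receiver-side check described under “Standard Garage Door Openers” (codes derived from a key and a counter, a 256-code lookahead, and the counter moved past the match) can be modelled in a few lines. This is an added example, not part of the original article: HMAC-SHA256 truncated to 32 bits stands in for the KeeLoq cipher, and the key, class names and function names are constructed for illustration.

```python
import hashlib
import hmac

WINDOW = 256  # the opener checks the next 256 codes, as the article describes

def code_for(key: bytes, counter: int) -> bytes:
    """Code for one counter value. HMAC-SHA256 is a stand-in, NOT KeeLoq."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return mac[:4]  # 32-bit code

class Remote:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1  # increment first, then broadcast the new code
        return code_for(self.key, self.counter)

class Opener:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def receive(self, code: bytes) -> bool:
        # Only counters ahead of the stored one are tried, so a code at or
        # below it (already used, or skipped over) can never match again.
        for ahead in range(1, WINDOW + 1):
            expected = code_for(self.key, self.counter + ahead)
            if hmac.compare_digest(expected, code):
                self.counter += ahead  # advance past everything up to the match
                return True
        return False

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample key shared at sync time
    remote, opener = Remote(key), Opener(key)
    out = {"normal": opener.receive(remote.press())}
    unheard = remote.press()  # pressed outside the opener's receiving range
    for _ in range(10):
        remote.press()  # more presses the opener never hears
    out["resync"] = opener.receive(remote.press())  # 12 ahead: inside window
    out["stale"] = opener.receive(unheard)  # behind the counter now: rejected
    for _ in range(WINDOW):
        remote.press()
    out["too_far"] = opener.receive(remote.press())  # 257 ahead: out of sync
    out["counter"] = opener.counter
    return out

if __name__ == "__main__":
    print(demo())
```

The `stale` result is the expiry the article mentions: once the owner's next in-range press moves the counter forward, every earlier code is dead, while the `too_far` result shows the cost of the window, a remote pressed more than 256 times out of range must be re-synced.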
