by Unknown
The second generation of remote (wireless) garage door openers had
a shared frequency problem, so multicode systems were developed which
required the operator to preset a digital code by switching 8–12 DIP switches on the receiver and transmitter. While these switches provided garage door systems with 28 = 256 to 212 = 4096 different codes, they were not designed with high security in mind. The intention was to avoid interference with similar nearby systems. Criminals were able to defeat the security of this system by trying different codes on a transmitter. They could also make code grabbers to record and retransmit a signal or use code scanners that would try every possible combination in a short time. Multicode openers became unpopular in areas where security was an issue, but due to their ease of programming, such openers are often still used to operate gates in gated apartment complexes and similar environments.
The third generation of garage door opener uses a frequency spectrum
range between 100 and 400 MHz, and most of the transmitters/receivers rely on hopping or rolling code technology to prevent burglars from recording a code and replaying it to open a garage door. Because the signal is supposed to be significantly different from that of any other garage door remote control, manufacturers claim it is impossible for someone other than the owner of the remote to open the garage. When the transmitter sends a code, it generates a new code using an encoder. The receiver, after receiving a correct code, uses the same encoder with the same original seed to generate a new code that it will accept in the future.
Because there is a high probability that someone might accidental y push the open button while not in range and desynchronize the code, the receiver generates look-a-head codes ahead of time. Rol ing code is the same method of security used on the car remotes and with some Internet protocols for secure sites.
The fourth generation of garage door openers is similar to third genera-
tion, but is limited to the 315 MHz frequency. The 315 MHz frequency range avoids interference from the land mobile radio service (LMRS) used by the U.S. military. (Some sources report that ELSIMA units use 27.145 MHz narrow band FM, but this information is vague and uncorroborated.) (See Table 5.1.) Many of garage door opener remote controls that use fixed-code encoding use DIP switches or soldering to do the address pins coding process and
Forced Entry into Buildings
91
Table 5.1 Garage Door Remote Opener Frequencies
Color of Programming
Button (on Chamberlain
Dates
System
Manufactured Units)
1984–2004
8–12 DIP switch on 300–400 MHz
White, gray, or yellow button
with red LED
1993–1997
Billion code on 390 MHz
Green button and green or
red LED
1997–present
Security+ (rolling code) on 390 MHz
Orange or red button with
amber LED
2005–present
Security+ (rolling code) on 315 MHz
Purple button with amber
LED
2011–present
Security+ 2.0 (rolling code) on 310,
Yellow button with amber
315, and 390 MHz
LED and yellow antenna
wires
they usually use pt2262/pt2272 or compatible ICs. These fixed-code garage door opener remotes can be cloned using a self-learning remote control
duplicator (copy remote), which can make a copy of the remote using face-
to-face copying. Cloning garage door remotes involves three key points: 1. The operating frequencies of both the copy remote and the original remote must be the same.
2. Only fixed-code models can be cloned; rol ing-code models, which is also used on car remotes, is not supported.
3. The code of the copy remote must be cleared before the cloning procedure.
How to Change the Frequency for a Garage
Door Opener (Instructions)
Genie Openers
1. Look for a small black button behind the lens light of the head receiver on the door opener, near the antenna. Press and hold this
button until the light stops blinking.
2. Point the door opener remote toward the head receiver (2 feet or
closer) and press the Learn Code button three times, then Pause.
3. Press the remote button once to test the new code.
Chamberlain, Sears, or LifeMaster Openers
1. Find a button labeled Smart or Learn on the motor unit of the door opener. Press it and then release it.
2. Press and hold the Learn button on the door opener remote within 30 seconds.
92
Advanced Criminal Investigations and Intelligence Operations
3. Release the Learn button when the motor unit light blinks or clicks twice, then Pause.
4. Press the remote button once to test the new code.
Garage door companies have created rolling code technology for better security. With this technology, the remote doesn’t rely on a frequency only: A new code is generated every time you press the remote. To change the frequency and rolling code digits, look for a button on your remote labeled Learn or Learn Code. You may also need to access the motor head unit of the opener itself.
Levels of Security
Security against forced entry (burglary) follows three models: (1) The Five Ds (deter, detect, delay, deny, and destroy), (2) lines of defense (target hardening), and (3) internal and external threat identification (see Figure 5.11 and Table 5.2). Barriers, access control, lighting, alarms, surveillance cameras and monitors, etc. are all a part of denying access to a premises or structure.
Three models of physical security
Property perimeter
The dynamic D’s
Structure perimeter
Anti-ram
Deter
Barrier
Asset
Bollards
Detect
and
Planters
Delay
Lines of defense
Deny
Onion philosophy
Destroy (remove the threat)
( layers)
Lines of defense
Internal/external threat identification
Figure 5.11 Three models of physical security.
Table 5.2 In-Car Camera Microphone Frequencies
MHz frequency range
2404.8–2475.0 MHz
GHz frequency range
2.4048–2.4750 GHz
Physical range
Approximately 1200 feet (line-of-sight)
Safes, Combinations,
and Automobile Locks
6
Two common methods for opening safes are (1) by forced entry, such as
drilling a hole through the door above the fence to examine and align the tumbler positions, and (2) by manipulation. The first method is not stealthy at all and leaves clear indication of entry (or attempted entry). The second method is more covert and leaves little or no trace. Safes are not the only artifacts that use combination locks. Luggage (such as brief cases or attaché cases), padlocks, furniture, and a variety of items use combination locks.
Forced Entry
The rip job or peel job is sometimes used for lightly constructed safes. A hole is drilled in the upper left corner of the front plate, which is usually riveted to the casing door. A long jimmy is inserted in the hole, and the tip of the plate is pried away from the casing. Once the plate is ripped or peeled away from the casing, the bolts are accessible and can be opened.
The punch job can be used on older insulated safes. The dial and ring are cut or chiseled off. A punch, smaller than the spindle, is driven through the door to punch out the spindle by driving the curb and tumblers from their seat in the lock case. Once the tumblers are removed, the fence drops to the unlocked position, and the safe can b
e opened. Newer and more expensive
safes are designed to defend against this type of attack.
The can opening method involves turning the safe upside down and drilling a hole through the bottom. A 5 foot steel tool, resembling a big can opener, is inserted and used to cut out the light sheet metal bottom of the safe.
The torch job requires knowledge of the construction of the target safe.
An oxyacetylene torch is used by the burner on burglarproof safes, but requires a great deal of skill and the equipment required is not easily con-cealable or conducive to covert action. Some burglars use this method.
Use of explosives is probably the most extreme and least covert method of attacking safes or vaults. In most cases, it should be considered a last resort and resorted to only by someone fully qualified to handle explosives.
Extreme caution is required. One technique is to drill a hole above the dial and insert a glove finger (or similar delivery device) containing dynamite or nitroglycerine. When detonated, the lock mechanism is destroyed.
93
94
Advanced Criminal Investigations and Intelligence Operations
An antiburglar device is often used in safes to deter this method. A dynamite trigger is sometimes installed to jam the door by deadlocking the door when the lock is destroyed. This is only one drawback of this method. The danger and skill required are not the least of the other drawbacks. Again, stealth is not a characteristic commonly associated with this method. Explosives, particularly nitro, can also be used to fill the seams and blow the door off of the safe. The drawbacks are still pretty much the same.
Manipulation
Manipulation is the method of opening a combination lock using sight,
sound, and touch and without the combination number. Sometimes, this is
aided by a stethoscope or an electronic listening device (Figure 6.1). As with the lock-pick practice exercises, a combination lock should be set up for practice by mounting it on a stand of some type. First, it is important to know how a safe combination lock operates. The driving mechanism of a combination lock is made up of the dial, the spindle, and the driving cam.
To practice manipulation, begin with the cover plate removed from
your practice lock. Pull the spline key out and unscrew the drive cam
Figure 6.1 Electronic stethoscopes.
Safes, Combinations, and Automobile Locks
95
from the spindle. Pull the dial and spindle assembly out and set it aside for now.
Remove the tube nuts and dial ring. Mark the removed tube and cut off 1/16 inch past the tube nut and file the cut end smooth, then mount the lock on your stand.
Mount the dial ring with the remaining tube nut. Reinstall the dial and spindle in the tube, screw on the drive cam, and measure the length of the spindle that protrudes past the drive cam and cut it off (Anonymous, 1978, pp. 5–6).
As the dial is turned, the driving cam moves in the same direction as it is keyed to the spindle. Once the cam sets the last tumbler in place, the dial is rotated slowly to the left until the gate of the cam reaches the same position as the gates of the tumblers. Continued movement of the dial to the left draws the fence down and moves the bolt to the open position. Turning the door handle releases the bolts and opens the safe.
When turning the dial one complete turn, the drive cam contacts the third wheel and it starts turning. Another complete turn causes the third wheel to contact the second wheel and it starts turning. On the third complete turn, the second wheel contacts the first wheel and all three wheels, the drive cam, and the dial all turn as one unit.
Looking at only the dial, turn it (at least) four times to the right and stop on 0 (zero). Next, turn back to the left to 90 and then turn quickly past 0.
As you pass 0, you should hear and feel the drive cam as it contacts the third wheel. Continue to the left to 90 and then turn quickly past 0 (again). You should feel the third wheel contacts the second wheel. Repeat this once again, and you should feel the second wheel contacts the first wheel. If you repeat this procedure a fourth time, you should not feel or hear anything as the dial passes 0 if the lock is a three-wheel lock. Repeating these steps of passing 0 until no more wheels are detected is important because it reveals how many wheels the lock has.
Once you feel competent with this, replace the cover plate on the lock
and reset the combination (or have someone else do so), following the changing instructions given here or that come with your lock. Using graph paper, you can now chart a graph of each number in the combination. Note that the drive cam can be keyed to the spindle in four different positions (each 90°
apart on the dial) and the dial may read one of the four different numbers.
• Turn the dial left at least four times, until all the wheels are turning, and stop at 0.
• Turn to the right to the contact point and record the dial reading.
• Turn back to the left, past 0, and stop at 2½.
• Turn to the right to the contact point and record that reading.
• Turn left again, past 2½, and stop at 5.
• Turn right to the contact point and record that reading.
• Repeat this until you move the wheels to the left and record contact
points every 2½ numbers.
96
Advanced Criminal Investigations and Intelligence Operations
When you pass the contact point you will have only a short distance to turn right for a contact point reading (Anonymous, 1978, p. 25).
The next step is to make a magnifying graph to get more precise in each particular area. To find which wheel is indicating, use this process of elimination:
• Turn the dial left at least four times, stopping at your first reading (from your first graph).
• Turn right one turn, picking up the third wheel at your reading and
past about 10 numbers.
• Turn left to the contact point and take a reading.
• Repeat this process after picking up the third wheel, turning one
more revolution to the right to pick up the second wheel.
• Turn back left to the contact point and take a reading. (A high read-
ing would indicate that the second wheel is indicating and a low
reading would indicate that the first wheel is.)
• Make another graph to plot the readings of the first and second
wheels (Anonymous, 1978, p. 26).
With the third wheel now set to the combination number determined with the graph, read the first and second wheels every 2½ numbers.
• Turn right (at least) four times and stop at 0 (zero).
• Turn left one turn, picking up the third wheel at 0 and stop at the
previously recorded reading.
• Turn right to the contact point and record the reading of the second
number.
• Repeat this process until you complete a graph of every 2½ numbers
around the dial.
Do another magnifying graph of this area for the second number (if the reading is low, wheel one is indicating; if the reading is high, wheel two is indicating).
• Turn the dial (at least) four times to the left, stopping at the previously recorded reading.
• Turn the dial one turn right, picking up the third wheel, and continue right one more turn to pick up the second wheel at the previously recorded number.
• Wheel two is carried past that point approximately 10 numbers
(lower).
• Turn left one turn to pick up the third wheel (at that lower number) and continue to the number determined for wheel three.
Safes, Combinations, and Automobile Locks
97
• Turn right to the contact point and take a dial reading (determining
the second combination number) (Anonymous, 1978, pp. 29, 31).
Now that the third and second numbers are known, the first number ca
n
now be determined by trying every 2½ numbers, using the known numbers
for the second and third numbers.
• Turn the dial (at least) four times to the left, stopping at 0.
• Turn right past the third known number two turns and stop on the
third known number the third time.
• Turn left past second known number and stop on that number the
next time.
• Turn back right to the drop-in position and quickly turn the dial
between the two contact points. (In cases where the combination is
close, but not exact, this may work the fence into the gates.)
• Repeat this process, setting the number on 2½.
• Continue dialing this combination, but advancing the first number
2½ numbers each time until the lock opens (Anonymous, 1978, p. 31).
Manipulation resistant locks (usually called manipulation proof by manufacturers) may be indicated by the addition of a pointer knob in the cen-
ter of the dial. The manufacturer has tightened up the tolerances and added mechanical features that (1) prevent the reading of contact points and/or (2) provide false sound or feel readings. Such measures make it more difficult to manipulate these locks and make the process much longer. This is a part of the process of target hardening. While it may not be impossible to defeat, the security measures make the process more difficult and time-consuming, thus increasing the chances of failure and detection.
In such locks, the drive cam is often altered by making it a two-piece moving part (the inner and outer slide) with a spring. These slides are actu-ated by a shaft extending through the center of the spindle to a small pointed knob in the center of the dial knob. The lock is normally opened using the combination and turning the dial to 0, the drop-in position, and turning
the pointed knob to the right. The inner slide is withdrawn and exposes the drop-in opening in the drive cam. The fence drops into the gates and allows the lever nose to engage the drive cam. Turning the dial CLOCKWISE withdraws the bolt (Anonymous, 1978, p. 34).
The lock has all the features for contact point reading, but they are