oops.... here's why you need to familiarize yourself with how RF devices work, and how to avoid interfering with other things...

[unclejed613]

https://www.dailywire.com/news/46996/people-small-ohio-town-couldnt-open-their-cars-or-ashe-schow

yes, you are allowed to home-build RF devices for testing and learning, but be aware that the RF does NOT stop at your doorstep or property line. i'm thinking the experimenter here was using an ISM band device for his project thinking everything was fine as long as he was using an ISM band. there are power limits under part 15, and this is why. at least it doesn't seem to have attracted the attention of the FCC. there are much higher power limits within the ISM bands for things like wireless phone chargers (i think that's "Part 18"), but the equipment described doesn't fit the definition of "wireless power transmission".

 

[Mickster]

I read some of this saga on AAC and EEVBlog and it seems the person responsible had home-brewed some kinda PIR contraption which was transmitting on 315 MHz?
Did I also read that it was battery-backed?
Local officials were going door-to-door asking that all devices were turned off/disconnected in order to try and pinpoint the source.

 

[unclejed613]

if they had asked for the help of a ham radio operator, they might have found it sooner. there's a "sport" called "foxhunting", the goal of which is finding hidden radio transmitters. most hams know at least some of the basics of foxhunting, even if they don't do it. a directional antenna for 300Mhz is not hard to construct, and a "run of the mill" SDR dongle can tune 30Mhz-2Ghz, and running on a phone or laptop makes an excellent portable setup for foxhunting.

 

[picbits]

This happened near our local opticians - someone had a misbehaving wireless PIR which was causing the local area to be a dead spot for car remote fobs.

 

[unclejed613]

car remotes and garage door openers, etc... are Part 15 devices, and one of the requirements of Part 15 devices is they must "accept" interference from other Part 15 devices. another requirement is that their transmit field strength is below a certain threshold. so, basically what you have with Part 15 devices can generally be described as:
1) use as little field strength as you can for the device to function, and don't exceed the ERP limits
2) if you find out you are interfering with another Part 15 device, try to be a "good neighbor" and minimize the interference
3) if someone else's Part 15 device is interfering with yours, try to find ways (without modifying your transmitter or receiver) to minimize the interference.
3A) if you know who is operating the equipment interfering with yours, and your attempts to reduce the interference have failed, ask them to try to find a way to mitigate the interference
4) very directional antennas can provide a good signal path with interference sources outside the antenna pattern (or, the flip side of this where your neighbor's ISM devices are outside the antenna pattern reducing your interference to his devices). an example of this is the use of "cantennas" between wifi devices.
5) if feasible, try a different ISM band. this isn't as easy as it might sound, as certain devices are made for a particular band. a Bluetooth device for instance only works in the 2.4Ghz ISM band.

 

[Nigel Goodwin]

This happened near our local opticians - someone had a misbehaving wireless PIR which was causing the local area to be a dead spot for car remote fobs.

The boss where I used to work has a villa in Spain, and he parked his car in the centre of a nearby town/city, just across from the Police Station. When he came back to the car it wouldn't start - so he called someone to have a look at it, they came out and didn't even try to start it - they simply towed it about 100 yards, and it then started perfectly. The mechanic said it's a common problem, there are strong RF fields there, it prevents many modern cars starting, and he gets multiple calls per day for the same problem. I presume it prevents the RFID chip in the key been read?, so the immobiliser is still active.

 

[unclejed613]

The boss where I used to work has a villa in Spain, and he parked his car in the centre of a nearby town/city, just across from the Police Station. When he came back to the car it wouldn't start - so he called someone to have a look at it, they came out and didn't even try to start it - they simply towed it about 100 yards, and it then started perfectly. The mechanic said it's a common problem, there are strong RF fields there, it prevents many modern cars starting, and he gets multiple calls per day for the same problem. I presume it prevents the RFID chip in the key been read?, so the immobiliser is still active.

note to self.... get myself a tow truck and a keyfob jammer=BIG BUCKS!!!! just kidding, but i wouldn't put it past a lot of tow companies to try such a thing...

the keyfob and car have a rolling crypto key. if the keyfob sends a request to the car, the car sends an ACK, so the keyfob will use the next random number the next time it's used. if the car doesn't get the request, or the keyfob doesn't get the ACK, the number the keyfob transmits the same number. since the devices use a rolling key, you can't use a simple playback of the fob signal to unlock the car. what people have done successfully, is interfere with the receiver in the car, and grab the fob's transmission. as long as the car never receives the request, the cipher doesn't go to the next key. this makes a replay attack difficult because the car owner will usually use the physical door key when the fob doesn't work. so this replay attack only works if the car owner goes and does something else rather than open the door using the key.

 

[Mickster]

This may be wrong, but I have a different understanding of the remote signals, feel free to correct any misunderstanding.
Pretty sure that I read that the rolling codes are in a block allocation, and there was no mention of the key receiving an ACK....the key just transmits a randomly seeded code from the block, then the next code (which is also randomized using a seed, so it's not sequential) until that block is used up and another block is generated. That's why remote keys can sometimes lose sync, say for instance when a toddler has been given a bunch of keys to play with, to keep them quiet.
And that scenario is what led to Samy Kamkar demonstrating his Rolljam Attack - his lil' box o' tricks jammed the first remote fob signal to the vehicle and grabbed it. The owner pressed the remote again and the Rolljam also grabbed the second signal, but then replayed the first and opened the vehicle. As the transmitter then rolls onto the next code from the block, the box o' tricks still has the second code to transmit sometime later.

Hacking a Car’s Key Fob with a Rolljam Attack

Most cars these days come with a key fob to remotely unlock the doors, pop the trunk, and sometimes even start the engine. For obvious…

blog.hackster.io

 

[unclejed613]

i've seen some DEFCON videos on the subject, but not paid a lot of attention when they were doing attacks on car fobs. even though i do a lot of SDR stuff, i'm really not interested in messing with car locks.