Unintentional DOS Attack against Car-Door Openers

Radio noise from a nearby neon-sign transformer made it impossible for people to unlock their cars remotely.

Posted on August 19, 2016 at 1:32 PM • 40 Comments

Comments

Tatütata • August 19, 2016 2:06 PM

Here we go with the ARRL trying to sound important.

That neon sign must have interfered with TV as well.

If the FCC considers interference on 315 and 433 MHz as "not my department", then someone would probably like to perform an experiment and do a high-power transmission.

There is without doubt an awful lot of door openers all over the place that are based on simple data encoders such as the (formerly) Motorola MC145030. This chip offers a whopping capacity of 512 different codes. (A friend asked me to fix his remote sometime in the last decade. I was depressed to find that IC in the housing, and to see that the DIP switches in the remote control were set to something like "000000000" or "111111111". There must have been 50+ different tenants in that building.)

I wonder how many garages would open with a transmission from a well chosen site.

WS • August 19, 2016 2:26 PM

For RF/security interested people in Seattle, check out the 7000 block of California Ave SW, Seattle in West Seattle. Lots of remote car door openers don't work well there either. Discussions on the local neighborhood blogs think it is some RF emitter used by the dog daycare on that block that prevents dogs from barking too much.

albert • August 19, 2016 2:48 PM

@Tatütata,

The FCC has regulations for neon sign transformers, as they are high-voltage items (6-10kV, as I recall). High voltage discharges can produce broadband interference, which will fall under a range of regulated frequencies*. The correct way to assess the problem is with an RF spectrum analyzer. The transformer itself may be legal, but the sign itself may not be. For example, any arcing in the output circuit could cause the problem described. Dollars to donuts that the problem isn't the transformer.

The FCC obviously doesn't want to deal with this sort of thing. Automakers aren't responsible for RF interference. Someone needs to hold the FCC's feet to the fire.

What ever happened to the days when Hams helped folks fix problems like this for free?
-------------
*The range of frequencies covered by the FCC is 9kHz to 275GHz (see https://transition.fcc.gov/oet/spectrum/table/fcctable.pdf ). And read all the notes :)
. .. . .. --- ....

The places you go • August 19, 2016 2:50 PM

The troublesome transformer was not replaced, but the building owner agreed to turn off the sign should problems arise.

o.O

Because every visitor who parks there is going to know that the reason they can't get into their car is because of a non-compliant power supply, am I right?

It is a dumb solution. The police themselves might not have a legal remedy but some government official must have the authority to force a replacement with a compliant part.

k15 • August 19, 2016 2:58 PM

If you want to disable your own car's key fob door opener, is there a way to do that?
(for example, if you bought it used, and you were only given a key)

tz • August 19, 2016 3:00 PM

Note that 315MHz is exactly 1/5th of the GPS frequency.
Fun with cheap, surplus RF transmitters

k15 • August 19, 2016 3:00 PM

How's that government security organization coming along? Can we fund it on kickstarter?

MikeA • August 19, 2016 3:14 PM

A neon sign _is_, essentially, an arc, so any other arcs may be superfluous. That said, the idea that a "transformer" could not be the problem (unless there is a bad connection inside) is taking things too literally. Nowadays, iron and copper (and shipping from China) are a bit expensive, so most "Neon transformers" are really switchmode power supplies. Just checked the article and, yes, this was one of those. Cheap no-name switchmode supplies are the bane of anybody doing any sensitive RF work. Since the emissions from the power supply would tend to have peaks at various harmonics of the switching frequency, rather than broadband noise, it would need less power to mess things up.

As for "would interfere with TV", well, maybe, but in a world where most folks get their TV from a cableco or over the Internet, maybe not. There are not many of us left who like full resolution, fewer compression artifacts, and no tracking of what we watch, so we don't really count in the grand scheme of things. I suspect that over the air TV will disappear in a heartbeat if the FCC drops the "must carry" requirement that forces the cablecos to pay networks for any content that is locally broadcast (albeit at crappy resolution unless the customer pungles up more cash)

Iain Moffat • August 19, 2016 3:22 PM

This is nothing new - back in the early 2000s we had cars being hauled away from the local hospital car park by the RAC and AA (UK car recovery organisations) which was eventually traced to a UHF radio pager installed by the hospital on a frequency about 20MHz high of the 433MHz key fobs. The problem with 433MHz is that the standards (and battery life) require fairly low transmit power, so the car gets a very sensitive (but also very cheap) receiver that is easily desensitised (blocked) by other strong signals. The distances in this case must have been much larger - probably at least 200 yards.

chris l • August 19, 2016 3:29 PM

I've seen this happen on top of Mt. Wilson near LA. There's a large transmitter/antenna farm on the mountain serving the LA area and it's not unusual for people who come up for the view to get locked out of their cars. It's one of those times it's good to have a hard key to open the door instead of just an electronic fob.

Sofa • August 19, 2016 3:50 PM

Along the same lines with LED lights and garage door openers:
https://marco.org/2016/07/16/led-lights-garage-door-openers

Government guidelines for LED manufacturers require these control circuits to operate on frequencies between 30 and 300 MHz. By coincidence, most garage door opener remotes have been assigned frequencies between 288 and 360 MHz.

More on the problem:
http://www.phoenixazgaragedoorrepair.com/garage-door-repair/1786/how-led-lights-can-cause-problems-with-your-garage-door-opener/garage-door-blog/

-Sofa

ianf • August 19, 2016 6:06 PM

But was it really a DOS attack? Sounds like a case of rather forceful radio interference to me… so what else is new.

I've had 2 direct "experiences" of such.

1. About 25? years ago the then-owner of my apartment building added an electronic unlocker to the keyed door lock, with a common pincode for all apt dwellers. It worked, and then it didn't. Then it worked again, then not. We kept reporting it, the PCB was swapped out for a new one, no significant change. I ask the caretaker in passing one day whether it might be affected by high humidity, condensation. But no, all these apparently are accounted for. Then I ask—more in spirit of eliminating all possible interference sources, than by having a clue—"have you considered that it may be due to intermittent emissions from that computer terminal in the office next to the entry door?" (less than a meter away). That they never previously thought of, and apparently nullified, because the unlock ceased to malfunction.

2. Much earlier still, a foundational kind of early education. We lived in an apartment on the ground floor, with my parents' bedroom next to the entry door in the stairway. On pressing a light switch, an electromechanical clockwork held the light in the stairway for 30? seconds. It was housed in a metal box approx. 40cm through the mortar from where father slept, woke him up and drove him nuts. My father, rather mild and none too talkative fellow, pleaded with the caretaker to, er… take care of it. But what could be done? I doubt there were other, silent types of such clocks, so nothing improved. Until the day when the young me received this valuable hands-on life lesson of the value of DIRECT ACTION.
Father's limit of tolerance for being woken up apparently having passed, he sprang up in the middle of the night and ATTACKED the box with a hammer and a screwdriver. Trashed it entirely, still in his pajamas. Everybody knew who done it, and why, and the clock remained broken. The neighbours didn't mind a bit of dark on the stairs anyway. Think it remained broken until we moved away several years later. Not radio interference then, mere cyclical ticking noise—so sue me.

SchneieronSecurityFan • August 19, 2016 6:12 PM

The interference disabled a cell phone which is either at the 850 MHz or 1900 MHz band in the U.S. The key fobs are at 315 & 433 MHz. This must have been a very noisy device.

Clive Robinson • August 19, 2016 6:18 PM

@ WS,

Discussions on the local neighborhood blogs think it is some RF emitter used by the dog daycare on that block that prevents dogs from barking too much.

The only "remote control" device I've heard of that prevents/reduces dogs barking, is a collar that has a high voltage generator in it that acts like a "mini-taser"[1]. Apparently they are legal in the US but not in other WASP nations, as they won't pass the electrical safety or EMC tests (for obvious reasons).

The way I got to hear about them originally was truly shocking, apparently a private children's center was using them on disabled children according to a news article. A friend brought the story to my attention and we did a search for likely items and the dog control collar came up. One model can apparently deliver a high voltage high energy spike sufficient to cause a large dog to flip over due to the spasm induced rather than just yelp in pain. Apparently such a high level stimulus is required to stop "sheep worrying" and other livestock issues.

[1] http://www.thekennelclub.org.uk/our-resources/kennel-club-campaigns/electric-shock-collars/

Spaceman Spiff • August 19, 2016 8:26 PM

That's some good engineering there Bruce! All the affected openers were from the same company? Or had the same chip set?

Bystander • August 20, 2016 5:08 AM

So this is an EMI issue. Unintentional jamming because of radiated emissions exceeding the limits by a serious amount. This is becoming more and more frequent thanks to the race to the bottom in terms of price and quality.

This is just stupid - the FCC should have mandated a replacement or changes to the installation that reduce emissions.

Not the only case and here people should have known better:
http://www.emcuk.co.uk/awareness/pages/InterferenceExamples/RadioSusceptibility.htm#Tetra

Drone • August 20, 2016 5:22 AM

@Tatütata,

"What ever happened to the days when Hams helped folks fix problems like this for free?"

What happened? Greedy Lawyers...

mike~acker • August 20, 2016 7:39 AM

what are the implications for self driving cars?

better cars would be self-regulating: computer to assist the driver not control the car. regulate speeding. stop lights, and signs. prevent tailgating. automatic braking, lane holding -- that sort of thing.

but a driver + computer is going to be better than either one working alone.

like having a full-time A-driver!

ianf • August 20, 2016 7:44 AM

Wrote Bystander “This is just stupid - the FCC should have mandated [something or other] or changes to the installation that reduce EMI emissions.”

There's nothing wrong with your logick bar for the fact that it presumes A Perfect Society where laws and regulations are enacted AND adhered to the last iota by all for the common good. I.e. an Utopia, however you then might call it. Those of us who have to live in the real, know, however, that unenforceable, toothless regulations, are worse than no regulations, and that it takes more than a couple of ever so well-meaning edicts to effect a change. Also things aren't always what they initially seem to be.

In this particular case, people locked out of their cars due to too easily RF-interfered car fobkeys have learned a valuable lesson for the future: always have a backup strategy for all situations where you've put your trust in—let's face it: invisible/ impalpable, thus might as well be magick—technology. An unrequited education, true, but at a very small self-caused cost to themselves. See? (also read my note on the benefit of sucking Phosphorus out of fish heads – Wael has the empirical data, and will share them for a small fee).

Wael • August 20, 2016 11:14 AM

@Ted,

(also read my note on the benefit of sucking Phosphorus out of fish heads – Wael has the empirical data, and will share them for a small fee).

Crap! Not the way I like to start my Saturday mornings...

Like everything else in life, proper balance is key. Don't take my "self-designated" spokesperson's words as "set in stone". There are foods that have higher phosphorus content, such as Walnuts and Brazil nuts. I suggest you ask @ianf, the expert, to share how he ingests these nuts by sucking them through a garden hose. Alternatively, he can share the other kind of foods (chicken livers) that supplies him with his phosphorus daily intake. Be forewarned that Chicken livers come with a side effect. They'll make you grow feathers and cluck or crow depending on your gender.

Tell me, @ianf: what areas of security do you see important? Share with us some of your pain points, so that we perhaps can suggest something -- or discuss something technical. Please spare us your "psychological" pain points, as I highly doubt we have any 'Shrinks'[1] on this distinguished site.

[1] These sort of problems are best treated by your designated mental health care provider... at a mental health facility, AKA an Asylum, near you. :)

PS: No fee required! @ianf will pay the price on your behalf.

Clive Robinson • August 20, 2016 12:07 PM

@ Bystander, ianf,

This is becoming more and more frequent thanks to the race to the bottom in terms of price and quality.

In the case of the RAF Radar, it would be very difficult to make any receiver that could cope with the peak envelope on the antenna; it's on the upwards side of +90dBm. It takes a very expensive receiver to have a dynamic range of 90dB, which with a -130dBm sensitivity means the front end is not just going to be swamped but saturated.

If you look into filters in radios their skirt performance is usually not much better than -60dB on the front end with another -60dB or so at the IF. The problem is that the ferrite used in some of those filters will saturate and behave in a nonlinear fashion thus generate lots of harmonics.

At the end of the day that energy on the antenna has to go somewhere and the OOK pulse modulation of radar ensures it gets everywhere including directly into the audio stages.

The comment attributed to an RAF officer is thus really "PR nonsense for the dumb civizs".

Bystander • August 20, 2016 12:30 PM

@Clive Robinson

With the 'race to the bottom' I was addressing the case of the faulty supply.

The radar case is different and more the result of an issue in frequency regulations in general or maybe the fact that the RAF simply doesn't care...

That didn't escape you - did it?

Ted • August 20, 2016 2:34 PM

@Wael

fish heads, empirical data, Saturday mornings, pain points

"Turning Point: Criminal Justice to Behavioral Health"

"For individuals entering the criminal justice system, the experience of incarceration can lead to disconnection from supportive relationships, weakened self-esteem, and additional trauma and violence. Those with behavioral health conditions have a particularly difficult time in jail and prison – not only do these environments impede recovery, they can make life even more challenging after release. Many justice systems, including police, corrections, and courts work closely with behavioral health agencies to screen for mental or substance use disorders and refer individuals who need help to treatment and support."

[…] "To better screen for and identify individuals who could benefit from diversion, SAMHSA developed the Screening and Assessment of Co-Occurring Disorders in the Criminal Justice System toolkit. This publication is particularly useful for professionals along the spectrum of intercepts in the criminal justice system so they can effectively screen for a range of behavioral health disorders, including depression, co-occurring disorders, suicide, trauma, and PTSD. The toolkit also includes an assessment resource to screen for motivation and readiness for treatment."

[…] "Cindy Schwartz, MS, MBA, a project director of the Jail Diversion Program of the Eleventh Judicial Criminal Mental Health Project in Miami, FL, echoed this opinion. “Our program has been using these evidence-based tools and it has helped to promote transition plans that are based on individualized risks and needs instead of what is available in the community. It is the next step toward system transformation.”"

Don • August 20, 2016 4:16 PM

@ Wael

agreed RE: psychological pain points - and that's incredibly restrained and diplomatic of you.

I had the exact same response when I read the post in question. Mind you, 'PCB' is the most technical term that poster has ever written here.

I just fast-scroll the mouse over that poster's comments, from now

I'm sure many already do

ianf • August 20, 2016 4:35 PM

Wael to Bystander (not Ted): »Don't take my "self-designated" spokesperson's [i.e. ianf's] words as "set in stone"«
Do not change the subject… it was fish, not sticks and stones. And, as for my alleged usurpatory spokespersonmanship[*], I do not recall—perhaps I missed it—you denying that very right to another, a fly-by poster – so what makes my obviously ironic use of it so special? Instead, a mere hour after that instance, you claimed to not be giving my words much attention. Perhaps if you could settle on one or the other, we'd be A–OK?

BTW. I honestly didn't know that sucking is a 4-letter word in your parlance… but how would I learn that if occasionally I didn't probe the envelope of your sensitivity?

[Boring arguments of foods deployed as a smoke screen deleted].

[…] what areas of security do you see important? Share with us some of your pain points, so that we perhaps can suggest something -- or discuss something technical.
Clearly, I'm here to learn the "secure think," so I can not contribute anything in that regard here—yet, if ever (I know why I need to learn about it, you don't need to know the motive). As for more general technical topics, I did actually raise a few such in the past. They either elicited no response, or only such that told me that there are monsters out there just waiting to subvert whatever it is they subvert, but gave away very little pragmatic information. Perhaps that's not the forum for that, but a few other fora that I visited previously were either too high-, or way too low-level programming, and nowhere near as vibrant as this one.

spare us your "psychological" pain points
Undef qualifier; speak en-clair, not in pseudo faux-code.


You've read that far, you deserve a bonus, here courtesy of The Economist magazine (read preferably wearing those Vulcan ears to better get into the spirit):
https://www.1843magazine.com/features/to-boldly-go

[*] now, that's some Scrabble token to behold!

Don • August 20, 2016 5:23 PM

@ Wael

oh look, an instant response I was able to fast-scroll over

where the disease lies - thus too the remedy
re: psychological pain points

@ Clive provided the remedy in this thread:
dog collars providing a palliative electro convulsive shock

Wael • August 20, 2016 5:35 PM

@Don,

Sometimes I wonder... We engage in a lot of heated debates, interesting topics... and our generous moderator reads in silence. If I were him, and that's just me, I would probably be bored. Perhaps I would spawn a sockpuppet to participate in the fun. You know ... just the paranoid security mentality ;)

Clive Robinson • August 20, 2016 6:12 PM

@ Bystander,

That didn't escape you - did it?

Is that a rhetorical question?

If not I would have thought my last paragraph about "PR" would have covered it in a slightly more subtle way.

ianf • August 20, 2016 8:14 PM

@ mink walkr,
No, of course not. Wirelessness solves the [manufacturer's] problem of needing extra I/O sockets on the PCB, square holes in the casing, etc, by supplanting all that with radio ICs and antenna(s). By itself, going wireless does however not solve the problem of having anything coherent to transmit, as e.g. per proof provided above by digital security expert "Don" (HeKnowsHo HeKnowsHo).

r • August 20, 2016 11:38 PM

@mike~acker,

"what are the implications for self driving cars?"

Siri, go get yourself clean nobody wants to go anywhere with you anymore.
Siri, go pick up the kids - take the dog for a ride.
Siri, I called Maaco and scheduled you a make-over I'm sick of looking at you.
Siri, go throw yourself into a ditch why don't you.

I can see thousands of advantages to self-driving cars.

r • August 20, 2016 11:40 PM

@mike~acker,

If you think the roads are bad in America now, just wait until we can point and click from our lazy-boys for automated pickups/dropoffs.

There's no drugs in my car officer, I asked siri to pick me up a pair of shoes!

Bystander • August 21, 2016 4:32 AM

@Clive Robinson

Maybe it was a little too subtle for me...

Thanks for the clarification.

Clive Robinson • August 21, 2016 5:17 AM

@ Monk Walkr,

does everything have to be wireless?

Short answer "yes".

But it's the reasons it's going to happen that are of more interest.

The initial reason was electro mechanical items were, unless large and built in certain ways, unreliable. They almost always needed rare and therefore expensive metals to increase reliability. Thus the desire to remove electro mechanical items such as connectors and switches was high.

There was also a secondary problem which is cords are unreliable and dangerous, and wiring a place for convenience is eye wateringly expensive and obtrusive.

But hidden in this was the switch from parallel to serial communications. Due to technology limitations the world had little choice but to head down the "multi circuit" parallel communications route. Such cables are many times more expensive, heavy and less reliable and had all sorts of limitations such as crosstalk. Thus in the early 90's when technology had improved due to miniaturization the push away from parallel back to serial started as the technology could now work faster and at less overall cost than the problematic parallel communications. The first place this hit the consumer market was with the likes of the I2C bus on printed circuit boards. It spread to storage devices and to make the idea of "IO cards" redundant with the likes of USB. However a price was paid for this, in that whilst the prices dropped the increased complexity made the interfacing of equipment way way more complex, which limited "user freedom". Which was fine for manufacturers as it reduced new competition by raising the entry level into such a lucrative market significantly. This actually was the start of the "walled garden" we now see closing around us. The manufacturers formed what were effectively cartels by "trade associations" and set a high entry fee. In theory anybody could join but in practice the entry price was too high except for a select few. This distorted the market in many ways most of them invisibly to the consumer most of the time. However where there is a market with artificial barriers to entry people will find ways around them, and this can cause real pain for those that go along with the barriers. You may remember not so long ago that a manufacturer tired of having its chip design and USB ID misappropriated, and "kicked back" by updating their Microsoft driver to only work with their chips not the knock offs. The result was a massive backlash from millions of consumers whose devices suddenly stopped working. The result the company had to backtrack big style.
Something Microsoft should have been very aware of as they got caught in the middle, however it's not stopped them doing the similar with the WebCams...

The upshot as many Android users are finding is that the days of "open hardware" are over. The ultimate serial communications is wireless be it WiFi NFC or cordless charging. From a manufacturer's point of view it means less problems, but also it creates a walled garden of epic proportions whereby they can force things on you such as "Data Stealing" that they then profit from by selling the data to marketers and governments.

The problem with this cordless world is that FOSS can not get into the walled garden that our Closed Hardware is making, except at the permission of the gate keeper. Who will at some point "close the gate" to all but those who can afford the rent they will extort.

That is the real price of "cordless" as the standards setters fully know, they will be rent seeking at an increasing rate, and the consumer will have no choice other than to go off grid, and as the legislators are busy making that less and less possible if not illegal the result will be dystopian.

0laf • August 22, 2016 4:03 AM

I read this wrong; thought it said "Unintentional DOS Attack against Cat-Door Openers".

Could have been messy.

ianf • August 22, 2016 6:20 AM

No worry, 0laf… were EMI to lock out (or lock in) a cat, its internal all-organic-powered, and thus maintenance free EMŒRGENCY WARNINGS system would automagically kick in and ALERT any human within hearing distance to rectify it. Not for nothing are cats the default occupiers of the top rung of any feline-human abode's social ladder.

PS. I misread the title, too, only saw it as being about “MSDOS Attack against Car-Door Openers” and thought "unintentional?"
