Wednesday, May 15

The Great Ohio Key Fob Mystery, or “Honey, I Jammed the Neighborhood!”

Hack long enough and hard enough, and it’s a pretty safe bet that you’ll eventually cause unintentional RF emissions. Most of us will likely have our regulatory transgression go unnoticed. But for one unlucky hacker in Ohio, a simple project ended up with a knock at the door by local authorities and pointed questions to determine why key fobs and garage door remotes in his neighborhood and beyond had suddenly been rendered useless, and why his house seemed to be at the center of the disturbance.

Few of us want this level of scrutiny for our projects, so let’s take a more in-depth look at the Great Ohio Key Fob Mystery, along with a look at the Federal Communications Commission regulations that govern what you can and cannot do on the airwaves. As it turns out, it’s easy to break the law, and it’s easy to get caught.

Hobbled Fobs

According to a report in the New York Times, the problems in North Olmsted, Ohio began in late April when people began to notice that key fobs and garage door remotes weren’t working. Fearing malicious activity in their suburban enclave – a justifiable fear, as we’ve seen with Samy Kamkar’s jam-and-replay attacks on rolling-code key fobs – good citizens began calling the local authorities to report the issue.

Exactly which authorities have jurisdiction over key fob issues isn’t clear, but according to the report, everyone from the local utility companies to the city council got involved in the investigation. The cable and phone providers couldn’t locate any faults with their equipment in the affected area, and the electric utility even took the somewhat ham-fisted approach of selectively cutting power to various sections to see if the signal stopped. It didn’t.

Local amateur radio operators were in on the action as well, which is par for the course with a group that has a vested interest in a low noise floor and routinely self-polices the airwaves. It appears that a ham in the area volunteered his expertise and equipment and did a little direction finding (a fox hunt, in ham parlance), eventually narrowing down the source of emissions to a single block, and then to a single house, which was pumping out a powerful signal at 315 MHz.

At that point, a City Councilman named Chris Glassburn paid a visit and discussed the problem with someone described as “an inventor” with “a fascination with electronics” – one of us, in other words. The problem seemed to lie with a device made by the gentleman to alert him when someone was upstairs while he was down in his basement shop. The device, details of which are not covered in the story, was battery powered, which explains why the electric company’s brute force attacks didn’t reveal the location. Once the battery was removed, the interference stopped, and life in North Olmsted, Ohio returned to normal.

Part 15 Rules

Based on the sketchy accounts offered by the non-technical media, it’s a little hard to piece together exactly how this happened. Councilman Glassburn declined to identify the hapless hacker, for understandable privacy reasons and because there was nothing malicious about the emissions. So unless he happens to be a Hackaday reader and decides to share the technical details of what he built, we’ll just have to make a few guesses as to how this whole thing went down.

The signal that was tracked to the source was a 315 MHz signal, in the part of the UHF band where the US Federal Communications Commission permits unlicensed Part 15 devices to operate on a non-interference basis. FCC rules generally require intentional radiators, meaning anything built to put RF energy on the air, like ham and public service radios, microwave links, and television and radio stations, to be licensed. But licensing the millions of devices that intentionally transmit signals would be prohibitive, and so Part 15 rules allow for low-power, unlicensed transmitters, to accommodate devices like WiFi, cordless phones, Bluetooth, and of course, key fobs and garage remotes.

Part 15 rules for unlicensed transmitters control unwanted emissions by requiring the manufacturer to have a sample device tested. The device has to meet various requirements and pass a series of lab tests to earn certification and an FCC ID label that shows the device is up to snuff; the tests measure the fundamental and the spurious emissions with a calibrated antenna at a fixed distance, which is why the limits are written as field strengths rather than transmitter powers. Each band has its own requirements with regard to radiated power and spurious emissions. Equipment sending short control signals in the 315 MHz band is covered by §15.231, “Periodic operation in the band 40.66-40.70 MHz and above 70 MHz.”

Assuming the hacker in question was using commonly available transmitters for the 315 MHz band, like these keyfobs from Adafruit, he appears to have violated a couple of parts of §15.231. Paragraph (a) restricts these transmitters to intermittent control signals: a manually operated transmitter has to shut itself off within five seconds of the button being released, an automatically triggered one has to stop within five seconds of starting, and regular periodic transmissions are not allowed at all. The reports make it clear that this was a continual problem over a period of weeks, so it seems like the transmitter was either modified for continuous operation or, for a presence alarm, simply designed to run that way.

The hacker also seems to have run afoul of paragraph (b), which limits the field strength of the fundamental measured at a distance of 3 meters from the antenna. The limit is a sliding scale across the band, from 3,750 µV/m at 260 MHz to 12,500 µV/m at 470 MHz with linear interpolation in between, so at 315 MHz it works out to roughly 6,000 µV/m, or 6 mV/m, which is on the order of 10 µW of effective radiated power; that is why a stock fob only reaches across a parking lot. A carrier that is on all the time doesn’t qualify for §15.231 at all and would instead have to meet the general radiated-emission limit of §15.209, which for 216 to 960 MHz is a mere 200 µV/m at 3 meters. Note that a steady carrier on the fob frequency doesn’t need to corrupt anyone’s rolling code to cause trouble; it just has to be strong enough to sit in the front end of every car and garage door receiver within reach and keep it from hearing the real remotes. Given that remotes for an entire neighborhood of North Olmsted were knocked out, and that there were reports of interference in the community of Fairview, my guess is that the signal was reaching out for a mile (1.6 kilometers) or more. To be able to propagate that far and still have enough power to swamp everyone’s remotes, it seems like the transmitter was overpowered, to say the least.
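To put numbers on this, here is a short Python calculator. It is an added example, not code from the article or from the FCC: the limit tables encode my reading of 47 CFR §15.231(b) and §15.209(a), the conversion between a field strength at 3 meters and EIRP assumes free-space propagation from an isotropic source, and the 10 mW module power and the -100 dBm receiver threshold used in the demo are assumptions chosen for illustration. Real certification is done on a test range with a calibrated antenna, and real neighborhoods are not free space, so treat the range figures as upper bounds.

```python
"""Part 15 field-strength arithmetic for a 315 MHz transmitter.

Added example, not from the original article. The limit tables are this
author's reading of 47 CFR 15.231(b) and 15.209(a); the module power and
receiver threshold in the demo are assumptions chosen for illustration.
"""
import math

MEASUREMENT_DISTANCE_M = 3.0          # Part 15 limits are specified at 3 m

# 47 CFR 15.231(b): field strength of the fundamental at 3 m, in uV/m, for
# periodic control signals.  (f_low_MHz, f_high_MHz, limit_low, limit_high);
# the rule says to interpolate linearly where the two limits differ.
SEC_15_231_B = [
    (40.66, 40.70, 2250.0, 2250.0),
    (70.0, 130.0, 1250.0, 1250.0),
    (130.0, 174.0, 1250.0, 3750.0),
    (174.0, 260.0, 3750.0, 3750.0),
    (260.0, 470.0, 3750.0, 12500.0),
    (470.0, math.inf, 12500.0, 12500.0),
]

# 47 CFR 15.209(a): general radiated-emission limit for 216-960 MHz.  A
# carrier that never shuts off does not qualify for 15.231 and lands here.
SEC_15_209_216_960_MHZ_UV_M = 200.0


def limit_15_231_b_uv_per_m(freq_mhz):
    """Interpolated 15.231(b) fundamental limit at 3 m, in uV/m."""
    for lo, hi, e_lo, e_hi in SEC_15_231_B:
        if lo <= freq_mhz <= hi:
            if e_lo == e_hi:
                return e_lo
            return e_lo + (e_hi - e_lo) * (freq_mhz - lo) / (hi - lo)
    raise ValueError(f"{freq_mhz} MHz is outside the 15.231 bands")


def field_to_eirp_w(e_v_per_m, d_m):
    """Free-space field of an isotropic source is E = sqrt(30 * EIRP) / d;
    solve for EIRP in watts."""
    return (e_v_per_m * d_m) ** 2 / 30.0


def eirp_to_field_v_per_m(eirp_w, d_m):
    """Inverse of field_to_eirp_w: field in V/m at distance d_m."""
    return math.sqrt(30.0 * eirp_w) / d_m


def watts_to_dbm(watts):
    return 10.0 * math.log10(watts * 1000.0)


def margin_db(eirp_w, limit_uv_per_m, d_m=MEASUREMENT_DISTANCE_M):
    """dB by which a transmitter of eirp_w is over (+) or under (-) a
    field-strength limit specified at d_m."""
    e_uv = eirp_to_field_v_per_m(eirp_w, d_m) * 1e6
    return 20.0 * math.log10(e_uv / limit_uv_per_m)


def free_space_range_m(eirp_w, freq_mhz, rx_threshold_dbm):
    """Distance at which Friis free-space received power (isotropic receive
    antenna) drops to rx_threshold_dbm.  Free space is the optimistic case;
    buildings and ground reflection shorten this considerably."""
    wavelength_m = 299.792458 / freq_mhz
    pr_w = 10.0 ** (rx_threshold_dbm / 10.0) / 1000.0
    return wavelength_m / (4.0 * math.pi) * math.sqrt(eirp_w / pr_w)


if __name__ == "__main__":
    f = 315.0
    legal = limit_15_231_b_uv_per_m(f)
    legal_eirp = field_to_eirp_w(legal * 1e-6, MEASUREMENT_DISTANCE_M)
    print(f"15.231(b) limit at {f:.0f} MHz: {legal:.0f} uV/m at 3 m = "
          f"{legal_eirp * 1e6:.1f} uW EIRP ({watts_to_dbm(legal_eirp):.1f} dBm)")

    module_w = 0.010     # ASSUMPTION: a garden-variety 10 mW ASK module
    print(f"10 mW module: {margin_db(module_w, legal):.1f} dB over the periodic "
          f"limit, {margin_db(module_w, SEC_15_209_216_960_MHZ_UV_M):.1f} dB over "
          f"the continuous-carrier limit")

    rx_dbm = -100.0      # ASSUMPTION: typical fob receiver threshold
    for label, p in (("legal", legal_eirp), ("10 mW", module_w)):
        print(f"{label}: free-space reach to {rx_dbm:.0f} dBm is "
              f"{free_space_range_m(p, f, rx_dbm) / 1000:.1f} km")
```

The interesting output is the margin: a stock 10 mW module run as a steady carrier is about 30 dB over the periodic-control limit and nearly 60 dB over the §15.209 general limit, a factor of nearly a thousand in field strength. That is the kind of number that reaches the next town over.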

Mea Culpa

The apparent inadvertent violations of §15.231 assume that the transmitter used was something commercially available and therefore subject to the FCC certification process before being put on the market. The other possibility is that the unnamed hacker built a 315 MHz transmitter from scratch. If that’s the case, then the provisions of §15.23, Home-built devices, would apply. There’s not much in that section other than to say that homebrew devices operating in the unlicensed bands must not be marketed, must be built in quantities of five or fewer for personal use, and must follow good engineering practices to meet the same technical standards that a commercial device in that band would. So a homebrew device that radiated that much power would still run afoul of the rules; what §15.23 waives is the certification paperwork, not the emission limits, so the grey zone is narrower than it might appear.

None of this is to suggest that the Ohio hacker knowingly violated the rules, of course. Modification of stock devices comes naturally to people like us, after all, and we’ll give him the benefit of the doubt that he didn’t know that such modifications were illegal, assuming he did make modifications. I can’t cast any stones, having inadvertently operated a pirate TV station for a few days in the 1980s when the RF modulator on my COSMAC 1802 got a wee bit overpowered and transmitted my blocky one-bit scatology to the neighborhood; thankfully the kindly amateur radio operator across the street paid me a visit before dropping a dime on me with the FCC.

All indications are that the Ohio hacker was eager to take the interfering device down when he was confronted and hasn’t put it back up, which suggests he’s a law-abiding fellow who just made a mistake. But his experience shows how easy it is to run afoul of the rules and have your little pet project get much more attention than you perhaps intended.

Banner image:

“Remote Entry Keyfob – 2013 Volvo XC60” by HighTechDad is licensed under CC BY 2.0
