Solving the Mystery of a Keyless Vehicle Entry RF Deadspot in a Carpark with a FUNcube Dongle

The Brisbane Times ran a story today that discussed an interesting RF phenomenon that was solved using a FUNcube dongle software defined radio. The Funcube dongle is a SDR similar to the RTL-SDR. The issue was that vehicle wireless entry keyfobs would not work at a particular location within an outdoor shopping centre car park.

The story goes like this – First a user on a local Brisbane subreddit message board posted about how he had noticed that his cars wireless entry keyfob would not work when he parked in a certain area of the shopping area car park. The user wrote:

I walked out to my car from Bunnings, and there was a new HSW Maloo parked in front of me with the owner staring at his key fob and shaking his head.

I said “let me guess, car won’t open?” and he said yeah, and he’d been trying for about 5 minutes. I said that I’d had the same thing happen to me a few months back in the same spot, and then went to open my car.

Nothing. No beep, door stayed locked. Looked around and there was another couple trying to get into their car as well (late model C Class).

It took about 5 minutes of me trying the door every 20 seconds or so before it opened. HSV owner was still there when I left. The only thing he and I could think of causing it was the mobile phone tower in front of Aldi.

After reading the post, user u/riumplus decided to go out to the same spot with his Funcube dongle SDR and see if there was any interference that might explain the issues. But he found no such interference. However, when he pressed the wireless entry on his own keyfob he noticed reflections from the main transmission that were coming from the buildings walls. He wrote:

So I pulled out my SDR and I did a complete frequency sweep from 100kHz to 2.2GHz and… also nothing. Everything completely normal. Nothing on that frequency, nor anything odd anywhere else on the spectrum. Couldn’t see any of the usual potential harmonics from RFID or standard WiFi gear. Here’s the output at 433.3MHz(forgot to grab a screenshot centred right at 433.92Mhz but it was also empty, as was 315MHz).

Here’s where it gets interesting – I noticed that that location is almost in the middle of the car park between the three buildings, and they all have large amounts of metal flashing on their fronts. On a whim I watched the output when I pressed my own keyfob. And what do you know, I could see distorted reflections from my own signal bouncing off these buildings right back at me. My guess is that this is what was causing you issues!

It may sound counter-intuitive, but next time it happens try cupping the keyfob in your hand to weaken the signal. It should still be strong enough to trigger your car to open, but then the reflections will be weak enough they won’t cause you trouble.

So it seems that the layout of the buildings caused a focal point for reflections at that particular location which affected some wireless keyfobs.

The location in the carpark of the deadzone.
The location in the carpark of the deadzone.
Subscribe
Notify of
guest

6 Comments
Inline Feedbacks
View all comments
zombieregime

So, I quickly threw the image into GIMP, and assuming 1′ per pixel, which looks about right based on the lengths of vehicles I have come to the conclusion that the checksums are being clobbered by the reflected waves.

I did the math-ish: transmitting frequency ~315MHz, about 1.5ft wave length, distance between L shaped building and other building about 276 pixels ergo about 276 feet, the center line between the two is 138 feet and runs through about where the seat would be in the two vehicles are inline on the side of the car were another car occupies a space next to the two inline (i rotated it and flipped it in my analysis to make the rulers line up, sue me. Interestingly, the third walls equidistant point is in the center of the next driving row closer to the building).

Now, given the wavelength and distance to the reflector (276 ft) there is space for 207 cycles (138 * 1.5 = 207), or 414 cycles there and back (207 * 2). Assuming OOK encoding, and 15 cycles per bit that is a total of 27.6 bits (or 3.45 bytes) (414 / 15 = 27.6 & 27.6 / 8 = 3.45) in the air between initial transmission and arrival of the reflection. If the keyfobs are transmitting the lower bound of a 32 bit string then by the time the keyfob transmits the last of the total packet the last 5 bits or so are getting clobbered by the reflection. Typically the last handful of bits is where the checksum bits live. For a 128 bit key its effectively scrambling itself mid-transmission.

Thus if the reflections are strong enough then they are causing the transmission to fail their checksum and being rejected by the receiver.

Yes, I am fun at parties.

…I mean, Im pretty sure I would be fun at a party…

…Id have to actually be invited to one first to know for sure…

Believer

Aliens designed the building in this way! I can see it with my FunCubeDigliDiDingDong! No prrof needed, believe me!

SF01

Its interesting to note that if your fob doesn’t work and you are in expected range you could be victim of a “Jam, Record and Steal” rolling code attack…. Id only be concerned parked out front of Defcon or in a major city but its something to think about…

hackaday.com/2014/03/17/hacking-rolling-code-keyfobs

Pat Barthelow

“After reading the post, user u/riumplus decided to go out to the same spot with his Funcube dongle SDR and see if there was any interference that might explain the issues. But he found no such interference. However, when he pressed the wireless entry on his own keyfob he noticed reflections from the main transmission that were coming from the buildings walls.”
******************
Can u/riumplus provide us with a short video clip or screen shots, of what displays the Funcube software produced that he correctly diagnosed as multipath reflections from the buildings? Such a video would be very interesting to see and interpret for most of us.—Thanks very much.

Tom

“he’d been trying for about 5 minutes”, really? I would have used the key after 3 failed tries.

James

You’d be surprised how many people don’t know there’s an actual physical key inside their fob.