The Camera That Killed the Jeep – Part 2

In which Craig and Mike get closer to understanding how a Wi-Fi camera can fake out the sophisticated electronics in a 2014 Jeep. And this ain’t pretty.

So you may recall from my last posting on this subject that I have a Wi-Fi camera that can drain the battery in Donna Diamond's brand new Jeep Cherokee simply by being powered up nearby the car. All I have to do it turn the camera on and the instrument panel lights up; a few hours later, the huge battery in the car is dead. Weird, to say the least, and last Friday I had the opportunity to find out why.

My friend and colleague Mike Craig of Cracom Engineering, whom you met during our haunted-house adventure back in 2009, is a wireless engineer with a very deep background in the issues here - as well as a mountain of test equipment, including a couple of high-end spectrum analyzers just perfect for figuring out what's going on in this case. So I stopped by Mike's lab with the camera and the key fob from the Jeep, and we ran a few tests

The first of these was to see what the fob is putting out, on the assumption that the camera is in some way mimicking this signal. It could very well be that some other signal, for example, the Wi-Fi from the camera, might be the source of the problem. But you may recall that the camera involved here was never set up and the Wi-Fi adapter in it never configured, so this was doubtful. And the 2.4 GHz. band was found to be clean when the camera was on, so that wasn't it regardless.

Anyway, a little digging found the key fob operating at approximately 433.92 MHz., a bit unusual for such devices; my Hyundai's fob, for example, operates at 315 MHz., which is more common in my experience. Anyway, no matter; 433 MHz. is a very popular band for short-range communications - and Mike did note that there seem to be a lot of wireless devices operating at this frequency.

Anyway, imagine my lack of surprise when we found that the camera was putting out a similar (in bandwidth and amplitude) signal at approximately 434.068 MHz. The modulation was totally different, and the camera's waveform varied with video input (moving a hand in front of the lens, for example). I'm assuming that, like the fob, the camera is permitted to emit in this band (likely unintentionally in this case, a byproduct of some internal processing rather than intentional communications), although I'm not sure why it does. Regardless, we have a pretty good understanding of what's likely going on here at this point.

And that is that the Jeep's radio is likely responding to a signal that looks like the fob's, but isn't. If so, this is just plain sloppy engineering. The radio receiver in the Jeep should indeed respond to such signals, even allowing for a little offset in frequency if necessary, but should absolutely authenticate the signal before powering up anything else. What we have here is actually a classic electronic warfare (EW) problem, in that a foreign agent is causing harm via electronic means because appropriate and adequate defenses are lacking. This in fact is quite surprising given the potential for harm, which we've of course seen already. I can't say absolutely, again, that this really is the mechanism at work here; there might indeed be another failure mode involved. But what we learned during this testing seems like a promising direction towards a solution.

Donna's Jeep dealer, Dan's Jeep, who have been more than interested in solving this problem from the beginning, have offered to replace the radio "hub", as it's known, in the car, along with the fobs. I really don't think this is a good direction, though; I have seen and heard of other anecdotal reports of similar and related problems with Jeeps, so I think the solution here, which I personally believe to be a software issue, needs to come from Jeep in the form of a general recall or update. In the meantime, further research is indicated, although, without detailed technical info on the Jeep itself, such won't involve me. But I will let you know if and when Jeep provides a fix, which I think they really need to pursue with all due priority.

And many, many thanks once again to Mike Craig and Cracom Engineering.

Copyright © 2014 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022