Mario Čagalj University of Split 2013/2014. FELK 19: Security of Wireless Networks.


Adversarial interference: radio jamming

Adversarial interference: jamming (1/4)

• Transmitting a signal on the same frequency/band on which the honest parties communicate
• Blocks the reception of the message at the receiver B

[Figure: parties A and B, message M; S (original signal), J (jamming signal)]

Jamming - physical layer (2/4)

Modification (e.g. bit flipping)
• Can cause the message to change or become undecodable
• Can be (partially) addressed by Error Correction Codes

Overshadowing
• The attacker's signal is dominant, the original seems like noise, i.e., mSource + mAttacker = mAttacker

Jamming (Interference)
• The attacker's signal makes it impossible for the radio to decode (demodulate) the message, i.e., mSource + mAttacker = random/cannot be decoded (low SINR, low Eb/N0, implies high BER)

Jamming and overshadowing can be (partially) addressed by spread spectrum and similar communication techniques

Jamming - physical layer (3/4)

http://eprint.iacr.org/2013/581.pdf

Jamming parameters (4/4)

Jamming-to-signal (J/S) ratio: the ratio of the power of the two received signals within the frequency passband of the receiver.

[Figure: power spectral density (W/Hz) versus frequency, showing the desired signal and the jamming signal inside the receiver passband, with J/S marked between them. ©D. Adamy, A First Course on Electronic Warfare]

Received powers (free-space model):

$$S = P_T + G_T - \text{const.} - 20\log(R_S) + G_R$$

$$J = P_J + G_J - \text{const.} - 20\log(R_J) + G_{RJ}$$

$$J/S = J - S \quad \text{(dB)}$$

Example:
– For effective jamming J/S = 0 to 40 dB (typically 10 dB).
– Jammer uses 100 W (50 dBm), antenna gain 10 dB, distance 30 km
– Transmitter uses 1 W (30 dBm), antenna gain 3 dB, distance 10 km
– J/S ≈ 17 dB, so jamming is probably successful

The importance of jammer’s location

• Antenna gain: The ratio of the intensity, in a given direction, to the radiation intensity that would be obtained if the power accepted by antenna were radiated isotropically
• If the receiving antenna is not omnidirectional, its gain to the jamming signal will be different (usually less) than its gain to the desired signal

[Figure: receiver antenna gain pattern, with gain G_R in the direction of the desired signal transmitter and gain G_RJ in the direction of the jammer. ©D. Adamy, A First Course on Electronic Warfare]

Parameters influencing J/S

The Effect of Each Parameter in the Jamming Situation on J/S

| Parameter (increasing) | Effect on J/S |
|---|---|
| Jammer transmit power | Directly increases J/S, dB for dB |
| Jammer antenna gain | Directly increases J/S, dB for dB |
| Jammer-to-receiver distance | Decreases J/S as the distance² |
| Signal transmit power | Directly decreases J/S, dB for dB |
| Transmitter-to-receiver distance | Increases J/S as the distance² |
| Transmit antenna gain | Directly decreases J/S, dB for dB |
| (Directional) receiver antenna gain | Directly decreases J/S, dB for dB |

Implications on jamming (example): Attacks on Skyhook localization system

http://www.skyhookwireless.com

• Skyhook utilizes public WiFi access points and cellular towers to provide accurate information about the user’s location

http://www.skyhookwireless.com/howitworks/loader_howitworks.swf

• Attack goal: device displays an incorrect location
• Attack: jam signals from legitimate APs and insert messages with MAC addresses corresponding to other APs
• More attacks: database poisoning, ...

www.syssec.ethz.ch

Implications on jamming - example: Stealing bandwidth in WiFi networks

• Station 1 gets all the bandwidth
• Station 2 jams (a directional antenna)

Implications on jamming - example: The case of GPS

Used not only for positioning, but also for fine synchronization of communication systems
• Mobile networks
• Pagers
• ATMs

Implications on jamming - example: The case of GSM, UMTS

• It is possible to mount a man-in-the-middle attack on your mobile phone voice/data communication
• We will see this in the lab :)

Implications on jamming - example: Jamming for good or friendly jamming

Securing implantable devices
• “They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices”
  http://groups.csail.mit.edu/netmit/IMDShield/paper.pdf

Cool, but one should exercise caution
• “On Limitations of Friendly Jamming for Confidentiality”
  http://www.syssec.ethz.ch/research/sp2013_tippenhauer.pdf


Anti-jamming communication

Basic Anti-jamming Communication

Basic principle: “If you cannot beat them – run and hide”

Spread Spectrum techniques:
• FHSS (Frequency Hopping Spread Spectrum)
• DSSS (Direct Sequence Spread Spectrum)
• FHSS/DSSS (combination)

[Figure: power versus frequency, comparing a narrowband signal (high peak power) with a spread spectrum signal (low peak power)]

Anti-jamming Communication

• We need an advantage over the attacker
• Secret key (K) shared between the sender and receiver provides this advantage
• If time permits, we will show how to provide anti-jamming communication without the shared key (Uncoordinated Frequency Hopping)

[Figure: A and B, with the key K]

Frequency Hopping Spread Spectrum (FHSS)

• Synchronized sender and receiver
• Share a key – from the key a sequence of frequencies is derived
• E.g., used in Bluetooth (79 x 1 MHz channels)

[Figure: frequency versus time, showing the hopping range and the hop period. ©D. Adamy, A First Course on Electronic Warfare]

Frequency spectrum for FHSS

[Figure: power spectral density versus frequency across the bandwidth, with individual hops marked (HOP#34, HOP#3, HOP#34, HOP#1, HOP#56, …)]

Jamming FHSS signals: follower jammer

(1) Detect the frequency and (2) jam

• Bluetooth: 79 channels, 1 MHz each, 1600 hops/second
• Jaguar V system: 2320 channels

©D. Adamy, A First Course on Electronic Warfare

Jamming FHSS signals: partial band jammer

• A partial band jammer distributes its available power to achieve 0 dB J/S in each jammed channel at the jammed receiver
• E.g., J/S = 0 dB sufficient to achieve high bit error rate (BER)
• Optimizes the available jamming power to successfully jam as many channels as possible

[Figure: jammer power evenly spread over the hopping channels for 0 dB J/S per channel; geometry of transmitter (XMTR), receiver (RCVR) and jammer (JMR) with distances R_S and R_J. ©D. Adamy, A First Course on Electronic Warfare]
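The key-derived hop sequence from the FHSS slide, and how much of it a partial band jammer covers, as an added example that is not part of the lecture. The HMAC-SHA-256 construction, the function names and the sample keys are assumptions made for illustration; this is not Bluetooth's actual hop-selection algorithm.

```python
import hashlib
import hmac

N_CHANNELS = 79  # channel count the slides give for Bluetooth


def hop_channel(key: bytes, slot: int, n_channels: int = N_CHANNELS) -> int:
    """Channel used in time slot `slot`, derived from the shared key K."""
    mac = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    # Reducing 64 bits modulo 79 leaves a bias of about 79 / 2**64.
    return int.from_bytes(mac[:8], "big") % n_channels


def hop_sequence(key: bytes, first_slot: int, count: int) -> list:
    """What sender and receiver each compute from K and the slot counter."""
    return [hop_channel(key, s) for s in range(first_slot, first_slot + count)]


def fraction_jammed(key: bytes, jammed_channels, slots: int) -> float:
    """Share of hops that land on channels a partial band jammer covers."""
    jammed = set(jammed_channels)
    return sum(hop_channel(key, s) in jammed for s in range(slots)) / slots


def guess_rate(key: bytes, other_key: bytes, slots: int) -> float:
    """How often a party holding the wrong key predicts the right channel."""
    return sum(hop_channel(key, s) == hop_channel(other_key, s)
               for s in range(slots)) / slots


if __name__ == "__main__":
    k_ab = b"constructed sample key shared by A and B"
    sender = hop_sequence(k_ab, 0, 10)
    receiver = hop_sequence(k_ab, 0, 10)
    print("A and B agree:", sender == receiver, sender)
    # Constructed case: 20 of the 79 channels are held at 0 dB J/S.
    print("hops lost:", fraction_jammed(k_ab, range(20), 20000))
    print("wrong-key guess rate:", guess_rate(k_ab, b"not the key", 20000))
```

The lost share tracks the fraction of channels covered, which is why the hopping range and any error correction on top of it set how much partial band interference a link tolerates.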

Finding FHSS transmitters

Detection of signal direction: When collected data shows multiple frequencies at one angle of arrival, a frequency hopper is identified.

©D. Adamy, A First Course on Electronic Warfare

Direct Sequence Spread Spectrum (DSSS)

Secret spreading code – DSSS hides the signal
• Signal detection is now more difficult
• Signal “hidden” in the noise
• Signal interception/modification difficult
• Jamming
  – Narrowband jamming now requires much higher power
  – Broadband jamming still effective

Motivation: Shannon channel capacity (C)
• $C = B \times \log_2(1 + S/N)$, or $C/B \approx 1.433 \times S/N$ (for small $S/N \ll 1$)
• B is the available channel bandwidth
• For $S/N \ll 1$, it is still possible to communicate in an error-free manner given sufficiently large B!

Direct Sequence Spread Spectrum (DSSS)

[Figure: block diagram: spreading modulator (spreading code), DSSS signal (RF link), spreading demodulator (spreading code)]

Example: DSSS with BPSK modulation

• Original BPSK modulated signal: $s(t) = b(t)\cos(\omega_0 t)$, with $b(t) \in \{-1,+1\}$ being input data
• DS spread spectrum signal: $ss(t) = a(t)\,s(t) = a(t)\,b(t)\cos(\omega_0 t)$, with $a(t) \in \{-1,+1\}$ being the spreading code
• The bit rate of b(t) is denoted $R_b$, and of a(t) denoted $R_a$
• $R_b \ll R_a$ (the spreading effect)

[Figure: waveforms of b(t) for the data bits 0 and 1, the spreading code a(t), and the product a(t)·b(t)]

Example: Spreading effect

• The resulting signal similar to g(t)
• Bandwidth of s(t) is $2R_b$ and of ss(t) is $2R_a$
• The spectrum is spread by the ratio $R_a/R_b$
• The power of s(t) and ss(t) is the same, so the Power Spectral Density is reduced by $R_a/R_b$

[Figure: power spectral density versus frequency; spectrum of the original signal s(t), of width 2R_b, and spectrum of the spread signal ss(t), of width 2R_a]

Example: DSSS with BPSK demodulation

• Incoming signal at the receiver $r(t) = A_S\,ss(t)$ is first multiplied by a(t), then by $\cos(\omega_0 t)$, integrated for the duration of the bit and finally low-pass filtered
• Spreading code a(t) has an impulse-like autocorrelation function, and $a(t)\,a(t) = 1$
• After multiplying the incoming signal with a(t), we despread:

$$r(t)\,a(t) = A_S\,ss(t)\,a(t) = A_S\,a(t)\,\underbrace{b(t)\cos(\omega_0 t)}_{s(t)}\,a(t) = A_S\,\underbrace{b(t)\cos(\omega_0 t)}_{s(t)}$$

• After multiplying with $\cos(\omega_0 t)$:

$$A_S\,b(t)\cos(\omega_0 t)\cos(\omega_0 t) = \frac{A_S}{2}\,b(t) + \frac{A_S}{2}\,b(t)\cos(2\omega_0 t)$$

  with the $2\omega_0$ term removed by the low-pass filter

Why spreading?

[Figure: power spectral density versus frequency for the data before spreading (width 2R_b) and for the spread data (width 2R_a), each shown against the noise floor; block diagram: spreading modulator (spreading code), DSSS signal (RF link), spreading demodulator (spreading code)]

Why spreading? Immunity to interfering (narrowband) signals

• Suppose a jamming signal present at $\omega_0$
• Input to the receiver:

$$r(t) = \underbrace{A_S\,ss(t)}_{\text{signal}} + \underbrace{A_J\cos(\omega_0 t)}_{\text{jamming}}$$

[Figure: power spectral density showing the spread data, the noise floor and the narrowband interferer; block diagram: spreading modulator (spreading code), DSSS signal (RF link), spreading demodulator (spreading code)]

• After multiplying the incoming signal with spreading code a(t) we have

$$r(t)\,a(t) = \underbrace{A_S\,b(t)\cos(\omega_0 t)}_{\text{wanted signal gets despread}} + \underbrace{A_J\,a(t)\cos(\omega_0 t)}_{\text{jamming signal gets spread!}}$$

[Figure: power spectral density versus frequency after despreading: data despread and lowpass filtered, interferer spread, noise floor]

• By lowpass filtering the resulting signal, the effective power of the interference is reduced by the factor $R_a/R_b$: the processing gain

[Figure: power spectral density versus frequency: data despread and lowpass filtered (width 2R_b), interferer spread (width 2R_a), noise floor]
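The despreading argument above as a small baseband simulation, added here as an illustration and not taken from the lecture. It assumes A_S = 1, no thermal noise, a fresh random ±1 chip sequence per bit standing in for a long spreading code, and a constructed spreading factor of 128.

```python
import math
import random


def simulate(n_bits, chips_per_bit, js_db, seed=1):
    """Baseband DSSS/BPSK link with a tone jammer at the carrier frequency.

    Returns (BER unspread, BER with DSSS, jammer suppression in dB).
    """
    rng = random.Random(seed)        # reproducible simulation, not a secure PRNG
    a_j = 10 ** (js_db / 20)         # jammer amplitude A_J for the given J/S
    err_plain = err_dsss = 0
    pow_plain = pow_dsss = 0.0       # jammer power left at the decision point
    for _ in range(n_bits):
        b = rng.choice((-1, 1))                                   # data bit b(t)
        a = [rng.choice((-1, 1)) for _ in range(chips_per_bit)]   # code a(t)
        # After mixing with cos(w0 t), a jammer at w0 is constant over the bit,
        # scaled by the cosine of its phase, which drifts from bit to bit.
        j = a_j * math.cos(rng.uniform(0, 2 * math.pi))
        y_plain = b + j              # unspread receiver: integrate b + j
        # DSSS: each chip is a*b + j; multiply by a again, integrate over the bit
        y_dsss = sum(c * (c * b + j) for c in a) / chips_per_bit
        err_plain += (y_plain > 0) != (b > 0)
        err_dsss += (y_dsss > 0) != (b > 0)
        pow_plain += (y_plain - b) ** 2
        pow_dsss += (y_dsss - b) ** 2
    suppression_db = 10 * math.log10(pow_plain / pow_dsss)
    return err_plain / n_bits, err_dsss / n_bits, suppression_db


if __name__ == "__main__":
    chips = 128                      # R_a / R_b, constructed value
    ber_plain, ber_dsss, supp = simulate(2000, chips, js_db=10)
    print(f"processing gain  : {10 * math.log10(chips):.1f} dB")
    print(f"jammer suppressed: {supp:.1f} dB")
    print(f"BER unspread {ber_plain:.3f}, BER with DSSS {ber_dsss:.4f}")
```

The measured suppression comes out close to 10·log10(R_a/R_b), which is the reduction factor the slide states.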

Processing gain (PG)

• The ratio (in dB) between the spread bandwidth and the original (unspread) bandwidth
  – E.g., if a 1 kHz signal is spread to 100 kHz, the processing gain is 100,000/1,000 = 100, or 10 log10(100) = 20 dB
• The PG is a signal to jammer (interference) ratio at the receiver after the despreading operation (removal of pseudo noise)
• PG increases the jamming margin: $M_J = PG - (SNR_{required} + Loss_{system})$
  – The level of interference that a system is able to accept and still maintain a specified level of performance (e.g., BER)

Example: A spread spectrum system with a 30 dB process gain, a minimum required output signal to noise of 10 dB and system implementation loss of 3 dB would have a jamming margin of 30 - (10+3) dB which is 17 dB. The spread spectrum system in this example could not be expected to work in an environment with interference more than 17 dB above the desired signal (50 times stronger signal).
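A link-budget check that combines the free-space J/S equations from the "Jamming parameters" slide with the jamming margin defined here, as an added example that is not part of the lecture. The function names, the 900 MHz frequency and the directional antenna gains are assumptions; 32.44 is the standard free-space constant for distances in km and frequencies in MHz.

```python
import math

FSPL_CONST = 32.44  # free-space loss constant for distance in km, frequency in MHz


def received_dbm(p_dbm, g_tx_db, g_rx_db, dist_km, freq_mhz):
    """Free-space received power in dBm (the slide's S and J equations)."""
    loss = FSPL_CONST + 20 * math.log10(freq_mhz) + 20 * math.log10(dist_km)
    return p_dbm + g_tx_db - loss + g_rx_db


def js_db(tx, jam, g_r_db=0.0, g_rj_db=0.0, freq_mhz=900.0):
    """J/S in dB; tx and jam are (power dBm, antenna gain dB, distance km)."""
    s = received_dbm(tx[0], tx[1], g_r_db, tx[2], freq_mhz)
    j = received_dbm(jam[0], jam[1], g_rj_db, jam[2], freq_mhz)
    return j - s             # the frequency term cancels, as "const." does


def jamming_margin_db(pg_db, snr_required_db, system_loss_db):
    """M_J = PG - (SNR_required + Loss_system)."""
    return pg_db - (snr_required_db + system_loss_db)


def link_holds(js, margin):
    """The link keeps its specified performance while J/S stays within M_J."""
    return js <= margin


def min_jammer_distance_km(tx, jam_p_dbm, jam_g_db, margin,
                           g_r_db=0.0, g_rj_db=0.0):
    """Jammer-to-receiver distance at which J/S equals the jamming margin."""
    s_terms = tx[0] + tx[1] + g_r_db - 20 * math.log10(tx[2])
    return 10 ** ((jam_p_dbm + jam_g_db + g_rj_db - s_terms - margin) / 20)


if __name__ == "__main__":
    tx, jam = (30, 3, 10), (50, 10, 30)      # the slide's transmitter and jammer
    margin = jamming_margin_db(30, 10, 3)    # the slide's DSSS system
    omni = js_db(tx, jam)                    # same receive gain in both directions
    beam = js_db(tx, jam, g_r_db=6, g_rj_db=-4)   # constructed antenna pattern
    print(f"margin {margin} dB")
    print(f"omni receiver  : J/S {omni:.2f} dB, holds: {link_holds(omni, margin)}")
    print(f"directional rx : J/S {beam:.2f} dB, holds: {link_holds(beam, margin)}")
    print(f"omni link holds if the jammer is beyond "
          f"{min_jammer_distance_km(tx, 50, 10, margin):.1f} km")
```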

DSSS narrowband jamming immunity

Recapitulation: DSSS signal spreading (1/3)

[Figure: power spectral density versus frequency for the data before spreading and for the spread data, each shown against the noise floor; block diagram: spreading modulator (spreading code), DSSS signal (RF link), spreading demodulator (spreading code)]

Recapitulation: DSSS signal and narrowband interferer (2/3)

[Figure: power spectral density versus frequency showing the spread data, the noise floor and the narrowband interferer; block diagram: spreading modulator (spreading code), DSSS signal (RF link), spreading demodulator (spreading code)]

Recapitulation: antijamming advantage (3/3)

[Figure: block diagram: spreading modulator (spreading code), DSSS signal (RF link), spreading demodulator (spreading code); power spectral density versus frequency after despreading (data despread, interferer spread, noise floor) and after lowpass filtering (data despread and lowpass filtered, interferer spread, noise floor)]

CDMA: Code Division Multiple Access

• Multiplexing users by distinct (orthogonal) PN codes
• Transmitters use low correlation PN codes
• Use the same RF bandwidth
• Transmit simultaneously

http://sss-mag.com/pdf/Ss_jme_denayer_intro_print.pdf

• Correlation of the received baseband spread spectrum signal with PN code of user 1 only despreads the signal of user 1
• PN codes have impulse-like autocorrelation
• Low crosscorrelation

http://sss-mag.com/pdf/Ss_jme_denayer_intro_print.pdf
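Two users sharing one band and being separated by correlation, as an added example that is not part of the lecture. It uses Walsh-Hadamard codes as the orthogonal code set and assumes the users are chip-synchronous; the data bits and amplitudes are constructed.

```python
def walsh_codes(n):
    """Rows of the n x n Hadamard matrix (n a power of two): orthogonal +/-1 codes."""
    rows = [[1]]
    while len(rows) < n:
        rows = [r + r for r in rows] + [r + [-c for c in r] for r in rows]
    return rows


def spread(bits, code, amplitude=1.0):
    """Each data bit (+1/-1) is multiplied by the user's whole chip sequence."""
    return [amplitude * b * c for b in bits for c in code]


def shared_channel(*signals):
    """All users transmit at once in the same band: their chips simply add."""
    return [sum(chips) for chips in zip(*signals)]


def correlate(rx, code):
    """Correlate the received chips with one code, one value per bit period."""
    n = len(code)
    return [sum(r * c for r, c in zip(rx[i:i + n], code)) / n
            for i in range(0, len(rx), n)]


def despread(rx, code):
    """Bit decisions for the user that owns `code`."""
    return [1 if v > 0 else -1 for v in correlate(rx, code)]


if __name__ == "__main__":
    codes = walsh_codes(8)
    bits1, bits2 = [1, -1, -1, 1], [-1, -1, 1, 1]    # constructed data
    rx = shared_channel(spread(bits1, codes[1]),
                        spread(bits2, codes[2], amplitude=3.0))  # user 2 is louder
    print("user 1:", despread(rx, codes[1]))
    print("user 2:", despread(rx, codes[2]))
    print("unused code:", correlate(rx, codes[5]))   # nothing despreads
```

With PN sequences instead of Walsh codes the cross-correlation is low rather than exactly zero, so the other users show up as residual noise after despreading.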

Jamming impact on current systems

• IEEE 802.11a/b/g (DSSS, known codes): to be covered in the lectures
• GPS (DSSS, known codes, low power)
• GSM/UMTS (TDMA/CDMA, known code sets)
• AM/FM radios
• ...