Jamming Wireless 101
Jamming Zigbee for Under $100
Jacob Brodsky, PE
Control Systems Engineer
WHY?
Need Test Equipment to Validate Path
Include built in diagnostics
Denials of service will happen
What will a control system do?
Can you figure out why it happened?
Would you rather find out the hard way?
ISM Band
Industrial, Scientific, Medical use
47 CFR 15.5 (b)
Must shut down if it interferes with a licensed service
Must accept interference from anywhere
No legal recourse if it fails
If you want legal recourse, contact UTC
Get a License!
Just Zigbee?
Zigbee physical layer is IEEE 802.15.4
Used by 6LoWPAN
Used by ISA-100.11a
Same band includes 802.11b/g
Bluetooth
Lots of other proprietary stuff
Protocols for This Experiment
Not designing production devices
47 CFR 15.23 “Home Built Devices”
Good Engineering Practice
47 CFR 15.247 (a) (3) & (4)
Keep This REALLY simple
Descriptions herein are prototypes
Could be made for about $50 in quantity
Not giving explicit details
Definitions
dBm: Decibels referenced to 1 milliwatt
dBm = 10 log10 (P_mW / 1 mW)
0 dBm = 1 mW
+6 dBm = 4 mW
+30 dBm = 1 Watt
One Decibel Compression Point (P1dB)
Power output at which amplifier gain begins to limit
Frequency Modulation
For large modulation indexes, sidebands appear over wider and wider spectra
Sidebands are the modulation frequency apart
Some will null out
How to Jam Everything on 2.4 GHz
Make a sideband on every channel
Channels are 5 MHz apart
IEEE 802.15.4 Passband is only 2 MHz wide
Requires frequency accuracy
May have a null on channel
Guarantee a sideband in each passband
More sidebands required
Slightly less power per sideband
Use modulating frequency of around 1 MHz
Wide Deviation/High Index
Voltage Controlled Oscillator
A Low Noise/Medium Power Amplifier: P1dB > +20 dBm
Our High Tech Soldering
Our First Test Rigs
Purchased prefabricated units
Could build our own, but let’s keep this simple
Connectors make prototyping easy
SMD soldering not hard with a toaster oven
Our First Portable Jammer
The Portable Jammer Spectra
Results: Very Effective
Works against 802.11b/g
Works against Zigbee and 802.15.4
Can even jam ISA-100
Channel hopping may offer some resiliency
Communications statistics not easily read
As long as our noise is comparable strength, it will fail
Works against Bluetooth
Clear Channel Availability
Play Nice: if energy is present on the channel above a minimal threshold, inhibit the transmitter
What you hear may not be what the receiver hears
“Dusty” networks can be jammed
If you don’t talk, nobody will hear you
Questionable efficacy, especially in control applications
Why CCA Doesn’t Always Work
(Diagram: receiving antenna, transmitting signal, other signals)
Other Types of Jammers
Noise makers are easy to find if you know what you’re looking for
Repeater jammers are NOT
They only radiate when there is a signal
Re-radiated signal can be offset by some frequency to confuse the receiver
Very effective and efficient with power
Good luck finding it
An Oversimplified Repeating Jammer
(Block diagram: receiver antenna, I/Q split, LPF, voltage controlled oscillator, TX antenna)
Still more methods
Listen for a specific address and transmit on top of it
This has been done with Zigbee already
Also very difficult to find
Use three 802.11 transmitters and broadcast continuous trash on the band
Who would know the difference?
What Is Needed:
RSSI and Signal to Noise in every node
A “Wireless” Service Monitor
Monitor signals on the air
Monitor signal strength
Generate known good interrogations
If in a mesh, keep track of signal propagation path
Beware of critical nodes
Do Not Assume the Signal Will Get Through!
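As a worked illustration of the built-in diagnostics these slides ask for, here is an added example (not code from the talk). It runs over per-node telemetry and separates "noise floor rose and the link degraded" from "link degraded but the noise floor is unchanged", which is the difference between interference and a dead radio that the WHY? slide asks you to be able to tell apart. It assumes every node reports the RSSI of its peer, its own measured noise floor and a delivered-frame count per interval; the field names, thresholds and sample values are all constructed, and the dBm helpers apply the formula from the Definitions slide.

```python
"""Interference indicators from per-node radio telemetry.

Added example, not part of the original slides. It assumes each node
reports, for each interval, the RSSI of its peer's signal (dBm), the
noise floor it measures on the channel (dBm) and how many of the expected
frames it received. Field names, thresholds and sample values are
constructed for this illustration.
"""
import math
from dataclasses import dataclass


def dbm_to_mw(dbm: float) -> float:
    """Invert the slide's definition: P_mW = 10 ** (dBm / 10)."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw: float) -> float:
    """dBm = 10 * log10(P_mW / 1 mW)."""
    return 10 * math.log10(mw / 1.0)


@dataclass(frozen=True)
class Sample:
    node: str
    rssi_dbm: float    # wanted signal as seen by this node's receiver
    noise_dbm: float   # noise floor this node measures on its channel
    expected: int      # frames that should have arrived this interval
    received: int      # frames that actually arrived

    def snr_db(self) -> float:
        # Both values are in dBm, so the SNR in dB is a plain difference.
        return self.rssi_dbm - self.noise_dbm

    def delivery_ratio(self) -> float:
        return self.received / self.expected if self.expected else 0.0


def classify(baseline, current, noise_rise_db=10.0, min_snr_db=6.0, min_pdr=0.8):
    """Label each node in `current` against its quiet-time baseline.

    'interference'  link degraded AND noise floor rose by >= noise_rise_db
    'link failure'  link degraded but noise floor unchanged (dead radio,
                    antenna fault, path change ...)
    'ok'            SNR and delivery ratio both within limits
    'no baseline'   node never seen during calibration
    """
    labels = {}
    for s in current:
        b = baseline.get(s.node)
        if b is None:
            labels[s.node] = "no baseline"
            continue
        degraded = s.snr_db() < min_snr_db or s.delivery_ratio() < min_pdr
        noise_rise = s.noise_dbm - b.noise_dbm
        if degraded and noise_rise >= noise_rise_db:
            labels[s.node] = "interference"
        elif degraded:
            labels[s.node] = "link failure"
        else:
            labels[s.node] = "ok"
    return labels


# Constructed telemetry: a quiet-time baseline and one later interval.
BASELINE = {
    "pump-1":  Sample("pump-1",  -70.0, -95.0, 100, 99),
    "valve-3": Sample("valve-3", -65.0, -94.0, 100, 100),
    "tank-7":  Sample("tank-7",  -80.0, -96.0, 100, 97),
}
CURRENT = [
    Sample("pump-1",  -70.0, -72.0, 100, 41),   # noise up 23 dB, SNR 2 dB: interference
    Sample("valve-3", -66.0, -93.0, 100, 99),   # healthy
    Sample("tank-7",  -80.0, -96.0, 100, 12),   # frames lost, noise floor unchanged
    Sample("new-9",   -75.0, -95.0, 100, 100),  # not in the baseline
]

if __name__ == "__main__":
    for node, label in classify(BASELINE, CURRENT).items():
        print(f"{node:8s} {label}")
    print(f"+30 dBm = {dbm_to_mw(30):.0f} mW, 4 mW = {mw_to_dbm(4):+.1f} dBm")
```

The noise-rise condition is what makes the check useful: a node that simply stops being heard, with the channel as quiet as ever, points at the node or the path, not at interference. The baseline has to be captured when the band is known quiet, and the thresholds are starting points to tune against the radios actually deployed.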
Channel Hopping is more robust, HOWEVER
Data rate will drop significantly while hunting for new channels
Jammers can be adaptive too
Retries are incredibly inefficient
Forward Error Correction codes are better
LDPC
Turbo Codes
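To make the retries-versus-FEC point concrete, this added example (not from the slides) simulates both on the same random-bit-error channel and counts how many bits had to go over the air per frame delivered intact. A Hamming(7,4) code stands in for the LDPC and Turbo codes named above because it fits in a few lines; the frame size, bit-error rates and RNG seed are constructed.

```python
"""Retries versus forward error correction on a noisy channel.

Added example, not part of the original slides. Hamming(7,4) is used as a
stand-in for the LDPC/Turbo codes the slide names. Frame size, error rates
and the RNG seed are constructed. Both schemes must deliver a 32-bit frame
intact; the cost compared is over-the-air bits per delivered frame.
"""
import random

FRAME_BITS = 32


# Hamming(7,4): codeword = [p1, p2, d1, p3, d2, d3, d4] (bit positions 1..7).
def hamming_encode(nibble):
    """Encode 4 data bits (int 0..15) into a 7-bit codeword (list of 0/1)."""
    d = [(nibble >> i) & 1 for i in (3, 2, 1, 0)]   # d1..d4, MSB first
    p1 = d[0] ^ d[1] ^ d[3]
    p2 = d[0] ^ d[2] ^ d[3]
    p3 = d[1] ^ d[2] ^ d[3]
    return [p1, p2, d[0], p3, d[1], d[2], d[3]]


def hamming_decode(cw):
    """Correct up to one flipped bit and return the 4 data bits as an int."""
    c = list(cw)
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    pos = s1 + 2 * s2 + 4 * s3        # 1-based position of the bad bit, 0 if none
    if pos:
        c[pos - 1] ^= 1
    return (c[2] << 3) | (c[4] << 2) | (c[5] << 1) | c[6]


def transmit(bits, ber, rng):
    """Channel model: flip each bit independently with probability ber."""
    return [b ^ int(rng.random() < ber) for b in bits]


def random_frame(rng):
    return [rng.getrandbits(1) for _ in range(FRAME_BITS)]


def deliver_with_retries(frame, ber, rng):
    """Plain ARQ: resend the whole frame until a copy arrives error-free.
    Assumes the receiver detects every error (e.g. via a CRC)."""
    sent = 0
    while True:
        sent += FRAME_BITS
        if transmit(frame, ber, rng) == frame:
            return sent


def deliver_with_fec(frame, ber, rng):
    """Hamming(7,4) per nibble; retry only if errors remain after correction.
    Comparing against the original stands in for a CRC on the decoded frame."""
    nibbles = [sum(bit << (3 - j) for j, bit in enumerate(frame[i:i + 4]))
               for i in range(0, FRAME_BITS, 4)]
    coded = [bit for n in nibbles for bit in hamming_encode(n)]
    sent = 0
    while True:
        sent += len(coded)
        rx = transmit(coded, ber, rng)
        decoded = [hamming_decode(rx[i:i + 7]) for i in range(0, len(rx), 7)]
        if decoded == nibbles:
            return sent


def compare(ber, frames=2000, seed=1):
    """Average over-the-air bits per delivered frame: (retries, fec)."""
    rng = random.Random(seed)
    arq = fec = 0
    for _ in range(frames):
        f = random_frame(rng)
        arq += deliver_with_retries(f, ber, rng)
        fec += deliver_with_fec(f, ber, rng)
    return arq / frames, fec / frames


if __name__ == "__main__":
    for ber in (0.001, 0.01, 0.05, 0.1):
        arq, fec = compare(ber)
        print(f"BER {ber:<6} retries: {arq:7.1f} bits/frame   FEC: {fec:6.1f} bits/frame")
```

Run as a script it prints the cost at several error rates. On a clean channel the coded link loses: the 7/4 overhead costs more than the occasional retry. Once errors are frequent, as they are under interference, the retry count multiplies while the coded link degrades gracefully, which is the slide's point. A real receiver still needs a CRC or similar to know when correction failed, and in a live system the retry count itself is a statistic worth exporting to the monitor described on the previous slide.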
Cryptography can authenticate messages, but…
It can’t do much if it never gets the message
Questions?