Attack and Defence in Radio and Communication Warfare

Akib Sayyed
akibsayyed@gmail.com
(Electronic) Communication
• Used by most of the world's population
• Used by law enforcement and defence forces in every mission
• Plays the most important role in time of war
• We are blind without communication
What are we looking at
• Radio Communication
– Communication Jamming
– Anti-Jamming Communication
– Locating Signal Source
– Smart Radio Grid
• Core Network
– What's there in the core network?
– Disrupting the Core Network
• Threat of Imported Telco Equipment
Radio Communication
• Communication using electromagnetic waves through the atmosphere or free space.
• Information is sent over radio waves by changing a property of the wave, such as pulse, phase, amplitude or frequency
• Consists of a transmitter and a receiver (TRX)
Types of Radio Frequency (Short Version)
• Very high frequency
– VHF
– 30–300 MHz
– 10 m – 1 m
• Ultra high frequency
– UHF
– 300–3000 MHz
– 1 m – 100 mm
• Super high frequency
– SHF
– 3–30 GHz
– 100 mm – 10 mm
Usages
• VHF
– FM, television, amateur radio, aircraft communication
• UHF
– Television, microwave, mobile communication, GPS, Bluetooth
• SHF
– Radio astronomy, microwave devices/communications, wireless LAN, most modern radars
How data is sent via Radio Waves
Different Ways to Send/Receive Radio Waves
• Commercial Radios
– Cellphones
– Walkie-Talkies
• SDR
– BladeRF
– HackRF
– USRP Series
• Signal Generators
• Spectrum Analyzer
How to Block / Protect Signals
• It is not possible to stop someone from sending or receiving signals
• The best options are jamming, scrambling, encryption and hopping
Jamming vs Scrambling vs Encryption
• Jamming: overlapping the signal with a more powerful signal so that the received signal becomes garbage
• Scrambling: transposing or inverting the signal, making it unintelligible to a receiver without the descrambler; performed in the analog domain
• Encryption: performed in the digital domain
(Illustration on the slide: a block of dummy plaintext vs its encrypted, base64-encoded form)
Hopping
Protecting Signals
• A protected signal should have the following qualities
– Low Probability of Detection (LPD)
– Low Probability of Intercept (LPI)
– Low Probability of Exploitation (LPE)
Low Probability of Detection
• The goal is to hide the signal so that an unintended receiver has difficulty determining that a signal is even present
Low Probability of Intercept
• If the signal is not LPD, an unintended receiver can receive it
• To reduce the probability of intercept one can use frequency hopping
• A receiver cannot easily follow a signal that hops across different frequencies unless it knows the hopping pattern
Low Probability of Exploitation
• If the signal is not LPD/LPI, or an attacker finds a way to receive it properly, extracting meaningful information from it should still be difficult
• Encryption is an example of LPE
Electronic Warfare
• Activities undertaken to intercept or deny communication
• 3 main components
– Electronic Attack (EA)
– Electronic Support (ES)
– Electronic Protect (EP)
Electronic Attack (EA)
• Using active signals to deny a communication system the ability to exchange information
• It could be
– Jamming
• Transmit noise on the frequencies in use
– Deception
• Send wrong information to mislead
– Directed energy
• Similar to jamming, but the goal is to permanently harm or destroy equipment
Electronic Support (ES)
• Supporting function for EA
• Essentially spectrum sensing: finding signals with specific characteristics
• Because if jamming is performed on an unused frequency, time and energy are wasted
Electronic Protect (EP)
• Protecting friendly communication from EA and ES
• If both sides use the same frequency, one should direct transmissions towards the target and away from friendly units
Anti-Jam Communication
• Communication with the ability to withstand jamming of the communication system
• Types of anti-jamming signals
– Direct-Sequence Spread Spectrum
– Frequency-Hopping Spread Spectrum
– Time-Hopping Spread Spectrum
Direct-Sequence Spread Spectrum
• The signal is spread across a wider bandwidth, and the entire bandwidth is occupied at every instant
• Because of the wider band, the energy present at any particular frequency is low
• This lowers the probability of detection, since an unintended receiver mistakes it for noise
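As an added example (not from the talk), a pure-Python simulation of the DSSS processing gain: a shared ±1 chip sequence spreads each bit, and a constructed narrowband tone jammer four times the signal amplitude flips bits on the unspread link but is averaged out by the despreading correlator. The fixed seed standing in for the secret spreading key, and the jammer's frequency and phase, are assumed values.

```python
import math
import random

def pn_chips(n_chips, seed):
    """Pseudo-random +/-1 chip sequence shared by transmitter and receiver.
    Constructed example: a fixed seed stands in for the secret spreading key."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(n_chips)]

def spread(bits, chips):
    """DSSS spreading: each data bit (+1/-1) is multiplied by the whole chip
    sequence, so the transmission occupies len(chips) times the bandwidth."""
    return [b * c for b in bits for c in chips]

def tone_jammer(n_samples, amplitude, freq=0.013, phase=0.7):
    """Narrowband tone sampled at the receiver's chip rate (constructed jammer;
    freq is in cycles per sample)."""
    return [amplitude * math.cos(2 * math.pi * freq * k + phase) for k in range(n_samples)]

def despread(samples, chips):
    """Correlate each chip-length block with the chip sequence. The wanted bit
    adds coherently (gain N); a tone uncorrelated with the chips averages
    toward zero, which is where the anti-jam margin comes from."""
    n = len(chips)
    decoded = []
    for i in range(0, len(samples), n):
        corr = sum(s * c for s, c in zip(samples[i:i + n], chips)) / n
        decoded.append(1 if corr >= 0 else -1)
    return decoded

def bit_errors(bits, n_chips, jam_amplitude, seed=42):
    """End-to-end link: spread -> add jammer -> despread. Returns the number of
    bit errors. n_chips=1 is the unspread (plain narrowband) link for comparison."""
    chips = pn_chips(n_chips, seed)
    tx = spread(bits, chips)
    jam = tone_jammer(len(tx), jam_amplitude)
    rx = [s + j for s, j in zip(tx, jam)]
    return sum(1 for b, d in zip(bits, despread(rx, chips)) if b != d)

if __name__ == "__main__":
    data = [1, -1, 1, 1, -1, 1, -1, -1, 1, 1, 1, -1, 1, -1, -1, 1]
    # Same jammer in both runs: 4x the signal amplitude (16x the power).
    print("bit errors, no spreading :", bit_errors(data, 1, 4.0))
    print("bit errors, 255-chip DSSS:", bit_errors(data, 255, 4.0))
```

The unspread link is decided sample by sample, so every sample where the tone exceeds the bit amplitude with the wrong sign is an error; with 255 chips the same tone contributes only about amplitude/sqrt(2N) of noise to each correlator output.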
Frequency-Hopping Spread Spectrum
• Based on the concept of hopping
• Occupies a single channel at any given instant
• Channel bandwidth is about ±10 kHz to ±200 kHz
• The signal hops in a predefined hopping sequence called the hop set
• 2 types
– SFHSS (Slow Frequency Hopping SS)
– FFHSS (Fast Frequency Hopping SS)
Time-Hopping Spread Spectrum
• TH changes the time of transmission randomly, so a receiver sees only noise most of the time
• The best example is PTT (push-to-talk) as used by the military and law enforcement
SDR Connections for DEMO
Demo of Anti Jam Signals
Jamming Anti-Jam Signals
• Partial-Dwell Jamming of FHSS Systems
• Noise Jamming
• Tone Jamming
• Pulse Jamming
• Follower Jamming
• Smart Jamming
Partial-Dwell Jamming of FHSS
• Only a portion of the signal is jammed
• There is a finite window in which to insert the jamming signal once the detected energy is confirmed to belong to the target signal
• One cannot jam the whole spectrum, but partial jamming is possible
Noise Jamming
• The carrier is modulated with a noise waveform
• The main aim is to insert noise at the receiver
• Types
– Broadband Noise Jamming (entire spectrum)
– Partial-Band Noise Jamming (part of the spectrum)
Tone Jamming
• A continuous narrowband tone is generated in the spectrum
• Could be single or multiple
• With multiple tones the power is distributed among all tones
• Types
– Single Tone
– Multiple Tones
Pulse Jamming
• Similar to partial-band noise jamming
• It is partial-band noise jamming without continuous transmission
• Has a lower average power than some other jamming techniques
Follower Jamming
• Follow the hopping path and predict the hopping sequence
• Once predicted, jam the next likely hopping channel
• Jamming could be with tones or modulated tones
• AKA responsive jamming, repeater jamming, repeat-back jamming
Smart Jamming
• Block the food supply
• Means blocking only the part that is important for synchronisation
• Most sync channels are not spread or hopping (e.g. GSM FCCH or C0)
• One can simply jam the main sync source
SDR Connections for DEMO
Demo of Jamming Signals
Smart Radio Grid
• For whom?
• Why do we need this?
• Applications
• SDR architecture
For Whom?
• Metro cities
• Airports
• Borders
Why Do We Need This?
• Signal generators are easy to get and use
• Imagine cases such as:
– Airport security radios are jammed
– Terrorists using a satellite phone to communicate in a metro city
– Law enforcement radios picking up misleading signals
• Tracking such cases is nearly impossible in real time (at least in India)
Applications
• Detect jamming signals
• Find illegal transmitters
– Fake cell towers
– Illegal broadcast stations
• Locate signal sources
• Smart jamming
• Intercept communication
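As an added example (not part of the talk or of any real grid product), a baseline-based detector that a monitoring node in such a grid could run over per-bin power scans: it learns the noise floor from clean captures, then labels runs of raised bins using the jamming taxonomy from the earlier slides (tone, partial-band, broadband). All scans are constructed in-line, and the function names, the 64-bin layout and the 10 dB threshold are assumptions.

```python
import math

def baseline_floor_dbm(clean_scans):
    """Per-bin noise floor learned from clean captures of the same band:
    the median over scans, so one noisy capture does not skew the baseline.
    Without such a baseline, broadband jamming that lifts every bin would
    simply look like a higher noise floor and go unnoticed."""
    n_bins = len(clean_scans[0])
    floor = []
    for i in range(n_bins):
        column = sorted(scan[i] for scan in clean_scans)
        floor.append(column[len(column) // 2])
    return floor

def hot_runs(scan_dbm, floor_dbm, threshold_db):
    """Contiguous runs of bins sitting more than threshold_db above the baseline."""
    runs, start = [], None
    for i, (p, f) in enumerate(zip(scan_dbm, floor_dbm)):
        if p - f > threshold_db:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - 1))
            start = None
    if start is not None:
        runs.append((start, len(scan_dbm) - 1))
    return runs

def classify(scan_dbm, floor_dbm, threshold_db=10.0, known_channels=()):
    """Label one scan with the jamming taxonomy from the slides. Single bins of
    known licensed transmitters are ignored so they are not reported as tones."""
    runs = [(s, e) for s, e in hot_runs(scan_dbm, floor_dbm, threshold_db)
            if not (s == e and s in known_channels)]
    if not runs:
        return "clear"
    covered = sum(e - s + 1 for s, e in runs) / len(scan_dbm)
    if covered >= 0.8:                      # nearly the whole band raised
        return "broadband noise jamming"
    if all(e - s <= 1 for s, e in runs):    # only narrow spikes
        return "tone jamming (%d tone%s)" % (len(runs), "s" if len(runs) > 1 else "")
    return "partial-band jamming"           # wide block, but not band-filling

def make_scan(n_bins=64, floor=-100.0, raised=(), rise_db=25.0):
    """Constructed spectrum (dBm per bin): a floor with a small ripple, raised
    by rise_db in the given bins. Stands in for an SDR's FFT output."""
    return [floor + math.sin(i) + (rise_db if i in raised else 0.0)
            for i in range(n_bins)]

if __name__ == "__main__":
    base = baseline_floor_dbm([make_scan(), make_scan(floor=-101.0), make_scan(floor=-99.5)])
    print(classify(make_scan(raised={17}), base))                 # tone jamming (1 tone)
    print(classify(make_scan(raised=set(range(20, 36))), base))   # partial-band jamming
```

A lone licensed narrowband carrier is indistinguishable from a single-tone jammer in one scan, so a real node would maintain the known_channels list and require the condition to persist across several scans before raising an alert.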
SDR Architecture
Core Network
• Traditional telecom protocols
• Less scrutinised for security flaws, in both protocol and implementation
• Uses custom distributions assembled from collected bits and pieces
Awareness in Telco Security
• Telcos have lately been testing their networks for security flaws
• Awareness is growing among telco people, as the once "gentlemen's network" is now open to all
• But vendor cooperation is lacking due to contracts and money
Threat of Imported Equipment
• Recently researchers found
– Hidden commands in equipment
– Some default passwords
– Embedded trojan horses which send data back to the device manufacturer
Steps Taken by the Indian Government
• Set up a Telecom Equipment Testing Lab
• Which will
– Test equipment for protocol implementation flaws and for security flaws
– Certify equipment
• A pilot lab was set up in Bangalore under Prof. N. Balakrishnan
Questions