Attack and Defence in Radio and Communication Warfare Akib Sayyed akibsayyed@gmail.com (electronic)Communication • Used by most of population in world • Used by Law Enforcement ,Defence in every mission • Plays most important role at time of WAR • We are blind without communication What are we looking at • Radio Communication – – – – Communication Jamming Anti Jamming Communication Locating Signal Source Smart Radio Grid • Core Network – What's there is core network? – Disrupting Core Network • Threat of Imported Telco Equipments Radio Communication • Its Communication using electro magnetic waves through atmosphere or free space. • Information is sent over radio waves using changing property of these waves such as pulse , phase , amplitude , frequency • Consist of transmitter and receiver (TRX) Types of Radio Frequency (Short Version) • Very high frequency – VHF – 30–300 MHz – 10 m – 1 m • Ultra high frequency – UHF – 300–3000 MHz – 1 m – 100 mm • Super high frequency – SHF – 3–30 GHz – 100 mm – 10 mm Usages • VHF – FM ,Television ,Amateur radio , Aircraft Communication • UHF – Television ,Microwave ,Mobile Communication ,GPS ,Bluetooth • SHF – Radio astronomy, microwave devices/communications, wireless LAN, most modern radars How data is sent via Radio Waves Different Ways to Send Receive Radio Waves • Commercial Radios – Cellphones – Walky Talkie • SDR – Blade RF – HackRF – USRP Series • Signal Generators • Spectrum Analyzer How to block /Protect Signals • It is not possible to stop one from sending or receiving signals • Best way is jam , scramble , encrypt ,Hopping Jamming VS Overlapping signals with more power so that signal becomes garbage Scrambling VS Transposing or inverting signals making it unintelligible for receiver without descrambler Performed in Analog Domain Encryption Digital Domain Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged VS uliAAg/XBrwuyJLBt9DkGqY4ZV EqXQ1uud+lczuh3C4RyJR1aOL 4/WBpQszWidjdqbZEN/lKVnSgt FpuNWGkD5u0t38R6XWO5xeU HMeeULvY9Ua51xQTx0f+uBZx J7uN6VMyv0+gMs3SnmR+6vSv ShYO6sjoZRV917ASKYJMh6LV FubxYCTjG4aWpfwG00PYYRZe PAKBpJrfrKo8ivc7VJpcHVRTLr CO8RwR47FsYxXr6m/3PSOQH CSSieb7iVA+t9ZPkaFMpLBYipD JrLKpvDbdxAXgNybf4FFgmcnM MDuvUhfafsKhD4UPFlFQ2SiZN gPXJBLjLfDon2n7yjyMfpxqMCX npVFhajzVNunha7OESzzfv6GM 0ucWe0u6DV7bLk/lNn9b+34FZ k1m Hopping Protecting Signals • Should have following qualities – Low Probability of Detection – Low Probability of Intercept – Low Probability of Exploitation Low probability of Detection • Goal is to hide signal somehow such that unintended receiver has difficulty to determine that signal even present Low probability of Intercept • If signal is not LPD type then unintended receiver can receive it • So to reduce probability of intercept one can use frequency hopping • Due to frequency one cannot easily receive signal which is hopping on different frequency unless he knows pattern of hopping Low Probability of Exploitation • In case signal is not LPD/LPI or attacker finds out way to receive signal properly then getting meaningful information from that signal should be difficult • Encryption is example of LPE Electronic warfare • Activities taken to accomplish the intercept or denial of communication • 3 main components – Electronic attack(EA) – Electronic support(ES) – Electronic protect(EP) Electronic Attack (EA) • Using active signals to deny communication system from actively exchanging information • It could be – Jamming • Transmit noise on those freq – Deception • Send wrong information to mislead – Directed energy • Similar to jamming but goal is to permanently harm or destroy equipment Electronic Support (ES) • Supporting function for EA • Its more like spectrum sensing and find signal with specific characteristics • Cause if jamming is being performed on non utilized frequency then time and energy is wasted Electronic Protect (EP) • Protecting friendly communication from EA and ES attacks • In case both are using same frequency then one should transmit signals towards target and away from friendly units AntiJam Communication • Communication with ability to fight jamming of communication system • Type of Anti Jamming signals – Direct-Sequence Spread Spectrum – Frequency-Hopping Spread Spectrum – Time-Hopping Spread Spectrum Direct-Sequence Spread Spectrum • Technique involves spreading signal across a wider bandwidth and entire bandwidth is occupied instantly • Due wider band, energy present at particular frequency is low • Causing less probability of detection as unintended receiver mistake it as noise Frequency Hopping Spread Spectrum • Based on concept of hopping • Occupies single channel at given instant • Bandwidth about be from +-10khz to +-200khz • Signal hops in predefined hopping sequence called hop set • 2 types – SFHSS (Slow Frequency Hopping SS) – FFHSS (Fast Frequency Hopping SS) Time Hopping Spread Spectrum • TH changes time of transmission randomly causing receive noise most of time • Best example is PTT used by military and law enforcement SDR Connections for DEMO Demo of Anti Jam Signals Jamming Anti-Jam Signals • Partial Dwell Jamming of FHSS Systems • Noise Jamming • Tone Jamming • Pulse Jamming • Follower Jamming • Smart Jamming Partial Dwell Jamming of FHSS • Portion of Signal is jammed • There is finite amount of time to insert jam signal if detect energy belongs to correct signal to jam • One cannot jam whole spectrum but partial is possible Noise Jamming • Carrier Signal is modulates with Noise Waveform • Main aim is to insert noise at receiver end • Types – Broadband Noise Jamming (Entire Spectrum) – Partial Band Noise Jamming (Partial Spectrum) Tone Jamming • Continuous Tone is generated on spectrum in narrowband • Could be single or multiple • In case of multiple tones power is distributed among all tones • Type – Single Tone – Multiple Tones Pulse Jamming • Similar to Partial Band Noise jamming • Its partial band noise jamming with no continuous transmission • Have low avg power than some of other jamming technique Follower Jamming • Follow hopping path and predict hopping sequence • Once predicted jam next possible hopping channel • Jamming could be in tones or modulated tones • AKA responsive jamming , repeater jamming ,repeat back jamming Smart Jamming • Block the food supply • Means only block part which is important for sync • As most of sync channel are not spread or hopping (e.g. GSM FCCH or C0) • One can simply jam main sync source SDR Connections for DEMO Demo of Jamming Signals Smart Radio Grid • For whom ? • Why we need this? • Applications • SDR arch For Whom? • Metro Cities • Air Port • Borders Why We need this? • Signal generators are easy to get and use • Imagine case: – Airport security radios are jammed – Terrorist using satellite phone to communicate in Metro Cities – Law enforcement radio are picking up misleading signals • Tracking such case is nearly impossible in real time (at least in India) Applications • Detect Jamming Signals • Find Illegal Transmitters – Fake cell towers – Illegal broadcast stations • Locate signalling source • Smart Jamming • Intercept Communication SDR Arch Core Network • Traditional Telecom Protocol • Less scrutinized for security flaws for both protocol and implementation • Uses custom distro using collecting bits and pieces Awareness in Telco Security • Telcos are testing there network for security flaws lately • Awareness is taking place in telco people as only gentlemen network is now open to all • But vendors co-operations is lacking due to contracts and money Threat of imported equipments • Recently researchers found – Hidden commands in equipments – Some default password – Trojan horse embedded which sends data back to device manufacturer Steps Taken by Indian Government • Setup Telecom Equipment Testing Lab • Which will – Test equipments for protocol implementation flaw and for security flaws – Certify equipment • Pilot lab was setup in banglore under Prof. N. Balakrishnan Questions