FELK 19: Security of Wireless Networks
Mario Čagalj
University of Split
2013/2014.
Adversarial interference: radio jamming
Adversarial interference: jamming (1/4)
• Transmitting a signal on the same frequency/band on which the honest parties communicate
• Blocks the reception of the message at the receiver B
[Figure: sender A transmits the original signal S to receiver B; the jammer M transmits the jamming signal J]
Jamming - physical layer (2/4)
• Modification (e.g. bit flipping)
  – Can cause the message to change or become undecodable
  – Can be (partially) addressed by Error Correction Codes
• Overshadowing
  – The attacker's signal is dominant, the original seems like noise, i.e., m_Source + m_Attacker = m_Attacker
• Jamming (Interference)
  – The attacker's signal makes it impossible for the radio to decode (demodulate) the message, i.e., m_Source + m_Attacker = random / cannot be decoded (low SINR, low Eb/N, implies high BER)
• Jamming and overshadowing can be (partially) addressed by spread spectrum and similar communication techniques
Jamming - physical layer (3/4)
http://eprint.iacr.org/2013/581.pdf
Jamming parameters (4/4)
• Jamming-to-signal (J/S) ratio: the ratio of the power of the two received signals within the frequency passband of the receiver.
  S = PT + GT - const. - 20log(RS) + GR
  J = PJ + GJ - const. - 20log(RJ) + GRJ
  J/S = J - S (dB)      (free-space model)
• Example:
  – For effective jamming J/S = 0 to 40 dB (typically 10 dB).
  – Jammer uses 100 W (50 dBm), antenna gain 10 dB, distance 30 km
  – Transmitter uses 1 W (30 dBm), antenna gain 3 dB, distance 10 km
  – J/S ≈ 17 dB > probably successful jamming
[Figure: power spectral density (W/Hz) versus frequency; the jamming signal and the desired signal both fall within the receiver passband]
©D. Adamy, A First Course on Electronic Warfare
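The slide's worked example, as an added Python calculator (not code from the lecture): it evaluates S, J and J/S = J - S under the free-space model and then shows what the next slide states, namely that a directional receiver antenna lowers J/S dB for dB. The symbol meanings are an assumption of this example: PT/PJ transmit power (dBm), GT/GJ transmit antenna gain (dB), RS/RJ distance to the receiver (km), GR/GRJ receiver antenna gain toward the signal and toward the jammer (dB); the frequency-dependent constant is identical for both links and cancels in the difference.

```python
"""Jamming-to-signal (J/S) link budget under the free-space model.

Added example for the slide's J/S equations (not code from the lecture):
    S = PT + GT - const - 20 log10(RS) + GR
    J = PJ + GJ - const - 20 log10(RJ) + GRJ
    J/S = J - S   (dB)
"""
import math


def watts_to_dbm(power_w):
    """100 W -> 50 dBm, 1 W -> 30 dBm (as on the slide)."""
    return 10 * math.log10(power_w * 1000.0)


def received_level_db(p_tx_dbm, g_tx_db, distance_km, g_rx_db, const_db=0.0):
    """One link of the free-space model: transmit power plus antenna gains,
    minus the constant and the 20 log10(R) distance term."""
    return p_tx_dbm + g_tx_db - const_db - 20 * math.log10(distance_km) + g_rx_db


def j_over_s_db(jammer, transmitter, g_r_db=0.0, g_rj_db=0.0):
    """J/S in dB. jammer/transmitter: (power dBm, antenna gain dB, distance km).
    g_r_db / g_rj_db: receiver antenna gain toward the signal / toward the jammer
    (assumed symbols GR / GRJ of the slide)."""
    p_j, g_j, r_j = jammer
    p_t, g_t, r_s = transmitter
    j = received_level_db(p_j, g_j, r_j, g_rj_db)
    s = received_level_db(p_t, g_t, r_s, g_r_db)
    return j - s


# Constructed scenario, taken from the slide's worked example
JAMMER = (watts_to_dbm(100), 10.0, 30.0)      # 50 dBm, 10 dB gain, 30 km
TRANSMITTER = (watts_to_dbm(1), 3.0, 10.0)    # 30 dBm, 3 dB gain, 10 km
TYPICAL_EFFECTIVE_JS_DB = 10.0                 # slide: "typically 10 dB"


def slide_example_js_db():
    """Omnidirectional receiver (GR = GRJ): about 17 dB, as on the slide."""
    return j_over_s_db(JAMMER, TRANSMITTER)


def directional_receiver_js_db(main_lobe_gain_db=10.0, sidelobe_gain_db=0.0):
    """Same scenario, but the receiver antenna points at the transmitter:
    main lobe toward the signal, a sidelobe toward the jammer (assumed
    gains), so J/S drops by the gain difference, dB for dB."""
    return j_over_s_db(JAMMER, TRANSMITTER,
                       g_r_db=main_lobe_gain_db, g_rj_db=sidelobe_gain_db)


def likely_jammed(js_db, threshold_db=TYPICAL_EFFECTIVE_JS_DB):
    """Rough go/no-go check against the slide's typical J/S requirement."""
    return js_db >= threshold_db


if __name__ == "__main__":
    omni = slide_example_js_db()
    directional = directional_receiver_js_db()
    print("omnidirectional receiver: J/S = %.1f dB, jammed: %s" % (omni, likely_jammed(omni)))
    print("directional receiver:     J/S = %.1f dB, jammed: %s" % (directional, likely_jammed(directional)))
```

With the slide's numbers the omnidirectional case gives about 17.5 dB; giving the receiver 10 dB more gain toward its transmitter than toward the jammer brings it to about 7.5 dB, below the typical 10 dB needed, which is the defensive point of the "jammer's location" slide.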
The importance of jammer’s location
• Antenna gain: the ratio of the radiation intensity, in a given direction, to the radiation intensity that would be obtained if the power accepted by the antenna were radiated isotropically
• If the receiving antenna is not omnidirectional, its gain to the jamming signal (GRJ) will be different (usually less) than its gain to the desired signal (GR)
[Figure: antenna gain pattern of the receiver, with gain GR toward the desired signal transmitter and gain GRJ toward the jammer]
©D. Adamy, A First Course on Electronic Warfare
Parameters influencing J/S
The Effect of Each Parameter in the Jamming Situation on J/S
Parameter (increasing)                  Effect on J/S
Jammer transmit power                   Directly increases J/S dB for dB
Jammer antenna gain                     Directly increases J/S dB for dB
Jammer-to-receiver distance             Decreases J/S as the distance²
Signal transmit power                   Directly decreases J/S dB for dB
Transmitter-to-receiver distance        Increases J/S as the distance²
Transmit antenna gain                   Directly decreases J/S dB for dB
(Directional) receiver antenna gain     Directly decreases J/S dB for dB
Implications on jamming (example): Attacks on Skyhook localization system
• Skyhook – utilizes public WiFi access points and cellular towers to provide accurate information about the user’s location
http://www.skyhookwireless.com/howitworks/loader_howitworks.swf
http://www.skyhookwireless.com
• Attack goal: device displays an incorrect location
• Attack: jam signals from legitimate APs and insert messages with MAC addresses corresponding to other APs
• More attacks: database poisoning, ...
www.syssec.ethz.ch
Implications on jamming - example: Stealing bandwidth in WiFi networks
[Figure: Station 2 jams using a directional antenna; Station 1 gets all the bandwidth]
Implications on jamming - example: The case of GPS
• Used not only for positioning, but also for fine synchronization of communication systems
  – Mobile networks
  – Pagers
  – ATMs
Implications on jamming - example: The case of GSM, UMTS
• It is possible to mount a man-in-the-middle attack on your mobile phone voice/data communication
• We will see this in the lab :)
Implications on jamming - example: Jamming for good or friendly jamming
• Securing implantable devices
  – “They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices”
  – http://groups.csail.mit.edu/netmit/IMDShield/paper.pdf
• Cool, but one should exercise caution
  – “On Limitations of Friendly Jamming for Confidentiality”
  – http://www.syssec.ethz.ch/research/sp2013_tippenhauer.pdf
Anti-jamming communication
Basic Anti-jamming Communication
• Basic principle: “If you cannot beat them – run and hide”
• Spread Spectrum techniques:
  – FHSS (Frequency Hopping Spread Spectrum)
  – DSSS (Direct Sequence Spread Spectrum)
  – FHSS/DSSS (combination)
[Figure: power versus frequency; a narrowband signal (high peak power) compared with a spread spectrum signal (low peak power)]
Anti-jamming Communication
• We need an advantage over the attacker
• A secret key (K) shared between the sender and receiver provides this advantage
• If time permits, we will show how to provide anti-jamming communication without the shared key (Uncoordinated Frequency Hopping)
[Figure: A and B share the key K]
Frequency Hopping Spread Spectrum
• FHSS
  – Synchronized sender and receiver
  – Share a key – from the key a sequence of frequencies is derived
  – E.g., used in Bluetooth (79 x 1 MHz channels)
[Figure: frequency versus time; the signal hops across the hopping range, staying one hop period on each frequency]
©D. Adamy, A First Course on Electronic Warfare
Frequency spectrum for FHSS
[Figure: power spectral density versus frequency; hops #1, #3, #34, #56, ... each occupy one channel bandwidth within the hopping band]
Jamming FHSS signals: follower jammer
(1) Detect the frequency and (2) jam
Bluetooth: 79 channels, 1 MHz each; 1600 hops/second
Jaguar V system: 2320 channels
©D. Adamy, A First Course on Electronic Warfare
Jamming FHSS signals: partial band jammer
• A partial band jammer distributes its available power to achieve 0 dB J/S in each jammed channel at the jammed receiver
• E.g., J/S = 0 dB is sufficient to achieve a high bit error rate (BER)
• Optimizes the available jamming power to successfully jam as many channels as possible
[Figure: transmitter (XMTR) at distance RS and jammer (JMR) at distance RJ from the receiver (RCVR); the jammer power is spread evenly over a subset of the hopping channels for 0 dB J/S per channel]
©D. Adamy, A First Course on Electronic Warfare
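An added Python model of the FHSS and partial-band-jammer slides (not code from the lecture or from any real system). It derives the hop sequence from the shared key K, which is the advantage the "Anti-jamming Communication" slide relies on, and then estimates how many hops a partial-band jammer of a given power reaches, which is the number a link designer needs to size coding and retransmission margins. Assumptions: the hop selection is HMAC-SHA256(key, hop index) mod N, chosen here only to illustrate key-dependence (Bluetooth's real hop selection is different); the 79 channels and 1600 hops/s are the Bluetooth figures from the slides; the jammer follows the slide's model of spreading its power evenly to reach 0 dB J/S per jammed channel.

```python
"""Key-derived frequency hopping and the reach of a partial-band jammer.

Added example (not lecture code). HMAC-based hop selection and the
constructed key are assumptions of this example.
"""
import hashlib
import hmac
import math

NUM_CHANNELS = 79          # Bluetooth: 79 x 1 MHz channels (slide)
HOPS_PER_SECOND = 1600     # Bluetooth hop rate (slide)


def hop_channel(key, hop_index, num_channels=NUM_CHANNELS):
    """Channel for hop number hop_index; computing it needs the shared key K."""
    mac = hmac.new(key, hop_index.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % num_channels


def hop_sequence(key, n_hops, num_channels=NUM_CHANNELS):
    return [hop_channel(key, i, num_channels) for i in range(n_hops)]


def receiver_follows(key_sender, key_receiver, n_hops):
    """Synchronized sender and receiver land on the same channel only if their
    keys agree; a party without K cannot predict the next channel."""
    return hop_sequence(key_sender, n_hops) == hop_sequence(key_receiver, n_hops)


def partial_band_channels(j_total_db, s_per_channel_db, num_channels=NUM_CHANNELS):
    """Channels a partial-band jammer can hold at 0 dB J/S (slide model).
    Spreading its received power J over n channels leaves J - 10 log10(n)
    per channel; 0 dB J/S needs that >= S, i.e. n <= 10^((J - S)/10)."""
    n = int(math.floor(10 ** ((j_total_db - s_per_channel_db) / 10.0) + 1e-9))
    return max(0, min(n, num_channels))


def fraction_of_hops_lost(sequence, jammed_channels):
    """Share of hops landing in a jammed channel (input for sizing the
    error-correction / retransmission margin of the link)."""
    jammed = set(jammed_channels)
    return sum(1 for ch in sequence if ch in jammed) / len(sequence)


def one_second_loss(key, j_total_db, s_per_channel_db):
    """Hops lost in one second when a jammer that does not know K covers
    the lowest-numbered channels its power allows."""
    n = partial_band_channels(j_total_db, s_per_channel_db)
    return fraction_of_hops_lost(hop_sequence(key, HOPS_PER_SECOND), range(n))


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print("first hops:", hop_sequence(key, 8))
    print("receiver with the same key follows:", receiver_follows(key, key, 100))
    print("receiver with another key follows: ", receiver_follows(key, b"other", 100))
    for margin_db in (0, 10, 19):
        print("jammer %2d dB above per-channel S: %2d channels, %.2f of hops lost"
              % (margin_db, partial_band_channels(margin_db, 0),
                 one_second_loss(key, margin_db, 0)))
```

The last loop shows the arithmetic behind the slide: a jammer whose total received power is 10 dB above the per-channel signal can hold ten of the 79 channels at 0 dB J/S and so hits roughly one hop in eight; at 19 dB it covers the whole hop set, which is why the hopping range (and the follower jammer's detection speed) is the quantity to compare against the jammer's power budget.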
Finding FHSS transmitters
Detection of signal direction: when collected data shows multiple frequencies at one angle of arrival, a frequency hopper is identified.
©D. Adamy, A First Course on Electronic Warfare
Direct Sequence Spread Spectrum (DSSS)
• Secret spreading code – DSSS hides the signal
  – Signal detection is now more difficult
  – Signal “hidden” in the noise
  – Signal interception/modification difficult
• Jamming
  – Narrowband jamming now requires much higher power
  – Broadband jamming still effective
• Motivation: Shannon channel capacity (C)
  – C = B × log2(1 + S/N), or C/B ≈ 1.433 × S/N (for small S/N << 1)
  – B is the available channel bandwidth
  – For S/N << 1, it is still possible to communicate in an error-free manner given sufficiently large B!
Direct Sequence Spread Spectrum (DSSS)
[Figure: block diagram; data enters the spreading modulator driven by the spreading code, crosses the RF link as the DSSS signal, and is recovered by the spreading demodulator driven by the same spreading code]
Example: DSSS with BPSK modulation
• Original BPSK modulated signal
  – s(t) = b(t)·cos(ω0t), with b(t) ∈ {-1, +1} being the input data
• DS spread spectrum signal
  – ss(t) = a(t)·s(t) = a(t)·b(t)·cos(ω0t), with a(t) ∈ {-1, +1} being the spreading code
  – The bit rate of b(t) is denoted Rb, and that of a(t) is denoted Ra
  – Rb << Ra (the spreading effect)
[Figure: waveforms of the data b(t), the spreading code a(t) and their product a(t)·b(t)]
Example: Spreading effect
• The resulting signal is similar to g(t)
• Bandwidth of s(t) is 2Rb and of ss(t) is 2Ra
• The spectrum is spread by the ratio Ra/Rb
• The power of s(t) and ss(t) is the same, so the Power Spectral Density is reduced by Ra/Rb
[Figure: power spectral density versus frequency; the spectrum of the original signal s(t) (width 2Rb) and of the spread signal ss(t) (width 2Ra)]
Example: DSSS with BPSK demodulation
• The incoming signal at the receiver r(t) = AS·ss(t) is first multiplied by a(t), then by cos(ω0t), integrated for the duration of the bit and finally low-pass filtered
• The spreading code a(t) has an impulse-like autocorrelation function:
  a(t)·a(t−τ) = 1 for τ = 0, and a(t)·a(t−τ) << 1 for τ ≠ 0
• After multiplying the incoming signal with a(t), we despread:
  r(t)·a(t) = AS·ss(t)·a(t) = AS·a(t)·b(t)·cos(ω0t)·a(t) = AS·b(t)·cos(ω0t) = AS·s(t)
• After multiplying with cos(ω0t):
  AS·b(t)·cos(ω0t)·cos(ω0t) = (AS/2)·b(t) + (AS/2)·b(t)·cos(2ω0t)
  The second term is removed by the low-pass filter, leaving (AS/2)·b(t)
Why spreading?
[Figure: the data before spreading occupies 2Rb above the noise floor; after the spreading modulator the DSSS signal on the RF link occupies 2Ra with its power spectral density lowered toward the noise floor; the spreading demodulator with the same spreading code recovers it]
Why spreading?
• Immunity to interfering (narrowband) signals
  – Suppose a jamming signal is present at ω0
  – Input to the receiver: r(t) = AS·ss(t) + AJ·cos(ω0t)
[Figure: power spectral density of the spread data near the noise floor, with the narrowband interferer (jamming signal) rising above it]
Why spreading?
• Immunity to interfering (narrowband) signals
  – Suppose a jamming signal is present at ω0
  – After multiplying the incoming signal with the spreading code a(t) we have
    r(t)·a(t) = AS·b(t)·cos(ω0t) + AJ·a(t)·cos(ω0t)
  – The wanted signal gets despread, the jamming signal gets spread!
[Figure: power spectral density versus frequency after despreading and low-pass filtering; the data is despread into a narrow band while the interferer is spread over the wide band, close to the noise floor]
Why spreading?
• By low-pass filtering the resulting signal, the effective power of the interference is reduced by the factor Ra/Rb
• The processing gain
[Figure: power spectral density versus frequency; the despread and low-pass filtered data occupies 2Rb while the spread interferer is distributed over 2Ra]
Processing gain (PG)
• The ratio (in dB) between the spread bandwidth and the original (unspread) bandwidth
• E.g., if a 1 kHz signal is spread to 100 kHz, the processing gain is 100,000/1,000 = 100, or 10log10(100) = 20 dB
• The PG is the signal-to-jammer (interference) ratio at the receiver after the despreading operation (removal of the pseudo noise)
• PG increases the jamming margin: MJ = PG – (SNRrequired + Losssystem)
  – The level of interference that a system is able to accept and still maintain a specified level of performance (e.g., BER)
Example: A spread spectrum system with a 30 dB processing gain, a minimum required output signal-to-noise ratio of 10 dB and a system implementation loss of 3 dB would have a jamming margin of 30 - (10+3) dB, which is 17 dB. The spread spectrum system in this example could not be expected to work in an environment with interference more than 17 dB above the desired signal (a 50 times stronger signal).
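An added baseband simulation of the "Why spreading?" slides and the processing-gain slide above (not code from the lecture). It spreads BPSK data with a(t), adds a narrowband jammer at the carrier, despreads with the same code and integrates over one bit period, which is what the cos(ω0t) multiplication followed by low-pass filtering reduces to at baseband. Assumptions of this example: the spreading code is a 127-chip m-sequence from a 7-stage LFSR (a real system uses its own code), the jammer sits exactly at ω0 so it appears as the constant AJ after carrier removal, and the data bits are constructed. The slide's Ra/Rb figure is the average suppression over codes; the last function measures it over random ±1 codes, while the single m-sequence rejects an exactly carrier-centred tone even better because its chips are balanced.

```python
"""DSSS with BPSK at baseband: spreading, a narrowband jammer, despreading,
processing gain and jamming margin. Added example, not lecture code."""
import math
import random


def lfsr_msequence():
    """127-chip m-sequence from a Fibonacci LFSR with primitive feedback
    polynomial x^7 + x + 1, mapped to +/-1 (assumed code for this example).
    Over one period the chips are balanced up to a single +/-1."""
    state = [1] * 7
    chips = []
    for _ in range(2 ** 7 - 1):
        chips.append(1 if state[-1] else -1)
        feedback = state[-1] ^ state[-2]
        state = [feedback] + state[:-1]
    return chips


def spread(bits, code):
    """ss(t) = a(t)*b(t): each bit (0 -> -1, 1 -> +1) is multiplied chip by chip
    with the code, so the chip rate Ra = len(code) * Rb."""
    out = []
    for b in bits:
        sym = 1 if b else -1
        out.extend(sym * c for c in code)
    return out


def channel(chips, a_s=1.0, a_j=0.0, noise_std=0.0, seed=1):
    """r(t) = AS*ss(t) + AJ*cos(w0 t) (+ optional noise), after the receiver's
    carrier multiplication: the carrier-centred jammer becomes the constant AJ."""
    rng = random.Random(seed)
    return [a_s * c + a_j + rng.gauss(0.0, noise_std) for c in chips]


def despread_and_detect(received, code):
    """Multiply by a(t) and integrate over one bit period (the low-pass step).
    The wanted signal collapses to +/-AS, the jammer to AJ * mean(code)."""
    n = len(code)
    decisions, statistics = [], []
    for start in range(0, len(received), n):
        block = received[start:start + n]
        stat = sum(r * c for r, c in zip(block, code)) / n
        statistics.append(stat)
        decisions.append(1 if stat > 0 else 0)
    return decisions, statistics


def bit_errors(sent, decoded):
    return sum(1 for s, d in zip(sent, decoded) if s != d)


def processing_gain_db(chips_per_bit):
    """PG = 10 log10(Ra/Rb); the slide's 1 kHz -> 100 kHz case gives 20 dB."""
    return 10 * math.log10(chips_per_bit)


def jamming_margin_db(pg_db, snr_required_db, system_loss_db):
    """MJ = PG - (SNRrequired + Losssystem); slide figures: 30 - (10 + 3) = 17 dB."""
    return pg_db - (snr_required_db + system_loss_db)


def average_tone_suppression_db(chips_per_bit, trials=2000, seed=3):
    """Average power reduction (dB) of a carrier-centred tone after despreading,
    over random +/-1 codes: the residual is AJ*mean(code), whose mean square is
    1/N, i.e. the Ra/Rb factor of the slides (about 21 dB for N = 127)."""
    rng = random.Random(seed)
    acc = 0.0
    for _ in range(trials):
        code = [rng.choice((-1, 1)) for _ in range(chips_per_bit)]
        acc += (sum(code) / chips_per_bit) ** 2
    return -10 * math.log10(acc / trials)


CODE = lfsr_msequence()            # 127 chips per bit
DATA = [1, 0, 1, 1, 0, 0, 1, 0]    # constructed data bits


def demo(a_j=20.0):
    """Bit errors (without spreading, with spreading) under a jammer of
    amplitude AJ = 20, i.e. 26 dB above the unit-amplitude wanted signal."""
    plain = channel(spread(DATA, [1]), a_j=a_j)
    dsss = channel(spread(DATA, CODE), a_j=a_j)
    err_plain = bit_errors(DATA, despread_and_detect(plain, [1])[0])
    err_dsss = bit_errors(DATA, despread_and_detect(dsss, CODE)[0])
    return err_plain, err_dsss


if __name__ == "__main__":
    print("processing gain for 127 chips/bit: %.1f dB" % processing_gain_db(len(CODE)))
    print("jamming margin with the slide's numbers: %.0f dB" % jamming_margin_db(30, 10, 3))
    print("bit errors without / with spreading:", demo())
    print("average tone suppression over random codes: %.1f dB" % average_tone_suppression_db(len(CODE)))
```

Without spreading every bit is pulled to the jammer's sign and half the constructed bits are wrong; with the 127-chip code the jammer's contribution to the decision statistic shrinks to AJ/127 and all bits survive a jammer 26 dB stronger than the signal, beyond the 21 dB processing gain because the tone sits exactly on the carrier. The jamming margin arithmetic reproduces the slide's 17 dB.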
DSSS narrowband jamming immunity
Recapitulation: DSSS signal spreading (1/3)
[Figure: the data before spreading (narrow, above the noise floor) enters the spreading modulator with the spreading code; the DSSS signal on the RF link is spread wide and close to the noise floor; the spreading demodulator with the same code follows]
Recapitulation: DSSS signal and narrowband interferer (2/3)
[Figure: the same chain; on the RF link a narrowband interferer rises above the spread data and the noise floor]
Recapitulation: antijamming advantage (3/3)
[Figure: after the spreading demodulator the data is despread while the interferer is spread; after low-pass filtering the despread data stands above the spread interferer and the noise floor]
CDMA: Code Division Multiple Access
• Multiplexing users by distinct (orthogonal) PN codes
  – Transmitters use low correlation PN codes
  – Use the same RF bandwidth
  – Transmit simultaneously
• Correlation of the received baseband spread spectrum signal with the PN code of user 1 only despreads the signal of user 1
  – PN codes have an impulse-like autocorrelation
  – Low cross-correlation
http://sss-mag.com/pdf/Ss_jme_denayer_intro_print.pdf
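An added Python illustration of the CDMA slide (not code from the lecture or from the linked introduction). Assumptions: the users' codes are rows of a Walsh-Hadamard matrix, which are exactly orthogonal when chip-aligned (real systems use their own code sets), the three users' bits are constructed, and all users transmit at once in the same bandwidth so their chip streams add on the air. The receiver correlates the sum with one user's code and recovers only that user's bits; the last function also shows why the slide asks for low cross-correlation and impulse-like autocorrelation rather than orthogonality alone: a one-chip misalignment makes two orthogonal Walsh rows identical.

```python
"""CDMA on top of DSSS: users separated by codes. Added example, not lecture code."""


def hadamard(order):
    """Sylvester construction H(2n) = [[H, H], [H, -H]]; order is a power of 2.
    Distinct rows have zero cross-correlation when chip-aligned."""
    h = [[1]]
    while len(h) < order:
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h


def spread(bits, code):
    """a(t)*b(t): each bit (0 -> -1, 1 -> +1) times the whole code."""
    out = []
    for b in bits:
        sym = 1 if b else -1
        out.extend(sym * c for c in code)
    return out


def correlate(chips, code):
    """Per-bit correlation with a code: multiply by the code and integrate over
    one bit period (the despreading step of the slides)."""
    n = len(code)
    return [sum(r * c for r, c in zip(chips[i:i + n], code)) / n
            for i in range(0, len(chips), n)]


def cdma_transmit(streams):
    """streams: {user: (bits, code)}. Returns the on-air sum of all users."""
    spread_streams = [spread(bits, code) for bits, code in streams.values()]
    return [sum(column) for column in zip(*spread_streams)]


def cdma_receive(on_air, code):
    """Despread with one user's code; the sign of the correlation is the bit."""
    return [1 if stat > 0 else 0 for stat in correlate(on_air, code)]


def cross_correlation(code_a, code_b, lag=0):
    """Normalised cross-correlation with code_b cyclically shifted by lag chips."""
    shifted = code_b[-lag:] + code_b[:-lag] if lag else code_b
    return sum(a * b for a, b in zip(code_a, shifted)) / len(code_a)


# Constructed traffic: three users with rows 1..3 of H(8) (row 0 is all ones)
CODES = hadamard(8)
USERS = {
    "user1": ([1, 0, 1, 1], CODES[1]),
    "user2": ([0, 0, 1, 0], CODES[2]),
    "user3": ([1, 1, 0, 0], CODES[3]),
}


def demo_decode():
    """Each user recovers its own bits from the same on-air signal."""
    on_air = cdma_transmit(USERS)
    return {user: cdma_receive(on_air, code) for user, (_, code) in USERS.items()}


def demo_unassigned_code():
    """Correlating with a code nobody uses (row 4) integrates to exactly zero."""
    return correlate(cdma_transmit(USERS), CODES[4])


if __name__ == "__main__":
    print("decoded:", demo_decode())
    print("codes 2 and 3, chip-aligned:     ", cross_correlation(CODES[2], CODES[3]))
    print("codes 2 and 3, one chip misaligned:", cross_correlation(CODES[2], CODES[3], lag=1))
    print("unassigned code sees:", demo_unassigned_code())
```

Chip-aligned, rows 2 and 3 correlate to 0 and every user decodes cleanly; shifted by a single chip the same two rows correlate to 1, so a receiver that lost chip synchronisation would despread the wrong user. That is the practical reason CDMA systems need tight chip timing and codes whose cross-correlation stays low at every lag, as the slide requires.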
Jamming impact on current systems
• IEEE 802.11a/b/g (DSSS, known codes) > to be covered in the lectures
• GPS (DSSS, known codes, low power)
• GSM/UMTS (TDMA/CDMA, known code sets)
• AM/FM radios
• ...