FELK 19: Security of Wireless Networks
Mario Čagalj, University of Split, 2013/2014

Adversarial interference: radio jamming

Adversarial interference: jamming (1/4)
• Transmitting a signal on the same frequency/band on which the honest parties communicate
• Blocks the reception of the message at the receiver B
[Figure: A sends the original signal S carrying message M to B; the jammer J sends the jamming signal towards B]

Jamming - physical layer (2/4)
• Modification (e.g., bit flipping)
  – Can cause the message to change or become undecodable
  – Can be (partially) addressed by Error Correction Codes
• Overshadowing
  – The attacker's signal is dominant and the original seems like noise, i.e., mSource + mAttacker = mAttacker
• Jamming (interference)
  – The attacker's signal makes it impossible for the radio to decode (demodulate) the message, i.e., mSource + mAttacker = random/cannot be decoded (low SINR, low Eb/N0, which implies a high BER)
• Jamming and overshadowing can be (partially) addressed by spread spectrum and similar communication techniques

Jamming - physical layer (3/4)
http://eprint.iacr.org/2013/581.pdf

Jamming parameters (4/4)
• Jamming-to-signal (J/S) ratio: the ratio of the power of the two received signals within the frequency passband of the receiver.
• Free-space model (received power spectral density, W/Hz, written in dB):
  S = PT + GT - const. - 20log(RS) + GR
  J = PJ + GJ - const. - 20log(RJ) + GRJ
  J/S = J - S (dB)
• Example:
  – For effective jamming J/S = 0 to 40 dB (typically 10 dB).
  – Jammer uses 100 W (50 dBm), antenna gain 10 dB, distance 30 km
  – Transmitter uses 1 W (30 dBm), antenna gain 3 dB, distance 10 km
  – J/S ≈ 17 dB → probably successful jamming
[Figure: jamming signal and desired signal plotted against frequency inside the receiver passband]
©D. Adamy, A First Course on Electronic Warfare

The importance of jammer's location
• Antenna gain: the ratio of the intensity, in a given direction, to the radiation intensity that would be obtained if the power accepted by the antenna were radiated isotropically
[Figure: antenna gain pattern of the receiver, with gain GR towards the desired signal transmitter and gain GRJ towards the jammer]
• If the receiving antenna is not omnidirectional, its gain to the jamming signal will be different (usually less) than its gain to the desired signal
©D. Adamy, A First Course on Electronic Warfare

Parameters influencing J/S
The effect of each parameter in the jamming situation on J/S (parameter increasing → effect on J/S):
• Jammer transmit power → directly increases J/S, dB for dB
• Jammer antenna gain → directly increases J/S, dB for dB
• Jammer-to-receiver distance → decreases J/S as the distance²
• Signal transmit power → directly decreases J/S, dB for dB
• Transmitter-to-receiver distance → increases J/S as the distance²
• Transmit antenna gain → directly decreases J/S, dB for dB
• (Directional) receiver antenna gain → directly decreases J/S, dB for dB

Implications on jamming (example): Attacks on Skyhook localization system
• Skyhook utilizes public WiFi access points and cellular towers to provide accurate information about the user's location
http://www.skyhookwireless.com/howitworks/loader_howitworks.swf
http://www.skyhookwireless.com

Implications on jamming (example): Attacks on Skyhook localization system
• Attack goal: device displays an incorrect location
• Attack: jam signals from legitimate APs and insert messages with MAC addresses corresponding to other APs
• More attacks: database poisoning, ...
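The J/S link budget on the "Jamming parameters" slide, worked through in code. This is an added example, not part of the lecture material: it evaluates the slide's free-space formulas for the slide's own numbers (100 W jammer with 10 dB gain at 30 km against a 1 W transmitter with 3 dB gain at 10 km) and then shows the two effects the following slides discuss, a directional receive antenna with lower gain towards the jammer and the distance² dependence. The frequency-dependent "const." term cancels in J/S and is left at 0; the 10 dB rule of thumb for effective jamming and the -10 dB sidelobe gain are taken from the slide and a constructed value respectively.

```python
import math


def watts_to_dbm(power_w):
    """10 log10(P / 1 mW): 100 W -> 50 dBm, 1 W -> 30 dBm."""
    return 10 * math.log10(power_w * 1000)


def received_level_db(p_tx_dbm, g_tx_db, distance_km, g_rx_db, const_db=0.0):
    """Free-space link budget in the slide's dB form:
       P_rx = P_T + G_T - const. - 20 log10(R) + G_R.
    `const_db` holds the frequency-dependent part of the free-space loss; it is
    the same for jammer and transmitter (same receiver passband), so it cancels
    in J/S and can be left at 0 here."""
    return p_tx_dbm + g_tx_db - const_db - 20 * math.log10(distance_km) + g_rx_db


def js_ratio_db(jammer, transmitter, g_rx_signal_db=0.0, g_rx_jammer_db=0.0):
    """J/S = J - S (dB). The receiver antenna gain is passed separately for the
    two directions: GR towards the transmitter, GRJ towards the jammer (they
    differ for a directional receive antenna)."""
    s = received_level_db(transmitter["p_dbm"], transmitter["g_db"],
                          transmitter["r_km"], g_rx_signal_db)
    j = received_level_db(jammer["p_dbm"], jammer["g_db"],
                          jammer["r_km"], g_rx_jammer_db)
    return j - s


def distance_change_effect_db(factor):
    """Change in J/S when the jammer-to-receiver distance is multiplied by
    `factor`: in free space J/S falls as distance^2, i.e. -20 log10(factor)."""
    return -20 * math.log10(factor)


def jamming_likely(js_db, threshold_db=10.0):
    """The slide's rule of thumb: effective jamming typically needs J/S >= 10 dB."""
    return js_db >= threshold_db


# The slide's worked example; 'r_km' is the distance to the receiver.
JAMMER = {"p_dbm": watts_to_dbm(100), "g_db": 10.0, "r_km": 30.0}
TRANSMITTER = {"p_dbm": watts_to_dbm(1), "g_db": 3.0, "r_km": 10.0}

if __name__ == "__main__":
    js = js_ratio_db(JAMMER, TRANSMITTER)
    print("omnidirectional receiver: J/S = %.1f dB, jamming likely: %s" % (js, jamming_likely(js)))
    # Directional receive antenna whose gain towards the jammer is 10 dB lower (constructed value)
    js_dir = js_ratio_db(JAMMER, TRANSMITTER, g_rx_signal_db=0.0, g_rx_jammer_db=-10.0)
    print("directional receiver:     J/S = %.1f dB, jamming likely: %s" % (js_dir, jamming_likely(js_dir)))
    print("doubling the jammer distance changes J/S by %.1f dB" % distance_change_effect_db(2.0))
```

Running it reproduces the slide's J/S ≈ 17 dB; with the receive antenna 10 dB down towards the jammer the same jammer lands at about 7 dB, below the typical threshold, which is the point of the "importance of jammer's location" slide.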
www.syssec.ethz.ch

Implications on jamming - example: Stealing bandwidth in WiFi networks
• Station 1 gets all the bandwidth
• Station 2 jams (with a directional antenna)

Implications on jamming - example: The case of GPS
• Used not only for positioning, but also for fine synchronization of communication systems
  – Mobile networks
  – Pagers
  – ATMs

Implications on jamming - example: The case of GSM, UMTS
• It is possible to mount a man-in-the-middle attack on your mobile phone voice/data communication
• We will see this in the lab :)

Implications on jamming - example: Jamming for good or friendly jamming
• Securing implantable devices
  "They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices"
  http://groups.csail.mit.edu/netmit/IMDShield/paper.pdf
• Cool, but one should exercise caution
  "On Limitations of Friendly Jamming for Confidentiality"
  http://www.syssec.ethz.ch/research/sp2013_tippenhauer.pdf

Anti-jamming communication

Basic anti-jamming communication
• Basic principle: "If you cannot beat them - run and hide"
• Spread spectrum techniques:
  – FHSS (Frequency Hopping Spread Spectrum)
  – DSSS (Direct Sequence Spread Spectrum)
  – FHSS/DSSS (combination)
[Figure: power vs. frequency; a narrowband signal has a high peak power, a spread spectrum signal a low peak power]

Anti-jamming communication
• We need an advantage over the attacker
• A secret key (K) shared between the sender and receiver provides this advantage
• If time permits, we will show how to provide anti-jamming communication without the shared key (Uncoordinated Frequency Hopping)
[Figure: A and B share the key K]

Frequency Hopping Spread Spectrum (FHSS)
• Synchronized sender and receiver
• Share a key - from the key a sequence of frequencies is derived
• E.g., used in Bluetooth (79 x 1 MHz channels)
[Figure: frequency vs. time; the signal hops within the frequency hopping range, staying on each frequency for one hop period]
©D. Adamy, A First Course on Electronic Warfare

Frequency spectrum for FHSS
[Figure: power spectral density vs. frequency; hops #1, #3, #34, #56 occupy different slots across the FHSS bandwidth]

Jamming FHSS signals: follower jammer
• (1) Detect the frequency and (2) jam
• Bluetooth: 79 channels, 1 MHz each, 1600 hops/second
• Jaguar V system: 2320 channels
©D. Adamy, A First Course on Electronic Warfare

Jamming FHSS signals: partial band jammer
• A partial band jammer distributes its available power to achieve 0 dB J/S in each jammed channel at the jammed receiver
  – E.g., J/S = 0 dB is sufficient to achieve a high bit error rate (BER)
• Optimizes the available jamming power to successfully jam as many channels as possible
[Figure: transmitter (XMTR) at distance RS and jammer (JMR) at distance RJ from the receiver (RCVR); the jammer power is spread evenly over the hopping channels for 0 dB J/S per channel]
©D. Adamy, A First Course on Electronic Warfare

Finding FHSS transmitters
• Detection of signal direction: when the collected data shows multiple frequencies at one angle of arrival, a frequency hopper is identified.
©D. Adamy, A First Course on Electronic Warfare

Direct Sequence Spread Spectrum (DSSS)
• Secret spreading code - DSSS hides the signal
  – Signal detection is now more difficult
  – Signal "hidden" in the noise
  – Signal interception/modification difficult
• Jamming
  – Narrowband jamming now requires much higher power
  – Broadband jamming still effective
• Motivation: Shannon channel capacity (C)
  C = B × log2(1 + S/N), or C/B ≈ 1.433 × S/N (for small S/N << 1)
  B is the available channel bandwidth
  For S/N << 1, it is still possible to communicate in an error-free manner given a sufficiently large B!
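The FHSS slides above (key-derived hop sequence, follower jammer, partial band jammer) as an added example that is not part of the lecture or of any real system's code. The hop-sequence derivation, HMAC-SHA256 over a session identifier and hop index reduced modulo the channel count, is an assumed construction chosen only to show that a shared key K gives sender and receiver the same sequence while nobody without K can compute it; Bluetooth's real hop-selection kernel is different. The 79 channels and 1600 hops/s are the slide's Bluetooth numbers, the 17 dB single-channel J/S is the figure from the link-budget slide, and the key is a constructed value.

```python
import hashlib
import hmac
import math
import struct


def hop_sequence(key, n_channels, n_hops, session_id=b"constructed-session-id"):
    """Derive hop i as HMAC-SHA256(key, session_id || i) mod n_channels.

    Assumed construction for illustration (not Bluetooth's algorithm): it shows
    how a shared key gives both ends the same sequence that an outsider cannot
    predict. The modulo over a 32-bit value has negligible bias for 79 channels.
    """
    hops = []
    for i in range(n_hops):
        tag = hmac.new(key, session_id + struct.pack(">Q", i), hashlib.sha256).digest()
        hops.append(int.from_bytes(tag[:4], "big") % n_channels)
    return hops


def dwell_time_us(hops_per_second):
    """Time spent on one frequency; Bluetooth's 1600 hops/s gives 625 us, which
    is the window a follower jammer has to detect the frequency and react."""
    return 1e6 / hops_per_second


def channels_jammable(js_single_channel_db, n_channels):
    """Partial band jammer: power that would give J/S = X dB concentrated in one
    channel can instead cover floor(10^(X/10)) channels at 0 dB J/S each,
    capped by the number of hopping channels."""
    return min(n_channels, math.floor(10 ** (js_single_channel_db / 10)))


def jammed_fraction(hops, jammed_channels):
    """Share of hops that land in a jammed channel; for a key-derived sequence
    this converges to len(jammed_channels) / n_channels, i.e. the fraction of
    the link's hops the receiver must expect to lose."""
    jammed = set(jammed_channels)
    return sum(1 for h in hops if h in jammed) / len(hops)


if __name__ == "__main__":
    KEY = b"constructed-shared-key-K"        # constructed; in practice a real shared secret
    N = 79                                   # Bluetooth: 79 x 1 MHz channels
    alice = hop_sequence(KEY, N, 1600)       # one second of hopping
    bob = hop_sequence(KEY, N, 1600)
    print("sender and receiver agree on the sequence:", alice == bob)
    print("first ten hops:", alice[:10])
    print("dwell time per hop: %.0f us" % dwell_time_us(1600))
    k = channels_jammable(17.0, N)           # the 17 dB J/S from the link-budget slide
    print("17 dB of single-channel J/S spread to 0 dB covers %d of %d channels" % (k, N))
    frac = jammed_fraction(hop_sequence(KEY, N, 20000), range(k))
    print("fraction of hops landing in jammed channels: %.2f (expected %.2f)" % (frac, k / N))
```

The last two lines quantify the partial band slide: the hopping receiver still gets the hops that fall outside the jammed set, so the residual throughput is what error correction and retransmission have to work with, which is why more channels (Jaguar V's 2320 versus Bluetooth's 79) make the same jammer power count for less.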
Direct Sequence Spread Spectrum (DSSS)
[Figure: spreading modulator → DSSS signal (RF link) → spreading demodulator; the same spreading code is applied on both sides]

Example: DSSS with BPSK modulation
• Original BPSK modulated signal s(t) = b(t)·cos(ω0t), with b(t) ∈ {-1, +1} being the input data
• DS spread spectrum signal ss(t) = a(t)·s(t) = a(t)·b(t)·cos(ω0t), with a(t) ∈ {-1, +1} being the spreading code
• The bit rate of b(t) is denoted Rb, and the rate of a(t) is denoted Ra
• Rb << Ra (the spreading effect)
[Figure: waveforms of b(t), a(t) and a(t)·b(t)]

Example: Spreading effect
• The resulting signal is similar to g(t)
• The bandwidth of s(t) is 2Rb and of ss(t) is 2Ra
• The spectrum is spread by the ratio Ra/Rb
• The power of s(t) and ss(t) is the same, so the power spectral density is reduced by Ra/Rb
[Figure: power spectral density vs. frequency; the spectrum of the original signal s(t) has width 2Rb, the spectrum of the spread signal ss(t) has width 2Ra]

Example: DSSS with BPSK demodulation
• The incoming signal at the receiver r(t) = AS·ss(t) is first multiplied by a(t), then by cos(ω0t), integrated for the duration of the bit and finally low-pass filtered
• The spreading code a(t) has an impulse-like autocorrelation function:
  a(t)·a(t-τ) = 1 for τ = 0, and a(t)·a(t-τ) << 1 for τ ≠ 0
• After multiplying the incoming signal with a(t), we despread:
  r(t)·a(t) = AS·ss(t)·a(t) = AS·a(t)·b(t)·cos(ω0t)·a(t) = AS·b(t)·cos(ω0t) = AS·s(t)
• After multiplying with cos(ω0t):
  AS·b(t)·cos(ω0t)·cos(ω0t) = (AS/2)·b(t) + (AS/2)·b(t)·cos(2ω0t)
  and the second term is removed by the low-pass filter

Why spreading?
[Figure: spreading modulator → DSSS signal (RF link) → spreading demodulator, each with the spreading code; power spectral density before spreading: DATA BEFORE SPREAD of width 2Rb above the noise floor; after spreading: DATA SPREAD of width 2Ra, close to the noise floor]

Why spreading?
• Immunity to interfering (narrowband) signals
• Suppose a jamming signal is present at ω0
• Input to the receiver: r(t) = AS·ss(t) + AJ·cos(ω0t)
[Figure: power spectral density with the narrowband INTERFERER rising above DATA SPREAD and the noise floor]

Why spreading?
• Immunity to interfering (narrowband) signals
• Suppose a jamming signal is present at ω0
• After multiplying the incoming signal with the spreading code a(t) we have
  r(t)·a(t) = AS·b(t)·cos(ω0t) + AJ·a(t)·cos(ω0t)
  – the wanted signal gets despread
  – the jamming signal gets spread!
[Figure: power spectral density: DATA DESPREAD AND LOWPASS FILTERED above the noise floor, INTERFERER SPREAD]

Why spreading?
• By lowpass filtering the resulting signal, the effective power of the interference is reduced by the factor Ra/Rb (the processing gain)
[Figure: power spectral density: DATA DESPREAD AND LOWPASS FILTERED of width 2Rb, INTERFERER SPREAD over 2Ra, both above the noise floor]

Processing gain (PG)
• The ratio (in dB) between the spread bandwidth and the original (unspread) bandwidth
• E.g., if a 1 kHz signal is spread to 100 kHz, the processing gain is 100,000/1,000 = 100, or 10log10(100) = 20 dB
• The PG is a signal-to-jammer (interference) ratio at the receiver after the despreading operation (removal of the pseudo noise)
• PG increases the jamming margin: MJ = PG - (SNRrequired + Losssystem)
  – The level of interference that a system is able to accept and still maintain a specified level of performance (e.g., BER)
• Example: A spread spectrum system with a 30 dB processing gain, a minimum required output signal-to-noise ratio of 10 dB and a system implementation loss of 3 dB would have a jamming margin of 30 - (10 + 3) dB, which is 17 dB. The spread spectrum system in this example could not be expected to work in an environment with interference more than 17 dB above the desired signal (a 50 times stronger signal).

DSSS narrowband jamming immunity
[Figure: DSSS narrowband jamming immunity]

Recapitulation: DSSS signal spreading (1/3)
[Figure: spreading modulator → DSSS signal (RF link) → spreading demodulator, both with the spreading code; DATA BEFORE SPREAD above the noise floor becomes DATA SPREAD near the noise floor]

Recapitulation: DSSS signal and narrowband interferer (2/3)
[Figure: same chain; at the receiver input the INTERFERER stands above DATA SPREAD and the noise floor]

Recapitulation: antijamming advantage (3/3)
[Figure: same chain; after the demodulator DATA DESPREAD stands above the noise floor while the INTERFERER is SPREAD; after lowpass filtering, DATA DESPREAD AND LOWPASS FILTERED against INTERFERER SPREAD]

CDMA: Code Division Multiple Access
• Multiplexing users by distinct (orthogonal) PN codes
• Transmitters use low-correlation PN codes
  – Use the same RF bandwidth
  – Transmit simultaneously
http://sss-mag.com/pdf/Ss_jme_denayer_intro_print.pdf

CDMA: Code Division Multiple Access
• Correlation of the received baseband spread spectrum signal with the PN code of user 1 only despreads the signal of user 1
  – PN codes have an impulse-like autocorrelation
  – Low cross-correlation
http://sss-mag.com/pdf/Ss_jme_denayer_intro_print.pdf

Jamming impact on current systems
• IEEE 802.11a/b/g (DSSS, known codes) → to be covered in the lectures
• GPS (DSSS, known codes, low power)
• GSM/UMTS (TDMA/CDMA, known code sets)
• AM/FM radios
• ...
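A baseband simulation of the DSSS slides (BPSK spreading and despreading, the narrowband interferer getting spread, processing gain and jamming margin) and of the CDMA slides (two users separated by low cross-correlation codes). This is an added example written for this page, not the lecture's or any library's code. It uses a 31-chip m-sequence from a 5-stage LFSR as a(t), an assumption chosen because its periodic autocorrelation is exactly N at τ = 0 and -1 elsewhere, so every result can be checked by hand; the jammer is modelled as a tone exactly on the carrier, which after the cos(ω0t) mixer is a constant at baseband, and the data bits are constructed. The processing-gain and jamming-margin numbers are the slide's own (31 chips/bit, 1 kHz to 100 kHz, 30/10/3 dB).

```python
import cmath
import math
from functools import reduce
from operator import xor


def m_sequence(degree=5, taps=(5, 2), seed=(1, 0, 0, 0, 0)):
    """One period of a maximal-length LFSR sequence as +/-1 chips.

    The recurrence a[n] = a[n-5] XOR a[n-2] has the primitive characteristic
    polynomial x^5 + x^3 + 1, so the period is 2^5 - 1 = 31 chips. Chips map
    bit 0 -> +1 and bit 1 -> -1; a period holds 16 ones, so the chips sum to -1.
    """
    bits = list(seed)
    while len(bits) < (1 << degree) - 1:
        bits.append(reduce(xor, (bits[-t] for t in taps)))
    return [1 - 2 * b for b in bits]


def autocorrelation(code, tau):
    """Circular autocorrelation sum_k a[k]*a[k-tau]: N at tau = 0, -1 elsewhere."""
    n = len(code)
    return sum(code[k] * code[(k - tau) % n] for k in range(n))


def spread(bits, code):
    """ss = a(t)*b(t): every +/-1 data bit multiplies one full code period."""
    return [b * c for b in bits for c in code]


def despread(chips, code):
    """Multiply by a(t) again, integrate over each bit (the low-pass step),
    then decide on the sign of the integral."""
    n = len(code)
    return [1 if sum(chips[i + k] * code[k] for k in range(n)) >= 0 else -1
            for i in range(0, len(chips), n)]


def add_tone_interferer(chips, amplitude):
    """A narrowband jammer on the carrier looks, after the cos(w0 t) mixer,
    like a constant AJ added to every chip at baseband."""
    return [x + amplitude for x in chips]


def dft_power(x):
    """|X[f]|^2 of a real sequence; plain O(N^2) DFT so no numpy is needed."""
    n = len(x)
    return [abs(sum(x[k] * cmath.exp(-2j * math.pi * f * k / n)
                    for k in range(n))) ** 2 for f in range(n)]


def processing_gain_db(chips_per_bit):
    """PG = 10 log10(Ra/Rb): spread-to-unspread bandwidth ratio in dB."""
    return 10 * math.log10(chips_per_bit)


def jamming_margin_db(pg_db, snr_required_db, loss_db):
    """MJ = PG - (SNR_required + Loss_system), as on the slide."""
    return pg_db - (snr_required_db + loss_db)


def simulate_jammed_link(data_bits, code, jammer_amplitude, signal_amplitude=1.0):
    """Decoded +/-1 bits after spread -> carrier-tone jammer -> despread."""
    tx = [signal_amplitude * x for x in spread(data_bits, code)]
    return despread(add_tone_interferer(tx, jammer_amplitude), code)


def interferer_peak_reduction(code, jammer_amplitude):
    """Ratio of the jammer's strongest spectral bin before and after it is
    multiplied by a(t): the tone is smeared over all N bins, roughly Ra/Rb."""
    n = len(code)
    before = dft_power([jammer_amplitude] * n)
    after = dft_power([jammer_amplitude * c for c in code])
    return max(before) / max(after)


def cdma_decode_user1(bits_user1, bits_user2, code, shift=11):
    """Two users share the band; user 2 uses the same m-sequence rotated by
    `shift` chips, whose cross-correlation with user 1's code is only -1, so
    correlating the sum with user 1's code despreads user 1 alone."""
    code2 = code[shift:] + code[:shift]
    rx = [x + y for x, y in zip(spread(bits_user1, code), spread(bits_user2, code2))]
    return despread(rx, code)


if __name__ == "__main__":
    CODE = m_sequence()
    DATA = [1, -1, 1, 1, -1, -1, 1, -1]        # constructed data bits
    print("PG for 31 chips/bit: %.1f dB" % processing_gain_db(31))
    print("jamming margin (30 dB PG, 10 dB SNR, 3 dB loss): %d dB" % jamming_margin_db(30, 10, 3))
    print("J/S = 20 dB tone, decoded correctly:", simulate_jammed_link(DATA, CODE, 10.0) == DATA)
    print("J/S = 32 dB tone, decoded correctly:", simulate_jammed_link(DATA, CODE, 40.0) == DATA)
    print("interferer peak reduction after despreading: %.1fx" % interferer_peak_reduction(CODE, 10.0))
    print("CDMA user 1 recovered next to user 2:", cdma_decode_user1(DATA, DATA[::-1], CODE) == DATA)
```

Two details worth noticing when reading the output. After despreading, the tone's energy moves from one spectral bin into all 31, so its peak drops by about N, which is the slide's "interferer spread" picture and the origin of the Ra/Rb processing gain. The residue that survives integration over a bit is AJ times the code's DC component (here -1 against the wanted AS·N), which is why the tone-on-carrier case looks even better than PG; a jammer with a frequency offset or a receiver with real filters lands at the PG figure, so the jamming margin MJ, not this simulation's best case, is the number to use in a link budget.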