AJAL.A.J Assistant Professor –Dept of ECE,

Federal Institute of Science And Technology (FISAT) TM  MAIL: ec2reach@gmail.com

CONCEPTS OF JAMMING

Bats are jammed by moths•Echolocation: by emitting high-pitched sounds and listening to the echoes, the microbats locate nearby objects. •A few moths have exploited the bat's senses:

•In one group (the tiger moths), the moths produce ultrasonic signals to warn the bats that the moths are chemically-protected (aposematism); •In the other group (Noctuidae) the moths have a type of hearing organ called a tympanum which responds to an incoming bat signal by causing the moth's flight muscles to twitch erratically, sending the moth into random evasive maneuvers.

History of Jamming? During World War II a variation of radio jamming was used where ground

operators would attempt to mislead pilots by false instructions in their own language.

Jamming of foreign radio broadcast stations has often been used in wartime to prevent or deter citizens from listening to broadcasts from enemy countries.

Jamming has also occasionally been used by the Governments of Germany (during WW2), Cuba, Iran, China, Korea and several Latin American countries

Jamming has also occasionally been attempted by the authorities against pirate radio stations including Radio Nova in Ireland and Radio Northsea International off the coast of Britain.

Saddam's government obtained special electronic jamming equipment from Russia that was set up around several sites in Iraq. The jammers attempted to disrupt the signals sent by U.S. GPS satellites that are used to guide joint direct attack munitions, the military's premier satellite-guided bombs.

In 2004, China acquired radio jamming technology and technical support from French state-owned company, Thales Group. It is used for jamming foreign radio stations broadcasting to China.

“Over the Air”

Threats due to wireless communication

AttacksEavesdropping, jamming, spoofing, “message attacks” Sleep deprivation torture

Counter measuresFirst attacks are not specific to ad hoc networks, well

researched in military context:frequency hopping, spread spectrum

First Mobile Radio Telephone1924

Electronic Counter Measure(ECM)

• Further advances in what became known as Electronic warfare were made during the First World War, primarily in the fields of Radio Direction Finding and signal intelligence. The sailing of the Royal Navy’s Home Fleet before the Battle of Jutland, for example, was initiated by the interception of German transmissions that indicated the German High Seas Fleet was preparing to leave port. By the end of the war, the Royal Navy had an extensive chain of RDF stations covering the North Sea.

Dr. Reginald V. Jones 1911 – 1997

-Commissioned in Officer Training Corps 1928

-PhD in Physics 1934

-Assistant Director of Scientific intelligence 1939

-Outstanding work in all aspects of Scientific Intelligence.

-Professor Emeritus

-“Most Secret War” published as “The Wizard War” in United States

HISTORICAL BACKGROUND• As Jones figures quite prominently in our story, an introduction is in order.• Reginald Victor Jones was born in London in 1911, the son of a career officer in the Grenadier

Guards. As a boy he built many crystal radios, and in 1928 built a “thermonic valve” radio to receive a test transmission from Australia, receiving a QSL card in confirmation. He entered the Officer Training Corps and was commissioned in 1928. He received his doctorate in physics in 1934 at the age of 22. In the 1930s he worked on Infra-Red detection of aircraft, and at the start of the war he was appointed Assistant Director of Scientific Intelligence at the British Air Ministry.

• In addition to his work with the Battle of the Beams, he discovered the tactical and technical details of the German radar-controlled night defences, correctly analyzed intelligence on V1 and V2 rockets, and conceived of chaff, the most widely used method to jam and deceive radar. In 1946 he was appointed Director of Scientific Intelligence, and later Chair of Natural Philosophy at the University of Aberdeen. He was described as a superb lecturer, interesting and amusing, and a great practical joker. He retired as a professor emeritus in 1981, and passed away in 1997 at age 86.

• His awards include CBE 1942, CB 1945, US Medal for Merit and the US Medal for Freedom, honourary member of the USAF, and he was the 1st foreigner ever to speak in the CIA auditorium. In 1993 the CIA created an award in his name, and CIA Director James Woolsey described him as a “one-man, all source intelligence evaluation, collection and analysis section”. In 1994 he was appointed “Companion of Honour”, one of Britain’s highest awards, and it was declared “a national scandal” that his wartime work was not honoured with a knighthood. His book Most Secret War was published as The Wizard War in the United States.

Electronic Counter Measure

• An electronic countermeasure (ECM) is an electrical or electronic device designed to trick or deceive radar, sonar or other detection systems, like infrared (IR) or lasers. It may be used both offensively and defensively to deny targeting information to an enemy.

(ECM)

Aircraft ECMRadar ECMShipboard ECM

German Luftwaffe Tornado ECR.

"Official“ jamming should more aptly be called Concealment or Masking

Jammer

• A GSM Jammer is a device that transmit signal on the same frequency at which the GSM system operates.

• The jamming is success when the mobile phones in the area where the jammer is located are disabled.

US$150.00

Real TargetReal Target

Multiple False TargetsMultiple False Targets

Jamming

TGT FreqTGT Freq

True NoiseTrue Noise

Ideal Ideal JammerJammer

Actual Spot Actual Spot JammerJammer

Noise Jamming

Definition:

Noise jamming is the deliberate radiation, re-radiation, or reflection of electromagnetic energy with the purpose of impairing the use of electronic devices, equipment, or systems being used by the enemy.

Mobile Phone Jamming. What is it?

• Cell phone jamming is the use of an electronic device to prevent the transferring of data through a wireless phone

Is Jamming useful?

• Jammers can be used practically anywhere

• Jammers are used primarily where silence is necessary or data transfer might be destructive

• Jammers are simple to build and use

If you’re a jammer, how If you’re a jammer, how would you jam the channel?would you jam the channel?

Jamming attack modelsJamming attack models

• Constant jammer– Always emit random bits of radio signal

• Deceptive jammer– Always emit preamble bits

• Random jammer– Alternate between sleeping and jamming

states -> Conserve Energy• Reactive jammer

– Transmit signal when jammer senses channel activity -> Harder to detect

Signal strength spectral Signal strength spectral discriminationdiscrimination

How do they work?

• Jammers simply overflow the frequency used by wireless phones with radio waves

• Enough interference caused by these waves will prevent communication between a wireless phone and a base tower

• Some Jammers are small, hand-held sized devices while others can be very large

• Smaller Jammers interfere mostly with the wireless phones themselves while devices with larger radii may interfere with the towers directly

Some Quick Numbers…• Wireless phone network ranges generally

from 800-1900Mhz

• Small Jammers block all communication in this range for a 30 ft radius

• Commercial size Jammers can block all communication for 5 miles

Disgruntled Contractor

PLC PLC

Plant

Rogue Radio

• Originally much of the technology associated with jamming was developed for military purposes

• A huge part of security in the military is data security; Jamming communications signals locally can prevent the loss of data

• Some Law Enforcement agencies use Jammers to prevent criminals from communicating

• Law Enforcement and Military both use Jammers for preventing signals from certain kinds of remote explosive detonation devices

Can I have one?• Of course not (legally)! Jammers are highly illegal to

civilians in the US• Worldwide they are used in Libraries, Banks, Prisons,

Hospitals, Churches, Movie theaters, and other places where locals or govt. have deemed wireless phone use more of a problem than a plus

Jam Proof Microwave link

Jamming of the Digital Microwave link

A Jamming attack could be conducted from the land or from the sea by using directional antennas

Jamming attack from a moving platform ( Car or a boat ) is almost impossible to locate

A land based low power jamming source ( in 10s of Watts) with a directional antenna can bring down the land based Radio terminal easily.

The commercially available modems employing QAM, OFDM or similar techniques are highly vulnerable to signal jamming. Even a low level of jamming is able to break the link completely.

OFDM based WiFi / WiMAX links and Proprietary ( QAM, QPSK ) links are extremely vulnerable

These links are not designed for anti Jamming. Simple Transmitters in the same frequency can break the links easily

High level of vulnerability to the signal jamming threat

Needs a Jam Proof back up link for withstanding a jamming threat

•Jamming the Troposcater & VHF links

Troposcater links are highly vulnerable

VHF, HFIP , Troposcater links are not designed to withstand interference

Low power jammers can bring down these links

38

Wireless jamming

● blocking of the wireless channel due to interference, noise or collision at the receiver side

wireless nodes

XXXX

Jamming Attacks Wireless Networks

• Definitions and Characteristics

– A jammer is an entity who is purposefully trying to interfere with the physical transmission and reception of wireless communications

– A jammer continuously emits RF signals to fill a wireless channel so that legitimate traffic will be completely blocked

– Common characteristics for all jamming attacks is that their communications are not compliant with MAC protocols

Jamming Attacks Wireless Networks

• Jamming Attack Models

– Constant Jammer– Deceptive Jammer– Random Jammer– Reactive Jammer

Jammer Attack Models

Constant jammer: Continuously emits a radio signal

Deceptive jammer: Constantly injects regular packets to the channel without any gap between consecutive

packet transmissions A normal communicator will be deceived into the receive state

&F*(SDJFFD(*MC*(^%&^*&(%*)(*)_*^&*FS…….

Payload …

Preamble CRC

PayloadPayload Payload Payload

Jammer Attack Models

Random jammer: Alternates between sleeping and jamming

Sleeping period: turn off the radio Jamming period: either a constant jammer or deceptive jammer

Reactive jammer: Stays quiet when the channel is idle, starts transmitting a radio

signal as soon as it senses activity on the channel. Targets the reception of a message

&F*(SDJF ^F&*D( D*KC*I^ …

…

Underling normal traffic

&F*(SDJ

Payload

^%^*&

Payload

CD*(&FG

Payload

Jamming Attacks Wireless Networks

Jamming Attacks Wireless Networks

• Constant Jammer

– Continuously emits a radio signal– Sends out random bits to the channel– Does not follow any MAC layer etiquette– Does not wait for the channel to become idle

Jamming Attacks Wireless Networks

• Deceptive Jammer

– Constantly injects regular packets to the channel– Normal nodes will be deceived by the packets– Normal nodes just check the preamble and remain

silent– Jammer can only send out preambles

Jamming Attacks Wireless Networks

• Random Jammer– Alternates between sleeping and jamming

– After jamming for tj units of time, it turns off its radio and enters sleeping mode

– After sleeping for ts units of time, it wakes up and resumes jamming (constant or deceptive)

– tj and ts may be random or fixed intervals-energy conservation

Jamming Attacks Wireless Networks

• Reactive Jammer

– Jammer stays quiet when the channel is idle– Jammer starts transmitting a radio signal as soon as

it senses activity on the channel– Does not conserve energy because the jammer’s

radio must be continuously on in order to sense the channel

– However, it is harder to detect

Jamming Attacks Wireless Networks

• Level of Interference

– Distance between jammer and nodes– Relative transmission power of the jammer and

nodes– MAC protocol employed by the nodes

49

Defend Against Jamming Attacks Wireless Local Area Networks

• Wireless Jamming Attacks– RTS Jamming– CTS Jamming

• Solution– Cumulative-Sum-based (CUSUM) Detection Method

Defend Against Jamming Attacks Wireless Local Area Networks

• RTS Jamming

– Jammer occupies channel by continuously sending RTS frames with large NAV to AP

– AP replies with CTS which can be heard by nearby nodes

– Neighbor nodes will keep silent for a period of time indicated by NAV

– Neighbor nodes can hardly occupy the channel

50

Defend Against Jamming Attacks Wireless Local Area Networks

Defend Against Jamming Attacks Wireless Local Area Networks

• CTS Jamming

– Jammer sends CTS frames with spoofed ID which is as same as AP

– AP unaware of this behavior • Jammer uses directional antenna• Jammer remains far away from the AP

– Neighbor nodes assume AP is busy (hidden node problem) and will remain silent

– Neighbor nodes never get a chance to occupy the channel

52

Defend Against Jamming Attacks Wireless Local Area Networks

• Defending against RTS/CTS attacks

– Two separate data windows for RTS & CTS– Size of the window is fixed– Source ID information of the frame is recorded– Source ID of the CTS frame is checked in the CTS

window– Source ID also checked in the RTS window– Different score given to each frame using a function– Smallest index gains the highest score

53

Defend Against Jamming Attacks Wireless Local Area Networks

• CUSUM Method

– Sequential Detection Change Point methodMean value of some variable under surveillance will change from negative to positive whenever a change occurs.

54

Defend Against Jamming Attacks Wireless Local Area Networks

• Channel is nearly fairly shared among nodes• Source ID distribution of CTS / RTS frames is

uniform• If a node constantly occupies the channel,

uniform distribution will change• CUSUM is applied to detect changes in CTS

window• When a change point is detected,

corresponding CTS frames are suspicious

55

Defend Against Jamming Attacks Wireless Local Area Networks

• Conclusion– CUSUM can accurately detect RTS/CTS jamming

attacks with little computation and storage cost– Although these attacks cannot totally prevent other

nodes from communication, they can seriously degrade the network throughput

– These attacks have lower traffic rates than normal jamming attack and are more difficult to detect

56

57

Adversarial physical layer jamming

● a jammer listens to the open medium and broadcasts in the same frequency band as the network– no special hardware required– can lead to significant disruption of communication at

low cost for the jammer

honest nodesjammer

58

Single-hop wireless network

● n reliable honest nodes and one jammer; all nodes within transmission range of each other and of the jammer

jammer

59

Wireless communication model

● at each time step, a node may decide to transmit a packet (nodes continuously contend to send packets)

● a node may transmit or sense the channel at any time step (half-duplex)

● when sensing the channel a node v may– sense an idle channel– receive a packet– sense a busy channel

v

How would you detect How would you detect jamming?jamming?

Measurements to detect jamming attacks

– Signal strength• Match jam signals with legitimate signal pattern

– Carrier sensing time• Jamming incurs long carrier sensing time (skip)

– Packet delivery ratio (PDR)• Jamming incurs lower PDR

Attacks Attacks at various layers

--- Physical layer: jamming

– MAC layer: greedy sender and receiver

– Network layer: routing attacks

– Transport layer: cross layer attacks

Questions?

Questions?Questions?