Download Jamming Wireless 101

Jamming Zigbee for
Under $100
Jacob Brodsky, PE
Control Systems Engineer
WHY?
Need Test Equipment to Validate Path
 Include built in diagnostics
 Denials of service will happen

 What
will a control system do?
 Can you figure out why it happened?

Would you rather find out the hard way?
ISM Band
Industrial Scientific Medical use
 47 CFR 15.5 (b)

 Must
shut down if interferes with licensed
service
 Must accept interference from anywhere
No legal recourse if it fails
 If you want legal recourse, contact UTC

 Get
a License!
Just Zigbee?

Zigbee physical layer is IEEE 802.15.4
 Used
by 6LoWPAN
 Used by ISA-100.11a
Same band includes 802.11b/g
 Bluetooth
 Lots of other proprietary stuff

Protocols for This Experiment
Not designing production devices
 47 CFR 15.23 “Home Built Devices”

 Good
Engineering Practice
 47 CFR 15.247 (a) (3) & (4)
Keep This REALLY simple
 Descriptions herein are prototypes

 Could
be made for about $50 in quantity
 Not giving explicit details
Definitions

dBm: Decibels referenced to 1 milliWatt
 dBm
= 10 log (Pmw/1mw)
0 dBm = 1 mW
 +6 dBm = 4 mW
 +30 dBm = 1 Watt


One Decibel Compression Point (P1db)
 Power
Output amplifier gain begins to limit
Frequency Modulation



For large modulation
indexes sidebands
appear over wider
and wider spectra
Sidebands are
modulation
frequency apart
Some will null out
How Jam Everything On 2.4 GHz
Make a sideband on every channel
Channels are 5 MHz apart
IEEE 802.15.4 Passband is only 2 MHz wide
Requires frequency accuracy
May have a null on channel
Guarantee a sideband in each passband
More sidebands required
Slightly less power per sideband
Use modulating frequency of around 1 MHz
Wide Deviation/High Index
Voltage Controlled Oscillator
A Low Noise/Medium Power
Amplifier: P1db > +20 dBm
Our High Tech Soldering
Our First Test Rigs

Purchased
prefabricated units
 Could
build our own,
but let’s keep this
simple
 Connectors make
prototyping easy

SMD soldering not
hard with a toaster
oven
Our First Portable Jammer
The Portable Jammer Spectra
Results: Very Effective
Works against 802.11b/g
 Works against Zigbee and 802.15.4
 Can even jam ISA-100

 Channel hopping
may offer some resiliency
 Communications statistics not easily read
 As long as our noise is comparable strength,
it will fail

Works against Bluetooth
Clear Channel Availability

Play Nice:
 If
energy present on channel above minimal
threshold, inhibit transmitter
What you hear may not be what the
receiver hears
 “Dusty” networks can be jammed

 If

you don’t talk, nobody will hear you
Questionable Efficacy –especially in
control applications
Why CCA Doesn’t Always Work
Receiving
Antenna
Transmitting
Signal
Other signals
Other Types of Jammers
Noise makers are easy to find if you
know what you’re looking for
 Repeater jammers are NOT

 They only
radiate when there is a signal
 Re-radiated signal can be offset by some
frequency to confuse receiver
 Very Effective and efficient with power
 Good Luck finding it
An Oversimplified Repeating Jammer
TX antenna
Receiver
Antenna
LPF
I/Q
Split
Voltage
Controlled
Oscillator
Still more methods

Listen for specific address and transmit
on top of it
 This
has been done with Zigbee already
 Also very difficult to find

Use three 802.11 transmitters and
broadcast continuous trash on the band
 Who
would know the difference?
What Is Needed:
RSSI and Signal to Noise in every node
 A “Wireless” Service Monitor

 Monitor
signals on the air
 Monitor signal strength
 Generate known good interrogations

If in a mesh, keep track of signal
propagation path
 Beware
of critical nodes
Do Not Assume the Signal Will Get
Through!

Channel Hopping is more robust, HOWEVER
 Data
rate will drop significantly while hunting for
new channels
 Jammers can be adaptive too

Retries are incredibly inefficient
 Forward



Error Correction codes are better
LDPC
Turbo Codes
Cryptography can authenticate messages,
but…
 It
can’t do much if it never gets the message
Questions?