Download Jamming Wireless 101

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
Document related concepts

Islanding wikipedia , lookup

Stage monitor system wikipedia , lookup

Resistive opto-isolator wikipedia , lookup

Decibel wikipedia , lookup

Spectral density wikipedia , lookup

Pulse-width modulation wikipedia , lookup

MIMO wikipedia , lookup

Opto-isolator wikipedia , lookup

Regenerative circuit wikipedia , lookup

FM broadcasting wikipedia , lookup

Heterodyne wikipedia , lookup

Single-sideband modulation wikipedia , lookup

Transcript 
Jamming Zigbee for
Under $100
Jacob Brodsky, PE
Control Systems Engineer
WHY?
Need Test Equipment to Validate Path
 Include built in diagnostics
 Denials of service will happen

 What
will a control system do?
 Can you figure out why it happened?

Would you rather find out the hard way?
ISM Band
Industrial Scientific Medical use
 47 CFR 15.5 (b)

 Must
shut down if interferes with licensed
service
 Must accept interference from anywhere
No legal recourse if it fails
 If you want legal recourse, contact UTC

 Get
a License!
Just Zigbee?

Zigbee physical layer is IEEE 802.15.4
 Used
by 6LoWPAN
 Used by ISA-100.11a
Same band includes 802.11b/g
 Bluetooth
 Lots of other proprietary stuff

Protocols for This Experiment
Not designing production devices
 47 CFR 15.23 “Home Built Devices”

 Good
Engineering Practice
 47 CFR 15.247 (a) (3) & (4)
Keep This REALLY simple
 Descriptions herein are prototypes

 Could
be made for about $50 in quantity
 Not giving explicit details
Definitions

dBm: Decibels referenced to 1 milliWatt
 dBm
= 10 log (Pmw/1mw)
0 dBm = 1 mW
 +6 dBm = 4 mW
 +30 dBm = 1 Watt


One Decibel Compression Point (P1db)
 Power
Output amplifier gain begins to limit
Frequency Modulation



For large modulation
indexes sidebands
appear over wider
and wider spectra
Sidebands are
modulation
frequency apart
Some will null out
How Jam Everything On 2.4 GHz
Make a sideband on every channel
Channels are 5 MHz apart
IEEE 802.15.4 Passband is only 2 MHz wide
Requires frequency accuracy
May have a null on channel
Guarantee a sideband in each passband
More sidebands required
Slightly less power per sideband
Use modulating frequency of around 1 MHz
Wide Deviation/High Index
Voltage Controlled Oscillator
A Low Noise/Medium Power
Amplifier: P1db > +20 dBm
Our High Tech Soldering
Our First Test Rigs

Purchased
prefabricated units
 Could
build our own,
but let’s keep this
simple
 Connectors make
prototyping easy

SMD soldering not
hard with a toaster
oven
Our First Portable Jammer
The Portable Jammer Spectra
Results: Very Effective
Works against 802.11b/g
 Works against Zigbee and 802.15.4
 Can even jam ISA-100

 Channel hopping
may offer some resiliency
 Communications statistics not easily read
 As long as our noise is comparable strength,
it will fail

Works against Bluetooth
Clear Channel Availability

Play Nice:
 If
energy present on channel above minimal
threshold, inhibit transmitter
What you hear may not be what the
receiver hears
 “Dusty” networks can be jammed

 If

you don’t talk, nobody will hear you
Questionable Efficacy –especially in
control applications
Why CCA Doesn’t Always Work
Receiving
Antenna
Transmitting
Signal
Other signals
Other Types of Jammers
Noise makers are easy to find if you
know what you’re looking for
 Repeater jammers are NOT

 They only
radiate when there is a signal
 Re-radiated signal can be offset by some
frequency to confuse receiver
 Very Effective and efficient with power
 Good Luck finding it
An Oversimplified Repeating Jammer
TX antenna
Receiver
Antenna
LPF
I/Q
Split
Voltage
Controlled
Oscillator
Still more methods

Listen for specific address and transmit
on top of it
 This
has been done with Zigbee already
 Also very difficult to find

Use three 802.11 transmitters and
broadcast continuous trash on the band
 Who
would know the difference?
What Is Needed:
RSSI and Signal to Noise in every node
 A “Wireless” Service Monitor

 Monitor
signals on the air
 Monitor signal strength
 Generate known good interrogations

If in a mesh, keep track of signal
propagation path
 Beware
of critical nodes
Do Not Assume the Signal Will Get
Through!

Channel Hopping is more robust, HOWEVER
 Data
rate will drop significantly while hunting for
new channels
 Jammers can be adaptive too

Retries are incredibly inefficient
 Forward



Error Correction codes are better
LDPC
Turbo Codes
Cryptography can authenticate messages,
but…
 It
can’t do much if it never gets the message
Questions?
Related documents
product brochure
product brochure
SP3801 - Skypatrol Tracking Solutions
SP3801 - Skypatrol Tracking Solutions
Welcome to Database Marketing Course MKTG 6229
Welcome to Database Marketing Course MKTG 6229
Chapter 3.
Chapter 3.
PINAMP Mini-DIL Optical Receivers
PINAMP Mini-DIL Optical Receivers
Decibels Made Simple
Decibels Made Simple
NS-200AFT-T/AFC-T/AFCS-T/ AFCS-60T
NS-200AFT-T/AFC-T/AFCS-T/ AFCS-60T
2.7GHz, 60dB Mean-Squared Power Detector Responds in 500ns
2.7GHz, 60dB Mean-Squared Power Detector Responds in 500ns
ER-1000HG Spec Sheet Cover Page.ai
ER-1000HG Spec Sheet Cover Page.ai
SENSOR NODE FAILURE DETECTION BASED ON ROUND TRIP
SENSOR NODE FAILURE DETECTION BASED ON ROUND TRIP
A Single Board No-Tuning 23
A Single Board No-Tuning 23
Datasheet
Datasheet