Vulnerability Development mailing list archives
RE: Wireless device vulnerability?
From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Sat, 23 Mar 2002 18:30:41 +0200
Please excuse the search for a low-tech vulnerability to a high-tech implementation. How susceptible are various wireless networking implementations to jamming (as a means to a DoS)? Thank you.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
That depends wholly on the transmission technology used. Almost all wireless technologies today don't transmit their information through a normal narrowband transmission, but instead use spread spectrum transmission. Mobile phones have used spread spectrum since GSM. WLANs and Bluetooth also use spread spectrum. Instead of transmitting on a narrow band of frequencies loudly, they transmit with less power, but on a wider spectrum. Thereby even VERY LOUD jamming on a given frequency (normally narrowband) will not disturb the signal. See below, the transmitted signal, and jamming with Xs.

Narrowband:

S
t
r|    __
e|    ||
n|    ||
g|    ||
t|    ||
h+---------------
        Frequency

Narrowband with jamming:

S
t     XX
r|    _XX
e|    |XX
n|    |XX
g|    |XX
t|    |XX
h+---------------
        Frequency

The signal is nearly drowned with normal jamming, when narrowband transmission is used.

Spread spectrum:

S
t
r|
e|
n|
g|    ____________
t|    |          |
h+---------------
        Frequency

Spread spectrum with jamming:

S
t
r|       XX
e|       XX
n|       XX
g|    ___XX_______
t|    |  XX      |
h+---------------
        Frequency

So as we can see, spread spectrum transmission, even while jammed with regular methods, is very robust. Jamming on a wider spectrum is not only less common than regular, dumb, jamming, but also more difficult.

Besides spread spectrum transmission, additional transmission tricks are also used not only for security but also for more robust communications, not only because of being less vulnerable to jamming but to ordinary noise, too. The two main schools here are frequency hopping (with spread spectrum, FHSS) and direct sequence (with spread spectrum, DSSS). Bluetooth is FHSS, UMTS networks are DSSS (kind of), and there are two WLAN types, one that transmits using FHSS and one that transmits using DSSS. However, practically no one uses or manufactures the FHSS WLANs and they are dying out.

Frequency Hopping Spread Spectrum (FHSS), as seen in Bluetooth, changes the base frequency of the spread spectrum transmission ever so often. For instance, in Bluetooth, the frequency is switched every 400 milliseconds, or two and a half times every second. If the jamming is happening on a single, narrow band, Bluetooth transmission will only be jammed for that given 400 milliseconds and then the devices will switch to another frequency again. Of course, if the malicious radio activist is using more advanced jamming devices, the devices can send jamming garbage on a really wide band. After all, even the frequency band that the Bluetooth devices hop WITHIN is narrow, so basically you could jam that whole band and no matter what frequency the devices hopped to next, it would be crowded with garbage. Finally, Bluetooth devices agree upon the hopping sequence and it's repetitive, meaning you could simply eavesdrop on the hopping sequence and synchronize your jamming equipment to hop on the next used frequency and jam right before the other devices started talking.

In direct sequence transmission, each bit is instead encoded to a bunch of bits. Both parties agree on a 'chip', which is used for each 1 transmitted. That chip might be 10010110, for instance. Both WLANs and UMTS use a sort of chipping, although technically UMTS isn't a DSSS technology. Now every time A wants to send the bit 1 to B, A sends 10010110 instead. Every time anyone wants to send a zero, they send the chip inverted, i.e. 01101001. In UMTS for example, the chip size might vary from 8 bits to 512 bits. If only one of those bits makes it to the other side, the other side will know what the sender wanted to send. In our example, B need only hear XXXX1XXX and B will know that because the fifth bit of the sent chip was 1, it was the chip inverted and thus the other side sent a zero.

Then there's of course the bigger question of signal behaviour. Regular broadcast antennas can always be drowned, but jamming directed signals is a lot harder. Whereas it would be almost impossible to jam a laser beam or even a hefty microwave link, such as those often used to interjoin two local area networks, it still might be possible to jam a direct-antenna WLAN transmission with enough garbage. As to today's GSM networks, they simply use a wideband transmission, but if the phone and base station find noise in their frequency of choice, they will change to another frequency.

Executive summary: broadcast antennas are worse than directional, and to effectively jam communications between WLAN or UMTS parties you will need a very high power transmitter with a wide, wide band, and you will need to jam each and every bit; if even one bit of the chip makes it to the other side the message will be intelligible. With Bluetooth, you also have to simply jam on a very wide band (you need a very advanced and smart jamming device) or you can have a very smart jamming device that jams on the right frequencies at any given time.

After all, you'll never be safe from jamming or eavesdropping on a shared medium. You'll never get 100 % security, but with today's wireless networks, jamming is very hard and will require sophisticated equipment.

TONI HEINONEN, CISSP
TELEWARE OY
Telephone +358 (9) 3434 9123 * Fax +358 (9) 3431 321
Wireless +358 40 836 1815
Kauppakartanonkatu 7, 00930 Helsinki
toni.heinonen () teleware fi * www.teleware.fi
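The chipping scheme Toni describes above (every 1 bit sent as the agreed chip, every 0 as the chip inverted, and the receiver able to decide from whichever chip bits it actually hears), written out as a small simulation. This is an added example, not code from the original message or from any of the products it mentions. The chip value 10010110 and the XXXX1XXX case come from the post; the channel model (erased positions marked X, plus bit flips from noise), the majority-vote decoder and all function names are assumptions made here. It goes slightly beyond the post in that it also handles flipped bits, not just bits that were never heard.

```python
"""DSSS chipping as described in the post, as a small simulation.

Added example; not code from the original message. The chip value
10010110 is taken from the post; the erasure ("X" = bit not heard) and
bit-flip channel models and all function names are assumptions made here.
"""

CHIP = "10010110"                                      # agreed chip (from the post), sent for a 1
INV = "".join("1" if c == "0" else "0" for c in CHIP)  # chip inverted, sent for a 0


def spread(bits):
    """Map each data bit to the chip (for 1) or the inverted chip (for 0)."""
    if set(bits) - {"0", "1"}:
        raise ValueError("data bits must be a string of 0s and 1s")
    return [CHIP if b == "1" else INV for b in bits]


def despread(received):
    """Decode one received chip of the same length as CHIP.

    Positions marked "X" were not heard (jammed or erased) and are ignored.
    Every heard bit is a vote: it agrees either with CHIP (sender sent 1)
    or with INV (sender sent 0), never both, because INV is CHIP's complement.
    Returns "1", "0", or None when the votes tie (including the case that
    nothing at all was heard).
    """
    if len(received) != len(CHIP):
        raise ValueError("received chip has wrong length")
    votes_one = sum(1 for r, c in zip(received, CHIP) if r != "X" and r == c)
    votes_zero = sum(1 for r, c in zip(received, INV) if r != "X" and r == c)
    if votes_one > votes_zero:
        return "1"
    if votes_zero > votes_one:
        return "0"
    return None


def jam(chip, erased=(), flipped=()):
    """Assumed channel model: erase some chip positions, flip others."""
    out = []
    for i, c in enumerate(chip):
        if i in erased:
            out.append("X")
        elif i in flipped:
            out.append("1" if c == "0" else "0")
        else:
            out.append(c)
    return "".join(out)


def recover(bits, erased=(), flipped=()):
    """Spread `bits`, push every chip through the jammed channel, despread.

    Returns the decoded string, with "?" for any chip the receiver could
    not decide.
    """
    decoded = []
    for chip in spread(bits):
        symbol = despread(jam(chip, erased, flipped))
        decoded.append(symbol if symbol is not None else "?")
    return "".join(decoded)


if __name__ == "__main__":
    # The post's own case: B hears only the fifth chip bit, and hears a 1.
    print(despread("XXXX1XXX"))                             # 0
    # Seven of eight chip bits jammed on every chip: still decodable.
    print(recover("1011", erased={0, 1, 2, 3, 5, 6, 7}))   # 1011
    # Three of eight chip bits flipped by noise: the majority still wins.
    print(recover("1011", flipped={0, 3, 7}))               # 1011
    # Four of eight flipped: the votes tie and the receiver cannot decide.
    print(recover("1", flipped={0, 1, 2, 3}))               # ?
```

The point of the simulation is the availability argument in the post: with a pure erasure channel a single surviving chip bit is enough, and with bit flips the jammer has to corrupt at least half of every chip before the receiver loses the bit, which is why the chip length (8 to 512 in the UMTS figures quoted above) sets how much garbage an attacker has to inject per data bit.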