DOI: 10.1145/3098243.3098253
research-article
Best Paper

Massive reactive smartphone-based jamming using arbitrary waveforms and adaptive power control

Published: 18 July 2017

ABSTRACT

It is not commonly known that off-the-shelf smartphones can be converted into versatile jammers. To understand how those jammers work and how well they perform, we implemented a jamming firmware for the Nexus 5 smartphone. The firmware runs on the real-time processor of the Wi-Fi chip and can reactively jam Wi-Fi networks in the 2.4 and 5 GHz bands using arbitrary waveforms stored in IQ sample buffers. This allows us to generate a pilot-tone jammer on off-the-shelf hardware. Besides a simple reactive jammer, we implemented a new acknowledging jammer that selectively jams only targeted data streams of a node while keeping other data streams of the same node flowing. To lower the increased power consumption of this jammer, we implemented an adaptive power control algorithm. We evaluated our implementations in friendly jamming scenarios to suppress non-compliant Wi-Fi transmissions and to protect otherwise vulnerable devices in industrial setups. Our results show that we can selectively hinder Wi-Fi transmissions in the vicinity of our jamming smartphone, leading to increased throughput for other nodes or no blockage of non-targeted streams on a jammed node. Consuming less than 300 mW, the reactive jammer allows mobile operation for more than 29 hours. Our implementation demonstrates that jamming communications has never been this simple or this available to every smartphone owner, while still allowing surgical jamming precision and energy efficiency. Nevertheless, it carries the danger of abuse by malicious attackers, who may take over hundreds of devices to massively jam Wi-Fi networks over wide areas.

    Published in

      WiSec '17: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks
      July 2017
      297 pages
      ISBN: 9781450350846
      DOI: 10.1145/3098243

      Copyright © 2017 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Acceptance Rates

      Overall Acceptance Rate: 98 of 338 submissions, 29%
