Vulnerability Development mailing list archives

RE: Wireless device vulnerability?


From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Sat, 23 Mar 2002 18:30:41 +0200

Please excuse the search for a low-tech vulnerability to a high-tech
implementation.

How susceptible are various wireless networking implementations to
jamming (as a means to a DoS)?

Thank you.
-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566


That depends wholly on the transmission technology used. Almost all wireless technologies today don't transmit their 
information through a normal narrowband transmission, but instead use spread spectrum transmission. Mobile phones have 
used spread spectrum since GSM. WLANs and Bluetooth also use spread spectrum. Instead of transmitting on a narrow band 
of frequencies loudly, they transmit with less power, but on a wider spectrum. Thereby even VERY LOUD jamming on a given 
frequency (normally narrowband) will not disturb the signal. See below: the transmitted signal, with jamming shown as Xs.

Narrowband:

S
t
r|      __
e|      ||
n|      ||
g|      ||
t|      ||
h+---------------
   Frequency

Narrowband with jamming:

S
t        XX
r|      _XX
e|      |XX
n|      |XX
g|      |XX
t|      |XX
h+---------------
   Frequency

The signal is nearly drowned with normal jamming, when narrowband transmission is used.

Spread spectrum:

S
t
r|
e|
n|
g| ____________
t| |          |
h+---------------
   Frequency

Spread spectrum with jamming:

S
t
r|    XX
e|    XX
n|    XX
g| ___XX_______
t| |  XX      |
h+---------------
   Frequency

So as we can see, spread spectrum transmission, even while jammed with regular methods, is very robust. Jamming on a 
wider spectrum is not only less common than regular, dumb, jamming, but also more difficult.

Besides spread spectrum transmission, additional transmission tricks are also used not only for security but also for 
more robust communications, not only because of being less vulnerable to jamming but to ordinary noise, too.

The two main schools here are frequency hopping (with spread spectrum, FHSS) and direct sequence (with spread spectrum, 
DSSS). Bluetooth is FHSS; UMTS networks are DSSS (kind of); there are two WLAN types, one that transmits using FHSS and 
one that transmits using DSSS. However, practically no one uses or manufactures the FHSS WLANs and they are dying out.

Frequency Hopping Spread Spectrum (FHSS), as seen in Bluetooth, changes the base frequency of the spread spectrum 
transmission every so often. For instance, in Bluetooth, the frequency is switched every 400 milliseconds, or two and a 
half times every second.

If the jamming is happening on a single, narrow band, Bluetooth transmission will only be jammed for that given 400 
milliseconds and then the devices will switch to another frequency again. Of course, if the malicious radio activist is 
using more advanced jamming devices, the devices can send jamming garbage on a really wide band. After all, even the 
frequency band that the Bluetooth devices hop WITHIN is narrow, so basically you could jam that whole band and no 
matter what frequency the devices hopped to next, it would be crowded with garbage.

Finally, Bluetooth devices agree upon the hopping sequence and it's repetitive, meaning you could simply eavesdrop on the 
hopping sequence and synchronize your jamming equipment to hop on the next used frequency and jam right before the 
other devices started talking.

In direct sequence transmission, each bit is instead encoded to a bunch of bits. Both parties agree on a 'chip', which 
is used for each 1 transmitted. That chip might be 10010110, for instance. Both WLANs and UMTS use a sort of chipping, 
although technically UMTS isn't a DSSS technology. Now every time A wants to send the bit 1 to B, A sends 10010110 
instead. Every time anyone wants to send a zero, they send the chip inverted, i.e. 01101001. In UMTS for example, the 
chip size might vary from 8 bits to 512 bits. If only one of those bits makes it to the other side, the other side will 
know what the sender wanted to send. In our example, B need only hear XXXX1XXX and B will know that because the fifth 
bit of the sent chip was 1, it was the chip inverted and thus the other side sent a zero.

Then there's of course the bigger question of signal behaviour. Regular broadcast antennas can always be drowned, but 
jamming directed signals is a lot harder. Whereas it would be almost impossible to jam a laser beam or even a hefty 
microwave link, such as those often used to interjoin two local area networks, it still might be possible to jam a 
direct-antenna WLAN transmission with enough garbage.

As to today's GSM networks, they simply use a wideband transmission, but if the phone and base station find noise in 
their frequency of choice, they will change to another frequency.

Executive summary: broadcast antennas are worse than directional, and to effectively jam communications between WLAN or 
UMTS parties you will need a very high power transmitter with a wide, wide band and you will need to jam each and every 
bit; if even one bit of the chip makes it to the other side the message will be intelligible. With Bluetooth, you also 
have to simply jam on a very wide band (you need a very advanced and smart jamming device) or you can have a very smart 
jamming device that jams on the right frequencies at any given time.

After all, you'll never be safe from jamming or eavesdropping on a shared medium. You'll never get 100 % security, but 
with today's wireless networks, jamming is very hard and will require sophisticated equipment.

TONI HEINONEN, CISSP
   TELEWARE OY
   Telephone  +358 (9) 3434 9123  *  Fax  +358 (9) 3431 321
   Wireless  +358 40 836 1815
   Kauppakartanonkatu 7, 00930 Helsinki
   toni.heinonen () teleware fi  *  www.teleware.fi
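Added example (not code from the thread or from either poster): a toy model of the direct-sequence chipping described in the reply, using the post's 10010110 chip. Jamming is modelled the way the XXXX1XXX illustration does, as chips the receiver could not hear (erasures); the function names and that erasure model are my assumptions.

```python
"""Toy direct-sequence spreading, after the chip example in the post.

Each data bit 1 is sent as the agreed chip sequence, each 0 as the
inverted chip. Jamming is modelled as erasures: chips the receiver could
not hear are marked None (the 'X' in the post). Constructed example."""

CHIP = [1, 0, 0, 1, 0, 1, 1, 0]          # the 8-chip sequence from the post


def spread(bits, chip=CHIP):
    """Expand each data bit into one copy of the chip (1) or its inverse (0)."""
    out = []
    for b in bits:
        out.extend(chip if b == 1 else [1 - c for c in chip])
    return out


def jam(chips, start, length):
    """Simulate a jammer drowning `length` consecutive chips from `start`."""
    chips = list(chips)
    for i in range(start, min(start + length, len(chips))):
        chips[i] = None
    return chips


def despread(chips, chip=CHIP):
    """Recover data bits by correlating each chip-length window with the chip.

    Each heard chip votes +1 if it matches the chip sequence (bit 1) and -1
    if it matches the inverse (bit 0). Erased chips abstain. A window with
    no surviving chips is returned as None (undecodable), which is the
    wide-band, every-chip jamming case the post says you would need."""
    n = len(chip)
    bits = []
    for w in range(0, len(chips), n):
        window = chips[w:w + n]
        score = 0
        heard = 0
        for received, expected in zip(window, chip):
            if received is None:
                continue
            heard += 1
            score += 1 if received == expected else -1
        bits.append(None if heard == 0 else int(score > 0))
    return bits


if __name__ == "__main__":
    sent = spread([1, 0, 1])
    print(despread(jam(sent, 0, 7)))     # one chip survives, still decodes
    print(despread(jam(sent, 8, 8)))     # whole chip erased: middle bit lost
```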

