
Physical Layer Jamming Threats

posted May 21, 2016, 9:13 PM by Michael Lenart   [ updated Jun 2, 2016, 4:24 PM ]
Michael Senft

Introduction

With the intense focus on application layer cyberattacks such as Stuxnet, it is easy to overlook that the foundation of communications is the physical layer. Unhindered access to the Radio Frequency (RF) spectrum is critical to a wide range of both commercial and military communications systems. The threat to wireless communications from jamming has dramatically increased due to jammers that incorporate Digital Radio Frequency Memory (DRFM) and Software Defined Radio (SDR) technologies. Recent advances in computing power, memory capacity, and memory speed have produced effective, low-cost DRFM and SDR systems capable of capturing, manipulating, and replaying RF signals, greatly facilitating intelligent jamming.

Intelligent Jamming

Jamming is the process of "placing a signal into the receiver that interferes with the reception or processing of the desired signal". [1] Traditional jamming targets the physical layer to interfere with reception of transmitted signals, while intelligent or smart jamming targets specific parts of the signal to interfere with the reception and/or processing of the desired signal by impacting the logical layers of the receiver. [2] Intelligent jamming is able to achieve the denial or degradation of desired signal reception at significantly lower power levels compared to traditional jamming techniques. It does this by using modified signals based on captured waveforms or a priori knowledge of waveform or protocol implementation details. [3] These modified signals may have nearly the same attributes as valid signals, which could allow them to overcome techniques such as processing gain that would otherwise reduce jamming effectiveness. [4]

Jamming digital RF signals requires achieving a Jamming-to-Signal ratio sufficient to raise the Bit Error Rate (BER) above the threshold required to disrupt communication, which varies depending on the waveform and modulation used, as well as the information/data being sent. [5] As a rough generalization, digital RF signals only need to be jammed a small fraction of the time (maybe one-third) to introduce sufficient errors to prevent the targeted receiver from performing correct demodulation and digital data extraction (that is, processing) of the signal. [6] The ability of DRFM and SDR systems to capture, manipulate and replay RF signals is a powerful capability that significantly enhances jamming effectiveness, while reducing the power required for jamming.

Digital Radio Frequency Memory (DRFM)

DRFM systems digitally capture RF signals using fast digital memory and high-speed sampling to store the information required to replicate these signals. [7] DRFM systems are capable of generating precise and coherent replicas of captured signals, making them useful for radar and communications jamming. [8] The double sideband DRFM system illustrated in Figure 1 digitizes both the in-phase (I) and quadrature (Q) components of the signal, enabling more complex processing and analysis. [9] At a high level, in-phase (I) and quadrature (Q) are two components of a signal that, when captured, allow the original signal to be replicated. Double sideband DRFM systems are those that can capture both the in-phase (I) and quadrature (Q) components of a signal, enabling near perfect replication of the original signal. DRFM systems function by down converting received signals to a frequency compatible with the analog to digital converter (ADC), which is typically achieved through the use of a superheterodyne receiver. [10] Down-conversion is the translation of signals at a higher frequency into a signal at a frequency where the components of the DRFM system are designed to operate. This DRFM system uses a bandpass filter and low pass filters (LPF) to deliver only the desired signal to the ADC for digitization into bits. [11] Once the signal is digitized, it is strobed into memory. [12] Strobing is a technique that enables data to be quickly recorded to computer memory. Dual-ported memory allows the simultaneous recording and replay of captured signals. [13] The replayed signals are sent to the digital to analog converter (DAC) for conversion into an analog signal, which is then sent to a frequency up converter to convert the signal back to the original frequency for transmission. [14]

Figure 1. Block Diagram of a Double Sideband DRFM
(Reprinted from Advanced Techniques for Digital Receivers by P. Pace, 2000)

Current commercial off-the-shelf (COTS) DRFM systems are capable of receiving analog signals, converting the analog signal to a digital signal, processing and manipulating the digitized signal, and converting the modified signal back to an analog signal for transmission in less than 39 nanoseconds. [15] DRFM systems have the ability to manipulate captured signals at the bit level once the signal has been converted from analog to digital by the ADC. This ability to manipulate individual bits inside of a signal is a potent capability that wasn't feasible a decade ago when many current radio communications systems were developed. 

DRFM Intelligent Jamming Via Man-in-the-Middle Attack

DRFM systems significantly enhance the probability of disrupting wireless communications because they are able to capture precise and coherent replicas of signals, manipulate these signals, and then retransmit these modified signals, all within tens of nanoseconds. In this scenario a DRFM system is used to conduct a so-called man-in-the-middle attack (MITM) against a targeted RF receiver. In an MITM attack, an attacker has the ability to alter traffic in a communications channel by injecting themselves into the communications channel between the transmitter and intended receiver. With wireless communication, an attacker does not need to be physically between the original transmitter and desired receiver to conduct an MITM attack. The attacker needs only to be located in a position that allows them to transmit jamming signals with a total delay less than the signal reception time window and at a power level sufficient to be processed by the target receiver.

There is a non-trivial increase in delay between the MITM attack and the direct path delay. Delays are increased in the MITM attack compared to the direct path delay due to the propagation delay between the transmitter and the DRFM receiver, the processing delay introduced by the DRFM components, and the propagation delay from the DRFM transmitter to the targeted receiver. Transmission delay within the DRFM transmitter is assumed to be negligible. Propagation delay is calculated by dividing the distance covered by the speed of light, which is roughly 3 x 10^8 meters per second. Processing delays in current COTS DRFM systems are less than 0.04 microseconds. [16] The 0.04 microsecond delay introduced by processing is equivalent to increasing the propagation length by 12 meters, making its impact nearly negligible for total delay calculations.

The jamming geometry has the greatest impact on the total delay of an MITM attack compared with the delay of the original, intended signal. If the path of the original, intended signal is 5000 meters, the propagation delay is approximately 16.67 microseconds. If the DRFM jammer is located 3000 meters from the original transmitter and 3000 meters from the intended receiver, the total path distance increases to 6000 meters. This would increase the propagation delay to 20 microseconds, a nearly 20% increase over the original path. Location and timing are two parameters used by Digital Signal Processors (DSP) to detect and select signals that cannot be copied by DRFM systems, unlike the frequency, amplitude, phase and polarization parameters of a signal. As such, jamming geometry presents a challenge to an adversary attempting to conduct an MITM attack. The exact nature and difficulty of overcoming these challenges depend on the radio and waveform used.
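The delay comparison above, worked through in code as an added example (not part of the article): it reproduces the 5000 m direct path against a jammer 3000 m from each end, and adds a receiver-side timing check. It assumes a flat two-dimensional geometry, the article's rounded speed of light and 0.04 microsecond DRFM processing delay, and a hypothetical receiver guard window (`window_s`) that the article does not specify.

```python
import math

C_M_PER_S = 3.0e8             # speed of light, rounded as in the article
DRFM_PROCESSING_S = 0.04e-6   # COTS DRFM processing delay quoted in the article


def distance_m(a, b):
    """Straight-line distance between two (x, y) points in metres (2-D assumed)."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def propagation_delay_s(distance):
    """Free-space propagation delay for a path of the given length."""
    return distance / C_M_PER_S


def direct_delay_s(tx, rx):
    """Delay of the intended signal travelling straight from transmitter to receiver."""
    return propagation_delay_s(distance_m(tx, rx))


def relay_delay_s(tx, rx, jammer, processing_s=DRFM_PROCESSING_S):
    """Delay of a copy captured, processed and replayed by a DRFM at `jammer`:
    tx -> jammer propagation + DRFM processing + jammer -> rx propagation.
    Transmit delay inside the jammer is taken as negligible, as in the article."""
    return (propagation_delay_s(distance_m(tx, jammer)) + processing_s
            + propagation_delay_s(distance_m(jammer, rx)))


def excess_delay_s(tx, rx, jammer, processing_s=DRFM_PROCESSING_S):
    """How much later the replayed copy arrives than the direct signal."""
    return relay_delay_s(tx, rx, jammer, processing_s) - direct_delay_s(tx, rx)


def arrives_in_window(tx, rx, jammer, window_s, processing_s=DRFM_PROCESSING_S):
    """Defender's check (hypothetical guard window): would a receiver that accepts
    energy only within `window_s` of the expected direct arrival still accept the copy?"""
    return excess_delay_s(tx, rx, jammer, processing_s) <= window_s


def equidistant_jammer_position(tx, rx, leg_m):
    """A point `leg_m` from both tx and rx (one of two mirror solutions), used to
    build the article's 3000 m / 3000 m geometry. None if no such point exists."""
    base = distance_m(tx, rx)
    if 2 * leg_m < base:
        return None
    h = math.sqrt(leg_m ** 2 - (base / 2) ** 2)      # height above the tx-rx line
    ux, uy = (rx[0] - tx[0]) / base, (rx[1] - tx[1]) / base
    mid = ((tx[0] + rx[0]) / 2, (tx[1] + rx[1]) / 2)
    return (mid[0] - h * uy, mid[1] + h * ux)


if __name__ == "__main__":
    tx, rx = (0.0, 0.0), (5000.0, 0.0)               # constructed 5000 m direct path
    jammer = equidistant_jammer_position(tx, rx, 3000.0)
    print(f"direct {direct_delay_s(tx, rx) * 1e6:.2f} us, "
          f"relay {relay_delay_s(tx, rx, jammer) * 1e6:.2f} us, "
          f"excess {excess_delay_s(tx, rx, jammer) * 1e6:.2f} us")
```

A jammer sitting exactly on the transmitter-receiver line can only shave the excess delay down to the DRFM processing delay itself, which is why timing is one of the parameters the article singles out as uncopyable.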

Message preambles are critical to the function of nearly all digital communications systems. A preamble is the first part of a transmission that contains information about the data being transmitted to allow the receiver to correctly process the data payload. An adversary may want to leave the preambles unchanged to maximize successful reception of signals transmitted by the DRFM system and instead focus on manipulation of the data payload in the signal. A transmission with a manipulated data payload would be almost indistinguishable from a poor signal. Testing would be required to determine the number of bits in the payload portion that need to be changed to prevent the payload from being decrypted due to the number of errors exceeding the ability of forward error correction codes to recover from them.

Alternatively, an adversary could choose to manipulate the preamble. Because the preamble contains information such as time synchronization and digital modulation, it may be possible to modify a very small portion of the preamble to make the signal payload unreadable. In a signal modulated with an 8 Phase Shift Keying (PSK) technique, the preamble will contain the modulation information to allow the receiving terminal to correctly demodulate the signal. PSK is a modulation technique to allow more data to be transmitted in a signal, with 16 PSK transmitting more data than 8 PSK. The receiver must know what modulation is being used to be able to correctly demodulate and process the signal. The flipping of one or more bits in the preamble could modify the modulation technique to 16 PSK. If a modified preamble is received by the targeted terminal, it would be unable to demodulate the signal because it would use the incorrect 16 PSK modulation instead of the actual correct modulation of 8 PSK. Minimizing modification of the captured signal has the benefit of retaining much of the coding responsible for processing gain in some waveforms.

Software Defined Radio

An SDR is a "radio in which some or all of the physical layer functions are software defined". [17] Unlike hardware based radios, which require physical modification to alter function of the radio, SDRs are reprogrammable, requiring only updated programming code to accommodate a new waveform or add new functionality. An SDR, like a DRFM system, requires a frequency down converter and up converter to obtain the digital signal from the analog carrier so it can be manipulated and injected back into the analog carrier for transmission. An SDR receiver works by 1) capturing a signal, 2) converting the signal to an intermediate frequency (IF), 3) converting the analog to digital using an ADC, 4) down converting the signal to a baseband signal, and 5) sending the signal to a DSP for conversion into a data stream. [18] This data stream can then be analyzed to identify the preamble and payload in the signal.

In an SDR transmitter, the input signal generated by a DSP or field programmable gate array (FPGA) is sent to a DAC to convert the signal to an analog IF signal, and then is upconverted to an RF frequency and sent to the antenna as illustrated in Figure 2. The input signal feeding into the baseband processing segment can be: a) an unaltered replay of the same originally captured signal (perhaps with added delay), b) a signal completely generated by the DSP (i.e., of the intelligent jammer's choosing), or c) a partial/selective modification of the originally captured signal.

Figure 2. SDR Transmitter Diagram [19]

SDR systems lack the ability to manipulate signals as rapidly as hardware-based DRFM systems because software-based systems are inherently slower than purpose-built hardware systems. However, having radio functions defined in software enables an SDR to be rapidly reconfigured to perform additional roles, making them highly flexible for a wide range of applications. Popular SDRs include the Universal Software Radio Peripheral (USRP) line sold by Ettus Research, HackRF made by Great Scott Gadgets, and AirSpy sold by AirSpy.com. Most of these are available for less than $500. These SDRs are able to use GNU Radio software, SDR# software or other SDR software for configuration and control of these devices. The wide availability of COTS SDR equipment makes it likely that these systems will appear on future battlefields as their low cost enables even non-state actors to acquire these devices. SDR systems have already been used by hobbyists to conduct eavesdropping attacks against baby monitors, disabling and tampering with RF-based home alarm systems, and defeating automobile keyless entry systems. [20]

SDR Intelligent Jamming

SDRs lack the processing speed to conduct MITM attacks like DRFM systems. As such, SDRs are better suited to conduct more traditional reactive jamming, since they are unable to manipulate signals in near real-time like DRFM systems in the previous MITM example. In traditional reactive jamming, a jammer sends out signals to jam the targeted receiver only when it detects pre-defined activity in a communications channel. [21] Sending jamming signals only in the presence of a signal of interest makes determining the location of the jammer much more difficult as it minimizes the transmissions of the jammer. Reuse of the data portion of previously transmitted signals for the basis of the jamming may provide more effective jamming depending on the radio and waveform. While SDR intelligent jamming isn't as responsive as intelligent jamming with DRFM systems, SDRs can be easily modified using updated software to detect an ever-changing variety of signals of interest and create new signals based upon mission requirements for use in jamming attacks.

Conclusion

The threat posed by jammers incorporating DRFM and SDR technologies will increase as these systems proliferate on the battlefield due to low system costs, increased system performance, and demonstrated operational effectiveness of these adaptable systems. Cyber, Electronic Warfare and Signal professionals alike need to be aware of the capabilities of DRFM and SDR systems and their potential impact on tactical, operational and strategic communications systems. The Army Operating Concept, Win in a Complex World, highlights that state and nonstate actors will use technology to disrupt U.S. advantages in communications and surveillance. [22] DRFM and SDR are two such technologies and are therefore worthy of greater awareness.



MAJ Michael Senft is a Functional Area 24 (FA24) officer currently assigned to the Office of the Chief of Signal as the FA24 Career Program Manager. Michael has completed multiple deployments as a Network Engineer supporting Joint and Special Operations units. He holds a Master's Degree in Computer Science from the Naval Postgraduate School, a Master's Degree in Engineering Management from Washington State University, and a Bachelor's Degree in Mining Engineering from Virginia Tech.





[1] Adamy, D. (2006). Introduction to electronic warfare modeling and simulation. Boston, MA: Artech House.

[2] Poisel, R. (2011). Modern communications jamming principles and techniques (2nd ed.). Boston, MA: Artech House.

[3] Proaño, A., & Lazos, L. (2010). Selective jamming attacks in wireless networks. Proceedings of the 2010 IEEE International Conference on Communications, 1-6. doi: 10.1109/ICC.2010.5502322

[4] Adamy, D. (2004). EW 102: A second course in electronic warfare. Boston, MA: Artech House.

[5] Poisel, R. (2011).
 
[6] Adamy, D. (2004).

[7] Pace, P. (2000). Advanced techniques for digital receivers. Boston, MA: Artech House.

[8] Ibid.

[9] Ibid.

[10] Ibid.

[11] Ibid.

[12] Ibid.

[13] Ibid.

[14] Ibid.

[15] Annapolis Micro Systems (2014). Annapolis announces delivery of DRFM-optimized 24ns latency 1.5Gsps mezzanine card. Retrieved from http://www.annapmicro.com/annapolis-announces-delivery-of-drfm-optimized-24ns-latency-1–5gsps-mezzanine-card/

[16] Ibid.

[17] Wirelessinnovation.org. (n.d.). What is software defined radio. Retrieved from http://www.wirelessinnovation.org/assets/documents/SoftwareDefinedRadio.pdf

[18] Hosking, R. (2010). Software defined radio handbook. Upper Saddle River, NJ: Pentek, Inc.

[19] Topituuk, T. (Artist). (2009). Software Defined Radio Scheme [Picture]. Retrieved from https://upload.wikimedia.org/wikipedia/commons/2/22/SDR_et_WF.svg

[20] Cesare, S. (2014). Breaking the security of physical devices. Retrieved from http://regmedia.co.uk/2014/08/06/dfgvhbhjkui867ujk5ytghj.pdf

[21] Stavrou, A., Bos, H. & Portokalidis, G. (2014). Research in attacks, intrusions and defenses: 17th International Symposium. New York, NY: Springer.

[22] U.S. Department of the Army. (2014). The Army Operating Concept, Win in a Complex World. TRADOC Pamphlet 525-3-1. Washington, DC: U.S. Department of the Army. Retrieved from http://www.tradoc.army.mil/tpubs/pams/tp525-3-1.pdf