Published
- 7 min read
DECT Jamming with HackRF
“We’re jammin, jammin - And we hope you like jamming, too.” - Bob Marley
Since the wave of a particular new law in Germany doesn’t provide us personally with any good news - for health reasons we can’t join the party - we decided to celebrate along with the things we can do, and at the same time, overcome our personal fear to do things that may cross into legally grey areas.
Signal Jamming Disclaimer
Receiving free airwaves is one thing - sending intentional disruptive signals another. We made this short lab experiment under controlled and well-defined conditions.
Don’t try this at home.
Attempts to jam certain frequencies may easily cause harm to people - including yourself.
Let’s get Jammin
We’re looking at various parameters that define how a jamming attack might be conducted on wireless communications. Understanding these will help in identifying potential attacks and, therefore, in strengthening defenses.
WiFi Jamming
besides the legal aspects (it’s forbidden), Wifi and Bluetooth are very resistant against jamming. The reason is that they use a spread spectrum technology.
This means that the signal is spread over a wide frequency range, making it difficult to jam the entire signal. The spread spectrum technology also allows the receiver to pick up the signal even if parts of it are jammed, channel hopping and channel balancing work actively against such attacks.
DECT Jamming
To keep it as local as possible, DECT is a far better example target.
DECT is a digital communication standard used for cordless phones. DECT operates in the 1.9 GHz frequency range and uses time division multiple access (TDMA) to divide the frequency into time slots. DECT is more susceptible to jamming than WiFi because it uses a fixed frequency and time slot for communication. A jammer can target these specific frequencies and time slots to disrupt DECT communication.
Watch With Audio Enabled
We succesfully jammed a DECT phone for a minute - yet also with a +20dB gain amplifier, and being very close to the target, the connection wasn’t completely interrupted at all attempts, sometimes it worked, sometimes it didn’t.
But it’s a fun learning excercise nevertheless.
General Jamming Settings Explained
again orienting mostly on Wifi, as most people know a little bit about it and it can be used for learning due to it’s strong resistance against disruptive signals.
However most parameters are the same of any type of jamming, and HackRF with the latest Mayham will provide a range of presets for all situations.
Key Parameters:
- Range (Start, Center, Stop, Width kHz):
- Start/Stop: Defines the frequency range over which the jamming will occur.
- Center: The central frequency around which the jamming attack focuses.
- Width: The bandwidth over which the jamming signal is spread. A wider bandwidth means the jammer affects a broader range of frequencies.
- Type:
- RND CW (Random Continuous Wave): Random frequencies are jammed with a constant signal.
- CW SWEEP (Continuous Wave Sweep): A constant signal that sweeps across a range of frequencies.
- FM Tone: Frequency Modulated tone jamming, where the carrier frequency is modulated.
- RND FSK (Random Frequency Shift Keying): Randomly shifts between frequencies, potentially jamming multiple bands unpredictably.
- Speed: The rate at which the jammer changes its operational frequency.
- Hop: The interval before the jamming signal hops to another frequency.
- TX (Transmission Time): How long the jammer actively transmits the jamming signal.
- Sleep: The duration for which the jammer goes inactive between transmission bursts.
- Jitter: Variability in the timing to make detection and counteraction difficult. Expressed as a fraction of the hop time.
Typical Communication Ranges and Potential Jamming Parameters:
For detecting jammers, it’s essential to know the frequency ranges and characteristics of the signals being targeted. Here’s a table outlining typical communication ranges and suggested jamming parameters:
| Comm Range | Frequency Range | Typical Jamming Type | Speed | Hop Time | TX Duration | Sleep Time |
|---|---|---|---|---|---|---|
| WiFi 2.4GHz | 2400-2483.5 MHz | CW SWEEP, RND CW | 100Hz - 10Khz | 50ms - 1s | 10s - 60s | 1s - 30s |
| WiFi 5GHz | 5150-5850 MHz | CW SWEEP, RND CW | 100Hz - 10Khz | 50ms - 1s | 10s - 60s | 1s - 30s |
| GSM | 850/900/1800/1900 MHz | RND FSK, FM Tone | 1Khz - 100Khz | 100ms - 5s | 30s - 180s | 10s - 60s |
| Freenet | 2400-2483.5 MHz (Similar to WiFi 2.4) | RND CW, CW SWEEP | 100Hz - 1Khz | 100ms - 2s | 20s - 120s | 5s - 30s |
Understanding these parameters and how they apply to the frequency ranges and technologies you’re trying to protect is crucial for setting up detection and mitigation strategies. Detection involves looking for anomalies in these parameters that could indicate jamming activities, such as unexpected frequency hopping, continuous transmission over expected idle periods, or signal characteristics that don’t match the expected profiles for legitimate devices.
Jitter, in the context of jamming attacks, introduces variability in timing parameters to make the jammer less predictable and harder to detect or counter. It’s typically applied to the Hop time but can also affect other timing aspects like TX Duration and Sleep Time. Let’s delve a bit deeper:
Understanding Jitter
Jitter: Expressed as a fraction (e.g., 1/60 to 60/60), it represents variability in the timing of the jammer’s actions. If the hop time is set at 1 second with a jitter of 1/60, it means the actual hop time could vary by ±1/60th of a second, making it either slightly faster or slower.
Application in Jamming
The use of jitter in a jamming attack makes the pattern of the jammer’s frequency hopping, transmission times, and sleep intervals irregular. This irregularity is a countermeasure against detection systems that look for consistent patterns or timing intervals to identify malicious activities. By varying these intervals randomly within a defined range, a jammer can avoid creating a detectable pattern.
Impact on Detection and Countermeasures
- Detection: Systems designed to detect jammers need to account for jitter by looking for anomalies over a broader range of timing variations. This complicates detection because the system can’t rely on fixed intervals or patterns.
- Countermeasures: Effective countermeasures must adapt dynamically to detect and mitigate the impact of jammers with jitter. Techniques might include statistical analysis to identify outliers in communication patterns or adaptive filtering methods that can adjust to the variability introduced by jitter.
Example in the Given Context
If you’re trying to detect a jammer in a WiFi 2.4 GHz environment that employs jitter in its hopping pattern, your detection system should not only monitor for the expected hop times (e.g., every 100ms) but also for variations around this value caused by jitter. This means looking for hops that might occur slightly earlier or later than the base interval, recognizing that these variations are part of the jamming strategy.
Jitter makes jamming attacks more sophisticated by adding a layer of unpredictability, requiring more advanced and adaptable detection methods to effectively identify and mitigate these attacks.
Simplified Overview
https://en.wikipedia.org/wiki/List_of_WLAN_channels#2.4_GHz_(802.11b/g/n/ax)
- Channels: There are 14 channels designated in the 2.4 GHz range for Wi-Fi, spaced 5 MHz apart, except before channel 14, where there’s a 12 MHz gap.
- Frequency Usage: Different parts of the world and different devices may use these channels differently. Most of the world can use channels 1-13, but channel 14 is unique to Japan for 802.11b (DSSS/CCK) only.
- Interference: Overlapping channels can cause interference, which may lead to network slowdowns. To avoid this, it’s common to use channels 1, 6, and 11 in many places since they don’t overlap.
- Channel Bonding: In the 2.4 GHz band, two 20 MHz channels can be bonded to form a 40 MHz channel for faster data transmission. The primary 20 MHz channel is used for signaling and backward compatibility; the secondary is used for data at full speed.
Simplified Table for 2.4 GHz Wi-Fi Channels
| Channel | Center Frequency (MHz) | Frequency Range (MHz) | Used in Most of the World | Used in North America | Used in Japan | Notes |
|---|---|---|---|---|---|---|
| 1 | 2412 | 2401–2423 | Yes | Yes | Yes | |
| 2 | 2417 | 2406–2428 | Yes | Yes | Yes | |
| 3 | 2422 | 2411–2433 | Yes | Yes | Yes | |
| … | … | … | … | … | … | |
| 11 | 2462 | 2451–2473 | Yes | Yes | Avoided | Low power in US |
| 12 | 2467 | 2456–2478 | Yes | Avoided | No | Low power in US; Adjacent to restricted band |
| 13 | 2472 | 2461–2483 | Yes | Avoided | No | |
| 14 | 2484 | 2473–2495 | No | No | Yes (11b only) | DSSS/CCK modes only in Japan |
Technical Notes
- Channel Bonding: Denoted by combining channels (e.g., 1+5). Primarily used in the 2.4 GHz band for enhanced speed.
- Interference Management: Channels 1, 6, and 11 are widely used to minimize interference as they do not overlap.
- Regulatory Differences: Regulations vary by country, affecting channel availability and power levels.
Conclusion
We hope that we provided an easy and fun introduction into the world of airwaves - angels live here, so treat carefully.