
S4 Preview: Jamming and Interference on 802.15.4 Wireless

I will be previewing one S4 2009 paper each week. Digital Bond’s SCADA Security Scientific Symposium is Jan 21-22 in Miami Beach with an advanced control system security course on Jan 20th. See the full agenda with detailed paper descriptions and register to be a physical or virtual S4 attendee.

This first preview deals with a subject rarely discussed because it is outside the area of expertise of most IT and control system security professionals.

Jamming and Interference Induced Denial of Service Attacks on IEEE 802.15.4 Based Wireless Networks

Most of the discussion on wireless control system security, whether it be ISA 100, WirelessHART, Zigbee or other 802.15.4 based protocols, has focused on authentication, encryption and other security technologies at layer 3 and above. Jake Brodsky and Anthony McConnell of the Washington Suburban Sanitary Commission will present a paper discussing whether all that protection is moot. Can an adversary, or an unintended broadcast, attack the physical layer and jam or interfere with the wireless signal to create a denial of service condition?

It’s hard to believe that there has been very little theoretical work and even less practical testing on this important topic. The intent of the paper is to review the validity of IEEE 802.15.4 Annex E, and to verify the performance of an adjacent-band carrier interference source, and even an ISM band carrier. Pulsed signal attacks, with the pulse width and repetition rates designed to hit each OFDM carrier on every channel, or to match the spread spectrum chip rate, will also be evaluated. Jamming/interference ranges will be discussed mostly in terms of decibel differences.

Improvements in security and availability when using antennas to focus radio energy toward particular areas of interest, and to exclude others, are discussed. There is at least one particular insight that ought to raise many eyebrows (and no, it’s not about polarization).

This is actually the first of two papers on 802.15.4. The second paper deals with Layer 2 hardware attacks and will be previewed next week.

Comments

Comment from Ron Southworth
Time: October 27, 2008, 7:00 pm

Hi Dale, Thanks Jake & Anthony for putting together a paper on jamming. Denial of service in an RF PHY is an effective attack that no amount of encryption can mitigate. Look forward to hearing about it post event. I hope you guys can even do a proof of concept!

Comment from Jake Brodsky
Time: October 28, 2008, 12:50 pm

We’ve purchased a handful of parts and we’re testing…

Comment from Ron Southworth
Time: October 28, 2008, 5:53 pm

Good to hear Jake.

Anything that can create a NAV hold off will be an effective demonstration and be fairly sophisticated. I think a crude broadband disruption of the baseband signals would be much more in keeping with what I think you are trying to demonstrate, and if it is broadband enough the demonstration device could be used for other frequencies and demonstrations than just the ISM band technologies.

Any help you need (not that I think you will be looking for any), just holler.

Pingback from Digital Bond » S4 Preview: Hardware Vulns in 802.15.4 Implementations
Time: October 30, 2008, 8:24 am

[...] Last week’s preview focused on physical layer vulnerabilities in IEEE 802.15.4, the protocol underlying Zigbee, ISA 100, WirelessHART and other protocols being considered and deployed in control systems. This week’s preview is a companion paper that focuses on IEEE 802.15.4 implementation errors at the data link layer. The two papers lead off S4 Day 2 and should be a very interesting pair. [...]
