Jamming 4G Cell Networks
MikeA • November 16, 2012 12:49 PM
Looks like the run-up to outlawing Software Defined Radio is go.
And I love the traffic signal analogy. Perhaps the bad guys will hire Benny Hill to do just that, until a large woman passes by…
Regis • November 16, 2012 1:02 PM
Oh my God! This cell network — it’s MADE OF RADIO!
Why were we not informed?
Dman • November 16, 2012 1:19 PM
“But unconventional security aspects, such as preventing signal jamming, have been largely overlooked.” Since when is jamming unconventional? Also I don’t see anything especially surprising about this other than the level of resiliency in the specification.
Matt • November 16, 2012 1:19 PM
But how will the government get all the new cool phones? Make them use (and carry) SINCGARS.
Mark • November 16, 2012 2:04 PM
I always thought SINCGARS was kind of a pain in the ass.
Jeff H • November 16, 2012 2:58 PM
I’m no communications engineer, but I was under the impression that jamming had always been feasible for pretty much any radio signal – it’s merely a question of outputting more signal power than the target over enough of the frequency range. It just so happens in this case that it seems that not much power is needed in a small frequency range.
I’m not terribly surprised that LTE designers didn’t consider jamming. After all, we got wireless LAN and Bluetooth signals sharing the same frequency space as various household appliances. Consideration of EM interference and compatibility is rarely sexy enough for companies to invest heavily in it – then someone thinks ‘hey this is nifty; lets’ carpet a city in this’.
Dom De Vitto • November 16, 2012 3:52 PM
This is why DECT phones are frequency hopping – so the control/data channels don’t clash for long.
Something less obvious is that jammers can be traced instantly if a couple of basestations can pick up the signal….how phone tracking works.
RobertT • November 16, 2012 4:16 PM
Nice little FUD piece, makes me wonder who paid for the research. I guess this means we all need need to get used to paying he QCOM tax on an ever larger array of devices.
moo • November 16, 2012 4:20 PM
Cory Doctorow has been predicting for a few years now that “the copyright wars” were just a small warmup for what he calls “the coming war on general purpose computation”: when other industries and/or government regulators, start trying to regulate or otherwise control the usage of general-purpose computers for things like software-defined radios, self-driving cars, implanted medical devices, 3d-printing technologies, and so on and so forth. He thinks the RIAA and MPAA are kind of puny compared to the other interests that are sooner or later going to be alarmed by the capabilities of general-purpose computers and the general-purpose network (the Internet) and start demanding that we put DRM into everything so that users can’t e.g. accidentally or intentionally turn a baby monitor into an air-traffic-control jammer just by loading different software onto it.
He’s given several talks like this one: http://www.youtube.com/watch?v=HUEvRyemKSg
moo • November 16, 2012 4:24 PM
@ Jeff H:
CDMA is spread-spectrum, which apparently makes it pretty difficult to jam (I thought that was actually the whole point of it). Too bad the LTE designers didn’t opt for that.
Clive Robinson • November 16, 2012 9:13 PM
Hmm, “Terrorist Jamming” not exactly a new idea, but has not happened as far as we know…
Have you ever wondered why?
Simple answer if you have the brains and skill to perform this type of trick you can be a lot more creative. And your creativity will get you a better bang for your buck.
That is 650USD will get you more explosives, weapons, etc all of which will provide rather visceral feedback via news reports very rapidly providing a high impact for the expenditure.
Jamming the emergancy responder comms won’t provide any more visceral feedback, and it might be weeks or months before it actually becomes news by which time it won’t effect the initial shock the terrorist is looking for.
So from a terrorist point of view it has a rather low ROI. Which is made worse by the fact that you will need skilled personnel to do the jamming over any kind of wide area. And other things such as area jammed is more related to the hight of the jammer not it’s power adds needless complexity and risk to the whole operation.
So what about high value crime not terrorism? here there might well be an advantage to jamming the first responder networks. But again only for a skilled and well disciplined team.
So what about techno-vandals such as groups of hackers doing a DoS style of attack. They certainly have the skills but in general such people have little or no funds so the 650USD cost of entry would in all likelyhood act as a deterant. Plus
as noted above if jamming becomes a problem the source can be fairly easily traced, it’s a question of response time which would after the first one or two attacks become very rapid. And then there is the tracable physical evidence, and the prosecuters and courts are not going to see this as anything other than a direct attack on society equivalent to a serial killer etc so they are going to be looking at handing out multiple life sentances with no hope of remission to enssure the point got across to others.
But there is a catch, if you have the brains to do it and a little skill with a soldering iron and a bit of experiance building amateur radio equipment you could probably make a jammer for a lot lot less than 650USD. Possibly as little as 10-20USD with parts from “other projects” including broken phone parts.
Now there might even be a market for such devices, you can already buy cheap jammers for other cell/mobile technologies which have (supposadly) been used by restaurants, theaters and other entertainment venues where mobile phone use is considered inappropriate by the venue operators for various reasons.
If such devices do become available fairly cheaply and effectivly anonymously and local LEO’s do switch to using 4G then yes you might find petty criminals using them to improve their get away chances.
Of interest in this respect is the UK’s Met Police in London after 7/7 there was a whole load of political time wasted over the fact that first responders could not talk to each other especialy underground etc.
Well part of the fallout from this is TETRA which is a trunked PMR system. Unfortunatly it’s not workiing out at all well for various reasons and you will see very many Met Police officers with two or even three mobile phones they use in prefrence to the TETRA system for a whole host of reasons.
Now thiss “add hoc” network via mobile phones has a significant problem which it appears nobody in authority has picked up on yet. Which is what happens when we have another 7/7 and the mobile networks stop operating (as happened on 7/7). Many officers have got so used to not using TETRA that come such an event as 7/7 then they won’t be able to use TETRA effectivly or at all.
Oh and as it happens TETRA and other trunked PMR systems are possibly even easier to jam for similar reasons to those given in the 4G article…
The real issue is actually “penny pinching” in the name of “efficiency” by those who hold the purse strings of LEO’s and other emergancy services. They are not realy interested in robust communications for emergancy services if they can do things on the cheap. In the UK we have seen this mentality with the Ministry of Defence not supplying UK troops in Afghanistan and Iraq with appropriate and necessary equipment with the result that people on the ground have died needlessly on repeated occasions. But that’s OK as long as the procurement people at the MOD get their bonuses and cushy jobs as lobbyists and directors of defence contractors.
I would fully expect exactly the same issues to occurre with the idea of using mobile phones for first responder critical communications. After all if it goes wrong what will happen? the politicos will hold an enquiry to exonerate themselves and others and make statments like “this should never happen again” and then through lots of money at some other boondongle solution (just as we do with body scanners).
As was once observed about NASA astronauts, they were very brave people put into space by the lowest bidders…
Steven Hoober • November 16, 2012 10:08 PM
Without getting more details, I am not sure this is new. There are all sorts of dangerous sounding things that are just the way cellular mobile radio works. Of course the signalling channels takes up less than 1% of the bandwith; it’s probably taking 100x less than that, as there’s not much to it, and LTE has a lot of data.
Digital cellular mobile radio, whatever type it is, is all very, very, very low power. Locally, almost any jammer should work. And, they are also very narrow band devices, so anything that jams can easily block the whole range of channels.
I don’t get the “whole city” comments, though, as cellular radio is, well, celluar. Lots of transmitters. A single jammer is in one place so pretty basic physics shows how the power drops off real fast.
I have seen cleverer exploits involving power control. To make sure everyone can talk and your battery lasts all day, the signalling channel info (sometimes with a “pilot signal”) also is used to determine the power level the phone and BTS (baste tower station) need to be using. Lower is better of course.
So, there are ways to trick the device into using too low power, and dropping, or too high power and both burning through the battery and blocking out everyone else. I haven’t seen these in the wild but THAT’s the exploit I am waiting on. A sort of DDOS attack using some fairly simple trickery to make many of the mobiles in an area gets confused on power management, all others are blocked from the network due to this, etc. Might even be possible without something like infecting the devices with software to try to control the radio directly.
moz • November 17, 2012 2:33 PM
1) a single base station is irrelevant and they are lying to blow it out of proportion; Coverage of “many miles” will only happen in unpopulated countryside. (Steven: I guess this is where the “whole city” misunderstanding comes from)
2) attacks on signalling channels are old hat, have taken place and have even been publicised in the media.
There are two things in the article which seem to me to give away what it’s all about
no immediate reaction from the NTIA, which had sought comments from experts on the feasibility of using LTE for emergency responder communications
but those standards—unlike military ones—are openly published
I’d guess someone is afraid of losing a valuable DHS contract.
This becomes especially interesting when you find out that one of the authors was published in “Military Embedded Systems” (http://mil-embedded.com/article-id/?2065) which suggests he was strongly involved in JTRS, the US military’s failed future communication system http://en.wikipedia.org/wiki/Joint_Tactical_Radio_System and so some of his “private consultancy” is presumably for those companies.
Figureitout • November 19, 2012 12:59 AM
It may be easy but when’s the last time your cell service was jammed?
but those standards—unlike military ones—are openly published.
–hmmm wonder why?!
Imagine blocking all traffic lights…Cars hit each other and nobody gets through.
–Uh no, we don’t all spontaneously become imbeciles. It’s a traffic JAM, an inconvenience not pure chaos. (don’t worry though, traffic lights are being networked and assigned IP’s) I think a better analogy is trying to talk to someone face-to-face, and some a$$clown standing right next screams whenever either of you open your mouths. The reasonable person would punch said “jammer” in the face.
TRX • November 22, 2012 6:28 AM
It may be easy but when’s the last time
your cell service was jammed?
With the last three local providers, the QOS has been so poor it’s hard to tell.
Dropped calls are normal, and occasional one-way calls, and a few times, being switched (listen only) to an entirely different call.
Frankly, the old analog “brick” phone worked much better… call quality doesn’t seem to be an issue any more, since few people seem to actually talk on a cellular phone.
moo • November 16, 2012 4:24 PM
“CDMA is spread-spectrum, which apparently makes it pretty difficult to jam (I thought that was actually the whole point of it). Too bad the LTE designers didn’t opt for that.”
To get the same through-put, the spreading-rate would have to be JUST that much faster, on the order of say 100x. So, figure a 5 MHz BW channel for a LTE/WiMAX style TDMA signal then translates to 500 MHz for the CDMA (Code Division) spread spectrum signal …
Clive Robinson • November 16, 2012 9:13 PM
Well part of the fallout from this is TETRA which is a trunked PMR system. Unfortunatly it’s not workiing out at all well for various reasons and you will see very many Met Police officers with two or even three mobile phones they use in prefrence to the TETRA system for a whole host of reasons.”
This might be due to the low-efficiency of the Tetra ‘subscriber’ equipment used (it could also come from an insufficiently-engineered Tetra system from a trunking or traffic-handling perspective); rather than a well-sized brick capable of a full 5 Watts of RF from a fairly efficient radiating form-factor (BIGGER is BETTER) such as a Motorola MTS2000 2-way radio Tetra can make use of little ‘flip phone’ sized plastic jobbies that result in signal levels 10 dB down from a REAL PMR e.g. EF Johnson (5100 series) or Motorola produces for First Responder use on this side of the Atlantic …
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Leave a comment