A device called Cyborg Unplugged can be configured to prevent any Wi-Fi connection:
Oliver notes on the product’s website that its so-called “All Out Mode”—which prevents surveillance devices from connecting to any Wi-Fi network in the area—is likely illegal, and he advises against its use. Nevertheless, we can imagine activists slipping these little devices into public areas and wreaking a bit of havoc.
Nova • September 9, 2014 2:59 PM
So they send forged disconnect packets, and as this first poster noted, it likely can be wild carded on “All Out Mode”…
Wouldn’t be hard to replicate this on whatever router, including wifi pineapples.
It would be nice to see a decent, inexpensive router (wifi and wired) security system (software & hardware)… if vendors made more phones with promiscuous capability or hackable to, that would be very viable. So to catch forged packets doing something like this… or many of the other attacks possible, including the reliance of forging packets for many core wifi and wired router attacks.
Such a system could also well supplant general smartphone/handset security.
…
I do think there are uses for this piece of hardware, but also one could be subject to fines under FAA existing rules as it effectively does block said signals. There are the remaining problems with this sort of problem. Including damage possible from systems that rely on secure wifi. Though won’t work, of course, on cell networks (just wherein the phone is using wifi instead of the cellular network).
Gra • September 9, 2014 3:00 PM
Well, this device only put in evidence the insecurity that 802.11 management frames have. Since all of them are unencrypted, this device works. But, I don’t really think it can prevent every unwanted device from joining any wifi near it. Unless it has a forbidden transmit power and effectively can out range the other devices. Even then I believe it won’t be able to block devices that are on fringe cases. Nevertheless, the idea is interesting. And this can be done using any wireless device in monitor mode. If you can inject frames, you can disconnect any device from any network in the vicinity by just issuing a deauth frame. Of course this must be repeated in a loop to effectively prevent the devices from reconnecting.
Nick P • September 9, 2014 3:32 PM
Then the attacker Googles “bypass MAC address filtering” and lives happily ever after.
Clive Robinson • September 9, 2014 4:45 PM
I see they have plans to break Bluetooth pairing to stop other types of data export. I wonder how long it will be before people realise it’s almost as easy to kill GSM and other mobile phone systems and produce devices to do it.
The article is not quite correct when it says the device it is not a jammer (the definition of which is broad and boils down to “denying viable communications to an opponent”).
The old view of a jammer is a device that continuously transmits a signal and compeates on ERP, and it is not the prefered way to do it these days. Especialy as various wide band transmission systems are designed to work with strong interferance, and some even auto configure around it thus “Old School” CW type jamming is often ineffective even with a significant ERP advantage (for instance the coding gain on a Direct Sequence Spread Spectrum system could be 60dB or more, which would require a CW jammer with about a million times the power at the receiver for the same range, which is mostly impractical even with high gain antennas).
Thus most modern jammers work by attacking the baseband in some way. This can be either at a low level attack on the modulation type such as transmitting high energy very narrow pulses at the data clock frequency, or twisting the data phase or amplitude in MPSK or or MAM systems, or some combination of low level methods. There is also high level jamming that works by injecting valid data into a device which is what this device does. Communications systems that use “ping-pong” as opposed to continuous carrier data communications are exceptionaly vulnerable to this as the jamming transmitter only needs an ERP sufficient to get above the receiver data noise floor threshold which would need just a tiny fraction (ie considerably less than a millionth of the ERP of a CW jammer at the same range).
Even encrypted communications are susceptible to baseband jamming it only needs just a few bits to be flipped to render the communicarions invalid, especially if the wrong type of encryption or encryption mode is used.
Evan • September 9, 2014 4:47 PM
I am always amazed at how little security exists in the 802.11 protocol.
DER • September 9, 2014 4:52 PM
@nova are you working in aviation? I think you meant the FCC 😉
Erik Carlseen • September 9, 2014 5:57 PM
Perfect for disabling 802.11-based security cameras, for people insane enough to rely on those.
Gra • September 9, 2014 6:15 PM
@Nick P These devices need rooting for being able to change MAC addresses. Not only it voids the warranty (in most cases), but depending on the device it’s hard to root. Your everyday perv isn’t technical enough to do this. But if they change the MAC they indeed can bypass the jammer. That’s where some kind of firewalling in your wifi network can come in handy. I believe that these hardwares have specific network fingerprints that can be matched and blocked. At least on your own network.
Nick P • September 9, 2014 6:48 PM
@ Gra
I’ll play the cat and mouse game. So, another company knows what you say is true for certain products or people. They create a new product called Cyber Replugged that acts as a wired or wireless (non-802) access point for your mobile device. It then does all the technical work for you to access the real network and counter jamming. If both products become popular, vendors of products like Google Glass might support easier ways for their products to connect to antijamming devices.
Note: device makers might also handle the problem themselves by changing how their devices react to such commands in public spaces. Might include an “ignore termination attempts” option with functionality to see if main access point really disconnected or it was forged.
Andrew Hilborne • September 9, 2014 6:55 PM
Disconnecting clients of third-party APs isn’t hard and is used widely in commercial wifi systems to force disconnect “rogue APs,” where rogue is usually defined as unauthorised APs which have been connected to the corporate LAN (clearly a security risk.) However the same systems can also be configured to send disconnect frames for any chosen SSID; the “legitimate use case” for this behaviour is generally deemed to be disconnecting clients which have connected to an AP which is masquerading using the same SSID as a legitimate corporate network.
Finally, the same systems (e.g. Meru) can be configured to prevent wireless tethering with mobile devices in the vicinity.
Anura • September 9, 2014 9:00 PM
@Nick P
Or you can just use Bluetooth teathering, which Google Glass and smartphones already support.
Nick P • September 9, 2014 9:56 PM
@ Anura
Nice. The counter product is already half built. 🙂
Unrelated sidenote: What’s the significance of your alias? I know of a few well-known people with that name from Sri Lanka. I rarely see it on the sites I frequent. Literally just you haha.
Gra • September 10, 2014 12:08 AM
@Nick P Come on? Really? Anti Jamming device? Google would manufacture one of these? If the devices would ignore deauth frames, them they wouldn’t get certified. Simple as that. The problem here is that 802.11 management frames are unencrypted. So you can change your MAC address. But this device will work for 99% of the population.
Clive Robinson • September 10, 2014 1:02 AM
@ Anura, Nick P,
What many forget is Software Defined Radio (SDR) is a two way street, it works not just for receiving but transmiting as well (something that has realy scared the European Regulatory bodies, and by the looks of it the FCC and a few others as well).
When you also consider all comercial devices currently have a “functional signiture” that can be enumerated at various levels it opens up interesting possibilities.
Take the much hated or much loved Google Glass (GG) it’s success as a product will depend not just on it’s “Cool Features” but rather more on the reliability of those features and the reliability of the device it’s self.
Thus the easiest way for the GG haters to kill it is to make it unreliable. Thus the looking for GG over Bluetooth that just so happens to work in the same ISM band that older WiFi does, is practical for the SoCs that could be used in a device like this jammer.
What do Google and the GG lovers do well GG2 might use a different WiFi band or GSM or other Mobile technology depending on the SoC they decide to use. Thus a new jamming device would have to be brought out for the GG haters.
Thus a slow cat&mouse game between GG lovers and GG haters starts up (likewise for any other device that people dislike that works in the ISM band using WiFi or Bluetooth).
But what if the jammer instead of using an efficient SoC –that GG has to use for battery saving– decide to go for a wide band SDR solution instead?…
Well one consiquence would be that the jammer would not need to be hardware upgraded in it’s half of the cat&mouse game, just a new software module for both detection and jamming of any new hardware release of GG… Thus the advantage in the game moves over to the GG haters.
But once the jammer has gone down the SDR route, almost anybody could write detection and jamming modules for any device and others could also load it with just a download. Thus mobile phones could be jammed in theatres, restaurants and other social venues, police and or other first responder “digital” radios could be jammed by various types of criminal, and those wirless Internet of Things (IoT) and implanted medical devices would all be fair game as well.
So far so peachy, a fun little game for journalists to write about.
But such an SDR device would also make a usefull protocol converting AP thus if would be able to replace your smart phone at home enabaling you to use the likes of your bluetooth headset with whatever service you wanted to use. Again all very peachy.
But with a more sinister use in mind such a SDR device could also act as a universal evesdropping device that could passivly or activly use any radio enabled device within range as a sensor.
Obviously such a SDR device would replace quite a large chunk of the TAO catalogue devices…
Are we as a society ready for such wholesale intrusion in our lives…
Anura • September 10, 2014 1:10 AM
A long time ago I was learning cryptography, and started playing with a cipher design for fun (which wasn’t that great), and I called it Bullfrog (Because of Jeremiah, you could never understand a single word he said). A while later when coming up with network names for my machines I wanted a theme, and I settled on amphibian related stuff (even though I have no particular interest in amphibians). Anura (which basically translates from Latin into “without tail”) is the order that frogs and toads belong to, also the name of my desktop. I’ve also been using it for pet projects I’ve been working on even though I have only uploaded one. My newest laptop is acris, my old laptop is bufo, my router is rana, the DNS name I gave to my Xbox is frogger, and my domain is swamp 🙂
Peter T • September 10, 2014 1:21 AM
“Oliver notes on the product’s website that its so-called “All Out Mode” — which prevents surveillance devices from connecting to any Wi-Fi network in the area — is likely illegal, and he advises against its use”
Why would it be illegal? For attack purposes it surely is, but what if I just want to protect my home or business by prohibiting the use of wifi on the premises?
Clive Robinson • September 10, 2014 5:09 AM
@ Peter T,
As to “why would it be illegal?”, it rather depends on where you are in the world.
After WWII there was a lot of surplus military radio equipment, and due to the fact that prior to WWII few people outside of mariners and experimenters had any use for radio due to it’s unreliable nature, there where few laws regulating radio usage, mainly based on the notion of “non interferance” within a national boarder. One aspect of this was the idea that you could do whatever you wished as long as it was constrained within the bounds of your property.
The result was a mess and still is in quite a few parts of the world.
This mess was seen as undesirable primarily in industrialized nations and individual nations chose to licence / alow broadcasters to work in effect against each other, so under the auspices of the United Nations the ITU drew up band plans and other standards to give a degree of harmony in the various ITU Regions.
The 1960s however brought changes, in Britain Harold Wilson blaimed part of his lack of political success on the Off Shore “Pirates” (he later blaimed MI5 and other “security services). When he did get power he brought in amongst other legislation the “Marine Offenses Act” which was a draconian piece of legislation that in effect alowed the UK Gov against international law to board, impound and sell / destroy any ship in home or international waters engaged in Pirate radio or the support of pirate radio and prosecute anyone involved with supplying goods, services, or revenue to Pirates. And as was usuall with such Acts it brought changes to other existing Acts and Statutes, one of which was the Wireless Telegraphy Act. These changes became the basis for many other nations later legislation.
However the “golden thread” running through most legislation was “Non interferance” followed by “Harmonisation / Standardization”, but the notion of “do as you please within your own property” was not enshrined in law.
The licencing in the UK and other nations has distinct oddities, for instance the differences in maritime communication for on shore and vessel based stations, it causes problems for vessels in port especially inland ports like the Port of London. Likewise for aircraft and civil airports and landing strips. There are also oddities with the use of space based communications systems, although this is rather more harmonized across nations due in the main to international treaties including those for nuclear non proliferation.
The 1980s saw the start of a change in licensing brought about by commercial intrest specificaly mobile phones. Prior to this there were (and still are) unlicensed but regulated parts of the spectrum called the Industrial Scientific and Medical (ISM) allocations. This allowed the unrestricted use of low power devices such as garage door openers, but not “voice communications” one portend of what was to come was TV remote controls that interfered a lot with similarly equiped neighbours…
The idea of mobile phones and the revenue they created opened greedy eyes in various national Treasuries, there was big income to be made from commercial licensing. And the “if you don’t use it you lose it” mentality followed and large chunks of both the Broadcast and Military spectrums were reasigned, later bands that were in use but “poorly defended” such as ths Ham / Amateur bands got carved up to give more spectrum for commercial interests.
The problem has arisen of both interferance and geographical usage with the commercial intrests and the result is a mess.
It would appear that as a property owner you have no rights to the use of the spectrum above your property and you do not have the authority to prevent others using it irrespective of if that use is legal or not, because the principle of “non interferance” is considered primary. Further most if not all commercial items you can purchase –that are not “professional” radio equipment– are in effect legal as long as they are type approved. The use of such equipment for spying / eavesdropping is not actually a crime in many jurisdictions but a tort / civil offence of trespass… However the processes you might consider to gather evidence of the trespass may well be crimes…
Andrew_K • September 10, 2014 7:01 AM
For this very purpose I have an old wireless video transmission system. It was sold around 2003 for about 50 Euros. It makes heavy use of 2.4GHz spectrum, effectivly jamming about 5 WiFi channels at once. The manufacturer embedded a switch allowing the use of 4 “Channels”, together covering the whole frequency range used for WiFi in the 2,4GHz band. I don’t know the details of Bluetooth protocol, but it will probably get into trouble, too.
Bonus: No incriminating hardware…
Nick P • September 10, 2014 9:41 AM
@ Gra
“Come on? Really? Anti Jamming device? Google would manufacture one of these? If the devices would ignore deauth frames, them they wouldn’t get certified. Simple as that. ”
That problem is easy to deal with. Anyway, that you ignored my main approach (proxy products) and focused on the less likely suggestion I’ll take as support that the other is quite possible. I agree, though, that this will work for most users at least until it’s popular (demanding counter attacks) or challenged in court.
Nick P • September 10, 2014 10:15 AM
FCC on Jammers
http://www.fcc.gov/document/consumer-alert-using-or-importing-jammers-illegal
They’re extremely clear on that page. The definition of jammer is: “type of device that blocks, jams or interferes with authorized communications.” They say jammers can only be used by certain government personnel. They cannot even be used on private property. You can’t “advertise” or “sell” such a device in the U.S. either. So, the people making it can already be hit with a $100,000+ fine for advertising it with intent to sell. Sounds open and shut to me.
So, if users are ignorant, your device will serve its purpose. If they’re smart, then your kids college savings is going to the court that handles your case. I’d be careful with this thing and not buy it with my name/card.
Anoni • September 10, 2014 12:17 PM
We can also jam WIFI by nuking junkfood in the microwave: http://xkcd.com/654/ Something about the FCC rules saying that WIFI cannot cause interference and must accept any interference from other devices. It’s a major issue in our house now due to chromecast & netflix while cooking dinner.
I can see where this could get used heavily in college, where students are graded on a curve, and taking out the network for a few hours before a deadline could significantly raise your grade. Or with a portable battery pack, where a few innocuous junk items casually littered around could take out your competing business’s WIFI. Or student apartment buildings where the WIFI spectrum is overloaded and someone decides they’ve had enough.
Lotta ways to abuse this that cannot easily be tracked back to the perpetrator.
Anura • September 10, 2014 12:42 PM
@Anoni
I don’t have any problems with my microwave. Perhaps yours is not as well shielded. I’d recommend playing with different channels to find a band that your microwave doesn’t interfere with… Or upgrade all your devices and switch to 5Ghz. Or buy a better microwave.
Nova • September 10, 2014 1:43 PM
@DER
“nova are you working in aviation? I think you meant the FCC ;-)”
Ah hah, yes… ^_^ …
“FCC”. 🙂
Good catch. 🙂
vas pup • September 10, 2014 1:48 PM
@Nick P • September 10, 2014 10:15 AM
Do you know FCC regulation which restricted bug detector for particular band (used by feds bugs only) meaning it is illegal to have such detector in US? Link would be great.
Nick P • September 10, 2014 2:18 PM
@ vas pup
I’m not aware of any such restriction. The main issue I ran into back in the day was that certain detection equipment actively emits signals. If it emits a signal, it’s considered a transmitter or radio station to them. What frequencies and power levels a transmitter can use are regulated, hence it might be illegal entirely or at least without a license. Some frequencies and power levels can be used without a license, though. One example is you can use empty AM/FM frequencies long as your transmission power doesn’t exceed (100mw?). You can Google FCC restrictions with words like “unlicensed” to find those. Surely hobbyist sites will have the information on both unlicensed and licensed cases.
The bug detection providers will also usually tell you if you need a license to operate a particular piece of equipment and might even have (or design) equipment that strictly uses unrestricted spectrum. If in doubt, just ask them. Even better, ask a radio expert as there’s plenty of them.
Clive Robinson • September 10, 2014 3:16 PM
@ Nick P,
. The definition of jammer is: “type of device that blocks, jams or interferes with authorized communications”
The weasel word in that definition is “authorized”…
That is by whom?
Under that definition if this device tells an “initiator” to cease and desist it’s communication attempts, that is not jamming if the “responder” rules indicate the initiator transmission is not “authorized”. However it would be a jammer, if it told an initiator to cease and desist and there was an AP that did not have the rules…
Thus it’s a bit of a “hair splitting definition” and it also lacks the word “intentional” which is awkward because unintentional jamming occurs rather frequently especially in shared service bands. That is if I establish a communications with another party I may well unintentionally and without knowledge interfere with a third party communication that is also authorized. That is if my WiFi AP stomps all over your Bluetooth headset comms with your smart phone, am I jamming you?…
Nick P • September 10, 2014 5:01 PM
@ Clive Robinson
“Authorized” is the only word that can potentially make the device legal. Yet, it’s clear by federal law & even the article what its meaning is: everyone is unauthorized to operate a jammer by default as they’re illegal for private use, then specific exemptions by FCC “authorize” use. Main exemption is LEO and military.
The page specifically lists preventing wifi connections via a signal as an example. So, unless an exemption exists that applies, this device is straightup illegal. Good news is using alternative protocols or WiFi security tech is legal.
Note: I knew one guy that used 802.11j (Japan) for obfuscation. The wardrivers couldn’t figure out why their script kiddie tools kept failing.
Andrew • September 10, 2014 5:43 PM
@Nick P re: FCC and Jamming
Most enterprise wireless lan controllers, at least from Cisco and Aruba, for the past handful of years provide wIPS/wDoS services, as raised by Andrew_K earlier in the blog. A couple months ago an organization I was advising opened a new site in a dense metro area and an adjacent building’s WLAN was de-authing all their clients based on that other business’ wIPS policy. I don’t think it’s quite open/shut. Cisco does give a nice pop-up advising you to look up legality in your jurisdiction when you activate these features
And yes the J channels are nice but also against regulation in US. I can certainly attest that using some DD-WRT firmware and certain Atheros-based wireless NICs made it pretty easy to do regardless 🙂
Nick P • September 10, 2014 7:43 PM
@ Andrew
re WIPS/WIDS
FCC might have an internal policy of look the other way in such situations. This may help products like this avoid liability initiated by the FCC itself. However, if someone takes them to court over the regulation such a protection might not exist. That’s how I’m seeing the legal risk right now.
re 802.11j
Yeah, it’s quite illegal and quite easy to implement. My pal used DD-WRT on the Linksys 54G model. We both used the combo for many nifty wireless exploration. I didn’t mess with the j band, though. My experiments on protocol obfuscation often included attempts to max range. I figured my signals might get noticed by someone. He didn’t have any problems while he used it, though.
vas pup • September 11, 2014 11:18 AM
@Nick P • September 10, 2014 2:18 PM.
Thank you!
I guess that is the answer:”Synthesized transceiver provides frequency stability and agility to automatically search for clean operating frequencies (Frequency range 902-928 MHz for US models and 880 MHz to 1,000 MHz for export models).” Source:
http://www.tscm.com/orion.html That is non linear junction detector (aka high level bug detector). It is considered kind of dual-usage technology. The interesting thing is that export model has wider range than US meaning that if LEA/Intel could utilize bug outside US range allowed, you’ll never find it (at least legally), but if somebody could modify US version for range of export model, then you ok for your own usage (and keep your mouth shut!), but not to help anybody else for bug detection.
Somebody • September 11, 2014 12:13 PM
With regards to Wi-Fi.
Wi-Fi operates in unlicensed bands. Are there any “Authorized” users? As far as I can remember all the FCC cares about in this band is various aspects of the transmitted power. They don’t care about the protocol, just the physical layer.
There are radios that use these bands with completely different protocols. I can see no legal reason why a radio with a just slightly different protocol that happens to interfere with Wi-Fi would be against the FCC regulations.
The FCC warning (http://www.fcc.gov/document/consumer-alert-using-or-importing-jammers-illegal) specifically mentions cell phones and GPS, which use protected spectrum. They do not mention Wi-Fi. Extending this to Wi-Fi jammers (that are within the power limits) looks like FUD, not sure if it’s FCC FUD or somebody else’s FUD.
Nick P • September 11, 2014 3:41 PM
@ Somebody
You’re confusing band use authorization with jammer use authorization. You can receive and send signals on wifi band. You can’t operate a jammer on any band if your a private party unless your circumstances are covered by one of their exceptions. I don’t know what they are, though, past TLA’s doing it.
“The FCC warning (http://www.fcc.gov/document/consumer-alert-using-or-importing-jammers-illegal) specifically mentions cell phones and GPS, which use protected spectrum. They do not mention Wi-Fi. Extending this to Wi-Fi jammers (that are within the power limits) looks like FUD, not sure if it’s FCC FUD or somebody else’s FUD.”
Quite the opposite. The page you link to, in its “How do jammers work?” section, says the following: “prevent your Wi-Fi enabled device from connecting to the Internet.” So, a jammer that blocks a WiFi device from connecting is specifically mentioned as illegal.
Further, the jammer definition itself says “transmitters that are designed to block, jam, or otherwise interfere with authorized radio communications.”
As Clive pointed out, the word authorized is where lawyers would fight it out if it went to court. If the access point is open, I’d say the user is implicitly authorized. If it requires authentication, then they’re not. Yet, it meets every criteria of a jammer.
@ Clive Robinson
I just found the bigger legal issue that side-steps the authorized weasel word. The article says this:
“you can even show those “Glassholes” who’s boss by preventing all surveillance devices near your Cyborg Unplug from connecting to any Wi-Fi network.”
That’s clearly a jammer as it blocks any WiFi device in the area from operating on any network. Thing is, the FCC link I gave shows anti-jamming laws say you can’t “import, advertise, sell, or ship” a jammer. By including that feature and describing it, they will be violating three of the four with their product. So, their product can be shut down under federal law due to that feature. If they remove that feature, then the discussion goes back to “are they jamming authorized or unauthorized radio communication? What’s the FCC’s definition of authorized radio comms?”
If it’s authorized by them, the product might be screwed. If it’s authorized by users, I have an idea for legal protection: serve up a page by default saying use of the access point is only authorized for (specific criteria such as people or content). Might make a nice loophole. I’m considering asking FCC about it.
_Jim • September 16, 2014 4:52 PM
Clive, you would be hard pressed to provide documentation or cites supporting more than half the assertions you make.
Nota Bene to others: Double check any of his assertions before blindly accepting any of it as being anywhere near ‘the trvth’.
_Jim
Clive Robinson • September 17, 2014 12:56 AM
@ jim,
If you are going to make a statment such as,
you would be hard pressed to provide documentation or cites supporting more than half the assertions you make.
Nearly a weak after the thread has seen any activity, you had better be prepared to backup your nebulous claims.
Especialy as your post appears to be a form of link spam to a site with questionable view points (some of which others can see at http://www.freerepublic.com/tag/by:jim/index?tab=comments;brevity=full;options=no-change ).
So I suggest you make a list of what you consider my “assertions” on this page and why you question them or consider them to be not as you put it ‘the trvth’ (which by the way makes you sound like a “conspiracy theorist” which I suspect others will have their own opinions on how it reflects on you). Oh and don’t forget to include your links to reputable scientific documentation that is available freely for others to verify to support any claims, opinions or assertions you make.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Chelloveck • September 9, 2014 2:44 PM
It’s not a jammer per se. It downloads a list of unwanted MAC addresses (presumably wildcarded by OUI) and denies them access to the network. Non-blocked devices still have network access. Furthermore, if I’m reading this correctly, when an unwanted device is connected to a different access point this unit can spoof a message forcing the device to disconnect.
IMHO this device isn’t very useful. It’s fine if you want to block access to your own network, but if that’s the case you’re really going to be better off whitelisting the few approved MACs instead of blacklisting the bad. If you’re disconnecting people from other networks you’re much more of a “glasshole” than anyone wearing Google Glass or streaming video from their phone.