May 1st, 2015 – A Primer On Wi-Fi Jamming
Jamming has a negative connotation when used in a wireless context. The FCC has banned jamming, it’s used by repressive regimes, it can shut down facilities and can be used to intercept private communications. Among the wireless networks, Wi-Fi has become so ubiquitous and relied upon that just associating the words Wi-Fi and jamming is unacceptable.
But jamming can also be desirable and even ethical, although a different terminology is used in such instances (spectrum management?). Let’s defer the discussion on whether Wi-Fi jamming is legitimate (yes, it is), and focus on the technical aspects. Here is a sampler of common jamming techniques, and counter-measures.
The poor man’s jammer
In its simplest form, a Wi-Fi signal jammer basically transmits a high power signalin the same band as the Wi-Fi device being targeted. The basic models simply transmit White noise across the spectrum and blind the receiving stations operating in this frequency range. As the Wi-Fi bands are fairly large, a signal jammer often features a set of three to five external antennas of different sizes. Some more elaborate devices do noise shaping to restrict the interference to angle channel, or generate bursts instead of continuous noise.
The main problem with the signal jammers is that they are very accessible, affordable and annoying. They can be obtained for under $30. There are DIY video tutorials on how to build your own! Additionally, there is very little you can do to counter a signal jammer. But there is good news: the source of the signal is fairly easy to locate, e.g. by triangulation. The legitimate Wi-Fi stations can even help in locating the jamming device if they can provide RSSI data.
Management Frames forgery
Forging management frames has long been a popular way to disrupt the operation of an individual station or of an entire Wi-Fi network. Also known as DISASSOC/DEAUTH flooding – named after specific type of management frames which can effectively be forged – the basic principle is to let the victim believe that it has been excluded from the network. To do so, the attacker forges a Disassociation or Deauthentication frame where the source address is the Access point’s and the destination is the victim’s. Disassociation frames are preferred in open networks (unencrypted) while the Deauthentication frames are used in protected networks.
Of course, these frame types do have a legitimate usage: in normal operation, stations use them in order to let the Access Point know that they are about to leave the network, while Access Points use them to disconnect a station for whatever reason. The original intent is to attempt a graceful exit and to free internal resources. Many scenarios have been devised to improve the effectiveness and the stealthiness of the attack, but they all rely on this same basic principle.
Before the 2009 version of the 802.11 standard, management frames were not encrypted, making this kind of attack very simple and effective even on protected networks. The popular hacking suite AirCrack even had a special utility generating this kind of attack with just a command line on a laptop or a hacked smartphone. Then the 802.11w came into play. This amendment brought significant security improvements, especially by encrypting management frames, and providing mechanisms to ensure data integrity and authenticity.
The 802.11w does help, but there’s a catch: even several years after the ratification of the 802.11w amendment, many commercial Wi-Fi devices don’t implement it, or have it turned off by default to preserve interoperability with older stations and/or it(s poorly implemented. This leaves a significant part of the installed base unprotected against management frames forgery.
Needless to say, the 802.11w does nothing to protect open (unencrypted) Access Points. This wouldn’t be a serious concern if open APs were only owned by unwary individuals. But open APs are also an essential part of public Wi-Fi hotspots, free or fee-based, which rely on an open connection portal. The portal is an easy target that, if compromised, can completely block the access to the service.
A better but more difficult way to jam a Wi-Fi network is to prevent one or all the stations on a network from transmitting. Not only is the service halted, but the spectrum becomes quiet and can be re-used for other purposes.
Channel muting is usually done by tricking the victim(s) into believing that a station is about to seize the channel for a specified amount of time and that they should refrain from transmitting. This can be done by crafting special frames with a bogus LENGTH/ID field, or with some hardware assistance at the radio level.
A possible counter-measure for a muted station consists of internally deciding how legitimate every incoming frame is. If a frame is suspicious for whatever reason, the station ignores it and moves on. The decision process can be a difficult one and exposes the risk of mistakenly blocking legitimate frames. Known commercial implementations are limited to a few obvious cases.
Wi-Fi devices – terminal stations and Access Points – come in a variety of chipset, device driver, operating system and application combinations. While it is relatively simple for a skilled professional to identify the one specific jamming tactic which will block one device or network, designing a generic jammer that can jam any configuration is another story (dumb signal jamming apart). Here’s where the Smart Jammers come into play.
A Smart Jammer is a jamming device which implements multiple jamming techniques and combines them into strategic scenarios to maximize both its jamming capacity and stealthiness. It often contains a monitoring interface which silently listens to the traffic, coupled to a stochastic engine which injects an adaptive jamming traffic.
Once configured for a mission, a Smart Jammer will first listen passively to the traffic, then elaborate a jamming scenario, and try it out. It will then continuously adapt the jamming scenario in order to optimize its mission’s results. Here are examples of typical missions for a Smart Jammer:
- entirely block all Wi-Fi channels ;
- entirely block a single channel, or a limited set of
- entirely block the network with a specified SSID ;
- block a host with a specified MAC address ;
- block a host with a specified IP address ;
- and many combinations, depending on external
conditions (like pressing a push-button, acquiring
a remote sensor, etc.)
The adaptive nature of a Smart Jammer makes it difficult to detect: monitoring the spectrum would show normal Wi-Fi traffic, only a deep analysis of every field within every frame can reveal an attempt to jam. For the same reason – adaptivity – Smart Jammers are difficult to neutralize without physically locating and disabling the hardware.