Post on 15-Jan-2016

Page 1: Attack and Defence in Radio and Communication Warfare Akib Sayyed akibsayyed@gmail.com

Attack and Defence in Radio and Communication Warfare

Akib Sayyed

akibsayyed@gmail.com

(Electronic) Communication

• Used by most of the world's population

• Used by law enforcement and defence in every mission

• Plays the most important role in time of war

• We are blind without communication

What are we looking at

• Radio Communication

– Communication Jamming

– Anti Jamming Communication

– Locating Signal Source

– Smart Radio Grid

• Core Network

– What's there in the core network?

– Disrupting Core Network

• Threat of Imported Telco Equipment

Radio Communication

• It is communication using electromagnetic waves through the atmosphere or free space.

• Information is sent over radio waves by changing a property of these waves, such as pulse, phase, amplitude or frequency

• Consists of a transmitter and receiver (TRX)

Types of Radio Frequency (Short Version)

• Very high frequency

– VHF

– 30–300 MHz

– 10 m – 1 m

• Ultra high frequency

– UHF

– 300–3000 MHz

– 1 m – 100 mm

• Super high frequency

– SHF

– 3–30 GHz

– 100 mm – 10 mm

Usages

• VHF

– FM, Television, Amateur radio, Aircraft Communication

• UHF

– Television, Microwave, Mobile Communication, GPS, Bluetooth

• SHF

– Radio astronomy, microwave devices/communications, wireless LAN, most modern radars

How data is sent via Radio Waves

Different Ways to Send/Receive Radio Waves

• Commercial Radios

– Cellphones

– Walkie-Talkie

• SDR

– bladeRF

– HackRF

– USRP Series

• Signal Generators

• Spectrum Analyzer

How to Block/Protect Signals

• It is not possible to stop someone from sending or receiving signals

• Best way is to jam, scramble, encrypt or hop

Jamming

Overlapping the signal with one of more power so that the signal becomes garbage

Scrambling

Transposing or inverting the signal, making it unintelligible to a receiver without a descrambler

Performed in Analog Domain

Encryption

Digital Domain

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged

uliAAg/XBrwuyJLBt9DkGqY4ZVEqXQ1uud+lczuh3C4RyJR1aOL4/WBpQszWidjdqbZEN/lKVnSgtFpuNWGkD5u0t38R6XWO5xeUHMeeULvY9Ua51xQTx0f+uBZxJ7uN6VMyv0+gMs3SnmR+6vSvShYO6sjoZRV917ASKYJMh6LVFubxYCTjG4aWpfwG00PYYRZePAKBpJrfrKo8ivc7VJpcHVRTLrCO8RwR47FsYxXr6m/3PSOQHCSSieb7iVA+t9ZPkaFMpLBYipDJrLKpvDbdxAXgNybf4FFgmcnMMDuvUhfafsKhD4UPFlFQ2SiZNgPXJBLjLfDon2n7yjyMfpxqMCXnpVFhajzVNunha7OESzzfv6GM0ucWe0u6DV7bLk/lNn9b+34FZk1m

VS

Hopping

Protecting Signals

• Should have the following qualities

– Low Probability of Detection

– Low Probability of Intercept

– Low Probability of Exploitation

Low Probability of Detection

• Goal is to hide the signal so that an unintended receiver has difficulty determining that a signal is even present

Low Probability of Intercept

• If the signal is not of LPD type then an unintended receiver can receive it

• So to reduce the probability of intercept one can use frequency hopping

• Due to frequency hopping, one cannot easily receive a signal that hops across different frequencies unless one knows the hopping pattern

Low Probability of Exploitation

• In case the signal is not LPD/LPI, or an attacker finds a way to receive the signal properly, getting meaningful information from that signal should still be difficult

• Encryption is an example of LPE

Electronic Warfare

• Activities undertaken to intercept or deny communication

• 3 main components

– Electronic attack (EA)

– Electronic support (ES)

– Electronic protect (EP)

Electronic Attack (EA)

• Using active signals to deny a communication system from actively exchanging information

• It could be

– Jamming

  • Transmit noise on those frequencies

– Deception

  • Send wrong information to mislead

– Directed energy

  • Similar to jamming but the goal is to permanently harm or destroy equipment

Electronic Support (ES)

• Supporting function for EA

• It is more like spectrum sensing: finding signals with specific characteristics

• Because if jamming is performed on an unused frequency, time and energy are wasted

Electronic Protect (EP)

• Protecting friendly communication from EA and ES attacks

• In case both are using the same frequency, one should transmit signals towards the target and away from friendly units

Anti-Jam Communication

• Communication with the ability to withstand jamming of the communication system

• Types of anti-jamming signals

– Direct-Sequence Spread Spectrum

– Frequency-Hopping Spread Spectrum

– Time-Hopping Spread Spectrum

Direct-Sequence Spread Spectrum

• Technique involves spreading the signal across a wider bandwidth; the entire bandwidth is occupied at every instant

• Due to the wider band, the energy present at any particular frequency is low

• This lowers the probability of detection, as an unintended receiver mistakes it for noise
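The spreading and despreading described on this slide, as an added sketch that is not part of the talk or its demo. It assumes a seeded PRNG as a stand-in for a real PN generator, 256 chips per bit and a single-tone interferer; all function names are hypothetical.

```python
import math
import random

N = 256  # chips per bit (assumed spreading factor)

def pn_code(seed, length):
    """Constructed +/-1 chip stream; a seeded PRNG stands in for a real PN generator."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(length)]

def spread(bits, code, n):
    """Map each bit to +/-1 and multiply it by its own n-chip slice of the code."""
    return [(1 if b else -1) * code[i * n + j]
            for i, b in enumerate(bits) for j in range(n)]

def add_tone(samples, amplitude, period):
    """Add a narrowband interferer (one sinusoid) to the channel samples."""
    return [x + amplitude * math.sin(2 * math.pi * k / period)
            for k, x in enumerate(samples)]

def despread(samples, code, n):
    """Correlate each n-sample block with the matching code slice; keep the sign."""
    bits = []
    for i in range(0, len(samples), n):
        corr = sum(x * c for x, c in zip(samples[i:i + n], code[i:i + n]))
        bits.append(1 if corr > 0 else 0)
    return bits

def bit_errors(sent, received):
    return sum(a != b for a, b in zip(sent, received))

def run_demo():
    rng = random.Random(2016)
    bits = [rng.randint(0, 1) for _ in range(32)]   # constructed payload
    code = pn_code(1, len(bits) * N)                # shared by both ends
    wrong = pn_code(2, len(bits) * N)               # receiver without the code
    flat = [1] * len(bits)                          # one chip per bit: no spreading
    tone = dict(amplitude=3.0, period=7.3)          # 3x the per-chip amplitude
    rx = add_tone(spread(bits, code, N), **tone)
    rx_flat = add_tone(spread(bits, flat, 1), **tone)
    return {
        "intended_receiver": bit_errors(bits, despread(rx, code, N)),
        "wrong_code": bit_errors(bits, despread(rx, wrong, N)),
        "no_spreading": bit_errors(bits, despread(rx_flat, flat, 1)),
    }

if __name__ == "__main__":
    print(run_demo())
```

The correlation sum is where the anti-jam margin comes from: the wanted signal adds coherently over 256 chips while the tone and a mismatched code add like noise.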

Frequency Hopping Spread Spectrum

• Based on concept of hopping

• Occupies single channel at given instant

• Bandwidth is about ±10 kHz to ±200 kHz

• Signal hops in predefined hopping sequence called hop set

• 2 types

– SFHSS (Slow Frequency Hopping SS)

– FFHSS (Fast Frequency Hopping SS)
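An added sketch (not from the slides) of a hop sequence that only holders of a shared key can follow, illustrating why a receiver must know the hopping pattern. Deriving the channel from HMAC-SHA256 over a slot counter, the 79-channel hop set and all names are assumptions made for this example.

```python
import hashlib
import hmac

CHANNELS = 79  # assumed hop-set size for this sketch

def hop_channel(key, slot, channels=CHANNELS):
    """Channel index for one dwell slot, derived from the shared key and slot number."""
    mac = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    # Modulo reduction has a slight bias; acceptable for an illustration.
    return int.from_bytes(mac[:4], "big") % channels

def hop_schedule(key, slots, channels=CHANNELS):
    return [hop_channel(key, s, channels) for s in range(slots)]

def overlap(tx, listener):
    """Fraction of dwell slots in which the listener is tuned to the transmit channel."""
    return sum(a == b for a, b in zip(tx, listener)) / len(tx)

def run_demo(slots=4000):
    key = b"constructed-shared-key"            # constructed sample key
    tx = hop_schedule(key, slots)
    keyed_rx = hop_schedule(key, slots)        # receiver holding the same key
    other = hop_schedule(b"constructed-other-key", slots)
    parked = [tx[0]] * slots                   # listener sitting on one channel
    return {
        "keyed_receiver": overlap(tx, keyed_rx),
        "wrong_key": overlap(tx, other),
        "fixed_channel": overlap(tx, parked),
        "channels_used": len(set(tx)),
    }

if __name__ == "__main__":
    print(run_demo())
```

A listener without the key lands on the right channel in roughly 1 of every 79 slots, which is the intercept reduction the hop set buys.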

Time Hopping Spread Spectrum

• TH changes the time of transmission randomly, so the receiver gets noise most of the time

• Best example is PTT used by military and law enforcement

SDR Connections for DEMO

Demo of Anti Jam Signals

Jamming Anti-Jam Signals

• Partial Dwell Jamming of FHSS Systems

• Noise Jamming

• Tone Jamming

• Pulse Jamming

• Follower Jamming

• Smart Jamming

Partial Dwell Jamming of FHSS

• A portion of the signal is jammed

• There is only a finite amount of time to insert the jamming signal once the detected energy is found to belong to the signal to be jammed

• One cannot jam the whole spectrum, but partial jamming is possible

Noise Jamming

• Carrier signal is modulated with a noise waveform

• Main aim is to insert noise at the receiver end

• Types

– Broadband Noise Jamming (Entire Spectrum)

– Partial Band Noise Jamming (Partial Spectrum)

Tone Jamming

• A continuous tone is generated on the spectrum in a narrow band

• Could be single or multiple

• In case of multiple tones, power is distributed among all tones

• Types

– Single Tone

– Multiple Tones

Pulse Jamming

• Similar to partial band noise jamming

• It is partial band noise jamming with no continuous transmission

• Has lower average power than some of the other jamming techniques

Follower Jamming

• Follow the hopping path and predict the hopping sequence

• Once predicted, jam the next possible hopping channel

• Jamming could be in tones or modulated tones

• AKA responsive jamming, repeater jamming, repeat-back jamming

Smart Jamming

• Block the food supply

• Means blocking only the part which is important for sync

• As most sync channels are not spread or hopping (e.g. GSM FCCH or C0)

• One can simply jam the main sync source

SDR Connections for DEMO

Demo of Jamming Signals

Smart Radio Grid

• For whom?

• Why do we need this?

• Applications

• SDR arch

For Whom?

• Metro Cities

• Airports

• Borders

Why Do We Need This?

• Signal generators are easy to get and use

• Imagine case:

– Airport security radios are jammed

– Terrorist using satellite phone to communicate in Metro Cities

– Law enforcement radios are picking up misleading signals

• Tracking such a case is nearly impossible in real time (at least in India)

Applications

• Detect Jamming Signals

• Find Illegal Transmitters

– Fake cell towers

– Illegal broadcast stations

• Locate signalling source

• Smart Jamming

• Intercept Communication

SDR Arch

Core Network

• Traditional telecom protocols

• Less scrutinized for security flaws, in both protocol and implementation

• Uses custom distros built by collecting bits and pieces

Awareness in Telco Security

• Telcos have lately been testing their networks for security flaws

• Awareness is growing among telco people, as the once gentlemen-only network is now open to all

• But vendor co-operation is lacking due to contracts and money

Threat of Imported Equipment

• Recently researchers found

– Hidden commands in equipment

– Some default passwords

– Embedded Trojan horse which sends data back to the device manufacturer

Steps Taken by Indian Government

• Set up a Telecom Equipment Testing Lab

• Which will

– Test equipment for protocol implementation flaws and for security flaws

– Certify equipment

• Pilot lab was set up in Bangalore under Prof. N. Balakrishnan

Questions?