802.11 Wireless Network Radio Frequency Jamming


RF Jamming

Radio frequency interference, or RFI, is something that we’ve all encountered at one point in our lives, whether you’ve heard the buzzing noise in your computer speakers moments before your cell phone began to ring or the static on a distant radio station. Radio frequency jamming is the intentional transmission of interference that makes it impossible to interpret radio signals, effectively creating a denial-of-service scenario at the physical communication layer. All wireless networks, regardless of security features, are prone to this type of attack. Intelligent wireless management tools have enabled us to “seek and destroy” devices that are intentionally or accidentally drowning out wireless connectivity, giving IT a new tool to ensure maximum network availability.

Spoofing the Allies

According to Wikipedia, radio frequency jamming may have been first used in World War II. False instructions would be broadcast to enemy pilots to confuse them (easily one of the earliest electronic spoofing examples I’ve heard of). Shipboard RF jammers were installed to sway radio-guided torpedoes away from a ship’s hull.

Militaries adjusted to radio jamming using two methods. The first tactic abandoned the use of wireless altogether, using spools of wire that would stay connected to projectiles after launch and allow for control through most of their course to the target. While this idea may sound rudimentary, the military still uses it on weapons in the field today. The second tactic, a real engineering response to the jamming threat, was the implementation of spread spectrum technology. Spread spectrum is the use of frequency hopping to keep a jammer from locking on to a single channel and an eavesdropper from listening to an entire conversation. Frequencies are changed, at minimum, several times per second. Each transceiver has an identical frequency sequence, and both switch to the proper frequency at the exact same time. Any single-frequency interference can therefore only “knock out” communication for a fraction of a second. This technology has spread to the commercial world and is found in many popular wireless applications today.

802.11 radios don’t hop frequencies unless a clearer channel (a range of frequencies) is available. Because of this, they’re susceptible to temporary denial of service if an RF jammer is activated on a frequency in use by the access point. As the jammer drowns out one frequency, an access point would promptly move to another channel. It is much more likely, however, that a malicious jammer would blast an area with interference across the entire 802.11a/b/g/n spectrum (the 2.4 GHz and 5.2 GHz unlicensed bands). Any change in frequency by the access point would then be useless, and all connected clients would be promptly disassociated.

(Interesting fact: Many governments and organizations wishing to keep communications private, unjammed and untraceable utilize burst communications, in which an entire message is transmitted on a seemingly random frequency in an extremely short period of time. Jamming systems have an extremely difficult time discovering, recording and/or jamming a signal that lasts just a few seconds on an unknown frequency.)

Jamming for Defense

On a side note, jamming is not just for malicious use. One way of controlling rogue access points in an enterprise is to flood packets to client devices that are connected to a rogue access point. Some current wireless network vendors include a method for creating a denial-of-service situation for unauthorized wireless implementations by sending disassociate packets that carry the same characteristics as those of a valid access point. These packets fool the client into thinking that the rogue access point doesn’t want to communicate with the device anymore, effectively killing network connectivity before it can be established. This is a very powerful feature that must be used carefully, as legal and political repercussions could arise.

Triangulating the Attacker

While the term “triangulation” may conjure thoughts of wild west savagery, it really involves the use of multiple access points to make an educated guess at the location of any device, or of any object emitting wireless interference. The prefix “tri-” describes the necessity of three access points to accurately find the exact source of the transmission. Airwave’s VisualRF with the Mapping and Location Module installed and Cisco’s Wireless Control Server software include the ability to import floor plans or geographical maps, or to interface with Google Maps, to make more efficient use of the statistics reported by access points. After examining the methods of manually finding rogue devices, you will see the value of such an ability.

With a laptop and a wireless signal meter, your only choice is to rove around the affected area in a game of “hot and cold,” moving in the direction of stronger reception as you roam. This method can be frustrating in multi-story buildings, as wireless signals will bleed between floors. Scouting the area can also alert attackers and make pinpointing nearly impossible.

While a wireless client can be used in this crude manner, wireless spectrum analyzers are much more valuable in this instance. A spectrum analyzer can detect and profile a wider range of wireless signals and reveal amazing insight into the waves bouncing through the air. Cisco’s wireless spectrum analyzer can integrate with its Wireless Control Server (WCS) product, giving the software the same insight into the airwaves. Spectrum analyzers can quickly tell the difference between an attacker’s RF transmitter and the break room’s microwave oven.

Using two access points, you can easily tell which access point is detecting a stronger signal. This provides a bit more insight into the location of the device without the need to roam, but is still not conclusive. Some wireless management software packages can guesstimate an approximate location based on the signal strength reported by only one or two access points, but the result can be misleading, since the transmitter can lie at any angle from the access points themselves.

The best solution reverts back to triangulation, in which several access points can hear the interference and report its strength to a centralized management station. Because three or more points of reference are used, a very accurate guess can be made about the location of the object. Just as a GPS receiver uses multiple satellites to calculate a position on earth, triangulation uses multiple receivers to find the position of a transmission source. If you change the location of the transmitter on any axis, at least one radio’s signal will change. When this information is compiled and placed on a map that is drawn to scale, the software knows the distance of the access points from each other and the dynamics of the environment in which they’re deployed. The more access points that hear a single transmission, the better the quality of such calculations. Any device that is causing issues on the network can be located and isolated physically. Manual intervention is still required, however: there is no way to stop an RF jamming signal other than disabling its source. Despite the desires of Hollywood script writers, there is no way to “jam” a “jammer.”
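The following is an added worked example of the triangulation just described, written for this page; it is not AirWave’s, Cisco’s or any other product’s implementation. Each access point reports the signal strength (RSSI, in dBm) at which it hears the transmitter; a log-distance path-loss model (an assumption, since the article names no model, with assumed indoor parameter values) turns each reading into a distance, and the position is the least-squares solution of the resulting circle equations. It also includes the two-access-point “which AP hears it loudest” heuristic from the previous paragraph for comparison. The AP coordinates and RSSI readings are constructed sample data.

```python
"""Locate an interference source from RSSI reported by several access points.

Added example, not from the original article or any vendor's product.
Assumptions not stated on the page: a log-distance path-loss model turns
each AP's RSSI reading into a distance estimate, and the position is the
least-squares solution of the resulting circle equations. The AP
coordinates and readings below are constructed sample data.
"""

# Path-loss model parameters (assumed, typical indoor 2.4 GHz values;
# calibrate them against a site survey before trusting the output).
RSSI_AT_1M = -40.0    # dBm one metre from the transmitter
PATH_LOSS_EXP = 2.7   # 2.0 is free space; walls and floors push it higher


def rssi_to_distance(rssi_dbm, rssi_1m=RSSI_AT_1M, n=PATH_LOSS_EXP):
    """Invert the log-distance model RSSI = RSSI_1m - 10*n*log10(d)."""
    return 10 ** ((rssi_1m - rssi_dbm) / (10 * n))


def trilaterate(circles):
    """circles: list of (x, y, radius) for three or more access points.

    Subtracting the first circle's equation from each of the others
    cancels the x^2 and y^2 terms, leaving a linear system A p = b
    that is solved in the least-squares sense via the normal equations.
    With more than three APs the extra rows average out reading noise."""
    if len(circles) < 3:
        raise ValueError("at least three access points are needed")
    x0, y0, d0 = circles[0]
    rows, rhs = [], []
    for x, y, d in circles[1:]:
        rows.append((2 * (x - x0), 2 * (y - y0)))
        rhs.append(d0 ** 2 - d ** 2 + x ** 2 - x0 ** 2 + y ** 2 - y0 ** 2)
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        # All APs on one line: the source could be mirrored across it.
        raise ValueError("access points are collinear; add one off the line")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def locate_source(reports):
    """reports: list of (ap_x, ap_y, rssi_dbm) as a controller would collect."""
    return trilaterate([(x, y, rssi_to_distance(r)) for x, y, r in reports])


def strongest_ap(reports):
    """The one-or-two-AP heuristic: it only names the AP that hears the
    transmitter loudest, not a position."""
    return max(reports, key=lambda rep: rep[2])[:2]


# Constructed readings: four APs at the corners of a 20 m x 15 m floor.
# The transmitter was placed at (6, 9); the RSSI values were computed
# from the model above and rounded to 0.1 dB as a controller would report.
SAMPLE_REPORTS = [
    (0.0, 0.0, -67.9),
    (20.0, 0.0, -73.0),
    (0.0, 15.0, -65.1),
    (20.0, 15.0, -71.9),
]

if __name__ == "__main__":
    print(f"strongest AP: {strongest_ap(SAMPLE_REPORTS)}")
    x, y = locate_source(SAMPLE_REPORTS)
    print(f"estimated source: ({x:.1f}, {y:.1f}) m")
```

Run as a script, it reports that the strongest-AP heuristic only points at the (0, 15) corner, while the four-AP fit lands within a few tens of centimetres of (6, 9). In practice the RSSI-to-distance step is the weak link: multipath, walls and floors distort the path-loss relationship, which is why the article’s advice to feed a scale floor plan to the management software and to have as many access points as possible hear the transmission matters more than the arithmetic. The collinear check exists because three access points along one corridor cannot tell which side of the corridor the source is on.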

In Conclusion

If you’re still relying on small tools to administer a large wireless deployment, you should consider the migration to a centralized solution with solid management tools. While the costs may be prohibitive, the benefits are enormous and can typically be implemented in phases. Managing access points independently can be as difficult as juggling them. Get a few too many in the air and everything can get out of hand.