Jamming WiFi by Jumping on the ACK

As we fill our airwaves with more and more wirelessly connected devices, the question of what could disrupt these systems becomes more and more important. Here’s a particularly interesting example because the proof of concept shows that you don’t need specialized hardware to pull it off. [Bastian Bloessl] found an interesting tweak to previous research that allows an Atheros WiFi card to jam WiFi by obscuring ACK frames.

The WiFi protocol specifies an Acknowledgement Frame (ACK) which is sent by the receiving device after error correction has been performed. It basically says: “yep, I got that data frame and it checks out”. This error correcting process turns out to be the key to [Bastian’s] technique as it provides time for the attack hardware to decide if it’s going to jam the ACK or not.

The jamming technique presented by [Mathy Vanhoef] at the end of 2014 outlined both constant and selective jamming. The selective part involved listening for data packets and analyzing them to determine if they are headed to a MAC the attacker wishes to jam. The problem is that by the time your commodity hardware has decoded that address it’s too late to jam the packet. [Bastian] isn’t trying to jam the data frame, he’s jamming the ACK that the receiver sends back. Without that acknowledgement, the sender will not transmit any new data frames as it assumes there is a problem on the receiving end.
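An added example, not from the original post or from [Bastian]’s or [Mathy]’s work: in 802.11 a sender that misses an ACK retransmits the frame with the Retry bit set, so a monitoring station can watch per-receiver retry ratios for the symptom described above. The threshold, minimum frame count, function names and sample frames are assumptions, and frames are assumed to have any radiotap header already stripped.

```python
from collections import defaultdict

RETRY_FLAG = 0x08  # Retry bit, second Frame Control byte
TYPE_DATA = 2      # Frame Control type value for data frames

def parse_data_frame(frame: bytes):
    """Return (receiver, retry) for a unicast data frame, else None."""
    if len(frame) < 16:          # need Frame Control, Duration, Addr1, Addr2
        return None
    if (frame[0] >> 2) & 0x3 != TYPE_DATA:
        return None
    if frame[4] & 0x01:          # group-addressed frames are never ACKed
        return None
    return frame[4:10].hex(":"), bool(frame[1] & RETRY_FLAG)

def retry_ratios(frames, min_frames=5):
    """Map receiver MAC -> fraction of its data frames that were retries."""
    counts = defaultdict(lambda: [0, 0])   # receiver -> [total, retries]
    for raw in frames:
        parsed = parse_data_frame(raw)
        if parsed is None:
            continue
        receiver, retry = parsed
        counts[receiver][0] += 1
        counts[receiver][1] += int(retry)
    return {rx: r / t for rx, (t, r) in counts.items() if t >= min_frames}

def suspected_targets(frames, threshold=0.6, min_frames=5):
    """Receivers whose retry ratio meets the (assumed) alert threshold."""
    ratios = retry_ratios(frames, min_frames)
    return sorted(rx for rx, ratio in ratios.items() if ratio >= threshold)

def make_frame(rx: str, tx: str, retry: bool) -> bytes:
    """Build a constructed 24-byte data-frame header for the sample."""
    fc = bytes([0x08, RETRY_FLAG if retry else 0x00])
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return fc + b"\x00\x00" + mac(rx) + mac(tx) + b"\x00" * 8

AP, STA_A, STA_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
# Constructed capture: STA_A's frames keep being retried, STA_B's rarely are.
SAMPLE = (
    [make_frame(STA_A, AP, False)] + [make_frame(STA_A, AP, True)] * 6
    + [make_frame(STA_B, AP, i == 3) for i in range(6)]
    + [make_frame("ff:ff:ff:ff:ff:ff", AP, False)] * 4
)

if __name__ == "__main__":
    print(retry_ratios(SAMPLE), suspected_targets(SAMPLE))
```

A high retry ratio also results from ordinary interference or a weak signal, so treat it as a trigger for investigation rather than proof of jamming.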

Is The Arduino Yun Open Hardware?

According to [Squonk42], nope. And we think he’s probably right.

The Yun is an Arduino Leonardo with an Atheros AR9331 WiFi SoC built in. It’s a great idea, pairing the Arduino with a tiny WiFi router that’s capable of running OpenWRT. But how is this no longer Open Source Hardware? Try getting an editable board layout. You can’t.

Or at least [Squonk42] couldn’t. In Sept. 2013, [Squonk42] posted up on the Arduino forums requesting the schematics and editable design files for the Arduino Yun, and he still hasn’t received them or even a response.

Now this dude’s no slouch. He’s responsible for the most complete reverse-engineering of the TP-Link TL-WR703N pocket router, which is, not coincidentally, an Atheros AR9331-based reference design. And this is where the Arduini ran into trouble, [Squonk42] contends.

[Squonk42]’s hypothesis is that Arduino must have done what any “sane” engineer would do in this case when presented with a super-complex piece of hardware and a potentially tricky radio layout: just use the reference design (Atheros AP-121). That’s what everyone else in the industry did. And that’s smart, only the rest of the consumer electronics industry isn’t claiming to be Open Source Hardware while the reference design is protected by an NDA.

So it looks like Arduino’s hands are tied. They, or their partner Dog Hunter, either signed the NDA or downloaded the PDF of the reference design that’s floating around on the Interwebs. Either way, it’s going to be tough to publish the design files under a Creative Commons Attribution Share-Alike license.

Is this a change of strategy for the Arduino folks or did they just make a mistake? We won’t know until they respond, and that answer’s a year and a half in coming. Let’s see what we can do about that. And who knows, maybe Arduino can lean on Atheros to open up their reference design? It’s already an open secret at best.

But before you go out lighting up your righteous Open Source Hardware pitchforks and sharpening up your torches, read through [Squonk42]’s case and then dig through the primary sources that he’s linked to make up your own mind. You’ll make your case more eloquently if you’re making it yourself.

Good luck, [Squonk42]! We hope you at least get your answer. Even if you already know it.

Eye-Fi teardown


[les robots] had a defective Eye-Fi card on his hands and when a replacement was sent, he was told to destroy the original. What better way to ‘destroy’ something than opening the case? The Eye-Fi is an SD card with a built-in WiFi radio so it can upload images while remaining in the camera. One version uses Skyhook’s location service to geotag photos. You can see a few photos of the dismantled card on Flickr. The board is manufactured by Wintec. The wireless side is handled by Atheros’ ROCm, the same low power Radio-on-Chip module you would find in a mobile phone. The flash memory comes from Samsung and the antenna is along the back edge, where it has the best chance of getting signal.