As we fill our airwaves with more and more wirelessly connected devices, the question of what could disrupt these systems becomes more and more important. Here’s a particularly interesting example because the proof of concept shows that you don’t need specialized hardware to pull it off. [Bastian Bloessl] found an interesting tweak to previous research that allows an Atheros WiFi card to jam WiFi by obscuring ACK frames.
The WiFi protocol specifies an Acknowledgement Frame (ACK) which is sent by the receiving device after error correction has been performed. It basically says: “yep, I got that data frame and it checks out”. This error correcting process turns out to be the key to [Bastian’s] technique as it provides time for the attack hardware to decide if it’s going to jam the ACK or not.
The jamming technique presented by [Mathy Vanhoef] at the end of 2014 outlined both constant and selective jamming. The selective part involved listening for data packets and analyzing them to determine if they are headed to a MAC the attacker wishes to jam. The problem is that by the time your commodity hardware has decoded that address it’s too late to jam the packet. [Bastian] isn’t trying to jam the data frame, he’s jamming the ACK that the receiver sends back. Without that acknowledgement, the sender will not transmit any new data frames as it assumes there is a problem on the receiving end.
Remember when it was laser pointers? Well, now it’s drones.
[Thinkerer] sent us this link to what’s essentially a press release for a company called Sensofusion that makes a UAV detector and (they claim) smart jammer, and apparently one is being installed at Denver International airport.
We buy that the “Airfence” system will be able to detect known systems by signature, and possibly even take them over. We’ve seen two exploits of quadcopter radio protocols (one a timing attack and the other a controller ID spoof) that would allow them to do just that. But is that the problem? Don’t most of the major manufacturers fence off airports in software these days anyway? And are drones really the droids that you’re looking for?
They also make some claims about being able to detect and stop DIY copters, but we don’t see how. Imagine that your copter ran encrypted on 2.4 GHz. How is this different from any other WiFi signal? Or imagine that it sends and receives infrequent data in the congested pager bands? And short of jamming, we don’t see how they’re going to take down anything that they don’t already understand.
So, commenteers, how would you do it? Detect and even take over an arbitrary drone? Possible or snakeoil?
It’s been said that the best defense is a good offense. When aloft and en route to deliver a harmful payload to the enemy, the best defense is to plan your approach and your exit carefully, and to interfere with their methods of detection. If they can’t find you, they can’t shoot you.
As of May 1962, the United States military was using three major classifications of radar jamming technology as described in this week’s film: the AN/ALQ-35 multiple target repeater, the AN/ALQ-55 communications link disrupter, and the AN/ALQ-41 and -51 track breakers. The most important role of these pieces of equipment is to buy time, a precious resource in all kinds of warfare.
The AN/ALQ-35 target repeater consists of a tuner, pulse generator, transmitter, and control panel working in concert to display multiple false positives on the enemy’s PPI scopes. The unit receives the incoming enemy pulse, amplifies it greatly, repeats it, and sends them back with random delays.
The AN/ALQ-55 comm disrupter operates in the 100-210MHz band. It distinguishes the threatening enemy communication bands from those of beacons and civilians, evaluates them, and jams them with a signal that’s non-continuous, which helps avoid detection.
Finally, the AN/ALQ-41 and -51 track breakers are designed to break enemy lock-on and to give false information. They provide simultaneous protection against pulse ranging, FM-CW, conical, and monopulse radar in different ways, based on each method’s angle and range.
Wandering the aisles of Eureka Park, the startup area of the Consumer Electronics Show, I spotted a mob of people and sauntered over to see what the excitement was all about. Peeking over this gentleman’s shoulder I realized he was getting spanked at Beer Pong… by a robot!
Those in the know will recognize that the bot has only 3 cups left and so the guy definitely was giving it a run for its money. But the bot’s ability to swish the ball on nearly every throw accounts for the scoreboard which read Robot: 116, Humans: 11. Unlike the ping pong robot hoax from last March, we can vouch for this one being real!
If you’re trying to attract the geek demographic, this must be one of the best offerings ever shown at a trade show. Empire Robotics manufactures the VERSABALL gripper. We know this as a jamming gripper and have been looking at the tech progress for many years now. Looking back to this Cornell research video from 2010 we realize it is based on the white paper which [John Amend, PhD] co-authored. He’s now CTO and Co-Founder of the company and was one of the people running the booth. We love it when trade show booths are staffed by the engineers!
Join me after the break for a rundown of how the system works along with a video clip of it hitting the target.
This jamming gripper design is the simplest we’ve seen so far. It uses a syringe to generate the suction necessary for the orange appendage to grip an object.
As with previous offerings this uses coffee grounds inside of a balloon. When pressed against an object the grounds flow around it. When a vacuum is applied to the balloon those grounds are locked in place, jamming themselves around the item for a firm grip. About a year ago we saw a hardware-store grade design which used a vacuum pump for suction and a shower head as the gripper body. This time around the plastic syringe serves as both.
The plastic tip was cut away and the resulting hole covered with a cloth to keep the coffee in place. After installing the coffee-filled balloon the grip can be operated by pulling the plunger to lock the grounds in place. It’s not going to be as easy to automate as a pump-based rig. But if you just want to toy with the concept this is the way to go.
This is the simplest version of a jamming gripper that we’ve seen yet. The only component that might not be readily available is the pump in the upper left, but the rest is all hardware or grocery store stuff. It’s based on the concept we saw from a research video where the air in a bladder full of coffee grounds is removed to grip an item. In this case the bladder is a party balloon which is held in place by parts from a cheap shower head. A threaded-to-barbed right angle connector makes it easy to connect the vinyl tubing up to the pump.
The video after the break shows that this works quite well for small items. But we see a lot of downward force is exerted to firmly embed them in the grounds. We’re not sure if this is par for the course, or if it would work a bit better if more air were in the bladder initially. This other jamming gripper build uses a servo to release pressure from the system, and we think that might be of help here too.
[Elliot] put together an intriguing proof-of-concept script that uses repeated deauthentication packet bursts to jam WiFi access points. From what we can tell it’s a new way to use an old tool. Aircrack-ng is a package often seen in WiFi hacking. It includes a deauthentication command which causes WiFi clients to stop using an access point and attempt to reauthenticate themselves. [Elliot’s] attack involves sending repeated deauthentication packets which in essence never allows a client to pass any data because they will always be tied up with authentication.
After the break you can see a video demonstration of how this works. The script detects access points in the area. The attacker selects which ones to jam and the script then calls the Aircrack-ng command. If you’ve got an idea on how to protect against this type of thing, we’d love to hear about it. Leave your thoughts in the comments.
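On the protection question, one place to start is spotting the burst itself from a monitor-mode capture. The sketch below is an added example, not [Elliot's] script or anything from Aircrack-ng: it parses raw 802.11 MAC headers (no radiotap prefix), picks out deauthentication frames (management type 0, subtype 12) and flags any BSSID/client pair that receives more than a threshold number within a sliding window. The MAC addresses, the sample capture, the one-second window and the threshold of 5 are all constructed assumptions.

```python
import struct
from collections import defaultdict, deque

DEAUTH = (0, 12)  # 802.11 management type 0, subtype 12

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a deauthentication frame, else None."""
    if len(frame) < 26:          # 24-byte MAC header + 2-byte reason code
        return None
    fc = frame[0]                # low byte of frame control: version, type, subtype
    if fc & 0x03 != 0 or ((fc >> 2) & 0x03, (fc >> 4) & 0x0F) != DEAUTH:
        return None
    reason, = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def find_deauth_floods(capture, window=1.0, threshold=5):
    """capture: time-ordered iterable of (timestamp_seconds, raw_frame_bytes).
    Returns {(bssid, dst): peak_count} for pairs that saw more than
    `threshold` deauth frames inside any `window`-second span."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dst, _src, bssid, _reason = parsed
        q = recent[(bssid, dst)]
        q.append(ts)
        while ts - q[0] > window:    # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold:
            peaks[(bssid, dst)] = max(peaks.get((bssid, dst), 0), len(q))
    return peaks

def build_frame(fc0, dst, src, bssid, reason=7):
    """Construct a sample 26-byte management frame (test data only)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([fc0, 0]) + b"\x00\x00" + raw(dst) + raw(src) + raw(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

AP, STA1, STA2 = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
# Constructed capture: 20 deauths aimed at STA1 within 0.4 s, a beacon (0x80),
# and one ordinary deauth for STA2 that should not be flagged.
SAMPLE = [(10.0 + i * 0.02, build_frame(0xC0, STA1, AP, AP)) for i in range(20)]
SAMPLE += [(11.0, build_frame(0x80, "ff:ff:ff:ff:ff:ff", AP, AP)),
           (12.0, build_frame(0xC0, STA2, AP, AP, reason=3))]

if __name__ == "__main__":
    for (bssid, dst), n in find_deauth_floods(SAMPLE).items():
        print(f"deauth flood: bssid={bssid} client={dst} peak={n} in window")
```

Detection only tells you it is happening; the protocol-level mitigation is IEEE 802.11w Protected Management Frames, which lets associated clients reject deauthentication frames that are not authenticated.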