1 / 25

Jamming Zigbee for Under $100


Presentation Transcript


  1. Jamming Zigbee for Under $100
  Jacob Brodsky, PE, Control Systems Engineer

  2. WHY?
  • Need test equipment to validate the path
  • Include built-in diagnostics
  • Denials of service will happen
  • What will a control system do?
  • Can you figure out why it happened?
  • Would you rather find out the hard way?

  3. ISM Band
  • Industrial, Scientific, Medical use
  • 47 CFR 15.5 (b)
  • Must shut down if it interferes with a licensed service
  • Must accept interference from anywhere
  • No legal recourse if it fails
  • If you want legal recourse, contact UTC
  • Get a license!

  4. Just Zigbee?
  • The Zigbee physical layer is IEEE 802.15.4
  • Used by 6LoWPAN
  • Used by ISA-100.11a
  • The same band includes 802.11b/g
  • Bluetooth
  • Lots of other proprietary stuff

  5. Protocols for This Experiment
  • Not designing production devices
  • 47 CFR 15.23 “Home Built Devices”
  • Good engineering practice
  • 47 CFR 15.247 (a) (3) & (4)
  • Keep this REALLY simple
  • Descriptions herein are prototypes
  • Could be made for about $50 in quantity
  • Not giving explicit details

  6. Definitions
  • dBm: decibels referenced to 1 milliwatt
  • dBm = 10 log10(P_mW / 1 mW)
  • 0 dBm = 1 mW
  • +6 dBm = 4 mW
  • +30 dBm = 1 Watt
  • One-decibel compression point (P1dB): the power output at which the amplifier's gain begins to limit

  7. Frequency Modulation
  • For large modulation indices, sidebands appear over a wider and wider spectrum
  • Sidebands are spaced one modulating frequency apart
  • Some sidebands will null out

  8. How to Jam Everything on 2.4 GHz
  • Make a sideband on every channel
  • Channels are 5 MHz apart
  • The IEEE 802.15.4 passband is only 2 MHz wide
  • Requires frequency accuracy
  • May have a null on a channel
  • Guarantee a sideband in each passband
  • More sidebands required
  • Slightly less power per sideband
  • Use a modulating frequency of around 1 MHz

  9. Wide Deviation/High Index

  10. Voltage Controlled Oscillator

  11. A Low Noise/Medium Power Amplifier: P1db > +20 dBm

  12. Our High Tech Soldering

  13. Our First Test Rigs
  • Purchased prefabricated units
  • Could build our own, but let’s keep this simple
  • Connectors make prototyping easy
  • SMD soldering is not hard with a toaster oven

  14. Our First Portable Jammer

  15. The Portable Jammer Spectra

  16. Results: Very Effective
  • Works against 802.11b/g
  • Works against Zigbee and 802.15.4
  • Can even jam ISA-100
  • Channel hopping may offer some resiliency
  • Communications statistics are not easily read
  • As long as our noise is of comparable strength, it will fail
  • Works against Bluetooth

  17. Clear Channel Availability
  • Play nice: if energy is present on the channel above a minimal threshold, inhibit the transmitter
  • What you hear may not be what the receiver hears
  • “Dusty” networks can be jammed
  • If you don’t talk, nobody will hear you
  • Questionable efficacy, especially in control applications

  18. Why CCA Doesn’t Always Work
  (diagram: receiving antenna, transmitting signal, other signals)

  19. Other Types of Jammers
  • Noise makers are easy to find if you know what you’re looking for
  • Repeater jammers are NOT
  • They only radiate when there is a signal
  • The re-radiated signal can be offset by some frequency to confuse the receiver
  • Very effective and efficient with power
  • Good luck finding it

  20. An Oversimplified Repeating Jammer
  (block diagram: TX antenna, receiver antenna, LPF, I/Q split, voltage controlled oscillator)

  21. Still More Methods
  • Listen for a specific address and transmit on top of it
  • This has been done with Zigbee already
  • Also very difficult to find
  • Use three 802.11 transmitters and broadcast continuous trash on the band
  • Who would know the difference?

  22. What Is Needed:
  • RSSI and signal-to-noise in every node
  • A “wireless” service monitor
  • Monitor signals on the air
  • Monitor signal strength
  • Generate known-good interrogations
  • If in a mesh, keep track of the signal propagation path
  • Beware of critical nodes
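As an added example that is not part of the presentation, the per-node monitoring this slide asks for, sketched in Python: it compares each IEEE 802.15.4 channel's idle RSSI against a quiet baseline and tells a localized neighbor (a few adjacent channels, such as an overlapping 802.11 network) from broadband energy on every channel, the case where channel hopping buys nothing. The readings, thresholds and function names are constructed assumptions, not measurements.

```python
import math
from statistics import median

# IEEE 802.15.4 channels 11..26 in the 2.4 GHz band: 5 MHz apart, ~2 MHz passband.
CHANNELS = list(range(11, 27))

def center_mhz(channel):
    """Center frequency: 2405 MHz for channel 11, then 5 MHz per channel."""
    return 2405 + 5 * (channel - 11)

def mw_to_dbm(power_mw):
    """Slide 6: dBm = 10 log10(P / 1 mW)."""
    return 10 * math.log10(power_mw)

def link_margin_db(signal_dbm, noise_dbm):
    """How far the wanted signal sits above the noise floor (the 'comparable strength' test)."""
    return signal_dbm - noise_dbm

def elevated_channels(idle_rssi, baseline, margin_db=10.0):
    """Channels whose idle-channel energy is at least margin_db above their quiet baseline."""
    return [ch for ch in CHANNELS if idle_rssi[ch] - baseline[ch] >= margin_db]

def classify(elevated, broadband_fraction=0.75):
    """'clear', 'localized' (a few channels, e.g. an overlapping 802.11 network) or 'broadband'."""
    if not elevated:
        return "clear"
    if len(elevated) >= broadband_fraction * len(CHANNELS):
        return "broadband"   # energy on nearly every channel: hopping will not help
    return "localized"

def assess(sweep, baseline):
    """Return (verdict, elevated channels, median noise rise in dB) for one survey sweep."""
    elevated = elevated_channels(sweep, baseline)
    rise = median(sweep[ch] - baseline[ch] for ch in CHANNELS)
    return classify(elevated), elevated, rise

# Constructed readings (hypothetical, not measured): quiet baseline around -95 dBm.
BASELINE = {ch: -95.0 for ch in CHANNELS}
# An 802.11 network on Wi-Fi channel 1 (2401-2423 MHz) overlaps 802.15.4 channels 11-14.
SWEEP_WIFI = {ch: (-70.0 if ch <= 14 else -94.0) for ch in CHANNELS}
# Wide-deviation FM noise with a sideband in every passband lifts all 16 channels.
SWEEP_JAM = {ch: -60.0 - (ch % 3) for ch in CHANNELS}

if __name__ == "__main__":
    for name, sweep in (("wifi", SWEEP_WIFI), ("jammer", SWEEP_JAM)):
        verdict, chans, rise = assess(sweep, BASELINE)
        print(f"{name}: {verdict}, elevated={chans}, median rise={rise:.1f} dB")
```

A real node would feed `assess` with RSSI read on idle channels and keep the baseline from a known-quiet commissioning sweep; the margin and broadband fraction are tuning knobs, not standards values.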

  23. Do Not Assume the Signal Will Get Through!
  • Channel hopping is more robust, HOWEVER
  • Data rate will drop significantly while hunting for new channels
  • Jammers can be adaptive too
  • Retries are incredibly inefficient
  • Forward error correction codes are better
  • LDPC
  • Turbo codes
  • Cryptography can authenticate messages, but…
  • It can’t do much if it never gets the message

  24. Questions?
