Jamming Zigbee for Under $100. Jacob Brodsky, PE, Control Systems Engineer
WHY? • Need test equipment to validate the RF path • Include built-in diagnostics • Denials of service will happen • What will a control system do when they do? • Can you figure out why it happened? • Would you rather find out the hard way?
ISM Band • Industrial, Scientific and Medical use • 47 CFR 15.5(b): an unlicensed device must shut down if it interferes with a licensed service, and must accept interference from any source • No legal recourse if the link fails • If you want legal recourse, contact UTC • Get a license!
Just Zigbee? • Zigbee's physical layer is IEEE 802.15.4 • The same PHY is used by 6LoWPAN and by ISA-100.11a • The same 2.4 GHz band carries 802.11b/g, Bluetooth and lots of other proprietary stuff, so a jammer built for one hits them all
Protocols for This Experiment • Not designing production devices • 47 CFR 15.23 (home-built devices) • Good engineering practice • 47 CFR 15.247(a)(3) & (4) • Keep this REALLY simple • Descriptions herein are prototypes • Could be made for about $50 in quantity • Not giving explicit details
Definitions • dBm: decibels referenced to 1 milliwatt • dBm = 10 log10(P / 1 mW) • 0 dBm = 1 mW • +6 dBm ≈ 4 mW • +30 dBm = 1 W • One-decibel compression point (P1dB): the output power at which the amplifier's gain has dropped 1 dB below its small-signal value, i.e. where the power amplifier begins to limit
Frequency Modulation • A carrier modulated by a single tone produces spectral lines spaced at the modulating frequency on either side of the carrier, with amplitudes given by Bessel functions of the modulation index (peak deviation divided by modulating frequency) • For large modulation indexes the sidebands spread over a wider and wider spectrum (Carson's rule: roughly twice the deviation plus the modulating frequency) • Individual sidebands null out wherever the corresponding Bessel function crosses zero
How to Jam Everything on 2.4 GHz • Make a sideband on every channel • 802.15.4 channels are 5 MHz apart, but the passband is only 2 MHz wide • A 5 MHz modulating tone puts exactly one sideband per channel: this requires frequency accuracy, and a Bessel null may land on a channel and leave it untouched • To guarantee a sideband in each passband, use a modulating frequency of around 1 MHz: more sidebands are required and each carries slightly less power, but every 2 MHz passband gets several of them
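The arithmetic behind the two slides above (dBm conversion, Bessel-function sideband amplitudes, and whether every 802.15.4 passband gets a sideband) as an added example; this is not code from the slides. It uses pure Python with no SciPy, and the 2440 MHz carrier, the 43.27 MHz deviation and the -40 dB "counts as a null" threshold are assumptions chosen for the demonstration. The 802.15.4 channel plan (channels 11 to 26, centred at 2405 + 5·(k−11) MHz) is from the standard; the 2 MHz passband is the figure the slide gives.

```python
"""FM-sideband coverage of the IEEE 802.15.4 channels (added example, not from the
slides).  Pure Python; the 2440 MHz carrier, the -40 dB "null" threshold and the
modulation settings below are assumptions chosen for the demonstration."""
import math

# 802.15.4 channels 11..26 in the 2.4 GHz band: centre = 2405 + 5 * (k - 11) MHz.
CHANNEL_CENTRE_MHZ = {k: 2405.0 + 5.0 * (k - 11) for k in range(11, 27)}
PASSBAND_MHZ = 2.0          # receiver passband per the slides


def dbm_to_mw(dbm):
    """0 dBm = 1 mW, +6 dBm ~ 4 mW, +30 dBm = 1 W."""
    return 10.0 ** (dbm / 10.0)


def mw_to_dbm(mw):
    return 10.0 * math.log10(mw)


def bessel_j(n_max, x):
    """J_0(x) .. J_{n_max}(x) by Miller's backward recurrence, normalised with the
    identity J_0 + 2 * (J_2 + J_4 + ...) = 1.  No SciPy needed."""
    if x == 0.0:
        return [1.0] + [0.0] * n_max
    start = max(n_max, int(abs(x))) + 50   # far enough up that J_start(x) is negligible
    vals = [0.0] * (start + 2)
    vals[start] = 1e-30                     # arbitrary seed; the normalisation removes it
    for n in range(start, 0, -1):
        vals[n - 1] = (2.0 * n / x) * vals[n] - vals[n + 1]
        if abs(vals[n - 1]) > 1e200:        # keep the recurrence from overflowing
            for k in range(n - 1, start + 2):
                vals[k] *= 1e-200
    norm = vals[0] + 2.0 * sum(vals[2:start + 1:2])
    return [v / norm for v in vals[:n_max + 1]]


def fm_lines(fc_mhz, fm_mhz, beta):
    """Spectral lines of a carrier at fc_mhz modulated by one tone at fm_mhz with
    modulation index beta (peak deviation / fm).  Line n sits at fc + n*fm and carries
    J_n(beta)^2 of the carrier power; returns {frequency_MHz: dB below the carrier}."""
    n_max = int(beta) + 20                  # lines beyond ~beta+1 are negligible (Carson)
    j = bessel_j(n_max, beta)
    return {fc_mhz + n * fm_mhz: 20.0 * math.log10(max(abs(j[abs(n)]), 1e-30))
            for n in range(-n_max, n_max + 1)}


def channel_coverage(lines, threshold_db):
    """Strongest line inside each channel's passband (None if none lands there) and
    whether it clears threshold_db; a line weaker than that counts as a null."""
    half = PASSBAND_MHZ / 2.0
    cov = {}
    for ch, centre in CHANNEL_CENTRE_MHZ.items():
        inband = [p for f, p in lines.items() if abs(f - centre) <= half + 1e-9]
        best = max(inband) if inband else None
        cov[ch] = (best, best is not None and best >= threshold_db)
    return cov


def uncovered_channels(fc_mhz, fm_mhz, beta, threshold_db=-40.0):
    """Channels the jammer misses for the given carrier, tone and modulation index."""
    cov = channel_coverage(fm_lines(fc_mhz, fm_mhz, beta), threshold_db)
    return sorted(ch for ch, (_, ok) in cov.items() if not ok)


if __name__ == "__main__":
    FC = 2440.0                             # assumed carrier: sits on channel 18
    DEVIATION = 43.27                       # MHz peak deviation, same in both cases
    for fm in (5.0, 1.0):
        beta = DEVIATION / fm
        missed = uncovered_channels(FC, fm, beta)
        print(f"fm = {fm} MHz, beta = {beta:.2f}: missed channels {missed or 'none'}")
    # fm = 5 MHz puts one line per channel, and beta = 8.65 is a zero of J_0, so the
    # carrier's own channel (18) is silent.  fm = 1 MHz puts three lines in every
    # passband, so no single Bessel null can empty a channel.
```

The two runs keep the same peak deviation and only change the modulating tone. With a 5 MHz tone each channel depends on exactly one Bessel order, and a modulation index sitting on a zero of J_0 leaves the carrier channel clean; with a 1 MHz tone the 1 MHz line spacing puts three lines in every 2 MHz passband, which is the slide's reason for choosing "around 1 MHz".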
Our First Test Rigs • Purchased prefabricated RF modules • Could build our own, but let's keep this simple • Connectors make prototyping easy • SMD soldering is not hard with a toaster oven
Results: Very Effective • Works against 802.11b/g • Works against Zigbee and 802.15.4 • Can even jam ISA-100.11a: its channel hopping may offer some resiliency, and the communication statistics are not easily read, but as long as our noise is of comparable strength to the signal the link fails • Works against Bluetooth
Clear Channel Assessment (CCA) • Play nice: if energy is present on the channel above a minimal threshold, inhibit the transmitter • What the transmitter hears may not be what the receiver hears • "Dusty" (noisy) networks can be jammed simply by keeping every CCA busy • If you don't talk, nobody will hear you • Questionable efficacy, especially in control applications
Why CCA Doesn't Always Work [Diagram: receiving antenna, transmitting signal, other signals]
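A link-budget model of the two CCA failure modes on the slides above (the transmitter hears a clear channel while the receiver is swamped, and a strong jammer keeps the transmitter's CCA busy so it never talks) as an added example; this is not code from the slides. It assumes free-space path loss, and the node positions, transmit powers, CCA energy-detect threshold, noise floor and the SINR the receiver needs to decode are all assumptions made for the demonstration.

```python
"""Why CCA at the transmitter does not protect the receiver: a free-space link budget
(added example, not from the slides).  Node positions, powers, the CCA threshold, the
noise floor and the SINR needed to decode are all assumptions for the demonstration."""
import math

FREQ_MHZ = 2440.0          # assumed carrier (802.15.4 channel 18)
CCA_THRESHOLD_DBM = -75.0  # assumed energy-detect threshold; 802.15.4 allows it to be
                           # at most 10 dB above the -85 dBm receiver sensitivity
NOISE_FLOOR_DBM = -95.0    # assumed thermal noise plus receiver noise figure in 2 MHz
MIN_SINR_DB = 5.0          # assumed SINR the receiver needs to decode a frame


def fspl_db(distance_m, freq_mhz=FREQ_MHZ):
    """Free-space path loss (Friis) in dB; distance in metres, frequency in MHz."""
    return 20.0 * math.log10(distance_m) + 20.0 * math.log10(freq_mhz) - 27.55


def rx_power_dbm(tx_dbm, tx_pos, rx_pos):
    """Power arriving at rx_pos from an isotropic source of tx_dbm at tx_pos."""
    d = math.hypot(tx_pos[0] - rx_pos[0], tx_pos[1] - rx_pos[1])
    return tx_dbm - fspl_db(d)


def dbm_sum(*values):
    """Add powers given in dBm (e.g. jammer plus noise at the receiver)."""
    return 10.0 * math.log10(sum(10.0 ** (v / 10.0) for v in values))


def link_outcome(tx, rx, jammer=None):
    """tx, rx, jammer: dicts with 'pos' (x, y) in metres and 'dbm' output power.
    Compares what the transmitter's CCA hears with what the receiver experiences."""
    sig_at_rx = rx_power_dbm(tx["dbm"], tx["pos"], rx["pos"])
    if jammer is None:
        jam_at_tx = jam_at_rx = None
        interference = NOISE_FLOOR_DBM
    else:
        jam_at_tx = rx_power_dbm(jammer["dbm"], jammer["pos"], tx["pos"])
        jam_at_rx = rx_power_dbm(jammer["dbm"], jammer["pos"], rx["pos"])
        interference = dbm_sum(jam_at_rx, NOISE_FLOOR_DBM)
    cca_busy = jam_at_tx is not None and jam_at_tx >= CCA_THRESHOLD_DBM
    sinr = sig_at_rx - interference
    if cca_busy:
        verdict = "CCA busy: transmitter backs off, nothing is sent"
    elif sinr < MIN_SINR_DB:
        verdict = "CCA clear: transmitter sends, receiver cannot decode"
    else:
        verdict = "frame gets through"
    return {
        "jammer_at_tx_dbm": jam_at_tx,
        "jammer_at_rx_dbm": jam_at_rx,
        "signal_at_rx_dbm": round(sig_at_rx, 1),
        "sinr_db": round(sinr, 1),
        "cca_busy": cca_busy,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed layout: transmitter at the origin, receiver 30 m away, jammer 5 m
    # beyond the receiver (35 m from the transmitter).
    tx = {"pos": (0.0, 0.0), "dbm": 0.0}
    rx = {"pos": (30.0, 0.0), "dbm": 0.0}
    for label, jam in [("no jammer", None),
                       ("weak jammer near receiver", {"pos": (35.0, 0.0), "dbm": -10.0}),
                       ("strong jammer near receiver", {"pos": (35.0, 0.0), "dbm": 10.0})]:
        print(f"{label}: {link_outcome(tx, rx, jam)}")
```

The weak jammer arrives at the transmitter about 6 dB below the CCA threshold, so the transmitter happily sends, while at the receiver it is stronger than the wanted signal and the frame is lost; raising the jammer by 20 dB flips the failure into the other mode, where the transmitter's own CCA silences it. Neither outcome is visible to the transmitter without the per-node RSSI and SNR reporting the later slides ask for.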
Other Types of Jammers • Noise makers are easy to find if you know what you're looking for • Repeater jammers are NOT: they only radiate when there is a signal to repeat • The re-radiated signal can be offset by some frequency to confuse the receiver • Very effective and efficient with power • Good luck finding it
An Oversimplified Repeating Jammer [Block diagram: receiver antenna, I/Q split, LPF, voltage-controlled oscillator, TX antenna]
Still More Methods • Listen for a specific address and transmit on top of it • This has been done with Zigbee already • Also very difficult to find, since it only radiates for the duration of the targeted frame • Use three 802.11 transmitters and broadcast continuous trash across the band • Who would know the difference?
What Is Needed: • RSSI and signal-to-noise ratio readable from every node • A "wireless" service monitor • Monitor the signals on the air • Monitor signal strength • Generate known-good interrogations and check the replies • If in a mesh, keep track of the signal propagation path • Beware of critical nodes: a single node whose loss cuts others off from the gateway
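One concrete form of "keep track of the propagation path" and "beware of critical nodes", as an added example that is not from the slides: given the mesh topology a network management tool already knows, find every node whose loss (to a jammer or otherwise) strands other nodes from the gateway. The topology, node names and the gateway name are constructed for the demonstration.

```python
"""Finding the critical nodes of a mesh: which nodes, if jammed, cut other nodes off
from the gateway (added example, not from the slides).  The topology is constructed
for the demonstration and the names are arbitrary."""
from collections import deque

# Constructed mesh: gateway GW, routers R1-R3, end devices E1-E4; links are symmetric.
MESH_LINKS = [("GW", "R1"), ("GW", "R2"), ("R1", "R2"), ("R1", "R3"),
              ("R3", "E1"), ("R3", "E2"), ("R2", "E3"), ("R3", "E4")]


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, start, removed=frozenset()):
    """Nodes that still have a path to start when the nodes in 'removed' are jammed."""
    if start in removed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in seen and v not in removed:
                seen.add(v)
                queue.append(v)
    return seen


def critical_nodes(links, gateway):
    """Map each non-gateway node to the nodes that lose their gateway path if it is
    jammed.  Only nodes whose loss strands someone else appear in the result."""
    adj = adjacency(links)
    baseline = reachable(adj, gateway)
    out = {}
    for node in adj:
        if node == gateway:
            continue
        stranded = baseline - reachable(adj, gateway, frozenset({node})) - {node}
        if stranded:
            out[node] = sorted(stranded)
    return out


if __name__ == "__main__":
    print("critical nodes:", critical_nodes(MESH_LINKS, "GW"))
    # Adding one redundant link R2-R3 removes R1 as a single point of failure.
    print("with R2-R3 link:", critical_nodes(MESH_LINKS + [("R2", "R3")], "GW"))
```

Run it against the routing tables the mesh reports and the output is the list of nodes that deserve a second path, a second radio, or at least a louder alarm when their RSSI drops.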
Do Not Assume the Signal Will Get Through! • Channel hopping is more robust, HOWEVER • The data rate drops significantly while the radios hunt for a new channel • Jammers can be adaptive too • Retries are incredibly inefficient: a frame with a single bad bit is resent in full • Forward error correction (FEC) is better • LDPC • Turbo codes • Cryptography can authenticate messages, but… • It can't do much for a message that never arrives
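The retries-versus-FEC point above, worked through as an added example that is not from the slides. Hamming(7,4), a single-error-correcting code small enough to write in a dozen lines, stands in for the LDPC and turbo codes the slide names; the comparison is analytic (exact probabilities, no Monte Carlo) so the numbers are reproducible. The 1016-bit frame (a full 127-byte 802.15.4 PSDU) and the 1 % jammer-induced bit-error rate are assumptions.

```python
"""Retries versus forward error correction under a jammer-induced bit-error rate
(added example, not from the slides).  Hamming(7,4) stands in for the LDPC/turbo
codes the slide names; the 1016-bit frame and 1 % bit-error rate are assumptions."""
import math
from math import comb


def hamming74_encode(d):
    """4 data bits -> 7-bit codeword [p1, p2, d1, p3, d2, d3, d4]."""
    d1, d2, d3, d4 = d
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]


def hamming74_decode(c):
    """Correct up to one flipped bit and return the 4 data bits."""
    c = list(c)
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    pos = s1 + 2 * s2 + 4 * s3          # syndrome = 1-based position of the bad bit
    if pos:
        c[pos - 1] ^= 1
    return [c[2], c[4], c[5], c[6]]


def frame_success_uncoded(payload_bits, p):
    """An uncoded frame survives only if no bit flips (checksum rejects it otherwise)."""
    return (1.0 - p) ** payload_bits


def block_success(n, t, p):
    """A length-n block correcting t errors decodes if at most t bits flip."""
    return sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(t + 1))


def frame_success_coded(payload_bits, n, k, t, p):
    """Frame split into ceil(payload/k) blocks; all of them must decode."""
    return block_success(n, t, p) ** math.ceil(payload_bits / k)


def compare(payload_bits=1016, p=0.01):
    """Expected bits on the air per delivered frame with retry-until-success (ARQ),
    uncoded versus Hamming(7,4)-coded.  1016 bits is a full 127-byte 802.15.4 PSDU."""
    unc = frame_success_uncoded(payload_bits, p)
    cod = frame_success_coded(payload_bits, 7, 4, 1, p)
    coded_len = math.ceil(payload_bits / 4) * 7
    return {
        "uncoded_frame_success": unc,
        "coded_frame_success": cod,
        "uncoded_airtime_bits": payload_bits / unc,   # attempts * bits per attempt
        "coded_airtime_bits": coded_len / cod,
    }


if __name__ == "__main__":
    # A single flipped bit is corrected in place instead of costing a retry:
    cw = hamming74_encode([1, 0, 1, 1])
    cw[5] ^= 1
    print("decoded after one flip:", hamming74_decode(cw))
    r = compare()
    print(f"uncoded: success {r['uncoded_frame_success']:.2e}, "
          f"~{r['uncoded_airtime_bits']:.3g} bits of airtime per delivered frame")
    print(f"Hamming(7,4): success {r['coded_frame_success']:.2f}, "
          f"~{r['coded_airtime_bits']:.3g} bits of airtime per delivered frame")
```

At a 1 % bit-error rate the uncoded frame almost never arrives intact, so ARQ burns tens of millions of bits of airtime per delivered frame, while the coded frame costs 75 % more bits per attempt but succeeds more than half the time, an improvement of several thousand-fold in airtime. A real LDPC or turbo code does far better than Hamming(7,4) at the same overhead; this only shows why the slide prefers correction over retransmission.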