Attack and Defence in Radio and Communication Warfare - PowerPoint PPT Presentation

Slides: 47
Provided by: epr45

Title: Attack and Defence in Radio and Communication Warfare


1
Attack and Defence in Radio and Communication
Warfare
  • Akib Sayyed
  • akibsayyed_at_gmail.com

2
(Electronic) Communication
  • Used by most of the world's population
  • Used by law enforcement and defence in every mission
  • Plays the most important role in time of war
  • We are blind without communication

3
What are we looking at
  • Radio Communication
  • Communication Jamming
  • Anti Jamming Communication
  • Locating Signal Source
  • Smart Radio Grid
  • Core Network
  • What's there in the core network?
  • Disrupting Core Network
  • Threat of Imported Telco Equipment

4
Radio Communication
  • It is communication using electromagnetic waves
    through the atmosphere or free space.
  • Information is sent over radio waves by
    changing a property of these waves such as pulse,
    phase, amplitude or frequency
  • Consists of a transmitter and a receiver (TRX)

5
Types of Radio Frequency (Short Version)
  • Very high frequency (VHF): 30 to 300 MHz, wavelength 10 m to 1 m
  • Ultra high frequency (UHF): 300 to 3000 MHz, wavelength 1 m to 100 mm
  • Super high frequency (SHF): 3 to 30 GHz, wavelength 100 mm to 10 mm

6
Usages
  • VHF: FM, television, amateur radio, aircraft
    communication
  • UHF: television, microwave, mobile communication, GPS,
    Bluetooth
  • SHF: radio astronomy, microwave devices/communications,
    wireless LAN, most modern radars

7
How data is sent via Radio Waves
8
Different Ways to Send/Receive Radio Waves
  • Commercial Radios
  • Cellphones
  • Walkie-Talkie
  • SDR: bladeRF, HackRF, USRP Series
  • Signal Generators
  • Spectrum Analyzer

9
How to Block/Protect Signals
  • It is not possible to stop someone from sending or
    receiving signals
  • The best options are to jam, scramble, encrypt or hop

10
Jamming
Overlapping signals with more power so that the
signal becomes garbage
11
Scrambling
Transposing or inverting signals, making them
unintelligible to a receiver without a
descrambler. Performed in the analog domain.
12
Encryption (Digital Domain)
[Figure: a plaintext sample (Lorem Ipsum dummy text) shown against its encrypted form, an unreadable ciphertext blob]
13
Hopping
14
Protecting Signals
  • Should have the following qualities
  • Low Probability of Detection
  • Low Probability of Intercept
  • Low Probability of Exploitation

15
Low probability of Detection
  • The goal is to hide the signal so that an
    unintended receiver has difficulty determining
    that a signal is even present

16
Low probability of Intercept
  • If the signal is not of LPD type then an unintended
    receiver can receive it
  • So to reduce the probability of intercept one can use
    frequency hopping
  • Due to frequency hopping, one cannot easily receive a
    signal that hops across different frequencies unless
    one knows the hopping pattern

17
Low Probability of Exploitation
  • In case the signal is not LPD/LPI, or the attacker finds
    a way to receive the signal properly, getting
    meaningful information from that signal should be
    difficult
  • Encryption is an example of LPE

18
Electronic warfare
  • Activities taken to accomplish the intercept or
    denial of communication
  • 3 main components
  • Electronic attack(EA)
  • Electronic support(ES)
  • Electronic protect(EP)

19
Electronic Attack (EA)
  • Using active signals to deny a communication system
    from actively exchanging information
  • It could be
  • Jamming: transmit noise on those frequencies
  • Deception: send wrong information to mislead
  • Directed energy: similar to jamming, but the goal is to
    permanently harm or destroy equipment

20
Electronic Support (ES)
  • Supporting function for EA
  • It is more like spectrum sensing: finding signals
    with specific characteristics
  • Because if jamming is performed on a non-utilized
    frequency, time and energy are wasted

21
Electronic Protect (EP)
  • Protecting friendly communication from EA and ES
    attacks
  • In case both are using same frequency then one
    should transmit signals towards target and away
    from friendly units

22
Anti-Jam Communication
  • Communication with ability to fight jamming of
    communication system
  • Type of Anti Jamming signals
  • Direct-Sequence Spread Spectrum
  • Frequency-Hopping Spread Spectrum
  • Time-Hopping Spread Spectrum

23
Direct-Sequence Spread Spectrum
  • The technique involves spreading the signal across a
    wider bandwidth, and the entire bandwidth is occupied
    instantly
  • Due to the wider band, the energy present at any
    particular frequency is low
  • This lowers the probability of detection, as an
    unintended receiver mistakes it for noise
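
An added example, not part of the original slides: a baseband simulation of direct-sequence spreading, in which a receiver holding the chip sequence recovers data sent below the per-chip noise-plus-interference level and a receiver without the sequence does not. The 256-chip code, the seeds, the noise level and the tone are constructed values, and Python's `random` stands in for a real PN generator.

```python
import math
import random

def pn_code(seed, n_chips):
    """Pseudo-noise chips (+1/-1) from a shared seed (stand-in for a real PN generator)."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(n_chips)]

def spread(bits, code):
    """Multiply every data symbol (+1/-1) by the whole chip sequence."""
    return [(1 if b else -1) * c for b in bits for c in code]

def channel(chips, noise_std, tone_amp, seed=7):
    """Add Gaussian noise and one strong narrowband tone (constructed interference)."""
    rng = random.Random(seed)
    return [x + rng.gauss(0, noise_std) + tone_amp * math.sin(0.9 * i)
            for i, x in enumerate(chips)]

def despread(samples, code):
    """Correlate each chip block with the code; the sign of the sum is the bit."""
    n = len(code)
    return [1 if sum(s * c for s, c in zip(samples[i:i + n], code)) > 0 else 0
            for i in range(0, len(samples), n)]

def chip_power_ratio_db(noise_std, tone_amp):
    """Per-chip signal power (1.0) over noise power plus tone power, in dB."""
    return 10 * math.log10(1.0 / (noise_std ** 2 + tone_amp ** 2 / 2))

def bit_errors(sent, received):
    return sum(a != b for a, b in zip(sent, received))

def demo():
    """Constructed scenario: 64 bits, 256 chips per bit, signal below noise plus tone."""
    rng = random.Random(3)
    bits = [rng.randint(0, 1) for _ in range(64)]
    code = pn_code(2024, 256)
    rx = channel(spread(bits, code), noise_std=1.5, tone_amp=2.0)
    with_code = bit_errors(bits, despread(rx, code))
    without_code = bit_errors(bits, despread(rx, pn_code(1, 256)))
    return with_code, without_code, chip_power_ratio_db(1.5, 2.0)

if __name__ == "__main__":
    with_code, without_code, ratio = demo()
    print(f"per-chip signal vs noise+tone: {ratio:.1f} dB")
    print("bit errors with the shared code:", with_code)
    print("bit errors with a wrong code   :", without_code)
```

Correlating over 256 chips adds the wanted signal coherently while noise and the tone add incoherently, which is the processing gain that lets the link work with each chip sitting about 6 dB below the interference.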

24
Frequency Hopping Spread Spectrum
  • Based on concept of hopping
  • Occupies single channel at given instant
  • Bandwidth is from about 10 kHz to about 200 kHz
  • Signal hops in predefined hopping sequence called
    hop set
  • 2 types
  • SFHSS (Slow Frequency Hopping SS)
  • FFHSS (Fast Frequency Hopping SS)
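
An added example, not part of the original slides, covering both the low-probability-of-intercept slide and the hop set described here: each time slot's channel is derived from a shared key, and the fraction of slots a receiver actually captures is measured with and without knowledge of the pattern. Using HMAC-SHA256 as the sequence generator, the 64-channel hop set, the keys and the fixed channel 17 are assumptions made for illustration.

```python
import hashlib
import hmac

CHANNELS = 64  # assumed size of the hop set

def hop_channel(key: bytes, slot: int, channels: int = CHANNELS) -> int:
    """Channel used in a time slot, derived from the shared key and the slot number."""
    digest = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % channels

def capture_ratio(tx_key: bytes, slots: int, rx_channel_for_slot) -> float:
    """Fraction of slots in which a receiver is tuned to the transmitter's channel."""
    hits = sum(1 for s in range(slots)
               if hop_channel(tx_key, s) == rx_channel_for_slot(s))
    return hits / slots

def demo(slots: int = 2000) -> dict:
    tx_key = b"constructed-shared-key"   # constructed value, known to both ends
    return {
        # Intended receiver: same key, same slot counter, so it follows every hop.
        "synchronised": capture_ratio(tx_key, slots, lambda s: hop_channel(tx_key, s)),
        # Unintended receiver parked on one channel of the hop set.
        "fixed_channel": capture_ratio(tx_key, slots, lambda s: 17),
        # Unintended receiver hopping with a guessed key.
        "wrong_key": capture_ratio(tx_key, slots, lambda s: hop_channel(b"guess", s)),
    }

if __name__ == "__main__":
    for receiver, ratio in demo().items():
        print(f"{receiver:14s} captures {ratio:6.1%} of slots")
```

Without the pattern a receiver sees roughly one slot in 64, which is why the protection depends on the hop sequence staying unpredictable to anyone who has only observed past hops.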

25
Time Hopping Spread Spectrum
  • TH changes the time of transmission randomly, so a
    receiver gets noise most of the time
  • The best example is PTT (push-to-talk) used by military
    and law enforcement

26
SDR Connections for DEMO
27
Demo of Anti Jam Signals
28
Jamming Anti-Jam Signals
  • Partial Dwell Jamming of FHSS Systems
  • Noise Jamming
  • Tone Jamming
  • Pulse Jamming
  • Follower Jamming
  • Smart Jamming

29
Partial Dwell Jamming of FHSS
  • Portion of Signal is jammed
  • There is finite amount of time to insert jam
    signal if detect energy belongs to correct signal
    to jam
  • One cannot jam whole spectrum but partial is
    possible

30
Noise Jamming
  • The carrier signal is modulated with a noise waveform
  • The main aim is to insert noise at the receiver end
  • Types
  • Broadband Noise Jamming (Entire Spectrum)
  • Partial Band Noise Jamming (Partial Spectrum)

31
Tone Jamming
  • Continuous Tone is generated on spectrum in
    narrowband
  • Could be single or multiple
  • In case of multiple tones power is distributed
    among all tones
  • Type
  • Single Tone
  • Multiple Tones

32
Pulse Jamming
  • Similar to partial band noise jamming
  • It is partial band noise jamming with no continuous
    transmission
  • Has lower average power than some other jamming
    techniques

33
Follower Jamming
  • Follow hopping path and predict hopping sequence
  • Once predicted jam next possible hopping channel
  • Jamming could be in tones or modulated tones
  • AKA responsive jamming, repeater jamming, repeat-back
    jamming

34
Smart Jamming
  • Block the food supply?
  • Means blocking only the part that is important for sync
  • As most sync channels are not spread or hopping
    (e.g. GSM FCCH or C0)
  • One can simply jam the main sync source

35
SDR Connections for DEMO
36
Demo of Jamming Signals
37
Smart Radio Grid
  • For whom ?
  • Why we need this?
  • Applications
  • SDR arch

38
For Whom?
  • Metro Cities
  • Airports
  • Borders

39
Why We need this?
  • Signal generators are easy to get and use
  • Imagine these cases
  • Airport security radios are jammed
  • Terrorists using satellite phones to communicate in
    metro cities
  • Law enforcement radios are picking up misleading
    signals
  • Tracking such cases in real time is nearly impossible
    (at least in India)

40
Applications
  • Detect Jamming Signals
  • Find Illegal Transmitters
  • Fake cell towers
  • Illegal broadcast stations
  • Locate signalling source
  • Smart Jamming
  • Intercept Communication
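
An added example, not part of the original slides: one way a monitoring node in such a grid could flag interference, by comparing each spectrum sweep with a stored noise floor and labelling the shape of the unexplained energy with the noise, tone and pulse categories from the jamming slides. The 20-channel band, the dBm values, the 10 dB rise threshold and the 80% broadband cut-off are constructed assumptions, and the baseline is assumed to already include known legitimate transmitters.

```python
BASELINE = [-100.0] * 20   # constructed noise floor per channel, in dBm

def sweep(levels):
    """Constructed sweep: baseline + 1 dB everywhere, with {channel: dBm} overrides."""
    return [levels.get(i, b + 1.0) for i, b in enumerate(BASELINE)]

def classify_sweep(baseline, current, rise_db=10.0, broadband_fraction=0.8):
    """Label the shape of unexplained energy in one sweep; returns (label, channel spans)."""
    if len(baseline) != len(current):
        raise ValueError("baseline and sweep must cover the same channels")
    raised = [i for i, (b, s) in enumerate(zip(baseline, current)) if s - b >= rise_db]
    if not raised:
        return "clear", []
    runs = [[raised[0]]]                      # group adjacent raised channels
    for i in raised[1:]:
        if i == runs[-1][-1] + 1:
            runs[-1].append(i)
        else:
            runs.append([i])
    spans = [(r[0], r[-1]) for r in runs]
    if len(raised) / len(baseline) >= broadband_fraction:
        return "broadband noise", spans
    if all(len(r) == 1 for r in runs):
        return ("single tone" if len(runs) == 1 else "multiple tones"), spans
    return "partial-band noise", spans

def classify_series(baseline, sweeps):
    """Label consecutive sweeps; energy that comes and goes is reported as pulsed."""
    labels = [classify_sweep(baseline, s)[0] for s in sweeps]
    active = [label for label in labels if label != "clear"]
    if not active:
        return "clear"
    shape = max(sorted(set(active)), key=active.count)
    return shape if len(active) == len(labels) else "pulsed " + shape

if __name__ == "__main__":
    band = sweep({ch: -70.0 for ch in range(8, 14)})
    print(classify_sweep(BASELINE, sweep({5: -60.0})))
    print(classify_sweep(BASELINE, band))
    print(classify_series(BASELINE, [band, sweep({}), band, sweep({})]))
```

The returned channel spans tell an operator which part of the band is affected, which is the input a direction-finding step would need next.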

41
SDR Arch
42
Core Network
  • Traditional telecom protocols
  • Less scrutinized for security flaws, in both
    protocol and implementation
  • Uses custom distros assembled by collecting bits and
    pieces

43
Awareness in Telco Security
  • Telcos have lately been testing their networks for
    security flaws
  • Awareness is growing among telco people, as the
    gentlemen-only network is now open to all
  • But vendor co-operation is lacking due to
    contracts and money

44
Threat of imported equipment
  • Recently researchers found
  • Hidden commands in equipment
  • Some default passwords
  • Embedded Trojan horses which send data back to the
    device manufacturer

45
Steps Taken by Indian Government
  • Set up a Telecom Equipment Testing Lab
  • Which will
  • Test equipment for protocol implementation flaws
    and for security flaws
  • Certify equipment
  • A pilot lab was set up in Bangalore under Prof. N.
    Balakrishnan

46
Questions
  • ?