Breaking will always be easier than making. A 'jammer' is about the easiest kind of transmitter to make: you don't care about signal quality at all (you want the worst signal quality).
For an analogue: you can take a length of steel chain to the nearest power station and lob it over the fence. Likely you'll spend a lot less than $650 and do substantial damage.
That doesn't mean that the power station is badly designed, it just means that we expect people to behave in a non-destructive way and we use the law against those that can't seem to live by the rules.
Society is a fragile thing: a few hundred dedicated jerks can undo the work of hundreds of thousands.
Breaking things is dead easy.
edit: credit for the powerline + chain idea in this thread goes to ghshephard, score one for parallel invention.
If you read the paper, the authors discovered ways to make LTE jamming 20 dB more efficient than brute force; arguably this is a legitimate weakness in LTE. IIRC other protocols are just as bad, so I am skeptical that these vulnerabilities are relevant when designing a public safety network.
In radio transmission there is no substitute for power, both on the jamming side as well as on the side that wants to get their message through.
20 dB is a big deal because it would make the jammer a lot harder to locate, especially if it times its interruption well and can get away with extremely short bursts of activity followed by relatively long periods of silence.
Other tricks of the trade: jam from multiple locations with short bursts, slap the jammer right under the nose of the receiver that you want to jam (that way you need a minimal signal and are almost impossible to detect at range until you're right up to it).
This is the way TV pirates in Amsterdam would broadcast their signals in the '80s to the receiving dishes on Hotel Okura. They were so low power and right up close to the dishes that they could push legitimate broadcasts (mostly German TV) right out of their slot. KTA (the then monopolist on cable TV in Amsterdam) had the unenviable task of coming up with a solution and finally settled on a system where, if one antenna was flooded with a rogue signal, they would switch to antennae mounted on a chimney of the electricity plant on the other side of the city (Amsterdam had very few high buildings).
Of course, pirate TV stations found out about this quickly enough and located another transmitter near there and so on.
This paper really looks like sensationalist attention grabbing material, and I'm kind of disappointed to read this in the MIT review without any context or critical analysis.
The synchronization signals in LTE are split in two parts, the PSS (P for Primary) and SSS (S for secondary). Both are using 62 LTE carriers, each one being 15 kHz, so cover 0.93 MHz. For comparison, a 3G channel is 5 MHz and a CDMA channel is 1.25 MHz. 2G is even narrower (memory fails me there...). So not widely different. And not using the whole channel bandwidth in LTE has very nice consequences: the phone doesn't need to know the channel size to synchronize (not the case in WiMAX for example), and the implementation can be lighter and more power efficient.
Then the paper pretends that transmitting a fake PSS would fool LTE devices. Nonsense. Any PSS detection algorithm has plenty of false detections already, and detecting a PSS is nothing until the matching SSS is also detected, with good quality. But then it's not so simple, the jammer doesn't transmit noise anymore: you have to transmit a true PSS/SSS pair. That won't get you very far, the UE will try this, won't find a matching BCCH and move on.
And did I mention that this part is very robust? A UE can detect a cell well below the noise floor. That's required because in a real network with TD-LTE (and even for FD-LTE in the future) all the cells are synchronized and transmit PSS/SSS at (roughly) the same time. So it is expected that PSS/SSS will be interfered with, and the device can deal with this. So you really have to transmit at a strong level to mess things up.
But in the end, the point is that any public cellular technology is sensitive to jamming, and jamming is dead easy. To protect against this there are well known techniques used in military applications. But guess what? The whole system becomes way less efficient in capacity and much more complex. And capacity is key.
Optimizing a public system, where capacity is key, for typically non-existent threats is just not practical. Everybody should realize this. If you want robustness to jamming use a military grade system, and pay the price.
If you give 50 engineers the task to come up with ideas for breaking a country's infrastructure on a budget I'm pretty sure 45 of them will go for the electricity plants and will look for the most vulnerable place to cause a dead short in a high voltage circuit. There aren't that many of them, they're our Achilles heel. I'm not at all surprised that the military has taken this idea into their arsenal.
I remember reading somewhere that in Total War scenarios you should poison the water source if you are not able to capture and control it. I think it was Art of War by Sun Tzu.
Basically the idea is to short the two sides of the electrical wires so that you end up breaking the transformers. This means that lots of things at the substation will have to be replaced before it can be put back into action. A few well placed attacks like that and you can easily take out an entire city's power or more.
Transformers, generators, motors and power lines have protection relays which sense conditions such as short circuits and isolate the short circuited part of the ... circuit before equipment can be damaged. See http://www.selinc.com
As you say this would cause a power outage, but not necessarily break any equipment, as the protection is quite robust, and more so the more critical the facility.
Regarding the power and substation vulnerability to a simple steel chain, the power companies in my area picked up on this around 5 or 6 years ago and have upgraded the security at every power and substation in this area and beyond.
Previously the substations had a small fence around them. There have been work crews working on each station one at a time to completely overhaul the security. They placed a much larger electrified fence around the station, placed most of the transformers into small brick buildings and have a chain link fence covering the entire complex (a fence that is easily collapsed back for emergency access).
You can tell that they spent a lot of money on these security improvements: there are large alarms, big warning signs, and they set the fences a dozen yards or so further back so you can't get closer.
It didn't need a security incident for this power company to figure out that they had a simple vulnerability and to fix it.
That said, there is no equivalent easy improvement that could be made to LTE networks to secure them. The flaw is in the protocols, and fixing it would require a new network stack and new phones, not just a bigger fence.
There is a nice story in Ross Anderson's computer security book about how kids in Soweto discovered that a bike on the substation reset all the electricity meters to zero.
I think the main thrust of the article is that many systems are vulnerable to control channel interruptions. In those scenarios, a jammer can be far less powerful and much harder to detect.
In many cases, the underlying encryption system for communications is particularly vulnerable to disruption. In those cases, individual bit flips caused by intelligent jammers can cause the loss of entire frames.
BTW, the public safety standard for digital radios (P25) is also vulnerable to this sort of attack. IIRC, jamming the digital system often had the side effect of getting users to switch to less-secure (unencrypted) analog modes that were vulnerable to interception.
Indeed. More amusingly though (but still on the control channel), the open p25 group found that you could remotely brick responder radios, without authentication: http://risky.biz/RB178
I think Slashdot (of all sites) had an important snippet on why this is important news:
> This information comes from research carried out in the U.S. into the possibility of using LTE networks as the basis for a next-generation emergency response communications system.
I can agree that "civilian" systems can expect people to behave in a non-destructive way. But a law-enforcement/emergency system should be reasonably resilient (of course not immune, but resilient) against interference. Thus the value of this study is that it exposes that LTE is not suitable for such use.
The current law enforcement/public safety system (P25) is even worse than LTE on many metrics -- it's easy to jam AND fails open/insecure due to both protocol and radio UI/UX problems. Matt Blaze, Perry Metzger, et al. found a bunch of crazy problems with it and have done talks for the past couple years.
Such behavior is criminal in nature. And the FCC will find you, and they will crack down on you.
"Federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with cellular and Personal Communication Services (PCS), police radar, Global Positioning Systems (GPS), and wireless networking services (Wi-Fi)."
47 U.S.C. § 301, § 302a(b), § 333 all make it clear that this activity is illegal.
Once you've decided to be a criminal, you don't need a $650 device to do a lot of damage. A $20 container of gasoline, or, heck, a $5 piece of chain link at the right electrical substation can cause tens of millions of dollars of damage.
> a $5 piece of chain link at the right electrical substation
Hah! I see I used the exact same example you did, this is funny because I swear I had not looked at your text before writing mine. Low tech sabotage is an interesting subject, and I think it is almost impossible to defend against.
Have an upvote.
A long time ago around a campfire in Colorado this subject came up, how much damage could you do with $5? Gasoline came up quite a few times, the water supply and electrical utility were the main targets of opportunity.
My $5 would be spent on a large wrench to undo the foundation nuts of power line towers.
The next storm would do the actual work and would take down half the grid. I don't think the power companies are in the habit of checking those nuts to see if they're still there.
And you wouldn't have to hit all of them either, just a few choice ones.
A breaker bar is actually a non-ratcheting socket driver. Not something you fit over a wrench (for that you could use any chunk of pipe). Since a breaker bar (or actually the torque measuring version of it) is what is usually used to tighten such nuts I'd imagine it could be used to loosen them as well.
> Since a breaker bar (or actually the torque measuring version of it)
You're thinking of a torque wrench.
The pipe extension trick won't work for torque values far exceeding the rating of the breaker bar. I've snapped the head off a breaker bar with a pipe on it. Generally, I've needed a breaker bar with a 30% higher torque limit than the torque specs of a bolt/nut in order to loosen said fastener after it's settled (generally a few days). Change that to about 50% higher once the fastener has fused to its shaft/bolt/socket (months to years, depending on environment too).
If you could get a torque wrench for $5 that would torque down power line tower fasteners to spec, then yes, I'd agree that a $5 breaker bar would do the job. It should only be stronger than a torque wrench of similar price.
The thing is that the fasteners for power line towers are huge, way bigger than the fasteners I've encountered working on cars. Fasteners that large aren't practical to lay down with mechanical tools that amplify human strength. They'll require pneumatic or hydraulic power equipment.
I still agree with your basic premise that cheap equipment can easily destroy expensive setups with some creativity. Perhaps a fuel source like thermite or magnesium would work.
> I swear I had not looked at your text before writing mine
I'm asking this out of curiosity, rather than to imply either that it is the case or that if it were the case it would somehow be a bad thing. Is it at all possible that your eye might have caught what he said without actively reading it, and planted a seed in your subconscious?
No, I've already related that particular trick on several occasions to various people. I even remember the very first time I talked about it with a guy named Nick (who worked for me at the time) while walking in Toronto, we came across a utility plant (basically nothing but a very large transformer) on the edge of downtown that was so exposed that I thought it was unsafe and remarked how easy it would be to throw some chain over the wires.
The station wasn't particularly big and I'm not sure how much damage such a move would have made but I still felt quite weird given that there ought to be at least a fair sized fence around an installation like that if only for safety.
Low $ sabotage is an interesting subject, it shows well how asymmetry works to the advantage of an attacker, not unlike how our computer security is arranged for. Attackers only need to get through once, defenders have to succeed all the time.
You by yourself could undo the work of many more people of a similar skill level. It's quite sobering to realize just how fragile all this stuff is.
While jamming is criminal behavior, the FCC won't be able to find you. In fact, the FCC has yet to prosecute a single person for cell phone jamming, since it's very hard to find and very easy to hide jammers, because people just think they're in a dead zone or their phone is malfunctioning.
Theoretically, it is possible to triangulate the jamming signal by pinging cell phones and finding which ones aren't in the dark, mapping it to find the guy, but it could take hours and the damage would have already been done.
Oh, and sales of jammers have been going on for years on Craigslist; I'm surprised they've just shut it down this year.
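The localization idea in the comment above (page phones, see which ones stay silent, map the silent region) can be sketched as a small defender-side model. This is an added example, not code from the original thread or from any carrier's tooling: the phone grid, the jammer position, the cut-off radius and the centroid estimator are all constructed assumptions, and a real network operator would take the reachable/unreachable list from paging and registration logs rather than simulating it.

```python
"""Toy model: estimate a jammer's position from which phones go 'dark'.

Constructed example. A grid of phones is paged; phones within a fixed
radius of a hidden jammer fail to answer. The locator only sees the
reachable/unreachable list and estimates where the jammer must be.
"""
from dataclasses import dataclass
from math import hypot
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class PhoneReport:
    phone_id: str
    x: float          # metres east of a reference point (constructed coordinates)
    y: float          # metres north of the reference point
    reachable: bool   # did the phone answer the network's page?


def simulate_pings(positions: Iterable[Tuple[float, float]],
                   jammer_xy: Tuple[float, float],
                   jam_radius_m: float) -> List[PhoneReport]:
    """Constructed ground truth: every phone inside jam_radius_m of the jammer
    stays silent, every other phone answers. Stand-in for real paging logs."""
    jx, jy = jammer_xy
    return [
        PhoneReport(f"ue{i:03d}", x, y, reachable=hypot(x - jx, y - jy) > jam_radius_m)
        for i, (x, y) in enumerate(positions)
    ]


def estimate_jammer(reports: List[PhoneReport]) -> Tuple[Tuple[float, float], float, int]:
    """Locate the jammer from the outage pattern alone.

    Returns (estimated_xy, estimated_reach_m, dark_count). The estimate is the
    centroid of the unreachable phones; the reach is the distance from that
    centroid to the farthest unreachable phone. With a dense, roughly uniform
    phone population this lands close to the true source; sparse coverage or a
    directional antenna would bias it, which is why it bounds a search area
    rather than pinpointing the transmitter.
    """
    dark = [r for r in reports if not r.reachable]
    if not dark:
        raise ValueError("no unreachable phones: nothing to localize")
    cx = sum(r.x for r in dark) / len(dark)
    cy = sum(r.y for r in dark) / len(dark)
    reach = max(hypot(r.x - cx, r.y - cy) for r in dark)
    return (cx, cy), reach, len(dark)


def grid_positions(extent_m: int = 2000, spacing_m: int = 100) -> List[Tuple[float, float]]:
    """Constructed phone population: one phone every spacing_m across a square."""
    steps = range(0, extent_m + 1, spacing_m)
    return [(float(x), float(y)) for x in steps for y in steps]


# Constructed scenario: hidden jammer at (730, 410) knocking out a 350 m radius.
TRUE_JAMMER = (730.0, 410.0)
TRUE_RADIUS = 350.0


def run_scenario() -> Tuple[Tuple[float, float], float, int, float]:
    """Returns (estimate, estimated_reach, dark_count, error_m versus the truth)."""
    reports = simulate_pings(grid_positions(), TRUE_JAMMER, TRUE_RADIUS)
    est, reach, n_dark = estimate_jammer(reports)
    error = hypot(est[0] - TRUE_JAMMER[0], est[1] - TRUE_JAMMER[1])
    return est, reach, n_dark, error


if __name__ == "__main__":
    est, reach, n_dark, error = run_scenario()
    print(f"{n_dark} phones dark; jammer estimated at ({est[0]:.0f}, {est[1]:.0f}) m, "
          f"reach ~{reach:.0f} m, error {error:.1f} m")
```

On this constructed grid the centroid lands about 10 m from the true position, which is a search radius a direction-finding team can work with; the comment's point that it "could take hours" is about collecting the reachability data across a live network, not about the arithmetic.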
No - I totally get the point. But, if you are going to engage in criminal activity, the bar to your destructive behavior isn't a $650 transmitter. It's a $20 container of gasoline.
If you want to hurt people, it's pretty much impossible to stop you from doing so (or even slowing you down) - all we can do is catch you, and put you in prison after you do so so that you can't hurt more people.
I'm not suggesting we ignore security (I like SSL, and passwords on my accounts) - but we can't create a world where everyone has to treat the populace as though they are intent on creating destruction. This is the mindset of the TSA and "Search everyone, because any one of them might be carrying a bomb." At a certain point, we have to trust that the vast, vast majority of people are good.
And, in the whole scope of things, jamming an LTE radio transmission system has pretty big penalties, and very little financial payoff, and a pretty good chance of being caught. It's one of those asymmetric criminal activities that is balanced in favor of society, and against the criminal.
Where you want to put your attention in enhancing defenses, is places where there is a strong incentive to commit the crime, and less chance of being caught. Guarding against petty thieves, lots of safeguards/fraud alerts around things like credit cards, or your paypal account. That's where attention needs to be spent.
You know where it's important to spend a lot of money on counter-jamming? Life Safety systems like Nuclear Power Plants, or Plane/Car navigation systems. Where lives are on the line, I totally agree that we need to harden, harden, harden those systems. Also, SCADA systems - that control large amounts of underlying infrastructure. And the Stock Exchange. Spend a fortune on ensuring that the bad guys can't cause havoc, kill people, or create large economic damage.
Perhaps your LTE/Cellular coverage is better than mine, but I'm pretty used to having to track down a WiFi connection to get any serious work done, or make a reliable Skype call. I don't put LTE coverage in the "Mission Critical" category of infrastructure.
Also, if you are in a situation (Prison, battlefield) where the vast majority of your opponents are intent on doing you harm, you also harden the crap out of everything. And pay the price - because you need to.
But, all else equal, I'd rather have the money/resources that might have gone into putting MILSPEC anti-jamming capabilities into my LTE NIC, instead be spent on making it cost less, draw less battery, and give me more bandwidth.
Let the FCC catch the 3-5 jammers a year intent on doing harm, and put them in prison to consider the wisdom of their behavior.
I think you're arguing at cross-purposes. You are quite right in relation to crime or vandalism by a member of US society carried out for mere profit or malice. But consider the more troubling case of terrorism or similar organized attack. If one can disrupt cellular communications on a large scale parallel to an attack on physical infrastructure (eg a bomb or...), the immediate and economic damage could be significantly multiplied. Likewise, consider temporary but coordinated outages in 10 or 20 major metros. It would be difficult to catch the perpetrators but would impose considerable economic costs.
I think the key is to understand what should be considered part of our "critical infrastructure" and ensure that is reliable.
For example, when I was managing the IT organization for our company, despite the fact that everyone in the office had a cell phone, and despite the fact that they also had a VOIP phone (Polycom SoundPoint IP 501 SIP) driven off of POE connections, and we had a generator with 36 hours of diesel supplying the routers/switches that supplied those phones, every conference room had a POTS (Plain Old Telephone System) analog phone line that was cross-connected with a piece of copper at our punch-down block, directly to the 300 pair coming into our MPOE - no active electronics (on site) required. Those land lines are the critical infrastructure that needs to be defended (along with the COs backing them up).
If someone comes up with a good (cheap) attack against them, that will get my attention.
I guess another way of approaching this is: if Police/Fire/Medical organizations start relying on LTE systems, and those LTE systems become a critical part of our infrastructure for economic/infrastructure/life safety systems, then yes, we need to start focusing on hardening them.
This is my way of saying yes, when we wargame this out, we should consider "What happens if there is an extended LTE outage during a disaster, does this impact our first responders significantly? And if so, we need to take steps to protect ourselves there."
Important to note - it's highly unlikely that any group of people will be able to establish a coordinated attack on 20 major metros. That level of conspiracy would be stopped by the time planning got to the 3-5 city attack.
And that's another point - let's not spend large sums of money trying to harden the LTE system (though, reasonable investment makes sense, so the research presented is good) - but instead, let's direct those resources to tracking (and stopping) the bad guys that would do this sort of thing in the first place. That, then, protects us from all of their attacks, not just the LTE wireless system.
I agree that the primary focus should be on critical infrastructure. But an important part of asymmetrical warfare is also to cause destabilization through uncertainty. If 4G is the norm 2 years from now and older technologies are being phased out, then disrupting the cellphone network in DC during the morning rush hour, for example, is likely to set off sufficient alarms and panic reactions that the response outweighs the disrupting incident itself. When I was younger I lived in London and the IRA was still conducting a terrorist campaign of bombing civilians as well as government targets in that city. They didn't set off bombs that frequently, but they issued bomb threats against the subway network on a near-weekly basis, and of course the authorities couldn't just blow off a bomb threat, so people's day-to-day travel routines would be disrupted at least once a month as one or another subway line was threatened. Nobody dies, but over time it adds up to a significant economic drain, to say nothing of the psychological burden it inflicts on the populace.
> Important to note - it's highly unlikely that any group of people will be able to establish a coordinated attack on 20 major metros. That level of conspiracy would be stopped by the time planning got to the 3-5 city attack.
The beauty of such an attack (from an asymmetrical PoV - obviously I don't endorse such things) is that you don't have to deal with proscribed or highly controlled things like explosives. This means that the stakes are low and you can afford redundancy. If you disrupt the LTE system for an hour at a time on a random weekday using a mobile transmission source, you could probably get away with doing so for a while. Again, the public perception that even consumer information (rather than critical) infrastructure can be disrupted at some malicious actor's pleasure is an implicit win for a hostile organization or state actor.
I'm not even sure that is possible to harden a wireless system to the point where an attacker can't bring it down for many orders of magnitude less investment than what it cost to put it up in the first place. The more sophisticated the more likely it can be brought down. If you want to get through use CW (Morse) and plenty of juice.
Actually such systems can be built. I saw a demo of one based on UWB transceivers; it was a proposed replacement for the JSTARS system. The reason it worked was that 'dumb' jammers needed to raise the entire noise floor, and 'smart' radios were using singletons (single pulses of RF energy across a wide spectrum of possible frequencies), so a small transmitter could use kilowatt nanosecond pulses which always landed above the noise floor.
If I get you right this beat on the 'dumb' jammer because the power imbalance worked to the advantage of the defender: knowing when to listen for the very short pulse at high power level coming from the transmitter and ignoring its input the rest of the time other than to establish a baseline noise level, whereas the jammer would have to blanket the whole spectrum not knowing when the next pulse would be until it came?
So essentially the only way to break the system would then be to figure out ahead of time when a pulse would be transmitted and presumably the sequence of intervals between pulses was sufficiently hard to predict that this would take much longer than it took to get to the point of the next transmitted burst?
That was pretty much the way I understood it to work, I didn't get to see 'behind the curtain' sadly. Two bits of the 'secret sauce' were keying sequencing / syncing and basically a frequency agile transceiver that operated at really high frequencies across a very wide chunk of spectrum.
The claim was that the only "known" way to jam the system was to raise the noise floor to the point where the pulses could not be distinguished, and they showed a number of scenarios that didn't work.
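The exchange above (keyed pulse timing, a receiver that only opens its gate in the expected slot, and a jammer that must raise the noise floor everywhere because it cannot predict the slot) can be put into a small link-budget model. This is an added example, not the demonstrated system or anything its builders published: the HMAC-based slot derivation stands in for whatever "keying sequencing" the real radio used, and the slot count, pulse power, background noise and detection threshold are normalised constructed values chosen to make the arithmetic readable.

```python
"""Toy link-budget model of a keyed pulse-position link under two jammer models.

Constructed example. The transmitter sends one pulse per frame in a slot both
ends derive from a shared key. The receiver opens its gate only in that slot,
so it integrates jammer power from one slot, not from the whole frame.
"""
import hashlib
import hmac
from math import log10

SLOTS_PER_FRAME = 1000      # assumed: candidate pulse positions per frame
PULSE_W = 1.0               # assumed: peak pulse power, normalised
BACKGROUND_W = 1e-3         # assumed: thermal noise power seen in one gate
THRESHOLD_DB = 10.0         # assumed: SNR needed to decode a pulse


def derive_slot(key: bytes, frame: int) -> int:
    """Keyed sequencing: both ends derive this frame's slot from the shared key.
    HMAC is an assumption standing in for the real system's sequence generator."""
    tag = hmac.new(key, frame.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big") % SLOTS_PER_FRAME


def jam_power_in_slot(jammer: dict, frame: int, slot: int) -> float:
    """Jammer power that lands inside one receiver gate.

    'broadband': average power spread evenly over every slot (raises the floor).
    'predictive': all power into the one slot derived from whatever key the
    jammer holds; only a correct key puts it into the receiver's gate.
    """
    if jammer is None:
        return 0.0
    if jammer["kind"] == "broadband":
        return jammer["power_w"] / SLOTS_PER_FRAME
    if jammer["kind"] == "predictive":
        return jammer["power_w"] if derive_slot(jammer["key"], frame) == slot else 0.0
    raise ValueError(f"unknown jammer kind {jammer['kind']!r}")


def snr_db(signal_w: float, noise_w: float) -> float:
    return 10 * log10(signal_w / noise_w)


def decoded_frames(tx_key: bytes, rx_key: bytes, jammer, frames: int = 200) -> int:
    """Count frames the gated receiver decodes.

    The receiver sees the pulse only if its key matches the transmitter's, and
    sees only the jammer power that falls inside its single open gate.
    """
    ok = 0
    for frame in range(frames):
        rx_slot = derive_slot(rx_key, frame)
        signal = PULSE_W if derive_slot(tx_key, frame) == rx_slot else 0.0
        noise = BACKGROUND_W + jam_power_in_slot(jammer, frame, rx_slot)
        if signal > 0 and snr_db(signal, noise) >= THRESHOLD_DB:
            ok += 1
    return ok


def denial_power_w(kind: str) -> float:
    """Average jammer power needed to push every gate below the decode threshold.
    Spreading over all slots costs SLOTS_PER_FRAME times more than hitting the
    right slot, which is the processing gain the keyed timing buys the defender."""
    per_slot_needed = PULSE_W / 10 ** (THRESHOLD_DB / 10) - BACKGROUND_W
    return per_slot_needed * (SLOTS_PER_FRAME if kind == "broadband" else 1)


if __name__ == "__main__":
    # Constructed keys; the "wrong" key models a jammer or receiver without the secret.
    key, wrong = b"shared-link-key", b"guess"
    print("clean link:", decoded_frames(key, key, None))
    print("10 W broadband:", decoded_frames(key, key, {"kind": "broadband", "power_w": 10.0}))
    print("200 W broadband:", decoded_frames(key, key, {"kind": "broadband", "power_w": 200.0}))
    print("10 W predictive, wrong key:",
          decoded_frames(key, key, {"kind": "predictive", "power_w": 10.0, "key": wrong}))
    print("10 W predictive, key compromised:",
          decoded_frames(key, key, {"kind": "predictive", "power_w": 10.0, "key": key}))
    print("unsynchronised receiver:", decoded_frames(key, wrong, None))
    print(f"denial power: broadband {denial_power_w('broadband'):.1f} W, "
          f"predictive {denial_power_w('predictive'):.3f} W")
```

With these constants a broadband jammer needs 1000 times (30 dB) more average power than one that knows the slot, which is the asymmetry the comments describe; the model also makes the flip side visible: the link's resistance rests entirely on the slot sequence staying unpredictable, so key handling and sequence quality are where a defender's attention belongs.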
> Important to note - it's highly unlikely that any group of people will be able to establish a coordinated attack on 20 major metros. That level of conspiracy would be stopped by the time planning got to the 3-5 city attack.
It's trivial to do. Make a bunch of jammers on timers, and plant them around dozens of major cities at your leisure. One disaffected person working alone could do it.
P.S. Magnetrons are tunable by simply changing the magnets, and microwave ovens can be had for $20 apiece if you buy in large quantity. It does not cost $650 to make a very powerful jammer.
> I don't put LTE coverage in the "Mission Critical" category of infrastructure.
The problem here is that officials are considering using LTE for communication between emergency responders. And that would make LTE very much "mission critical".
I think if you are doing a terrorist attack then FCC fines probably are least of your concerns.
The authors are obviously not worried about some kids doing a prank with jammers or anything like that. They are worried that criminals would use jammers to execute their crimes.
I see the fact that you don't ever hear of people doing this, or chucking things into substations or off roadbridges and so on, as the ultimate evidence that international terrorist networks, to a first approximation, do not exist.
If there really were highly organised terrorists everywhere plotting against us, wreaking substantial havoc across society would be pretty easy for them. The actual attacks that do occasionally happen are more in line with politically irrelevant rogue lunatics, placing grandiosity over efficacy.
Terrorists try to create fear and have a major impact on the populace, most often through bombings and death. Jamming a small (for now) part of our communications infrastructure could be a major detriment to people functioning but no one will fear for their lives.
That does not preclude, however, a Gotham city like scenario where an organization just makes a ton of stuff go wrong all at the same time.
I agree with your first point because if you were to do a cursory glance at what could efficiently kill us in biology you would see how little effort is actually required. Anyone with a little knowledge could pull off a devastating attack using just DMSO and a few toxic compounds.
Would it not induce terror if Al Qaeda started interfering with vast swaths of people's daily lives?
Power keeps going out for a few hours, cell phones go down at the same time, water is shut down because of bacterial contamination.. People wouldn't directly die, but living in a less stable environment is going to worry people.
It's pretty inexpensive to buy a laser you can shoot at a helicopter or airplane, temporarily blinding the pilot.
With no equipment whatsoever, you can go to your local grocery store and start opening bottles of cooking oil and dumping them on the floor. Besides costing the store money in lost inventory and cleanup, you can easily cause hundreds of thousands of dollars worth of damage in medical costs from people slipping on the oil.
You can also buy a cheap car for around $700 and use it to start running down pedestrians.
What all of these have in common is that they are inexpensive and easy to do, they are virtually impossible to defend against, and they leave the perpetrator holding the bag. And the bag I'm talking about is huge and glowing. It has big flashing neon letters on it that alternate "I'M THE HUGE ASSHOLE YOU'RE LOOKING FOR!" and "COME ARREST ME!"
Look at it that way, and this hardly even seems like news. It's just another addition to the staggeringly long list of easy ways to disrupt society that have near 100% odds of landing you in jail.
For contrast: http://en.wikipedia.org/wiki/2007_Boston_bomb_scare There nobody was trying to be an asshole (or failed to appreciate how their little art project would be interpreted), but by putting it near a prominent transit artery it wound up being significantly disruptive due to the resulting anxiety.
A key difference from your examples is that they're all localized, and the effects don't ripple very far. Another is that they're easily explicable - some violent person vandalizing a store or mowing people down in a car is frightening but also easily comprehensible. The litebrite bomb scare described above didn't involve any actual attack, but the confusion led many people to imagine the worst.
I'm confused. Are you saying that the media sensationalism surrounding fear of terrorism is simply accidental, and that the government has just naively bought into it and reacted accordingly?
Because if so, no, I don't think that's an adequate explanation. Obviously not malice, but just greed. The media is greedy and likes to air stories that sell, even if they are irresponsible. Politicians and government agencies are greedy for power and know that taking advantage of people's fear of terrorism is an easy way to grab that power. It's not evil for the sake of evil; it's evil for the sake of money and political gain.
But you'll have to start running pretty fast, as it is very easy to pinpoint the exact location of the sender/jammer. This is also true for any network, not just LTE. WiFi, GSM, HSDPA, etc. Many military vehicles have jammers like this to block mobile connectivity in order to prevent IEDs.
Sure, if you're expecting the attack. But most areas aren't expecting such an attack, so when you do, then as long as they turn it off in time and run away, the authorities probably won't be able to mobilize in time to take the measures to find the source.
This would change if it started to become a common occurrence.
I can see two problems with disabling communications city-wide with such an approach. First - any cell phone not in line-of-sight with the jammer is not going to be disabled. And second - the FCC and network ops would locate the jammer and disable it.
To make this attack successful, one needs to put the transmitter sufficiently high, and make it mobile. Flying it on a conventional airplane wouldn't work, because the air force, FAA and police would be on such a high-profile case in no time. Flying it on a UAV RC helicopter could be a solution, but given the weight of the transmitter, antenna and fuel, that makes the resulting setup rather heavy and expensive to make and operate - well above 10k. A large tethered balloon also wouldn't work, because it would be spotted in no time.
All in all, this attack just wouldn't work city-wide.
Unrelated, but why can't I pinch zoom on bgr.com's site? They must be serving up a mobile version. I really wish these sites would just serve up the normal non-mobile version.
Governments are more likely to use something like this. For example, to block an area (protesters) from communicating with the outside, sharing photos or videos that might be damaging, etc.
This is dangerously close to the point where a shiny new EA-18G Growler from NAS Patuxent River will track down whoever is using such a device. Even though the EA-18 crew probably won't shoot at the rogue transmitter, they can still pinpoint the exact location. Unlike a more typical FCC investigator using a radio direction finder, the EA-18 is quite fast, both getting there and searching.
The EA-18 is capable of working around cell towers for locating phones in the area.