On Practical Selective Jamming of Bluetooth Low Energy Advertising


On Practical Selective Jamming of Bluetooth Low Energy Advertising S. Brauer, A. Zubow, S. Zehl, M. Roshandel, S. M. Sohi Technical University Berlin & Deutsche Telekom Labs Germany

Outline
- Motivation
- Problem Statement
- System Model
- Bluetooth LE Advertising Primer
- Proposed Jamming Solution
- Evaluation
- Countermeasures
- Conclusion & Future Work

Motivation
- The Bluetooth Low Energy (BLE) protocol stack gave rise to a whole new class of devices: BLE beacons.
- Beacons are small, often battery-powered devices that continuously broadcast information using the BLE Advertising process.
- Despite their limited functionality they can be used to implement complex services, e.g.:
  - Targeted advertisement
  - Mobile payment authentication (e.g. PayPal)
  - Indoor navigation

Motivation (II)
- BLE beacons have seen a steady rise in popularity: 72% of all retailers are expected to have beacon technology installed by 2019. Hence the security of BLE beacons is worth investigating.
- BLE is prone to jamming attacks like any wireless technology.
- The purpose of this work is to discuss the risk of such a jamming attack on BLE beacons.
- Common definition of risk: Risk = Likelihood x Impact

Problem Statement
We devised five criteria to evaluate the risk of a jammer:
- Jamming success (impact)
- Energy efficiency (impact)
- Cost (likelihood)
- Possible countermeasures/detection methods (likelihood & impact)
- Ability to selectively jam targets (impact)
Can we build a jammer that is optimized for these criteria, i.e. a low-cost, energy-efficient selective jammer?

System Model
We consider the basic scenario consisting of:
- A BLE beacon source emitting BLE advertisement packets
- A receiver which performs passive scanning for BLE adv. packets
- A single jammer node
Figure: the jammer senses the beacon source at distance d_sj and interferes with the receiver at distance d_jr; the distance between beacon source and receiver is d_sr.

Bluetooth LE Advertising Primer
- BLE operates in the 2.4 GHz ISM band
- Bit rate: 1 Mbit/s -> 1 bit = 1 µs air time
- 40 channels, 2 MHz each (see the channel map on the slide)

Bluetooth LE Advertising Primer (II)
- Advertising channels: channels 37, 38 and 39 (highlighted in yellow in the channel map)
- The advertising channels are spread across the spectrum to avoid interference (Wi-Fi)
- Advertising uses a frequency hopping scheme to improve robustness, i.e. a beacon is transmitted on different adv. channels

Bluetooth LE Advertising Primer (III)
- Advertising takes place at a regular interval advInterval (> 20 ms) with an added pseudo-random delay advDelay (between 0.625 ms and 20 ms) for collision avoidance.
Figure: timeline of advertising events after the advertising state is entered; consecutive events are spaced by T_advEvent = advInterval + advDelay.
- Note: during each Advertising Event the beacon is transmitted on all (!) three advertising channels.

Bluetooth LE Advertising Primer (IV)
- During each Advertising Event a beacon hops through all used advertising channels (mostly all 3) in ascending order.
Figure: one advertising event, from "advertising event entered" to "advertising event closed": ADV_IND on Adv_idx = 37, then Adv_idx = 38, then Adv_idx = 39, with at most 10 ms between consecutive packets.
- Two subsequent advertising packets within one Adv. Event must be less than 10 ms apart. A minimum time is not specified.

Bluetooth LE Advertising Primer (V)
Basic BLE framing:
- Preamble + Access Address are used as correlation code
- No Forward Error Correction (FEC), so every bit error results in a corrupted packet (detected using the CRC)

Jammer Design Principles
- We use commercial off-the-shelf (COTS) hardware that is BLE capable
  - Minimizes the cost
  - This hardware is often already optimized for low energy consumption
- To save energy we employ a narrow-band jamming scheme with frequency hopping
  - Doesn't waste energy on unused bandwidth
  - Makes our jammer harder to detect
- The duration of the jamming signal can be kept at a minimum (no FEC in BLE)

Proposed Jamming Solution
Selective, reactive narrow-band jammer:
- Because we can only jam a single BLE channel at a time (-> narrow-band), fast channel hopping has to be applied
- The jammer is pre-programmed using an API, with two options:
  - White list or black list of device addresses to be jammed
  - Configuration of the BLE adv. channels being used

Proposed Jamming Solution (II)
The jammer consists of two components:
1. Detection: the jammer decodes packets on-the-fly to decide, based on the device address, whether to jam this particular packet
2. Jamming: on successful detection the jammer emits a short jamming signal

Selective, Reactive Narrow-band Jammer
Figure: FSM of the jammer with all 3 Adv channels used. States: Listen CH37 -> Jamming CH37 -> Listen CH38 -> Jamming CH38 -> Listen CH39 -> Jamming CH39. Transitions are labelled "BTAddr match" (address in the black list, or not in the white list) from a Listen state to the Jamming state of the same channel, "channel switch" and "finished" from a Jamming state onward, and "timeout (10mus)" between Listen states.

Implementation Details
Jammer node: RedBearLab BLE Nano devkit, equipped with a Nordic nRF51822 SoC and an integrated antenna
- The nRF51822 has a BLE-capable transceiver
- Max TX power: +4 dBm
- Cheap: ca. 20
- Fast turn-around time (time needed to switch from receiving to transmitting): 140 µs
- Easily programmable

Evaluation Methodology
- Primary performance metric is the Advertising Success Rate:
  ASR = (# correctly received BLE adv. events) / (total number of transmitted BLE adv. events)
- Objective: minimize ASR, i.e. ASR = 0 is perfect jamming.
- Another metric is the area covered by the jammer: the spatial area around the jammer with ASR < τ
Figure: experiment setup with the sensing distance d_sj (jammer to beacon source), the interference distance d_jr (jammer to receiver) and d_sr (beacon source to receiver).

Evaluation Methodology (II)
- Receiver: optimal receiver, i.e. a dedicated RF receiver (BLE Nano) for each BLE Adv. channel. Every packet is logged (including packets with CRC errors) using the Nordic Sniffer and written to a PCAP file for post-analysis in MATLAB.
- Sender: commercial beacon (Gigaset G-Tag) with an adv. interval of 1 sec, using all 3 Adv. channels

Evaluation Methodology (III)
We set up an outdoor experiment:
- Beacon source, jammer and receiver are put on a line, elevated by 1 m from the ground (grass field)
- The distance between beacon source and receiver was set to d_sr = 3.7 m
- The distance between the jammer and the receiver (d_jr) was varied from 1 to 10 meters
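The ASR computation described in the evaluation slides, as an added example that is not part of the paper or its MATLAB analysis: it groups sniffer log entries into advertising events using the "less than 10 ms apart, ascending channel" rule from the advertising primer and counts an event as received if any of its packets passed the CRC. The log format, address and timestamps are constructed for this example; a real Nordic Sniffer capture is a PCAP file and would need a pcap parser first.

```python
from collections import defaultdict

# Constructed sample log (not real sniffer output), one packet per line:
# "<time_us> <channel> <adv_addr> <crc_ok>". Two advertising events from one
# beacon, 1 s apart. In the second event the CH37/CH38 packets fail the CRC
# and the CH39 packet never arrives, so that event counts as lost.
SAMPLE_LOG = """\
1000000 37 aa:bb:cc:dd:ee:ff 1
1000380 38 aa:bb:cc:dd:ee:ff 1
1000760 39 aa:bb:cc:dd:ee:ff 1
2003200 37 aa:bb:cc:dd:ee:ff 0
2003580 38 aa:bb:cc:dd:ee:ff 0
"""

EVENT_GAP_US = 10_000  # packets within one event are < 10 ms apart

def parse_log(text):
    """Yield (time_us, channel, addr, crc_ok) tuples from the log text."""
    for line in text.splitlines():
        t, ch, addr, ok = line.split()
        yield int(t), int(ch), addr, ok == "1"

def group_events(packets):
    """Group each address's packets into advertising events.

    A packet joins the current event only if it arrives less than
    EVENT_GAP_US after the previous packet of that address and on a higher
    channel index (ascending 37 -> 38 -> 39); otherwise a new event starts."""
    events = defaultdict(list)  # addr -> list of events (lists of packets)
    for t, ch, addr, ok in sorted(packets):
        evs = events[addr]
        last = evs[-1][-1] if evs else None
        if last and t - last[0] < EVENT_GAP_US and ch > last[1]:
            evs[-1].append((t, ch, ok))
        else:
            evs.append([(t, ch, ok)])
    return events

def advertising_success_rate(events, expected_events):
    """ASR = events with >= 1 CRC-valid packet / events transmitted.

    expected_events comes from the beacon's configured interval and the
    capture duration, because a fully jammed event leaves no log entry."""
    received = sum(1 for e in events if any(ok for _, _, ok in e))
    return received / expected_events

if __name__ == "__main__":
    evs = group_events(parse_log(SAMPLE_LOG))["aa:bb:cc:dd:ee:ff"]
    print(f"ASR = {advertising_success_rate(evs, 2):.2f}")  # 0.50
```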

Results
- At d = 76 cm the ASR is zero, i.e. the jammer successfully jams each BLE adv. frame transmitted on each channel (37, 38 and 39)
- At d = 100 cm the ASR is 3%
- Note: the TX power of the jammer was just 4 dBm

Countermeasures
We can divide countermeasures into two categories:
1. Attack Detection: detect the presence of the jammer to allow further actions to be taken, e.g. removal of the jammer. Approach: decoy packets & k-means clustering.
2. Attack Mitigation: actions that limit the impact of the jammer.

Countermeasures: Attack Mitigation
- Use random channel hopping: our jammer cannot adapt to a random hopping pattern, i.e. adv. channels used in random order. But, we can use three jammer nodes, each configured to listen on a particular channel => no hopping required.
- Use randomized device addresses for BLE beacons.
- Use short BLE frames: our jammer's ability to jam is limited by its reaction time, i.e. 174 µs => it needs BLE payloads > 19 bytes. But, the two most popular beacon protocols, iBeacon and Eddystone, both have larger payloads.
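A possible realisation of the "decoy packets & k-means clustering" detection idea from the countermeasures slides, added here as example code that is not from the paper. It assumes a monitoring receiver that measures per-address ASR over a time window and a beacon network that also advertises under decoy addresses the real service never uses; the clustering threshold and the address values are constructed assumptions.

```python
def kmeans_1d(values, iterations=20):
    """Two-cluster k-means on scalars; returns (low_centroid, high_centroid)."""
    lo, hi = min(values), max(values)
    for _ in range(iterations):
        low = [v for v in values if abs(v - lo) <= abs(v - hi)]
        high = [v for v in values if abs(v - lo) > abs(v - hi)]
        new_lo = sum(low) / len(low) if low else lo
        new_hi = sum(high) / len(high) if high else hi
        if (new_lo, new_hi) == (lo, hi):
            break
        lo, hi = new_lo, new_hi
    return lo, hi

def classify(asr_by_addr, decoys, min_gap=0.5):
    """Classify a measurement window as 'none', 'selective' or 'unselective'.

    asr_by_addr: per-address ASR observed by the monitor in the window.
    decoys: addresses used only by decoy advertisements.
    min_gap: centroid separation below which the two clusters are not
             distinct (0.5 is an assumed value, to be tuned on clean captures)."""
    lo, hi = kmeans_1d(list(asr_by_addr.values()))
    if hi - lo < min_gap:
        # One indistinct cluster: either everything is healthy or everything
        # is suppressed alike (broadband interference, not address-selective).
        return "unselective" if hi < min_gap else "none"
    low_cluster = {a for a, v in asr_by_addr.items()
                   if abs(v - lo) <= abs(v - hi)}
    # An address-keyed jammer hits the real addresses and leaves decoys alone;
    # if decoys also sit in the low-ASR cluster the cause is not selective.
    return "selective" if not (low_cluster & decoys) else "unselective"

# Constructed sample window (not measured data): two production beacon
# addresses and two decoy addresses monitored over the same interval.
SAMPLE_ASR = {
    "aa:bb:cc:00:00:01": 0.02, "aa:bb:cc:00:00:02": 0.05,   # real beacons
    "de:c0:11:00:00:01": 0.97, "de:c0:11:00:00:02": 0.99,   # decoys
}
DECOYS = {"de:c0:11:00:00:01", "de:c0:11:00:00:02"}

if __name__ == "__main__":
    print(classify(SAMPLE_ASR, DECOYS))  # selective
```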

Conclusions & Future Work
- Can we build a low-cost, energy-efficient selective BLE jammer? Yes, we can (with some limitations).
- Due to the low effort necessary, potential victims should anticipate jamming attacks, especially if they have a commercial interest in their beacon network (e.g. retailers).
- Ongoing research: how to deal with BLE beacons whose device addresses are randomized.