[Dshield] Blaster / Power Outages Follow up

Kenneth Coney superc at visuallink.com
Fri Sep 5 17:17:55 GMT 2003

Durn it.  I was hoping mine was the only mind that thought of that 
particular scenario.  Actually it's not that bad outside of the cities.

As you say, antenna wavelength, construction, shielding and SWR become 
critical for the operator holding it.  :)

Also you forgot about the cube of the distance rule.  There might be 1K 
watts at source, but if the transmission source is a half mile or more away 
and the antenna is omnidirectional (who is the volunteer manning this 
device?) the received power is a whole lot less.

We can see a real world example of this in the CB world.  Normal 4 watt CBs 
have a half to two mile range; putting an illegal amplifier (amp) on your 
rig can give you much greater range.  Many Interstate truckers use them so 
they can get live warnings about road conditions 5 - 10 or even 20 miles 
away on the busiest of channels (19).  Although the most common size is 
about 150 - 350 watts, illicit 500 W to one kW transmitters on CB radios 
are not uncommon and easy enough to fabricate (vehicle alternator size 
becomes an issue, as the big rigs can suck some amperage and noticeably dim 
your headlights or even stall your engine when operating if your vehicle's 
generator is small), and while they get good reach and temporarily overload 
other radio receivers nearby, transceivers a mile or more away often 
continue to function normally.  9999 times out of 10000, when the big rig 
operator stops talking, the radio in the truck right next to him comes right 
back to life with no discernible damage.  I know, if you measured its 
performance in a lab before and after the experience you would eventually 
detect some degradation in signal sensitivity.  But not enough for the 
owner to notice.  After four or five years of this the owners eventually 
notice some degradation of sensitivity and either swap out some resistors 
or replace the transceiver with a new one.

The hazards are greater for the operator running the illegal amp, as if the 
length of his antenna is wrong a standing wave will run out of room and 
literally pick a place to burn its way out.  Usually either by frying a 
front end resistor (at which point the radio goes dead until a new resistor 
is soldered in), by arcing through the not so shielded antenna cable (good 
cable to body chassis sparks can be viewed when this happens), by cooking 
the antenna to toast if it is a fiberglass one, or by altering its 
properties so nearby AM/FM radios suddenly start hearing the CB talk.

What happens when the illegal amplifier runs in a home?  If the antenna is 
wrong and frequency control is poor, splatter will result and the neighbors 
complain about hearing the talker on their television.  Granted, these are 
the effects at 27 megacycles and you are talking about 2.5 gigs.

The device you describe would be most damaging if the device is very close 
to the receiver.  A hammer would be faster and cheaper.  (Good physical 
security of the facility comes to mind, with controlled parking lots as a 
deterrent.)  Otherwise its effects would only be noise/static on the band.  
You can jam with static and noise, although there are ways of filtering it, 
and doing so becomes easier the further away from the source.  Squelching 
comes to mind in the analog world.  In the digital world some packets would 
probably be lost and the effect would probably be like trying to watch 
satellite television during a storm.  If all your target receivers were in 
one building you could probably jam most by putting your device in a room 
of the building.  Sooner or later building maintenance would probably 
notice it though, especially if you goofed on the antenna and things start 
to smoke.  But if your targets were spread around a city, you would need 
hundreds or thousands of your oven jammers operating before anyone even 
noticed an overall effect.

This is a lot like someone else's paper a few years ago on trying to see 
stealth bombers coming by looking for lost and degraded cell phone signals.  
Sounds plausible, but it doesn't work well enough to be usable.
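As an added worked example, not taken from either post in this thread, here is the link budget behind the distance argument above: how much of a 1 kW omnidirectional 2.45 GHz source actually arrives at a Wi-Fi receiver half a mile away, compared with the wanted signal from a nearby access point. It uses the free-space (Friis) model plus a log-distance path-loss exponent to stand in for clutter; every number in it (1 kW source, 100 mW access point, 30 m and half-mile distances, the exponents tried) is an assumption chosen for illustration, not a measurement.

```python
# Added example (not part of the original thread): a link-budget sketch for
# the "oven jammer" scenario.  All numbers (1 kW source, 100 mW access
# point, 30 m and half-mile distances, path-loss exponents) are assumptions
# chosen for illustration only.
import math

C_M_PER_S = 299_792_458.0          # speed of light, m/s
WIFI_HZ = 2.45e9                   # 2.4 GHz band; also the oven magnetron frequency
HALF_MILE_M = 804.672              # "half a mile or more away" from the post


def fspl_db(dist_m: float, freq_hz: float) -> float:
    """Free-space (Friis) path loss between isotropic antennas, in dB."""
    return 20.0 * math.log10(4.0 * math.pi * dist_m * freq_hz / C_M_PER_S)


def path_loss_db(dist_m: float, freq_hz: float, exponent: float = 2.0,
                 ref_m: float = 1.0) -> float:
    """Log-distance path loss: Friis out to ref_m, then 10*n*log10(d/ref).

    exponent=2 reproduces free space; 3..4 are commonly quoted for obstructed
    or urban clutter (assumed here, not measured for any real site).
    """
    if dist_m < ref_m:
        raise ValueError("distance must be >= reference distance")
    return fspl_db(ref_m, freq_hz) + 10.0 * exponent * math.log10(dist_m / ref_m)


def received_dbm(tx_dbm: float, dist_m: float, freq_hz: float = WIFI_HZ,
                 tx_gain_dbi: float = 0.0, rx_gain_dbi: float = 0.0,
                 exponent: float = 2.0) -> float:
    """Received power in dBm for a transmitter, distance and path-loss exponent."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - path_loss_db(dist_m, freq_hz, exponent)


def loss_per_doubling_db(exponent: float) -> float:
    """Extra loss each time distance doubles: ~6 dB for n=2, ~9 dB for n=3."""
    return 10.0 * exponent * math.log10(2.0)


def signal_to_jammer_db(ap_dbm: float, ap_dist_m: float,
                        jammer_dbm: float, jammer_dist_m: float,
                        jammer_exponent: float = 2.0) -> float:
    """Wanted-signal-to-jammer ratio at the receiver, in dB.

    The access point is assumed to have a clear path (exponent 2); the
    jammer's path takes the caller's exponent so clutter can be explored.
    A negative result means the jammer is stronger than the wanted signal.
    """
    wanted = received_dbm(ap_dbm, ap_dist_m)
    jam = received_dbm(jammer_dbm, jammer_dist_m, exponent=jammer_exponent)
    return wanted - jam


if __name__ == "__main__":
    ap_dbm, ap_dist = 20.0, 30.0       # 100 mW access point, 30 m from the receiver
    jam_dbm = 60.0                     # 1 kW oven magnetron, omnidirectional (0 dBi)
    print(f"1 kW source at half a mile, free space: "
          f"{received_dbm(jam_dbm, HALF_MILE_M):.1f} dBm at the receiver")
    print(f"100 mW AP at 30 m, free space: "
          f"{received_dbm(ap_dbm, ap_dist):.1f} dBm at the receiver")
    for n in (2.0, 2.5, 3.0):
        sjr = signal_to_jammer_db(ap_dbm, ap_dist, jam_dbm, HALF_MILE_M, n)
        print(f"jammer path exponent {n}: S/J at receiver = {sjr:+.1f} dB")
```

With a clear line of sight (exponent 2) the half-mile source still lands roughly 11 dB above the wanted signal in this model, so distance alone is not the whole story; raising the jammer path exponent to 3, which is the kind of value quoted for built-up terrain, swings the ratio to about +18 dB in the access point's favour. That sensitivity to the exponent is why the same device can look decisive in a parking lot and irrelevant a few blocks away.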

Subject: RE: [Dshield] Blaster / Power Outages Follow up
From: "Bernie, CTA" <cta at hcsin.net>
Date: Thu, 04 Sep 2003 20:15:16 -0400
To: "'General DShield Discussion List'" <list at dshield.org>
CC: Andre Ludwig <ALudwig at Calfingroup.com>

How true. Now we need to expose the vulnerabilities in the
wireless telemetry and data acquisition topology utilized in the
monitoring subsystems employed in control systems of the Power,
Water, Gas generation/processing and distribution
infrastructures. While some of the radios utilize proprietary
protocols, most are based on 802.11b/g and operate in the
microwave spectrum. Nonetheless, these wireless systems /
transceivers are vulnerable to DoS/availability and integrity
attacks, which could be accomplished using a home-made portable
high power pulse mode microwave jamming device constructed from
components of a standard microwave oven.

Microwave ovens are tuned to operate at 2450 MHz, and can be
heterodyned to produce pulses of between 900 and 1200 MHz,
covering the old 802.11b spectrum and other wireless devices.
However, with just a bit of hacking your trusty popcorn maker
has enough killing power (500 W to 1000 W typically) to take out
most 802.11g receivers.  Such a threat can destroy receiver input
amplifiers, degrade the integrity of data or at minimum impede
its flow.

I wrote a theoretical paper about 12 or so years ago, on such a
security threat concerning jamming of Tactical Air Navigation
"TACAN" systems used for aircraft navigation in the US using a
modified radar magnetron (available from Army Navy surplus) and
waveguide to pierce the 962 - 1213 MHz operating frequency
range. Consequently, safeguards have yet to be erected.

Ok, there is a down side to building one of these jammers. That
is, if your antenna (waveguide) is improperly designed or tuned,
and/or your electron ejection methodology fails to blast the
little critters from the magnetron's cathode, well then your
body parts might fry.

Still, I am sure we will see these jammers developed and
deployed. For those of us in security engineering, our problem
becomes how we can prevent, divert or abate an attack, or
otherwise mitigate the effects of the potential threat to the
integrity or availability of wireless data communications due to
the inherent vulnerability of WiFi.

On 4 Sep 2003 at 12:28, Andre Ludwig wrote:

 >> Guess we were right all along.
 >> Andre Ludwig, CISSP
