[Dshield] Blaster / Power Outages Follow up
superc at visuallink.com
Fri Sep 5 17:17:55 GMT 2003
Durn it. I was hoping mine was the only mind that thought of that
particular scenario. Actually it's not that bad outside of the cities.
As you say, antenna wavelength, construction, shielding and SWR become
critical for the operator holding it. :)
Also you forgot about the cube of the distance rule. There might be 1K
watts at source, but if the transmission source is a half mile or more away
and the antenna is omnidirectional (who is the volunteer manning this
device?) the received power is a whole lot less.
We can see a real world example of this in the CB world. Normal 4 watt CBs
have a half to two mile range; putting an illegal amplifier (amp) on your
rig can give you much greater range. Many Interstate truckers use them so
they can get live warnings about road conditions 5 - 10 or even 20 miles
away on the busiest of channels (19). Although the most common size is
about 150 - 350 watts, illicit 500 W to 1 kW transmitters on CB radios
are not uncommon and easy enough to fabricate (vehicle alternator size
becomes an issue as the big rigs can suck some amperage and noticeably dim
your headlights or even stall your engine when operating, if your vehicle's
generator is small) and while they get good reach and temporarily overload
other radio receivers nearby, transceivers a mile or more away often
continue to function normally. 9999 times out of 10000 when the big rig
operator stops talking the radio in the truck right next to him comes right
back to life with no discernible damage. I know, if you measured its
performance in a lab before and after the experience you would eventually
detect some degradation in signal sensitivity. But not enough for the
owner to notice. After four or five years of this the owners eventually
notice some degradation of sensitivity and either swap out some resistors
or replace the transceiver with a new one. The hazards are greater for the
operator running the illegal amp as if the length of his antenna is wrong a
standing wave will run out of room and literally pick a place to burn its
way out. Usually either by frying a front end resistor (at which point the
radio goes dead until a new resistor is soldered in) or by arcing through
the not so shielded antenna cable (good cable to body chassis sparks can be
viewed when this happens), or by cooking the antenna to toast if it is a
fiberglass one, or by altering its properties so nearby AM/FM radios
suddenly start hearing the CB talk. What happens when the illegal
amplifier runs in a home? If the antenna is wrong and frequency control is
poor, splatter will result and the neighbors complain about hearing the
talker on their television. Granted, these are the effects at 27 megacycles
and you are talking about 2.5 gigs.
The device you describe would be most damaging if the device is very close
to the receiver. A hammer would be faster and cheaper. (Good physical
security of the facility comes to mind, with controlled parking lots as a
deterrent.) Otherwise its effects would only be noise/static on the band.
You can jam with static and noise although there are ways of filtering it
and doing so becomes easier the further away from the source. Squelching
comes to mind in the analog world. In the digital world some packets would
probably be lost and the effect would probably be like trying to watch
satellite television during a storm. If all your target receivers were in
one building you could probably jam most by putting your device in a room
of the building. Sooner or later building maintenance would probably
notice it though, especially if you goofed on the antenna and things start
to smoke. But if your targets were spread around a city, you would need
hundreds or thousands of your oven jammers operating before anyone even
noticed an overall effect.
This is a lot like someone else's paper a few years ago on trying to see
stealth bombers coming by looking for lost and degraded cell phone signals.
Sounds plausible, but it doesn't work well enough to be usable.
Subject: RE: [Dshield] Blaster / Power Outages Follow up
From: "Bernie, CTA" <cta at hcsin.net>
Date: Thu, 04 Sep 2003 20:15:16 -0400
To: "'General DShield Discussion List'" <list at dshield.org>
CC: Andre Ludwig <ALudwig at Calfingroup.com>
How true. Now we need to expose the vulnerabilities in the
wireless telemetry and data acquisition topology utilized in the
monitoring subsystems employed in control systems of the Power,
Water, Gas generation/processing and distribution
infrastructures. While some of the radios utilize proprietary
protocols, most are based on 802.11b/g and operate in the
microwave spectrum. Nonetheless, these wireless systems /
transceivers are vulnerable to DOS/availability and integrity
attacks, which could be accomplished using a home-made portable
high power pulse mode Microwave jamming device constructed from
components of a standard microwave oven.
Microwave ovens are tuned to operate at 2450 MHz, and can be
heterodyned to produce pulses of between 900 to 1200 MHz,
covering the old 802.11b spectrum and other wireless devices.
However, with just a bit of hacking your trusty popcorn maker
has enough killing power (500w to 1000w typically) to take out
most 802.11g receivers. Such a threat can destroy receiver input
amplifiers, degrade the integrity of data or at minimum impede
I wrote a theoretical paper about 12 or so years ago, on such a
security threat concerning jamming of Tactical Air Navigation
"TACAN" systems used for aircraft navigation in the US using a
modified radar magnetron (available from Army Navy surplus) and
waveguide to pierce the 962 - 1213 Mhz operating frequency
range. Consequently, safeguards have yet to be erected.
Ok, there is a down side to building one of these jammers. That
is, if your antenna (waveguide) is improperly designed or tuned,
and/or your electron ejection methodology fails to blast the
little critters from the magnetron's cathode, well then your
body parts might fry.
Still, I am sure we will see these jammers developed and
deployed. For those of us in security engineering, our problem
becomes how can we prevent, divert or abate an attack, or
otherwise mitigate the effects of the potential threat to the
integrity or availability of wireless data communications due to
the inherent vulnerability of WiFi.
On 4 Sep 2003 at 12:28, Andre Ludwig wrote:
>> Guess we were right all along.
>> Andre Ludwig, CISSP