Carriers Everywhere

WiFi / Jamming

Recently, I came across Mathy Vanhoef’s amazing work on advanced WiFi attacks. He modified the firmware of off-the-shell WiFi cards from Atheros to implement constant and reactive jamming.

Fortunately, Mathy released the code under an Open Source license and even prepared a VM with everything pre-installed. The firmware modifications are compatible with three different types of WiFi cards, two out of which are available on Amazon and Ebay. Of all things, the only card that supports both the 2.4GHz band and the 5GHz band seems to be very hard to get.

To implement reactive jamming he had to use a little trick: The WiFi card consists of a transceiver chip and micro controller. When the transceiver receives a frame it writes it to memory that is shared with the micro controller. For reactive jamming, firmware of the micro controller is changed to busy wait for decoded data from the transceiver.

Once the first bytes are decoded, the firmware matches fields like the frame type or the MAC address to predefined patterns. If the frame is supposed to be jammed, the firmware aborts reception and triggers transmission of an interfering frame, jamming the signal.

Of course, there is some delay between detection of the frame to sending the jam signal. And, in fact, it turns out to be too high to jam, for example, acknowledgment frames (ACKs). Anyhow, I found it pretty amazing that it is possible in the first place. Furthermore, if you have fixed sized frames, it is possible to work around the limitation by detecting the data frame and delaying the jam signal until the ACK is sent. That worked surprisingly well.

Mathy Vanhoef and Frank Piessens, “Advanced Wi-Fi Attacks Using Commodity Hardware,” Proceedings of 30th Annual Computer Security Applications Conference (ACSAC 2014), New Orleans, LA, December 2014, pp. 256-265. [DOI, BibTeX, Details…]