
Jonathan Andersson, attacking IoT with SDR pacsec 2015 english

PacSec 2015 speaker

Published in: Internet

  2. 2. Attacking The Internet of Things with Software Defined Radio Jonathan Andersson Research Group Manager HP (Trend Micro) TippingPoint DVLabs
  3. 3. About Me
      - 20 years of experience in software development, electronic design, FPGA & PCB design, reverse engineering
      - My first computer: [illegible]
      - Domain expertise: embedded systems; optics & pattern recognition systems; information security; image processing; real-time transaction processing; USB storage & media card technology; vulnerability & malware analysis; solar technology; product development & manufacturing; vehicle diagnostic technology; credit card & check processing; mobile & wireless technologies; software defined radio
  4. 4. Overview
      - M2M / IoT
      - SDR
      - Attacks
      - Mitigations
  5. 5. Machine to Machine Communication
      - Term M2M popularized in the embedded system community in the late '90s
      - Technologies which allowed embedded systems to communicate with each other
      - Vision to connect diverse systems, collect data and perform control
      - Key challenges included cost and complexity of implementation
  6. 6. M2M Goes Wireless
      - Cellular M2M communication industry emerged in 1995
      - Siemens created dedicated M2M department within mobile phone BU
      - GSM data module "M1" for M2M industrial applications enabled communication over wireless cellular networks
  7. 7. M2M Cellular Modules
      - Use 'AT' commands popularized by the Hayes Smartmodem in 1981
      - AT command set extended to support SMS and GSM configuration and control
      - Data can be passed transparently in a passthrough mode and later PPP became common
      - Similar modules are still used in IoT and cellphones today
  8. 8. M2M Convergence = IoT
  9. 9. Internet of Things: Home Automation (HA)
      - 2.4GHz (Worldwide): 5MHz Channel spacing; 2MHz Bandwidth; DSSS Encoding; OQPSK Modulation; 250Kb/s
      - 868/915MHz (Europe, USA): 2MHz Channel spacing; DSSS Encoding; BPSK Modulation; 20Kb/s, 40Kb/s
      - 868.40/869.85MHz (Europe), 908.40/916MHz (USA): 300/400KHz Bandwidth; Manchester Encoding; GFSK Modulation; 9600b/s, 40Kb/s, 100Kb/s
      - 2.4GHz (b/g/n): 5MHz Channel spacing; 22, 20, 40MHz Bandwidth (b, g, n); DSSS, OFDM Encoding (b, g/n); DBPSK/DQPSK, BPSK/QPSK/16-QAM/64-QAM Modulation (b, g/n); 11Mb/s, 54Mb/s, 4x150Mb/s (b, g, n)
  10. 10. "Software-defined radio (SDR) is a radio communication system where components that have been typically implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system. While the concept of SDR is not new, the rapidly evolving capabilities of digital electronics render practical many processes which used to be only theoretically possible." -wikipedia
  11. 11. [title illegible]
      - Applications date back to the late 1970's
      - SDR technology is advancing rapidly (emerging technology).
      - Analog to Digital Conversion (ADC) technology (dynamic range, noise & interference immunity)
      - Increasing FPGA performance and reduced cost
      - Increasing PC interface speeds (USB3 @ 5Gb/s)
      - Results in reduced cost and dramatic increase in performance of modern SDR systems
  12. 12. [title illegible]
      - Most cellular base stations use SDR technology
      - Nearly 1 billion software-defined cell phones were shipped in 2011
      - Almost all tactical radios for military purposes use SDR technology
      - The transition to software radios during the past 10 years is largely unknown to the public
  13. 13. SDR Benefits
      - Reduced Complexity
      - Flexibility
      - [illegible]
      - The downside... Malicious actors can now explore baseband level wireless attack vectors by sharing software and attaching a particular antenna to an SDR, a significant advance in offensive capabilities within the wireless arena.
  14. 14. Typical SDR Receiver: Direct Conversion, Homodyne, Synchrodyne, or Zero-IF. Block diagram labels: Antenna; Band Pass Filter; Low Noise Amplifier; One IC; Low Pass Filter; FPGA
  17. 17. Silicon Labs Si5338 Programmable Clock Generator
      - Enables SDR arbitrary sample rate
      - High-precision synthesis
      - 0ppm frequency accuracy
      - Low phase jitter (0.7ps RMS)
      - Glitchless 1ppm frequency adjustment
  19. 19. Cypress CYUSB3014 FX3 Microcontroller
      - 200MHz ARM926EJ Core w/512KB SRAM
      - 5Gbps Superspeed PHY (USB 3.1 Gen1)
      - 100MHz 32bit Programmable GPIF II
      - SDR Functionality: FPGA Loading & Firmware Update; RF I/Q Data Link (USB3 <-> GPIF II)
  21. 21. [FPGA slide; title illegible]
      - Resources table (row labels only): Logic elements (LEs); Embedded memory (Kbits); Embedded 18 x 18 multipliers; General-purpose PLLs; Global Clock Networks; User I/O Banks
      - Cypress FX3 loads FPGA from SPI Flash or via USB
      - HDL - general logic & signal processing:
      - Embedded soft NIOS II processor controls:
      - VCTCXO Trim DAC
      - Si5338 Clock Generator PLL
      - LMS6002D Transceiver
      - UART for FX3 command & control of NIOS II
      - Clock domain transfer FIFO (I/Q Data path):
      - FX3's 100MHz GPIF II clock
      - LMS6002D ADC/DAC arbitrary clock (Si5338)
  23. 23. Lime Microsystems LMS6002D Transceiver
      - The world's first field programmable RF (FPRF) transceiver IC replaces several individual transceiver chips and allows equipment to be reconfigured rapidly and simply
      - LNA, PA driver, RX/TX mixers, RX/TX filters, synthesizers, RX gain control, and TX power control with very few external components
  25. 25. RF Attack Techniques: Jamming...
  26. 26. How to Jam?
      - Talk louder: Transmission of radio signals that disrupt communications by decreasing the signal-to-noise ratio (SNR) at the receiver
      - Use confusing words: Transmission of radio signals using knowledge of the RF protocol in use to disrupt communications (channel access, sync, packet contents, receiver design, etc)
  27. 27. Distance & Power
      - Radiation from point source follows Inverse Square Law
      - Battlefield jamming at >10 kilometers
      - Homes are small (relatively)
      - IoT HA protocols are low power
      - (Plot; x-axis: Distance from point source)
  28. 28. Jamming Techniques
      - Non-intelligent (Goal to reduce SNR): Spot / Continuous wave; Sweep; Barrage / Broadband (BNJ); Base
      - Intelligent (Goal specific to protocol): Partial-Band (PBJ); Multitone; Network Access (Preamble); Packet Corruption
  29. 29. Encoding, Modulation, and Frequency
      - To create an RF signal for transmission, typically data is first Encoded and the result Modulated onto a carrier wave of a specific Frequency.
      - (Figure: Modulated RF Signals; Carrier at Fc; panels for Frequency, Amplitude and Phase; axis: TIME)
  30. 30. Why Encode?
      - Clock Extraction. Manchester Encoding: Every falling edge clock transition is reflected in encoded data. Receiver uses packet preamble (1010101) to sync its clock.
      - Noise Immunity. Direct Sequence Spread Spectrum: Data XOR'd with Pseudorandom Noise bits called 'chips'. Additional encoded transitions spread data bit over a wider spectrum.
      - (Timing diagrams: Clock, Data, Manchester; Data, PN seq, DSSS)
  31. 31. Carrier Modulation (figure; axis label: amplitude)
  32. 32. Flowgraph screenshot (configuration and variables; values illegible), annotated: 868.40/869.85MHz (Europe), 908.40/916MHz (USA); 300/400KHz Bandwidth; Manchester Encoding; GFSK Modulation; 9600b/s, 40Kb/s, 100Kb/s
  33. 33. Flowgraph screenshot (parameter values illegible). Legible block names: Options; Variable; Parameter; Random Source; Virtual Sink; Constant Source; Short To Char; Virtual Source; Map; Unpack K Bits; Repeat; Throttle; Add Const
  34. 34. [...]ables for Zwave. Flowgraph screenshot with annotations: Raw Data (Data = 01010101...); Manchester encoding; Manchester Data; Controlled Oscillator; Frequency Modulation (FSK)
  35. 35. Flowgraph screenshot (parameter values illegible). Legible block names: Random Source; Virtual Sink; Constant Source; Short To Char; Virtual Source; Map; Unpack K Bits; Repeat; Throttle; Add Const; Multiply Const; osmocom Sink; VCO (complex); Valve; GFSK Mod; WX GUI FFT Sink
  36. 36. Flowgraph screenshot (parameter values illegible). Legible block names: Virtual Source; Repeat; Throttle; Virtual Sink; Add Const; Multiply Const; osmocom Sink; VCO (complex); Valve; GFSK Mod; WX GUI FFT Sink; osmocom Source; WX fosphor sink
  38. 38. Flowgraph screenshot (configuration and variables; values illegible), annotated:
      - 2.4GHz (worldwide): 5MHz Channel spacing; 2MHz Bandwidth; DSSS Encoding; OQPSK Modulation; 250Kb/s
      - 868/915MHz (Europe, USA): 2MHz Channel spacing; DSSS Encoding; BPSK Modulation; 20Kb/s, 40Kb/s
  39. 39. Flowgraph screenshot (parameter values illegible). Legible block names: Options; Parameter; Variable; WX GUI Check Box; Random Source; PSK Mod; osmocom Source
  40. 40. Hopping... Flowgraph screenshot with annotations: Noise source; Quadrature Phase Shift Key Modulation (0, 90, 180, or 270 degrees); No encoding (we do not know the DSSS Pseudorandom Noise sequence!). Legible block names: osmocom Sink; Valve; WX GUI FFT Sink; osmocom Source
  41. 41. Flowgraph screenshot (parameter values illegible). Legible block names: Variable; osmocom Source; Constant Source; Probe Signal; Vector Source; Valve; WX GUI FFT Sink; Multiply Const; WX fosphor sink; Add Const; Throttle
  42. 42. 20Kb/s, 40Kb/s
  43. 43. Flowgraph screenshot (configuration and variables; values illegible), annotated: 2.4GHz (b/g/n); 5MHz Channel spacing; 22, 20, 40MHz Bandwidth (b, g, n); DSSS, OFDM Encoding (b, g/n); DBPSK/DQPSK, BPSK/QPSK/16-QAM/64-QAM Modulation (b, g/n); 11Mb/s, 54Mb/s, 4x150Mb/s (b, g, n)
  44. 44. Flowgraph screenshot (parameter values illegible). Legible block names: Options; Parameter; Variable; WX GUI Check Box; Random Source; PSK Mod; osmocom Source
  45. 45. Flowgraph screenshot (parameter values illegible). Legible block names: Random Source; PSK Mod; osmocom Sink; Valve; Variable; WX GUI FFT Sink; osmocom Source; Constant Source; Probe Signal; WX fosphor sink
  46. 46. Flowgraph screenshot (parameter values illegible). Legible block names: Variable; WX GUI FFT Sink; osmocom Source; WX fosphor sink; Constant Source; Probe Signal; Vector Source; Valve; Multiply Const; Add Const; Throttle
  48. 48. SDR too big and expensive?
      - SPI interface
      - 142-1050MHz
      - (G)FSK & 4(G)FSK, OOK & ASK
      - +20dBm Max output power
      - 10mA active, 13mA RX
      - 30nA shutdown, 50nA standby
      - 0.123kbps to 1Mbps
      - [illegible] qty 1
      - Fast wake and hop times...
      - + 85mA at +20dBm; 225mAh; 20min of jamtime (915 MHz)
  49. 49. Mitigations
      - Start with data integrity. Use known ACID database techniques.
      - Fundamentally, in consumer frequency bands where power is limited by law, it is difficult to prevent or overcome jamming. Jamming should instead be detected and considered a breach or impending breach.
      - Wireless networks should be designed with consideration for malicious actors of this nature.
      - Spread Spectrum techniques such as DSSS and FHSS help but current consumer focused implementations have not been shown to be immune.
      - Device network access under jamming or high noise conditions should be more aggressive. Complete holdoff (politeness) will always make DoS easy (and more power efficient!). Malicious actors will not be polite.
      - (Photo caption: Hedy Lamarr & George Antheil, Inventors of Spread Spectrum Technology)
  50. 50. Data Integrity
      - Transmit and forget is simply not good enough.
      - Timestamp at the sensor.
      - Encrypt the network end to end, sensor to cellphone. (sensor <-> hub <-> cloud <-> mobile phone)
      - Use ACID (Atomicity, Consistency, Isolation, Durability).
      - All data should eventually arrive, even if delayed by jamming...
  51. 51. [title illegible]
      - Hubs & sensors could measure and record noise floor over time. This is the first step to detect Barrage Noise Jamming events.
      - Network participants could listen to their own transmissions to detect talkover.
      - Detect and record network babblers. Overlong preambles or packets at minimum. Nodes that completely saturate a network should also be suspect.
      - Just because a hub isn't receiving valid packets doesn't mean sensors are not trying to talk. Analyze network flow. If data isn't flowing, jam may be in progress.
      - Create sentinels which are mains powered with battery backup containing both wired and wireless interfaces. Place the wireless hub in the center of the installation with sentinels radiating to the perimeter. Sentinels periodically transmit and analyze wireless network condition and report to hub via wired interface. Direction of jammer could even be determined.
  52. 52. Conclusions
      - Make the jammer use as much bandwidth and as many radios as possible. Use multiple frequencies that are spread far apart. Spread using FHDSS/DSSS.
      - WiFi is a highly scrutinized enterprise protocol and solutions are becoming more power efficient. Other HA protocols do not have the same contributing ecosystem.
      - Wireless and batteries are convenient in Home Automation, but security is not about convenience.
      - SDR will continue to enable increasingly sophisticated attacks.
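
An added example, not part of the original slides: a minimal hub-side detector for the ideas on slide 51 (record the noise floor over time, flag babblers by overlong frames or channel saturation, and treat stalled data flow as a signal in its own right). The idle-channel RSSI feed, the packet tuple layout, the node names and every threshold are assumptions, and the sample data is constructed.

```python
"""Jamming-detection sketch for a home-automation hub (constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import median


@dataclass
class Event:
    t: float      # seconds on the hub clock
    kind: str     # noise_floor | babbler | flow_stall | sensor_silent
    detail: str


class NoiseFloorMonitor:
    """Tracks idle-channel RSSI and flags a sustained rise above baseline."""

    def __init__(self, window=30, rise_db=10.0, sustain=3, warmup=5):
        self.quiet = deque(maxlen=window)   # only non-elevated readings
        self.rise_db, self.sustain, self.warmup = rise_db, sustain, warmup
        self.run = 0                        # consecutive elevated readings

    def update(self, t, rssi_dbm):
        if len(self.quiet) < self.warmup:   # still learning the quiet floor
            self.quiet.append(rssi_dbm)
            return None
        floor = median(self.quiet)
        if rssi_dbm - floor < self.rise_db:
            self.run = 0
            self.quiet.append(rssi_dbm)
            return None
        # Elevated readings never enter the baseline, otherwise a sustained
        # jammer would become the new "normal".
        self.run += 1
        if self.run == self.sustain:
            return Event(t, "noise_floor",
                         f"{rssi_dbm - floor:+.0f} dB vs {floor:.0f} dBm baseline")
        return None


def find_babblers(packets, max_airtime_ms, max_duty=0.25):
    """packets: sorted (t, node, airtime_ms, valid). Overlong frames or hogs."""
    if not packets:
        return []
    span_ms = max(1.0, (packets[-1][0] - packets[0][0]) * 1000.0)
    airtime, events, seen = defaultdict(float), [], set()
    for t, node, ms, _valid in packets:
        airtime[node] += ms
        overlong = ms > max_airtime_ms
        if (overlong or airtime[node] / span_ms > max_duty) and node not in seen:
            seen.add(node)
            why = "overlong frame" if overlong else "saturating the channel"
            events.append(Event(t, "babbler", f"{node}: {why}"))
    return events


def find_flow_stalls(packets, sensors, heartbeat_s, now, misses=3):
    """A sensor missing `misses` heartbeats is silent; all silent => stall."""
    last_ok = dict.fromkeys(sensors)
    for t, node, _ms, valid in packets:
        if valid and node in last_ok:
            last_ok[node] = t
    limit = misses * heartbeat_s
    silent = sorted(s for s, t in last_ok.items() if t is None or now - t > limit)
    if silent and len(silent) == len(last_ok):
        return [Event(now, "flow_stall", f"all sensors silent > {limit:.0f} s")]
    return [Event(now, "sensor_silent", s) for s in silent]


def assess(rssi_samples, packets, sensors, heartbeat_s, max_airtime_ms):
    """Returns (verdict, events); raised floor plus stalled flow => jam."""
    mon = NoiseFloorMonitor()
    events = [ev for t, r in rssi_samples if (ev := mon.update(t, r))]
    events += find_babblers(packets, max_airtime_ms)
    events += find_flow_stalls(packets, sensors, heartbeat_s, rssi_samples[-1][0])
    kinds = {e.kind for e in events}
    if {"noise_floor", "flow_stall"} <= kinds:
        verdict = "jam_suspected"
    else:
        verdict = "degraded" if kinds else "ok"
    return verdict, sorted(events, key=lambda e: e.t)


# Constructed sample: 1 Hz idle RSSI, quiet for 20 s, then a ~24 dB rise.
RSSI = ([(float(i), -95.0 + i % 3) for i in range(20)]
        + [(float(i), -70.0) for i in range(20, 40)])
# Constructed packets: two sensors with 5 s heartbeats that stop at t=20,
# plus an unknown node "x9" sending one 400 ms frame (normal is ~10 ms).
PACKETS = sorted(
    [(float(t), s, 10.0, True) for s in ("door", "motion") for t in range(0, 21, 5)]
    + [(12.0, "x9", 400.0, False)])

if __name__ == "__main__":
    verdict, events = assess(RSSI, PACKETS, ["door", "motion"], 5.0, 50.0)
    print(verdict)
    for e in events:
        print(f"t={e.t:4.0f}s  {e.kind:12s} {e.detail}")
```

A single silent sensor is reported as `sensor_silent` (a dead battery looks like that); only every sensor going quiet while the noise floor is raised yields `jam_suspected`.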
