This weekend, I also spent some time looking into applied signal disruption. It is my firm belief that many security “professionals” talk too much shit about presumably easy things, but couldn’t change their MAC address without half an hour of Google. In my ongoing effort to avoid this, I spent some time trying some things out.
Remember kids, be ethical. Don’t be unethical. Thanks. Also happy Easter.
Unsurprisingly, building a generic jammer in GNU Radio is rather easy (in practice: don’t forget to raise the sample rate, because the bladeRF won’t run at 32k samples per second; it’s 80k or no play):
To modify this to work on a Raspberry Pi (or similar handheld device) is an exercise in simplicity itself. This works on the principle of raising the noise floor: that is, typically, your computer’s WiFi baseband expects a signal similar to the following:
We simply overpower the signal with a random one of our own, to the point where the computer can no longer tell what’s a legitimate signal:
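Seen from the monitoring side, this principle is also what gives the interference away: a legitimate transmission occupies one channel, whereas a noise-floor lift is a flat block tens of MHz wide. The following is an added example, not code from the original post, showing how a receiver that already has a quiet baseline of the band can flag such a lift, and how a lift of that kind eats a client's SNR. Every spectrum in it is constructed for the example; the bin spacing, band edges, thresholds and power levels are assumptions rather than measurements.

```python
"""Flag a wideband lift of the noise floor in a monitored spectrum.

Added example, not code from the original post. The interference described
above does not resemble a WiFi transmission: it raises a flat block of
spectrum tens of MHz wide well above the usual floor. A monitoring receiver
(an SDR running a spectrum viewer) can detect that pattern by comparing each
FFT frame with a baseline learned while the band was quiet. Every spectrum
here is constructed; bin spacing, band start and thresholds are assumptions.
"""
from dataclasses import dataclass
from math import log10
from typing import List

BIN_WIDTH_MHZ = 0.5      # assumed FFT bin spacing of the monitor
BAND_START_MHZ = 2400.0  # assumed lower edge of the observed band
N_BINS = 200             # 200 bins x 0.5 MHz = 2400..2500 MHz
QUIET_FLOOR_DBM = -95.0  # constructed receiver noise floor


def bin_freq(i: int) -> float:
    """Lower edge frequency (MHz) of FFT bin i."""
    return BAND_START_MHZ + i * BIN_WIDTH_MHZ


def make_frame(spans) -> List[float]:
    """Constructed power spectrum: flat floor plus (start_mhz, end_mhz, level_dbm) spans."""
    frame = [QUIET_FLOOR_DBM] * N_BINS
    for start, end, level in spans:
        for i in range(N_BINS):
            if start <= bin_freq(i) < end:
                frame[i] = level
    return frame


def combine_dbm(a: float, b: float) -> float:
    """Sum of two uncorrelated powers given in dBm (they add in linear units)."""
    return 10 * log10(10 ** (a / 10) + 10 ** (b / 10))


def snr_db(signal_dbm: float, floor_dbm: float) -> float:
    """Signal-to-noise ratio in dB for a signal over a given floor."""
    return signal_dbm - floor_dbm


def learn_baseline(quiet_frames: List[List[float]]) -> List[float]:
    """Per-bin median over frames captured while the band was quiet."""
    baseline = []
    for i in range(N_BINS):
        column = sorted(frame[i] for frame in quiet_frames)
        baseline.append(column[len(column) // 2])
    return baseline


@dataclass(frozen=True)
class FloorRise:
    start_mhz: float
    end_mhz: float
    mean_rise_db: float


def detect_floor_rise(frame, baseline, rise_db=10.0, min_width_mhz=10.0) -> List[FloorRise]:
    """Return contiguous spans at least min_width_mhz wide whose every bin sits
    rise_db or more above the baseline. A narrow signal (a single carrier, a
    microwave oven) is too narrow to qualify; a wide flat lift is not."""
    alerts, i = [], 0
    while i < N_BINS:
        if frame[i] - baseline[i] < rise_db:
            i += 1
            continue
        j = i
        while j < N_BINS and frame[j] - baseline[j] >= rise_db:
            j += 1
        width_mhz = (j - i) * BIN_WIDTH_MHZ
        if width_mhz >= min_width_mhz:
            mean_rise = sum(frame[k] - baseline[k] for k in range(i, j)) / (j - i)
            alerts.append(FloorRise(bin_freq(i), bin_freq(j - 1) + BIN_WIDTH_MHZ, round(mean_rise, 1)))
        i = j
    return alerts


# Constructed data: three quiet captures (whole-frame jitter of -1/0/+1 dB),
# one frame with a narrow 4 MHz carrier, one with a 28 MHz flat lift at -70 dBm.
QUIET_FRAMES = [[v + d for v in make_frame([])] for d in (-1.0, 0.0, 1.0)]
BASELINE = learn_baseline(QUIET_FRAMES)
NARROW_FRAME = make_frame([(2410.0, 2414.0, -60.0)])
WIDE_FRAME = make_frame([(2423.0, 2451.0, -70.0)])

if __name__ == "__main__":
    print("narrow carrier:", detect_floor_rise(NARROW_FRAME, BASELINE))
    print("wide lift     :", detect_floor_rise(WIDE_FRAME, BASELINE))
    # What the lift does to a client hearing its AP at -65 dBm (constructed level).
    print("SNR quiet :", snr_db(-65.0, QUIET_FLOOR_DBM))
    print("SNR lifted:", round(snr_db(-65.0, combine_dbm(QUIET_FLOOR_DBM, -70.0)), 1))
```

The width threshold is the part that matters: a single WiFi channel or a microwave oven lifts a few MHz, so `detect_floor_rise` ignores it, while the 28 MHz block trips it. The SNR figures at the end show the mechanism from the client's point of view: a -65 dBm signal over a -95 dBm floor has 30 dB of margin, and a -70 dBm lift leaves it with about 5 dB, which is why the baseband stops decoding.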
It is here that the power of the bladeRF device becomes apparent, with the device being able to comfortably disrupt a glorious 28 MHz of bandwidth around a central frequency.
After gaining the express written consent of everyone in my vicinity using my WiFi (and choosing a band I can’t see anyone else using), I then proceeded to test the effective range of this jamming, using GQRX on another laptop to determine at what distance it remained effective. My test setup is as follows:
- A bladeRF (the jamming device), using the above flow graph and a relative gain of 50 in GNU Radio, with a low-gain omnidirectional 2.4 GHz antenna purchased with the bladeRF.
  - It should be noted that the bladeRF has an extremely low transmit power (+6 dBm), where a WiFi router might transmit up to 20 dBm.
  - It should also be noted that a commercial amplifier is available for the bladeRF (XB300), offering a tremendous +33 dBm gain over 2.4 GHz.
  - The USRP B-series has significantly higher transmit power (10 dBm). The prospect of using a B205-mini and a Raspberry Pi is tantalizing, to say the least.
  - It is apparently possible to raise this with a Low Noise Amplifier. I don’t have one, and I wouldn’t know where to start with such a device.
- A USRP B200 (the testing device), running GQRX to visually inspect the spectrum.
- An iPad (secondary testing device), using the interface to connect as usual.
- A laptop (secondary testing device), using iw’s scanning capability to detect the AP.
Some of my initial results (for brevity) are as follows:
- At approximately 10 m, with line of sight, jamming works. Devices almost instantly disconnect from WiFi.
- At approximately 10 m with two brick walls between the jammer and the target (an iPad within 5 m of the broadcasting AP), this no longer works. At this point the SNR of the WiFi connection is poor, but it is still a functioning connection.
To take this further, I’d also like to investigate the effectiveness of ad-hoc antennas, as well as the impact of various not-completely-random modes of signal disruption against traditional WiFi (as well as other low-powered devices) – there’s surprisingly little literature on the topic, even from overseas.
One day, I hope to be as excellent as this glorious gentleman:
The practical applications of this are limitless – but the simplest is that in cases where you are attacking a system with a hardened WiFi stack, which ignores and reports active deauthentication (if you’re reading this – you know who you are, this one’s for you :P), you can still force the target to disconnect and re-authenticate.