Mathy Vanhoef, a PhD student at KU Leuven, has defied conventional wireless security theory by creating continual, targeted and virtually indefensible stealth jamming attacks on WiFi and Bluetooth networks, which in turn allow tampering with encrypted traffic.
Presenting his work at the BruCON conference last week, he revealed that his weapon of choice is a widely available WiFi dongle bought off Amazon. Paired with a Raspberry Pi and a small amplifier, it can block 2.4 GHz transmissions at a range of up to 120 metres.
“You do not need expensive devices – you can use a very cheap Wi-Fi dongle,” Vanhoef says.
He went on to explain that there are plenty of devices this can affect, including “...home automation systems, home security systems, sometimes industrial control systems, fancy baby monitors, car locks.”
The weakness lies in the fact that the WiFi protocol assumes all devices will wait for the channel to clear before sending packets in response. This means that devices bombarded with packets are unable to transmit until the attack has stopped.
The targeted and continuous WiFi jamming requires a few steps. Attackers must first disable their dongle's backoff wait time (SIFS), which is designed to give WiFi devices time to re-enter transmission mode and so avoid packet collisions.
This is possible by tinkering with memory-mapped registers within the firmware. The dongle's packet bit-rate can also be changed: if it is lowered below the rate of the device being attacked, the attacker's packets can be processed first.
Vanhoef then went on to explain that continual jamming is possible using the dongles if carrier sense is disabled and a frame is set to be re-sent continually. Other devices then wait for the attacker's initial frame to finish, when in fact it simply loops indefinitely. This means the attack cannot be stopped.
Vanhoef says he will not release the code to the public but is happy to supply it to legitimate researchers.