
    Wi-Fi Denial of Service Attack on Wired Analog RF Channel Emulator

    This report presents the design and implementation of an analog wireless channel emulator used to examine various denial of service (DoS) attacks in multiple mobile scenarios. The emulated scenarios involve three node topologies of wireless interferers (Wi-Fi radios), including a software defined radio that transmits one of three DoS waveforms. The testbed was functional and met the original specifications. Results from the mobile experiments show a clear distinction in performance among the three DoS waveforms depending on the node topology: a digital waveform using binary phase shift keying (BPSK) is most effective at reducing total network throughput at close range, while sweep waveforms cause only a minor throughput reduction but do so from a greater distance.

    Jammers for mobile cellular systems applied to unauthorized UAVs

    This research explores jamming of digital mobile systems, with an initial focus on 2G and Global System for Mobile Communications (GSM) technology. The main goal is to develop a jammer that is more efficient and more complex than existing ones and therefore better able to disrupt digital mobile systems. The study consists of an analysis of the different jamming techniques that can disrupt a mobile cellular system's communication, carried out through a series of simulations using Software Defined Radio (SDR) and the GNU Radio ecosystem. The same techniques are then studied and evaluated in real-life scenarios in order to select the best one with respect to spectral efficiency, energy and complexity. Finally, the jammer with the best results is the one chosen to contribute sustainably to the problem of drones flying in restricted areas, such as airports and residential zones, and thus to decrease the number of accidents that currently occur with this kind of aircraft.

    POWER-SUPPLaY: Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers

    It is known that attackers can exfiltrate data from air-gapped computers through their speakers via sonic and ultrasonic waves. To eliminate the threat of such acoustic covert channels in sensitive systems, audio hardware can be disabled and the use of loudspeakers can be strictly forbidden. Such audio-less systems are considered to be audio-gapped, and hence immune to acoustic covert channels. In this paper, we introduce a technique that enables attackers to leak data acoustically from air-gapped and audio-gapped systems. Our malware exploits the computer's power supply unit (PSU) to play sounds, using it as an out-of-band, secondary speaker with limited capabilities. The malicious code manipulates the internal switching frequency of the power supply and thereby controls the sound waveforms generated by its capacitors and transformers. Our technique can produce audio tones in the 0-24 kHz band and play audio streams (e.g., WAV) from a computer power supply without any audio hardware or speakers. Binary data (files, keylogging, encryption keys, etc.) can be modulated onto the acoustic signals and sent to a nearby receiver (e.g., a smartphone). We show that the technique works on various types of systems: PC workstations and servers, as well as embedded systems and IoT devices that have no audio hardware at all. We provide technical background and discuss implementation details such as signal generation and data modulation. We show that the POWER-SUPPLaY code can operate from an ordinary user-mode process and needs neither hardware access nor special privileges. Our evaluation shows that, using POWER-SUPPLaY, sensitive data can be exfiltrated from air-gapped and audio-gapped systems over a distance of five meters at a maximum bit rate of 50 bit/s.

    Bit error rate analysis of different digital modulation schemes in orthogonal frequency division multiplexing systems

    This study presents the design of an orthogonal frequency division multiplexing (OFDM) system and analyses the performance of the different digital modulation techniques employed in it. The OFDM system was modelled, and two families of modulation schemes, M-ary phase shift keying (M-PSK) and M-ary quadrature amplitude modulation (M-QAM), were employed over two different channels: additive white Gaussian noise (AWGN) and Rayleigh multipath fading. Bit error rate (BER) analysis was carried out for each modulation scheme over both channels, and the effect of the number of fast Fourier transform (FFT) points used during transmission was examined. In general, the results show that over both AWGN and Rayleigh fading channels, lower order modulation schemes perform better than higher order schemes. This comes at the cost of data rate, since lower order schemes carry fewer bits per symbol than their higher order counterparts. In addition, the system performed better over the AWGN channel than over the Rayleigh fading channel for all modulation schemes used. As for the number of FFT points, the findings indicate that system performance is largely unaffected by the number of FFT points employed during transmission.
    Keywords: digital modulation, bit error rate, orthogonal frequency division multiplexing, additive white Gaussian noise, modulation schemes, fast Fourier transform

    Investigation on the Actual Robustness of GNSS-based Timing Distribution Under Meaconing and Spoofing Interferences

    Long-term stability and accurate time synchronization are at the core of timing network facilities in several critical infrastructures, such as telecommunication networks. In these applications, timing signals disciplined by Global Navigation Satellite System (GNSS) receivers, i.e., One Pulse-per-Second (1-PPS) outputs, complement Primary Reference Time Clocks (PRTCs) by compensating for the long-term drift of their embedded atomic clocks. However, GNSS receivers may expose timing distribution networks to Radio Frequency (RF) vulnerabilities that can degrade or disrupt synchronization among the nodes. This paper presents a test methodology for assessing the resilience of new GNSS timing receivers to different classes of intentional RF interference. The analysis of the results compares the effects of practicable spoofing and meaconing attacks on the 1-PPS generated by three Commercial off-the-shelf (COTS) GNSS timing receivers currently employed in timing applications. On one hand, the results emphasise the robustness of State-of-the-Art (SoA) mitigation technologies compared to previous-generation devices. On the other hand, the vulnerability of SoA receivers to meaconing attacks highlights the limits of such mitigations, which may have severe effects on the performance of telecommunication networks.

    Study of spread spectrum multiple access systems for satellite communications with overlay on current services

    The feasibility of using spread spectrum techniques to provide a low-cost multiple access system for a very large number of low data rate terminals was investigated. Two applications of spread spectrum technology to very small aperture terminal (VSAT) satellite communication networks are presented. Two spread spectrum multiple access systems that use a form of noncoherent M-ary FSK (MFSK) as the primary modulation are described and their throughput analyzed. The analysis considers factors such as satellite power constraints and adjacent satellite interference. The effect of on-board processing on multiple access efficiency is also considered, and the feasibility of overlaying low data rate spread spectrum signals on existing satellite traffic as a form of frequency reuse is investigated. The use of chirp for spread spectrum communications is examined. In a chirp communication system, each data bit is converted into one or more up or down sweeps of frequency, which spread the RF energy across a broad range of frequencies. Several different forms of chirp communication systems are considered, and a multiple-chirp coded system is proposed for overlay service. The mutual interference problem is examined in detail and a performance analysis is undertaken for the case of a chirp data channel overlaid on a video channel.

    Full-Duplex Constant-Envelope Jamceiver and Self-interference Suppression by Highpass Filter : Experimental Validation for Wi-Fi Security

    Unauthorized access to data has been a recognized risk of wireless systems for many decades. While security solutions in communications engineering have typically revolved around cryptography in the higher layers, a more recent development is the growing interest in security at the physical layer, namely by using jamming for protection. In this paper, we present an experimental study of a full-duplex jammer-receiver (i.e., "jamceiver") that is able to interfere with the same radio resources it is simultaneously receiving from. The radio architecture is loosely based on frequency-modulated continuous-wave radars, which are constant-envelope radio transceivers and therefore benefit from simple but efficient self-interference suppression in the analog baseband domain using a passive highpass filter. The restriction to constant-envelope transmission is not an issue for efficient jamming waveforms, unlike it would be for conventional direct-conversion transceivers in full-duplex communications. To show the performance limits of a practical jamceiver, we present comprehensive measurement results from a laboratory environment as well as a jamming case study from an open park area with actual Wi-Fi signals. In particular, the experiments validate the feasibility of preventing eavesdropping with continuous low-power jamming over a large area around a full-duplex jamceiver that acts as an access point while simultaneously offering decent Wi-Fi service to an off-the-shelf laptop.