Detecting WiFi jamming used to knock out security systems

[5U4GB]

Just a thought experiment, inspired by yet another story about burglars using WiFi jamming to knock out security systems.  These stories tend to pop up from time to time, this is just the latest one. Unfortunately the reports don't mention what type of jammer is being used or even whether it's just an older story that's been recycled yet again, whether the tech is just a dumb blanket-the-frequency-range-with-noise or a smarter WiFi-knowledgeable one that sends dummy traffic or deauth packets.  The Aliexpress ones just seem to be dumb interference-generators, e.g. this sort (later photos show the spectrum plot) which presumably you plug into a USB power bank. 

For deauth jammers, the operation is described here.

So how would to detect this in a non-false-positive manner?  For the simpler blanket-with-noise style I was thinking an ESP32 that periodically scans each channel and reports possible jamming if every channel is saturated with noise.

Identifying deauth attacks seems a lot more difficult since you'd have to be listening in when the deauth happens, I assume that'd need to be done on the AP since that'll always see the deauth packets as they're targeted at it.

And yes, I'm aware of 802.11w but that seems to be implemented in a hit-and-miss fashion, in particular there's a vast amount of IoT gunk around that doesn't support it so won't be able to connect if the AP forces its use and so most APs that do support it disable it by default, also this question is more of a thought experiment about how you'd reliably detect something like this.

[ddosegov]

For jamming, best solution is usuall simplest one... Z-comm vco driven by NE555 and amplified with some MMIC, all powered from 9V battery fits cigarette-box sized case and does not require any user interaction after flipping on-off switch. Detection can be made with spectrum analyzer or SDR... or any recorder that have video loss detection.

[jonpaul]

True security require Ethernet or wired connections, NO WiFi and airgap to net.

Anything else is vulenrable.

j

[Berni]

And this is why actual professional security camera systems use twisted pair or coax cables.

But yeah home users are too lazy to run some CAT5 (Even tho they have to run power anyway), so everyone ends up using WiFi.

One possible solution is to also record to a SD card so you at least still have footage in case of failure. Even modern professional security cameras tend to use this. They both send live video back to the security server over Ethernet while at the same time loop recording on a SD card inside the camera. That way if intruders start cutting wires or disable the server, the cameras are still recording as long as they still have power from the separate UPS backed up power circuit. So to destroy the security footage you need to both destroy the server and camera.

[nctnico]

For protocol attacks, an ESP32 could be a good option as this has all the radio & demodulation hardware + software stack. To check for wideband noise, you'll need an SDR. Maybe an ESP32 can be used to counter protocol attacks to by drawing the protocol attacks towards it so the actual Wifi signals are left alone.

[thm_w]

For jamming, best solution is usuall simplest one... Z-comm vco driven by NE555 and amplified with some MMIC, all powered from 9V battery fits cigarette-box sized case and does not require any user interaction after flipping on-off switch. Detection can be made with spectrum analyzer or SDR... or any recorder that have video loss detection.

As stated above, any decent security camera system has a video loss/tamper detection alert. Because yes, even on hardwired camera setups, the camera can still fail or can be spray painted and you want to be able to detect that.

Many wifi cams will also have an internal SD card, so it will record there as well as stream the footage.

[nctnico]

Many wifi cams will also have an internal SD card, so it will record there as well as stream the footage.

IMHO that is pretty useless as people who have entered a building, can easely and quietly remove the SD card. The best camera setup is hardwired and streams the video off-site directly. That way the footage is out of reach of people who enter a building.

[thm_w]

IMHO that is pretty useless as people who have entered a building, can easely and quietly remove the SD card. The best camera setup is hardwired and streams the video off-site directly. That way the footage is out of reach of people who enter a building.

The SD card on hikvision cameras is inside the waterproof enclosure so is not easily removable. Especially when the camera is mounted high up on a wall as shown in the article.

[NiHaoMike]

But yeah home users are too lazy to run some CAT5 (Even tho they have to run power anyway), so everyone ends up using WiFi.

Most often they reuse the outdoor outlet or outdoor lighting circuit, so lots of work saved. Homeplug would be a great solution but Homeplug cameras aren't very common.

[Someone]

So how would to detect this in a non-false-positive manner?

Why overcomplicate it: is the video camera returning images and sound?
yes) all good
no) go and investigate

What can you do if you detect interference?

[Andy Chee]

So how would to detect this in a non-false-positive manner?

If you are getting frequent false-positive signal dropouts, then you need to improve your installation.  Either use a few more WiFi repeaters, or use wired cameras.

[NiHaoMike]

I wonder if deauth attacks could be rendered ineffective with a few ESP32 generating packets to simulate lots of networks with devices, so that the deauther spends a lot of time deauthing devices that don't even exist.

[JoeyG]

https://www.rcmodelreviews.com/wispy24i.shtml

[nctnico]

IMHO that is pretty useless as people who have entered a building, can easely and quietly remove the SD card. The best camera setup is hardwired and streams the video off-site directly. That way the footage is out of reach of people who enter a building.

The SD card on hikvision cameras is inside the waterproof enclosure so is not easily removable. Especially when the camera is mounted high up on a wall as shown in the article.

A camera mounted high up is useless as criminals wear hats or hoodies. A high mounted camera won't catch their faces.

[5U4GB]

For protocol attacks, an ESP32 could be a good option as this has all the radio & demodulation hardware + software stack. To check for wideband noise, you'll need an SDR. Maybe an ESP32 can be used to counter protocol attacks to by drawing the protocol attacks towards it so the actual Wifi signals are left alone.

Ah, good point, you could use them to tarpit attackers, or alternatively just to act as canaries to detect attacks.

[5U4GB]

https://www.rcmodelreviews.com/wispy24i.shtml

Good idea, that would work, you can drive those from Linux using spectool so plug one into whatever Linux box you've got lying around and use spectool to pull the data off it.

An update, it looks like it's even simpler than that, nmcli will do this with

Code: [Select]

sudo nmcli dev wifi
Well, that took all the fun out of it, instead of playing with cool hardware it's just a few minutes of scripting an already-existing setup, and since it can act as a WiFi client it'll detect disassociation attacks as well.

[ddosegov]

Just thinking what would microwave oven without mesh on the door mounted in car roof box do to nearby wireless devices? I fried wireless card in my laptop at 15ft (did that few times to be sure  ) with less than 10W... ofc, powering microwave oven would require at least 1500W DC to AC converter, but that is not a rocket science....

[5U4GB]

Followup to my earlier post, looks like the best command is:

Code: [Select]

nmcli -t -f chan,signal dev wifiwhich shows the channel and signal strength in machine-processable format.  Since most places will be surrounded by a 3-degree background radiation of neighbouring APs, detecting WiFi jamming should just require detecting a sudden change in the steady state as all the surrounding APs vanish.

Now I just need to figure out how to test this without access to the sort of WiFi jammer that it's meant to counter.  Is anyone in a country where you're allowed to run one of these for testing able to post what it does to surrounding WiFi signals?

[jonovid]

if its Illegal to have or use a jammer and so is burglary , what defence does it matter to a criminal?
US news video- wireless signal jammers are used in breaking & entering burglarys to disable wireless CCTV and mobile phone calls to US 911 emergency
this video shows the vulnerability of wireless networking technology to radio jammers.



https://www.usatoday.com/story/tech/columnist/komando/2024/02/29/thieves-using-wifi-jammer/72758559007/

[Halcyon]

IMHO that is pretty useless as people who have entered a building, can easely and quietly remove the SD card. The best camera setup is hardwired and streams the video off-site directly. That way the footage is out of reach of people who enter a building.

The SD card on hikvision cameras is inside the waterproof enclosure so is not easily removable. Especially when the camera is mounted high up on a wall as shown in the article.

It wouldn't matter anyway on the Hikvisions, the Chinese government will have a backup of your footage, just ask them for a copy. 

[fcb]

There's been a series of car burglaries near my home.  No ones RING doorbells (including mine & at least 6 others) have any footage.

My first thought was crims are jamming WiFi.  My next thought is how easy would it be to detect the jamming and create an alert? I'm guessing that this problem is only going to get worse in the future.

[radiolistener]

True security require Ethernet or wired connections, NO WiFi and airgap to net.

True security require no network connections, neither ethernet nor the WiFi... 

[pdenisowski]

My next thought is how easy would it be to detect the jamming and create an alert?

I spent years hunting down jammers and other interference sources in the field as part of my job.  The short answer is that in order to be effective, a jammer has to be (a) loud, (b) wide, and (c) on most of the time*.  Detecting and radiolocating jammers is therefore usually very easy.

The issue is what do you do if a jammer is detected?  And what is the backhaul (so to speak)?  If a WiFi connected camera detects jamming and it's link back to the system is being jammed, it has no way to communicate this in-band.

I agree this is a (potentially) serious problem, but building jamming detection into devices that use a wireless connection doesn't seem like a solution to me.

*Yes, there are some sophisticated jammers (reactive, etc.) that don't necessarily meet these criteria, but these are extremely rare in non mil/gov applications.

[iMo]

There's been a series of car burglaries near my home.  No ones RING doorbells (including mine & at least 6 others) have any footage.

My first thought was crims are jamming WiFi.  My next thought is how easy would it be to detect the jamming and create an alert? I'm guessing that this problem is only going to get worse in the future.

It is real, I had detected a strong jamming after a turmoil on our parking place when my neighbors where unable to close the doors of their cars with their remotes, it was long back and at 433 MHz (today perhaps different frequencies). They called police afterwards, afaik. No more jamming here since then.
Jamming could be easily detected as a strong broadbanded signal at the frequencies of interest, an SDR usb stick (working at the frequencies of interest, perhaps there are some up to wifi bands today) with proper antenna and a small computer (like Rpi-like one) watching the frequencies and evaluating the signal strength, based on that sending an SMS or an email with an alert, for example.
A weekend project for talented SDR people here, imho 

[Ranayna]

As long as we are talking about networked cameras, the easiest way to detect something like that would be on a higher level in the network stack.
Have something monitor the network reachability of the camera. Something that perodically pings the cam can already be enough.
Have that alert you if the camera does not respond.

Doing it like that you do not need to care about why the camera lost the connection, be it a cut cable, power loss, someone smashing the camera, wifi jamming or deauth attacks. If the camera goes offline you get alerted.
If you use an NVR i would think that those have such a monitoring built in, though i have to say i do not have personal experiences with NVRs.