SlideShare une entreprise Scribd logo

Virginia Tech's response to FirstNet NOI

Lenin Nair
Lenin Nair

The document describes the vulnerabilities of LTE 4G network in terms of network jamming.

Technologie
1  sur  8
Télécharger pour lire hors ligne
Wireless @ Virginia Tech 432 Durham Hall (0350) College of Engineering Blacksburg, Virginia 24061 540/231-2958 Fax: 540/231-2968 www.wireless.vt.edu November 8, 2012 Lawrence Strickling Assistant Secretary for Communications and Information Department of Commerce 1401 Constitution Avenue NW HCHB Room 7324 Washington DC 20230 rg Att: FirstNet Conceptual Network NOI .o Enclosed we provide a brief response to the FirstNet NOI regarding the conceptual network architecture. The focus on our comments is on the information assurance aspects of LTE and le contains a summary of some of our preliminary analysis. This work is still in progress and we would be pleased to share details of our current and future findings on this issue. Sincerely, ug eb Dr. Jeffrey H. Reed lu Director, Wireless@ Virginia Tech .b w w w Invent the Fut ur e V I R G I N I A P O L Y T E C H N I C I N S T IT U T E A N D S T A T E U N I V E R S IT Y An equ al op port unity, affirm ative actio n institu tion
BEFORE THE DEPARTMENT OF COMMERCE In the Matter of ) ) National Telecommunications and ) Information Administration ) Docket No. 120928505–2505–01 ) RIN 0660–XC002 Development of the Nationwide ) Interoperable Public Safety Broadband ) rg Network ) .o COMMENTS OF WIRELESS @ VIRGINIA TECH le Dr. Jeffrey H. Reed Marc Lichtman Willis G. Worcester Professor Graduate Research Assistant Director of Wireless @ Virginia Tech 432 Durham Hall, MC0350 1145 Perry Street ug Virginia Tech marcll@vt.edu Blacksburg, VA 24061 eb reedjh@vt.edu (540) 231 2972 lu .b INTRODUCTION AND EXECUTIVE SUMMARY w The Wireless @ Virginia Tech research group appreciates the opportunity to respond to the National Telecommunications and Information Administration (NTIA) request for comments w on the Development of the Nationwide Interoperable Public Safety Broadband Network. This w comment is regarding the vulnerability of LTE to intentional and sophisticated jamming attacks. If LTE technology is to be used for the air interface of the public safety network, then we should consider the types of jamming attacks that could occur five or ten years from now. It is very possible for radio jamming to accompany a terrorist attack, for the purpose of preventing communications and increasing destruction. Likewise it is possible for criminal organizations to
create mayhem among public safety personnel by jamming. In addition, it is possible for a jammer to increase its effectiveness by employing a sophisticated strategy. This is especially likely when every technical aspect of the target signal is known. An example strategy would be to target specific control or synchronization signals, in order to increase the geographic range of the jammer and better avoid detection. The availability of low-cost and easy to use software- defined radios makes this threat even more realistic. rg Preliminary research has been performed to show the extent to which LTE is vulnerable .o to jamming. It was shown that extremely effective attacks can be realized, using fairly low complexity. It would be in the interest of public safety to put forth an effort to find solutions to le the described problem, and ultimately improve the wireless interface of Public Safety LTE. ug Preliminary Research eb In order to show the vulnerability of the LTE wireless interface to jamming, we present a lu series of efficient attacks that are designed to cause denial of service to one or more LTE cells. .b Each attack targets one or more LTE subsystems, either in the downlink or uplink signal. The selected attacks described below represent a balance between effectiveness and complexity. w w Synchronization Signal Jamming (SSJ): When a UE wants to connect to an eNodeB, it has to w first go through a series of synchronization steps. First, it detects the Primary Synchronization Signal (PSS) which allows the UE to synchronize to each slot and gives it the cell ID. Next, it detects the Secondary Synchronization Signal (SSS) which tells the UE the cell ID group, which method of duplexing is used, and the cyclic prefix length. The SSS also allows the UE to detect when each radio frame starts. Both the PSS and SSS are mapped to the central 62 subcarriers
(not including the DC subcarrier). After synchronizing with the PSS and SSS, the UE receives more information about the cell by decoding the Master Information Block (MIB). The MIB contains information essential for initial access to a cell [1]. It consists of 14 bits that contain the downlink system bandwidth, the Physical Control Format Indicator Channel (PHICH) size, and information allowing frame synchronization. It is mapped to the central 72 subcarriers, and appears in slot 1 of each frame. The three signals are not present in all ten subframes, but they rg are always mapped to the same subcarriers. .o The Synchronization Signal Jamming (SSJ) attack is designed to deny the UE access to the PSS, SSS, and MIB. The jamming waveform used for the SSJ attack is noise that spans the le center 73 subcarriers. The DC subcarrier is included for the sake of complexity, even though it ug does not contain information. The SSJ attack does not involve jamming specific symbols (it uses a 100% duty cycle), so the jammer does not have to be synchronized to the eNodeB. The SSJ eb attack is simply a brute force method of denying the UE three different mechanisms that it needs lu to access a cell. The act of only jamming certain subcarriers allows the SSJ attack to have roughly a 3 dB gain over traditional barrage jamming, which can be thought of as an increase in .b jamming radius for a jammer that is power constrained. w w Primary Synchronization Signal Jamming: Detecting the PSS is the first step a UE takes in w accessing a cell. The PSS uses a sequence length of 63, and the center element is nulled because the downlink DC subcarrier is never used for transmission. There are three PSS sequences used in LTE, and each one corresponds to one of the three sectors. The UE must detect the PSS without any knowledge of the channel, so it finds the timing offset that corresponds to the
maximum cross-correlation for each of the three sequences, and uses it to synchronize in the time domain. For FDD, the PSS only occurs in slots 0 and 10 (there are 20 total slots per frame). The SSJ attack discussed previously injects noise into the subcarriers that contain the PSS. An attack that only targets the PSS can be realized by only jamming the symbols that contain the PSS. However, the jammer would have to cause a fairly high jammer-to-signal ratio, because the PSS is designed to be detected at high interference levels, so that the UE can also rg detect neighboring cells. .o A more effective method of causing a PSS attack would be to simply transmit one of the three PSS sequences, and thus create a bogus PSS. If the jammers received power at the UE is le greater than the eNodeB's, then the UE is most likely going to synchronize to the bogus PSS. ug This is because a cross-correlation process is used to detect the PSS non-coherently. A jammer using this method would not need receiving capability, because it would simply start the bogus eb PSS transmission at a random time, leading to uniformly distributed timing relative to the correct lu PSS signal. If the UE synchronized to the bogus PSS, then is not synchronized in time to the eNodeB, and it will not know when each OFDM symbol starts, and hence will not be able to .b detect the SSS or decode the MIB. w This attack appears to work, until considering the cell reselection procedure. If a cell w does not provide a certain level of quality, then the UE begins the cell reselection procedure, w where it tries to access the cell with the next strongest signal. The solution is to spoof all three PSS sequences. A jammer transmitting three bogus PSSs only has to transmit six symbols in every frame, on 62 subcarriers. A downside to PSS jamming is that it will not immediately cause Denial of Service (DOS). It will prevent new UEs from accessing the cell(s), and cause UEs in idle mode to reselect a bogus cell. Therefore PSS jamming is not effective for an attack
intended on causing immediate DOS. However, it is sufficient for an attack that will last a long period of time. Because the jammer barely has to transmit anything, the PSS jamming attack offers roughly 20 dB of gain relative to the barrage jamming attack. This results in an extremely efficient jammer. Fortunately, this type of attack can be prevented by employing a cell reselection implementation that is able to blacklist “bogus synchronization signals”, by keeping track of the rg time-delay in the cross-correlation. Although this is not required by the LTE specifications, .o adding this type of mitigation may be worthwhile in Public Safety UE. le Physical Uplink Control Channel Jamming: The Physical Uplink Control Channel (PUCCH) ug is used to send the eNodeB a variety of control information, including scheduling requests, Hybrid Automatic Repeat Request (HARQ) acknowledgements, and channel quality indicators. eb The PUCCH is mapped to the resource blocks on the edges of the system bandwidth. These lu resource blocks are evenly split between the two edges of the system bandwidth, and the UE rapidly alternates between the two sets of resource blocks, for the purpose of frequency diversity. .b When a UE is transmitting on the PUCCH it is not transmitting anything else [2]. This allows w PUCCH jamming to be feasible, even with SC-FDMA in use. PUCCH jamming is possible w when the only a priori knowledge is the system bandwidth and location in the uplink signal in the w frequency domain. The signal sent on the PUCCH by the UE depends on the type of information it wants to send. For scheduling requests, all the UE has to do is transmit energy in its assigned slot. This causes the eNodeB to assign the specific UE additional uplink resources. This means PUCCH jamming will cause the eNodeB to assign every active UE additional uplink resources (which
they probably do not need), and cause degradation of service. The signal transmitted by the UE for ACK and NACK responses is not as straightforward; it involves modulating the ACK or NACK indicator onto a predefined sequence which is then cyclically shifted and scrambled. This system is meant to allow multiple PUCCH transmissions to exist in the same time and frequency slot. Successful PUCCH jamming will cause ACKs to not reach the eNodeB, resulting in retransmissions and further degradation of service. The last type of control rg information sent on the PUCCH is channel state information, which is used by the UEs to send .o the eNodeB information about the channel quality. The eNodeB uses this information to assign subcarriers to users that experience better channel conditions on the corresponding frequencies, le as well as choose which modulation scheme to use. As in the ACK indicators, the information is ug sent to the eNodeB through modulation with a UE-specific sequence, which is then scrambled and cyclically shifted. The corruption of channel quality information is not as detrimental to the eb LTE service as missed ACKs, but it is likely to help accelerate the process of causing DOS. lu PUCCH jamming offers roughly 5 dB of gain compared to barrage jamming, because the jammer can focus its energy into the control channel subcarriers. .b w Conclusion w These comments describe extremely effective attacks can be realized, using fairly low w complexity. It would be in the interest of public safety to take measures to reduce the vulnerability of Public Safety LTE, and lower the likelihood of an effective jamming attack. Certainly there are important cost advantage of keeping the public safety LTE system compatible with commercial devices and systems. Seeking solutions that achieve this compatibility while
providing protection are desirable. We thank you for considering our views, and are eager to address any subsequent questions. References [1] Matthew Baker and Tim Moulsley. Downlink physical data and control channels. In Stefania Sesia, Issam Toufik, and Matthew Baker, editors, LTE, The UMTS Long Term Evolution: From rg Theory to Practice, chapter 9. John Wiley & Sons Ltd, Chichester, West Sussex, United .o Kingdom, second edition, 2011. [2] 3GPP Technical Report 36.211, “Physical Channels and Modulation”, www.3gpp.org. le ug eb Dr. Jeffrey H. Reed Marc Lichtman Willis G. Worcester Professor Graduate Research Assistant lu Director of Wireless @ Virginia Tech Virginia Tech Virginia Tech .b w w w

Recommandé

4 G Paper Presentation
4 G Paper Presentation4 G Paper Presentation
4 G Paper Presentationguestac67362
 
Wireless Presentation for UT in Silicon Valley 2013
Wireless Presentation for UT in Silicon Valley 2013Wireless Presentation for UT in Silicon Valley 2013
Wireless Presentation for UT in Silicon Valley 2013Cockrell School
 
Bluetooth Technology In Wireless Communications
Bluetooth Technology In Wireless CommunicationsBluetooth Technology In Wireless Communications
Bluetooth Technology In Wireless Communicationsguestac67362
 
Network design for_ip_convergence[1]
Network design for_ip_convergence[1]Network design for_ip_convergence[1]
Network design for_ip_convergence[1]Jaison
 
Impact of security breach on the upstream delay performance of next generatio...
Impact of security breach on the upstream delay performance of next generatio...Impact of security breach on the upstream delay performance of next generatio...
Impact of security breach on the upstream delay performance of next generatio...journalBEEI
 
Suman Jlt
Suman JltSuman Jlt
Suman JltShahab Shahid
 
Cognitive Radio Networks
Cognitive Radio NetworksCognitive Radio Networks
Cognitive Radio NetworksSeshagiri Rao Kornepati
 
Bluetooth global-technology 170
Bluetooth global-technology 170Bluetooth global-technology 170
Bluetooth global-technology 170manasanreddy
 

Recommandé

4 G Paper Presentation
4 G Paper Presentation4 G Paper Presentation
4 G Paper Presentationguestac67362
 
Wireless Presentation for UT in Silicon Valley 2013
Wireless Presentation for UT in Silicon Valley 2013Wireless Presentation for UT in Silicon Valley 2013
Wireless Presentation for UT in Silicon Valley 2013Cockrell School
 
Bluetooth Technology In Wireless Communications
Bluetooth Technology In Wireless CommunicationsBluetooth Technology In Wireless Communications
Bluetooth Technology In Wireless Communicationsguestac67362
 
Network design for_ip_convergence[1]
Network design for_ip_convergence[1]Network design for_ip_convergence[1]
Network design for_ip_convergence[1]Jaison
 
Impact of security breach on the upstream delay performance of next generatio...
Impact of security breach on the upstream delay performance of next generatio...Impact of security breach on the upstream delay performance of next generatio...
Impact of security breach on the upstream delay performance of next generatio...journalBEEI
 
Suman Jlt
Suman JltSuman Jlt
Suman JltShahab Shahid
 
Cognitive Radio Networks
Cognitive Radio NetworksCognitive Radio Networks
Cognitive Radio NetworksSeshagiri Rao Kornepati
 
Bluetooth global-technology 170
Bluetooth global-technology 170Bluetooth global-technology 170
Bluetooth global-technology 170manasanreddy
 
Ite pc v40_chapter13
Ite pc v40_chapter13Ite pc v40_chapter13
Ite pc v40_chapter13Nada Ariff
 
ece1543_project
ece1543_projectece1543_project
ece1543_projectZhenyuan Bo, P.Eng., M.Eng., B.A.Sc.
 
Machine learning based lightweight interference mitigation scheme for wireles...
Machine learning based lightweight interference mitigation scheme for wireles...Machine learning based lightweight interference mitigation scheme for wireles...
Machine learning based lightweight interference mitigation scheme for wireles...TELKOMNIKA JOURNAL
 
IRJET- Device for Location Finder and Text Reader for Visually Impaired P...
IRJET- Device for Location Finder and Text Reader for Visually Impaired P...IRJET- Device for Location Finder and Text Reader for Visually Impaired P...
IRJET- Device for Location Finder and Text Reader for Visually Impaired P...IRJET Journal
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
X25119123
X25119123X25119123
X25119123IJERA Editor
 
Lecture1
Lecture1Lecture1
Lecture1sameena29
 
Session6 Security Emidio
Session6 Security EmidioSession6 Security Emidio
Session6 Security EmidioISSGC Summer School
 
Report
ReportReport
ReportSaikiran Gorti
 
Takeshi kato
Takeshi katoTakeshi kato
Takeshi katosafaeinfo
 
Colocube 56 Marietta Facility Specs
Colocube 56 Marietta Facility SpecsColocube 56 Marietta Facility Specs
Colocube 56 Marietta Facility Specslynnkuroski
 
Jh2516461655
Jh2516461655Jh2516461655
Jh2516461655IJERA Editor
 
report
reportreport
reportRishabh Hastu
 
Wi fi bestpractice
Wi fi bestpracticeWi fi bestpractice
Wi fi bestpracticebospl
 
Nokia lumia 920 apology
Nokia lumia 920 apologyNokia lumia 920 apology
Nokia lumia 920 apologyLenin Nair
 
Helping you to help me
Helping you to help meHelping you to help me
Helping you to help meKat Chuang
 
Google apologizes jews
Google apologizes jewsGoogle apologizes jews
Google apologizes jewsLenin Nair
 
Steve jobs about iphone
Steve jobs about iphoneSteve jobs about iphone
Steve jobs about iphoneLenin Nair
 
Zuckerburg about beacon
Zuckerburg about beaconZuckerburg about beacon
Zuckerburg about beaconLenin Nair
 
Iayf (provided by bluebugle.org)
Iayf (provided by bluebugle.org)Iayf (provided by bluebugle.org)
Iayf (provided by bluebugle.org)Lenin Nair
 
The adventure of red circle
The adventure of red circleThe adventure of red circle
The adventure of red circleLenin Nair
 
Interference Revelation in Mobile Ad-hoc Networks and Confrontation
Interference Revelation in Mobile Ad-hoc Networks and ConfrontationInterference Revelation in Mobile Ad-hoc Networks and Confrontation
Interference Revelation in Mobile Ad-hoc Networks and Confrontationirjes
 

Contenu connexe

Tendances

Ite pc v40_chapter13
Ite pc v40_chapter13Ite pc v40_chapter13
Ite pc v40_chapter13Nada Ariff
 
Machine learning based lightweight interference mitigation scheme for wireles...
Machine learning based lightweight interference mitigation scheme for wireles...Machine learning based lightweight interference mitigation scheme for wireles...
Machine learning based lightweight interference mitigation scheme for wireles...TELKOMNIKA JOURNAL
 
IRJET- Device for Location Finder and Text Reader for Visually Impaired P...
IRJET- Device for Location Finder and Text Reader for Visually Impaired P...IRJET- Device for Location Finder and Text Reader for Visually Impaired P...
IRJET- Device for Location Finder and Text Reader for Visually Impaired P...IRJET Journal
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
Takeshi kato
Takeshi katoTakeshi kato
Takeshi katosafaeinfo
 
Colocube 56 Marietta Facility Specs
Colocube 56 Marietta Facility SpecsColocube 56 Marietta Facility Specs
Colocube 56 Marietta Facility Specslynnkuroski
 
Wi fi bestpractice
Wi fi bestpracticeWi fi bestpractice
Wi fi bestpracticebospl
 

Tendances (14)

Ite pc v40_chapter13
Ite pc v40_chapter13Ite pc v40_chapter13
Ite pc v40_chapter13
 
ece1543_project
ece1543_projectece1543_project
ece1543_project
 
Machine learning based lightweight interference mitigation scheme for wireles...
Machine learning based lightweight interference mitigation scheme for wireles...Machine learning based lightweight interference mitigation scheme for wireles...
Machine learning based lightweight interference mitigation scheme for wireles...
 
IRJET- Device for Location Finder and Text Reader for Visually Impaired P...
IRJET- Device for Location Finder and Text Reader for Visually Impaired P...IRJET- Device for Location Finder and Text Reader for Visually Impaired P...
IRJET- Device for Location Finder and Text Reader for Visually Impaired P...
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
X25119123
X25119123X25119123
X25119123
 
Lecture1
Lecture1Lecture1
Lecture1
 
Session6 Security Emidio
Session6 Security EmidioSession6 Security Emidio
Session6 Security Emidio
 
Report
ReportReport
Report
 
Takeshi kato
Takeshi katoTakeshi kato
Takeshi kato
 
Colocube 56 Marietta Facility Specs
Colocube 56 Marietta Facility SpecsColocube 56 Marietta Facility Specs
Colocube 56 Marietta Facility Specs
 
Jh2516461655
Jh2516461655Jh2516461655
Jh2516461655
 
report
reportreport
report
 
Wi fi bestpractice
Wi fi bestpracticeWi fi bestpractice
Wi fi bestpractice
 

En vedette

Nokia lumia 920 apology
Nokia lumia 920 apologyNokia lumia 920 apology
Nokia lumia 920 apologyLenin Nair
 
Helping you to help me
Helping you to help meHelping you to help me
Helping you to help meKat Chuang
 
Google apologizes jews
Google apologizes jewsGoogle apologizes jews
Google apologizes jewsLenin Nair
 
Steve jobs about iphone
Steve jobs about iphoneSteve jobs about iphone
Steve jobs about iphoneLenin Nair
 
Zuckerburg about beacon
Zuckerburg about beaconZuckerburg about beacon
Zuckerburg about beaconLenin Nair
 
Iayf (provided by bluebugle.org)
Iayf (provided by bluebugle.org)Iayf (provided by bluebugle.org)
Iayf (provided by bluebugle.org)Lenin Nair
 
The adventure of red circle
The adventure of red circleThe adventure of red circle
The adventure of red circleLenin Nair
 

En vedette (7)

Nokia lumia 920 apology
Nokia lumia 920 apologyNokia lumia 920 apology
Nokia lumia 920 apology
 
Helping you to help me
Helping you to help meHelping you to help me
Helping you to help me
 
Google apologizes jews
Google apologizes jewsGoogle apologizes jews
Google apologizes jews
 
Steve jobs about iphone
Steve jobs about iphoneSteve jobs about iphone
Steve jobs about iphone
 
Zuckerburg about beacon
Zuckerburg about beaconZuckerburg about beacon
Zuckerburg about beacon
 
Iayf (provided by bluebugle.org)
Iayf (provided by bluebugle.org)Iayf (provided by bluebugle.org)
Iayf (provided by bluebugle.org)
 
The adventure of red circle
The adventure of red circleThe adventure of red circle
The adventure of red circle
 

Similaire à Virginia Tech's response to FirstNet NOI

Interference Revelation in Mobile Ad-hoc Networks and Confrontation
Interference Revelation in Mobile Ad-hoc Networks and ConfrontationInterference Revelation in Mobile Ad-hoc Networks and Confrontation
Interference Revelation in Mobile Ad-hoc Networks and Confrontationirjes
 
A Review on - Comparative Study of Issues in Cellular, Sensor and Adhoc Networks
A Review on - Comparative Study of Issues in Cellular, Sensor and Adhoc NetworksA Review on - Comparative Study of Issues in Cellular, Sensor and Adhoc Networks
A Review on - Comparative Study of Issues in Cellular, Sensor and Adhoc Networkscscpconf
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)ijceronline
 
A Study And Analysis On Computer Network Topology For Data Communication
A Study And Analysis On Computer Network Topology For Data CommunicationA Study And Analysis On Computer Network Topology For Data Communication
A Study And Analysis On Computer Network Topology For Data CommunicationAmy Roman
 
PHYSICAL LAYER SECURITY OF OPTICAL NETWORKS.pdf
PHYSICAL LAYER SECURITY OF OPTICAL NETWORKS.pdfPHYSICAL LAYER SECURITY OF OPTICAL NETWORKS.pdf
PHYSICAL LAYER SECURITY OF OPTICAL NETWORKS.pdfadeel paracha
 
Performance of symmetric and asymmetric links in wireless networks
Performance of symmetric and asymmetric links in wireless networks Performance of symmetric and asymmetric links in wireless networks
Performance of symmetric and asymmetric links in wireless networks IJECEIAES
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)theijes
 
Routing security in ad hoc wireless network
Routing security in ad hoc wireless networkRouting security in ad hoc wireless network
Routing security in ad hoc wireless networkElanthendral Mariappan
 
Data Rates Performance Analysis of Point to Multi-Point Wireless Link in Univ...
Data Rates Performance Analysis of Point to Multi-Point Wireless Link in Univ...Data Rates Performance Analysis of Point to Multi-Point Wireless Link in Univ...
Data Rates Performance Analysis of Point to Multi-Point Wireless Link in Univ...IRJET Journal
 
Dr2645024509
Dr2645024509Dr2645024509
Dr2645024509IJMER
 
A STRATEGY FOR DEFENDING PACKETS AGAINST RECOGNIZED INTERNAL JAMMERS IN WIREL...
A STRATEGY FOR DEFENDING PACKETS AGAINST RECOGNIZED INTERNAL JAMMERS IN WIREL...A STRATEGY FOR DEFENDING PACKETS AGAINST RECOGNIZED INTERNAL JAMMERS IN WIREL...
A STRATEGY FOR DEFENDING PACKETS AGAINST RECOGNIZED INTERNAL JAMMERS IN WIREL...pharmaindexing
 
Brill Torts Outline
Brill Torts OutlineBrill Torts Outline
Brill Torts OutlineAmy Moore
 
Black hole and greyhole attack in wireless mesh network
Black hole and greyhole attack in wireless mesh networkBlack hole and greyhole attack in wireless mesh network
Black hole and greyhole attack in wireless mesh networkAnbarasu S
 
A Comprehensive Study on Vehicular Ad-Hoc Delay Tolerant Networking for Infra...
A Comprehensive Study on Vehicular Ad-Hoc Delay Tolerant Networking for Infra...A Comprehensive Study on Vehicular Ad-Hoc Delay Tolerant Networking for Infra...
A Comprehensive Study on Vehicular Ad-Hoc Delay Tolerant Networking for Infra...inventionjournals
 
Introduction to Mobile adhoc-network
Introduction to Mobile adhoc-networkIntroduction to Mobile adhoc-network
Introduction to Mobile adhoc-networkSanjeev Kumar Jaiswal
 

Similaire à Virginia Tech's response to FirstNet NOI (20)

Interference Revelation in Mobile Ad-hoc Networks and Confrontation
Interference Revelation in Mobile Ad-hoc Networks and ConfrontationInterference Revelation in Mobile Ad-hoc Networks and Confrontation
Interference Revelation in Mobile Ad-hoc Networks and Confrontation
 
A Review on - Comparative Study of Issues in Cellular, Sensor and Adhoc Networks
A Review on - Comparative Study of Issues in Cellular, Sensor and Adhoc NetworksA Review on - Comparative Study of Issues in Cellular, Sensor and Adhoc Networks
A Review on - Comparative Study of Issues in Cellular, Sensor and Adhoc Networks
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)
 
A Study And Analysis On Computer Network Topology For Data Communication
A Study And Analysis On Computer Network Topology For Data CommunicationA Study And Analysis On Computer Network Topology For Data Communication
A Study And Analysis On Computer Network Topology For Data Communication
 
PHYSICAL LAYER SECURITY OF OPTICAL NETWORKS.pdf
PHYSICAL LAYER SECURITY OF OPTICAL NETWORKS.pdfPHYSICAL LAYER SECURITY OF OPTICAL NETWORKS.pdf
PHYSICAL LAYER SECURITY OF OPTICAL NETWORKS.pdf
 
Performance of symmetric and asymmetric links in wireless networks
Performance of symmetric and asymmetric links in wireless networks Performance of symmetric and asymmetric links in wireless networks
Performance of symmetric and asymmetric links in wireless networks
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
 
Routing security in ad hoc wireless network
Routing security in ad hoc wireless networkRouting security in ad hoc wireless network
Routing security in ad hoc wireless network
 
Data Rates Performance Analysis of Point to Multi-Point Wireless Link in Univ...
Data Rates Performance Analysis of Point to Multi-Point Wireless Link in Univ...Data Rates Performance Analysis of Point to Multi-Point Wireless Link in Univ...
Data Rates Performance Analysis of Point to Multi-Point Wireless Link in Univ...
 
Dr2645024509
Dr2645024509Dr2645024509
Dr2645024509
 
A STRATEGY FOR DEFENDING PACKETS AGAINST RECOGNIZED INTERNAL JAMMERS IN WIREL...
A STRATEGY FOR DEFENDING PACKETS AGAINST RECOGNIZED INTERNAL JAMMERS IN WIREL...A STRATEGY FOR DEFENDING PACKETS AGAINST RECOGNIZED INTERNAL JAMMERS IN WIREL...
A STRATEGY FOR DEFENDING PACKETS AGAINST RECOGNIZED INTERNAL JAMMERS IN WIREL...
 
Topology
TopologyTopology
Topology
 
E42043640
E42043640E42043640
E42043640
 
Brill Torts Outline
Brill Torts OutlineBrill Torts Outline
Brill Torts Outline
 
Md ux mza5mtg=14
Md ux mza5mtg=14Md ux mza5mtg=14
Md ux mza5mtg=14
 
Black hole and greyhole attack in wireless mesh network
Black hole and greyhole attack in wireless mesh networkBlack hole and greyhole attack in wireless mesh network
Black hole and greyhole attack in wireless mesh network
 
A Comprehensive Study on Vehicular Ad-Hoc Delay Tolerant Networking for Infra...
A Comprehensive Study on Vehicular Ad-Hoc Delay Tolerant Networking for Infra...A Comprehensive Study on Vehicular Ad-Hoc Delay Tolerant Networking for Infra...
A Comprehensive Study on Vehicular Ad-Hoc Delay Tolerant Networking for Infra...
 
A Survey of Security Approaches for Wireless Adhoc Networks
A Survey of Security Approaches for Wireless Adhoc NetworksA Survey of Security Approaches for Wireless Adhoc Networks
A Survey of Security Approaches for Wireless Adhoc Networks
 
331 340
331 340331 340
331 340
 
Introduction to Mobile adhoc-network
Introduction to Mobile adhoc-networkIntroduction to Mobile adhoc-network
Introduction to Mobile adhoc-network
 

Dernier

Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 

Dernier (20)

Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 

Virginia Tech's response to FirstNet NOI

  • 1. Wireless @ Virginia Tech 432 Durham Hall (0350) College of Engineering Blacksburg, Virginia 24061 540/231-2958 Fax: 540/231-2968 www.wireless.vt.edu November 8, 2012 Lawrence Strickling Assistant Secretary for Communications and Information Department of Commerce 1401 Constitution Avenue NW HCHB Room 7324 Washington DC 20230 rg Att: FirstNet Conceptual Network NOI .o Enclosed we provide a brief response to the FirstNet NOI regarding the conceptual network architecture. The focus on our comments is on the information assurance aspects of LTE and le contains a summary of some of our preliminary analysis. This work is still in progress and we would be pleased to share details of our current and future findings on this issue. Sincerely, ug eb Dr. Jeffrey H. Reed lu Director, Wireless@ Virginia Tech .b w w w Invent the Fut ur e V I R G I N I A P O L Y T E C H N I C I N S T IT U T E A N D S T A T E U N I V E R S IT Y An equ al op port unity, affirm ative actio n institu tion
  • 2. BEFORE THE DEPARTMENT OF COMMERCE In the Matter of ) ) National Telecommunications and ) Information Administration ) Docket No. 120928505–2505–01 ) RIN 0660–XC002 Development of the Nationwide ) Interoperable Public Safety Broadband ) rg Network ) .o COMMENTS OF WIRELESS @ VIRGINIA TECH le Dr. Jeffrey H. Reed Marc Lichtman Willis G. Worcester Professor Graduate Research Assistant Director of Wireless @ Virginia Tech 432 Durham Hall, MC0350 1145 Perry Street ug Virginia Tech marcll@vt.edu Blacksburg, VA 24061 eb reedjh@vt.edu (540) 231 2972 lu .b INTRODUCTION AND EXECUTIVE SUMMARY w The Wireless @ Virginia Tech research group appreciates the opportunity to respond to the National Telecommunications and Information Administration (NTIA) request for comments w on the Development of the Nationwide Interoperable Public Safety Broadband Network. This w comment is regarding the vulnerability of LTE to intentional and sophisticated jamming attacks. If LTE technology is to be used for the air interface of the public safety network, then we should consider the types of jamming attacks that could occur five or ten years from now. It is very possible for radio jamming to accompany a terrorist attack, for the purpose of preventing communications and increasing destruction. Likewise it is possible for criminal organizations to
  • 3. create mayhem among public safety personnel by jamming. In addition, it is possible for a jammer to increase its effectiveness by employing a sophisticated strategy. This is especially likely when every technical aspect of the target signal is known. An example strategy would be to target specific control or synchronization signals, in order to increase the geographic range of the jammer and better avoid detection. The availability of low-cost and easy to use software- defined radios makes this threat even more realistic. rg Preliminary research has been performed to show the extent to which LTE is vulnerable .o to jamming. It was shown that extremely effective attacks can be realized, using fairly low complexity. It would be in the interest of public safety to put forth an effort to find solutions to le the described problem, and ultimately improve the wireless interface of Public Safety LTE. ug Preliminary Research eb In order to show the vulnerability of the LTE wireless interface to jamming, we present a lu series of efficient attacks that are designed to cause denial of service to one or more LTE cells. .b Each attack targets one or more LTE subsystems, either in the downlink or uplink signal. The selected attacks described below represent a balance between effectiveness and complexity. w w Synchronization Signal Jamming (SSJ): When a UE wants to connect to an eNodeB, it has to w first go through a series of synchronization steps. First, it detects the Primary Synchronization Signal (PSS) which allows the UE to synchronize to each slot and gives it the cell ID. Next, it detects the Secondary Synchronization Signal (SSS) which tells the UE the cell ID group, which method of duplexing is used, and the cyclic prefix length. The SSS also allows the UE to detect when each radio frame starts. Both the PSS and SSS are mapped to the central 62 subcarriers
  • 4. (not including the DC subcarrier). After synchronizing with the PSS and SSS, the UE receives more information about the cell by decoding the Master Information Block (MIB). The MIB contains information essential for initial access to a cell [1]. It consists of 14 bits that contain the downlink system bandwidth, the Physical Control Format Indicator Channel (PHICH) size, and information allowing frame synchronization. It is mapped to the central 72 subcarriers, and appears in slot 1 of each frame. The three signals are not present in all ten subframes, but they rg are always mapped to the same subcarriers. .o The Synchronization Signal Jamming (SSJ) attack is designed to deny the UE access to the PSS, SSS, and MIB. The jamming waveform used for the SSJ attack is noise that spans the le center 73 subcarriers. The DC subcarrier is included for the sake of complexity, even though it ug does not contain information. The SSJ attack does not involve jamming specific symbols (it uses a 100% duty cycle), so the jammer does not have to be synchronized to the eNodeB. The SSJ eb attack is simply a brute force method of denying the UE three different mechanisms that it needs lu to access a cell. The act of only jamming certain subcarriers allows the SSJ attack to have roughly a 3 dB gain over traditional barrage jamming, which can be thought of as an increase in .b jamming radius for a jammer that is power constrained. w w Primary Synchronization Signal Jamming: Detecting the PSS is the first step a UE takes in w accessing a cell. The PSS uses a sequence length of 63, and the center element is nulled because the downlink DC subcarrier is never used for transmission. There are three PSS sequences used in LTE, and each one corresponds to one of the three sectors. The UE must detect the PSS without any knowledge of the channel, so it finds the timing offset that corresponds to the
  • 5. maximum cross-correlation for each of the three sequences, and uses it to synchronize in the time domain. For FDD, the PSS only occurs in slots 0 and 10 (there are 20 total slots per frame). The SSJ attack discussed previously injects noise into the subcarriers that contain the PSS. An attack that only targets the PSS can be realized by only jamming the symbols that contain the PSS. However, the jammer would have to cause a fairly high jammer-to-signal ratio, because the PSS is designed to be detected at high interference levels, so that the UE can also rg detect neighboring cells. .o A more effective method of causing a PSS attack would be to simply transmit one of the three PSS sequences, and thus create a bogus PSS. If the jammers received power at the UE is le greater than the eNodeB's, then the UE is most likely going to synchronize to the bogus PSS. ug This is because a cross-correlation process is used to detect the PSS non-coherently. A jammer using this method would not need receiving capability, because it would simply start the bogus eb PSS transmission at a random time, leading to uniformly distributed timing relative to the correct lu PSS signal. If the UE synchronized to the bogus PSS, then is not synchronized in time to the eNodeB, and it will not know when each OFDM symbol starts, and hence will not be able to .b detect the SSS or decode the MIB. w This attack appears to work, until considering the cell reselection procedure. If a cell w does not provide a certain level of quality, then the UE begins the cell reselection procedure, w where it tries to access the cell with the next strongest signal. The solution is to spoof all three PSS sequences. A jammer transmitting three bogus PSSs only has to transmit six symbols in every frame, on 62 subcarriers. A downside to PSS jamming is that it will not immediately cause Denial of Service (DOS). It will prevent new UEs from accessing the cell(s), and cause UEs in idle mode to reselect a bogus cell. Therefore PSS jamming is not effective for an attack
  • 6. intended on causing immediate DOS. However, it is sufficient for an attack that will last a long period of time. Because the jammer barely has to transmit anything, the PSS jamming attack offers roughly 20 dB of gain relative to the barrage jamming attack. This results in an extremely efficient jammer. Fortunately, this type of attack can be prevented by employing a cell reselection implementation that is able to blacklist “bogus synchronization signals”, by keeping track of the rg time-delay in the cross-correlation. Although this is not required by the LTE specifications, .o adding this type of mitigation may be worthwhile in Public Safety UE. le Physical Uplink Control Channel Jamming: The Physical Uplink Control Channel (PUCCH) ug is used to send the eNodeB a variety of control information, including scheduling requests, Hybrid Automatic Repeat Request (HARQ) acknowledgements, and channel quality indicators. eb The PUCCH is mapped to the resource blocks on the edges of the system bandwidth. These lu resource blocks are evenly split between the two edges of the system bandwidth, and the UE rapidly alternates between the two sets of resource blocks, for the purpose of frequency diversity. .b When a UE is transmitting on the PUCCH it is not transmitting anything else [2]. This allows w PUCCH jamming to be feasible, even with SC-FDMA in use. PUCCH jamming is possible w when the only a priori knowledge is the system bandwidth and location in the uplink signal in the w frequency domain. The signal sent on the PUCCH by the UE depends on the type of information it wants to send. For scheduling requests, all the UE has to do is transmit energy in its assigned slot. This causes the eNodeB to assign the specific UE additional uplink resources. This means PUCCH jamming will cause the eNodeB to assign every active UE additional uplink resources (which
  • 7. they probably do not need), and cause degradation of service. The signal transmitted by the UE for ACK and NACK responses is not as straightforward; it involves modulating the ACK or NACK indicator onto a predefined sequence which is then cyclically shifted and scrambled. This system is meant to allow multiple PUCCH transmissions to exist in the same time and frequency slot. Successful PUCCH jamming will cause ACKs to not reach the eNodeB, resulting in retransmissions and further degradation of service. The last type of control rg information sent on the PUCCH is channel state information, which is used by the UEs to send .o the eNodeB information about the channel quality. The eNodeB uses this information to assign subcarriers to users that experience better channel conditions on the corresponding frequencies, le as well as choose which modulation scheme to use. As in the ACK indicators, the information is ug sent to the eNodeB through modulation with a UE-specific sequence, which is then scrambled and cyclically shifted. The corruption of channel quality information is not as detrimental to the eb LTE service as missed ACKs, but it is likely to help accelerate the process of causing DOS. lu PUCCH jamming offers roughly 5 dB of gain compared to barrage jamming, because the jammer can focus its energy into the control channel subcarriers. .b w Conclusion w These comments describe extremely effective attacks can be realized, using fairly low w complexity. It would be in the interest of public safety to take measures to reduce the vulnerability of Public Safety LTE, and lower the likelihood of an effective jamming attack. Certainly there are important cost advantage of keeping the public safety LTE system compatible with commercial devices and systems. Seeking solutions that achieve this compatibility while
  • 8. providing protection are desirable. We thank you for considering our views, and are eager to address any subsequent questions. References [1] Matthew Baker and Tim Moulsley. Downlink physical data and control channels. In Stefania Sesia, Issam Toufik, and Matthew Baker, editors, LTE, The UMTS Long Term Evolution: From rg Theory to Practice, chapter 9. John Wiley & Sons Ltd, Chichester, West Sussex, United .o Kingdom, second edition, 2011. [2] 3GPP Technical Report 36.211, “Physical Channels and Modulation”, www.3gpp.org. le ug eb Dr. Jeffrey H. Reed Marc Lichtman Willis G. Worcester Professor Graduate Research Assistant lu Director of Wireless @ Virginia Tech Virginia Tech Virginia Tech .b w w w