Author Topic: Detecting WiFi jamming used to knock out security systems  (Read 1105 times)


Offline 5U4GBTopic starter

  • Frequent Contributor
  • **
  • Posts: 391
  • Country: au
Detecting WiFi jamming used to knock out security systems
« on: March 14, 2024, 11:34:28 am »
Just a thought experiment, inspired by yet another story about burglars using WiFi jamming to knock out security systems.  These stories tend to pop up from time to time, this is just the latest one. Unfortunately the reports don't mention what type of jammer is being used or even whether it's just an older story that's been recycled yet again, whether the tech is just a dumb blanket-the-frequency-range-with-noise or a smarter WiFi-knowledgeable one that sends dummy traffic or deauth packets.  The Aliexpress ones just seem to be dumb interference-generators, e.g. this sort (later photos show the spectrum plot) which presumably you plug into a USB power bank. 

For deauth jammers, the operation is described here.

So how would you detect this in a non-false-positive manner?  For the simpler blanket-with-noise style I was thinking an ESP32 that periodically scans each channel and reports possible jamming if every channel is saturated with noise.

Identifying deauth attacks seems a lot more difficult since you'd have to be listening in when the deauth happens, I assume that'd need to be done on the AP since that'll always see the deauth packets as they're targeted at it.

And yes, I'm aware of 802.11w but that seems to be implemented in a hit-and-miss fashion, in particular there's a vast amount of IoT gunk around that doesn't support it so won't be able to connect if the AP forces its use and so most APs that do support it disable it by default, also this question is more of a thought experiment about how you'd reliably detect something like this.
 

Offline ddosegov

  • Contributor
  • Posts: 16
  • Country: hr
Re: Detecting WiFi jamming used to knock out security systems
« Reply #1 on: March 14, 2024, 12:01:25 pm »
For jamming, best solution is usually simplest one... Z-comm vco driven by NE555 and amplified with some MMIC, all powered from 9V battery fits cigarette-box sized case and does not require any user interaction after flipping on-off switch. Detection can be made with spectrum analyzer or SDR... or any recorder that has video loss detection.

 

Offline jonpaul

  • Super Contributor
  • ***
  • Posts: 3366
  • Country: fr
Re: Detecting WiFi jamming used to knock out security systems
« Reply #2 on: March 14, 2024, 12:27:11 pm »
True security requires Ethernet or wired connections, NO WiFi and airgap to net.

Anything else is vulnerable.

j
Jean-Paul  the Internet Dinosaur
 

Online Berni

  • Super Contributor
  • ***
  • Posts: 4957
  • Country: si
Re: Detecting WiFi jamming used to knock out security systems
« Reply #3 on: March 14, 2024, 12:38:16 pm »
And this is why actual professional security camera systems use twisted pair or coax cables.

But yeah home users are too lazy to run some CAT5 (Even tho they have to run power anyway), so everyone ends up using WiFi.

One possible solution is to also record to a SD card so you at least still have footage in case of failure. Even modern professional security cameras tend to use this. They both send live video back to the security server over Ethernet while at the same time loop recording on a SD card inside the camera. That way if intruders start cutting wires or disable the server, the cameras are still recording as long as they still have power from the separate UPS backed up power circuit. So to destroy the security footage you need to both destroy the server and camera.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26907
  • Country: nl
    • NCT Developments
Re: Detecting WiFi jamming used to knock out security systems
« Reply #4 on: March 14, 2024, 02:03:41 pm »
For protocol attacks, an ESP32 could be a good option as this has all the radio & demodulation hardware + software stack. To check for wideband noise, you'll need an SDR. Maybe an ESP32 can be used to counter protocol attacks too by drawing the protocol attacks towards it so the actual WiFi signals are left alone.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6389
  • Country: ca
  • Non-expert
Re: Detecting WiFi jamming used to knock out security systems
« Reply #5 on: March 14, 2024, 08:58:19 pm »
For jamming, best solution is usually simplest one... Z-comm vco driven by NE555 and amplified with some MMIC, all powered from 9V battery fits cigarette-box sized case and does not require any user interaction after flipping on-off switch. Detection can be made with spectrum analyzer or SDR... or any recorder that has video loss detection.

As stated above, any decent security camera system has a video loss/tamper detection alert. Because yes, even on hardwired camera setups, the camera can still fail or can be spray painted and you want to be able to detect that.

Many wifi cams will also have an internal SD card, so it will record there as well as stream the footage.
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26907
  • Country: nl
    • NCT Developments
Re: Detecting WiFi jamming used to knock out security systems
« Reply #6 on: March 14, 2024, 09:12:11 pm »
Many wifi cams will also have an internal SD card, so it will record there as well as stream the footage.
IMHO that is pretty useless as people who have entered a building can easily and quietly remove the SD card. The best camera setup is hardwired and streams the video off-site directly. That way the footage is out of reach of people who enter a building.
« Last Edit: March 14, 2024, 09:14:14 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6389
  • Country: ca
  • Non-expert
Re: Detecting WiFi jamming used to knock out security systems
« Reply #7 on: March 14, 2024, 09:18:40 pm »
IMHO that is pretty useless as people who have entered a building can easily and quietly remove the SD card. The best camera setup is hardwired and streams the video off-site directly. That way the footage is out of reach of people who enter a building.

The SD card on hikvision cameras is inside the waterproof enclosure so is not easily removable. Especially when the camera is mounted high up on a wall as shown in the article.
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 

Offline NiHaoMike

  • Super Contributor
  • ***
  • Posts: 9019
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: Detecting WiFi jamming used to knock out security systems
« Reply #8 on: March 14, 2024, 10:56:58 pm »
But yeah home users are too lazy to run some CAT5 (Even tho they have to run power anyway), so everyone ends up using WiFi.
Most often they reuse the outdoor outlet or outdoor lighting circuit, so lots of work saved. Homeplug would be a great solution but Homeplug cameras aren't very common.
Cryptocurrency has taught me to love math and at the same time be baffled by it.

Cryptocurrency lesson 0: Altcoins and Bitcoin are not the same thing.
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4531
  • Country: au
    • send complaints here
Re: Detecting WiFi jamming used to knock out security systems
« Reply #9 on: March 15, 2024, 12:54:19 am »
So how would you detect this in a non-false-positive manner?
Why overcomplicate it: is the video camera returning images and sound?
yes) all good
no) go and investigate

What can you do if you detect interference?
 

Offline Andy Chee

  • Frequent Contributor
  • **
  • Posts: 686
  • Country: au
Re: Detecting WiFi jamming used to knock out security systems
« Reply #10 on: March 15, 2024, 04:02:10 am »
So how would you detect this in a non-false-positive manner?
If you are getting frequent false-positive signal dropouts, then you need to improve your installation.  Either use a few more WiFi repeaters, or use wired cameras.
 

Offline NiHaoMike

  • Super Contributor
  • ***
  • Posts: 9019
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: Detecting WiFi jamming used to knock out security systems
« Reply #11 on: March 15, 2024, 04:58:38 am »
I wonder if deauth attacks could be rendered ineffective with a few ESP32 generating packets to simulate lots of networks with devices, so that the deauther spends a lot of time deauthing devices that don't even exist.
Cryptocurrency has taught me to love math and at the same time be baffled by it.

Cryptocurrency lesson 0: Altcoins and Bitcoin are not the same thing.
 
The following users thanked this post: nctnico, 5U4GB

Offline JoeyG

  • Regular Contributor
  • *
  • Posts: 117
  • Country: au
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26907
  • Country: nl
    • NCT Developments
Re: Detecting WiFi jamming used to knock out security systems
« Reply #13 on: March 15, 2024, 07:46:41 am »
IMHO that is pretty useless as people who have entered a building can easily and quietly remove the SD card. The best camera setup is hardwired and streams the video off-site directly. That way the footage is out of reach of people who enter a building.

The SD card on hikvision cameras is inside the waterproof enclosure so is not easily removable. Especially when the camera is mounted high up on a wall as shown in the article.
A camera mounted high up is useless as criminals wear hats or hoodies. A high mounted camera won't catch their faces.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline 5U4GBTopic starter

  • Frequent Contributor
  • **
  • Posts: 391
  • Country: au
Re: Detecting WiFi jamming used to knock out security systems
« Reply #14 on: March 15, 2024, 12:32:24 pm »
For protocol attacks, an ESP32 could be a good option as this has all the radio & demodulation hardware + software stack. To check for wideband noise, you'll need an SDR. Maybe an ESP32 can be used to counter protocol attacks too by drawing the protocol attacks towards it so the actual WiFi signals are left alone.

Ah, good point, you could use them to tarpit attackers, or alternatively just to act as canaries to detect attacks.
 

Offline 5U4GBTopic starter

  • Frequent Contributor
  • **
  • Posts: 391
  • Country: au
Re: Detecting WiFi jamming used to knock out security systems
« Reply #15 on: March 15, 2024, 12:41:29 pm »
https://www.rcmodelreviews.com/wispy24i.shtml

Good idea, that would work, you can drive those from Linux using spectool so plug one into whatever Linux box you've got lying around and use spectool to pull the data off it.

An update, it looks like it's even simpler than that, nmcli will do this with
Code: [Select]
sudo nmcli dev wifi
Well, that took all the fun out of it, instead of playing with cool hardware it's just a few minutes of scripting an already-existing setup, and since it can act as a WiFi client it'll detect disassociation attacks as well.
« Last Edit: March 15, 2024, 01:21:38 pm by 5U4GB »
 

Offline ddosegov

  • Contributor
  • Posts: 16
  • Country: hr
Re: Detecting WiFi jamming used to knock out security systems
« Reply #16 on: March 15, 2024, 02:18:13 pm »
Just thinking what would microwave oven without mesh on the door mounted in car roof box do to nearby wireless devices? I fried wireless card in my laptop at 15ft (did that few times to be sure  ;) ) with less than 10W... ofc, powering microwave oven would require at least 1500W DC to AC converter, but that is not a rocket science....
 

Offline 5U4GBTopic starter

  • Frequent Contributor
  • **
  • Posts: 391
  • Country: au
Re: Detecting WiFi jamming used to knock out security systems
« Reply #17 on: March 27, 2024, 11:24:24 am »
Followup to my earlier post, looks like the best command is:
Code: [Select]
nmcli -t -f chan,signal dev wifi
which shows the channel and signal strength in machine-processable format.  Since most places will be surrounded by a 3-degree background radiation of neighbouring APs, detecting WiFi jamming should just require detecting a sudden change in the steady state as all the surrounding APs vanish.

Now I just need to figure out how to test this without access to the sort of WiFi jammer that it's meant to counter.  Is anyone in a country where you're allowed to run one of these for testing able to post what it does to surrounding WiFi signals?
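
Added example, not part of the thread and not any poster's code: one way to script the steady-state check described in the last post, by parsing the `nmcli -t -f chan,signal dev wifi` output and alarming only when the count of visible APs collapses against a rolling baseline for consecutive scans. The class name, thresholds and sample scans are assumptions constructed for illustration and would need tuning against a real site.

```python
import statistics
import subprocess
from collections import deque

def parse_scan(text):
    """Parse `nmcli -t -f chan,signal dev wifi` output into (channel, signal%) pairs."""
    aps = []
    for line in text.splitlines():
        chan, sep, signal = line.strip().partition(":")
        if sep and chan.isdigit() and signal.isdigit():   # skip malformed lines
            aps.append((int(chan), int(signal)))
    return aps

def live_scan():
    """Run the command from the post. nmcli may serve cached results between scans."""
    cmd = ["nmcli", "-t", "-f", "chan,signal", "dev", "wifi"]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    return parse_scan(out)

class JamDetector:
    """Flag a sudden, sustained collapse in the number of visible APs (hypothetical helper)."""
    def __init__(self, window=10, min_baseline=3, drop_ratio=0.25, confirm=2):
        self.history = deque(maxlen=window)   # AP counts from scans judged normal
        self.min_baseline = min_baseline      # too few neighbours: no usable steady state
        self.drop_ratio = drop_ratio          # alarm when count <= baseline * ratio
        self.confirm = confirm                # consecutive low scans required
        self.low_streak = 0

    def update(self, aps):
        count = len(aps)
        baseline = statistics.median(self.history) if self.history else 0
        warmed_up = len(self.history) >= 3 and baseline >= self.min_baseline
        if warmed_up and count <= baseline * self.drop_ratio:
            self.low_streak += 1              # keep suspect scans out of the baseline
        else:
            self.low_streak = 0
            self.history.append(count)
        return self.low_streak >= self.confirm

# Constructed sample scans, in nmcli terse format (channel:signal).
NORMAL = "1:72\n1:40\n6:65\n6:33\n11:58\n11:27\n"
THIN = "6:30\n"

def replay(scans):
    """Feed a sequence of raw scan outputs through a fresh detector."""
    det = JamDetector()
    return [det.update(parse_scan(s)) for s in scans]
```

A site with fewer than `min_baseline` neighbouring APs never reaches a usable steady state with this approach, so the detector stays silent there rather than raising false positives.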
 

