This article was authored by John C. Tanner, and was originally posted on telecomasia.net.
ITEM: Researchers claim that LTE base stations can be jammed and shut down with a simple trick and a cheap transmitter.
According to a paper [PDF] written by a wireless research group at Virginia Tech and filed with the National Telecommunications and Information Administration last week, someone could effectively shut down a large LTE base station using a laptop and a $650 battery-operated transmitter aimed at small portions of the LTE signal.
The vulnerability exploits the fact that LTE signals rely on control instructions such as time and frequency synchronization that amount to less than 1% of the overall signal, Technology Review reports:
“Your phone is constantly syncing with the base station” in order to effectively carry and assemble bits of information that make up, say, a photo or a video, says [Marc] Lichtman, a graduate research assistant who cowrote the study. “If you can disrupt that synchronization, you will not be able to send or receive data.”
There are seven other such weak points, the researchers say, any one of which could be used to jam an LTE signal with a low-power transmitter. “There are multiple weak spots—about eight different attacks are possible. The LTE signal is very complex, made up of many subsystems, and in each case, if you take out one subsystem, you take out the entire base station.”
The study raises concerns about the vulnerability of public safety networks using LTE, a topic the NTIA has been seeking comments on (and for which the paper was submitted).
The good news for LTE operators is that the attack is not as practical or as easy as media reports might make it sound, according to Extreme Tech:
The authors of the paper note that the UE [i.e. the LTE device] has to detect towers even with high levels of interference, and a jammer being able to overpower a tower’s signal would have to require a lot of power (probably more than it’s worth). Alternatively, sending bogus data could work, except that the user’s device will realize that the signal is worthless and drop it. Once it drops it, it will locate the nearest signal that will work properly. The UE will continue to do this until it gets a working signal. The amount of effort required to pull this off successfully is prohibitively large. However, it would be still doable unless the UE maintains a list of bogus signals and begins ignoring them and filtering them out (which is feasible to implement). Consequently, it would be very hard to do an effective denial of service attack using this vulnerability.
That said, “difficult” doesn't mean “impossible” – the research authors describe the study as “preliminary analysis” of the problem, and recommend further research in order to work out optimal long-term solutions to protect against jamming attacks.