Run Away If You Can: Persistent Jamming Attacks against Channel Hopping Wi-Fi Devices in Dense Networks

  • Il-Gu Lee
  • Hyunwoo Choi
  • Yongdae Kim
  • Seungwon Shin
  • Myungchul Kim
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8688)


Wireless local area networks (WLANs) can adopt channel hopping technologies in order to avoid unintentional interferences such as radars or microwaves, which function as proactive jamming signals. Even though channel hopping technologies are effective against proactive types of jamming, it has been reported that reactive jammers could attack the targets through scanning busy channels. In this paper, we demonstrate that reactive jamming is only effective against channel hopping Wi-Fi devices in non-dense networks and that it is not effective in dense networks. Then, we propose a new jamming attack called “persistent jamming”, which is a modified reactive jamming that is effective in dense networks. The proposed persistent jamming attack can track a device that switches channels using the following two features, and it can attack the specific target or a target group of devices. The first feature is that the proposed attack can use the partial association ID (PAID), which is included for power saving in the IEEE 802.11ac/af/ah frame headers, to track and jam the targets. The second feature is that it is possible to attack persistently based on device fingerprints in IEEE 802.11a/b/g/n legacy devices. Our evaluation results demonstrate that the proposed persistent jamming can improve the attack efficiency by approximately 80% in dense networks compared with the reactive jamming scheme, and it can also shut down the communication link of the target nodes using 20 dBm of jamming power and a 125 ms response time.


Keywords: WLAN, jamming, channel hopping, device tracking, ID, fingerprint, security





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Il-Gu Lee (1)
  • Hyunwoo Choi (1)
  • Yongdae Kim (1)
  • Seungwon Shin (1)
  • Myungchul Kim (1)

  1. Graduate School of Information Security, Korea Advanced Institute of Science and Technology (KAIST), Daejeon, Republic of Korea
