So when I saw the article in the MIT Technology Review yesterday, I knew there would be some hype around it. Fast forward about 24 hours and the hysteria machine has really started up; see for yourself in the Engadget and Fierce Wireless posts.
Their hysteria is that LTE networks are easy to jam using easily procured equipment; the number thrown out was $650. See this quote:
According to the research group’s director, Jeff Reed, a single malicious operative with a hot briefcase and a bit of know-how could take down “miles of LTE signals.” If the attacker splashed out on an amplifier, they could cut off reception for thousands of people across a whole city or region.
Addendum: This paper was created as a submission to NTIA regarding Public Safety LTE. It is here.
Well, that’s easy to take out of context. Any electromagnetic transmission is easy to block/jam when you think about it. So this type of hype brings out a huge irritation for me, and that’s the blogosphere’s copy/paste system to fill their sites and help generate page views. If a LASER is Light Amplified by Stimulated Emissions of Radiation, then HypASER blasts are due to Hype Amplification by Stimulated Emission of Ridiculousness.
OK, I’ll stop nagging…but the blogosphere is not helpful here.
I’ll explain my logic.
It’s not far-fetched to imagine hackers, terrorists, criminals or whoever actually doing this. The parts required are mostly off the shelf and the knowledge is easily obtainable. The approach described for LTE works the same way with GSM; CDMA/WCDMA is a bit more resistant but not immune. Creating noise in the RF domain, particularly in the channel of interest, happens all the time. For example, a war against Nth-order passive intermodulation (PIM), caused by shoddy work, bad cables, antennae or RF equipment, rusty bolts etc., is being fought now because operators realize the generated noise reduces throughput, which reduces data capacity and therefore limits revenue.
For LTE networks though, the laws of physics still prevail (in our universe), and a bad person with a jammer will likely be using low power or have low effective gain (hard to carry around a 9′ antenna all the time) if they are low to the ground (where maximum effect could be achieved). Again, not impossible at low power/gain, so you could say the sphere of influence is going to be very narrow if they target the eNB TX band. If they target the eNB RX band they may have more success, but its effectiveness is wholly dependent on the location of the UEs trying to communicate with the eNB. THIS IS NOT THOUSANDS UNLESS IN A WELL DEFINED/CONTROLLED ENVIRONMENT/VENUE LIKE A STADIUM POSSIBLY, AND IS VERY LIMITED IN SCOPE.
Let’s go further and say that the perpetrators have now worked out how to maximize their gain to compete with the nearly 1 kW ERP from the base stations. They’ve got to find a favorable (high) location and have lots of gain, so a huge antenna or high power or both. What spectrum are they broadcasting in?
Rogue transmitters at 700MHz may affect larger areas than, say, 2100MHz due to propagation characteristics. Either way, there is redundancy in most of the mobile world as networks are generally overlaid on a technology basis, so a failed 4G connection moves back to 3G.
So I thought it would be fun to review the many existing countermeasures that could be useful in defeating the perps. Firstly, there is physical redundancy: multiple networks, multiple LTE carriers, multiple sites, more MIMO (antennae). More spectrum to cover increases the perp’s setup complexity. They would need to deny 3G networks too. In most cases mobiles could search and find another network to serve them. More sites include Wi-Fi and small cells. Small cells alone could be a very, very effective countermeasure. They don’t have to be at the same channel bandwidths or MIMO ranks (e.g. 4×2, 4×4, 8×8 etc.), and could/should operate in different channels or even utilize TDD modes instead of FDD modes or vice versa. This in and of itself would be very difficult to overcome.
It should also be noted that a good defense would be detection. Sudden noise rises are reported in the link prior to all-out failure. Beyond that, it is wise for operators to have monitoring equipment placed in the link to guard against interference anyway. These external monitors help reduce site visits and so on for common unintentional interference, and could be the canary in the coal mine for intentional interferers. SON could also help. SON controllers would detect changes in noise and traffic levels; if a suitable outage threshold can be defined, then once the threshold is met, SON could automagically change tilts/increase gains/power in neighboring sectors or sites to help mitigate for the subscribers.
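A minimal sketch of the noise-rise detection and SON trigger described above, added here as an example and not taken from the original post or any vendor's SON product. The 6 dB threshold, three-sample hold, sector names, neighbor map and readings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

RISE_DB = 6.0   # assumed alarm threshold: rise over learned baseline, in dB
HOLD = 3        # assumed: consecutive high samples required before alarming
ALPHA = 0.1     # EWMA weight used to track the quiet-time baseline

@dataclass
class SectorMonitor:
    baseline: Optional[float] = None
    streak: int = 0

    def update(self, noise_dbm: float) -> bool:
        """Feed one uplink noise-floor sample (dBm); True while in alarm."""
        if self.baseline is None:
            self.baseline = noise_dbm
            return False
        if noise_dbm - self.baseline >= RISE_DB:
            self.streak += 1
        else:
            self.streak = 0
            # Learn only from quiet samples, so a sustained interferer
            # is never absorbed into what counts as "normal".
            self.baseline += ALPHA * (noise_dbm - self.baseline)
        return self.streak >= HOLD

def scan(samples):
    """{sector: [dBm, ...]} -> {sector: index of first alarm, or None}."""
    first_alarm = {}
    for sector, series in samples.items():
        mon, first = SectorMonitor(), None
        for i, value in enumerate(series):
            if mon.update(value) and first is None:
                first = i
        first_alarm[sector] = first
    return first_alarm

def compensation_candidates(first_alarm, neighbors):
    """Unaffected neighbors of alarmed sectors, where SON could adjust tilt/power."""
    hit = {s for s, i in first_alarm.items() if i is not None}
    return sorted({n for s in hit for n in neighbors.get(s, []) if n not in hit})

# Constructed sample data: alpha sees a sustained ~9 dB rise, beta a one-off spike.
SAMPLES = {
    "site12-alpha": [-118, -117.5, -118.2, -117.9, -118, -109, -108.5, -108, -107.9, -108.2],
    "site12-beta": [-118, -117, -118.5, -111, -118, -117.6, -118.1, -117.8, -118, -117.9],
}
NEIGHBORS = {"site12-alpha": ["site12-beta", "site14-gamma"]}  # hypothetical topology

if __name__ == "__main__":
    alarms = scan(SAMPLES)
    print(alarms, compensation_candidates(alarms, NEIGHBORS))
```

The hold count is what separates a sustained interferer from a single noisy reading, and freezing the baseline during a rise keeps a long-running source from slowly masking itself.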
Not out of the question, but a little more resource intensive, would be doing things like manual intervention. Examples include turning the cells in the affected area off, using alternative bandwidths/growing multiple channels, or switching to TDD mode so as to be able to manually locate the noise sources. A more passive but effective countermeasure would be to implement LTE roaming such that mobiles always have an alternative.
Let’s not forget that Release 10+ specifications (LTE Advanced) include a feature called Carrier Aggregation that allows operators to operate a virtual large channel over multiple smaller ones. This by its very definition is more robust to interference than operating with less bandwidth. Your mileage will vary of course, but it’s helpful.
Interference cancellation techniques are going to become widespread on UE and eNB to dramatically improve performance and this approach could help a lot.
If the perps are capable of ultra wide band, ultra high gain interference then they are probably more like nation-states and you have a much bigger problem on your hands than just the wireless communication interruption…although those small cells are probably still carrying traffic close by…
Thinking through this for Public Safety, heck this story could be created by a large operator trying to prevent Public Safety from operating their own LTE networks but I digress…the standards could be improved to allow for improved control channel redundancy/resiliency beyond a doubt.
I guess I refute the numbers but not the principles of the original article. It’s going to take a lot more than $650 to effectively take out thousands of LTE users. LTE networks are probably more susceptible to IP hacks than RF hacks. However the blogospheric focus is on the (hot) air portion. Hopefully the hysteria will die down soon. Ugh…