Jamming LTE Signals

Rafał Krenz, Soumya Brahma

Abstract—In a majority of European countries a digital trunk- House on telecom and information policy, issued in 2012 a
ing TETRA system is used for Public Safety communication. Request For Comment on the Development of the Nationwide
This system offer voice communication and narrowband data Interoperable Public Safety Broadband Network. One of the
services only. Since the introduction of first LTE commercial
networks, LTE is rapidly gaining momentum within the Public responses was prepared by the wireless research group at
Safety industry as well. Therefore it is important to verify the Virginia Tech, led by Dr. Jeffrey H. Reed, who described the
immunity of the system, originally designed for civil applications, vulnerabilities of LTE system to intentional jamming attacks
to intentional jamming. In this paper some potential ways [4]. In fact the issue has been studied in many papers recently,
of attacks are discussed and an easy-to-implement method is however some of them use analytical approach only [5, 8, 9,
analyzed in details. The results suggest that jamming LTE signals
is relatively easy and can be done using low cost off-the-shelf 10, 11] while the others present results based on simulations
equipment. [6, 7]. This was a motivation to analyse the problem more
Index Terms—public safety communication, LTE, jamming deeply and the original experimental results of this study are
described in this work.
I. I NTRODUCTION In order to understand the possible methods of attacks, some
Public safety and security services require reliable and important aspects of LTE physical layer are desribed in Section
interoperable communication to respond effectively to an II. Section III identifies a few scenarios of efficient attacks that
emergency or natural disaster situations. In many European are designed to cause denial of service. Laboratory setup used
countries public safety communication is based on TETRA for the experiments is discussed in Section IV. The results of
trunking system. The standard has proven its usefulness for laboratory experiments are presented in Section V. Finally, the
many years, however, it offers primarily voice connections conclusions are drawn in Section VI.
and narrowband data services (max. 28.8 kbps) [1]. There are
II. LTE P HYSICAL L AYER [12]
situations where wideband data services would bring benefits,
e.g. to fire brigades checking floor plans of burning building A. Transmission in the downlink
or checking database of hazardous chemicals and ambulance Transmission in the LTE downlink is based on OFDM
teams transmitting an ECG trace from ambulance to doctor modulation and OFDMA multiplexing scheme. OFDM is well
in hospital or transmitting pictures from scene so doctors can known from its immunity to multipath fading, which is very
predict injury and make more accurate predictions. important property in mobile systems. Due to the serial-to-
Critical communications users such as Public Safety and parallel conversion, which extends symbol duration, the trans-
Security and Public Protection and Disaster Relief agencies mitted signal over a frequency-selective (i.e. multipath) chan-
are currently evaluating their own needs for future wireless nel is converted into a transmission over many parallel flat-
wideband services, with LTE and its future extensions emerg- fading channels in the frequency domain and the equalization
ing to be the favoured technology. So far, LTE networks have is much simpler than for single-carrier systems and consists
been implemented in many countries for commercial use but of just one complex multiplication per subcarrier. OFDMA
the technology must be adapted to provide services like push- adds the ability of adaptive user-to-subcarrier assignment,
to-talk, one-to-one and one-to-many group-based calls with based on feedback information about the frequency-selective
inherent fast call setup times as well as a range of other channel conditions from each user. Additionally, the downlink
features important to critical communications applications. resources may be easily partitioned to meet the bandwidth
Currently, such vendor-specific solutions are available on the requirements of each individual user.
market and a number of Public Safety LTE trials are already The LTE subcarrier spacing has been set to 15 kHz with
underway in regions like Middle East, Asia Pacific and Latin a cyclix prefix length of approximately 5 us. Subcarriers are
America [2], [3]. grouped in 180 kHz blocks, consisting of 12 subcarriers. In
But does the current LTE standard provide sufficiently the time domain 7 consecutive OFDM symbols (6 in case of
robust, resilient, secure and reliable services to meet the the extended cyclic prefix) are transmitted in 0.5 ms slot. Two
demanding needs of critical communications users? Having slots form a 1 ms subframe and 10 subframes constitutes a 10
in mind the terrorist attack threat, which has been increasing ms frame (Fig. 1 for FDD mode). All the symbols transmitted
in recent years all over the world, one can imagine an ’elec- in a single slot on all subcarriers in a block form a Resource
tronic attack’ on public safety communication infrastructure, Block, thus comprised of 84 (72) resource elements (Fig.
resulting in service disruption e.g. during a serious bomb 2). Within certain resource blocks, some resource elements
attack rescue operation. National Telecommunications and are reserved for special purposes: synchronization signals,
Information Administration (NTIA), which advises the White reference signals, control signalling and critical broadcast
system information. The remaining resource elements are used synchronization, but also provides the UE with the physical
for user data transmission. layer identity of the cell and the cyclic prefix length, and
The system was designed to allow operation in channels informs the UE whether the cell uses FDD or TDD mode.
with bandwidth varying from 1.4 MHz to 20 MHz. For The PSS is constructed from a frequency-domain Zadoff-Chu
different channel bandwidth the number of resource blocks sequence of length 63 (3 for each group of cells/sectors) and
available in a single slot varies from 6 (1.4 MHz channel) to the SSS is constructed by interleaving two lenght-31 maximum
110 (20 MHz channel). lenght sequences (M-sequences). Both synchronisation signals
are sent twice per frame (Fig. 3).

Figure 1. Frame Structure Type 1 for FDD

Figure 3. PSS and SSS location in FDD downlink frame

An important thing to note is that the synchronisation

signals are transmitted in the central six resource blocks only
(Fig. 4), the position independent with respect to the system
bandwidth, which allows the terminal to synchronize to the
network without any a priori knowledge of the allocated
bandwidth. Since only 62 subcarriers are used, an FFT of size
64 may be used to process the signals efficiently.

Figure 2. Downlink resource grid

B. Physical channels and signals in the downlink

Before the terminal can access the network it has to find
the cell, synchronize and get important system information. In
LTE downlink there are several physical signals and channels
to assist in performing those tasks, namely, synchronization
signals, reference signals and broadcast physical channel. Figure 4. PSS and SSS location on the FDD downlink resource grid
Synchronization signals are used for initial synchronization
and new cell search procedures. Both make use of two The same resource blocks are used for transmitting Physical
specially designed physical signals which are broadcast in Broadcast Channel (PBCH), see Fig. 5. This carries the Master
each cell: the Primary Synchronization Signal (PSS) and Information Block (MIB), which consists of a limited number
the Secondary Synchronization Signal (SSS). The detection of the most frequently transmitted parameters essential for
of these two signals not only enables time and frequency initial access to the cell.
 Channel estimation, necessary for coherent detection of all Therefore, it is possible that the perpetrator wants to disrupt
physical channels, requires transmittion of some reference the communication rather than intercept the messages. This
signals. This signals are common to all terminals in a cell type of attack is known as Denial-of-Service (DoS) and may
and consist of the reference orthogonal symbols spread evenly be executed in LTE network in different ways [4]. Below some
on the LTE resource grid (Fig. 6). The exact location of the efficient and simple to implement DoS attacks are discussed.
reference symbols is specific to cell ID as well as antenna port • Jamming synchronization signals and PBCH channel in
number (MIMO transmission) to avoid inter-cell interference the downlink is the simplest, brut-force method. Those
and enables the terminal to derive a channel estimate for each signals are transmitted in ~1 MHz bandwidth (as diss-
antenna port. cussed in Chapter 3), irrespective of the LTE channel
The presented list of physical downlink channels and signals bandwidth used in the network, and may be jammed
is not exhaustive, however sufficient for the purpose of this by a narrow-band, continuous jammer, transmitting at
paper. the desired frequency. As explained below, this strategy
requires the highest power of the jamming signal, and,
therefore, it is relatively easy to detect the jammer and
neutralize it.
• Jamming selectively Primary Synchronization Signal in
the downlink is a more sophisticated technique. Since
detecting the PSS is the first step a mobile terminal
takes in accessing a cell, it is possible to jamm only
those symbols used to transmit the PSS (see Fig. 3).
However, this method requires the jammer to synchronize
to the network to find the proper timing and to cause
a fairly high jammer-to-signal ratio, because the PSS is
designed to be detected at high interference levels, so that
the terminal can also detect neighboring cells. A more
effective method would be to simply transmit a bogus
PSS, preventing the terminal from detecting the SSS or
decoding the MIB of its own network. A jammer only has
to transmit six symbols in every frame, on 62 subcarriers,
Figure 5. Location of PBCH in 10 MHz channel giving 20 dB of gain relative to the barrage jamming
attack.
• Jamming Physical Uplink Control Channel (PUCCH) is
another possibility. This physical channel is used to send
the eNodeB a variety of control information, including
scheduling requests, HARQ acknowledgements, and CQI
information and is mapped to the resource blocks on the
edges of the LTE channel []. PUCCH jamming is possible
when the only a priori knowledge is the system bandwidth
and location of the uplink signal in the frequency domain.
In the following only the first of the above listed methods is
investigated due to the simple implementation. Other potential
ways of attacks have been identified e.g. in [5] and [8].
IV. L ABORATORY SETUP
The immunity of LTE system to intentional jamming was
verified using a laboratory setup comprising LTE base station,
quadrature signal generator, spectrum analyser and test termi-
nal.
Figure 6. Cell-specific reference symbol arrangement for one antenna port. A software defined radio implementation of eNodeB, de-
veloped by Amarisoft and conforming to 3GPP Rel. 9 speci-
fication was used [13]. The Amari LTE 100 software runs on
III. LTE S IGNAL JAMMING regular i7 PC and uses a USRP-N210 from Ettus Research as
Wireless communication systems are, in general, prone a RF front-end. The software implements all eNodeB protocol
to different kind off attacks. From the point of view of stack (LTEENB module) as well as main EPC features,
public safety communication, it is crucial that the network including MME, SGW, PGW and HSS (MME module), and,
is available to all involved parties in the emergency situations. therefore, may be used to run a standalone LTE network (with
possible connection to the internet). To connect to the network,
a LTE terminal must be equipped with a SIM card with a
known IMSI and a secret key.
A quadrature signal generator SMBV100A from Ro-
hde&Schwarz was used to generate the jamming signal.
SMBV100A allows for generating RF signals with a variety of
quadrature modulations and configurable parameters. The LTE
and jamming signals parameters were measured using FSL6
spectrum analyser from Rohde&Schwarz.
The quality of connection was tested using Nemo Handy
software from Anite, installed on Samsung Galaxy Note 10.1
LTE (N8020) tablet. Nemo Handy is a drive test tool used for
testing GSM, UMTS and LTE networks [14]. The tool uses a
modified firmware installed on the tablet, which together with
the Nemo Handy application allows for analysing PHY, MAC,
RLC, RRC and NAS parameters. Some measurements are
presented in real-time on the tablet screen, while the others can
be displayed and analysed off-line on a PC, using a dedicated
software.
Figure 7. Power spectral density of the received 5 MHz LTE signal jammed
V. R ESULTS by a 465 kHz jammer
To verify the immunity of LTE system to intentional jam-
ming a series of experiments was conducted in the Wire-
less Communication Laboratory, Faculty of Electronics and
Telecommunications at the Poznań University of Technology
[15]. To the best knowledge of the authors no such experi-
mental results of LTE signal jamming in the field have been
presented so far.
To avoid interference to and from external LTE networks,
a carrier frequency of 2.68 GHz (Band 7) was selected (Band
7 is currently not used in Poland). LTE channel bandwidth
of 5 MHz, 10 MHz, 15 MHz and 20 MHz were tested. The
signal generator transmitted a jamming signal modulated by
a pseudo-noise M-sequence of length 215 − 1, using QPSK
modulation. The bandwidth of the jamming signal was set
to 945 kHz, 690 kHz, 465 kHz and 240 kHz to jam 100%,
75%, 50% and 25% of the subcarriers used to transmit Figure 8. Connection parameters for 5 MHz LTE signal jammed by a 690
synchronization signals and PBCH channel, respectively. A kHz jammer
power spectral density of the received 5 MHz LTE signal
jammed by a 465 kHz jammer is shown in Fig. 7.
The measurement procedure was the following. First, an The results obtained for 5 MHz LTE channel are sumarized
FTP session was established on the measurement terminal in Tab. 1. The table shows useful signal power levels as well
and a download of several GB file located on a local FTP as jamming signal power levels at which the connection was
server was started. During the download the power level of dropped. The results presented in this paper are limited to
the jamming signal was increased in several steps until the 5 MHz case, since such channel bandwidth will be used in
connection between the terminal and the base station was public safety communication systems based on LTE [2].
dropped. The parameters of the connection were logged in
the Nemo file and analyzed off-line. For each combination of Table I
the LTE channel bandwidth and jamming signal bandwidth M EASUREMENT RESULTS IN 5 MH Z LTE CHANNEL
(4x4=16) the tests were repeated five times and the resulting Bandwidth of Received Received
% of jammed
power levels were averaged. The example set of results for jamming signal useful signal jamming signal
subcarriers
[kHz] power [dBm] power [dBm]
5 MHz LTE channel and 690 kHz jammer is ilustrated in 100 945 -80 -59
Fig. 8, where the following parameters are displayed (starting 75 690 -80 -77
from the top): Physical Downlink Shared Channel (PDSCH) 50 465 -80 -69
throughput, received SNR, PDSCH & PBCH BLER, timing 25 240 -80 -69
advance, PUCCH & PUSCH transmit power level.
 VI. C ONCLUSIONS
The topics analyzed in this paper are extremy important
when the application of LTE air interface for public safety
communication is considered. The results show that LTE is
vulnerable to jamming and DOS attacks may by realized
extremely effectively using fairly low complexity, leading to
communication disruption. If the jamming signal received
power is 3 dB higher than the useful signal received power
the connection may be dropped. The jamming signal may
be easily generated using e.g. a low cost SDR platform like
USRP, equipped with a several watts power amplifier. Such
jammer may be build by a communication engineer for a few
hundred US$. Therefore, it may be necessary to develop a
modified ’special’ version of LTE standard for public safety
communication networks.
The other jamming strategies described in Chapter 3 will
be investigated thoroughly in a near future.
ACKNOWLEGMENT
The presented work has been funded by the Polish Ministry
of Science and Higher Education within the status activity task
“...” in 2014.
R EFERENCES
[1] T. Grey, “LTE for Critical Communications - Drivers, Benefits and
Challenges”, P3 Communications GmbH White Paper, 2011
[2] www.motorolasolutions.com/US-EN/Business+Solutions/Industry+ So-
lutions/Government/Government+Services+-+Public+Administration+
Solutions/LTE+for+Government+and+Public+Safety, as on 29.12.2014
[3] www2.alcatel-lucent.com/blogs/lifetalk/blog_posts/four-4g-lte-trials-
with-cassidian/, as on 29.12.2014
[4] www.ntia.doc.gov/files/ntia/va_tech_response.pdf, as on 29.12.2014
[5] F. Aziz, J. Shamma, G. Stuber, “Resilience of LTE networks
against smart jamming attacks”, in Global Communications Conference
(GLOBECOM), 2014, pp. 734-739
[6] G. Philippe, et al. “LTE resistance to jamming capability: To which
extend a standard LTE system is able to resist to intentional jammers”, in
Military Communications and Information Systems Conference (MCC),
2013, pp. 1-4
[7] M. Lichtman et al. “Detection and Mitigation of Uplink Control Channel
Jamming in LTE:, in Military Communications Conference (MILCOM),
2014, pp. 1187-1194
[8] M. Lichtman et al. “Vulnerability of LTE to hostile interference”, in
Global Conference on Signal and Information Processing (GlobalSIP),
2013, pp. 285-288
[9] R. Jover, “Security attacks against the availability of LTE mobility
networks: Overview and research directions”, in Wireless Personal Mul-
timedia Communications (WPMC), 2013, 16th International Symposium
on, pp. 1-9
[10] C. Shahriar et al. “PHY-Layer Resiliency in OFDM Communications: A
Tutorial”, Communications Surveys & Tutorials, IEEE, Vol.: PP , Issue:
99, pp. 1-22
[11] T. Clancy, M. Norton, M. Lichtman, “Security Challenges with LTE-
Advanced Systems and Military Spectrum”, in Military Communications
Conference (MILCOM), 2013, pp. 375-381
[12] S. Sesia, I. Toufik, M. Baker, LTE – The UMTS Long Term Evolution:
From Theory to Practice, John Wiley & Sons, 2009
[13] www.amarisoft.com/?p=amarilte, as on 29.12.2014
[14] www.anite.com/businesses/network-testing/products/nemo-handy-
world’s-most-widely-used-handheld-drive-test-tool, as on 29.12.2014
[15] S. Brahma, Effective Jamming of LTE Signal, MSc Thesis, Politechnika
Poznańska, Poznań 2013