Phase warping and differential scrambling attacks against OFDM frequency synchronization

Abstract: Orthogonal Frequency Division Multiplexing (OFDM) is used in many modern communications systems. Timing and frequency synchronization in an OFDM system are critical to performance and must be carried out early and often. Current synchronization methods, such as those developed by Schmidl and Cox [1], were not designed to be robust to adversarial signals. A series of attacks against the preamble synchronization stage have been developed and demonstrated to debilitate OFDM receivers. Multiple attacks against the… Show more

“…In contrast to previous attacks on the frame preamble, ours in essence does not aim at necessarily causing ICI. It is also different from the attacks in [7], [9], [10] in that it is channel-independent and energy-efficient, i.e., only a small portion of the preamble is jammed irrespective of the jammer's location. This short-lived attack lasts for less than 3 µs per frame (equivalent to, for example, about 0.5% of 802.11a's maximum frame duration when the data rate is at its highest value).…”

“…A few jamming schemes have been proposed in the literature (e.g., [7], [9], [10]) with the goal of inflicting ICI. Phase warping and differential scrambling attacks [10] consider the preamble structure of Schmidl and Cox [15], which is different from the one used in 802.11 OFDM-based standards, and in essence try to alter preamble symbols in a heuristic fashion without providing any success guarantees.…”

“…Phase warping and differential scrambling attacks [10] consider the preamble structure of Schmidl and Cox [15], which is different from the one used in 802.11 OFDM-based standards, and in essence try to alter preamble symbols in a heuristic fashion without providing any success guarantees. Gummadi et al [9] showed the vulnerability of 802.11a clock (frequency) synchronization to a certain narrow-band jamming pattern that interferes with the entire preamble.…”

“…, 2L can take any arbitrary value as long as the signal conforms to the protocol bandwidth requirement. The preamble phase warping attack in [10] is a special case of this approach, where the jamming signal is a random frequency-shifted version of an arbitrary fake preamble. The advantage of having identical halves is that we can control and carefully calculate a desired FO for u based on how Bob estimates ∆f ab .…”

“…Constant, deceptive, and random jamming models achieve a high level of DoS by excessively transmitting over the channel, but exhibit poor energy efficiency and high detection probability [22]. On the other hand, energy-efficient reactive jamming attacks select and target a (part of a) packet based on traffic analysis, protocol semantics, or publicity of some fields [3], [4], [8]- [10], [20]. These attacks may fail to significantly corrupt ongoing transmissions if, for example, channel hopping, randomization, and coding are used to hide the transmission features.…”

Swift Jamming Attack on Frequency Offset Estimation: The Achilles’ Heel of OFDM Systems

“…In contrast to previous attacks on the frame preamble, ours in essence does not aim at necessarily causing ICI. It is also different from the attacks in [7], [9], [10] in that it is channel-independent and energy-efficient, i.e., only a small portion of the preamble is jammed irrespective of the jammer's location. This short-lived attack lasts for less than 3 µs per frame (equivalent to, for example, about 0.5% of 802.11a's maximum frame duration when the data rate is at its highest value).…”

“…A few jamming schemes have been proposed in the literature (e.g., [7], [9], [10]) with the goal of inflicting ICI. Phase warping and differential scrambling attacks [10] consider the preamble structure of Schmidl and Cox [15], which is different from the one used in 802.11 OFDM-based standards, and in essence try to alter preamble symbols in a heuristic fashion without providing any success guarantees.…”

“…Phase warping and differential scrambling attacks [10] consider the preamble structure of Schmidl and Cox [15], which is different from the one used in 802.11 OFDM-based standards, and in essence try to alter preamble symbols in a heuristic fashion without providing any success guarantees. Gummadi et al [9] showed the vulnerability of 802.11a clock (frequency) synchronization to a certain narrow-band jamming pattern that interferes with the entire preamble.…”

“…, 2L can take any arbitrary value as long as the signal conforms to the protocol bandwidth requirement. The preamble phase warping attack in [10] is a special case of this approach, where the jamming signal is a random frequency-shifted version of an arbitrary fake preamble. The advantage of having identical halves is that we can control and carefully calculate a desired FO for u based on how Bob estimates ∆f ab .…”

“…Constant, deceptive, and random jamming models achieve a high level of DoS by excessively transmitting over the channel, but exhibit poor energy efficiency and high detection probability [22]. On the other hand, energy-efficient reactive jamming attacks select and target a (part of a) packet based on traffic analysis, protocol semantics, or publicity of some fields [3], [4], [8]- [10], [20]. These attacks may fail to significantly corrupt ongoing transmissions if, for example, channel hopping, randomization, and coding are used to hide the transmission features.…”

Swift Jamming Attack on Frequency Offset Estimation: The Achilles’ Heel of OFDM Systems

The BER analysis of OFDMA and SC‐FDMA under pilot‐assisted channel estimation and pilot jamming in rayleigh slow‐fading channel

Performance Analysis of Chaotic DSSS-CDMA Synchronization Under Jamming Attack