
Jamming LTE Signals

Rafał Krenz, Soumya Brahma

Abstract—In a majority of European countries a digital trunking TETRA system is used for Public Safety communication. This system offers voice communication and narrowband data services only. Since the introduction of the first commercial LTE networks, LTE is rapidly gaining momentum within the Public Safety industry as well. Therefore it is important to verify the immunity of the system, originally designed for civil applications, to intentional jamming. In this paper some potential ways of attack are discussed and an easy-to-implement method is analyzed in detail. The results suggest that jamming LTE signals is relatively easy and can be done using low cost off-the-shelf equipment.

Index Terms—public safety communication, LTE, jamming

I. INTRODUCTION

Public safety and security services require reliable and interoperable communication to respond effectively to emergency or natural disaster situations. In many European countries public safety communication is based on the TETRA trunking system. The standard has proven its usefulness for many years; however, it offers primarily voice connections and narrowband data services (max. 28.8 kbps) [1]. There are situations where wideband data services would bring benefits, e.g. to fire brigades checking floor plans of a burning building or checking a database of hazardous chemicals, and to ambulance teams transmitting an ECG trace from the ambulance to a doctor in hospital or transmitting pictures from the scene so doctors can predict injuries and make more accurate predictions.

Critical communications users such as Public Safety and Security and Public Protection and Disaster Relief agencies are currently evaluating their own needs for future wireless wideband services, with LTE and its future extensions emerging as the favoured technology. So far, LTE networks have been implemented in many countries for commercial use, but the technology must be adapted to provide services like push-to-talk, one-to-one and one-to-many group-based calls with inherently fast call setup times, as well as a range of other features important to critical communications applications. Currently, such vendor-specific solutions are available on the market and a number of Public Safety LTE trials are already underway in regions like the Middle East, Asia Pacific and Latin America [2], [3].

But does the current LTE standard provide sufficiently robust, resilient, secure and reliable services to meet the demanding needs of critical communications users? Having in mind the terrorist attack threat, which has been increasing in recent years all over the world, one can imagine an ’electronic attack’ on public safety communication infrastructure, resulting in service disruption, e.g. during a serious bomb attack rescue operation. The National Telecommunications and Information Administration (NTIA), which advises the White House on telecom and information policy, issued in 2012 a Request For Comment on the Development of the Nationwide Interoperable Public Safety Broadband Network. One of the responses was prepared by the wireless research group at Virginia Tech, led by Dr. Jeffrey H. Reed, who described the vulnerabilities of the LTE system to intentional jamming attacks [4]. In fact the issue has been studied in many papers recently; however, some of them use an analytical approach only [5, 8, 9, 10, 11] while the others present results based on simulations [6, 7]. This was a motivation to analyse the problem more deeply, and the original experimental results of this study are described in this work.

In order to understand the possible methods of attack, some important aspects of the LTE physical layer are described in Section II. Section III identifies a few scenarios of efficient attacks that are designed to cause denial of service. The laboratory setup used for the experiments is discussed in Section IV. The results of the laboratory experiments are presented in Section V. Finally, the conclusions are drawn in Section VI.

II. LTE PHYSICAL LAYER [12]

A. Transmission in the downlink

Transmission in the LTE downlink is based on OFDM modulation and the OFDMA multiplexing scheme. OFDM is well known for its immunity to multipath fading, which is a very important property in mobile systems. Due to the serial-to-parallel conversion, which extends the symbol duration, the signal transmitted over a frequency-selective (i.e. multipath) channel is converted into a transmission over many parallel flat-fading channels in the frequency domain; the equalization is much simpler than for single-carrier systems and consists of just one complex multiplication per subcarrier. OFDMA adds the ability of adaptive user-to-subcarrier assignment, based on feedback information about the frequency-selective channel conditions from each user. Additionally, the downlink resources may be easily partitioned to meet the bandwidth requirements of each individual user.

The LTE subcarrier spacing has been set to 15 kHz with a cyclic prefix length of approximately 5 µs. Subcarriers are grouped in 180 kHz blocks, consisting of 12 subcarriers. In the time domain 7 consecutive OFDM symbols (6 in case of the extended cyclic prefix) are transmitted in a 0.5 ms slot. Two slots form a 1 ms subframe and 10 subframes constitute a 10 ms frame (Fig. 1 for FDD mode). All the symbols transmitted in a single slot on all subcarriers in a block form a Resource Block, thus comprised of 84 (72) resource elements (Fig. 2). Within certain resource blocks, some resource elements are reserved for special purposes: synchronization signals, reference signals, control signalling and critical broadcast
system information. The remaining resource elements are used for user data transmission.

The system was designed to allow operation in channels with bandwidth varying from 1.4 MHz to 20 MHz. For different channel bandwidths the number of resource blocks available in a single slot varies from 6 (1.4 MHz channel) to 110 (20 MHz channel).

Figure 1. Frame Structure Type 1 for FDD

Figure 2. Downlink resource grid

B. Physical channels and signals in the downlink

Before the terminal can access the network it has to find the cell, synchronize and get important system information. In the LTE downlink there are several physical signals and channels to assist in performing those tasks, namely synchronization signals, reference signals and the broadcast physical channel.

Synchronization signals are used for initial synchronization and new cell search procedures. Both make use of two specially designed physical signals which are broadcast in each cell: the Primary Synchronization Signal (PSS) and the Secondary Synchronization Signal (SSS). The detection of these two signals not only enables time and frequency synchronization, but also provides the UE with the physical layer identity of the cell and the cyclic prefix length, and informs the UE whether the cell uses FDD or TDD mode. The PSS is constructed from a frequency-domain Zadoff-Chu sequence of length 63 (3 for each group of cells/sectors) and the SSS is constructed by interleaving two length-31 maximum length sequences (M-sequences). Both synchronisation signals are sent twice per frame (Fig. 3).

Figure 3. PSS and SSS location in FDD downlink frame

An important thing to note is that the synchronisation signals are transmitted in the central six resource blocks only (Fig. 4), their position being independent of the system bandwidth, which allows the terminal to synchronize to the network without any a priori knowledge of the allocated bandwidth. Since only 62 subcarriers are used, an FFT of size 64 may be used to process the signals efficiently.

Figure 4. PSS and SSS location on the FDD downlink resource grid

The same resource blocks are used for transmitting the Physical Broadcast Channel (PBCH), see Fig. 5. This carries the Master Information Block (MIB), which consists of a limited number of the most frequently transmitted parameters essential for initial access to the cell.
Channel estimation, necessary for coherent detection of all physical channels, requires transmission of some reference signals. These signals are common to all terminals in a cell and consist of reference orthogonal symbols spread evenly on the LTE resource grid (Fig. 6). The exact location of the reference symbols is specific to the cell ID as well as the antenna port number (MIMO transmission) to avoid inter-cell interference and enable the terminal to derive a channel estimate for each antenna port.

The presented list of physical downlink channels and signals is not exhaustive; however, it is sufficient for the purpose of this paper.

Figure 5. Location of PBCH in 10 MHz channel

Figure 6. Cell-specific reference symbol arrangement for one antenna port.

III. LTE SIGNAL JAMMING

Wireless communication systems are, in general, prone to different kinds of attacks. From the point of view of public safety communication, it is crucial that the network is available to all involved parties in emergency situations. Therefore, it is possible that the perpetrator wants to disrupt the communication rather than intercept the messages. This type of attack is known as Denial-of-Service (DoS) and may be executed in an LTE network in different ways [4]. Below some efficient and simple to implement DoS attacks are discussed.

• Jamming the synchronization signals and the PBCH channel in the downlink is the simplest, brute-force method. Those signals are transmitted in ~1 MHz bandwidth (as discussed in Chapter 3), irrespective of the LTE channel bandwidth used in the network, and may be jammed by a narrow-band, continuous jammer transmitting at the desired frequency. As explained below, this strategy requires the highest power of the jamming signal and, therefore, it is relatively easy to detect the jammer and neutralize it.

• Jamming selectively the Primary Synchronization Signal in the downlink is a more sophisticated technique. Since detecting the PSS is the first step a mobile terminal takes in accessing a cell, it is possible to jam only those symbols used to transmit the PSS (see Fig. 3). However, this method requires the jammer to synchronize to the network to find the proper timing and to cause a fairly high jammer-to-signal ratio, because the PSS is designed to be detected at high interference levels, so that the terminal can also detect neighboring cells. A more effective method would be to simply transmit a bogus PSS, preventing the terminal from detecting the SSS or decoding the MIB of its own network. A jammer only has to transmit six symbols in every frame, on 62 subcarriers, giving 20 dB of gain relative to the barrage jamming attack.

• Jamming the Physical Uplink Control Channel (PUCCH) is another possibility. This physical channel is used to send the eNodeB a variety of control information, including scheduling requests, HARQ acknowledgements and CQI information, and is mapped to the resource blocks on the edges of the LTE channel []. PUCCH jamming is possible when the only a priori knowledge is the system bandwidth and the location of the uplink signal in the frequency domain.

In the following only the first of the above listed methods is investigated, due to its simple implementation. Other potential ways of attack have been identified e.g. in [5] and [8].

IV. LABORATORY SETUP

The immunity of the LTE system to intentional jamming was verified using a laboratory setup comprising an LTE base station, a quadrature signal generator, a spectrum analyser and a test terminal.

A software defined radio implementation of an eNodeB, developed by Amarisoft and conforming to the 3GPP Rel. 9 specification, was used [13]. The Amari LTE 100 software runs on a regular i7 PC and uses a USRP-N210 from Ettus Research as the RF front-end. The software implements the full eNodeB protocol stack (LTEENB module) as well as the main EPC features, including MME, SGW, PGW and HSS (MME module), and, therefore, may be used to run a standalone LTE network (with a possible connection to the internet). To connect to the network, an LTE terminal must be equipped with a SIM card with a known IMSI and a secret key.
A quadrature signal generator SMBV100A from Rohde&Schwarz was used to generate the jamming signal. The SMBV100A allows generating RF signals with a variety of quadrature modulations and configurable parameters. The LTE and jamming signal parameters were measured using an FSL6 spectrum analyser from Rohde&Schwarz.

The quality of the connection was tested using Nemo Handy software from Anite, installed on a Samsung Galaxy Note 10.1 LTE (N8020) tablet. Nemo Handy is a drive test tool used for testing GSM, UMTS and LTE networks [14]. The tool uses a modified firmware installed on the tablet, which together with the Nemo Handy application allows analysing PHY, MAC, RLC, RRC and NAS parameters. Some measurements are presented in real time on the tablet screen, while the others can be displayed and analysed off-line on a PC, using dedicated software.

V. RESULTS

To verify the immunity of the LTE system to intentional jamming a series of experiments was conducted in the Wireless Communication Laboratory, Faculty of Electronics and Telecommunications at the Poznań University of Technology [15]. To the best knowledge of the authors no such experimental results of LTE signal jamming in the field have been presented so far.

To avoid interference to and from external LTE networks, a carrier frequency of 2.68 GHz (Band 7) was selected (Band 7 is currently not used in Poland). LTE channel bandwidths of 5 MHz, 10 MHz, 15 MHz and 20 MHz were tested. The signal generator transmitted a jamming signal modulated by a pseudo-noise M-sequence of length 2^15 − 1, using QPSK modulation. The bandwidth of the jamming signal was set to 945 kHz, 690 kHz, 465 kHz and 240 kHz to jam 100%, 75%, 50% and 25% of the subcarriers used to transmit the synchronization signals and PBCH channel, respectively. The power spectral density of the received 5 MHz LTE signal jammed by a 465 kHz jammer is shown in Fig. 7.

Figure 7. Power spectral density of the received 5 MHz LTE signal jammed by a 465 kHz jammer

The measurement procedure was the following. First, an FTP session was established on the measurement terminal and a download of a several-GB file located on a local FTP server was started. During the download the power level of the jamming signal was increased in several steps until the connection between the terminal and the base station was dropped. The parameters of the connection were logged in the Nemo file and analyzed off-line. For each combination of the LTE channel bandwidth and jamming signal bandwidth (4 × 4 = 16) the tests were repeated five times and the resulting power levels were averaged. The example set of results for the 5 MHz LTE channel and 690 kHz jammer is illustrated in Fig. 8, where the following parameters are displayed (starting from the top): Physical Downlink Shared Channel (PDSCH) throughput, received SNR, PDSCH & PBCH BLER, timing advance, PUCCH & PUSCH transmit power level.

Figure 8. Connection parameters for 5 MHz LTE signal jammed by a 690 kHz jammer

The results obtained for the 5 MHz LTE channel are summarized in Tab. 1. The table shows the useful signal power levels as well as the jamming signal power levels at which the connection was dropped. The results presented in this paper are limited to the 5 MHz case, since such a channel bandwidth will be used in public safety communication systems based on LTE [2].

Table I
MEASUREMENT RESULTS IN 5 MHZ LTE CHANNEL

% of jammed   Bandwidth of            Received useful      Received jamming
subcarriers   jamming signal [kHz]    signal power [dBm]   signal power [dBm]
100           945                     -80                  -59
75            690                     -80                  -77
50            465                     -80                  -69
25            240                     -80                  -69
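An added example (not the paper's analysis script or data) that reads Table I and the 3 dB observation from the conclusions from a defender's side: it computes the jammer-to-signal ratio at which each connection dropped, the number of 15 kHz subcarriers each jammer bandwidth overlaps (945, 690, 465 and 240 kHz correspond to about 63, 46, 31 and 16 subcarriers of the 63-wide sync window), and a simple monitor that flags a narrowband interferer parked on the sync region by comparing the central resource blocks with the rest of the channel. Such a monitor complements the KPI view of Fig. 8 (PBCH BLER, throughput), because a spectrum-level check reacts before the link is lost. The per-RB power profile it runs on is constructed to mirror the 465 kHz / −69 dBm row; the 6 dB alarm threshold, the median-of-other-RBs baseline and the assumption that per-RB power is available from a spectrum analyser or a UE/eNodeB measurement are this example's choices.

```python
"""Added example (not from the paper): analysing Table I and monitoring the
sync region for narrowband interference. All sample data is constructed."""
import math
from statistics import median

SUBCARRIER_SPACING_KHZ = 15
SUBCARRIERS_PER_RB = 12
SYNC_WINDOW_SUBCARRIERS = 63      # 62 used PSS/SSS subcarriers plus the DC gap

# Table I of the paper (5 MHz channel): jammer power at which the link dropped.
TABLE_I = [
    # (% of jammed sync subcarriers, jammer bandwidth [kHz], useful [dBm], jammer [dBm])
    (100, 945, -80, -59),
    (75, 690, -80, -77),
    (50, 465, -80, -69),
    (25, 240, -80, -69),
]


def js_ratio_db(useful_dbm, jammer_dbm):
    """Jammer-to-signal ratio at the receiver, in dB."""
    return jammer_dbm - useful_dbm


def table_i_margins():
    """J/S ratio at which the connection dropped, keyed by % of jammed subcarriers."""
    return {pct: js_ratio_db(useful, jammer) for pct, _bw, useful, jammer in TABLE_I}


def subcarriers_covered(jammer_bw_khz):
    """15 kHz subcarriers a signal of this bandwidth overlaps, and the share of
    the 63-subcarrier sync window that represents."""
    n = round(jammer_bw_khz / SUBCARRIER_SPACING_KHZ)
    return n, n / SYNC_WINDOW_SUBCARRIERS


def sync_region_rbs(n_rb):
    """RB indices overlapping the PSS/SSS window (TS 36.211: k = 6*N_RB-31 ... 6*N_RB+30)."""
    first_k, last_k = 6 * n_rb - 31, 6 * n_rb + 30
    return list(range(first_k // SUBCARRIERS_PER_RB, last_k // SUBCARRIERS_PER_RB + 1))


def detect_sync_region_interference(rb_power_dbm, threshold_db=6.0):
    """Flag a narrowband interferer sitting on the sync region.

    rb_power_dbm: received power per resource block across the channel, as a
    spectrum analyser or a UE/eNodeB measurement could supply it (assumption
    of this example). The sync RBs are compared with the median of all other
    RBs; an excess of threshold_db or more raises the flag."""
    sync = sync_region_rbs(len(rb_power_dbm))
    others = [p for i, p in enumerate(rb_power_dbm) if i not in sync]
    if not others:
        raise ValueError("channel too narrow to form a baseline outside the sync region")
    sync_mean = sum(rb_power_dbm[i] for i in sync) / len(sync)
    excess = sync_mean - median(others)
    return {"sync_rbs": sync, "excess_db": round(excess, 1), "flagged": excess >= threshold_db}


def constructed_rb_powers(n_rb=25, useful_dbm=-80.0, jammer_dbm=None):
    """Constructed per-RB profile: a flat useful signal plus, optionally, an
    interferer whose power adds in the linear domain on the sync-region RBs."""
    powers = [useful_dbm] * n_rb
    if jammer_dbm is not None:
        combined = 10 * math.log10(10 ** (useful_dbm / 10) + 10 ** (jammer_dbm / 10))
        for i in sync_region_rbs(n_rb):
            powers[i] = combined
    return powers


if __name__ == "__main__":
    print("J/S at link drop (dB):", table_i_margins())
    for pct, bw, _u, _j in TABLE_I:
        print(f"{bw} kHz covers {subcarriers_covered(bw)[0]} subcarriers ({pct}% row)")
    print("jammed profile:", detect_sync_region_interference(constructed_rb_powers(jammer_dbm=-69.0)))
    print("clean profile: ", detect_sync_region_interference(constructed_rb_powers()))
```

Reading the margins back from Table I shows why the conclusions single out 3 dB: the 690 kHz row dropped the link with the jammer only 3 dB above the useful signal, whereas the full-width 945 kHz jammer needed 21 dB. A monitor tuned to a 6 dB excess over the channel baseline therefore alarms well before the worst-case row but still leaves headroom above ordinary frequency-selective fading; the threshold should be calibrated against the deployment's own per-RB power statistics.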
VI. CONCLUSIONS

The topics analyzed in this paper are extremely important when the application of the LTE air interface for public safety communication is considered. The results show that LTE is vulnerable to jamming, and DoS attacks may be realized extremely effectively using fairly low complexity, leading to communication disruption. If the jamming signal received power is 3 dB higher than the useful signal received power the connection may be dropped. The jamming signal may be easily generated using e.g. a low cost SDR platform like USRP, equipped with a power amplifier of several watts. Such a jammer may be built by a communication engineer for a few hundred US$. Therefore, it may be necessary to develop a modified ’special’ version of the LTE standard for public safety communication networks.

The other jamming strategies described in Chapter 3 will be investigated thoroughly in the near future.

ACKNOWLEDGMENT

The presented work has been funded by the Polish Ministry of Science and Higher Education within the status activity task “...” in 2014.
REFERENCES

[1] T. Grey, “LTE for Critical Communications - Drivers, Benefits and Challenges”, P3 Communications GmbH White Paper, 2011
[2] www.motorolasolutions.com/US-EN/Business+Solutions/Industry+Solutions/Government/Government+Services+-+Public+Administration+Solutions/LTE+for+Government+and+Public+Safety, as on 29.12.2014
[3] www2.alcatel-lucent.com/blogs/lifetalk/blog_posts/four-4g-lte-trials-with-cassidian/, as on 29.12.2014
[4] www.ntia.doc.gov/files/ntia/va_tech_response.pdf, as on 29.12.2014
[5] F. Aziz, J. Shamma, G. Stuber, “Resilience of LTE networks against smart jamming attacks”, in Global Communications Conference (GLOBECOM), 2014, pp. 734-739
[6] G. Philippe et al., “LTE resistance to jamming capability: To which extend a standard LTE system is able to resist to intentional jammers”, in Military Communications and Information Systems Conference (MCC), 2013, pp. 1-4
[7] M. Lichtman et al., “Detection and Mitigation of Uplink Control Channel Jamming in LTE”, in Military Communications Conference (MILCOM), 2014, pp. 1187-1194
[8] M. Lichtman et al., “Vulnerability of LTE to hostile interference”, in Global Conference on Signal and Information Processing (GlobalSIP), 2013, pp. 285-288
[9] R. Jover, “Security attacks against the availability of LTE mobility networks: Overview and research directions”, in Wireless Personal Multimedia Communications (WPMC), 2013, 16th International Symposium on, pp. 1-9
[10] C. Shahriar et al., “PHY-Layer Resiliency in OFDM Communications: A Tutorial”, Communications Surveys & Tutorials, IEEE, Vol. PP, Issue 99, pp. 1-22
[11] T. Clancy, M. Norton, M. Lichtman, “Security Challenges with LTE-Advanced Systems and Military Spectrum”, in Military Communications Conference (MILCOM), 2013, pp. 375-381
[12] S. Sesia, I. Toufik, M. Baker, LTE – The UMTS Long Term Evolution: From Theory to Practice, John Wiley & Sons, 2009
[13] www.amarisoft.com/?p=amarilte, as on 29.12.2014
[14] www.anite.com/businesses/network-testing/products/nemo-handy-world’s-most-widely-used-handheld-drive-test-tool, as on 29.12.2014
[15] S. Brahma, Effective Jamming of LTE Signal, MSc Thesis, Politechnika Poznańska, Poznań 2013
