Spatial-Domain Wireless Jamming with Reconfigurable Intelligent Surfaces
Philipp Mackensen, Paul Staat, Stefan Roth, Aydin Sezgin, Christof Paar, Veelasha Moonsamy
TL;DR
The paper shows that wireless jamming can be targeted precisely at individual devices by using Reconfigurable Intelligent Surfaces (RIS). It introduces a two-step RIS-based attack: passive discovery of the RIS configuration via eavesdropping, followed by active jamming with the configured RIS, where the RIS is optimized to maximize jamming toward targets while minimizing impact on non-targets. Thorough experiments with commodity Wi-Fi devices demonstrate selective disruption even at sub-wavelength separations and under environmental variation, and a comparison against directional antennas shows superior selectivity and efficiency for the RIS. The work highlights real-world security implications and proposes countermeasures such as MAC randomization, transmit-power randomization, randomized beamforming, avoiding channel reciprocity, and attack detection, underscoring the need for defenses in RIS-enabled wireless ecosystems.
Abstract
Wireless communication infrastructure is a cornerstone of modern digital society, yet it remains vulnerable to the persistent threat of wireless jamming. Attackers can easily create radio interference to overshadow legitimate signals, leading to denial of service. The broadcast nature of radio signal propagation makes such attacks possible in the first place, but at the same time poses a challenge for the attacker: The jamming signal does not only reach the victim device but also other neighboring devices, preventing precise attack targeting. In this work, we solve this challenge by leveraging the emerging RIS technology, for the first time, for precise delivery of jamming signals. In particular, we propose a novel approach that allows for environment-adaptive spatial control of wireless jamming signals, granting a new degree of freedom to perform jamming attacks. We explore this novel method with extensive experimentation and demonstrate that our approach can disable the wireless communication of one or multiple victim devices while leaving neighboring devices unaffected. Notably, our method extends to challenging scenarios where wireless devices are very close to each other: We demonstrate complete denial-of-service of a Wi-Fi device while a second device located at a distance as close as 5 mm remains unaffected, sustaining wireless communication at a data rate of 25 Mbit/s. Lastly, we conclude by proposing potential countermeasures to thwart RIS-based spatial domain wireless jamming attacks.
