Efficient and Unrecognizable OFDM Jamming By
Failing the Cyclic Prefix Functionality
Li Li, Shulin Tian, Jianguo Huang and Peng Zhang
School of Automation Engineering
University of Electronic Science and Technology of China
Chengdu, Sichuan, P.R.China
Abstract—In order to counteract hostile communication based on the advanced Orthogonal Frequency Division Multiplexing (OFDM) technology, an efficient and unrecognizable jamming technique that fails the OFDM cyclic prefix (CP) functionality is developed in this paper. CP is introduced into OFDM systems to prevent interference caused by multipath fading, as long as it is no shorter than the channel delay spread. The basic principle of the proposed approach is to destroy this CP validity condition by constructing a path of the target signal with a delay larger than the CP length. Specifically, the jammer captures the ongoing OFDM signal and then forwards it with an intended delay. The aggregation of the target and jamming signals is thus equivalent to a faded target signal suffering a multipath channel of an overlong delay spread that cannot be absorbed by the CP. Both inter-symbol interference (ISI) and inter-carrier interference (ICI) are induced. The OFDM transmission can therefore be disrupted due to the loss of subcarrier orthogonality. Moreover, as the jamming signal is actually a delayed version of the target signal, the jamming attack is hard to detect. Compared with the existing OFDM jamming methods, the proposed scheme can be easily implemented without synchronization to the target signal or detailed frame structure of the target system.

I. INTRODUCTION

Orthogonal Frequency Division Multiplexing (OFDM) is a multicarrier transmission scheme that has been widely employed in modern wireless communication networks because of its spectrum efficiency, achievable data rates and robustness in multipath fading environments [1]. Wireless Local Area Networks (WLAN) like WiFi, Wireless Metropolitan Area Networks (WMAN) like WiMAX and cellular networks like LTE all rely on OFDM for their air interfaces. While people are enjoying the fast and reliable radio communication brought by OFDM, it is noteworthy that this advanced technology could also be exploited by adversaries for their communication requirements in conducting malicious actions. Hence, jamming against OFDM transmission needs to be addressed.

Besides the power-inefficient barrage jamming that continuously injects noise into the entire band of the target signal, several sophisticated jamming strategies targeting OFDM transmission have been developed in light of its requirement of subcarrier orthogonality. As synchronization between the transmitter and receiver is a prerequisite to maintain the OFDM subcarrier orthogonality, the jammer was designed to disturb either the time or frequency synchronization at the receiver terminal. Technically, interference was generated and added on top of synchronization training symbols of the target OFDM communication system [2]–[4]. Also, the jammer was developed to disturb the channel equalization in a target OFDM system to destroy its subcarrier orthogonality. This was achieved by obfuscating the OFDM pilot tones that were used for the channel estimation [5], [6]. Although the synchronization attacks and equalization attacks are effective, they are conditioned on the detailed frame structure of the target OFDM system and synchronization between the jamming and target signals. OFDM jamming schemes without these implementation constraints are worthy of being investigated.

OFDM, which sends multiple data bits simultaneously over orthogonal subcarriers, is susceptible to both inter-symbol interference (ISI) and inter-carrier interference (ICI) caused by the delay spread of wireless channels. The cyclic prefix (CP), which acts as a guard interval between two adjacent OFDM signals, is thus introduced into OFDM systems to absorb the channel delay spread. The basic idea of the CP is to repeat the end part of a transmitted signal at its beginning and to discard this cyclic extension at the receiver end. As long as the CP is no shorter than the channel delay spread, it is able to eliminate the ISI and prevent one subcarrier from interfering with another. Meanwhile, a CP of sufficient length converts the linear convolution of a frequency-selective multipath channel into a circular convolution, which enables simple frequency-domain channel estimation and equalization. Conversely, the OFDM transmission could be denied by ISI and ICI if the CP validity condition cannot be met. An efficient and effective jamming scheme can thus be developed by exploiting the CP length requirement.

In this paper, an efficient and unrecognizable OFDM jamming technique that fails the OFDM CP validity is proposed. The fundamental idea of the developed scheme is to construct a virtual wireless channel with a delay spread longer than the CP of the target OFDM system. Technically, the jammer captures the ongoing OFDM signal and then forwards it with an intended delay. The aggregation of the target and jamming signals is equivalent to the result of the target signal propagated through a multipath channel of an excess delay spread. Once the equivalent multipath channel is longer than the CP of the target OFDM system, the functionality of the CP is disabled. The OFDM transmission can therefore be denied. As the jamming signal is actually a delayed version of the target signal, the jamming attack is hard to detect. Compared with the existing OFDM jamming methods, no synchronization to the target signal or detailed knowledge of the target system is needed. In addition, the proposed approach can be easily implemented using analog circuits without any signal processing.

978-1-5386-2062-5/17/$31.00 ©2017 IEEE

The remainder of this paper is organized as follows. Section II introduces the system model of this study. The proposed OFDM jamming scheme is described in Section III, followed by a performance evaluation in Section IV. Simulation results that validate the proposed jamming technique are provided in Section V. Finally, conclusions are drawn in Section VI.

II. SYSTEM MODEL

A system model that consists of a transmitter, a receiver and a jammer is considered in the study. The transmitter communicates with the receiver following an OFDM-based communication standard. The jammer at a third location, which has the capability to receive and transmit wireless signals, attempts to inject signals to disrupt the data reception at the target receiver. The system model is illustrated in Fig. 1.

Fig. 1. OFDM transmission pair under the jamming attack. (Nodes shown: Transmitter, Receiver, Jammer.)

For an OFDM signal with N subcarriers, the time-domain symbol after the inverse discrete Fourier transform (IDFT), x_s = [x_s(0), x_s(1), ..., x_s(N − 1)], can be written as

x_s(n) = \sum_{k=0}^{N-1} X(k)\, e^{j 2\pi k n / N}, \quad n = 0, 1, \dots, N-1,   (1)

where X(k) denotes the modulated data transmitted at the kth subcarrier, and s is the symbol index. After the insertion of the cyclic prefix with a length of L_cp, an entire OFDM signal sent out by the transmitter can be given by

\tilde{x}_s = [x_s(N - L_{cp}), x_s(N - L_{cp} + 1), \dots, x_s(N - 1), x_s(0), x_s(1), \dots, x_s(N - 1)].   (2)

At the receiver end, a combination of the signal from the transmitter, y_TR, and that from the jammer, y_JR, is received. The received signal that is going to be demodulated at the receiver terminal can be written as

y_s = y_{TR} + y_{JR} + w,   (3)

where w represents the additive white Gaussian noise (AWGN) at the receiver terminal, which has a mean of zero and a variance of σ_o². For the signal y_TR that is directly received from the transmitter through the transmitter-receiver link channel h_TR with a length of L_{h_TR}, it can be given by

y_{TR} = h_{TR} * \tilde{x}_s,   (4)

where * denotes convolution. Similarly, the signal received from the jammer, y_JR, can be expressed as

y_{JR} = h_{JR} * j,   (5)

where h_JR with a length of L_{h_JR} is the channel impulse response of the jammer-receiver link channel, and j denotes the vector of the jamming signal sent out by the jammer.

III. PROPOSED OFDM JAMMING APPROACH

In OFDM systems, the cyclic prefix is inserted in front of each OFDM signal as a guard interval to eliminate ISI and ICI [7] and to facilitate simple frequency-domain equalization [8]. However, the functionalities of the CP are conditioned on the requirement that the CP is no shorter than the channel delay spread. In practice, OFDM systems are designed to meet this requirement, but the CP length is also constrained to minimize the system-throughput and bandwidth-efficiency cost. As a result, the violation of the CP validity condition can result in both ISI and ICI on the received OFDM signal as well as disrupt the frequency-domain channel equalization, leading to severe signal recovery errors at the receiver end.

An efficient and unrecognizable OFDM jamming technique exploiting the CP validity condition is developed in this study. The principle behind the design is to construct a path of the target signal with an excess delay, leading to a virtual wireless channel of a delay spread longer than the CP. In operation, the jammer only needs to capture the target OFDM signals and then forward them to the OFDM receiver with an intended delay Δ. Mathematically, the jamming signal sent out by the jammer takes the form

j = h_{TJ} * \tilde{x}_s + w_j,   (6)

where

\tilde{x}_s = [x_{s-1}(N - \Delta), x_{s-1}(N - \Delta + 1), \dots, x_{s-1}(N - 1), x_s(N - L_{cp}), x_s(N - L_{cp} + 1), \dots, x_s(N - 1), x_s(0), x_s(1), \dots, x_s(N - \Delta - 1)].   (7)

h_TJ represents the channel between the transmitter and jammer with a length of L_{h_TJ}, and w_j is the noise at the jammer with a variance of σ_j². Substituting (6) into (5), the jamming signal arriving at the receiver can be rewritten as

y_{JR} = h_{JR} * (h_{TJ} * \tilde{x}_s + w_j) = \underbrace{h_{JR} * h_{TJ}}_{h_{TJR}} * \tilde{x}_s + \underbrace{h_{JR} * w_j}_{w_{TJR}}.   (8)
Therefore, the total signal received at the receiver can be expressed as

y_s = y_{TR} + y_{JR} + w = \underbrace{(h_{TR} * \tilde{x}_s + h_{TJR} * \tilde{x}_s)}_{\hat{h} * \tilde{x}_s} + \underbrace{w_{TJR} + w}_{\hat{w}},   (9)

where ĥ denotes the equivalent channel response acting on the signals captured at the receiver end, with a length of L̂ = max{L_{h_TR}, L_{h_TJ} + L_{h_JR} + Δ − 1}. ŵ is the total noise added on top of the received signals, which may no longer be white after the relay processing. In order to simplify the mathematical analysis, we approximate ŵ as AWGN with distribution CN(0, σ²).

In the design, an intended delay Δ is selected to make the delay spread of the equivalent multipath channel longer than the CP of the target OFDM system, i.e. L̂ = max{L_{h_TR}, L_{h_TJ} + L_{h_JR} + Δ − 1} > L_cp. Meanwhile, the intended delay Δ must be less than an OFDM signal period so that the jamming signal acts on the correlated target signal, i.e. Δ < N + L_cp. Otherwise, the jamming signal is independent of the target OFDM signal. It degrades into a general interference signal, which has a higher probability of betraying the presence of the jamming attack. Once the validity condition of the cyclic prefix in the OFDM transmission is destroyed, ISI and ICI are induced. The loss of subcarrier orthogonality leads to a high BER in the data recovery. Meanwhile, as the jamming signal is technically the target OFDM signal itself, it would be hard for the transmission pair to detect the existence of the jamming attack. More likely, the target OFDM communication system would think that it is experiencing a severely hostile transmission environment. In addition, the proposed jamming approach can be simply implemented by analog circuits without any digital signal processing. Its implementation complexity is quite low.

IV. JAMMING PERFORMANCE ANALYSIS

In OFDM-based communication systems, the receiver first discards the cyclic prefix of each OFDM signal, i.e. the first L_cp samples, and then conducts a discrete Fourier transform (DFT) on the remaining N samples to perform the OFDM demodulation. In the case of L̂ > L_cp, the received "data" part of an OFDM signal after removing the CP, r_s, contains signal components from both the previous and current symbols. It can be mathematically expressed as

r_s = \hat{h} \cdot d_s + \hat{w},   (10)

where d_s is an L̂ × N matrix that represents the data elements that contribute to the received OFDM signal after the CP removal, as detailed in (11). The first L_CP + 1 rows of d_s are cyclic shifts of the current OFDM symbol x_s. They form a circular convolution with the first L_CP + 1 taps of the equivalent channel ĥ. This part thus does not degrade the data demodulation after the channel equalization. In contrast, the bottom-left part of the matrix d_s, which comes from the previous OFDM symbol s − 1, causes ISI and ICI, leading to severe data recovery errors. Similarly, channel estimation based on this kind of data matrix would also be disrupted by the induced ISI and ICI.

d_s = \begin{bmatrix}
x_s(0) & x_s(1) & x_s(2) & \cdots & x_s(N-2) & x_s(N-1) \\
x_s(N-1) & x_s(0) & x_s(1) & \cdots & x_s(N-3) & x_s(N-2) \\
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\
x_s(N-L_{CP}) & \cdots & x_s(N-1) & x_s(0) & \cdots & x_s(N-L_{CP}-1) \\
x_{s-1}(N-1) & x_s(N-L_{CP}) & \cdots & \cdots & \cdots & x_s(N-L_{CP}-2) \\
\vdots & \vdots & \vdots & \cdots & \vdots & \vdots \\
x_{s-1}(N-\hat{L}+L_{CP}+1) & \cdots & x_{s-1}(N-1) & x_s(N-L_{CP}) & \cdots & x_s(N-\hat{L})
\end{bmatrix}   (11)

A. Induced ISI and ICI

Substituting (11) into (10), the ISI in the received OFDM signal after the CP removal, which comes from the signal components of the previous signal s − 1, can be derived as

r_{ISI}(n) = \sum_{l=L_{CP}+n+1}^{\hat{L}-1} \hat{h}(l)\, x_{s-1}[N - (l - L_{CP} - n)], \quad 0 \le n \le \hat{L} - L_{CP} - 2.   (12)

After a DFT, the ISI acting on the kth subcarrier of the current OFDM signal can be calculated as [9]

I_{ISI}(k) = \sum_{n=0}^{\hat{L}-L_{CP}-2} r_{ISI}(n)\, e^{-j\frac{2\pi}{N} nk}
 = \sum_{m=L_{CP}+1}^{\hat{L}-1} x_{s-1}(N + L_{cp} - m)\, e^{j\frac{2\pi}{N} mk} \times \sum_{u=m}^{\hat{L}-1} \hat{h}(u)\, e^{-j\frac{2\pi}{N} uk}.   (13)

Meanwhile, the ICI in the received OFDM signal after the CP removal, which is caused by the loss of subcarrier orthogonality, can be written as

r_{ICI}(n) = -\sum_{l=L_{CP}+n+1}^{\hat{L}-1} \hat{h}(l)\, x_s[N - (l - L_{CP} - n)], \quad 0 \le n \le \hat{L} - L_{CP} - 2.   (14)

Similarly, the ICI acting on the kth subcarrier of the current OFDM signal after the DFT can be calculated as

I_{ICI}(k) = -\sum_{m=L_{CP}+1}^{\hat{L}-1} x_s(N + L_{cp} - m)\, e^{j\frac{2\pi}{N} mk} \times \sum_{u=m}^{\hat{L}-1} \hat{h}(u)\, e^{-j\frac{2\pi}{N} uk}.   (15)

Referring to the analysis in [9], the power spectral density of the ISI and ICI at the kth subcarrier can be evaluated as

N_{ISI}(k) = N_{ICI}(k) = \sigma_x^2 \sum_{m=L_{CP}+1}^{\hat{L}-1} \left| \sum_{u=m}^{\hat{L}-1} \hat{h}(u)\, e^{-j\frac{2\pi}{N} uk} \right|^2,   (16)

where σ_x² is the variance of the OFDM signal. The power spectral density of the interference is a function of the difference between the channel delay and the CP length, the attenuation factors of the channel paths, as well as the power of the data transmitted at the subcarrier.
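As an added, self-contained illustration of Sections IV.A and IV.B (this is not the authors' code): a noise-free simulation with the 802.11-style parameters of Section V (N = 64, L_cp = 16) in which the equivalent channel ĥ of (9) is reduced to a direct path plus one copy delayed by Δ samples, which is how the aggregate of the target and forwarded signals appears at the receiver. It assumes unit-energy QPSK on all 64 subcarriers, no pilots or preamble, and an equaliser that knows ĥ; it returns the symbol error rate, the measured ISI+ICI power against the prediction of (16), and the LS channel-estimate error of (18), all of which are zero for Δ ≤ L_cp and non-zero once Δ exceeds it.

```python
import cmath
import random

N, LCP = 64, 16   # 64-point IDFT and 16-sample cyclic prefix, as in the 802.11 set-up of Sec. V
# Twiddle table W[k][n] = e^{-j 2 pi k n / N}, computed once.
W = [[cmath.exp(-2j * cmath.pi * k * n / N) for n in range(N)] for k in range(N)]

def idft(X):  # eq. (1), no 1/N scaling
    return [sum(X[k] * W[k][n].conjugate() for k in range(N)) for n in range(N)]
def dft(x):  # unnormalised, so dft(idft(X)) == N * X
    return [sum(x[n] * W[k][n] for n in range(N)) for k in range(N)]
def qpsk_symbol(rng):  # constructed data: unit-energy QPSK on every subcarrier (no pilots)
    return [complex(rng.choice((-1, 1)), rng.choice((-1, 1))) / 2 ** 0.5 for _ in range(N)]
def add_cp(x):  # eq. (2): last LCP samples repeated in front
    return x[N - LCP:] + x

def two_path_channel(delta, gain):
    """Equivalent channel h_hat of eq. (9), reduced to a direct tap plus a copy of the
    signal arriving `delta` samples later with amplitude `gain`; L_hat = delta + 1."""
    h = [0j] * (delta + 1)
    h[0], h[delta] = 1 + 0j, complex(gain)
    return h

def convolve(stream, h):  # linear convolution, skipping zero taps
    out = [0j] * (len(stream) + len(h) - 1)
    for i, s in enumerate(stream):
        for l, t in enumerate(h):
            if t:
                out[i + l] += s * t
    return out

def freq_response(h):  # H(k) = sum_l h(l) e^{-j 2 pi l k / N}
    return [sum(t * W[k][l % N] for l, t in enumerate(h) if t) for k in range(N)]

def receive_symbol(delta, gain, rng):
    """Send x_{s-1}, x_s through h_hat (noise-free) and strip the CP of symbol s. Returns
    (X_s, zero-forcing estimate of X_s, r_s minus the circular-convolution part)."""
    X_prev, X_cur = qpsk_symbol(rng), qpsk_symbol(rng)
    x_cur, h = idft(X_cur), two_path_channel(delta, gain)
    y = convolve(add_cp(idft(X_prev)) + add_cp(x_cur), h)
    start = (N + LCP) + LCP                      # first data sample of symbol s
    r_s = y[start:start + N]                     # eq. (10) without noise
    # What a valid CP guarantees: only h_hat circularly convolved with x_s.
    circ = [sum(t * x_cur[(n - l) % N] for l, t in enumerate(h) if t) for n in range(N)]
    residual = [a - b for a, b in zip(r_s, circ)]   # r_ISI + r_ICI of eqs. (12), (14)
    X_hat = [R / (N * Hk) for R, Hk in zip(dft(r_s), freq_response(h))]  # known-channel equaliser
    return X_cur, X_hat, residual

def interference_psd(h, k, sigma_x2):  # eq. (16): N_ISI(k) = N_ICI(k), L_hat = len(h)
    L = len(h)
    return sigma_x2 * sum(abs(sum(h[u] * W[k][u % N] for u in range(m, L))) ** 2
                          for m in range(LCP + 1, L))

def simulate(delta, gain, trials=100, seed=1):
    """Return (QPSK symbol error rate, measured ISI+ICI power per subcarrier, the same power
    predicted by eq. (16) averaged over k); sigma_x^2 = N for unit-energy QPSK on N carriers."""
    rng, errors, measured = random.Random(seed), 0, 0.0
    for _ in range(trials):
        X, X_hat, res = receive_symbol(delta, gain, rng)
        errors += sum((a.real > 0) != (b.real > 0) or (a.imag > 0) != (b.imag > 0)
                      for a, b in zip(X, X_hat))         # hard-decision errors
        measured += sum(abs(v) ** 2 for v in res)        # = mean_k |R(k)|^2 by Parseval
    h = two_path_channel(delta, gain)
    predicted = sum(2 * interference_psd(h, k, N) for k in range(N)) / N
    return errors / (trials * N), measured / trials, predicted

def ls_channel_mse(delta, gain, trials=100, seed=1):
    """Eqs. (17)-(18): LS estimate H_e(k) = Y(k) / (N T(k)) from a QPSK training symbol T,
    against the true H_hat(k); returns the MSE averaged over subcarriers and trials."""
    rng, H, mse = random.Random(seed), freq_response(two_path_channel(delta, gain)), 0.0
    for _ in range(trials):
        T, T_hat, _ = receive_symbol(delta, gain, rng)   # T_hat = Y / (N H_hat)
        H_e = [Hk * th / t for Hk, th, t in zip(H, T_hat, T)]
        mse += sum(abs(a - b) ** 2 for a, b in zip(H_e, H)) / N
    return mse / trials
```

For a two-tap ĥ, (16) collapses to 2σ_x²(Δ − L_cp)a² per subcarrier, which is what `predicted` evaluates to, and the measured residual power of `simulate(40, 0.9)` lands within a few percent of it.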
B. Distortion of the Frequency-domain Channel Estimate

If the receiver performs the frequency-domain channel estimation while the proposed jamming attack is performed, the channel estimates are also distorted by the ISI and ICI. Given the training signal T(k), the frequency-domain observed training signal at the receiver can be expressed as

Y(k) = \hat{H}(k)\, T(k) + I_{ISI}(k) + I_{ICI}(k) + W(k).   (17)

The channel estimate following the least-squares (LS) channel estimation algorithm can then be derived as

H_e(k) = \hat{H}(k) + \frac{I_{ISI}(k)}{T(k)} + \frac{I_{ICI}(k)}{T(k)} + \frac{W(k)}{T(k)}.   (18)

Compared with the scenario that has no jamming attack, the channel estimates are now distorted by the induced ISI and ICI. Data recovery errors are then caused if this channel estimate is used for the channel equalization. Please note that the level of the channel estimation distortion also depends on the adopted channel estimation algorithm.

V. SIMULATION RESULTS

The OFDM-based WiFi transmission is implemented in the simulation to validate the proposed jamming scheme. Following the specifications of the IEEE 802.11 standard, each OFDM signal, which consists of 48 data subcarriers and 4 pilot subcarriers, is generated using a 64-point IDFT. A cyclic prefix with a length of 16 samples is inserted at the beginning of each signal. The data rate in the simulations is set to 12 Mbps, which means that the data subcarriers are quadrature phase shift keying (QPSK) modulated. Moreover, the standard-defined preamble is inserted in front of each packet frame and used for the channel estimation at the receiver terminal. Rayleigh fading channels with different delay spreads are considered in the simulations. The channels between the transmitter and receiver, between the transmitter and jammer and between the jammer and receiver are assumed to be independent of each other but follow an identical statistical model, while the channel responses are normalized to have unit energy. In addition, the noise levels at the WiFi receiver and jammer are assumed to be the same.

Figure 2 presents the bit-error-rate (BER) of the WiFi transmission under the attack of the proposed jamming scheme when the Rayleigh fading channel has a delay spread of 8 taps. Please note that the delay spread of the constructed virtual channel under this scenario is Δ + 15. A higher BER can be achieved when there is a larger intended delay Δ. However, no further degradation of the OFDM transmission reliability can be observed once the equivalent delay spread L̂ is larger than the OFDM signal period, which is 80 samples in the simulated WiFi system. This is because the jamming signal is independent of the OFDM signal that it acts on when L̂ > 80. As independent interference, it functions in the same way no matter which signal it is attacking. It is also noteworthy that though a longer delay could result in better jamming performance, the jamming attack is easier to detect since the jamming signal looks more like independent interference. There is thus a trade-off between the jamming effectiveness and the anti-detection capability, which needs to be addressed in the practical implementation.

Fig. 2. BER of the Wi-Fi transmission under a Rayleigh fading channel of 8 taps when the proposed jamming scheme is launched. (Plot of BER versus SNR (dB) from 0 to 30 dB; curves: No jamming attack, Δ = 5, Δ = 10, Δ = 20, Δ = 50, Δ = 80, Δ = 100.)

The delay spread of the constructed virtual multipath channel is determined not only by the intended delay introduced at the jamming device but also by the delay spread of the actual physical channel in the propagation. Therefore, the performance of the proposed jamming scheme under a different channel condition, a Rayleigh fading channel with a delay of 16 taps, is also evaluated. This is a more hostile channel environment that has a delay spread equal to the cyclic prefix length. As demonstrated in Fig. 3, the OFDM transmission can
now be distorted with a shorter intended delay at the jamming device. It is able to cause a BER higher than 0.1 with an intended delay of 20 samples.

Fig. 3. BER of the Wi-Fi transmission under a Rayleigh fading channel of 16 taps when the proposed jamming scheme is launched. (Plot of BER versus SNR (dB) from 0 to 30 dB; curves: No jamming attack, Δ = 5, Δ = 10, Δ = 20, Δ = 50, Δ = 80.)

In addition to the BER of data recovery at the WiFi receiver, the effect of the proposed OFDM jamming approach on the WiFi channel estimation is also evaluated. In general, a WiFi receiver estimates the channel responses based on the preamble of each received packet frame. As discussed in (18), the channel estimation is distorted by the ISI and ICI caused by the proposed jamming scheme. A numerical evaluation, in terms of the mean squared error (MSE) of the channel estimate at the WiFi receiver, is provided in Fig. 4. The LS channel estimation algorithm is considered. As shown in the figure, the MSE of the channel estimate increases significantly when the WiFi transmission is attacked by the proposed jamming scheme, particularly when the equivalent delay spread L̂ is about half of an OFDM signal period.

Fig. 4. MSE of the channel estimate at the WiFi receiver under a Rayleigh fading channel of 8 taps when the proposed jamming scheme is launched. (Plot of MSE versus SNR (dB) from 0 to 30 dB; curves: No jamming attack, Δ = 5, Δ = 10, Δ = 20, Δ = 50, Δ = 80.)

All the above evaluations are under the assumption that the frame structure of the target communication system is unknown to the jamming device. However, the frame structures of most communication systems like the WiFi system are normally disclosed to the public. A jamming device following the proposed jamming method can thus exploit the knowledge of the target OFDM communication system to perform a more sophisticated attack. As an illustration, the jamming device could tactfully avoid attacking the preamble of each WiFi packet frame to let the target receiver have an out-of-date channel estimate. The simulation results are plotted in Fig. 5. The jamming effectiveness is greatly improved in comparison with the results shown in Fig. 2. The BER can be close to 50% even when the intended delay is only 5 samples.

Fig. 5. BER of the Wi-Fi transmission under a Rayleigh fading channel of 8 taps when the proposed approach avoids attacking the packet preamble. (Plot of BER versus SNR (dB) from 0 to 30 dB; curves: No jamming attack, Δ = 5, Δ = 10, Δ = 20, Δ = 50, Δ = 80.)

It is worth noting that all the presented BER simulation results are for the WiFi transmission with a data rate of 12 Mbps, in which the data subcarriers are QPSK modulated. The proposed jamming approach is able to achieve better performance when the data subcarriers are modulated with a higher-order modulation scheme that is more vulnerable to the ISI and ICI.

VI. CONCLUDING REMARKS

In this paper, an efficient and unrecognizable OFDM jamming technique that targets the OFDM CP validity condition is developed. The principle of the proposed scheme is to construct a path of the target OFDM signal with an excess delay, leading to a virtual wireless channel of a delay spread longer than its CP. Technically, the jammer captures the ongoing OFDM signal and then forwards it with an intended delay. As a result, the aggregation of the target and jamming signals is equivalent to a faded target signal experiencing a multipath channel of an overlong delay spread. Both ISI and ICI are then induced and the subcarrier orthogonality of the target OFDM system is destroyed. The OFDM transmission can therefore be denied. Since the jamming signal is actually a delayed version of the target signal, the jamming attack is hard to detect. Compared with the existing OFDM jamming methods, no synchronization to the target signal or detailed frame structure of the target system is needed.
REFERENCES

[1] T. Hwang et al., “OFDM and its wireless applications: a survey,” IEEE Transactions on Vehicular Technology, vol. 58, no. 4, pp. 1673-1694, May 2009.
[2] M. J. L. Pan, C. Clancy, and R. W. McGwier, “Jamming attacks against OFDM timing synchronization and signal acquisition,” in Proc. IEEE Military Communications Conference, Oct. 2012, pp. 1-7.
[3] H. Rahbari, M. Krunz, and L. Lazos, “Swift jamming attack on frequency offset estimation: the Achilles heel of OFDM systems,” IEEE Trans. Mobile Computing, vol. 15, no. 5, pp. 1264-1278, Jul. 2015.
[4] M. J. L. Pan, C. Clancy, and R. W. McGwier, “Phase warping and differential scrambling attacks against OFDM frequency synchronization,” in Proc. IEEE Int. Conf. Acoustics, Speech and Signal Processing, May 2013, pp. 2886-2890.
[5] C. Mueller-Smith and W. Trappe, “Efficient OFDM denial in the absence of channel information,” in Proc. IEEE Military Communications Conference, Nov. 2013, pp. 89-94.
[6] T. C. Clancy, “Efficient OFDM denial: pilot jamming and pilot nulling,” in Proc. IEEE Int. Conf. Communications, Jun. 2011, pp. 1-5.
[7] B. Muquet, Z. Wang, G. Giannakis, M. de Courville, and P. Duhamel, “Cyclic prefixing or zero padding for wireless multicarrier transmissions?,” IEEE Trans. Commun., vol. 50, pp. 2136-2148, Dec. 2002.
[8] M. Nisar, W. Utschick, H. Nottensteiner, and T. Hindelang, “On channel estimation and equalization of OFDM systems with insufficient cyclic prefix,” in Proc. IEEE Veh. Technol. Conf., Apr. 2007, pp. 1445-1449.
[9] W. Henkel et al., “The cyclic prefix of OFDM/DMT - an analysis,” in Proc. IEEE Int. Zurich Seminar on Broadband Communications, Feb. 2002, pp. 1-3.