The ups and downs and ins and outs of spread spectrum

It’s becoming increasingly common to see the terms “spread spectrum”, “frequency hopping” or “FHSS” on the spec sheets for wireless alarm systems.

The question is, what does it mean and how does it improve a wireless alarm system?

We might as well start with the Wikipedia definition:

Frequency-hopping spread spectrum (FHSS) is a method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver.

A diagram is a clear way of showing this:

Time vs channel

This is a really basic example with only 5 channels. The channel changes for each time slot, and the hopping pattern is a rather predictable 4, 1, 5, 2, 3. Both the transmitter and receiver know this hopping pattern and hop at the same interval.

Practical systems tend to use large numbers of channels (50 upwards) and hop frequently (hundreds of times a second).

This technique is used by Bluetooth and other technologies.

There is another form of spread spectrum called Direct Sequence Spread Spectrum, where the hops are faster than the data rate. This is rarely used in small embedded systems, but is used in WiFi.

What are the advantages of FHSS?

Resistance to jamming and interference

The most obvious advantage is that narrowband interference or jamming (jamming is really just intentional interference) will only cause a problem for one of the channels, so a signal can still make it through.

Jamming, I hope you like jamming too

In the image above, there is interference on channel 2. None of the signal on channel 2 will be received, but all of the other channels are still fine. Even if you continue to use channel 2, 80% of packets will make it through.

Resistance to eavesdropping

At least at a superficial level, you could conceive that an eavesdropper would have to know the hopping pattern to be able to listen in to an FHSS signal. For this reason, some think that FHSS provides added security.

Transmitting with higher power

This is not intrinsic to the technique of FHSS; it is more related to regulatory requirements. A big problem with most ISM band radio systems is contention for channel access. The most common technique to avoid problems (without using spread spectrum) is to limit the duty cycle to 1% or below. This gives other devices a chance to use the channel.

FHSS avoids this issue as you are only using one of a number of channels in a group. Multiple devices can be using the same group of channels and it is unlikely they will want to use the same channel at the same time. Contention is less of an issue for this reason.

This in turn means that more devices can operate in a given area. The area a transmitter operates in is defined by its output power – a higher power can transmit further.

The lower chance of contention means that FHSS devices are allowed to transmit with a higher power, and hence tend to have longer range.

What are the problems?

It sounds like FHSS is a great idea. But, as always, the devil is in the detail.

You cannot rely on FHSS to provide protection from eavesdropping

If we take a practical example of one alarm system – this hops over 50 frequencies in the US version (which is the FCC’s minimum number) at a rate of 64 hops per second. This might sound fast, but it really isn’t.

The CC1110 RF SoC has built-in support for FHSS. Using a technique whereby you pre-calibrate the frequency synthesiser, a hop time of ~75uS can easily be achieved. You can essentially turn it into a scanner – scanning all 50 frequencies as quickly as you can. This takes 3.75ms, a lot less than the dwell time of 15.625ms (1/64).

I might not be able to receive all of the packet – I’m going to miss at least some of the start of it – but I can receive some.

More to the point, I can record the hopping pattern. The design of most wireless systems means that this will never change.

The CCxxxx chips are used in a lot of alarm systems – from the low-end Friedland SL series to the high-end Texecom Ricochet. When they are used in alarm systems, they tend to be used conservatively – they need to work correctly all of the time. As a reverse engineer and hacker, I can push these chips to their limits and just hope that they work well enough to meet my goals once.

The same system mentioned above is sold in the UK but only hops over 4 frequencies. I don’t think this even meets regulatory requirements (another downside to self-certification), but it provides no protection against eavesdropping or even interference.

Predictable or simple pseudo-random hopping patterns

Both transmitter and receiver need to decide on a hopping pattern ahead of time. There are a number of techniques used to do this – you can store a predefined pattern in memory, or generate one using built-in hardware or software.

A cold hard fact of pseudo-random number generation, though, is that the pattern will repeat at some point. This could be after 127 bits or 32767 bits or anything really, depending on how it is implemented. Small embedded systems tend to use patterns that repeat after short periods though – PN9 (i.e. 511 bits) is common.

This means it is entirely feasible to record the hopping pattern. It’s very likely this pattern will be re-used.
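To put a number on how short a PN9-driven pattern is, the following added example (not code from the original post or from any alarm vendor) measures the generator's period and the hop cycle that results from it. It assumes the x^9 + x^5 + 1 polynomial, an all-ones seed and 8 generator bits per hop; the function names are hypothetical, and the 50 channels and 64 hops per second are the figures quoted earlier in the post.

```python
# Added example, not from the original post. Assumptions: the PN9 polynomial
# x^9 + x^5 + 1, an all-ones seed, and one hop per 8 generator bits.

def pn9_step(state):
    """Advance a 9-bit Fibonacci LFSR (x^9 + x^5 + 1) by one bit."""
    feedback = (state ^ (state >> 5)) & 1
    return (state >> 1) | (feedback << 8)

def bit_period(seed=0x1FF):
    """Count the steps until the register returns to its starting state."""
    state, steps = pn9_step(seed), 1
    while state != seed:
        state, steps = pn9_step(state), steps + 1
    return steps

def hop_pattern(n_channels, seed=0x1FF, bits_per_hop=8):
    """Return every channel visited before the generator state repeats."""
    pattern, state = [], seed
    while True:
        pattern.append((state & 0xFF) % n_channels)
        for _ in range(bits_per_hop):
            state = pn9_step(state)
        if state == seed:
            return pattern

def repeat_seconds(n_channels, hops_per_second):
    """Time taken for the whole hop pattern to come round again."""
    return len(hop_pattern(n_channels)) / hops_per_second

if __name__ == "__main__":
    print("bit period:", bit_period())
    print("hops before the pattern repeats:", len(hop_pattern(50)))
    print("seconds per cycle at 64 hops/s:", round(repeat_seconds(50, 64), 2))
```

Under these assumptions the full pattern comes round again in about eight seconds, and the cycle length does not depend on how many channels the bits are mapped onto.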

Some systems make it possible to look at the firmware and see the code that generates the hopping pattern.

Sequences are the same across all equipment

It’s hard to make every single device “custom”. This isn’t really a manufacturing concern – most devices are programmed at some point with a unique serial number. It’s more a protocol design issue – communicating a secret between devices ahead of time is hard work, especially on a one-way radio system. It’s also hard to work with 10 different transmitters using 10 different hopping patterns.

This means all detectors and all panels across every system made might use the same sequence. It only takes a small amount of effort for an attacker to determine this sequence and reuse it time and time again.

FHSS is complicated by other functionality

One of the advantages of FHSS is resistance to interference. As shown in the diagram above, if channel 2 is interfered with, we will only lose 20% of packets.

This is still a 20% packet loss – if other layers of the protocol aren’t designed to take account of this, it could totally cripple the system.

For this reason, many FHSS systems also employ adaptive frequency agility (AFA). If they detect a problem on a given channel, that channel will be taken out of use.

Adaptive frequency agility

How could this be a problem? Well, how long do I take that channel out of use for? What happens if more than 50% of my channels are taken out of use? There needs to be some kind of mechanism to bring the channels back into use at some point.

The design of AFA algorithms is complex, and mistakes are made. It can be possible to game them into a state where they believe that most channels are unusable. A parallel to this is mesh networking routing algorithms – you can sometimes game the system into believing there are no valid routes with only a few carefully crafted packets.
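The two design questions above (how long a channel stays out of use, and what happens once too many are out) can be answered with a minimum-channel floor and a timed re-admission. This added example, which is not from the original post or any product, compares a channel map with neither safeguard against one with both; the class name, the 5-channel setup, the floor of 3 and the 10-second hold-off are illustrative assumptions.

```python
# Added example, not from the original post. AfaChannelMap, the 5-channel
# setup, the floor of 3 and the 10 s hold-off are illustrative assumptions.

class AfaChannelMap:
    """Channel blacklist with an optional floor and timed re-admission."""

    def __init__(self, n_channels, min_active=0, holdoff=None):
        self.n_channels = n_channels
        self.min_active = min_active  # never go below this many channels
        self.holdoff = holdoff        # seconds out of use; None means forever
        self.blocked = {}             # channel -> time it was taken out

    def active(self, now):
        """Re-admit channels whose hold-off has expired, then list usable ones."""
        if self.holdoff is not None:
            self.blocked = {ch: t for ch, t in self.blocked.items()
                            if now - t < self.holdoff}
        return [ch for ch in range(self.n_channels) if ch not in self.blocked]

    def report_failure(self, channel, now):
        """Take a channel out of use; return False if the floor forbids it."""
        usable = self.active(now)
        if channel not in usable:
            return True               # already out of use
        if len(usable) <= self.min_active:
            return False              # keep hopping on it rather than go silent
        self.blocked[channel] = now
        return True

def replay(channel_map, reports, check_times):
    """Feed (time, channel) failure reports in, then sample the usable set."""
    for now, channel in reports:
        channel_map.report_failure(channel, now)
    return {t: channel_map.active(t) for t in check_times}

# Constructed input: one failure report per second, on every channel in turn.
REPORTS = [(t, ch) for t, ch in enumerate(range(5))]

if __name__ == "__main__":
    print("no safeguards:", replay(AfaChannelMap(5), REPORTS, [5, 60]))
    print("floor + hold-off:",
          replay(AfaChannelMap(5, min_active=3, holdoff=10), REPORTS, [5, 10, 11]))
```

Without the safeguards the map is empty after five reports and stays empty; with them, three channels always remain and the removed ones return once their hold-off expires.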


Whilst FHSS is a useful technique to improve interference and jamming immunity, it should never be relied on for security – that is what encryption and message authentication codes (MACs) are for.
