Keynote on Massive and Ultra-Reliable Access at IEEE ICC Workshops

I have given a keynote speech at the IEEE MASSAP Workshop at ICC 2015 in London. The talk is on wireless massive and ultra-reliable communications, which are seen as two new modes that will be featured in 5G. There is, of course, a technical part in the talk, but there is also a part which argues why the research on wireless and communication theory is still vital. The slides can be found here:

Wireless Lowband Communications: Massive and Ultra-Reliable Access

Ultra-Reliable Communication in 5G Wireless Systems

Wireless 5G systems will not only be “4G, but faster”. One of the novel features discussed in relation to 5G is Ultra-Reliable Communication (URC), an operation mode not present in today’s wireless systems. URC refers to the provision of a certain level of communication service almost 100% of the time. Example URC applications include reliable cloud connectivity, critical connections for industrial automation and reliable wireless coordination among vehicles. This paper puts forward a systematic view on URC in 5G wireless systems. It starts by analyzing the fundamental mechanisms that constitute a wireless connection and concludes that one of the key steps towards enabling URC is revision of the methods for encoding control information (metadata) and data. It introduces the key concept of Reliable Service Composition, where a service is designed to adapt its requirements to the level of reliability that can be attained. The problem of URC is analyzed across two different dimensions. The first dimension is the type of URC problem that is defined based on the time frame used to measure the reliability of the packet transmission. Two types of URC problems are identified: long-term URC (URC-L) and short-term URC (URC-S). The second dimension is represented by the type of reliability impairment that can affect the communication reliability in a given scenario. The main objective of this initial work on URC is to create the context for defining and solving the new engineering problems posed by URC in 5G.

The full article is available here.


More on the jamming hypothesis for MH370

Today there was an article in the Danish engineering newspaper Ingeniøren, following up on my blog post on the jamming hypothesis as an explanation for the disappearance of the Malaysian Airlines flight MH370. As the original article is in Danish, I am summarizing the main points that supplement the information provided in the previous blog post.

There are a couple of questions that can challenge the jamming hypothesis.

1. Why was the satellite communication link not jammed?

As explained in the previous blog post, the satellite communication takes place in a different frequency band, higher than 1.5 GHz, and the easiest explanation is that the jammer simply did not have a sufficiently large bandwidth. Namely, the larger the bandwidth, the more difficult and expensive it is to make a jammer that will radiate in the whole frequency region.

Another explanation could be that the jammer was put in a position where it could jam the antennas at the bottom of the airplane, but not on the top, see this post for placement of antennas.

2. If we assume that the satellite communication link was jammed, how could the airplane send a ping?

That could have happened if the transmission of the ping message does not follow the carrier sense multiple access protocol and the ping or “I am alive” message is transmitted regularly (in this case every hour). This is hard to confirm, as it depends on the details of the protocol implementation, which do not seem to be publicly available.

3. If the VHF link was jammed and the satellite communication was not, why did ACARS not switch seamlessly to satellite communication, as explained in this post?

That depends on which criterion the system implementation uses to switch. Here are two possibilities:

  • The ACARS protocol switches from VHF to satellite communication based on the GPS coordinates. As the pilot explained here, if the airplane goes far away where there is no VHF coverage, then it should switch seamlessly. First of all, the airplane did not seem to be far away from VHF coverage when the communication stopped, so perhaps this GPS criterion was not put in place at all. On the other hand, if the plane later went towards the south, then it entered a region where only satellite coverage is available, so the GPS criterion must have been activated. What could have happened? One option is that GPS could have been jammed and no valid GPS coordinates could have been received. However, this is hard to reconcile with the assumption that the satellite communication link was not jammed. Another option is that GPS spoofing was used, which had recently been indicated as an extremely serious threat. The GPS spoofing hypothesis could also be used to explain the route taken by the airplane. Conversely, if GPS spoofing was not used and there is credible information that GPS coordinates are used in the criterion to switch ACARS from VHF to satellite, then this could also hint that the airplane went north, close to land, rather than south.
  • The ACARS protocol switches from VHF to satellite communication based on the bad quality of the VHF link. This really depends on the exact criterion used to switch. I can think of at least one criterion that could not be activated due to jamming. Let us assume that ACARS switches from VHF to satcom if it measures a weak VHF signal; in that case the power received from the jammer would not have allowed such switching, as it would never measure a weak signal and thus never switch. Again, the final word on this belongs to those who implemented the system.
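The weak-signal criterion from the second bullet, as an added Python model (not part of the original post and not ACARS code): a carrier-sensing sender evaluated against constructed received-power samples. All thresholds are assumptions, and the deferral-count criterion goes beyond the post; it is included only to show a failover test that does not depend on measuring a weak signal.

```python
# Added illustration: hypothetical model of a CSMA sender with two candidate
# VHF-to-satcom failover criteria. Thresholds and samples are constructed.
from dataclasses import dataclass

BUSY_DBM = -90.0   # assumed carrier-sense threshold: channel busy above this
WEAK_DBM = -100.0  # assumed "weak VHF signal" threshold (criterion A)
MAX_DEFER = 5      # assumed limit of consecutive deferrals (criterion B)

@dataclass
class Result:
    sent_on_vhf: int            # messages that actually left on VHF
    switched_weak_signal: bool  # criterion A fired
    switched_on_deferral: bool  # criterion B fired

def run(rssi_dbm):
    """One transmit attempt per sample of total in-band received power (dBm)."""
    sent = deferrals = 0
    weak = stuck = False
    for p in rssi_dbm:
        if p < WEAK_DBM:
            weak = True             # A: coverage looks lost, switch to satcom
        if p > BUSY_DBM:
            deferrals += 1          # CSMA: carrier sensed, hold the message
            if deferrals >= MAX_DEFER:
                stuck = True        # B: the channel never clears, switch
        else:
            deferrals = 0
            sent += 1               # channel idle, message goes out
    return Result(sent, weak, stuck)

# Constructed samples (dBm)
NORMAL = [-95, -85, -96, -94, -88, -97, -95, -93]       # occasional other traffic
OUT_OF_COVERAGE = [-104, -106, -108, -110, -112, -115]  # leaving ground-station range
STRONG_CARRIER = [-60] * 8                              # continuous strong in-band power

if __name__ == "__main__":
    for name, samples in [("normal", NORMAL),
                          ("out of coverage", OUT_OF_COVERAGE),
                          ("strong carrier", STRONG_CARRIER)]:
        print(name, run(samples))
```

Under the continuous strong carrier the sender transmits nothing and criterion A never fires, because the measured power is never weak; only the deferral-based test notices that the link is unusable.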

Let me summarize the jamming hypothesis.

  1. Assuming that VHF, the transponder, the satellite link and the GPS were jammed, then this can only hold true if the “I am alive” message is sent by the airplane regularly and unconditionally, without following a carrier sensing protocol.
  2. Assuming that VHF and the transponder were jammed, but GPS and the satellite link were not, then we need to explain why ACARS did not switch to satellite communication. One reason can be that the switching has been disabled by the jammer. The other reason can be that switching has been disabled by providing false GPS coordinates through a device that does GPS spoofing. And in that case, this could also contribute to the explanation of the route taken by the airplane.




What could have disabled the communication links on the missing flight MH370?

This is not exactly an M2M topic, but rather in the more general area of communication engineering, and is related to the dramatic event of the disappearance of MH370. I would just like to put forward another explanation as an alternative to the leading hypothesis, which states that the pilots disabled the communication systems on the plane. A disclaimer: I have not been involved with specification or implementation of the communication protocols relevant in this case, but I could infer conclusions based on information that is publicly available (see the references below).

The two communication systems that had been disabled are ACARS (Aircraft Communications Addressing and Reporting System) and the transponder. Let us look first at ACARS. It is based on a VHF link in the range of 130 MHz. The communication protocol used by ACARS to send messages is called carrier sense multiple access (CSMA) [REF1], which means that the message can be sent only if the communicating device at the airplane senses that there is nobody else transmitting. But this means that, if there is a malicious jamming device attached to the Boeing 777 plane (or even more wildly, on another plane flying very close to the Boeing 777 plane), which transmits continuously at the same frequency used by ACARS, then the ACARS message would not have been sent. For the ground control it would look as if the ACARS is disabled by the pilots, which is the leading hypothesis at the moment. Note that there is a study [REF2] that already points out the vulnerability of the VHF protocol to jamming.

In a similar way, putting a jammer at 1030 MHz would block the transponder of the plane, as the transponder would not be able to receive messages from the ground and would therefore not respond. Jamming of the transponder has also happened before [REF3].

The ping messages received through the satellite link are transmitted/received in frequencies higher than 1500 MHz, hence it is plausible to have a jammer that blocks ACARS at 130 MHz and the transponder at 1030 MHz, but not the satellite link.

Therefore, a probable explanation of what has been observed about the communication systems on MH370 is that ACARS and the transponder have been disabled by jamming.  At first the jammer at 130 MHz was activated and shortly after the one at 1030 MHz. A supplementary element of the above “theory” is the possible use of spoofing techniques. Namely, in addition to jamming the usual ACARS communication, there could have been a device that provides false information to the airplane by capturing the ACARS link and creating an illusion for the pilots that they are communicating with the ground control.  In the same report [REF2], spoofing is mentioned as a plausible attack on the VHF system.

I cannot say that this explanation is totally accurate, since I do not have access to the actual way in which the protocols are implemented, but for the investigators who do have access, it provides a hint and a possible direction of investigation. On the other hand, it is a plausible alternative to the explanation that the people in the cockpit deliberately turned off the transponder and the ACARS communication system, and it expands the investigation also towards all the people that had access to the airplane before the takeoff.

Dr. Petar Popovski

Follow-up on this post, with further analysis, can be found here.


[REF1] SITA, “AIRCOM New Generation Services“, position paper,, retrieved March 16, 2014.

[REF2] EUROCONTROL, “VHF security study“, available at‎ 

[REF3] T. Cabannes, “Transponder Jamming”, available at

WiFi Wake-up Receiver

The best way to reduce the energy consumption of a wireless device is to turn it on only when necessary. This is easy to realize if the transmitter and receiver know the exact timing of their communications, that is, if a complete rendezvous can be accomplished between them. But of course, this is not the case most of the time, since the traffic pattern over a communications network is bursty and unpredictable: the receiver does not know when the transmitter wants to send packets to it.

Then, the transmitter can somehow poke a sleeping receiver when it needs to communicate. This is called wake-up signaling, and a lot of studies have been (and are being) done for sensor networks, where the energy efficiency of devices is one of the most important requirements. In general, wake-up signaling is done through a secondary channel. Here, the primary channel is the channel for data transmission/reception, which consumes a relatively high amount of energy. On the other hand, the secondary channel is only for sending the wake-up message, and is realized by a very simple, low-power radio. When there is no communication demand, only the secondary channel is active, and the radio interface for the primary channel is completely turned off. Since the secondary radio consumes little energy, we can significantly reduce the energy consumed in an idle state. That is, the gap in energy consumption between the primary and secondary channels is exploited for energy saving.

We have been applying the concept of wake-up signaling to reduce the energy wastefully consumed by WiFi routers in a research project funded by the Japanese government. The active duration of WiFi routers is much shorter than the idle duration. For example, the WiFi router at your home is automatically powered on/off according to your communication demands. A very simple wake-up receiver, which operates with non-coherent on-off-keying (OOK) detection, is installed into the WiFi router. The energy gap between WiFi and such a simple receiver is so large that we can have a huge gain in terms of energy saving. But one problem was the need for the WiFi station (e.g. your laptop or smartphone) to have an additional device to transmit a wake-up signal.

Our solution to this problem was to reuse the WiFi transmitter already installed in the WiFi station. The simple OOK wake-up receiver at the WiFi router is designed to be able to detect the length of WiFi frames observed over the 2.4 GHz ISM band. The WiFi station embeds information (e.g. a wake-up ID) into the length of transmitted WiFi frames (you can imagine Morse code, where the length of a WiFi frame corresponds to dot and dash). The wake-up receiver turns on the WiFi router if the detected length matches its registered ID. The detailed information on wake-up mechanisms and receiver can be found in [1] and [2].
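The frame-length signaling described above, as an added Python sketch (not part of the original post and not the scheme from [1] or [2]): the station side turns ID bits into frame durations, and the receiver side recovers them from an on/off energy envelope alone. The durations, tolerance, gap, sampling period and the two-length alphabet are all assumptions chosen for illustration.

```python
# Added illustration with assumed parameters; envelopes are constructed.
SAMPLE_US = 10              # assumed envelope-detector sampling period (us)
SYMBOLS = {0: 400, 1: 800}  # assumed frame durations (us) for bit 0 / bit 1
TOL_US = 100                # assumed tolerance when classifying a burst
GAP_US = 200                # assumed idle gap between frames

def encode(bits):
    """Station side: on/off envelope (1 = energy present) for a bit sequence."""
    env = []
    for b in bits:
        env += [1] * (SYMBOLS[b] // SAMPLE_US) + [0] * (GAP_US // SAMPLE_US)
    return env

def burst_lengths(envelope):
    """Receiver side: OOK detection only measures how long energy stays on."""
    lengths, run = [], 0
    for s in list(envelope) + [0]:   # trailing 0 flushes the last burst
        if s:
            run += 1
        elif run:
            lengths.append(run * SAMPLE_US)
            run = 0
    return lengths

def decode(lengths):
    """Map each burst to a bit; None marks a frame outside the code (other traffic)."""
    bits = []
    for length in lengths:
        match = [b for b, d in SYMBOLS.items() if abs(length - d) <= TOL_US]
        bits.append(match[0] if match else None)
    return bits

def should_wake(envelope, registered_id):
    """Wake only if the registered ID appears as a contiguous run of decoded bits."""
    bits = decode(burst_lengths(envelope))
    n = len(registered_id)
    return any(bits[i:i + n] == registered_id for i in range(len(bits) - n + 1))

if __name__ == "__main__":
    my_id = [1, 0, 1, 1, 0]                     # constructed wake-up ID
    other_traffic = [1] * 150 + [0] * 20        # constructed 1500 us data frame
    print(should_wake(other_traffic + encode(my_id), my_id))      # ID present
    print(should_wake(other_traffic + encode([1, 1, 0]), my_id))  # different ID
```

The receiver never demodulates a WiFi frame; it classifies burst durations, which is why ordinary traffic of other lengths decodes to `None` and breaks any partial match.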

Basically, we have realized information exchange between a WiFi transmitter and a very simple, low-cost, and low-power receiver which has a completely different physical layer from WiFi. The layering concept has been developed to offer communications capabilities between devices having a common communications protocol. We have shown that, in a particular setting and scenario, communications between devices implementing different protocols are possible and useful. We are now seeking scenarios in M2M where this type of communications and device can be exploited.

[1] Y. Kondo, H. Yomo, S. Tang, M. Iwai, T. Tanaka, H. Tsusui, and S. Obana, “Energy-efficient WLAN with on-demand AP wake-up using IEEE 802.11 frame length modulation,” Elsevier Computer Communications, Vol. 35, Issue 14, pp. 1725–1735, August 2012.

[2] H. Yomo, Y. Kondo, N. Miyamoto, S. Tang, M. Iwai, and T. Ito, “Receiver Design for Realizing On-Demand WiFi Wake-up using WLAN Signals,” in Proc. of IEEE Globecom 2012, Dec. 2012.

M2M workshop at FTW in Vienna, September 26, 2012

Our research group was represented at the 1-day workshop on M2M communications arranged by FTW in Vienna. The program can be found here:

Petar’s presentation was about “Communication protocols for mass M2M access” and the slides can be found here.