Could We Blow Up the Internet?
Is it possible to take down the internet by physically attacking its infrastructure?
Image: Cathryn Virginia
About six years ago, when I told people I was writing a novel about a group of activists destroying the internet, they would always ask me two questions. The first was always “why?”
Tellingly, that’s not a question I get asked anymore. More often than not I’m met with a “nice,” a “right on,” or just a knowing, appreciative nod. It seems like everybody has their own reasons for destroying the internet: Trump, gamergate, Brexit, Facebook, the alt-right, revenge porn. Take your pick, it’s been a wild six years.
The second question remains the same though: “how?”
It’s a valid one, if only because for decades we’ve been told the internet is basically indestructible, that its core foundation was ARPANET, the military computer network originally designed to survive a nuclear war. And it’s a question I was deliberately vague about answering in my book Infinite Detail; ultimately the internet is wiped out by a kind of uber-virus, a cyber weapon that’s somewhere between the Stuxnet worm and the WannaCry ransomware, that infects everything connected to the net, bricking it as it goes.
But before—and after—this happens, various characters and groups in the book are using more physical methods to attack and disrupt the internet. Electromagnetic pulse (EMP) devices are used to disrupt technology at protests, a revolutionary group sets out to wipe clean entire data centers, and an urban community cuts itself off completely from the internet by jamming wireless and cellphone connections. It’s both an exciting and frightening idea, that activists and protest groups—rather than military, paramilitary, or nation state forces—might be able to cause disruption and chaos via DIY methods of attacking internet infrastructure, but how realistic is it really?
Attacking the physical internet itself—the actual network cables, the data centers, and internet exchanges—is probably the hardest strategy of all. Unsurprisingly, they’re pretty secure sites. If, for argument's sake, you wanted to heavily disrupt internet usage in New York City, your best bet would be to target Internet Exchanges, which wouldn’t be easy. Internet Exchanges (known as IXs or IXPs) are physical locations where internet infrastructure companies like Internet Service Providers (ISPs) and Content Delivery Networks (CDNs) come together. While most people have some idea what ISPs like Comcast and AT&T do, CDNs are less familiar. By combining strategically placed proxy servers and data centers, CDNs like CloudFlare and Amazon CloudFront are designed to deliver content as smoothly and efficiently as possible, whether that’s your Facebook feed, your Spotify stream, or whatever you’re binge watching on Netflix this weekend.
NYC has a few major and important IXs. For example, there’s one in the sprawling, city block-sized Google building in Chelsea.
But the most familiar one to New Yorkers , even though most of them probably don’t realize it, is at 33 Thomas Street. It’s a huge, windowless building that dominates the skyline between the landing points of the Brooklyn and Manhattan bridges. Originally an AT&T telephone exchange, it was designed to be self-sufficient with its own electricity generators, gas, and water supplies and to be able to survive fallout for up to two weeks after a nuclear blast. It is also, according to a 2016 investigation by The Intercept, home to a secret NSA surveillance facility.
“If you actually wanted to really take out the Eastern seaboard’s communication systems, you would have to be hitting four or five internet exchanges, three of which are in Manhattan, simultaneously,” Ingrid Burrington, a journalist, artist, and author of Networks of New York: An Illustrated Field Guide To Urban Internet Infrastructure, told me over Skype. “If you just hit one, all you're going to do is slow some [internet traffic] down in some places. It would be bad but it wouldn't be devastating.”
Burrington said this would be beyond the scope of your average protest group because “it requires a level of coordination and resources that [means] you're probably dealing with a nation state actor. Or if you have a terrorist organization that has the resources of a nation state actor, you have bigger problems.”
What about hitting data centers? If IXs and CDNs deliver internet content and services, data centers are where that content is stored or generated. Couldn’t a group just force their way into one, and set fire to the servers or something?
“Again, it might slow things down for a bit,” Burrington said. “Whether it actually destroyed or erased any information seems pretty unlikely because there are enough data centers—and data is distributed enough and backed up enough—that in theory that probably would not be a major concern.”
It would however make for an audacious stunt, Burrington said, especially if you’re trying to target or protest against individual companies rather than the internet as a whole.
“On a symbolic, sort of optics level it might be compelling,” she said, “because data centers have become this fetishized, lionized, architectural artifact by companies, right? Like Facebook publishes glamor shots of their data centers and Google gets artists to paint murals on them.”
The other problem with data centers and internet exchanges is getting access to them. “They're large, very well-constructed buildings. They have security. They're not necessarily bomb-proof or entirely fireproof but they are designed to withstand harm,” she said. In fact, data center marketing campaigns regularly boast about how tough they are to get into. Google produced a slick video about its data center security, and even published a white paper on data center security that describes how it “conduct[s] disaster recovery drills in which we assume that individual data centers—including our corporate headquarters—won’t be available for 30 days. We regularly test our readiness for plausible scenarios as well as more imaginative crises, like alien and zombie invasions.”
I reached out to the usual large tech and hosting companies to get their viewpoints on data centre security and physical threats to the internet, but perhaps unsurprisingly they were a little reluctant to talk. Most of them, like Google, just pointed me towards their brochures, marketing materials, and corporate videos. I also tried to contact the FCC, but didn't hear back. The most willing to talk was Amazon Web Services (AWS), the infrastructure and hosting arm of Jeff Bezos’ online empire. After a brief chat they also pointed me towards its marketing materials, including this page on how its global infrastructure is organised in ‘zones’ and ‘regions’ to ensure multiple levels of back-ups and redundancy.
As I talk to Burrington I’m reminded of the first time we met, on a tour of data centers in New Jersey back in 2014, which felt like it involved as much time going through security checkpoints and waiting for background checks as it did looking at server racks. When visiting corporate hosting service Io’s (now known as Iron Mountain) intimidating corporate data centre the whole group had to agree to having their individual photos taken for the company’s records. Then we were led through a series of airlock style ‘man-traps’—choke points in the building’s corridors where invading forces could be sealed between two heavily armored doors. It’s clear if you wanted to do harm to a data center or it’s contents you’d need to get past all this first, and that would involve much more social engineering than brute force. You’d really have to get your cover story together.
“I think generally the way it seems to work well with data centers is posing as a potential client,” Burrington explained. “Going in as press means that they're going to be more attentive to what you're doing and what questions you're asking. Going in as a potential client means they're going to want to please you. They’ll defer to things that you do. If you're like, 'Excuse me. I'm going to go to the restroom,' they probably won't follow you in and will still be waiting as you [sneak] down another corridor.”
Okay, so breaking into data centers might make for an interesting political stunt or protest, but isn’t going to do a lot of long term damage. What about cutting undersea fibre optic cables, thousands of miles of which link the world together? There’s been plenty of rumours and reports about Russian plans to attack these if a major war were to break out, but Burrington said the logistics involved with doing this would, again, be out of the reach of most protest groups. That said, she does point to how Houthi rebels in Yemen allegedly managed to do enough damage to internet cables in 2018 that 80 percent of the country lost internet access. While the Houthis have seized control of the country’s ISPs in the past and enforced censorship, it’s not clear exactly what happened but it appears that this was unintentional, and may have just happened while they were digging defensive trenches.
"On a symbolic, sort of optics level it might be compelling.”
What about more immediate, direct action approaches? Protests themselves are obvious targets for digital surveillance and data collection by law enforcement agencies, is there anything activists could do to disrupt these technologies?
According to AKA, an MIT alum and artist-technologist from New York City, jamming technologies are actually pretty “easy to make from available supplies—to jam something, all you need to do is decide what channel (a range of the RF spectrum) and then do whatever it takes to be the loudest transmitter (transmitting noise, or whatever else you want) on that channel,” they tell me over email.
“That's for narrow-band jammers—basically, things you can point at a very specific channel of communications and then say ‘suppress communications on this channel’—usually the objective there is for the jammer to be able to use those same frequencies (or functionally equivalent ones, like switching Wi-Fi channels to reduce neighbors' interference). Many open-source boards are available that would facilitate this on various bands,” they said.
They point me to a handful of projects detailing how to do this, including one that comes with its own smartphone app, as well as this wonderful art project called Log Jammer by Allison Burtch—literally a wooden log with a jammer installed—which she designed to jam cell phone signals and “provides a safe space in the woods, a right to be alone.”
“People at a site of protest would probably select which channels they would like to disrupt and carry small, hobby-level devices concealed on their person,” AKA tells me over email. “This is real and happens now.”
According to AKA it’s even easier to disrupt communication channels in general by blacking out all Wi-Fi and cell signals at an event. “[If you want] to make sure no comms at all can take place, more simple techniques and setups will do the trick, with the caveat that they will suppress friendly comms as well,”—which of course would be fine if we’re on a mission to cause as much disruption as possible.
“Spark plugs (which are electrically equivalent to spark-gap transmitters) emit very powerful, wide-band noise and, if operated continually (at, say, 2Hz), will fuck up most communications that carry any data.” AKA explained. “A walkie-talkie - would still work, but you'd hear a loud pop every time the spark fired. Try it sometime! That's ostensibly why only diesel vehicles, which use glow plugs and don't emit a spark, are allowed inside the US National Radio Quiet Zone.”
All of this sounded a little too good or easy to be true, so I wanted to run it past another expert. Jeremy Hong is a defence contractor in Dayton, OH specialising in RF technologies, and who also gives talks at hacker conferences on electronic warfare. “Yes, in 2019, it is definitely possible to block all frequencies operating from DC (0 Hz) - 6 GHz inexpensively and thus blocking out basically all frequencies that consumer devices use,” he told me over email. He points me to the Wave Bubble Jammer, a DIY system, saying that it’s “possible to expand that design to cover all consumer cell, Wi-Fi, GPS, two-way radio, L-Band Satellite phones (Ex. Iridium), and other forms of communications under 6 GHz."
Generally speaking, most consumer devices that people have operate anywhere from DC - 6 GHz, so using a combination of SDRs and Wave Bubble-like jammers over these frequencies should cover pretty much everything.
"Communications beyond 6 GHz may be out of scope, because the communications equipment gets exorbitantly and exponentially more expensive beyond this frequency (Relative to the consumer)," Hong said. "It is highly unlikely that someone in this event of interest would have a satellite phone or radios capable of working above 6 GHz or have access to military/high-end research communications equipment to transmit on those frequencies.”
“A cyber attack is much easier in the sense of potential collateral and cost.”
So DIY jamming technologies can be effective. But what about the improvised Electromagnetic Pulse (EMP) grenades, designed to wreak more permanent and physical damage by overwhelming electrical circuits? EMP weapons have been a standard device in science fiction since the beginning of the Cold War, when testing showed that nuclear bombs could release an EMP big enough to disrupt and even permanently damage electrical systems on a city wide scale. Last month, they re-entered the public consciousness in a big way when President Trump signed an executive order aimed at preparing the US to withstand an EMP attack. This folllows a congressional report claiming that North Korea could detonate them over America, and the resulting chaos would lead to the death of 90 percent of the US population. It’s a bold claim that was dismissed as alarmist propaganda by some defense experts, who don’t see North Korea having anywhere near that capability at present—and say that if they did we should be more worried about a conventional nuclear attack—but the science seems sound.
The theory, known as the Compton effect after physicist Arthur Compton, is that photons of electromagnetic energy from something like the gamma blast from a nuclear bomb can knock loose electrons from oxygen and nitrogen atoms in the atmosphere. When these interact with the Earth’s magnetic field they create a fluctuating electromagnetic pulse that can induce electrical currents strong enough to overwhelm and burn out electrical circuits. It does, however, need access to a nuclear weapon for it to work, something that’s luckily out of the reach of most political protest groups.
Not that a nuclear bomb is the only way of creating an EMP. Go and search YouTube and you’ll easily find dozens of videos like this one showing you how to, apparently, make a small EMP device from off the shelf components that will disrupt something like a smartphone. How easy would it be to scale something like this up to cause more widespread damage?
Not so easy, according to AKA, as the amount of power required would be huge. “For a jerry-rigged EMP to even approach the power needed to take out, say, the hardware on a phone pole or switch box, you'd need a really large and noticeable apparatus—like a cyclotron [a kind of large, powerful particle accelerator] or an industrial transformer or smelter.”
There are other options though, they suggest, but most of them are too dangerous to be realistic. “[You could use] an extremely dangerous radiation source, like a cathode-ray tube or x-ray tube (very easily available on eBay, unregulated). [Or the] the guts of a microwave, which just emits microwave radiation everywhere—this will also start an exciting fire and hurt everyone very badly, and will destroy itself pretty quickly.”
So it seems that while temporarily jamming Wi-Fi, radio, and cell signals might be easily within the reach of protest groups, doing more long term damage and physical destruction to the internet itself seems to be something only nation states—or incredibly powerful terrorist organizations would have the power to do. And if you’re one of them, why would you bother? What would you hope to achieve that you couldn’t do with cyber warfare? Or even just conventional attacks on major infrastructure?
“[If] you're at the point where you need to do physical attacks you've also just kind of portrayed that you don't have the capability to just do a cyber attack.” Burrington said. “A cyber attack is much easier in the sense of potential collateral and cost.”
“Also at a certain point with that you probably might also just create a condition where you create a power outage, which achieves your ends in the same way. There’s [little] difference between knocking out the internet and just like knocking out the power grid, they do the same thing.”