
    Challenges in the Implementation and Simulation for Wireless Side-Channel based on Intentionally Corrupted FCS

    Abstract: We report on the challenges faced in the implementation and simulation of a side-channel communication based on frames with an intentionally corrupted Frame Check Sequence (FCS). Systematically corrupted FCSs can be used to enable covert communications between nodes that share the same algorithm for deciphering the FCS. In order to assess the possibility of detecting this side-channel communication, it is necessary to be able to simulate it as well as to implement it on actual devices. Nearly all simulators drop corrupted frames before they reach their destination, making it impossible to simulate any side-channel communication based on an intentionally corrupted FCS. We present an example of the modifications required to prevent this, as applied to a well-known simulator called Sinalgo. We also discuss problems encountered when trying to intentionally corrupt the FCS on actual devices.

    Evaluating Hamming Distance as a Metric for the Detection of CRC-based Side-channel Communications in MANETs

    Abstract: Side-channel communication is a form of traffic in which malicious parties communicate secretly over a wireless network. This is often established through the modification of Ethernet frame header fields, such as the Frame Check Sequence (FCS). The FCS is responsible for determining whether or not a frame has been corrupted in transmission, and contains a value calculated through the use of a predetermined polynomial. A malicious party may send messages that appear as nothing more than naturally corrupted noise on a network to those who are not the intended recipient. We use a metric known as Hamming distance in an attempt to differentiate purposely corrupted frames from naturally corrupted ones. In theory, it should be possible to recognize purposely corrupted frames based on how high this Hamming distance value is, as it signifies how many bits are different between the expected and the received FCS values. It is hypothesized that a range of threshold values based on this metric exists, which may allow for the detection of side-channel communication across all scenarios. We ran an experiment with human subjects in a foot platoon formation and analyzed the data using a support vector machine. Our results show promise for the use of Hamming distance for side-channel detection in MANETs.
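As an added illustration of the two abstracts above (example code written for this page, not code from either paper): a toy covert channel that XORs one covert byte into the low 8 bits of an otherwise-correct CRC-32 FCS, the receiver that recovers it, and the Hamming-distance detector metric compared against single-bit channel errors. The corruption scheme, the 8-bit threshold and the sample frame body are assumptions made for this example; neither abstract specifies the corruption algorithm it used.

```python
# Added example (not code from any of the listed papers): a toy covert channel
# in the Ethernet/802.11 FCS and the Hamming-distance detector the second
# abstract evaluates. The corruption scheme (covert byte XORed into the low 8
# bits of the correct CRC-32) is a hypothetical choice made for this example.
import zlib
from typing import Optional, Tuple

FCS_LEN = 4  # the 802.3 / 802.11 FCS is a 32-bit CRC


def fcs(body: bytes) -> int:
    """CRC-32 over the frame body with the 802.3/802.11 polynomial.
    zlib.crc32 uses the same reflected polynomial, init value and final XOR."""
    return zlib.crc32(body) & 0xFFFFFFFF


def hamming(a: int, b: int) -> int:
    """Number of bits that differ between two FCS values."""
    return bin(a ^ b).count("1")


def build_frame(body: bytes, covert_byte: Optional[int] = None) -> bytes:
    """Append an FCS. With covert_byte set, the FCS is deliberately wrong:
    the byte is XORed into its low 8 bits, so an ordinary receiver just sees
    a frame that fails its CRC check and drops it."""
    value = fcs(body)
    if covert_byte is not None:
        if not 1 <= covert_byte <= 0xFF:
            raise ValueError("covert byte must be 1..255 so the FCS is actually corrupted")
        value ^= covert_byte
    return body + value.to_bytes(FCS_LEN, "big")


def split_frame(wire: bytes) -> Tuple[bytes, int]:
    return wire[:-FCS_LEN], int.from_bytes(wire[-FCS_LEN:], "big")


def covert_decode(wire: bytes) -> Optional[int]:
    """Receiver that shares the scheme: an FCS differing from the expected
    value only in its low byte carries a covert byte; anything else is noise."""
    body, received = split_frame(wire)
    diff = fcs(body) ^ received
    if diff == 0 or diff >> 8:
        return None
    return diff


def flip_bit(wire: bytes, bit_index: int) -> bytes:
    """Model one channel bit error at the given bit offset of the frame."""
    data = bytearray(wire)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


def fcs_distance(wire: bytes) -> int:
    """The detector metric: Hamming distance between the FCS recomputed over
    the received body and the FCS that actually arrived."""
    body, received = split_frame(wire)
    return hamming(fcs(body), received)


def classify(wire: bytes, threshold: int = 8) -> str:
    """Threshold rule for the low-byte scheme: an intentionally corrupted frame
    differs in at most 8 FCS bits, while a bit error in the body scrambles the
    CRC-32 and differs in about 16 bits on average."""
    d = fcs_distance(wire)
    if d == 0:
        return "clean"
    return "suspicious" if d <= threshold else "noise"


def mean_distance_under_body_noise(body: bytes) -> float:
    """Average detector distance over every possible single bit error in the
    body, for comparison with the <= 8 bits an intentional corruption yields."""
    good = build_frame(body)
    n = len(body) * 8
    return sum(fcs_distance(flip_bit(good, i)) for i in range(n)) / n


# Constructed sample frame body (not captured traffic).
SAMPLE_BODY = bytes(range(64))

if __name__ == "__main__":
    covert = build_frame(SAMPLE_BODY, 0x5A)
    print("covert byte recovered:", hex(covert_decode(covert)))
    print("distance, class:", fcs_distance(covert), classify(covert))
    print("mean distance under body noise:", mean_distance_under_body_noise(SAMPLE_BODY))
    # A single bit error landing in the low FCS byte is indistinguishable from
    # covert data under this scheme: distance 1, decoded as covert byte 0x01.
    noisy_fcs = flip_bit(build_frame(SAMPLE_BODY), len(SAMPLE_BODY) * 8 + 24)
    print("FCS-only error:", fcs_distance(noisy_fcs), classify(noisy_fcs), covert_decode(noisy_fcs))
```

Running the block shows the covert frame decoded back to 0x5A at distance 4, an average distance of roughly 16 bits over every single-bit error in the body, and the failure mode a threshold cannot resolve: a single bit error that lands in the low FCS byte scores distance 1 and decodes as a covert 0x01. The threshold therefore trades false positives on FCS-only noise against misses on body noise, which is why the usable threshold range is an empirical question in the second abstract.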

    "The Good, The Bad And The Ugly": Evaluation of Wi-Fi Steganography

    In this paper we propose a new method for the evaluation of network steganography algorithms based on the new concept of "the moving observer". We considered three levels of undetectability named "good", "bad", and "ugly". To illustrate this method we chose Wi-Fi steganography as a solid family of information hiding protocols. We present the state of the art in this area, covering well-known hiding techniques for 802.11 networks. "The moving observer" approach could help not only in the evaluation of steganographic algorithms, but also might be a starting point for a new detection system of network steganography. The concept of a new detection system, called MoveSteg, is explained in detail.
    Comment: 6 pages, 6 figures, to appear in Proc. of: ICNIT 2015 - 6th International Conference on Networking and Information Technology, Tokyo, Japan, November 5-6, 201

    Comparison of proposals for the future aeronautical communication system LDACS

    To cover future capacity demand in aeronautical navigation, new air-ground communication services are needed. The European Organisation for the Safety of Air Navigation, Eurocontrol, supported the development of two proposals for such a system. The first proposal, called LDACS1, is a digital broadband OFDM-based system developed by the Institute of Communications and Navigation, DLR. The second proposal, LDACS2, is being developed by a project team consisting of EGIS ASVIA, Helios SWEDAVIA and others. LDACS2 follows a single-carrier approach with GMSK modulation. Both systems are intended to operate in the aeronautical part of the L-band (960-1164 MHz). However, this band is already used by various legacy aeronautical systems, e.g. civil air navigation (DME) or military communication systems (Joint Tactical Information Distribution System, JTIDS). Moreover, LDACS is exposed to airborne interference. A decisive point in the selection process for one of the LDACS systems is guaranteeing the coexistence of LDACS and the legacy systems. On the one hand, it must be shown that LDACS has only a small influence on the legacy systems. On the other hand, reliable operation despite interference must be guaranteed. In this master's thesis the performance of LDACS2 is analysed. The task comprises some theoretical considerations for determining capacity, spectral efficiency, scalability and the possible number of simultaneous users. The result shows that the offered bit rate per user is limited by the limited bandwidth. However, for low to moderate user load, the offered bit rates are within an acceptable range.
    The main part of this work deals with the implementation of the LDACS2 system in simulation software. This covers the entire physical layer and the basic parts of the higher layers. Particular emphasis is placed on the implementation and assessment of effective channel equalization algorithms, their analysis and evaluation. Besides AWGN channels, realistic aeronautical channel models were also applied. It turned out that the channel coding in this design is not sufficient. Ilmenau, Techn. Univ., Master's thesis, 201

    Security protocols suite for machine-to-machine systems

    Nowadays, the great diffusion of advanced devices, such as smartphones, has shown that there is a growing trend to rely on new technologies to generate and/or support progress; society is clearly ready to rely on next-generation communication systems to face today's concerns in the economic and social fields. The reason for this sociological change is that these technologies have been opened to all users, even if the latter do not necessarily have specific knowledge in this field, and therefore the introduction of new user-friendly applications has appeared as a business opportunity and a key factor to increase the general cohesion among all citizens. Among the actors of this technological evolution, wireless machine-to-machine (M2M) networks are becoming of great importance. These wireless networks are made up of interconnected low-power devices that are able to provide a great variety of services with little or even no user intervention. Examples of these services are fleet management, fire detection, utilities consumption (water and energy distribution, etc.) or patient monitoring. However, since any arising technology goes together with security threats that have to be faced, further studies are necessary to secure wireless M2M technology. In this context, the main threats are those related to attacks on the availability of services and on the privacy of both the subscribers' and the service providers' data. Taking into account the often limited resources of the M2M devices at the hardware level, ensuring the availability and privacy requirements across the range of M2M applications while minimizing the waste of valuable resources is even more challenging. Based on the above facts, this Ph.D. thesis is aimed at providing efficient security solutions for wireless M2M networks that effectively reduce the energy consumption of the network while not affecting the overall security services of the system.
    With this goal, we first propose a coherent taxonomy of M2M networks that allows us to identify which security topics deserve special attention and which entities or specific services are particularly threatened. Second, we define an efficient, secure data-aggregation scheme that is able to increase the network lifetime by optimizing the energy consumption of the devices. Third, we propose a novel physical authenticator, or frame checker, that minimizes the communication costs in wireless channels and successfully withstands exhaustion attacks. Fourth, we study specific aspects of typical key-management schemes to provide a novel protocol which ensures the distribution of secret keys for all the cryptographic methods used in this system. Fifth, we describe the collaboration with the WAVE2M community in order to define a proper frame format actually able to support the necessary security services, including the ones that we have already proposed; WAVE2M was founded to promote the global use of an emerging wireless communication technology for ultra-low-power and long-range services. And finally, sixth, we provide an accurate analysis of privacy solutions that actually fit the requirements of M2M-network services. All the analyses in this thesis are corroborated by simulations that confirm significant improvements in terms of efficiency while supporting the necessary security requirements for M2M networks.

    Improving Performance of IEEE 802.11p MAC Layer for Emergency Message Dissemination

    Vehicular ad-hoc networking is the most promising subfield of mobile ad-hoc networks, and may become the ad-hoc networking technology in the near future for vehicles communicating amongst themselves on the road. It uses the IEEE 802.11p MAC protocol as its wireless networking technology. The IEEE 802.11p MAC protocol has inherent problems in the wireless ad-hoc networking environment due to its heterogeneous, infrastructureless and highly dynamic nature. The performance of the IEEE 802.11p MAC layer for vehicular ad-hoc networking is based on the performance of one-hop broadcasting. The performance of IEEE 802.11p one-hop broadcasting is of major concern for emergency message dissemination. The CSMA/CA protocol used in IEEE 802.11p is far from an optimal solution for emergency message dissemination due to the inherent properties of random access, higher delivery delays and retransmissions. Techniques to improve the delivery rate of emergency message dissemination and minimize its latency, such as disabling backoff and synchronous transmission, are mentioned in this thesis, of which one, disabling backoff, is evaluated through simulation results. The goal of this thesis work is to evaluate a technique that modifies the IEEE 802.11p MAC layer protocol, using Network Simulator 3 (NS3). The technique is based on introducing a separate EDCA queue and a separate EDCAF function for emergency messages in the QoS EDCA priority queues, disabling backoff for emergency messages and giving the highest priority to emergency messages in a station whose different AC queues are seeking a transmission opportunity. Disabling backoff for emergency messages may reduce the latency arising from the exponential backoff algorithm. As backoff is disabled, more than one station may start transmitting an emergency message at the same time. So, it can be deduced that such a technique could be beneficial for simple emergency applications.
    The simulation results show that this technique could be useful for emergency applications utilizing a buzz signal for hazard warnings on the road.

    Radio Frequency Fingerprinting Techniques through Preamble Modification in IEEE 802.11b

    Wireless local area networks are particularly vulnerable to cyber attacks due to their contested transmission medium. Access point spoofing, route poisoning, and cryptographic attacks are some of the many mature threats faced by wireless networks. Recent work investigates physical-layer features such as received signal strength or radio frequency fingerprinting to identify and localize malicious devices. This thesis demonstrates a novel and complementary approach to exploiting physical-layer differences among wireless devices that is more energy efficient and invariant with respect to the environment than traditional fingerprinting techniques. Specifically, this methodology exploits subtle design differences among different transceiver hardware types. A software defined radio captures packets with standard-length IEEE 802.11b preambles, manipulates the recorded preambles by shortening their length, then replays the altered packets toward the transceivers under test. Wireless transceivers vary in their ability to receive packets with preambles shorter than the standard. By analyzing differences in packet reception with respect to preamble length, this methodology distinguishes amongst eight transceiver types from three manufacturers. All tests that successfully enumerate the transceivers achieve accuracy rates greater than 99%, while transmitting fewer than 60 test packets. This research extends previous work illustrating RF fingerprinting techniques through IEEE 802.15.4 wireless protocols. The results demonstrate that preamble manipulation is effective for multi-factor device authentication, network intrusion detection, and remote transceiver type fingerprinting in IEEE 802.11b.

    Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements Through Wi-Fi Firmware Modifications

    Smartphones come with a variety of sensors and communication interfaces, which make them perfect candidates for mobile communication testbeds. Nevertheless, proprietary firmware hinders us from accessing the full capabilities of the underlying hardware platform, which impedes innovation. Focusing on FullMAC Wi-Fi chips, we present Nexmon, a C-based firmware modification framework. It gives access to raw Wi-Fi frames and advanced capabilities that we found by reverse engineering chips and their firmware. As firmware modifications pose security risks, we discuss how to secure firmware handling without impeding experimentation on Wi-Fi chips. To present and evaluate our findings in the field, we developed the following applications. We start by presenting a ping-offloading application that handles ping requests in the firmware instead of the operating system. It significantly reduces energy consumption and processing delays. Then, we present a software-defined wireless networking application that enhances scalable video streaming by setting flow-based requirements on physical-layer parameters. As a security application, we present a reactive Wi-Fi jammer that analyses incoming frames during reception and transmits arbitrary jamming waveforms by operating Wi-Fi chips as software-defined radios (SDRs). We further introduce an acknowledging jammer to ensure the flow of non-targeted frames and an adaptive power-control jammer to adjust transmission powers based on measured jamming successes. Additionally, we discovered how to extract channel state information (CSI) on a per-frame basis. Using both the SDR and the CSI-extraction capabilities, we present a physical-layer covert channel. It hides covert symbols in phase changes of selected OFDM subcarriers. Those manipulations can be extracted from CSI measurements at a receiver. To ease the analysis of firmware binaries, we created a debugging application that supports single stepping and runs as a firmware patch on the Wi-Fi chip.
    We published the source code of our framework and our applications to ensure reproducibility of our results and to enable other researchers to extend our work. Our framework and the applications emphasize the need for freely modifiable firmware and detailed hardware documentation to create novel and exciting applications on commercial off-the-shelf devices.

    Protection of mobile and wireless networks against service availability attacks

    Cellular and wireless communications are widely used as the preferred technology for accessing network services due to their flexibility and cost-effective deployment. 4G (4th Generation) networks have been gradually substituting legacy systems, relying on the existing commercial and private Wireless Local Area Network (WLAN) infrastructures, mainly based on the IEEE 802.11 standard, to provide mobile data offloading and reduce congestion on the valuable limited spectrum. Such a predominant position on the market makes cellular and wireless communications a profitable target for malicious users and hackers, justifying the constant effort on protecting them from existing and future security threats. [Continues.