
    Achieving Covert Wireless Communications Using a Full-Duplex Receiver

    Covert communications hide the transmission of a message from a watchful adversary while ensuring a certain decoding performance at the receiver. In this work, a wireless communication system under fading channels is considered where covertness is achieved by using a full-duplex (FD) receiver. More precisely, the receiver of covert information generates artificial noise with a varying power, causing uncertainty at the adversary, Willie, regarding the statistics of the received signals. Given that Willie's optimal detector is a threshold test on the received power, we derive a closed-form expression for the optimal detection performance of Willie averaged over the fading channel realizations. Furthermore, we provide guidelines for the optimal choice of artificial noise power range and the optimal transmission probability of covert information to maximize the detection errors at Willie. Our analysis shows that the transmission of artificial noise, although it causes self-interference, provides the opportunity of achieving covertness, but its transmit power levels need to be managed carefully. We also demonstrate that the prior transmission probability of 0.5 is not always the best choice for achieving the maximum possible covertness when the covert transmission probability and artificial noise power can be jointly optimized.
    Comment: 13 pages, 11 figures, Accepted for publication in IEEE Transactions on Wireless Communication

    Selective Jamming of LoRaWAN using Commodity Hardware

    Long range, low power networks are rapidly gaining acceptance in the Internet of Things (IoT) due to their ability to economically support long-range sensing and control applications while providing multi-year battery life. LoRa is a key example of this new class of network and is being deployed at large scale in several countries worldwide. As these networks move out of the lab and into the real world, they expose a large cyber-physical attack surface. Securing these networks is therefore both critical and urgent. This paper highlights security issues in LoRa and LoRaWAN that arise due to the choice of a robust but slow modulation type in the protocol. We exploit these issues to develop a suite of practical attacks based around selective jamming. These attacks are conducted and evaluated using commodity hardware. The paper concludes by suggesting a range of countermeasures that can be used to mitigate the attacks.
    Comment: Mobiquitous 2017, November 7-10, 2017, Melbourne, VIC, Australia

    Achieving Covert Communication With A Probabilistic Jamming Strategy

    In this work, we consider a covert communication scenario, where a transmitter Alice communicates to a receiver Bob with the aid of a probabilistic and uninformed jammer against an adversary warden's detection. The transmission status and power of the jammer are random and follow some a priori probabilities. We first analyze the warden's detection performance as a function of the jammer's transmission probability, transmit power distribution, and Alice's transmit power. We then maximize the covert throughput from Alice to Bob subject to a covertness constraint, by designing the covert communication strategies from three different perspectives: Alice's perspective, the jammer's perspective, and the global perspective. Our analysis reveals that the minimum jamming power should not always be zero in the probabilistic jamming strategy, which is different from that in the continuous jamming strategy presented in the literature. In addition, we prove that the minimum jamming power should be the same as Alice's covert transmit power, depending on the covertness and average jamming power constraints. Furthermore, our results show that the probabilistic jamming can outperform the continuous jamming in terms of achieving a higher covert throughput under the same covertness and average jamming power constraints.

    POWER-SUPPLaY: Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers

    It is known that attackers can exfiltrate data from air-gapped computers through their speakers via sonic and ultrasonic waves. To eliminate the threat of such acoustic covert channels in sensitive systems, audio hardware can be disabled and the use of loudspeakers can be strictly forbidden. Such audio-less systems are considered to be audio-gapped, and hence immune to acoustic covert channels. In this paper, we introduce a technique that enables attackers to leak data acoustically from air-gapped and audio-gapped systems. Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities. The malicious code manipulates the internal switching frequency of the power supply and hence controls the sound waveforms generated from its capacitors and transformers. Our technique enables producing audio tones in a frequency band of 0-24 kHz and playing audio streams (e.g., WAV) from a computer power supply without the need for audio hardware or speakers. Binary data (files, keylogging, encryption keys, etc.) can be modulated over the acoustic signals and sent to a nearby receiver (e.g., smartphone). We show that our technique works with various types of systems: PC workstations and servers, as well as embedded systems and IoT devices that have no audio hardware at all. We provide technical background and discuss implementation details such as signal generation and data modulation. We show that the POWER-SUPPLaY code can operate from an ordinary user-mode process and doesn't need any hardware access or special privileges. Our evaluation shows that using POWER-SUPPLaY, sensitive data can be exfiltrated from air-gapped and audio-gapped systems from a distance of five meters away at a maximal bit rate of 50 bit/sec.