RAPID: Retrofitting IEEE 802.11ay Access Points for Indoor Human Detection and Sensing

In this work we present RAPID, a joint communication and radar (JCR) system based on next-generation IEEE 802.11ay WiFi networks operating in the 60 GHz band. In contrast to most existing approaches for human sensing at millimeter-waves, which employ special-purpose radars to retrieve the small-scale Doppler effect (micro-Doppler) caused by human motion, RAPID achieves radar-level sensing accuracy by retrofitting IEEE 802.11ay access points. For this, it leverages the IEEE 802.11ay beam training mechanism to accurately localize and track multiple individuals, while the in-packet beam tracking fields are exploited to extract the desired micro-Doppler signatures from the time-varying phase of the channel impulse response (CIR). The proposed approach enables activity recognition and person identification with IEEE 802.11ay wireless networks without requiring modifications to the packet structure specified by the standard. RAPID is implemented on an IEEE 802.11ay-compatible FPGA platform with phased antenna arrays, which estimates the CIR from the reflections of transmitted packets. The proposed system is evaluated on a large dataset of CIR measurements, proving robustness across different environments and subjects, and outperforming state-of-the-art sub-6 GHz WiFi sensing techniques. Using two access points, RAPID reliably tracks multiple subjects, reaching activity recognition and person identification accuracies of 94% and 90%, respectively.Comment: 16 pages, 18 figures, 4 table

DeepCSI: Rethinking Wi-Fi Radio Fingerprinting Through MU-MIMO CSI Feedback Deep Learning

We present DeepCSI, a novel approach to Wi-Fi radio fingerprinting (RFP) which leverages standard-compliant beamforming feedback matrices to authenticate MU-MIMO Wi-Fi devices on the move. By capturing unique imperfections in off-the-shelf radio circuitry, RFP techniques can identify wireless devices directly at the physical layer, allowing low-latency low-energy cryptography-free authentication. However, existing Wi-Fi RFP techniques are based on software-defined radio (SDRs), which may ultimately prevent their widespread adoption. Moreover, it is unclear whether existing strategies can work in the presence of MU-MIMO transmitters - a key technology in modern Wi-Fi standards. Conversely from prior work, DeepCSI does not require SDR technologies and can be run on any low-cost Wi-Fi device to authenticate MU-MIMO transmitters. Our key intuition is that imperfections in the transmitter's radio circuitry percolate onto the beamforming feedback matrix, and thus RFP can be performed without explicit channel state information (CSI) computation. DeepCSI is robust to inter-stream and inter-user interference being the beamforming feedback not affected by those phenomena. We extensively evaluate the performance of DeepCSI through a massive data collection campaign performed in the wild with off-the-shelf equipment, where 10 MU-MIMO Wi-Fi radios emit signals in different positions. Experimental results indicate that DeepCSI correctly identifies the transmitter with an accuracy of up to 98%. The identification accuracy remains above 82% when the device moves within the environment. To allow replicability and provide a performance benchmark, we pledge to share the 800 GB datasets - collected in static and, for the first time, dynamic conditions - and the code database with the community.Comment: To be presented at the 42nd IEEE International Conference on Distributed Computing Systems (ICDCS), Bologna, Italy, July 10-13, 202

Sub-Nanosecond Time of Flight on Commercial Wi-Fi Cards

Time-of-flight, i.e., the time incurred by a signal to travel from transmitter to receiver, is perhaps the most intuitive way to measure distances using wireless signals. It is used in major positioning systems such as GPS, RADAR, and SONAR. However, attempts at using time-of-flight for indoor localization have failed to deliver acceptable accuracy due to fundamental limitations in measuring time on Wi-Fi and other RF consumer technologies. While the research community has developed alternatives for RF-based indoor localization that do not require time-of-flight, those approaches have their own limitations that hamper their use in practice. In particular, many existing approaches need receivers with large antenna arrays while commercial Wi-Fi nodes have two or three antennas. Other systems require fingerprinting the environment to create signal maps. More fundamentally, none of these methods support indoor positioning between a pair of Wi-Fi devices without~third~party~support. In this paper, we present a set of algorithms that measure the time-of-flight to sub-nanosecond accuracy on commercial Wi-Fi cards. We implement these algorithms and demonstrate a system that achieves accurate device-to-device localization, i.e. enables a pair of Wi-Fi devices to locate each other without any support from the infrastructure, not even the location of the access points.Comment: 14 page

Surface MIMO: Using Conductive Surfaces For MIMO Between Small Devices

As connected devices continue to decrease in size, we explore the idea of leveraging everyday surfaces such as tabletops and walls to augment the wireless capabilities of devices. Specifically, we introduce Surface MIMO, a technique that enables MIMO communication between small devices via surfaces coated with conductive paint or covered with conductive cloth. These surfaces act as an additional spatial path that enables MIMO capabilities without increasing the physical size of the devices themselves. We provide an extensive characterization of these surfaces that reveal their effect on the propagation of EM waves. Our evaluation shows that we can enable additional spatial streams using the conductive surface and achieve average throughput gains of 2.6-3x for small devices. Finally, we also leverage the wideband characteristics of these conductive surfaces to demonstrate the first Gbps surface communication system that can directly transfer bits through the surface at up to 1.3 Gbps.Comment: MobiCom '1

Securearray: Improving WiFi security with fine-grained physical-layer information

Despite the important role that WiFi networks play in home and enterprise networks they are relatively weak from a security standpoint. With easily available directional antennas, attackers can be physically located off-site, yet compromise WiFi security protocols such as WEP, WPA, and even to some extent WPA2 through a range of exploits specific to those protocols, or simply by running dictionary and human-factors attacks on users' poorly-chosen passwords. This presents a security risk to the entire home or enterprise network. To mitigate this ongoing problem, we propose SecureArray, a system designed to operate alongside existing wireless security protocols, adding defense in depth against active attacks. SecureArray's novel signal processing techniques leverage multi-antenna access point (AP) to profile the directions at which a client's signals arrive, using this angle-of-arrival (AoA) information to construct highly sensitive signatures that with very high probability uniquely identify each client. Upon overhearing a suspicious transmission, the client and AP initiate an AoA signature-based challenge-response protocol to confirm and mitigate the threat. We also discuss how SecureArray can mitigate direct denial-of-service attacks on the latest 802.11 wireless security protocol. We have implemented SecureArray with an eight-antenna WARP hardware radio acting as the AP. Our experimental results show that in a busy office environment, SecureArray is orders of magnitude more accurate than current techniques, mitigating 100% of WiFi spoofing attack attempts while at the same time triggering false alarms on just 0.6% of legitimate traffic. Detection rate remains high when the attacker is located only five centimeters away from the legitimate client, for AP with fewer numbers of antennas and when client is mobile

Stay Connected, Leave no Trace: Enhancing Security and Privacy in WiFi via Obfuscating Radiometric Fingerprints

The intrinsic hardware imperfection of WiFi chipsets manifests itself in the transmitted signal, leading to a unique radiometric fingerprint. This fingerprint can be used as an additional means of authentication to enhance security. In fact, recent works propose practical fingerprinting solutions that can be readily implemented in commercial-off-the-shelf devices. In this paper, we prove analytically and experimentally that these solutions are highly vulnerable to impersonation attacks. We also demonstrate that such a unique device-based signature can be abused to violate privacy by tracking the user device, and, as of today, users do not have any means to prevent such privacy attacks other than turning off the device. We propose RF-Veil, a radiometric fingerprinting solution that not only is robust against impersonation attacks but also protects user privacy by obfuscating the radiometric fingerprint of the transmitter for non-legitimate receivers. Specifically, we introduce a randomized pattern of phase errors to the transmitted signal such that only the intended receiver can extract the original fingerprint of the transmitter. In a series of experiments and analyses, we expose the vulnerability of adopting naive randomization to statistical attacks and introduce countermeasures. Finally, we show the efficacy of RF-Veil experimentally in protecting user privacy and enhancing security. More importantly, our proposed solution allows communicating with other devices, which do not employ RF-Veil.Comment: ACM Sigmetrics 2021 / In Proc. ACM Meas. Anal. Comput. Syst., Vol. 4, 3, Article 44 (December 2020

Feedback Mechanisms for Centralized and Distributed Mobile Systems

The wireless communication market is expected to witness considerable growth in the immediate future due to increasing smart device usage to access real-time data. Mobile devices become the predominant method of Internet access via cellular networks (4G/5G) and the onset of virtual reality (VR), ushering in the wide deployment of multiple bands, ranging from TVWhite Spaces to cellular/WiFi bands and on to mmWave. Multi-antenna techniques have been considered to be promising approaches in telecommunication to optimize the utilization of radio spectrum and minimize the cost of system construction. The performance of multiple antenna technology depends on the utilization of radio propagation properties and feedback of such information in a timely manner. However, when a signal is transmitted, it is usually dispersed over time coming over different paths of different lengths due to reflections from obstacles or affected by Doppler shift in mobile environments. This motivates the design of novel feedback mechanisms that improve the performance of multi-antenna systems. Accurate channel state information (CSI) is essential to increasing throughput in multiinput, multi-output (MIMO) systems with digital beamforming. Channel-state information for the operation of MIMO schemes (such as transmit diversity or spatial multiplexing) can be acquired by feedback of CSI reports in the downlink direction, or inferred from uplink measurements assuming perfect channel reciprocity (CR). However, most works make the assumption that channels are perfectly reciprocal. This assumption is often incorrect in practice due to poor channel estimation and imperfect channel feedback. Instead, experiments have demonstrated that channel reciprocity can be easily broken by multiple factors. Specifically, channel reciprocity error (CRE) introduced by transmitter-receiver imbalance have been widely studied by both simulations and experiments, and the impact of mobility and estimation error have been fully investigated in this thesis. In particular, unmanned aerial vehicles (UAVs) have asymmetric behavior when communicating with one another and to the ground, due to differences in altitude that frequently occur. Feedback mechanisms are also affected by channel differences caused by the user’s body. While there has been work to specifically quantify the losses in signal reception, there has been little work on how these channel differences affect feedback mechanisms. In this dissertation, we perform system-level simulations, implement design with a software defined radio platform, conduct in-field experiments for various wireless communication systems to analyze different channel feedback mechanisms. To explore the feedback mechanism, we then explore two specific real world scenarios, including UAV-based beamforming communications, and user-induced feedback systems

Towards Integrated Sensing and Communications in IEEE 802.11bf Wi-Fi Networks

As Wi-Fi becomes ubiquitous in public and private spaces, it becomes natural to leverage its intrinsic ability to sense the surrounding environment to implement groundbreaking wireless sensing applications such as human presence detection, activity recognition, and object tracking. For this reason, the IEEE 802.11bf Task Group is defining the appropriate modifications to existing Wi-Fi standards to enhance sensing capabilities through 802.11-compliant devices. However, the new standard is expected to leave the specific sensing algorithms open to implementation. To fill this gap, this article explores the practical implications of integrating sensing and communications into Wi-Fi networks. We provide an overview of the support that will enable sensing applications, together with an in-depth analysis of the role of different devices in a Wi-Fi sensing system and a description of the open research challenges. Moreover, an experimental evaluation with off-the-shelf devices provides suggestions about the parameters to be considered when designing Wi-Fi sensing systems. To make such an evaluation replicable, we pledge to release all of our dataset and code to the community