Wi-attack: Cross-technology Impersonation Attack against iBeacon Services

iBeacon protocol is widely deployed to provide location-based services. By receiving its BLE advertisements, nearby devices can estimate the proximity to the iBeacon or calculate indoor positions. However, the open nature of these advertisements brings vulnerability to impersonation attacks. Such attacks could lead to spam, unreliable positioning, and even security breaches. In this paper, we propose Wi-attack, revealing the feasibility of using WiFi devices to conduct impersonation attacks on iBeacon services. Different from impersonation attacks using BLE compatible hardware, Wi-attack is not restricted by broadcasting intervals and is able to impersonate multiple iBeacons at the same time. Effective attacks can be launched on iBeacon services without modifications to WiFi hardware or firmware. To enable direct communication from WiFi to BLE, we use the digital emulation technique of cross technology communication. To enhance the packet reception along with its stability, we add redundant packets to eliminate cyclic prefix error entirely. The emulation provides an iBeacon packet reception rate up to 66.2%. We conduct attacks on three iBeacon services scenarios, point deployment, multilateration, and fingerprint-based localization. The evaluation results show that Wi-attack can bring an average distance error of more than 20 meters on fingerprint-based localization using only 3 APs.Comment: 9 pages; 26 figures; 2021 18th Annual IEEE International Conference on Sensing, Communication, and Networking (SECON), 202

Physical Layer Challenges and Solutions in Seamless Positioning via GNSS, Cellular and WLAN Systems

As different positioning applications have started to be a common part of our lives, positioning methods have to cope with increasing demands. Global Navigation Satellite System (GNSS) can offer accurate location estimate outdoors, but achieving seamless large-scale indoor localization remains still a challenging topic. The requirements for simple and cost-effective indoor positioning system have led to the utilization of wireless systems already available, such as cellular networks and Wireless Local Area Network (WLAN). One common approach with the advantage of a large-scale standard-independent implementation is based on the Received Signal Strength (RSS) measurements.This thesis addresses both GNSS and non-GNSS positioning algorithms and aims to offer a compact overview of the wireless localization issues, concentrating on some of the major challenges and solutions in GNSS and RSS-based positioning. The GNSS-related challenges addressed here refer to the channel modelling part for indoor GNSS and to the acquisition part in High Sensitivity (HS)-GNSS. The RSSrelated challenges addressed here refer to the data collection and calibration, channel effects such as path loss and shadowing, and three-dimensional indoor positioning estimation.This thesis presents a measurement-based analysis of indoor channel models for GNSS signals and of path loss and shadowing models for WLAN and cellular signals. Novel low-complexity acquisition algorithms are developed for HS-GNSS. In addition, a solution to transmitter topology evaluation and database reduction solutions for large-scale mobile-centric RSS-based positioning are proposed. This thesis also studies the effect of RSS offsets in the calibration phase and various floor estimators, and offers an extensive comparison of different RSS-based positioning algorithms