Violating privacy through walls by passive monitoring of radio windows

pre-printWe investigate the ability of an attacker to passively use an otherwise secure wireless network to detect moving people through walls. We call this attack on privacy of people a "monitoring radio windows" (MRW) attack. We design and implement the MRW attack methodology to reliably detect when a person crosses the link lines between the legitimate transmitters and the attack receivers, by using physical layer measurements. We also develop a method to estimate the direction of movement of a person from the sequence of link lines crossed during a short time interval. Additionally, we describe how an attacker may estimate any artificial changes in transmit power (used as a countermeasure), compensate for these power changes using measurements from sufficient number of links, and still detect line crossings. We implement our methodology on WiFi and ZigBee nodes and experimentally evaluate the MRW attack by passively monitoring human movements through external walls in two real-world settings. We find that achieve close to 100% accuracy in detecting line crossings and determining direction of motion, even through reinforced concrete walls

Convergent Communication, Sensing and Localization in 6G Systems: An Overview of Technologies, Opportunities and Challenges

Herein, we focus on convergent 6G communication, localization and sensing systems by identifying key technology enablers, discussing their underlying challenges, implementation issues, and recommending potential solutions. Moreover, we discuss exciting new opportunities for integrated localization and sensing applications, which will disrupt traditional design principles and revolutionize the way we live, interact with our environment, and do business. Regarding potential enabling technologies, 6G will continue to develop towards even higher frequency ranges, wider bandwidths, and massive antenna arrays. In turn, this will enable sensing solutions with very fine range, Doppler, and angular resolutions, as well as localization to cm-level degree of accuracy. Besides, new materials, device types, and reconfigurable surfaces will allow network operators to reshape and control the electromagnetic response of the environment. At the same time, machine learning and artificial intelligence will leverage the unprecedented availability of data and computing resources to tackle the biggest and hardest problems in wireless communication systems. As a result, 6G will be truly intelligent wireless systems that will provide not only ubiquitous communication but also empower high accuracy localization and high-resolution sensing services. They will become the catalyst for this revolution by bringing about a unique new set of features and service capabilities, where localization and sensing will coexist with communication, continuously sharing the available resources in time, frequency, and space. This work concludes by highlighting foundational research challenges, as well as implications and opportunities related to privacy, security, and trust

Doctor of Philosophy

dissertationThe wireless radio channel is typically thought of as a means to move information from transmitter to receiver, but the radio channel can also be used to detect changes in the environment of the radio link. This dissertation is focused on the measurements we can make at the physical layer of wireless networks, and how we can use those measurements to obtain information about the locations of transceivers and people. The first contribution of this work is the development and testing of an open source, 802.11b sounder and receiver, which is capable of decoding packets and using them to estimate the channel impulse response (CIR) of a radio link at a fraction of the cost of traditional channel sounders. This receiver improves on previous implementations by performing optimized matched filtering on the field-programmable gate array (FPGA) of the Universal Software Radio Peripheral (USRP), allowing it to operate at full bandwidth. The second contribution of this work is an extensive experimental evaluation of a technology called location distinction, i.e., the ability to identify changes in radio transceiver position, via CIR measurements. Previous location distinction work has focused on single-input single-output (SISO) radio links. We extend this work to the context of multiple-input multiple-output (MIMO) radio links, and study system design trade-offs which affect the performance of MIMO location distinction. The third contribution of this work introduces the "exploiting radio windows" (ERW) attack, in which an attacker outside of a building surreptitiously uses the transmissions of an otherwise secure wireless network inside of the building to infer location information about people inside the building. This is possible because of the relative transparency of external walls to radio transmissions. The final contribution of this dissertation is a feasibility study for building a rapidly deployable radio tomographic (RTI) imaging system for special operations forces (SOF). We show that it is possible to obtain valuable tracking information using as few as 10 radios over a single floor of a typical suburban home, even without precise radio location measurements

Convergent communication, sensing and localization in 6g systems: An overview of technologies, opportunities and challenges

Herein, we focus on convergent 6G communication, localization and sensing systems by identifying key technology enablers, discussing their underlying challenges, implementation issues, and recommending potential solutions. Moreover, we discuss exciting new opportunities for integrated localization and sensing applications, which will disrupt traditional design principles and revolutionize the way we live, interact with our environment, and do business. Regarding potential enabling technologies, 6G will continue to develop towards even higher frequency ranges, wider bandwidths, and massive antenna arrays. In turn, this will enable sensing solutions with very fine range, Doppler, and angular resolutions, as well as localization to cm-level degree of accuracy. Besides, new materials, device types, and reconfigurable surfaces will allow network operators to reshape and control the electromagnetic response of the environment. At the same time, machine learning and artificial intelligence will leverage the unprecedented availability of data and computing resources to tackle the biggest and hardest problems in wireless communication systems. As a result, 6G will be truly intelligent wireless systems that will provide not only ubiquitous communication but also empower high accuracy localization and high-resolution sensing services. They will become the catalyst for this revolution by bringing about a unique new set of features and service capabilities, where localization and sensing will coexist with communication, continuously sharing the available resources in time, frequency, and space. This work concludes by highlighting foundational research challenges, as well as implications and opportunities related to privacy, security, and trust

A Review of Indoor Millimeter Wave Device-based Localization and Device-free Sensing Technologies and Applications

The commercial availability of low-cost millimeter wave (mmWave) communication and radar devices is starting to improve the penetration of such technologies in consumer markets, paving the way for large-scale and dense deployments in fifth-generation (5G)-and-beyond as well as 6G networks. At the same time, pervasive mmWave access will enable device localization and device-free sensing with unprecedented accuracy, especially with respect to sub-6 GHz commercial-grade devices. This paper surveys the state of the art in device-based localization and device-free sensing using mmWave communication and radar devices, with a focus on indoor deployments. We first overview key concepts about mmWave signal propagation and system design. Then, we provide a detailed account of approaches and algorithms for localization and sensing enabled by mmWaves. We consider several dimensions in our analysis, including the main objectives, techniques, and performance of each work, whether each research reached some degree of implementation, and which hardware platforms were used for this purpose. We conclude by discussing that better algorithms for consumer-grade devices, data fusion methods for dense deployments, as well as an educated application of machine learning methods are promising, relevant and timely research directions.Comment: 43 pages, 13 figures. Accepted in IEEE Communications Surveys & Tutorials (IEEE COMST

Single-Anchor Localization and Orientation Performance Limits Using Massive Arrays: MIMO vs. Beamforming

In the next generation of cellular networks, it is desirable to use single access points both for communication and localization. This could be made possible thanks to the combination of femtocells, mm-wave technology and massive antenna arrays, and would overcome the problem of having an over-sized infrastructure for positioning which is, nowadays, the bottleneck for the widespread diffusion of indoor localization systems. In this context, our paper aims at investigating the localization and orientation performance limits employing massive arrays both at the access point and mobile side. To this end, we first asymptotically demonstrate the tightness of the Cram\ue9r-Rao bound (CRB) in the massive array regime and that the effect of multipath can be made negligible even for practical values of SNR levels. Successively, we propose a comparison between two different transmitter configurations, namely multiple-input multiple-output (MIMO), where orthogonal waveforms are sent, and beamforming, which takes advantage of highly correlated waveforms and directive array patterns. We also consider random weighting as a trade-off between the diversity gain of MIMO and the high directivity guaranteed by the beamforming. CRB results show the interplay between diversity and beamforming gain as well as the benefits achievable by varying the number of antennas in terms of localization accuracy and multipath mitigation

A Survey on Fundamental Limits of Integrated Sensing and Communication

The integrated sensing and communication (ISAC), in which the sensing and communication share the same frequency band and hardware, has emerged as a key technology in future wireless systems due to two main reasons. First, many important application scenarios in fifth generation (5G) and beyond, such as autonomous vehicles, Wi-Fi sensing and extended reality, requires both high-performance sensing and wireless communications. Second, with millimeter wave and massive multiple-input multiple-output (MIMO) technologies widely employed in 5G and beyond, the future communication signals tend to have high-resolution in both time and angular domain, opening up the possibility for ISAC. As such, ISAC has attracted tremendous research interest and attentions in both academia and industry. Early works on ISAC have been focused on the design, analysis and optimization of practical ISAC technologies for various ISAC systems. While this line of works are necessary, it is equally important to study the fundamental limits of ISAC in order to understand the gap between the current state-of-the-art technologies and the performance limits, and provide useful insights and guidance for the development of better ISAC technologies that can approach the performance limits. In this paper, we aim to provide a comprehensive survey for the current research progress on the fundamental limits of ISAC. Particularly, we first propose a systematic classification method for both traditional radio sensing (such as radar sensing and wireless localization) and ISAC so that they can be naturally incorporated into a unified framework. Then we summarize the major performance metrics and bounds used in sensing, communications and ISAC, respectively. After that, we present the current research progresses on fundamental limits of each class of the traditional sensing and ISAC systems. Finally, the open problems and future research directions are discussed

Bistatic radar signature of buried landmines

With the proliferation of low-intensity conflict, landmines have proven to be one of the weapons of choice for both government and guerrilla forces around the world. Recent improvements to mine technology pose increasingly significant problems for demining operations, requiring the constant upgrading of countermine technologies. Ground Penetrating Radar (GPR) is one of the most exhaustively researched topics in the detection of buried mines as it can be used to detect non-metallic and plastic mines. However, identification and recognition are still unsolved problems, due to the scattering similarity between mines and clutter objects. This study provides an experimental evaluation of the improvements that a bistatic approach could yield and what can be gained from investigating the angular dependencies of the landmine radar signature

1-D broadside-radiating leaky-wave antenna based on a numerically synthesized impedance surface

A newly-developed deterministic numerical technique for the automated design of metasurface antennas is applied here for the first time to the design of a 1-D printed Leaky-Wave Antenna (LWA) for broadside radiation. The surface impedance synthesis process does not require any a priori knowledge on the impedance pattern, and starts from a mask constraint on the desired far-field and practical bounds on the unit cell impedance values. The designed reactance surface for broadside radiation exhibits a non conventional patterning; this highlights the merit of using an automated design process for a design well known to be challenging for analytical methods. The antenna is physically implemented with an array of metal strips with varying gap widths and simulation results show very good agreement with the predicted performance

Beam scanning by liquid-crystal biasing in a modified SIW structure

A fixed-frequency beam-scanning 1D antenna based on Liquid Crystals (LCs) is designed for application in 2D scanning with lateral alignment. The 2D array environment imposes full decoupling of adjacent 1D antennas, which often conflicts with the LC requirement of DC biasing: the proposed design accommodates both. The LC medium is placed inside a Substrate Integrated Waveguide (SIW) modified to work as a Groove Gap Waveguide, with radiating slots etched on the upper broad wall, that radiates as a Leaky-Wave Antenna (LWA). This allows effective application of the DC bias voltage needed for tuning the LCs. At the same time, the RF field remains laterally confined, enabling the possibility to lay several antennas in parallel and achieve 2D beam scanning. The design is validated by simulation employing the actual properties of a commercial LC medium