97 research outputs found

    A Game of One/Two Strategic Friendly Jammers Versus a Malicious Strategic Node

    We present a game-theoretic analysis of the interaction between a malicious node, attempting to perform unauthorized radio transmission, and friendly jammers trying to disrupt the malicious communications. We investigate the strategic behavior of the jammers against a rational malicious node and highlight counterintuitive results for this conflict. We also analyze the impact of multiple friendly jammers sharing the same goal but acting without coordination; we find that this scenario offers a better payoff for the jammers, which has some strong implications on how to implement friendly jamming.

    μNap: Practical Micro-Sleeps for 802.11 WLANs

    In this paper, we revisit the idea of putting interfaces to sleep during 'packet overhearing' (i.e., when there are ongoing transmissions addressed to other stations) from a practical standpoint. To this aim, we perform a robust experimental characterisation of the timing and consumption behaviour of a commercial 802.11 card. We design μNap, a local standard-compliant energy-saving mechanism that leverages micro-sleep opportunities inherent to the CSMA operation of 802.11 WLANs. This mechanism is backwards compatible and incrementally deployable, and takes into account the timing limitations of existing hardware, as well as practical CSMA-related issues (e.g., capture effect). According to the performance assessment carried out through trace-based simulation, the use of our scheme would result in a 57% reduction in the time spent in overhearing, thus leading to an energy saving of 15.8% of the activity time. Comment: 15 pages, 12 figures.

    Maximising the Utility of Enterprise Millimetre-Wave Networks

    Millimetre-wave (mmWave) technology is a promising candidate for meeting the intensifying demand for ultra-fast wireless connectivity, especially in high-end enterprise networks. Very narrow beamforming is mandatory to mitigate the severe attenuation specific to the extremely high frequency (EHF) bands exploited. Simultaneously, this greatly reduces interference, but generates problematic communication blockages. As a consequence, client association control and scheduling in scenarios with densely deployed mmWave access points become particularly challenging, while policies designed for traditional wireless networks remain inappropriate. In this paper we formulate and solve these tasks as utility maximisation problems under different traffic regimes, for the first time in the mmWave context. We specify a set of low-complexity algorithms that capture distinctive terminal deafness and user demand constraints, while providing near-optimal client associations and airtime allocations, despite the problems' inherent NP-completeness. To evaluate our solutions, we develop an NS-3 implementation of the IEEE 802.11ad protocol, which we construct upon preliminary 60GHz channel measurements. Simulation results demonstrate that our schemes provide up to 60% higher throughput as compared to the commonly used signal strength based association policy for mmWave networks, and outperform recently proposed load-balancing oriented solutions, as we accommodate the demand of 33% more clients in both static and mobile scenarios. Comment: 22 pages, 12 figures, accepted for publication in Computer Communications.

    Dead on Arrival: An Empirical Study of The Bluetooth 5.1 Positioning System

    The recently released Bluetooth 5.1 specification introduces fine-grained positioning capabilities in this wireless technology, which is deemed essential to context-/location-based Internet of Things (IoT) applications. In this paper, we evaluate experimentally, for the first time, the accuracy of a positioning system based on the Angle of Arrival (AoA) mechanism adopted by the Bluetooth standard. We first scrutinize the fidelity of angular detection and then assess the feasibility of using angle information from multiple fixed receivers to determine the position of a device. Our results reveal that angular detection is limited to a restricted range. On the other hand, even in a simple deployment with only two antennas per receiver, the AoA-based positioning technique can achieve sub-meter accuracy; yet attaining localization within a few centimeters remains a difficult endeavor. We then demonstrate that a malicious device may be able to easily alter the truthfulness of the measured AoA, by tampering with the packet structure. To counter this protocol weakness, we propose simple remedies that are missing in the standard, but which can be adopted with little effort by manufacturers, to secure the Bluetooth 5.1 positioning system. Comment: 8 pages, 11 figures.

    One GPU to Snoop Them All: a Full-Band Bluetooth Low Energy Sniffer


    Implementation and Experimental Evaluation of a Collision-Free MAC Protocol for WLANs

    Collisions are a main cause of throughput degradation in Wireless LANs. The current contention mechanism for these networks is based on a random backoff strategy to avoid collisions with other transmitters. Even though it can reduce the probability of collisions, the random backoff prevents users from achieving Collision-Free schedules, where the channel would be used more efficiently. By modifying the contention mechanism to wait for a deterministic timer after successful transmissions, users would be able to construct a Collision-Free schedule among successful contenders. This work shows the experimental results of a Collision-Free MAC (CF-MAC) protocol for WLANs using commercial hardware and open firmware for wireless network cards, which is able to support many users. Testbed results show that the proposed CF-MAC protocol leads to a better distribution of the available bandwidth among users, higher throughput and lower losses than the unmodified WLAN clients using a legacy firmware. Comment: This paper was submitted to the IEEE International Conference on Communications 2015 and it is waiting for approval.

    Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets

    Wireless communication standards and implementations have a troubled history regarding security. Since most implementations and firmwares are closed-source, fuzzing remains one of the main methods to uncover Remote Code Execution (RCE) vulnerabilities in deployed systems. Generic over-the-air fuzzing suffers from several shortcomings, such as constrained speed, limited repeatability, and restricted ability to debug. In this paper, we present Frankenstein, a fuzzing framework based on advanced firmware emulation, which addresses these shortcomings. Frankenstein brings firmware dumps "back to life", and provides fuzzed input to the chip's virtual modem. The speed-up of our new fuzzing method is sufficient to maintain interoperability with the attached operating system, hence triggering realistic full-stack behavior. We demonstrate the potential of Frankenstein by finding three zero-click vulnerabilities in the Broadcom and Cypress Bluetooth stack, which is used in most Apple devices, many Samsung smartphones, the Raspberry Pis, and many others. Given RCE on a Bluetooth chip, attackers may escalate their privileges beyond the chip's boundary. We uncover a Wi-Fi/Bluetooth coexistence issue that crashes multiple operating system kernels and a design flaw in the Bluetooth 5.2 specification that allows link key extraction from the host. Turning off Bluetooth will not fully disable the chip, making it hard to defend against RCE attacks. Moreover, when testing our chip-based vulnerabilities on those devices, we find BlueFrag, a chip-independent Android RCE. Comment: To be published at USENIX Security.

    Looking for Criminal Intents in JavaScript Obfuscated Code

    The majority of websites incorporate JavaScript for client-side execution in a supposedly protected environment. Unfortunately, JavaScript has also proven to be a critical attack vector for both independent and state-sponsored groups of hackers. On the one hand, defenders need to analyze scripts to ensure that no threat is delivered and to respond to potential security incidents. On the other, attackers aim to obfuscate the source code in order to disorient the defenders or even to make code analysis practically impossible. Since code obfuscation may also be adopted by companies for legitimate intellectual-property protection, a dilemma remains on whether a script is harmless or malignant, if not criminal. To help analysts deal with such a dilemma, a methodology is proposed, called JACOB, which is based on five steps, namely: (1) source code parsing, (2) control flow graph recovery, (3) region identification, (4) code structuring, and (5) partial evaluation. These steps implement a sort of decompilation for control-flow-flattened code, which is progressively transformed into something that is close to the original JavaScript source, thereby making eventual code analysis possible. Most relevantly, JACOB has been successfully applied to uncover unwanted user tracking and fingerprinting in e-commerce websites operated by a well-known Chinese company.