On fast and accurate detection of unauthorized wireless access points using clock skews

Journal ArticleWe explore the use of clock skew of a wireless local area network access point (AP) as its fingerprint to detect unauthorized APs quickly and accurately. The main goal behind using clock skews is to overcome one of the major limitations of existing solutions-the inability to effectively detect Medium Access Control (MAC) address spoofing. We calculate the clock skew of an AP from the IEEE 802.11 Time Synchronization Function (TSF) time stamps sent out in the beacon/probe response frames. We use two different methods for this purpose-one based on linear programming and the other based on least-square fit. We supplement these methods with a heuristic for differentiating original packets from those sent by the fake APs. We collect TSF time stamp data from several APs in three different residential settings. Using our measurement data as well as data obtained from a large conference setting, we find that clock skews remain consistent over time for the same AP but vary significantly across APs. Furthermore, we improve the resolution of received time stamp of the frames and show that with this enhancement, our methodology can find clock skews very quickly, using 50-100 packets in most of the cases. We also discuss and quantify the impact of various external factors including temperature variation, virtualization, clock source selection, and NTP synchronization on clock skews. Our results indicate that the use of clock skews appears to be an efficient and robust method for detecting fake APs in wireless local area networks

Detecting receiver attacks in VRTI-based device free localization

pre-printVariance-based Radio Tomographic Imaging (VRTI) is an emerging technology that locates moving objects in areas surrounded by simple and inexpensive wireless sensor nodes. VRTI uses human motion induced variation in RSS and spatial correlation between link variations to locate and track people. An artificially induced power variations in the deployed network by an adversary can introduce unprecedented errors in localization process of VRTI and, given the critical applications of VRTI, can potentially lead to serious consequences including loss of human lives. In this paper, we tackle the problem of detecting malicious receivers that report false RSS values to induce artificial power variations in a VRTI system. We use the term "Receiver Attack" to refer to such malicious power changes. We use a combination of statistical hypothesis testing and heuristics to develop real-time methods to detect receiver attack in a VRTI system. Our results show that we can detect receiver attacks of reasonable intensity and identify the source(s) of malicious activity with very high accuracy

Enhancing covert communications with multiple colluding receivers

posterTraditional (single receiver) system setup: ? Choose exploit field (e.g. last byte of TCP Timestamp) ? Alice: probabilistically inject parts of coded message into field ? Bob: extract symbols from field, decode to correct errors ?Warden: assume full knowledge of system and keys Can we create undetectable system? Previous detection work: ? Signatures - published exploits thwart easily ? Anomaly - qualitative arguments until statistical methods in [1] ? Brute-Force - never mentioned in literature, significant oversight Thwarting Brute-Force Detection: ? Propose multiple colluding receiver design ? Verify possibility of brute-force in single receiver system ? Show our design's resilience to threat Thwarting Anomaly Detection: ? Propose better quantification technique ? Provide fast approximatio

High-rate uncorrelated bit extraction for shared secret key generation from channel measurements

Journal ArticleSecret keys can be generated and shared between two wireless nodes by measuring and encoding radio channel characteristics without ever revealing the secret key to an eavesdropper at a third location. This paper addresses bit extraction, i.e., the extraction of secret key bits from noisy radio channel measurements at two nodes such that the two secret keys reliably agree. Problems include 1) nonsimultaneous directional measurements, 2) correlated bit streams, and 3) low bit rate of secret key generation. This paper introduces high-rate uncorrelated bit extraction (HRUBE), a framework for interpolating, transforming for decorrelation, and encoding channel measurements using a multibit adaptive quantization scheme which allows multiple bits per component. We present an analysis of the probability of bit disagreement in generated secret keys, and we use experimental data to demonstrate the HRUBE scheme and to quantify its experimental performance. As two examples, the implemented HRUBE system can achieve 22 bits per second at a bit disagreement rate of 2.2 percent, or 10 bits per second at a bit disagreement rate of 0.54 percent

Violating privacy through walls by passive monitoring of radio windows

pre-printWe investigate the ability of an attacker to passively use an otherwise secure wireless network to detect moving people through walls. We call this attack on privacy of people a "monitoring radio windows" (MRW) attack. We design and implement the MRW attack methodology to reliably detect when a person crosses the link lines between the legitimate transmitters and the attack receivers, by using physical layer measurements. We also develop a method to estimate the direction of movement of a person from the sequence of link lines crossed during a short time interval. Additionally, we describe how an attacker may estimate any artificial changes in transmit power (used as a countermeasure), compensate for these power changes using measurements from sufficient number of links, and still detect line crossings. We implement our methodology on WiFi and ZigBee nodes and experimentally evaluate the MRW attack by passively monitoring human movements through external walls in two real-world settings. We find that achieve close to 100% accuracy in detecting line crossings and determining direction of motion, even through reinforced concrete walls

Energy efficient radio tomographic imaging

pre-printIn this paper, our goal is to develop approaches to reduce the energy consumption in Radio Tomographic Imaging (RTI)-based methods for device free localization without giving up localization accuracy. Our key idea is to only measure those links that are near the current location of the moving object being tracked. We propose two approaches to find the most effective links near the tracked object. In our first approach, we only consider links that are in an ellipse around the current velocity vector of the moving object. In our second approach, we only consider links that cross through a circle with radius r from the current position of the moving object. Thus, rather than creating an attenuation image of the whole area in RTI, we only create the attenuation image for effective links in a small area close to the current location of the moving object. We also develop an adaptive algorithm for determining r. We evaluate the proposed approaches in terms of energy consumption and localization error in three different test areas. Our experimental results show that using our approach, we are able to save 50% to 80% of energy. Interestingly, we find that our radius-based approach actually increases the accuracy of localization

Monitoring breathing via signal strength in wireless networks

pre-printThis paper shows experimentally that standard wireless networks which measure received signal strength (RSS) can be used to reliably detect human breathing and estimate the breathing rate, an application we call "BreathTaking". We present analysis showing that, as a first order approximation, breathing induces sinusoidal variation in the measured RSS on a link, with amplitude a function of the relative amplitude and phase of the breathing-affected multipath. We show that although an individual link may not reliably detect breathing, the collective spectral content of a network of devices reliably indicates the presence and rate of breathing. We present a maximum likelihood estimator (MLE) of breathing rate, amplitude, and phase, which uses the RSS data from many links simultaneously. We show experimental results which demonstrate that reliable detection and frequency estimation is possible with 30 seconds of data, within 0.07 to 0.42 breaths per minute (bpm) RMS error in several experiments. The experiments also indicate that the use of directional antennas may improve the systems robustness to external motion

Secret key extraction using Bluetooth wireless signal strength measurements

pre-printBluetooth has found widespread adoption in phones, wireless headsets, stethoscopes, glucose monitors, and oximeters for communication of, at times, very critical information. However, the link keys and encryption keys in Bluetooth are ultimately generated from a short 4 digit PIN, which can be cracked off-line. We develop an alternative for secure communication between Bluetooth devices using the symmetric wireless channel characteristics. Existing approaches to secret key extraction primarily use measurements from a fixed, single channel (e.g., a 20 MHzWiFi channel); however in the presence of heavy WiFi traffic, the packet exchange rate in such approaches can reduce as much as 200. We build and evaluate a new method, which is robust to heavy WiFi traffic, using a very wide bandwidth (B 20 MHz) in conjunction with random frequency hopping. We implement our secret key extraction on two Google Nexus One smartphones and conduct numerous experiments in indoor-hallway and outdoor settings. Using extensive real-world measurements, we show that outdoor settings are best suited for secret key extraction using Bluetooth. We also show that even in the absence of heavy WiFi traffic, the performance of secret key generation using Bluetooth is comparable to that of WiFi while using much lower transmit power

Mobility Assisted Secret Key Generation

posterSignature Based Key Generation. Wireless link signature; multiple paths caused by radio waves; their measurements are good signatures of links; link signatures measured almost symmetrically at two ends of wireless link, but cannot be measured from another location; use for secret key establishment; wireless devices sample link signature space in physical area; collect measurements at different unpredictable locations; combine them to produce strong keys

Exploiting altruism in social networks for friend-to-friend malware detection

pre-printWe propose a novel malware detection application- SocialScan-which enables friend-to-friend (f2f) malware scanning services among social peers, with scanning resource sharing governed by levels of social altruism. We show that with f2f sharing of resources, SocialScan achieves a 65% increase in the detection rate of 0- to 1-day-old malware among social peers as compared to the the detection rates of individual scanners. We also show that SocialScan provides greatly enhanced malware protection to social hubs