Wenyuan Xu,Timothy Wood,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1145/1023646.1023661

2004-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to launch denial of service (DoS) attacks. One form of denial of service is targeted at preventing sources from communicating. These attacks can be easily accomplished by an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at jamming a particular channel. In this paper we present two strategies that may be employed by wireless devices to evade a MAC/PHY-layer jamming-style wireless denial of service attack. The first strategy, channel surfing, is a form of spectral evasion that involves legitimate wireless devices changing the channel that they are operating on. The second strategy, spatial retreats, is a form of spatial evasion whereby legitimate mobile devices move away from the locality of the DoS emitter. We study both of these strategies for three broad wireless communication scenarios: two-party radio communication, an infrastructured wireless network, and an ad hoc wireless network. We evaluate several of our proposed strategies and protocols through ns-2 simulations and experiments on the Berkeley mote platform.

Wade Trappe,Wenyuan Xu

DOI: https://doi.org/10.7282/t3rj4jw7

2007-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to conduct radio interference, or jamming attacks, which effectively cause a denial of service (DoS) of either transmission or reception functionalities. These attacks can be easily accomplished by an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at jamming a particular channel. In this thesis, we examine the issue of jamming wireless networks, and sensor networks in particular, by studying both the attack and defense side of the problem. On the attack side, we present four different jamming attack models that can be used by an adversary to disable the operation of a wireless network, and evaluate their effectiveness in terms of how each method affects the ability of a wireless node to send and receive packets. In order to cope with the problem of jamming, we discuss a two-phase strategy involving the diagnosis of the attack, followed by a suitable defense strategy. For detection, we show that single measurement statistics are not enough to reliably classify the presence of a jamming attack, and propose multimodal detection methods. To cope with jamming, we propose a technique, channel surfing, which involves evading the interferer in the spectral domain. Several different channel surfing models are presented, and we evaluate their effectiveness using a testbed of MICA2 motes. Beyond channel surfing, we overview a second defense strategy whereby it is possible to establish a low data rate jamming resistant communication channel by modulating the interarrival times between jammed packets.

Ruiwen He,Yushi Cheng,Zhicong Zheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/jiot.2024.3406962

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Due to the open nature of voice and voice interface, an adversary can spoof voice recognition systems by replaying pre-recorded voice commands from legitimate users, known as the voice replay attack. Existing detection methods against voice replay attacks mainly rely on extra hardware to determine the sound source or require excessive computing resources to train a classifier with abundant acoustic features. In this paper, we propose Anti-Replay, a fast and lightweight detection system for voice replay attacks. To overcome the challenge of redundant classification features and complex calculation, we first investigate the time-frequency spectrum difference between the genuine human voice and the replayed audio caused by the non-linear distortion of the attacker’s microphones and speakers. Then, we design 5 types with a total of 77 features in both the time and frequency domains and propose a convolutional neural network classifier SE-ResNet50 for attack detection. Evaluations against the datasets of ASVspoof2017, ASVspoof2019, and ASVspoof2021 demonstrate that Anti-Replay can achieve an average equal error rate (EER) of 1.36% across three datasets. Meanwhile, Anti-Replay decreases the training time by 52.3% and 90.2% and decreases the model size by 83.5% and 99.9% compared with the baseline model CQCC-GMM and the state-of-the-art method Res2Net. We have also confirmed that our system is effective in detecting the adaptive replay attack.

Rony Komissarov,Sharon Vaisman,Avishai Wool

DOI: https://doi.org/10.1007/s13389-023-00321-5

2023-05-23

Journal of Cryptographic Engineering

Abstract:The safety and security of the passengers in vehicles in the face of cyber attacks is a key concern in the automotive industry, especially with the emergence of the Advanced driver assistance systems and the vast improvement in autonomous vehicles. Such platforms use various sensors, including cameras, LiDAR and mmWave radar. These sensors themselves may present a potential security hazard if exploited by an attacker. In this paper we propose a system to attack an automotive FMCW mmWave radar, that uses fast chirp modulation. Using a single rogue radar, our attack system is capable of spoofing the distance and velocity measured by the victim vehicle simultaneously, presenting phantom measurements coherent with the laws of physics governing vehicle motion. The attacking radar controls the delay in order to spoof its distance, and uses phase compensation and control in order to spoof its velocity. After developing the attack theory, we demonstrate the spoofing attack by building a proof-of-concept hardware-based system, using a Software Defined Radio. We successfully demonstrate two real-world scenarios in which the victim radar is spoofed to detect either a phantom emergency stop or a phantom acceleration, while measuring coherent range and velocity. We also discuss several countermeasures that can mitigate the described attack.

computer science, theory & methods

Tao Chen,Lei Wang,Xiaoqiang Ren,Zhitao Liu,Hongye Su

DOI: https://doi.org/10.1109/cdc49753.2023.10383555

2023-01-01

Abstract:In cyber-physical systems, replay attacks are a type of deception attacks that involve replaying previously recorded sensor data while injecting attack signals into the physical plant. The replay attacks are difficult to detect because the data being replayed is normal. To detect replay attacks, authentication signals are commonly used. However, injecting authentication signals may affect the performance of system states that are sensitive to noise or disturbance. To address this issue, the effect of authentication signals on sensitive states is measured in the sense of mean square error, and conditions that the authentication signal has a limited effect or even no effect on sensitive states are presented. Combining these conditions, optimization problems are constructed to design the authentication signal. Finally, the proposed method is validated through simulation results.

Paul Staat,Harald Elders-Boll,Markus Heinrichs,Christian Zenger,Christof Paar

DOI: https://doi.org/10.48550/arXiv.2107.01709

2021-08-03

Abstract:The intelligent reflecting surface (IRS) is a promising new paradigm in wireless communications for meeting the growing connectivity demands in next-generation mobile networks. IRS, also known as software-controlled metasurfaces, consist of an array of adjustable radio wave reflectors, enabling smart radio environments, e.g., for enhancing the signal-to-noise ratio (SNR) and spatial diversity of wireless channels. Research on IRS to date has been largely focused on constructive applications. In this work, we demonstrate for the first time that the IRS provides a practical low-cost toolkit for attackers to easily perform complex signal manipulation attacks on the physical layer in real time. We introduce the environment reconfiguration attack (ERA) as a novel class of jamming attacks in wireless radio networks. Here, an adversary leverages the IRS to rapidly vary the electromagnetic propagation environment to disturb legitimate receivers. The IRS gives the adversary a key advantage over traditional jamming: It no longer has to actively emit jamming signals, instead the IRS reflects existing legitimate signals. In addition, the adversary doesn't need any knowledge about the legitimate channel. We thoroughly investigate the ERA in wireless systems based on the widely employed orthogonal frequency division multiplexing (OFDM) modulation. We present insights into the attack through analytical analysis, simulations, as well as experiments. Our results show that the ERA allows to severely degrade the available data rates even with reasonably small IRS sizes. Finally, we implement an attacker setup and demonstrate a practical ERA to slow down an entire Wi-Fi network.

Cryptography and Security

Shu Wang,Jiahao Cao,Xu He,Kun Sun,Qi Li

DOI: https://doi.org/10.1145/3372297.3417254

2020-09-02

Abstract:Automatic speech recognition (ASR) systems have been widely deployed in modern smart devices to provide convenient and diverse voice-controlled services. Since ASR systems are vulnerable to audio replay attacks that can spoof and mislead ASR systems, a number of defense systems have been proposed to identify replayed audio signals based on the speakers' unique acoustic features in the frequency domain. In this paper, we uncover a new type of replay attack called modulated replay attack, which can bypass the existing frequency domain based defense systems. The basic idea is to compensate for the frequency distortion of a given electronic speaker using an inverse filter that is customized to the speaker's transform characteristics. Our experiments on real smart devices confirm the modulated replay attacks can successfully escape the existing detection mechanisms that rely on identifying suspicious features in the frequency domain. To defeat modulated replay attacks, we design and implement a countermeasure named DualGuard. We discover and formally prove that no matter how the replay audio signals could be modulated, the replay attacks will either leave ringing artifacts in the time domain or cause spectrum distortion in the frequency domain. Therefore, by jointly checking suspicious features in both frequency and time domains, DualGuard can successfully detect various replay attacks including the modulated replay attacks. We implement a prototype of DualGuard on a popular voice interactive platform, ReSpeaker Core v2. The experimental results show DualGuard can achieve 98% accuracy on detecting modulated replay attacks.

Cryptography and Security

Zhi Sun,Sarankumar Balakrishnan,Lu Su,Arupjyoti Bhuyan,Pu Wang,Chunming Qiao

DOI: https://doi.org/10.48550/arXiv.2011.10947

2020-11-22

Abstract:With the wide bandwidths in millimeter wave (mmWave) frequency band that results in unprecedented accuracy, mmWave sensing has become vital for many applications, especially in autonomous vehicles (AVs). In addition, mmWave sensing has superior reliability compared to other sensing counterparts such as camera and LiDAR, which is essential for safety-critical driving. Therefore, it is critical to understand the security vulnerabilities and improve the security and reliability of mmWave sensing in AVs. To this end, we perform the end-to-end security analysis of a mmWave-based sensing system in AVs, by designing and implementing practical physical layer attack and defense strategies in a state-of-the-art mmWave testbed and an AV testbed in real-world settings. Various strategies are developed to take control of the victim AV by spoofing its mmWave sensing module, including adding fake obstacles at arbitrary locations and faking the locations of existing obstacles. Five real-world attack scenarios are constructed to spoof the victim AV and force it to make dangerous driving decisions leading to a fatal crash. Field experiments are conducted to study the impact of the various attack scenarios using a Lincoln MKZ-based AV testbed, which validate that the attacker can indeed assume control of the victim AV to compromise its security and safety. To defend the attacks, we design and implement a challenge-response authentication scheme and a RF fingerprinting scheme to reliably detect aforementioned spoofing attacks.

Cryptography and Security,Signal Processing

Jiaqi Li,Li Wang,Liumeng Xue,Lei Wang,Zhizheng Wu

2024-01-03

Abstract:Deep Learning has advanced Automatic Speaker Verification (ASV) in the past few years. Although it is known that deep learning-based ASV systems are vulnerable to adversarial examples in digital access, there are few studies on adversarial attacks in the context of physical access, where a replay process (i.e., over the air) is involved. An over-the-air attack involves a loudspeaker, a microphone, and a replaying environment that impacts the movement of the sound wave. Our initial experiment confirms that the replay process impacts the effectiveness of the over-the-air attack performance. This study performs an initial investigation towards utilizing a neural replay simulator to improve over-the-air adversarial attack robustness. This is achieved by using a neural waveform synthesizer to simulate the replay process when estimating the adversarial perturbations. Experiments conducted on the ASVspoof2019 dataset confirm that the neural replay simulator can considerably increase the success rates of over-the-air adversarial attacks. This raises the concern for adversarial attacks on speaker verification in physical access applications.

Sound,Audio and Speech Processing

Huan Huang,Hongliang Zhang,Weidong Mei,Jun Li,Yi Cai,A. Lee Swindlehurst,Zhu Han

2024-07-12

Abstract:Integrated sensing and communication (ISAC) systems traditionally presuppose that sensing and communication (S&C) channels remain approximately constant during their coherence time. However, a "DISCO" reconfigurable intelligent surface (DRIS), i.e., an illegitimate RIS with random, time-varying reflection properties that acts like a "disco ball," introduces a paradigm shift that enables active channel aging more rapidly during the channel coherence time. In this letter, we investigate the impact of DISCO jamming attacks launched by a DRISbased fully-passive jammer (FPJ) on an ISAC system. Specifically, an ISAC problem formulation and a corresponding waveform optimization are presented in which the ISAC waveform design considers the trade-off between the S&C performance and is formulated as a Pareto optimization problem. Moreover, a theoretical analysis is conducted to quantify the impact of DISCO jamming attacks. Numerical results are presented to evaluate the S&C performance under DISCO jamming attacks and to validate the derived theoretical analysis.

Signal Processing

Haoyu Wang,Zhu Han,A. Lee Swindlehurst

2024-01-01

Abstract:While reconfigurable intelligent surface (RIS) technology has been shown to provide numerous benefits to wireless systems, in the hands of an adversary such technology can also be used to disrupt communication links. This paper describes and analyzes an RIS-based attack on multi-antenna wireless systems that operate in time-division duplex mode under the assumption of channel reciprocity. In particular, we show how an RIS with a non-diagonal (ND) phase shift matrix (referred to here as an ND-RIS) can be deployed to maliciously break the channel reciprocity and hence degrade the downlink network performance. Such an attack is entirely passive and difficult to detect and counteract. We provide a theoretical analysis of the degradation in the sum ergodic rate that results when an arbitrary malicious ND-RIS is deployed and design an approach based on the genetic algorithm for optimizing the ND structure under partial knowledge of the available channel state information. Our simulation results validate the analysis and demonstrate that an ND-RIS channel reciprocity attack can dramatically reduce the downlink throughput.

Signal Processing

Shuo Feng,Simon Haykin

DOI: https://doi.org/10.1109/icc.2019.8761101

2019-01-01

Abstract:Connected and autonomous vehicles (CAVs) and unmanned aerial vehicles (UAVs) are viewed as revolutionary technologies in the era of Internet of Things (IoT). However, both CAV and UAV can be exploited by potential adversaries and pose serious threats to the intelligent transportation system (ITS), such as damaging the vehicle-to-vehicle (V2V) communication. In this paper, we investigate the anti-jamming V2V communication in an integrated UAV-CAV network with hybrid attackers, which consist of a malicious CAV with intelligent jamming capability and a malicious UAV without. To solve this problem, we propose to use a unique research tool named cognitive dynamic system (CDS), and apply its function of cognitive risk control (CRC) to develop an effective countermeasure. In each perception-action cycle (PAC), the power control will always be performed by a legitimate transmitting vehicle; meanwhile, the process of channel selection only takes place if the risk level is evaluated as high after completing the power control. This kind of design that involves task-switching is inspired by the predictive-adaptation feature of the human brain. Simulation results have shown that the proposed method based on CRC is able to defend hybrid attackers effectively under various settings.

Beiyuan Liu,Jinjing Jiang,Qian Liu,Jiajia Liu,Sai Xu

DOI: https://doi.org/10.1109/tifs.2024.3390621

IF: 7.231

2024-05-10

IEEE Transactions on Information Forensics and Security

Abstract:Dual-functional radar and communication (DFRC) system is capable of sensing potential eavesdroppers close to the DFRC base station (BS) and further ensuring secure transmission using physical layer security technologies based on the obtained location information of eavesdroppers. However, such security can be threatened by a malicious intelligent reflecting surface (IRS) that simultaneously changes both radar and communication channels. To reveal this threat, an IRS-based active attack scheme is proposed in this paper under the assumption of a prevalent DFRC framework. In this scheme, the attacker, equipped with a malicious IRS, carefully controls and optimizes the IRS phase shifts in each stage of the DFRC framework to reduce its reflected radar echo power to the BS and/or strength the wiretap link gain for pilot spoofing attack according to the statistical channel state information. Numerical results show that our proposed attack scheme can significantly reduce the secrecy rate of the legitimate user, while avoid being detected by the DFRC BS.

computer science, theory & methods,engineering, electrical & electronic

Simon Erni,Martin Kotuliak,Patrick Leu,Marc Roeschlin,Srdjan Capkun

DOI: https://doi.org/10.1145/3495243.3560525

2022-09-08

Abstract:In cellular networks, attacks on the communication link between a mobile device and the core network significantly impact privacy and availability. Up until now, fake base stations have been required to execute such attacks. Since they require a continuously high output power to attract victims, they are limited in range and can be easily detected both by operators and dedicated apps on users' smartphones. This paper introduces AdaptOver - a MITM attack system designed for cellular networks, specifically for LTE and 5G-NSA. AdaptOver allows an adversary to decode, overshadow (replace) and inject arbitrary messages over the air in either direction between the network and the mobile device. Using overshadowing, AdaptOver can cause a persistent ($\geq$ 12h) DoS or a privacy leak by triggering a UE to transmit its persistent identifier (IMSI) in plain text. These attacks can be launched against all users within a cell or specifically target a victim based on its phone number. We implement AdaptOver using a software-defined radio and a low-cost amplification setup. We demonstrate the effects and practicality of the attacks on a live operational LTE and 5G-NSA network with a wide range of smartphones. Our experiments show that AdaptOver can launch an attack on a victim more than 3.8km away from the attacker. Given its practicability and efficiency, AdaptOver shows that existing countermeasures that are focused on fake base stations are no longer sufficient, marking a paradigm shift for designing security mechanisms in cellular networks.

Cryptography and Security

Deepanramkumar Pari,Jaisankar Natarajan

DOI: https://doi.org/10.3390/sym14122472

2022-11-22

Symmetry

Abstract:The Internet of Vehicles (IoV) is witnessed to play the leading role in the future of Intelligent Transportation Systems (ITS). Though many works have focused on IoV improvement, there is still a lack of performance due to insufficient spectrum availability, lower data rates, and the involvement of attackers. This paper considers all three issues by developing a novel mmWave-assisted Cognitive Radio based IoV (CR-IoV) model. The integration of CR in IoV resolves the issue of spectrum management, while mmWave technology ensures symmetry in acquiring higher data rates for Secondary Users (SUs). With the proposed mmWave-assisted CR-IoV model, symmetric improvements in network performance were achieved in three main areas: security, beamforming, and routing. Optimum detection mechanisms isolate malicious Secondary Users (SUs) in the overall network. First, Spectrum Sensing Data Falsification (SSDF) attack is detected by a Hybrid Kernel-based Support Vector Machine (HK-SVM), which is the lightweight Machine Learning (ML) technique. Then, the Primary User Emulation (PUE) attack is detected by a hybrid approach, namely the Fang Algorithm-based Time Difference of Arrival (FA-TDoA) method. Further, security is assured by validating the legitimacy of each SU through a Lightweight ID-based Certificate Validation mechanism. To accomplish this, we employed the Four Q-curve asymmetric cryptographic algorithm. Overall, the proposed dual-step security provisioning approach assures that the network is free from attackers. Next, beamforming is performed for legitimate SUs by a 3D-Beamforming algorithm that relies on Array Factor (AF) and Beampattern Function. Finally, routing is enabled by formulating Forwarding Zone (FZ) based on the forwarding angle. In the forwarding zone, optimal forwarders are selected by the Multi-Objective Whale Optimization (MOWO) algorithm. Here, a new potential score is formulated for fitness evaluation. Finally, the proposed mmWave-assisted CR-IoV model is validated through extensive simulations in the ns-3.26 simulation tool. The evaluation shows better performance in terms of throughput, packet delivery ratio, delay, bit error rate, and detection accuracy.

Philipp Mackensen,Paul Staat,Stefan Roth,Aydin Sezgin,Christof Paar,Veelasha Moonsamy

2024-07-14

Abstract:Wireless communication infrastructure is a cornerstone of modern digital society, yet it remains vulnerable to the persistent threat of wireless jamming. Attackers can easily create radio interference to overshadow legitimate signals, leading to denial of service. The broadcast nature of radio signal propagation makes such attacks possible in the first place, but at the same time poses a challenge for the attacker: The jamming signal does not only reach the victim device but also other neighboring devices, preventing precise attack targeting. In this work, we solve this challenge by leveraging the emerging RIS technology, for the first time, for precise delivery of jamming signals. In particular, we propose a novel approach that allows for environment-adaptive spatial control of wireless jamming signals, granting a new degree of freedom to perform jamming attacks. We explore this novel method with extensive experimentation and demonstrate that our approach can disable the wireless communication of one or multiple victim devices while leaving neighboring devices unaffected. Notably, our method extends to challenging scenarios where wireless devices are very close to each other: We demonstrate complete denial-of-service of a Wi-Fi device while a second device located at a distance as close as 5 mm remains unaffected, sustaining wireless communication at a data rate of 25 Mbit/s. Lastly, we conclude by proposing potential countermeasures to thwart RIS-based spatial domain wireless jamming attacks.

Cryptography and Security

Jiaqi Zou,Christos Masouros,Fan Liu,Songlin Sun

2023-12-02

Abstract:Integrated sensing and communications (ISAC) systems employ dual-functional signals to simultaneously accomplish radar sensing and wireless communication tasks. However, ISAC systems open up new sensing security vulnerabilities to malicious illegitimate eavesdroppers (Eves) that can also exploit the transmitted waveform to extract sensing information from the environment. In this paper, we investigate the beamforming design to enhance the sensing security of an ISAC system, where the communication user (CU) serves as a sensing Eve. Our objective is to maximize the mutual information (MI) for the legitimate radar sensing receiver while considering the constraint of the MI for the Eve and the quality of service to the CUs. Then, we consider the artificial noise (AN)-aided beamforming to further enhance the sensing security. Simulation results demonstrate that our proposed methods achieve MI improvement of the legitimate receiver while limiting the sensing MI of the Eve, compared with the baseline scheme, and that the utilization of AN further contributes to sensing security.

Signal Processing

Antonios Argyriou

DOI: https://doi.org/10.48550/arXiv.2303.06600

2023-03-12

Abstract:Passive emitter tracking (PET) algorithms can estimate both the range and Doppler of a wireless emitter when it uses orthogonal frequency division multiplexing (OFDM). In this paper we are interested to prevent this from happening by an unauthorized receiver (URx). To accomplish that we introduce in the transmitted signal a \textit{spoofing signal} that varies across subcarriers and successive OFDM symbols. With this technique the emitter is not only able to spoof its actual range and Doppler (allowing covert communication in terms of these two parameters), but is also capable of producing additional false emitter signatures to further confuse the URx. To evaluate the performance of our approach we calculate the range-Doppler response at the URx for different system configurations of an 802.11-based system.

Signal Processing

Hasan Can Yildirim,Musa Furkan Keskin,Henk Wymeersch,François Horlin

2024-01-02

Abstract:Joint Communication and Sensing (JCAS) is taking its first shape in WLAN sensing under IEEE 802.11bf, where standardized WLAN signals and protocols are exploited to enable radar-like sensing. However, an overlooked problem in JCAS, and specifically in WLAN Sensing, is the sensitivity of the system to a deceptive jammer, which introduces phantom targets to mislead the victim radar receiver. Standardized waveforms and sensing parameters make the system vulnerable to physical layer attacks. Moreover, orthogonal frequency-division multiplexing (OFDM) makes deceptive jamming even easier as it allows digitally generated artificial range/Doppler maps. This paper studies deceptive jamming in JCAS, with a special focus on WLAN Sensing. The provided mathematical models give insights into how to design jamming signals and their impact on the sensing system. Numerical analyses illustrate various distortions caused by deceptive jamming, while the experimental results validate the need for meticulous JCAS design to protect the system against physical layer attacks in the form of deceptive jamming.

Signal Processing

Weijie Yuan,Lin Zhou,Saeid K. Dehkordi,Shuangyang Li,Pingzhi Fan,Giuseppe Caire,H. Vincent Poor

2023-11-26

Abstract:Next-generation vehicular networks are expected to provide the capability of robust environmental sensing in addition to reliable communications to meet intelligence requirements. A promising solution is the integrated sensing and communication (ISAC) technology, which performs both functionalities using the same spectrum and hardware resources. Most existing works on ISAC consider the Orthogonal Frequency Division Multiplexing (OFDM) waveform. Nevertheless, vehicle motion introduces Doppler shift, which breaks the subcarrier orthogonality and leads to performance degradation. The recently proposed Orthogonal Time Frequency Space (OTFS) modulation, which exploits various advantages of Delay Doppler (DD) channels, has been shown to support reliable communication in high-mobility scenarios. Moreover, the DD waveform can directly interact with radar sensing parameters, which are actually delay and Doppler shifts. This paper investigates the advantages of applying the DD communication waveform to ISAC. Specifically, we first provide a comprehensive overview of implementing DD communications, based on which several advantages of DD-ISAC over OFDM-based ISAC are revealed, including transceiver designs and the ambiguity function. Furthermore, a detailed performance comparison are presented, where the target detection probability and the mean squared error (MSE) performance are also studied. Finally, some challenges and opportunities of DD-ISAC are also provided.

Signal Processing,Systems and Control