Joshua Smailes,Sebastian Köhler,Simon Birnbach,Martin Strohmeier,Ivan Martinovic

DOI: https://doi.org/10.1145/3576915.3623135

2023-09-07

Abstract:Due to an increase in the availability of cheap off-the-shelf radio hardware, spoofing and replay attacks on satellite ground systems have become more accessible than ever. This is particularly a problem for legacy systems, many of which do not offer cryptographic security and cannot be patched to support novel security measures. In this paper we explore radio transmitter fingerprinting in satellite systems. We introduce the SatIQ system, proposing novel techniques for authenticating transmissions using characteristics of transmitter hardware expressed as impairments on the downlinked signal. We look in particular at high sample rate fingerprinting, making fingerprints difficult to forge without similarly high sample rate transmitting hardware, thus raising the budget for attacks. We also examine the difficulty of this approach with high levels of atmospheric noise and multipath scattering, and analyze potential solutions to this problem. We focus on the Iridium satellite constellation, for which we collected 1705202 messages at a sample rate of 25 MS/s. We use this data to train a fingerprinting model consisting of an autoencoder combined with a Siamese neural network, enabling the model to learn an efficient encoding of message headers that preserves identifying information. We demonstrate the system's robustness under attack by replaying messages using a Software-Defined Radio, achieving an Equal Error Rate of 0.120, and ROC AUC of 0.946. Finally, we analyze its stability over time by introducing a time gap between training and testing data, and its extensibility by introducing new transmitters which have not been seen before. We conclude that our techniques are useful for building systems that are stable over time, can be used immediately with new transmitters without retraining, and provide robustness against spoofing and replay by raising the required budget for attacks.

Cryptography and Security,Signal Processing

Ping Dong,Namin Hou,Yuting Tang,Yushi Cheng,Xiaoyu Ji

DOI: https://doi.org/10.1016/j.hcc.2024.100222

2024-01-01

High-Confidence Computing

Abstract:The development of wireless communication network technology has provided people with diversified and convenient services. However, with the expansion of network scale and the increase in the number of devices, malicious attacks on wireless communication are becoming increasingly prevalent, causing significant losses. Currently, wireless communication systems authenticate identities through certain data identifiers. However, this software-based data information can be forged or replicated. This article proposes the authentication of device identity using the hardware fingerprint of the terminal’s Radio Frequency (RF) components, which possesses properties of being genuine, unique, and stable, holding significant implications for wireless communication security. Through the collection and processing of raw data, extraction of various features including time-domain and frequency-domain features, and utilizing machine learning algorithms for training and constructing a legal fingerprint database, it is possible to achieve close to a 97% recognition accuracy for Fifth Generation (5G) terminals of the same model. This provides an additional and robust hardware-based security layer for 5G communication security, enhancing monitoring capability and reliability.

Shinan Liu,Xiang Cheng,Hanchao Yang,Yuanchao Shu,Xiaoran Weng,Ping Guo,Kexiong (Curtis) Zeng,Gang Wang,Yaling Yang

2021-01-01

Abstract:The GPS has empowered billions of users and various critical infrastructures with its positioning and time services. However, GPS spoofing attacks also become a growing threat to GPS-dependent systems. Existing detection methods either require expensive hardware modifications to current GPS devices or lack the basic robustness against sophisticated attacks, hurting their adoption and usage in practice. In this paper, we propose a novel GPS spoofing detection framework that works with off-the-shelf GPS chipsets. Our basic idea is to rotate a one-side-blocked GPS receiver to derive the angle-of-arrival (AoAs) of received signals and compare them with the GPS constellation (consists of tens of GPS satellites). We first demonstrate the effectiveness of this idea by implementing a smartphone prototype and evaluating it against a real spoofer in various field experiments (in both open air and urban canyon environments). Our method achieves a high accuracy (95%-100%) in 5 seconds. Then we implement an adaptive attack, assuming the attacker becomes aware of our defense method and actively modulates the spoofing signals accordingly. We study this adaptive attack and propose enhancement methods (using the rotation speed as the "secret key") to fortify the defense. Further experiments are conducted to validate the effectiveness of the enhanced defense.

Wenyuan Xu,Wade Trappe,Yanyong Zhang,Timothy Wood

DOI: https://doi.org/10.1145/1062689.1062697

2005-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to launch jamming-style attacks. These attacks can be easily accomplished by an adversary emitting radio frequency signals that do not follow an underlying MAC protocol. Jamming attacks can severely interfere with the normal operation of wireless networks and, consequently, mechanisms are needed that can cope with jamming attacks. In this paper, we examine radio interference attacks from both sides of the issue: first, we study the problem of conducting radio interference attacks on wireless networks, and second we examine the critical issue of diagnosing the presence of jamming attacks. Specifically, we propose four different jamming attack models that can be used by an adversary to disable the operation of a wireless network, and evaluate their effectiveness in terms of how each method affects the ability of a wireless node to send and receive packets. We then discuss different measurements that serve as the basis for detecting a jamming attack, and explore scenarios where each measurement by itself is not enough to reliably classify the presence of a jamming attack. In particular, we observe that signal strength and carrier sensing time are unable to conclusively detect the presence of a jammer. Further, we observe that although by using packet delivery ratio we may differentiate between congested and jammed scenarios, we are nonetheless unable to conclude whether poor link utility is due to jamming or the mobility of nodes. The fact that no single measurement is sufficient for reliably classifying the presence of a jammer is an important observation, and necessitates the development of enhanced detection schemes that can remove ambiguity when detecting a jammer. To address this need, we propose two enhanced detection protocols that employ consistency checking. The first scheme employs signal strength measurements as a reactive consistency check for poor packet delivery ratios, while the second scheme employs location information to serve as the consistency check. Throughout our discussions, we examine the feasibility and effectiveness of jamming attacks and detection schemes using the MICA2 Mote platform.

Wade Trappe,Wenyuan Xu

DOI: https://doi.org/10.7282/t3rj4jw7

2007-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to conduct radio interference, or jamming attacks, which effectively cause a denial of service (DoS) of either transmission or reception functionalities. These attacks can be easily accomplished by an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at jamming a particular channel. In this thesis, we examine the issue of jamming wireless networks, and sensor networks in particular, by studying both the attack and defense side of the problem. On the attack side, we present four different jamming attack models that can be used by an adversary to disable the operation of a wireless network, and evaluate their effectiveness in terms of how each method affects the ability of a wireless node to send and receive packets. In order to cope with the problem of jamming, we discuss a two-phase strategy involving the diagnosis of the attack, followed by a suitable defense strategy. For detection, we show that single measurement statistics are not enough to reliably classify the presence of a jamming attack, and propose multimodal detection methods. To cope with jamming, we propose a technique, channel surfing, which involves evading the interferer in the spectral domain. Several different channel surfing models are presented, and we evaluate their effectiveness using a testbed of MICA2 motes. Beyond channel surfing, we overview a second defense strategy whereby it is possible to establish a low data rate jamming resistant communication channel by modulating the interarrival times between jammed packets.

Wenyuan Xu,Ke Ma,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1109/mnet.2006.1637931

IF: 10.294

2006-01-01

IEEE Network

Abstract:Wireless sensor networks are built upon a shared medium that makes it easy for adversaries to conduct radio interference, or jamming, attacks that effectively cause a denial of service of either transmission or reception functionalities. These attacks can easily be accomplished by an adversary by either bypassing MAC-layer protocols or emitting a radio signal targeted at jamming a particular channel. In this article we survey different jamming attacks that may be employed against a sensor network. In order to cope with the problem of jamming, we discuss a two-phase strategy involving the diagnosis of the attack, followed by a suitable defense strategy. We highlight the challenges associated with detecting jamming. To cope with jamming, we propose two different but complementary approaches. One approach is to simply retreat from the interferer which may be accomplished by either spectral evasion (channel surfing) or spatial evasion (spatial retreats). The second approach aims to compete more actively with the interferer by adjusting resources, such as power levels and communication coding, to achieve communication in the presence of the jammer.

Namin Hou,Yushi Cheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ICCCS61882.2024.10603286

2024-01-01

Abstract:The advancement of Fifth-Generation (5G) technology has greatly enriched individuals' access to a broad array of convenient services, offering significant benefits in mobile communications, autonomous driving, smart homes, and the Internet of Things. However, with the increase in the number of network access devices, large and frequent data interactions have brought potential security risks to wireless networks, which are related to user privacy security, traffic safety, and even social security. Malicious intrusions targeting wireless communications have resulted in significant disruptions and incurred substantial losses. Presently, user identities in wireless communications rely on software-based data identifiers, which can be forged easily. This paper proposes a hardware-level device authentication mechanism that uses the intrinsic hardware characteristics of the transmitter (shown as impairments in the radio signal of the transmission link) for identity authentication. The resulting fingerprint is naturally distinctive and highly resistant to counterfeiting attempts. We use 5 devices across different models and 10 devices of the same model for experimental evaluation. Then we apply machine learning algorithms to construct a fingerprint database and device authentication, achieving an average of 82.4% precision, 89.9% recall, and 85.9% F1-score, which can help to safeguard the security of 5G communication.

Muhammad Irfan,Savio Sciancalepore,Gabriele Oligeri

2024-07-11

Abstract:Radio Frequency fingerprinting enables a passive receiver to recognize and authenticate a transmitter without the need for cryptographic tools. Authentication is achieved by isolating specific features of the transmitted signal that are unique to the transmitter's hardware. Much research has focused on improving the effectiveness and efficiency of radio frequency fingerprinting to maximize its performance in various scenarios and conditions, while little research examined how to protect devices from being subject to radio fingerprinting in the wild. In this paper, we explore a novel point of view. We examine the hostile usage of radio frequency fingerprinting, which facilitates the unauthorized tracking of wireless devices in the field by malicious entities. We also suggest a method to sanitize the transmitted signal of its fingerprint using a jammer, deployed on purpose to improve devices' anonymity on the channel while still guaranteeing the link's quality of service. Our experimental results and subsequent analysis demonstrate that a friendly jammer can effectively block a malicious eavesdropper from recognizing and tracking a device without affecting the quality of the wireless link, thereby restoring the privacy of the user when accessing the radio spectrum.

Cryptography and Security

Wenyuan Xu,Timothy Wood,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1145/1023646.1023661

2004-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to launch denial of service (DoS) attacks. One form of denial of service is targeted at preventing sources from communicating. These attacks can be easily accomplished by an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at jamming a particular channel. In this paper we present two strategies that may be employed by wireless devices to evade a MAC/PHY-layer jamming-style wireless denial of service attack. The first strategy, channel surfing, is a form of spectral evasion that involves legitimate wireless devices changing the channel that they are operating on. The second strategy, spatial retreats, is a form of spatial evasion whereby legitimate mobile devices move away from the locality of the DoS emitter. We study both of these strategies for three broad wireless communication scenarios: two-party radio communication, an infrastructured wireless network, and an ad hoc wireless network. We evaluate several of our proposed strategies and protocols through ns-2 simulations and experiments on the Berkeley mote platform.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Francisco Gallardo,Antonio Pérez-Yuste,Andriy Konovaltsev

DOI: https://doi.org/10.3390/s24237698

IF: 3.9

2024-12-02

Sensors

Abstract:Spoofing attacks pose a significant security risk for organizations and systems relying on global navigation satellite systems (GNSS) for their operations. While the existing spoofing detection methods have shown some effectiveness, these can be vulnerable to certain attacks, such as secure code estimation and replay (SCER) attacks, among others.This paper analyzes the potential of satellite fingerprinting methods for GNSS spoofing detection and benchmarks their performance using real (in realistic scenarios by using GPS and Galileo signals generated and recorded in the advanced GNSS simulation facility of DLR) GNSS signals and scenarios. Our results show that our proposed fingerprinting methods can improve the detection accuracy of the existing methods and can be coupled with other techniques to enhance the overall performance of the detection systems, all based on relatively simple metrics. In this paper, we compare the performance of several fingerprinting methods, including those from the existing literature (based on signal Gaussian properties of the signal complex envelope, energy and in-phase symbol dispersion) and one proposed in this paper, based on the satellite instrumental delay. The innovation of this work is a new jamming and spoofing complementary detection technique, based on fingerprinting and machine learning, including a new fingerprinting metric (based on the satellite instrumental delay).

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Di Lin,Su Hu,Weiwei Wu,Gang Wu

DOI: https://doi.org/10.1007/s11432-022-3672-7

2023-01-01

Science China Information Sciences

Abstract:We consider the security issues in a satellite remote sensing（SRS） and image processing system. Specifically, we present a novel architecture of a secure SRS image recognition system by using a radio frequency（RF） fingerprint to identify whether a satellite user is authenticated or not.For unauthenticated users, we address the method of adding perturbation into their received SRS images,

Sekhar Rajendran,Zhi Sun,Feng Lin,Kui Ren

DOI: https://doi.org/10.48550/arXiv.2006.06895

2020-12-06

Abstract:In Internet of Things, where billions of devices with limited resources are communicating with each other, security has become a major stumbling block affecting the progress of this technology. Existing authentication schemes-based on digital signatures have overhead costs associated with them in terms of computation time, battery power, bandwidth, memory, and related hardware costs. Radio frequency fingerprint (RFF), utilizing the unique device-based information, can be a promising solution for IoT. However, traditional RFFs have become obsolete because of low reliability and reduced user capability. Our proposed solution, Metasurface RF-Fingerprinting Injection (MeRFFI), is to inject a carefully-designed radio frequency fingerprint into the wireless physical layer that can increase the security of a stationary IoT device with minimal overhead. The injection of fingerprint is implemented using a low cost metasurface developed and fabricated in our lab, which is designed to make small but detectable perturbations in the specific frequency band in which the IoT devices are communicating. We have conducted comprehensive system evaluations including distance, orientation, multiple channels where the feasibility, effectiveness, and reliability of these fingerprints are validated. The proposed MeRFFI system can be easily integrated into the existing authentication schemes. The security vulnerabilities are analyzed for some of the most threatening wireless physical layer-based attacks.

Signal Processing,Cryptography and Security,Systems and Control

Luis F. Abanto-Leon,Andreas Baeuml,Gek Hong,Matthias Hollick,Arash Asadi

DOI: https://doi.org/10.1145/3428329

2020-11-27

Abstract:The intrinsic hardware imperfection of WiFi chipsets manifests itself in the transmitted signal, leading to a unique radiometric fingerprint. This fingerprint can be used as an additional means of authentication to enhance security. In fact, recent works propose practical fingerprinting solutions that can be readily implemented in commercial-off-the-shelf devices. In this paper, we prove analytically and experimentally that these solutions are highly vulnerable to impersonation attacks. We also demonstrate that such a unique device-based signature can be abused to violate privacy by tracking the user device, and, as of today, users do not have any means to prevent such privacy attacks other than turning off the device. We propose RF-Veil, a radiometric fingerprinting solution that not only is robust against impersonation attacks but also protects user privacy by obfuscating the radiometric fingerprint of the transmitter for non-legitimate receivers. Specifically, we introduce a randomized pattern of phase errors to the transmitted signal such that only the intended receiver can extract the original fingerprint of the transmitter. In a series of experiments and analyses, we expose the vulnerability of adopting naive randomization to statistical attacks and introduce countermeasures. Finally, we show the efficacy of RF-Veil experimentally in protecting user privacy and enhancing security. More importantly, our proposed solution allows communicating with other devices, which do not employ RF-Veil.

Cryptography and Security,Computers and Society,Networking and Internet Architecture,Performance

Maha Sliti,Manel Mrabet,Lassaad Ben Ammar

DOI: https://doi.org/10.1007/s11082-024-06356-0

IF: 3

2024-02-19

Optical and Quantum Electronics

Abstract:Free-space optical (FSO) communication systems are a promising technology for future smart cities due to their cost-effective installation, high data throughput, extensive reach, and minimal latency. However, these systems are vulnerable to potential intrusions, particularly jamming. The limited wavelengths of FSO systems, typically around 1300 nm or 1550 nm, make them accessible to potential adversaries. The wide field-of-view (FoV) of FSO receivers is important for dealing with changing weather conditions. However, jammers can use this to their advantage, lowering security or stopping FSO links from working. Even in terrestrial applications, FSO transceivers, often situated at significant heights, are vulnerable to jamming. A jammer can transmit disruptive optical pulses to the FSO receiver, making it difficult to distinguish between legitimate signals and jammed interference, posing a significant risk to communication integrity. Addressing jamming in FSO communication systems is crucial, especially in scenarios demanding secure and reliable communication, such as military applications. Understanding jamming and developing effective countermeasures is essential to ensuring the security and reliability of future communication networks as FSO technology continues to evolve.

engineering, electrical & electronic,optics,quantum science & technology

Haojin Zhu,Chenliaohui Fang,Yao Liu,Cailian Chen,Mengyuan Li,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/jsac.2016.2605799

IF: 16.4

2016-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The emerging paradigm for dynamic spectrum sharing is based on allowing secondary users (SUs) to exploit white space frequency that is not occupied by primary users. White space database provides an opportunity for SUs to obtain spectrum availability information by submitting a location-based query. However, this new paradigm can also be exploited by the attackers to significantly enhance their jamming capability due to the available channel information from spectrum queries, which is expected to increasingly block SUs. The challenge is that the unique characteristics (e.g., lack of the wide range frequencies or continuous broadband) make existing anti-jamming techniques (e.g., direct-sequence spread spectrum and frequency hopping spread spectrum) difficult to be applied. In this paper, we present a novel Jammer Inference-based Jamming Defense (jDefender) framework. The main idea of jDefender is inferring the likelihood of a user being a jammer based on the observed jamming events and then utilizing the inferred attack likelihood to enhance the effectiveness of a series of the proposed anti-jamming strategies. Specifically, we first propose the Channel Allocation-based Jammer Inference scheme to infer the likelihood of an SU being a jammer based on the channels occupied by SUs even under the collusion attack performed by multiple jammers. The strength of the anti-jamming strategies (e.g., puzzle difficulties, available spectrum resources) will be correlated with the possibility of an SU being a jammer to achieve the tradeoff between system performance and jamming tolerance. We then implement the proposed scheme on Universal Software Radio Peripheral and PC. Extensive evaluations are performed to validate the effectiveness of the attacks and countermeasures.

Katarina Radoš,Marta Brkić,Dinko Begušić

DOI: https://doi.org/10.3390/s24134210

2024-06-28

Abstract:Increased interest in the development and integration of navigation and positioning services into a wide range of receivers makes them susceptible to a variety of security attacks such as Global Navigation Satellite Systems (GNSS) jamming and spoofing attacks. The availability of low-cost devices including software-defined radios (SDRs) provides a wide accessibility of affordable platforms that can be used to perform these attacks. Early detection of jamming and spoofing interferences is essential for mitigation and avoidance of service degradation. For these reasons, the development of efficient detection methods has become an important research topic and a number of effective methods has been reported in the literature. This survey offers the reader a comprehensive and systematic review of methods for detection of GNSS jamming and spoofing interferences. The categorization and classification of selected methods according to specific parameters and features is provided with a focus on recent advances in the field. Although many different detection methods have been reported, significant research efforts toward developing new and more efficient methods remain ongoing. These efforts are driven by the rapid development and increased number of attacks that pose high-security risks. The presented review of GNSS jamming and spoofing detection methods may be used for the selection of the most appropriate solution for specific purposes and constraints and also to provide a reference for future research.

Zhiqing Luo,Wei Wang,Qianyi Huang,Tao Jiang,Qian Zhang

DOI: https://doi.org/10.1109/tmc.2021.3084754

IF: 6.075

2021-01-01

IEEE Transactions on Mobile Computing

Abstract:The low-power radio technologies open up many opportunities to facilitate Internet-of-Things (IoT) into our daily life, while their minimalist design also makes IoT devices vulnerable to many active attacks. Recent advances use an antenna array to extract fine-grained physical-layer signatures to identify the attackers, which adds burdens in terms of energy and hardware cost to IoT devices. In this paper, we present ShieldScatter, a lightweight system that attaches low-cost tags to single-antenna devices to shield the system from active attacks. The key insight of ShieldScatter is to intentionally create multi-path propagation signatures with the careful deployment of tags. These signatures can be used to construct a sensitive profile to identify the location of the signals' arrival, and thus detect the threat. In addition, we also design a tag-random scheme and a multiple receivers combination approach to detect a powerful attacker who has the strong priori knowledge of the legitimate user. We prototype ShieldScatter with USRPs and tags to evaluate our system in various environments. The results show that even when the powerful attacker is close to the legitimate device, ShieldScatter can mitigate 95 percent of attack attempts while triggering false alarms on just 7 percent of legitimate traffic.

computer science, information systems,telecommunications

Naeimeh Soltanieh,Yaser Norouzi,Yang Yang,Nemai Chandra Karmakar

DOI: https://doi.org/10.1109/jrfid.2020.2968369

2020-09-01

IEEE Journal of Radio Frequency Identification

Abstract:Radio frequency (RF) fingerprinting techniques have been used as an extra security layer for wireless devices. Unique fingerprints are used to identify wireless devices in order to avoid spoofing or impersonating attacks. These unique features can be extracted from imperfections of analog components during the manufacturing. This paper presents a general review of recent progress on RF fingerprinting techniques. Several studies are investigated for RF fingerprinting using different parts of a signal. The majority of these studies have been focused on the transient part of the signal. For this purpose, the transient signal must be extracted precisely. A number of common techniques of transient extraction are theoretically analyzed in this review. Then, some other approaches using the modulated part of the signal are also discussed. For all these approaches, the applied methodologies, the classification algorithms and a taxonomy of features are described. A comprehensive overview of the methods in RF fingerprinting is presented to demonstrate the state-of-the-art works.

English Else