Yang,Yanjiao Chen,Wei Wang,Gang Yang

DOI: https://doi.org/10.1109/twc.2020.2970412

IF: 10.4

2020-01-01

IEEE Transactions on Wireless Communications

Abstract:The potential of multiuser MIMO (MU-MIMO) to increase network capacity has been intensively studied. To enable concurrent transmission in Frequency-Division Duplex (FDD) systems with limited feedback, users have to report the estimated channel state information (CSI) to the base station (BS) for interference elimination, which however has been proven to be vulnerable. In this paper, we reveal how to utilize the CSI feedbacks to launch sniffing attacks in a deterministic way, where the sniffing attack enables the attackers to eavesdrop other users in the same transmission group. We conduct a rigorous theoretical analysis on the construction of the forged CSI. In the proposed sniffing attacks, the malicious users can successfully sniff other users’ messages without knowing their own messages for signal cancellation. To make sniffing attacks more practical, we explore the possibilities of sniffing multiple users by a coalition of malicious users or a single malicious user. To thwart sniffing attacks, we design a novel secure CSI feedback (SCF) protocol based on the random masking technique, which requires simple modifications at the BS and incurs a little additional workload. Extensive theoretical analysis and experimental results are provided to further validate the effectiveness of our proposed sniffing attacks and the corresponding countermeasure.

Yanlong Qiu,Jiaxi Zhang,Tao Sun,Yanjiao Chen,Jin Zhang,Bo Ji

DOI: https://doi.org/10.1109/tdsc.2024.3418038

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Radar spoofing attacks mislead victim radars by injecting false information. Successful attacks require prior knowledge of the victim radar's mode and parameters, and existing works obtain this critical information with expensive equipment, e.g., software-defined radio or spectrum analyzer. In this paper, we propose WASTON, a low-cost system for radar mode detection and parameter estimation using commercial off-the-shelf (COTS) mmWave radars. To overcome the disadvantage of low sampling frequency of COTS mmWave radars, we design two special local signals to detect frequency points and spectral shapes for radar mode detection. We propose a novel parameter estimation algorithm to estimate frequency- and time-domain parameters for spoofing different radars. We have implemented a prototype on the TI AWR1843 platform and conducted extensive experiments to evaluate the performance of WASTON. Our experimental results demonstrate that WASTON achieves an accuracy of 100% for mode detection and 99% for parameter estimation. Furthermore, we demonstrate that the estimated parameters can be used to launch a successful spoofing attack against the victim radar.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Wade Trappe,Wenyuan Xu

DOI: https://doi.org/10.7282/t3rj4jw7

2007-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to conduct radio interference, or jamming attacks, which effectively cause a denial of service (DoS) of either transmission or reception functionalities. These attacks can be easily accomplished by an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at jamming a particular channel. In this thesis, we examine the issue of jamming wireless networks, and sensor networks in particular, by studying both the attack and defense side of the problem. On the attack side, we present four different jamming attack models that can be used by an adversary to disable the operation of a wireless network, and evaluate their effectiveness in terms of how each method affects the ability of a wireless node to send and receive packets. In order to cope with the problem of jamming, we discuss a two-phase strategy involving the diagnosis of the attack, followed by a suitable defense strategy. For detection, we show that single measurement statistics are not enough to reliably classify the presence of a jamming attack, and propose multimodal detection methods. To cope with jamming, we propose a technique, channel surfing, which involves evading the interferer in the spectral domain. Several different channel surfing models are presented, and we evaluate their effectiveness using a testbed of MICA2 motes. Beyond channel surfing, we overview a second defense strategy whereby it is possible to establish a low data rate jamming resistant communication channel by modulating the interarrival times between jammed packets.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1109/percom45495.2020.9127375

2020-01-01

Abstract:The broadcast nature of wireless medium makes WLANs easily be attacked by rogue Access Points (APs). Rogue AP attacks can potentially cause severe privacy leakage and financial lost. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs, since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP, but also depend on the client, significantly limiting their applicable scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint. These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication. Our scheme can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 12 million WiFi packets. Results shows that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate.

Xiaoyu Ji,Chaohao Li,Xinyan Zhou,Juchuan Zhang,Yanmiao Zhang,Wenyuan Xu

DOI: https://doi.org/10.1145/3399432

2020-01-01

ACM Transactions on Internet of Things

Abstract:Nowadays, most Internet of Things devices in smart homes rely on radio frequency channels for communication, making them exposed to various attacks such as spoofing and eavesdropping attacks. Existing methods using encryption keys may be inapplicable on these resource-constrained devices that cannot afford the computationally expensive encryption operations. Thus, in this article, we design a key-free communication method for such devices in a smart home. In particular, we introduce the Home-limited Channel (HLC) that can be accessed only within a house yet inaccessible for outside-house attackers. Utilizing HLCs, we propose HlcAuth, a challenge-response mechanism to authenticate the communications between smart devices without keys. The advantages of HlcAuth are low cost, lightweight as well as key-free, and requiring no human intervention. According to the security analysis, HlcAuth can defeat replay attacks, message-forgery attacks, and man-in-the-middle (MiTM) attacks, among others. We further evaluate HlcAuth in four different physical scenarios, and results show that HlcAuth achieves 100% true positive rate (TPR) within 4.2m for in-house devices while 0% false positive rate (FPR) for outside attackers, i.e., guaranteeing a high-level usability and security for in-house communications. Finally, we implement HlcAuth in both single-room and multi-room scenarios.

Rong Fan,Dao-jing He,Xue-zeng Pan,Ling-di Ping

DOI: https://doi.org/10.1631/jzus.c1000377

2011-01-01

Abstract:Wireless sensor networks (WSNs) are vulnerable to security attacks due to their deployment and resource constraints. Considering that most large-scale WSNs follow a two-tiered architecture, we propose an efficient and denial-of-service (DoS)-resistant user authentication scheme for two-tiered WSNs. The proposed approach reduces the computational load, since it performs only simple operations, such as exclusive-OR and a one-way hash function. This feature is more suitable for the resource-limited sensor nodes and mobile devices. And it is unnecessary for master nodes to forward login request messages to the base station, or maintain a long user list. In addition, pseudonym identity is introduced to preserve user anonymity. Through clever design, our proposed scheme can prevent smart card breaches. Finally, security and performance analysis demonstrates the effectiveness and robustness of the proposed scheme.

Zang Li,Wenyuan Xu,Robert D. Miller,Wade Trappe

DOI: https://doi.org/10.1145/1161289.1161297

2006-01-01

Abstract:Although conventional cryptographic security mechanisms are essential to the overall problem of securing wireless networks, these techniques do not directly leverage the unique properties of the wireless domain to address security threats. The properties of the wireless medium are a powerful source of domain-specific information that can complement and enhance traditional security mechanisms. In this paper, we propose to utilize the fact that the radio channel decorre-lates rapidly in space, time and frequency in order to to establish new forms of authentication and confidentiality that operate at the physical layer and can be used to facilitate cross-layer security paradigms. Specifically, for authentication services, we illustrate two channel probing techniques that can be used to verify the authenticity of a transmitter. Similarly, for confidentiality, we examine several strategies for establishing shared secrets/keys between two communicators using the wireless medium. These strategies range from extracting keys from channel state information, to utilizing the channel variability to secretly disseminate keys. We then validate the feasibility of using physical layer techniques for securing wireless systems by presenting results from experiments involving the USRP/GNURadio software defined radio platform.

Yanfei Fan,Bin Lin,Yixin Jiang,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/glocom.2008.ecp.891

2008-01-01

Abstract:In this paper, we propose an efficient privacy-preserving scheme for secure packet transmission at wireless link layer. The proposed scheme is constructed by using hash values in reverse hash chains as interface identifiers. It can successfully and efficiently resist the Media Access Control (MAC) address based attacks, such as flow tracking and traffic analysis, which are launched by either outside or even inside attackers. In addition, some optimization techniques are also introduced to further improve the efficiency of the proposed scheme. The extensive analysis and simulations demonstrate the enhanced security and efficiency of the proposed scheme.

Linyuan Zhang,Guangming Nie,Guoru Ding,Qihui Wu,Zhaoyang Zhang,Zhu Han

DOI: https://doi.org/10.1109/tmc.2018.2869390

IF: 6.075

2018-01-01

IEEE Transactions on Mobile Computing

Abstract:The problem of Byzantine attack in collaborative spectrum sensing (CSS) is considered in this paper. To defend against Byzantine attack, a robust defense framework is proposed to efficiently identify the Byzantine attackers. Specifically, we first propose a robust defense framework, where a reference is built based on the extended sensing, and the transmit results and sensors are continuously evaluated via the reference and identified at intervals. In the framework, except of data falsification, multiple practical factors are considered, including the variation characteristic of sensors’ attributes, reporting channel imperfection, and inference errors based on the transmit results. Further, we derive the closed-form expressions of the reference and the identification performance and make optimization of the identification threshold in two cases: with and without the prior knowledge of attack behaviors, where the probability of correctly detecting Byzantine attackers is maximized under the constraint of the probability of falsely identifying honest sensors as attackers. In particular, when the prior knowledge is unavailable, maximized likelihood estimation is made based on the reference to achieve the optimization. Furthermore, we present in-depth simulations to demonstrate the high robustness of the proposed defence framework to multiple practical factors under a homogeneous scenario and a heterogeneous scenario.

Hongbo Liu,Yan Wang,Jian Liu,Jie Yang,Yingying Chen

DOI: https://doi.org/10.1145/2590296.2590321

2014-06-04

Abstract:User authentication is the critical first step to detect identity-based attacks and prevent subsequent malicious attacks. However, the increasingly dynamic mobile environments make it harder to always apply the cryptographic-based methods for user authentication due to their infrastructural and key management overhead. Exploiting non-cryptographic based techniques grounded on physical layer properties to perform user authentication appears promising. In this work, we explore to use channel state information (CSI), which is available from off-the-shelf WiFi devices, to conduct fine-grained user authentication. We propose an user-authentication framework that has the capability to build the user profile resilient to the presence of the spoofer. Our machine learning based user-authentication techniques can distinguish two users even when they possess similar signal fingerprints and detect the existence of the spoofer. Our experiments in both office building and apartment environments show that our framework can filter out the signal outliers and achieve higher authentication accuracy compared with existing approaches using received signal strength (RSS).

Yubo Song,Bing Chen,Tianqi Wu,Tianyu Zheng,Hongyuan Chen,Junbo Wang

DOI: https://doi.org/10.1155/2021/2993019

2021-11-17

Wireless Communications and Mobile Computing

Abstract:Wi-Fi device authentication is crucial for defending against impersonation attacks and information forgery attacks. Most of the existing authentication technologies rely on complex cryptographic algorithms. However, they cannot be supported well on the devices with limited hardware resources. A fine-grained device authentication technology based on channel state information (CSI) provides a noncryptographic method, which uses the CSI fingerprints for authentication since CSI can uniquely identify the devices. But long-term authentication based on CSI fingerprints is a challenging work. First, the CSI fingerprints are environment-sensitive, which means that the local authenticator should be updated to adapt to the changing channel state. Second, the local authenticator trained with old CSI fingerprints is outdated when users reconnect to the network after being offline for a long time, thus, it needs to be retrained in the access phase with new fingerprints. To tackle these challenges, we propose a CSI-based enhancing Wi-Fi device authentication protocol and an authentication framework. The protocol helps to collect new CSI fingerprints for authenticator’s training in access phase and performs the fingerprints’ dispersion analysis for authentication. In the association phase, it provides packet-level authentication and updates the authenticator with valid CSI fingerprints. The authenticator consists of an ensemble of small-scale autoencoders, which has high enough time efficiency for packet-level authentication and authenticator’s update. Experiments show that the accuracy of the framework is up to 98.7%, and the authenticator updating method can help the framework maintains high accuracy.

computer science, information systems,telecommunications,engineering, electrical & electronic

Manesh Thankappan,Helena Rifà-Pous,Carles Garrigues

DOI: https://doi.org/10.1109/access.2024.3362803

IF: 3.9

2024-02-20

IEEE Access

Abstract:One of the advanced Man-in-the-Middle (MitM) attacks is the Multi-Channel MitM (MC-MitM) attack, which is capable of manipulating encrypted wireless frames between clients and the Access Point (AP) in a Wireless LAN (WLAN). MC-MitM attacks are possible on any client no matter how the client authenticates with the AP. Key reinstallation attacks (KRACK) in 2017-18, and the latest FragAttacks in 2021 are frontline MC-MitM attacks that widely impacted millions of Wi-Fi systems, especially those with Internet of Things (IoT) devices. Although there are security patches against some attacks, they are not applicable to every Wi-Fi or IoT device. In addition, existing defense mechanisms to combat MC-MitM attacks are not feasible for two reasons: they either require severe firmware modifications on all the devices in a system, or they require the use of several advanced hardware and software for deployment. On top of that, high technical overhead is imposed on users in terms of network setup and maintenance. This paper presents the first plug-and-play system to detect MC-MitM attacks. Our solution is a lightweight, signature-based, and centralized online passive intrusion detection system that can be easily integrated into Wi-Fi-based IoT environments without modifying any network settings or existing devices. The evaluation results show that our proposed framework can detect MC-MitM attacks with a maximum detection time of 60 seconds and a minimum TPR (true positive rate) of 90% by short-distance detectors and 84% by long-distance detectors in real Wi-Fi or IoT environments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ruiqi Kong,He Chen

2023-08-01

Abstract:This paper presents a new radiometric fingerprint that is revealed by micro-signals in the channel state information (CSI) curves extracted from commodity Wi-Fi devices. We refer to this new fingerprint as "micro-CSI". Our experiments show that micro-CSI is likely to be caused by imperfections in the radio-frequency circuitry and is present in Wi-Fi 4/5/6 network interface cards (NICs). We conducted further experiments to determine the most effective CSI collection configuration to stabilize micro-CSI. To extract micro-CSI from varying CSI curves, we developed a signal space-based extraction algorithm that effectively separates distortions caused by wireless channels and hardware imperfections under line-of-sight (LoS) scenarios. Finally, we implemented a micro-CSI-based device authentication algorithm that uses the k-Nearest Neighbors (KNN) method to identify 11 COTS Wi-Fi NICs from the same manufacturer in typical indoor environments. Our experimental results demonstrate that the micro-CSI-based authentication algorithm can achieve an average attack detection rate of over 99% with a false alarm rate of 0%.

Signal Processing,Cryptography and Security

Xufei Li,Shuiguang Zeng,Yangyang Liu

DOI: https://doi.org/10.3390/s23156948

IF: 3.9

2023-08-05

Sensors

Abstract:Utilizing a multi-frame signal (MFS) rather than a single-frame signal (SFS) for radio frequency fingerprint authentication (RFFA) shows the advantage of higher accuracy. However, previous studies have often overlooked the associated security threats in MFS-based RFFA. In this paper, we focus on the carrier-sense multiple access with collision avoidance channel and identify a potential security threat, in that an attacker may inject a forged frame into valid traffic, making it more likely to be accepted alongside legitimate frames. To counter such a security threat, we propose an innovative design called the inter-frame-relationship protected signal (IfrPS), which enables the receiver to determine whether two consecutively received frames originate from the same transmitter to safeguard the MFS-based RFFA. To demonstrate the applicability of our proposition, we analyze and numerically evaluate two important properties: its impact on message demodulation and the accuracy gain in IfrPS-aided, MFS-based RFFA compared with the SFS-based RFFA. Our results show that the proposed scheme has a minimal impact of only −0.5 dB on message demodulation, while achieving up to 5 dB gain for RFFA accuracy.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Le Wang,Alexander M. Wyglinski

DOI: https://doi.org/10.1002/wcm.2527

2014-10-01

Wireless Communications and Mobile Computing

Abstract:Abstract Compared with a wired network, a wireless network is not protected by the cable transmission medium. Information is broadcasted over the air and it can be intercepted by anyone within the transmission range. Even though the transmissions could potentially be protected by security authentication mechanisms, malicious users can still intercept the information by mimicking the characteristics of normal user or a legitimate access point. This scenario is referred as a man‐in‐the‐middle (MITM) attack. In the MITM attack, the attackers can bypass the security mechanisms, intercept the unprotected transmission packets, and sniff the information. Because of several vulnerabilities in the IEEE 802.11 protocol, it is difficult to defend against a wireless MITM attack. In this paper, a received signal strength indicator (RSSI)‐based detection mechanism for MITM attacks is proposed. RSSI information is an arbitrary integer that indicates the power level being received by the antenna. The random RSSI values are processed via a sliding window, yielding statistic information about the signal characteristics such as mean and standard deviation profiles. By analyzing those profiles, the detection mechanism can detect if a rogue access point, the key component of an MITM attack, is launched. Our proposed approach has been validated via hardware experimentation using Backtrack 5 tools and MATLAB software suite. Copyright © 2014 John Wiley & Sons, Ltd.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ruiqi Kong,He Chen

DOI: https://doi.org/10.1109/tifs.2024.3396375

IF: 7.231

2024-05-14

IEEE Transactions on Information Forensics and Security

Abstract:This paper introduces CSI-RFF, a new framework that leverages micro-signals embedded within Channel State Information (CSI) curves to realize Radio-Frequency Fingerprinting of commodity off-the-shelf (COTS) WiFi devices for open-set authentication. The micro-signals that serve as RF fingerprints are termed "micro-CSI". Through experimentation, we have found that the presence of micro-CSI can primarily be attributed to imperfections in the RF circuitry. Furthermore, this characteristic signal is detectable in WiFi 4/5/6 network interface cards (NICs). We have conducted further experiments to determine the most effective CSI collection configurations to stabilize micro-CSI. Yet, extracting micro-CSI for authentication purposes poses a significant challenge. This complexity arises from the fact that CSI measurements inherently include both micro-CSI and the distortions introduced by wireless channels. These two elements are intricately intertwined, making their separation non-trivial. To tackle this challenge, we have developed a signal space-based extraction technique for line-of-sight (LoS) scenarios, which can effectively separate the distortions caused by wireless channels and micro-CSI. Over the course of our comprehensive CSI data collection period extending beyond one year, we found that the extracted micro-CSI displays unique characteristics specific to each WiFi device and remains invariant over time. This establishes micro-CSI as a suitable candidate for device fingerprinting. Finally, we conduct a case study focusing on area access control for mobile robots. In particular, we applied our CSI-RFF framework to identify mobile robots operating in real-world indoor LoS environments based on their transmitted WiFi signals. To accomplish this, we have compared and employed anomaly detection algorithms for the authentication of 15 COTS WiFi 4/5/6 NICs that were carried by a mobile robot under both static and mobile conditions, maintaining an average signal-to-noise ratio (SNR) of 34 dB. Our experimental results demonstrate that the micro-CSI-based authentication algorithm can achieve an average attack detection rate close to 99% with a false alarm rate of 0% in both static and mobile conditions when using 20 CSI measurements to construct one fingerprint.

computer science, theory & methods,engineering, electrical & electronic

Sulei Wang,Zhe Chen,Yuedong Xu,Qiben Yan,Chongbin Xu,Xin Wang

DOI: https://doi.org/10.1109/infocom.2019.8737412

2019-01-01

Abstract:Multiuser MIMO (MU-MIMO) empowers access points (APs) with multiple antennas to transmit multiple data streams concurrently to users by exploiting spatial multiplexing. In MU-MIMO, users need to estimate channel state information (CSI) and report it to APs, thus opening a backdoor to attackers who may forge CSI to eavesdrop the content of victims. In this paper, we explore the eavesdropping attack in a novel and practical context in which CSI forgery entangles MU-MIMO user selection in a many-users regime. The attacker hopes to optimize both the eavesdropping opportunity of being selected with the victim and the corresponding decoding quality. We propose new attack and defense mechanisms: (1) USE Attack that enables attackers to achieve near optimal eavesdropping opportunity and high decoding quality through constructing orthogonal CSI against victims followed by stepwise refinements; (2) AngleSec that exploits channel reciprocity for attacker detection without any modification to legacy CSI feedback in which CSI forgery induces a mismatching of downlink and uplink angular spectra at the AP. We implement and evaluate USE Attack and AngleSec in a software defined radio platform WARPv3. Extensive experiments manifest that USE Attack significantly improves the overall eaves-dropping quality compared with state-of-the-art counterparts and AngleSec is able to detect CSI forgery attackers almost for sure.

Demin Gao,Shuai Wang,Yunhuai Liu,Wenchao Jiang,Zhijun Li,Tian He

DOI: https://doi.org/10.1016/j.comcom.2021.06.017

IF: 5.047

2021-09-01

Computer Communications

Abstract:<p>Cross-Technology Communication(CTC) enables that WiFi devices can talk to ZigBee devices directly without any hardware changes or gateway equipment, and WiFi occupies a much wider bandwidth (20MHz) than ZigBee (2MHz), which sheds the light on spoofing-jamming attack based on CTC, where a WiFi device, as a sophisticated attacker spoofs or jams an area in which multiple-channels sensor network operating. In this work, we attempt to emulate two ZigBee frames under different frequencies within a single WiFi frame by controlling non-continuous bands of subcarriers. In other words, a WiFi device can independently communicate with the ZigBee devices operating in two channels. In a different perspective, the application based on CTC will be significantly impaired when CTC suffers from malicious attacks such as spoofing or jamming. In our work, we implement a parallel spoofing system, called SamBee, that can spoof the ZigBee devices operating in two different channels or jam the ZigBee devices operating in five distinct channels simultaneously only using a single WiFi frame, which causes maximum damage to the network in term of corrupted communication links with low cost. We implement our design based on a USRP-N210 and MICAz hybrid platform, the results show that parallel spoofing attacks and multiple-channels jamming attacks based on CTC is feasible, and our results also provide valuable insights about the associated defense mechanisms on achieving desirable performance.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic

Jingyu Hua,Hongyi Sun,Zhenyu Shen,Zhiyun Qian,Sheng Zhong

DOI: https://doi.org/10.1109/INFOCOM.2018.8485917

2018-01-01

Abstract:Due to the loose authentication requirement between access points (APs) and clients, it is notoriously known that WLANs face long-standing threats such as rogue APs and network freeloading. Take the rogue AP problem as an example, unfortunately encryption alone does not provide authentication. APs need to be equipped with certificates that are trusted by clients ahead of time. This requires either the presence of PKI for APs or other forms of pre-established trust (e.g., distributing the certificates offline), none of which is widely used. Before any strong security solution is deployed, we still need a practical solution that can mitigate the problem. In this paper, we explore a non-cryptographic solution that is readily deployable today on end hosts (e.g., smartphones and laptops) without requiring any changes to the APs or the network infrastructure. The solution infers the Carrier Frequency Offsets (CFOs) of wireless devices from Channel State Information (CSI) as their hardware fingerprints without any special hardware requirement. CFO is attributed to the oscillator drift, which is a fundamental physical property that cannot be manipulated easily and remains fairly consistent over time but varies significantly across devices. The real experiments on 23 smartphones and 34 APs (with both identical and different brands) in different scenarios demonstrate that the detection rate could exceed 94%.