Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1109/percom45495.2020.9127375

2020-01-01

Abstract:The broadcast nature of wireless medium makes WLANs easily be attacked by rogue Access Points (APs). Rogue AP attacks can potentially cause severe privacy leakage and financial lost. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs, since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP, but also depend on the client, significantly limiting their applicable scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint. These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication. Our scheme can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 12 million WiFi packets. Results shows that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate.

Steffen Schulz,Ahmad-Reza Sadeghi,Maria Zhdanova,Hossen A. Mustafa,Wenyuan Xu,Vijay Varadharajan

DOI: https://doi.org/10.1145/2185448.2185468

2012-01-01

Abstract:The rapidly increasing data usage and overload in mobile broadband networks has driven mobile network providers to actively detect and bill customers who tether tablets and laptops to their mobile phone for mobile Internet access. However, users may not be willing to pay additional fees only because they use their bandwidth dierently, and may consider tethering detection as violation of their privacy. Furthermore, accurate tethering detection is becoming harder for providers as many modern smartphones are under full control of the user, running customized, complex software and applications similar to desktop systems. In this work, we analyze the network characteristics available to network providers to detect tethering customers. We present and categorize possible detection mechanisms and derive cost factors based on how well the approach scales with large customer bases. For those characteristics that appear most reasonable and practical to deploy by large providers, we present elimination or obfuscation mechanisms and substantiate our design with a prototype Android App.

Hao Kong,Li Lu,Jiadi Yu,Yingying Chen,Xiangyu Xu,Feng Lyu

DOI: https://doi.org/10.1109/tnet.2023.3237686

2023-01-01

Abstract:User authentication nowadays has become an important support for not only security guarantees but also emerging novel applications. Although WiFi signal-based user authentication has achieved initial success, it works in single-user scenarios while multi-user authentication remains a challenging task. In this paper, we present MultiAuth, a multi-user authentication system that can authenticate multiple users with a single pair of commodity WiFi devices. The basic idea is to profile multipath components of WiFi signals, and leverage the multipath components to characterize each user individually for multi-user authentication. MultiAuth first profiles multipath components of WiFi signals through a proposed MUltipath Time-of-Arrival estimation algorithm (MUTA). Then, after matching corresponding multipath components to each user in complex multi-user scenarios, MultiAuth constructs individual CSI based on the multipath components to characterize each user individually. An AoA-based approach is exploited to further separate individual CSI constructed by the users with same ToA. To identify users through their activities, MultiAuth extracts user behavior profiles based on the individual CSI, and leverages a dual-task neural network for robust user authentication. Extensive experiments involving 3 simultaneously present users demonstrate that MultiAuth is effective in multi-user authentication with 86.2% average accuracy and 9.5% average false accept rate.

Hao Kong,Li Lu,Jiadi Yu,Yingying Chen,Xiangyu Xu,Feilong Tang,Yi-Chao Chen

DOI: https://doi.org/10.1145/3466772.3467032

2021-01-01

Abstract:ABSTRACTWith the increasing integration of humans and the cyber world, user authentication becomes critical to support various emerging application scenarios requiring security guarantees. Existing works utilize Channel State Information (CSI) of WiFi signals to capture single human activities for non-intrusive and device-free user authentication, but multi-user authentication remains a challenging task. In this paper, we present a multi-user authentication system, MultiAuth, which can authenticate multiple users with a single commodity WiFi device. The key idea is to profile multipath components of WiFi signals induced by multiple users, and construct individual CSI from the multipath components to solely characterize each user for user authentication. Specifically, we propose a MUltipath Time-of-Arrival measurement algorithm (MUTA) to profile multipath components of WiFi signals in high resolution. Then, after aggregating and separating the multipath components related to users, MultiAuth constructs individual CSI based on the multipath components to solely characterize each user. To identify users, MultiAuth further extracts user behavior profiles based on the individual CSI of each user through time-frequency analysis, and leverages a dual-task neural network for robust user authentication. Extensive experiments involving 3 simultaneously present users demonstrate that MultiAuth is accurate and reliable for multi-user authentication with 87.6% average accuracy and 8.8% average false accept rate.

Yushi Cheng,Xiaoyu Ji,Tianyang Lu,Wenyuan Xu

DOI: https://doi.org/10.1109/tmc.2019.2900919

IF: 6.075

2019-01-01

IEEE Transactions on Mobile Computing

Abstract:Wireless cameras are widely deployed in surveillance systems for security guarding. However, the privacy concerns associated with unauthorized videotaping, are drawing increasing attention recently. Existing detection methods for unauthorized wireless cameras are either limited by their detection accuracy or requiring dedicated devices. In this paper, we propose DeWiCam, a lightweight and effective detection mechanism using smartphones. The basic idea of DeWiCam is to utilize the intrinsic traffic patterns of flows from wireless cameras. Compared with traditional traffic pattern analysis, DeWiCam is more challenging because it cannot access the encrypted information in the data packets. Yet, DeWiCam overcomes the difficulty and can detect nearby wireless cameras reliably. To further identify whether a camera is in an interested room, we propose a human-assisted identification model. Extension functions of DeWiCam further enable the video resolution and audio channel inference to provide extra protection. We implemented DeWiCam on the Android platform and evaluated it with extensive experiments on 20 cameras. The evaluation results show that DeWiCam can detect cameras with an accuracy of 99 percent within $2.7\;\mathrm {s}$2.7s.

Eman Ali Metwally,Noha A. Haikal,Hassan Hussein Soliman

DOI: https://doi.org/10.1007/978-981-16-2275-5_3

2021-08-24

Digital Transformation Technology

Abstract:In IEEE 802.11 standard, the management frames are sent unencrypted, so the network name (SSID), MAC address (BSSID), and/or IP address can be easily spoofed. Impersonating existing AP with faked one to steal sensitive information from the connected devices is known as an evil twin attack. The current approaches for detecting Evil-twin AP depends on techniques as clock skew, route option, IP packet header, and data frame statistics. The relevant literature approaches are either outdated, limited in their detection methods, architecture, and/or scope of detection. This research proposed an admin and user tool that can detect the evil twin attack. In this paper, we detect the de-authentication and disassociation packets or both (mixed frames), as it is an essential part of evil twin attack. By using a low-cost microcontroller capability to detect and classify frames and then trigger different lighting alert for each type of frames. The main contribution of this paper does not lie only in its ability to detect different types of attack but also in detecting  them in real-time and determining the attacker’s MAC address. It is prototyped under real attack as it is implemented over two different scenarios, in both admin and user side then compared with other detection method. Experimental results show accuracy rate of 95.30% for the admin side in (DE authentication attack—disassociation attack—mixed attack—normal packets). While it proves accuracy rate of 88.18% for the user side.

Chao Wu,Yike Guo

DOI: https://doi.org/10.1016/j.procs.2011.07.106

2011-01-01

Procedia Computer Science

Abstract:We consider the problem of detecting potential dangerous people (i.e. terrorist) in a crowded but closed environment such as airport (and railway station). Instead of conventional sensor, we proposed to use human (passengers) themselves as sensors to detect and identify the target, processing the information from environment with human brain and their cognitive capability. Passengers report the identified issues as tweets with their mobile phone. The monitoring system collects the tweets and classifies their creditability through semantic analysis and learning. Then a temporal model is applied to compute the overall credibility of event. After the event is identified, photos and text description in tweets are combined with sensors (like camera) to identify and track the target people with range image motion detection algorithm. The work is currently in progress of designing model and prototype system.

Dawei Yan,Yubo Yan,Panlong Yang,Wen-Zhan Song,Xiang-Yang Li,Pengfei Liu

DOI: https://doi.org/10.1109/jiot.2022.3223682

IF: 10.6

2023-03-25

IEEE Internet of Things Journal

Abstract:WiFi connections are vulnerable to simulated attacks from rogue access points (AP) or devices whose SSID and/or MAC/IP address are the same as legitimate devices. This kind of attack is difficult to counter with traditional network security mechanisms. In this paper, we propose a new security mechanism that uses environment-independent features extracted from channel state information (CSI) to detect and identify rogue WiFi devices or APs, and reject their connections. We find that due to the I/Q imbalance and imperfect oscillator of each WiFi network card (NIC), the nonlinear phase error of different subcarriers will vary with the NIC. Through our experimental verification, this cross-subcarrier phase feature is invariant to the location and the environment. We deploy systems on two platforms that can extract constant phase errors from the constantly changing CSI in less than one second, which is at least 8× faster than that of the state-of-the-art solution. Extensive experiments on commercial routers and end devices in different scenarios show that based on the Industral Platform Computer (IPC) platform, where only non-encrypted rogue connections can be detected, the detection accuracy rate reaches 96%, and the false alarm rate is less than 2%. Based on the ASUS router platform (a commercial WiFi router), WiFi channels and smart device types are not restricted, which greatly improved universality, and the accuracy of device connection detection can even reach more than 99%. We improve a device-type identification method based on the communication traffic features of the device when connected to WiFi. Experiments show that even if there are multiple similar devices from the same manufacturer, the accuracy of device type detection exceeds 99%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yousri Daldoul

DOI: https://doi.org/10.48550/arXiv.2302.00338

2023-02-01

Abstract:The evil twin attack is a major security threat to WLANs. An evil twin is a rogue AP installed by a malicious user to impersonate legitimate APs. It intends to attract victims in order to intercept their credentials, to steal their sensitive information, to eavesdrop on their data, etc. In this paper, we study the security mechanisms of wireless networks and we introduce the different authentication methods, including 802.1X authentication. We show that 802.1X has improved security through the use of digital certificates but does not define any practical technique for the user to check the network certificate. Therefore, it remains vulnerable to the evil twin attack. To repair this vulnerability, we introduce Robust Certificate Management System (RCMS) which takes advantage of the digital certificates of 802.1X to protect the users against rogue APs. RCMS defines a new verification code to allow the user device to check the network certificate. This practical verification combined with the reliability of digital certificates provides a perfect protection against rogue APs. RCMS requires a small software update on the user terminal and does not need any modification of IEEE 802.11. It has a significant flexibility since trusting a single AP is enough to trust all the APs of the extended network. This allows the administrators to extend their networks easily without the need to update any database of trusted APs on the user devices.

Cryptography and Security,Networking and Internet Architecture

Linsong Cheng,Jiliang Wang

DOI: https://doi.org/10.1145/2942358.2942373

2016-01-01

Abstract:With the development and popularization of WiFi, surfing on the Internet with mobile devices has become an indispensable part of people's daily life. However, as an infrastructure, WiFi APs are easily connected by some undesired users nearby. In this paper, we propose NiFi, a non-intrusive WiFi user identification system based on WiFi signals that enables AP to automatically identify legitimate users in indoor environment such as home, office and hotel. The core idea is that legitimate and undesired users may have different physical constraints, e.g., moving area, walking path, etc, leading to different signal sequences. NiFi analyzes and exploits the characteristics of signal sequences generated by mobile devices. NiFi proposes a practical and effective method to extract useful features and measure similarity for signal sequences, while not relying on precise user location information. We implement NiFi on Commercial Off-The-Shelf (COTS) APs, and the implementation does not require any modification to user devices. The experiment results demonstrate that NiFi is able to achieve an average identification accuracy at 90.83% with true positive rate at 98.89%.

Linsong Cheng,Jiliang Wang

DOI: https://doi.org/10.1145/2942358.2942373

2016-01-01

Abstract:With the development and popularization of WiFi, surfing on the Internet with mobile devices has become an indispensable part of people's daily life. However, as an infrastructure, WiFi APs are easily connected by some undesired users nearby. In this paper, we propose NiFi, a non-intrusive WiFi user identification system based on WiFi signals that enables AP to automatically identify legitimate users in indoor environment such as home, office and hotel. The core idea is that legitimate and undesired users may have different physical constraints, e.g., moving area, walking path, etc, leading to different signal sequences. NiFi analyzes and exploits the characteristics of signal sequences generated by mobile devices. NiFi proposes a practical and effective method to extract useful features and measure similarity for signal sequences, while not relying on precise user location information. We implement NiFi on Commercial Off-The-Shelf (COTS) APs, and the implementation does not require any modification to user devices. The experiment results demonstrate that NiFi is able to achieve an average identification accuracy at 90.83% with true positive rate at 98.89%.

Linsong Cheng,Jiliang Wang

DOI: https://doi.org/10.1109/tnet.2018.2886411

2019-01-01

IEEE/ACM Transactions on Networking

Abstract:With the development and popularization of WiFi, surfing on the Internet with mobile devices has become an indispensable part of people's daily life. However, as an infrastructure, WiFi access points (APs) are easily connected by some undesired users nearby. In this paper, we propose NiFi, a non-intrusive WiFi user-identification system based on WiFi signals that enable AP to automatically identify legitimate users in indoor environments, such as home, office, and hotel. The core idea is that legitimate and undesired users may have different physical constraints, e.g., moving area, walking path, and so on, leading to different signal sequences. NiFi analyzes and exploits the characteristics of signal sequences generated by mobile devices. NiFi proposes a practical and effective method to extract useful features and measures similarity for signal sequences while not relying on precise user location information. We implement NiFi on Commercial Off-The-Shelf APs, and the implementation does not require any modification to user devices. The experiment results demonstrate that NiFi is able to achieve an average identification accuracy at 90.83% with true positive rate at 98.89%.

Le Wang,Alexander M. Wyglinski

DOI: https://doi.org/10.1002/wcm.2527

2014-10-01

Wireless Communications and Mobile Computing

Abstract:Abstract Compared with a wired network, a wireless network is not protected by the cable transmission medium. Information is broadcasted over the air and it can be intercepted by anyone within the transmission range. Even though the transmissions could potentially be protected by security authentication mechanisms, malicious users can still intercept the information by mimicking the characteristics of normal user or a legitimate access point. This scenario is referred as a man‐in‐the‐middle (MITM) attack. In the MITM attack, the attackers can bypass the security mechanisms, intercept the unprotected transmission packets, and sniff the information. Because of several vulnerabilities in the IEEE 802.11 protocol, it is difficult to defend against a wireless MITM attack. In this paper, a received signal strength indicator (RSSI)‐based detection mechanism for MITM attacks is proposed. RSSI information is an arbitrary integer that indicates the power level being received by the antenna. The random RSSI values are processed via a sliding window, yielding statistic information about the signal characteristics such as mean and standard deviation profiles. By analyzing those profiles, the detection mechanism can detect if a rogue access point, the key component of an MITM attack, is launched. Our proposed approach has been validated via hardware experimentation using Backtrack 5 tools and MATLAB software suite. Copyright © 2014 John Wiley & Sons, Ltd.

computer science, information systems,telecommunications,engineering, electrical & electronic

Pengfei Liu,Panlong Yang,Wen-Zhan Song,Yubo Yan,Xiang-Yang Li

DOI: https://doi.org/10.1109/infocom.2019.8737455

2019-01-01

Abstract:WiFi has become a pervasive communication medium in connecting various devices of WLAN and IoT. However, WiFi connections are vulnerable to the impersonation attack from rogue access points (AP) or devices, whose SSID and/or MAC/IP address are identical to the legitimate devices. This kind of attack is difficult to countermeasure with traditional network security mechanisms. In this paper, we present a novel security mechanism to detect and identify rogue WiFi devices or AP using environment-independent characteristics extracted from channel state information (CSI), and refuse their connections. We find that nonlinear phase errors of different subcarriers change with WiFi network interface cards (NIC), due to the I/Q imbalance and imperfect oscillator of each WiFi NIC. Validated by our experiments, this phase feature across subcarriers is consistent and invariant to location and external environment, and can be extracted to build an essential signature of the NIC itself. Such signature of the transmitter can be calculated in real-time by the receiver and cannot be forged by rogue devices. Extensive experiments with dozens of WiFi devices demonstrate that the proposed mechanism can reliably detect the rogue WiFi connections and prevent impersonation in various scenarios. The speed of identification is 8$\times$ faster than that of the state-of-the-art solution. Moreover, the accuracy of rogue connection detection is up to 96% and false alarm rate is shown below 2%.

Poh Yuen Chan,Alexander I-Chi Lai,Pei-Yuan Wu,Ruey-Beei Wu

DOI: https://doi.org/10.3390/s21165665

IF: 3.9

2021-08-23

Sensors

Abstract:This paper proposes a practical physical tampering detection mechanism using inexpensive commercial off-the-shelf (COTS) Wi-Fi endpoint devices with a deep neural network (DNN) on channel state information (CSI) in the Wi-Fi signals. Attributed to the DNN that identifies physical tampering events due to the multi-subcarrier characteristics in CSI, our methodology takes effect using only one COTS Wi-Fi endpoint with a single embedded antenna to detect changes in the relative orientation between the Wi-Fi infrastructure and the endpoint, in contrast to previous sophisticated, proprietary approaches. Preliminary results show that our detectors manage to achieve a 95.89% true positive rate (TPR) with no worse than a 4.12% false positive rate (FPR) in detecting physical tampering events.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Anand Agrawal,Rajib Ranjan Maiti

DOI: https://doi.org/10.48550/arXiv.2304.12041

2023-04-28

Abstract:Evil twin attack on Wi-Fi network has been a challenging security problem and several solutions have been proposed to this problem. In general, evil twin attack aims to exfiltrate data, like Wi-Fi and service credentials, from the client devices and considered as a serious threat at MAC layer. IoT devices with its companion apps provides different pairing methods for provisioning. The "SmartConfig Mode", the one proposed by Texas Instrument (TI) and the "Access Point pairing mode (AP mode)" are the most common pairing modes provided by the application developer and vendor of the IoT devices. Especially, AP mode use Wi-Fi connectivity to setup IoT devices where a device activates an access point to which the mobile device running the corresponding mobile application is required to connect. In this paper, we have used evil twin attack as a weapon to test the security posture of IoT devices that use Wi-Fi network to set them up. We have designed, implemented and applied a system, called iTieProbe, that can be used in ethical hacking for discovering certain vulnerabilities during such setup. AP mode successfully completes when the mobile device is able to communicate with the IoT device via a home router over a Wi-Fi network. Our proposed system, iTieProbe, is capable of discovering several serious vulnerabilities in the commercial IoT devices that use AP mode or similar approach. We evaluated iTieProbe's efficacy on 9 IoT devices, like IoT cameras, smart plugs, Echo Dot and smart bulbs, and discovered that several of these IoT devices have certain serious threats, like leaking Wi-Fi credential of home router and creating fake IoT device, during the setup of the IoT devices.

Cryptography and Security

Di Gao,Hao Lin,Zhenhua Li,Feng Qian,Qi Alfred Chen,Zhiyun Qian,Wei Liu,Liangyi Gong,Yunhao Liu

DOI: https://doi.org/10.1145/3447993.3448620

2021-01-01

Abstract:Carrying over 75% of the last-mile mobile Internet traffic, WiFi has inevitably become an enticing target for various security threats. In this work, we characterize a wide variety of real-world WiFi threats at an unprecedented scale, involving 19 million WiFi access points (APs) mostly located in China, by deploying a crowdsourced security checking system on 14 million mobile devices in the wild. Leveraging the collected data, we reveal the landscape of nationwide WiFi threats for the first time. We find that the prevalence, riskiness, and breakdown of WiFi threats deviate significantly from common understandings and prior studies. In particular, we detect attacks at around 4% of all WiFi APs, uncover that most WiFi attacks are driven by an underground economy, and provide strong evidence of web analytics platforms being the bottleneck of its monetization chain. Further, we provide insightful guidance for defending against WiFi attacks at scale, and some of our efforts have already yielded real-world impact---effectively disrupted the WiFi attack ecosystem.

Hao Han,Bo Sheng,Chiu C. Tan,Qun Li,Sanglu Lu

DOI: https://doi.org/10.1109/tpds.2011.125

2009-01-01

Abstract:This paper considers a category of rogue access points (APs) that pretend to be legitimate APs to lure users to connect to them. We propose a practical timing based technique that allows the user to avoid connecting to rogue APs. Our method employs the round trip time between the user and the DNS server to independently determine whether an AP is legitimate or not without assistance from the WLAN operator. We implemented our detection technique on commercially available wireless cards to evaluate their performance.

Hao Han,Fengyuan Xu,Chiu Chiang Tan,Yifan Zhang,Qun Li

DOI: https://doi.org/10.1109/INFCOM.2011.5934960

2011-01-01

Abstract:This paper considers vehicular rogue access points (APs) that rogue APs are set up in moving vehicles to mimic legitimate roadside APs to lure users to associate to them. Due to its mobility, a vehicular rogue AP is able to maintain a long connection with users. Thus, the adversary has more time to launch various attacks to steal users' private information. We propose a practical detection scheme based on the comparison of Receive Signal Strength (RSS) to prevent users from connecting to rogue APs. The basic idea of our solution is to force APs (both legitimate and fake) to report their GPS locations and transmission powers in beacons. Based on such information, users can validate whether the measured RSS matches the value estimated from the AP's location, transmission power, and its own GPS location. Furthermore, we consider the impact of path loss and shadowing and propose a method based on rate adaption to deal with advanced rogue APs. We implemented our detection technique on commercial off-the-shelf devices including wireless cards, antennas, and GPS modules to evaluate the efficacy of our scheme.