Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Chenhao Liu,Peng Zhao,Kaigui Bian,Tong Zhao,Yan Wei

DOI: https://doi.org/10.1109/iwqos.2016.7590453

2016-01-01

Abstract:iBeacon is a new technology proposed by Apple using Bluetooth Low Energy (BLE), which helps mobile devices understand their position on a micro-local scale, and facilitates the delivery of location-based content to mobile users. According to the iBeacon protocol, iBeacon transmitters only do one-way broadcast communication, and thus it is difficult to authenticate the legitimacy of the transmitters. In this paper, we focus on detecting the physical attacks against iBeacon transmitters-iBeacon transmitters can be stolen, tampered, faked and reused, which interfere with the legitimate iBeacon transmission, reduce the quality of service and ultimately degrade the user experience. We develop a detection system based on Hidden Markov Model running on the server-side to detect the misbehaving iBeacon transmitters without more energy consuming. Our system achieves 85% detection accuracy on average for all physical attack actions; meanwhile it has a 5 % false alarm rate for non-attack situations in our designated trace experiments, and 100 % correct binary judgements in the random-trace experiments. To the best of our knowledge, this is the first work that focuses on the iBeacon physical attack problem.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1109/percom45495.2020.9127375

2020-01-01

Abstract:The broadcast nature of wireless medium makes WLANs easily be attacked by rogue Access Points (APs). Rogue AP attacks can potentially cause severe privacy leakage and financial lost. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs, since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP, but also depend on the client, significantly limiting their applicable scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint. These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication. Our scheme can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 12 million WiFi packets. Results shows that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate.

Yeming Li,Hailong Lin,Jiamei Lv,Yi Gao,Wei Dong

DOI: https://doi.org/10.1109/infocom52122.2024.10621247

2024-01-01

Abstract:In recent years, Bluetooth Low Energy (BLE) has become one of the most wildly used wireless protocols and it is common that users carry one or more BLE devices. With the extensive deployment of BLE devices, there is a significant privacy risk if these BLE devices can be tracked. However, the common wisdom suggests that the risk of BLE location tracking is negligible. The reason is that researchers believe there are no stable BLE fingerprints that are stable across different scenarios (e.g., temperatures) for different BLE devices with the same model. In this paper, we introduce a novel physical-layer fingerprint named Transient Dynamic Fingerprint (TDF), which originated from the negative feedback control process of the frequency synthesizer. Because of the hardware imperfection, the dynamic features of the frequency synthesizer are different, making TDF unique among different devices, even with the same model. Furthermore, TDF keeps stable under different thermal conditions. Based on TDF, we propose BTrack, a practical BLE device tracking system and evaluate its tracking performance in different environments. The results show BTrack works well once BLE beacons are effectively received. The identification accuracy is 35.38%-57.41% higher than the existing method, and stable over temperatures, distances, and locations.

Wenyuan Xu,Timothy Wood,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1145/1023646.1023661

2004-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to launch denial of service (DoS) attacks. One form of denial of service is targeted at preventing sources from communicating. These attacks can be easily accomplished by an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at jamming a particular channel. In this paper we present two strategies that may be employed by wireless devices to evade a MAC/PHY-layer jamming-style wireless denial of service attack. The first strategy, channel surfing, is a form of spectral evasion that involves legitimate wireless devices changing the channel that they are operating on. The second strategy, spatial retreats, is a form of spatial evasion whereby legitimate mobile devices move away from the locality of the DoS emitter. We study both of these strategies for three broad wireless communication scenarios: two-party radio communication, an infrastructured wireless network, and an ad hoc wireless network. We evaluate several of our proposed strategies and protocols through ns-2 simulations and experiments on the Berkeley mote platform.

Tian Hao,Ruogu Zhou,Guoliang Xing,Matt W. Mutka,Jiming Chen

DOI: https://doi.org/10.1109/TMC.2013.43

2014-01-01

Abstract:Time synchronization is a fundamental service for wireless sensor networks (WSNs). Although a number of message passing protocols can achieve satisfactory synchronization accuracy, they suffer poor scalability and high transmission overhead. An alternative approach is to utilize the global time references such as those induced by GPS and timekeeping radios. However, they require the hardware receiver to decode the out of band clock signal, which introduces extra cost and design complexity. This paper proposes a novel WSN time synchronization approach by exploiting the existing Wi-Fi infrastructure. Our approach leverages the fact that 802.15.4 sensors and Wi-Fi nodes often occupy the same or overlapping radio frequency bands in the 2.4 GHz unlicensed spectrum. As a result, a 802.15.4 node can detect and synchronize to the periodic beacons broadcasted by Wi-Fi access points (APs). A key advantage of our approach is that, due to the long communication range of Wi-Fi, a large number of 802.15.4 sensors can synchronize clock rates to the same beacons without any message exchange. This paper makes several key contributions. First, we experimentally characterize the spatial and temporal characteristics of Wi-Fi beacons in an enterprise Wi-Fi network consisting of over 50 APs deployed in a 300,000 square foot office building. Motivated by our measurement results, we design a novel synchronization protocol called WizSync. WizSync employs digital signal processing (DSP) techniques to detect periodic Wi-Fi beacons and use them to calibrate the frequency of native clocks. WizSync can intelligently predict the clock skew and adaptively schedules nodes to sleep to conserve energy. We implement WizSync in TinyOS 2.1.1 and conduct extensive evaluation on a testbed consisting of 19 TelosB motes. Our results show that WizSync can achieve an average synchronization error of 0.12 milliseconds over a period of 10 days with radio power consumption of 50.9 microwatts/node.

Demin Gao,Shuai Wang,Yunhuai Liu,Wenchao Jiang,Zhijun Li,Tian He

DOI: https://doi.org/10.1016/j.comcom.2021.06.017

IF: 5.047

2021-09-01

Computer Communications

Abstract:<p>Cross-Technology Communication(CTC) enables that WiFi devices can talk to ZigBee devices directly without any hardware changes or gateway equipment, and WiFi occupies a much wider bandwidth (20MHz) than ZigBee (2MHz), which sheds the light on spoofing-jamming attack based on CTC, where a WiFi device, as a sophisticated attacker spoofs or jams an area in which multiple-channels sensor network operating. In this work, we attempt to emulate two ZigBee frames under different frequencies within a single WiFi frame by controlling non-continuous bands of subcarriers. In other words, a WiFi device can independently communicate with the ZigBee devices operating in two channels. In a different perspective, the application based on CTC will be significantly impaired when CTC suffers from malicious attacks such as spoofing or jamming. In our work, we implement a parallel spoofing system, called SamBee, that can spoof the ZigBee devices operating in two different channels or jam the ZigBee devices operating in five distinct channels simultaneously only using a single WiFi frame, which causes maximum damage to the network in term of corrupted communication links with low cost. We implement our design based on a USRP-N210 and MICAz hybrid platform, the results show that parallel spoofing attacks and multiple-channels jamming attacks based on CTC is feasible, and our results also provide valuable insights about the associated defense mechanisms on achieving desirable performance.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic

Jianwei Liu,Yinghui He,Chaowei Xiao,Jinsong Han,Le Cheng,Kui Ren

DOI: https://doi.org/10.1109/INFOCOM48880.2022.9796920

2022-01-01

Abstract:Behavior recognition plays an essential role in numerous behavior-driven applications (e.g., virtual reality and smart home) and even in the security-critical applications (e.g., security surveillance and elder healthcare). Recently, WiFi-based behavior recognition (WBR) technique stands out among many behavior recognition techniques due to its advantages of being non-intrusive, device-free, and ubiquitous. However, existing WBR research mainly focuses on improving the recognition precision, while neglecting the security aspects. In this paper, we reveal that WBR systems are vulnerable to manipulating physical signals. For instance, our observation shows that WiFi signals can be changed by jamming signals. By exploiting the vulnerability, we propose two approaches to generate physically online adversarial samples to perform untargeted attack and targeted attack, respectively. The effectiveness of these attacks are extensively evaluated over four real-world WBR systems. The experiment results show that our attack approaches can achieve 80% and 60% success rates for untargeted attack and targeted attack in physical world, respectively. We also propose three methods to mitigate the hazard of such attacks.

Honglong Chen,Wendong Chen,Zhibo Wang,Zhi Wang,Yanjun Li

DOI: https://doi.org/10.1155/2014/910242

IF: 1.938

2014-01-01

International Journal of Distributed Sensor Networks

Abstract:Wormhole attack is a severe attack that can be easily launched by a pair of external attackers in hostile wireless sensor networks. In the wormhole attack, an attacker sniffs packets at one point in the network, and tunnels them through the wormhole link to the other attacker at another point of the network, which broadcasts them to its neighbors. Such kind of procedure can easily deteriorate the normal functionality of the networks. In this paper, we propose a novel wormhole attackers detection and positioning scheme based on mobile beacon, which can not only detect the existence of wormhole attacks, but also accurately localize the attackers for the system to eliminate them out of the network. The main idea is to detect whether the communication between the mobile beacon and each of the static beacons violates the communication properties and then the attacker can be estimated as the center of its communication area by determining the intersection point of the chords’ perpendicular bisector. The simulation results illustrate that our proposed scheme can obtain a high wormhole attack detection probability as well as a high attackers positioning accuracy.

Tao Peng,Xinhong Wang,Chao Wang,Danqing Shi

DOI: https://doi.org/10.1049/cp.2015.0684

2015-01-01

Abstract:The fingerprint of location can reach high precision and high accuracy with the assistance of complex positioning algorithms. However, the indoor environment is complex so that the accuracy of indoor positioning is affected easily and seriously by several kinds of signal interference. In this paper, we use iBeacon as anchor method to help WiFi positioning algorithms. In the hybrid algorithms, iBeacon divides the space into different parts, with the combined iBeacon and Wi-Fi offline fingerprint data, and then it locates partly. Compared to the single Wi-Fi indoor positioning algorithms, it can significantly reduce the amount of calculation and the error of positioning.

Yanzi Zhu,Zhujun Xiao,Yuxin Chen,Zhijing Li,Max Liu,Ben Y. Zhao,Haitao Zheng

2018-01-01

Abstract:Our work demonstrates a new set of silent reconnaissance attacks, which leverages the presence of commodity WiFi devices to track users inside private homes and offices, without compromising any WiFi network, data packets, or devices. We show that just by sniffing existing WiFi signals, an adversary can accurately detect and track movements of users inside a building. This is made possible by our new signal model that links together human motion near WiFi transmitters and variance of multipath signal propagation seen by the attacker sniffer outside of the property. The resulting attacks are cheap, highly effective, and yet difficult to detect. We implement the attack using a single commodity smartphone, deploy it in 11 real-world offices and residential apartments, and show it is highly effective. Finally, we evaluate potential defenses, and propose a practical and effective defense based on AP signal obfuscation.

Xiao Han,Junjie Xiong,Wenbo Shen,Mingkui Wei,Shangqing Zhao,Zhuo Lu,Yao Liu

DOI: https://doi.org/10.1109/tdsc.2024.3352981

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Location spoofing attack deceiving a Wi-Fi positioning system has been studied for over a decade. However, it has been challenging to construct a practical spoofing attack in urban areas with dense coverage of legitimate Wi-Fi APs. This paper identifies the vulnerability of the Google Geolocation API, which returns the location of a mobile device based on the information of the Wi-Fi access points that the device can detect. We show that this vulnerability can be exploited by the attacker to reveal the black-box localization algorithms adopted by the Google Wi-Fi positioning system and easily launch the location spoofing attack in dense urban areas with a high success rate. Furthermore, we find that this vulnerability can also lead to severe consequences that hurt user privacy, including the leakage of sensitive information like precise locations, daily activities, and demographics. Ultimately, we discuss the potential countermeasures that may be used to mitigate this vulnerability and location spoofing attack.

Jingyu Hua,Shaoyong Du,Sheng Zhong

DOI: https://doi.org/10.1007/978-3-319-24177-7_21

2015-01-01

Abstract:Peer-assisted smartphone localization, which leverages pairwise acoustic ranging among nearby peer phones to refine location estimation, significantly pushes the accuracy limit of WiFi-based indoor localization. Unfortunately, this technique is designed for non-adversarial settings. Dishonest peers may cheat in their distance measurements. Outside attackers may interfere with the acoustic ranging by continually broadcasting interference signals. In this paper, we propose counter-measures against each of these attacks. We first present an algorithm that can identify peers that are not cheating in the current localization, by searching for devices that can be embedded into the same plane according to their pairwise distances. We also design a robust acoustic ranging method exploiting signal modulation, which can defend effectively against intentional interference of outside attackers. Experimental results demonstrate that our countermeasures can greatly improve the robustness of peer-assisted localization.

Jianwei Liu,Yinghui He,Chaowei Xiao,Jinsong Han,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2023.3261328

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Behavior recognition plays an essential role in numerous behavior-driven applications (e.g., virtual reality and smart home) and even in the security-critical applications (e.g., security surveillance and elder healthcare). Recently, WiFi-based behavior recognition (WBR) technique stands out among many behavior recognition techniques due to its advantages of being non-intrusive, device-free, and ubiquitous. However, existing WBR research mainly focuses on improving the recognition precision, while rarely studying the security aspects. In this article, we reveal that WBR systems are vulnerable to manipulating physical signals. For instance, our observation shows that WiFi signals can be changed by jamming signals. By exploiting the vulnerability, we propose two approaches to generate physically online adversarial samples to perform untargeted attack and targeted attack, respectively. The effectiveness of these attacks are extensively evaluated over four real-world WBR systems. The experiment results show that our attack approaches can achieve 80% and 60% success rates for untargeted attack and targeted attack in physical world, respectively. We also show that our attack approaches can be generalized to other WiFi-based sensing applications, such as user authentication.

Arijit Banerjee,Dustin Maas,Maurizio Bocca,Neal Patwari,Sneha Kasera

DOI: https://doi.org/10.48550/arXiv.1307.7233

2013-07-27

Abstract:We introduce and investigate the ability of an attacker to surreptitiously use an otherwise secure wireless network to detect moving people through walls, in an area in which people expect their location to be private. We call this attack on location privacy of people an "exploiting radio windows" (ERW) attack. We design and implement the ERW attack methodology for through wall people localization that relies on reliably detecting when people cross the link lines by using physical layer measurements between the legitimate transmitters and the attack receivers. We also develop a method to estimate the direction of movement of a person from the sequence of link lines crossed during a short time interval. Additionally, we describe how an attacker may estimate any artificial changes in transmit power (used as a countermeasure), compensate for these power changes using measurements from sufficient number of links, and still detect line crossings. We implement our methodology on WiFi and ZigBee nodes and experimentally evaluate the ERW attack by monitoring people movements through walls in two real-world settings. We find that our methods achieve very high accuracy in detecting line crossings and determining direction of motion.

Cryptography and Security

Weiyan Shi,Xuanzhi Wang,Kai Niu,Leye Wang,Daqing Zhang

DOI: https://doi.org/10.1145/3594739.3610706

2023-01-01

Abstract:Detecting whether a target crosses the given zone (e.g., a door) can enable various practical applications in smart homes, including intelligent security and people counting. The traditional infrared-based approach only covers a line and can be easily cracked. In contrast, reusing the ubiquitous WiFi devices deployed in homes has the potential to cover a larger area of interest as WiFi signals are scattered throughout the entire space. By detecting the walking direction (i.e., approaching and moving away) with WiFi signal strength change, existing work can identify the behavior of crossing between WiFi transceiver pair. However, this method mistakenly classifies the turn-back behavior as crossing behavior, resulting in a high false alarm rate. In this paper, we propose WiCross, which can accurately distinguish the turn-back behavior with the phase statistics pattern of WiFi signals and thus robustly identify whether the target crosses the area between the WiFi transceiver pair. We implement WiCross with commercial WiFi devices and extensive experiments demonstrate that WiCross can achieve an accuracy higher than 95% with a false alarm rate of less than 5%.

Ronghua Li,Haibo Hu,Qingqing Ye

DOI: https://doi.org/10.1109/tifs.2024.3404810

IF: 7.231

2024-06-04

IEEE Transactions on Information Forensics and Security

Abstract:We present RFTrack, a new indoor location inference attack on Wi-Fi devices. This attack differs from existing Wi-Fi localization methods as it does not need bulky appliance deployment or inner physical access to the place of interest. RFTrack distinguishes itself by leveraging the temporal sequence of unlabeled Received Signal Strength Indicator (RSSI) values to deduce location labels. To achieve this, we deploy a Reinforcement Learning (RL) agent to model the most likely path of device movement and utilize these modeled trajectories to construct an RSSI fingerprint map. To enhance the accuracy of trajectory reconstruction, our technique exploits certain stationary Wi-Fi devices within the target area as reference points, facilitating the assessment of whether the mobile devices have traversed near specific zones with a newly proposed metric, the RSSI difference. The experimental results demonstrate that our system can accurately recover the trends of moving trajectories and successfully associate the unlabeled RSSI values with positions inside the place of interest to build a fingerprint map for real-time device tracking.

computer science, theory & methods,engineering, electrical & electronic

Erik Rye,Dave Levin

2024-05-24

Abstract:Wi-Fi-based Positioning Systems (WPSes) are used by modern mobile devices to learn their position using nearby Wi-Fi access points as landmarks. In this work, we show that Apple's WPS can be abused to create a privacy threat on a global scale. We present an attack that allows an unprivileged attacker to amass a worldwide snapshot of Wi-Fi BSSID geolocations in only a matter of days. Our attack makes few assumptions, merely exploiting the fact that there are relatively few dense regions of allocated MAC address space. Applying this technique over the course of a year, we learned the precise locations of over 2 billion BSSIDs around the world.

Cryptography and Security,Networking and Internet Architecture

Ian Lowe,William J Buchanan,Richard J Macfarlane,Owen Lo

DOI: https://doi.org/10.6025/jnt/2019/10/4/124-155

2020-02-13

Abstract:Bluetooth is a short-range wireless technology that provides audio and data links between personal smartphones and playback devices, such as speakers, headsets and car entertainment systems. Since its introduction in 2001, security researchers have suggested that the protocol is weak, and prone to a variety of attacks against its authentication, link management and encryption schemes. Key researchers in the field have suggested that reliable passive sniffing of Bluetooth traffic would enable the practical application of a range of currently hypothesised attacks. Restricting Bluetooth's frequency hopping behaviour by manipulation of the available channels, in order to make brute force attacks more effective has been a frequently proposed avenue of future research from the literature. This paper has evaluated the proposed approach in a series of experiments using the software defined radio tools and custom hardware developed by the Ubertooth project. The work concludes that the mechanism suggested by previous researchers may not deliver the proposed improvements, but describes an as yet undocumented interaction between Bluetooth and Wi-Fi technologies which may provide a Denial of Service attack mechanism.

Cryptography and Security

Quan Sun,Xinyu Miao,Zhihao Guan,Jin Wang,Demin Gao

DOI: https://doi.org/10.1155/2021/3314595

IF: 1.968

2021-08-27

Security and Communication Networks

Abstract:Cross-technology communication (CTC) technique can realize direct communication among heterogeneous wireless devices (e.g., WiFi, ZigBee, and Bluetooth in the 2.4 G ISM band) without gateway equipment for forwarding, which makes heterogeneous wireless communication more convenient and greatly reduces communication costs. However, compared with the traditional homogeneous network model, CTC technique also makes it easier to implement spoofing attacks in heterogeneous networks. WiFi devices with long communication distances and sufficient energy supply can directly launch spoofing attacks against ZigBee devices, which brings severe security concerns for heterogeneous wireless communications. In this paper, we focus on the CTC spoofing attack, especially spoofing attacks from WiFi to ZigBee and propose a machine learning-based method to detect spoofing attacks for heterogeneous wireless networks by using physical-layer information. First, we model the received signal strength (RSS) data of legitimate ZigBee devices to construct a one-class support vector machine (OSVM) classifier for detecting CTC spoofing attacks depending on the obtained training samples. Then, we simulated CTC spoofing attacks in a live testbed and evaluated the performance of our detection method. Results show that our approach is highly effective in spoofing detection. Even if the distance between the legitimate ZigBee device and WiFi attacker is near each other (i.e., less than 2 m) and does not require a large number of samples, the detection rate and precision of our method are both over 90%. Finally, we employ the OSVM classifier to obtain samples of spoofing attacks and then explore using SVM to further improve the performance of the classifier.

computer science, information systems,telecommunications