Di Gao,Hao Lin,Zhenhua Li,Feng Qian,Qi Alfred Chen,Zhiyun Qian,Wei Liu,Liangyi Gong,Yunhao Liu

DOI: https://doi.org/10.1145/3447993.3448620

2021-01-01

Abstract:Carrying over 75% of the last-mile mobile Internet traffic, WiFi has inevitably become an enticing target for various security threats. In this work, we characterize a wide variety of real-world WiFi threats at an unprecedented scale, involving 19 million WiFi access points (APs) mostly located in China, by deploying a crowdsourced security checking system on 14 million mobile devices in the wild. Leveraging the collected data, we reveal the landscape of nationwide WiFi threats for the first time. We find that the prevalence, riskiness, and breakdown of WiFi threats deviate significantly from common understandings and prior studies. In particular, we detect attacks at around 4% of all WiFi APs, uncover that most WiFi attacks are driven by an underground economy, and provide strong evidence of web analytics platforms being the bottleneck of its monetization chain. Further, we provide insightful guidance for defending against WiFi attacks at scale, and some of our efforts have already yielded real-world impact---effectively disrupted the WiFi attack ecosystem.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Hossen A. Mustafa,Wenyuan Xu

DOI: https://doi.org/10.1109/CNS.2014.6997491

2014-01-01

Abstract:Wireless hotspots allow users to use Internet via Wi-Fi interface, and many shops, cafés, parks, and airports provide free wireless hotspot services to attract customers. However, there is no authentication mechanism of Wi-Fi access points (APs) available in such hotspots, which makes them vulnerable to evil twin AP attacks. Such attacks are harmful because they allow to steal sensitive data from users. Today, there is no client-side mechanism that can effectively detect an evil twin AP attack without additional infrastructure supports. In this paper, we propose a mechanism CETAD leveraging public servers to detect such attacks. CETAD only requires installing an app at the client device and does not require to change the hotspot APs. CETAD explores the similarities between the legitimate APs and discrepancies between evil twin APs, and legitimate ones to detect an evil twin AP attack. Through our implementation and evaluation, we show that CETAD can detect evil twin AP attacks in various scenarios effectively.

Hangcheng Cao,Wenbin Huang,Guowen Xu,Xianhao Chen,Ziyang He,Jingyang Hu,Hongbo Jiang,Yuguang Fang

2024-04-24

Abstract:Deep learning technologies are pivotal in enhancing the performance of WiFi-based wireless sensing systems. However, they are inherently vulnerable to adversarial perturbation attacks, and regrettably, there is lacking serious attention to this security issue within the WiFi sensing community. In this paper, we elaborate such an attack, called WiIntruder, distinguishing itself with universality, robustness, and stealthiness, which serves as a catalyst to assess the security of existing WiFi-based sensing systems. This attack encompasses the following salient features: (1) Maximizing transferability by differentiating user-state-specific feature spaces across sensing models, leading to a universally effective perturbation attack applicable to common applications; (2) Addressing perturbation signal distortion caused by device synchronization and wireless propagation when critical parameters are optimized through a heuristic particle swarm-driven perturbation generation algorithm; and (3) Enhancing attack pattern diversity and stealthiness through random switching of perturbation surrogates generated by a generative adversarial network. Extensive experimental results confirm the practical threats of perturbation attacks to common WiFi-based services, including user authentication and respiratory monitoring.

Cryptography and Security

Yanzi Zhu,Zhujun Xiao,Yuxin Chen,Zhijing Li,Max Liu,Ben Y. Zhao,Haitao Zheng

2018-01-01

Abstract:Our work demonstrates a new set of silent reconnaissance attacks, which leverages the presence of commodity WiFi devices to track users inside private homes and offices, without compromising any WiFi network, data packets, or devices. We show that just by sniffing existing WiFi signals, an adversary can accurately detect and track movements of users inside a building. This is made possible by our new signal model that links together human motion near WiFi transmitters and variance of multipath signal propagation seen by the attacker sniffer outside of the property. The resulting attacks are cheap, highly effective, and yet difficult to detect. We implement the attack using a single commodity smartphone, deploy it in 11 real-world offices and residential apartments, and show it is highly effective. Finally, we evaluate potential defenses, and propose a practical and effective defense based on AP signal obfuscation.

Wenqi Bi,Xiang-Yang Li,Panlong Yang,Hao Zhou,Yichang Li,Ning Xiao,Guang Li

DOI: https://doi.org/10.1109/BIGCOM.2018.00007

2018-01-01

Abstract:Recently, WiFi has been the focus of much research on activity recognition, indoor positioning, trajectory tracking. Traditional methods dealing with the research depend on received signal strength (RSS) or signal phase of the channel state information (CSI) of the commercial WiFi chips. But a lot of the research has not been turned into business application because of the instability of RSS and the lack of time synchronized phase between the transmitter and the receiver. Therefore, finding out how the signal propagates affected by the surroundings is the key question. In this paper, we design and implement WFSense, which tracks the direction of signal propagation of commercial WiFi system. WFSense represents the indoor multipath by taking full advantage of the subcarriers in OFDM and the space diversity across multi-antennas in MIMO system to improve MUSIC algorithm to estimate the angle of arrival (AoA) and departure (AoD) of the multipath signals. The minimum description length (MDL) principle is exploited to estimate the number of the multipath signals. WFSense identifies the directpath from the multiple paths with the time of flight (ToF) deduced by sanitizing the phase. The experiment results in different scenarios demonstrate that WFSense achieves a great performance.

Lei Zhang,Liting Zhao,Zhi Wang,Jiangchuan Liu

DOI: https://doi.org/10.1109/mcom.2017.1600262

IF: 9.03

2017-01-01

IEEE Communications Magazine

Abstract:Although WiFi was initially designed for providing local access to the Internet, todays expansive and explosive deployment of WiFi networks has enabled nearly ubiquitous access for mobile users in many urban areas. However, these WiFi networks have been woefully undermeasured and underinstrumented during the wild expansion. We have closely collaborated with a leading network service provider to collect massive information about wireless APs and their users in four metropolises. In this article, based on the large-scale dataset, we attempt to answer the critical questions on how the APs are deployed and how they are utilized in urban areas. At the macro level, we depict the coverage of WiFi networks and the usage patterns, and by carefully classifying the APs, we unveil rich geographical features of todays urban WiFi networks. At the micro level, we identify the implicit social relationships among WiFi users, and uncover the underlying social communities that have great potential for network optimization.

Arun Raghuramu,Parth H. Pathak,Hui Zang,Jinyoung Han,Chang Liu,Chen-Nee Chuah

DOI: https://doi.org/10.1016/j.comcom.2016.04.011

IF: 5.047

2016-01-01

Computer Communications

Abstract:This paper presents a measurement study that analyzes large-scale traffic data gathered from two different wireless scenarios: cellular and Wi-Fi networks. We first analyze packet traces and security event logs generated by over 2 million devices in a major US-based cellular network, and show that 0.17% of mobile devices are affected by security threats. We then analyze the aggregate network footprint of malicious and benign traffic in the cellular network, and demonstrate that statistical network features (e.g., uplink data transfer volume, IP entropy) can be effectively used to distinguish such malicious and benign traffic. We next investigate over 2.4 TB of Wi-Fi traffic data, which are generated by 27 K distinct users, in a university campus network. Based on the lessons learned from a comprehensive exploration of a large feature space consisting of over 500 statistical attributes derived from network traffic to/from malicious and benign domains, we propose a novel, in-house traffic screening method, which has the capability of effectively identifying potential malicious domains. Our method achieves over 90% accuracy with only using a small set of simple statistical network features, without using any additional specialized datasets (e.g., geo-location database) or resource-intensive solutions (e.g., DPI boxes to collect HTTP traffic.). (C) 2016 Elsevier B.V. All rights reserved.

Jianwei Liu,Yinghui He,Chaowei Xiao,Jinsong Han,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2023.3261328

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Behavior recognition plays an essential role in numerous behavior-driven applications (e.g., virtual reality and smart home) and even in the security-critical applications (e.g., security surveillance and elder healthcare). Recently, WiFi-based behavior recognition (WBR) technique stands out among many behavior recognition techniques due to its advantages of being non-intrusive, device-free, and ubiquitous. However, existing WBR research mainly focuses on improving the recognition precision, while rarely studying the security aspects. In this article, we reveal that WBR systems are vulnerable to manipulating physical signals. For instance, our observation shows that WiFi signals can be changed by jamming signals. By exploiting the vulnerability, we propose two approaches to generate physically online adversarial samples to perform untargeted attack and targeted attack, respectively. The effectiveness of these attacks are extensively evaluated over four real-world WBR systems. The experiment results show that our attack approaches can achieve 80% and 60% success rates for untargeted attack and targeted attack in physical world, respectively. We also show that our attack approaches can be generalized to other WiFi-based sensing applications, such as user authentication.

Dawei Yan,Yubo Yan,Panlong Yang,Wen-Zhan Song,Xiang-Yang Li,Pengfei Liu

DOI: https://doi.org/10.1109/jiot.2022.3223682

IF: 10.6

2023-03-25

IEEE Internet of Things Journal

Abstract:WiFi connections are vulnerable to simulated attacks from rogue access points (AP) or devices whose SSID and/or MAC/IP address are the same as legitimate devices. This kind of attack is difficult to counter with traditional network security mechanisms. In this paper, we propose a new security mechanism that uses environment-independent features extracted from channel state information (CSI) to detect and identify rogue WiFi devices or APs, and reject their connections. We find that due to the I/Q imbalance and imperfect oscillator of each WiFi network card (NIC), the nonlinear phase error of different subcarriers will vary with the NIC. Through our experimental verification, this cross-subcarrier phase feature is invariant to the location and the environment. We deploy systems on two platforms that can extract constant phase errors from the constantly changing CSI in less than one second, which is at least 8× faster than that of the state-of-the-art solution. Extensive experiments on commercial routers and end devices in different scenarios show that based on the Industral Platform Computer (IPC) platform, where only non-encrypted rogue connections can be detected, the detection accuracy rate reaches 96%, and the false alarm rate is less than 2%. Based on the ASUS router platform (a commercial WiFi router), WiFi channels and smart device types are not restricted, which greatly improved universality, and the accuracy of device connection detection can even reach more than 99%. We improve a device-type identification method based on the communication traffic features of the device when connected to WiFi. Experiments show that even if there are multiple similar devices from the same manufacturer, the accuracy of device type detection exceeds 99%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Fangda Cai,Hao Chen,Yuanyi Wu,Yuan Zhang

2014-01-01

Abstract:A fundamental security principle in developing networked applications is end-to-end security, where the confidentiality and integrity of the data transmitted over the network do not rely on the security of the network. In response to the ever increasing traffic from mobile apps, WiFi networks are spreading fast and widely. Since WiFi networks are unregulated, a passive attacker may eavesdrop on the traffic on open WiFi networks, while an active attacker may set up his own WiFi network to modify its traffic at will. In theory, end-to-end security should protect mobile apps from both these attacks; in practice, however, the situation is far less rosy.We examine how the popular, important mobile apps on Chinese Android markets defend themselves against untrusted networks. We select top apps from major categories, such as online shopping, banking, social networks, travel services, and apps from companies with huge market capitalization. We analyze both their code and their network traffic to identify vulnerabilities. We design a mini-language for describing the vulnerabilities and develop a tool, AppCracker, that launches both passive and active attacks on these apps to verify their vulnerabilities. AppCracker has confirmed that 100 apps from 69 companies are vulnerable during their user or session authentication. These vulnerabilities allow an adversary to capture the victim user’s login credentials or to hijack the victim’s session. We describe these diverse types of vulnerabilities, many of which are caused by the misuse of cryptography in their homegrown cryptographic protocols. Finally, we discuss the lessons learned during our investigation to help …

Jianwei Liu,Yinghui He,Chaowei Xiao,Jinsong Han,Le Cheng,Kui Ren

DOI: https://doi.org/10.1109/INFOCOM48880.2022.9796920

2022-01-01

Abstract:Behavior recognition plays an essential role in numerous behavior-driven applications (e.g., virtual reality and smart home) and even in the security-critical applications (e.g., security surveillance and elder healthcare). Recently, WiFi-based behavior recognition (WBR) technique stands out among many behavior recognition techniques due to its advantages of being non-intrusive, device-free, and ubiquitous. However, existing WBR research mainly focuses on improving the recognition precision, while neglecting the security aspects. In this paper, we reveal that WBR systems are vulnerable to manipulating physical signals. For instance, our observation shows that WiFi signals can be changed by jamming signals. By exploiting the vulnerability, we propose two approaches to generate physically online adversarial samples to perform untargeted attack and targeted attack, respectively. The effectiveness of these attacks are extensively evaluated over four real-world WBR systems. The experiment results show that our attack approaches can achieve 80% and 60% success rates for untargeted attack and targeted attack in physical world, respectively. We also propose three methods to mitigate the hazard of such attacks.

Changhua Pei,Youjian Zhao,Guo Chen,Ruming Tang,Yuan Meng,Minghua Ma,Ken Ling,Dan Pei

DOI: https://doi.org/10.1109/infocom.2016.7524396

2016-01-01

Abstract:As mobile Internet is now indispensable in our daily lives, WiFi's latency performance has become critical to mobile applications' quality of experience. Unfortunately, WiFi hop latency in the wild remains largely unknown. In this paper, we first propose an effective approach to break down the round trip network latency. Then we provide the first systematic study on WiFi hop latency in the wild based on the latency and WiFi factors collected from 47 APs on T university campus for two months. We observe that WiFi hop can be the weakest link in the round trip network latency: more than 50% (10%) of TCP packets suffer from WiFi hop latency larger than 20ms (100ms), and WiFi hop latency occupies more than 60% in more than half of the round trip network latency. To help understand, troubleshoot, and optimize WiFi hop latency for WiFi APs in general, we train a decision tree model. Based on the model's output, we are able to reduce the median latency by 80% from 50ms to 10ms in one real case, and reduce the maximum latency from 250ms to 50ms in another real case.

Xueheng Hu,Lixing Song,Dirk Van Bruggen,Aaron Striegel

DOI: https://doi.org/10.48550/arXiv.1502.01222

2015-02-04

Abstract:WiFi offloading has emerged as a key component of cellular operator strategy to meet the data needs of rich, mobile devices. As such, mobile devices tend to aggressively seek out WiFi in order to provide improved user Quality of Experience (QoE) and cellular capacity relief. For home and work environments, aggressive WiFi scans can significantly improve the speed on which mobile nodes join the WiFi network. Unfortunately, the same aggressive behavior that excels in the home environment incurs considerable side effects across crowded wireless environments. In this paper, we show through empirical studies at both large (stadium) and small (laboratory) scales how aggressive WiFi scans can have significant implications for energy and throughput, both for the mobile nodes scanning and other nearby mobile nodes. We close with several thoughts on the disjoint incentives for properly balancing WiFi discovery speed and ultra-dense network interactions.

Networking and Internet Architecture

Tian Xie,Guan-Hua Tu,Bangjie Yin,Chi-Yu Li,Chunyi Peng,Mi Zhang,Hui Liu,Xiaoming Liu

DOI: https://doi.org/10.48550/arXiv.1811.11274

2018-11-29

Abstract:Since 2016, all of four major U.S. operators have rolled out nationwide Wi-Fi calling services. They are projected to surpass VoLTE (Voice over LTE) and other VoIP services in terms of mobile IP voice usage minutes in 2018. They enable mobile users to place cellular calls over Wi-Fi networks based on the 3GPP IMS (IP Multimedia Subsystem) technology. Compared with conventional cellular voice solutions, the major difference lies in that their traffic traverses untrustful Wi-Fi networks and the Internet. This exposure to insecure networks may cause the Wi-Fi calling users to suffer from security threats. Its security mechanisms are similar to the VoLTE, because both of them are supported by the IMS. They include SIM-based security, 3GPP AKA (Authentication and Key Agreement), IPSec (Internet Protocol Security), etc. However, are they sufficient to secure Wi-Fi calling services? Unfortunately, our study yields a negative answer. We conduct the first study of exploring security issues of the operational Wi-Fi calling services in three major U.S. operators' networks using commodity devices. We disclose that current Wi-Fi calling security is not bullet-proof and uncover four vulnerabilities which stem from improper standard designs, device implementation issues and network operation slips. By exploiting the vulnerabilities, together with several state-of-the-art computer visual recognition technologies, we devise two proof-of-concept attacks: user privacy leakage and telephony harassment or denial of voice service (THDoS); both of them can bypass the security defenses deployed on mobile devices and the network infrastructure. We have confirmed their feasibility and simplicity using real-world experiments, as well as assessed their potential damages and proposed recommended solutions.

Cryptography and Security

Xufang Wang,Feng Lin,Yi Wu

DOI: https://doi.org/10.1109/ccnc.2019.8651733

2019-01-01

Abstract:WiFi networks are playing an increasingly important role in the current networks towards the future 5G heterogeneous networks. The pertinence and effectiveness of WiFi network planning and construction, however, is demanding. To solve this problem, a novel positioning system for the potential WiFi hotspots is presented in this paper. The system can analyze the scale of the WiFi users for each site and then locate the potential WiFi hotspots accurately through detecting WiFi network card signals without contact. Accordingly, the WiFi network planning, especially software defined WiFi network planning can be refined and optimized.

Mengyu Zhou,Dan Pei,Kaixin Sui,Thomas Moscibroda

DOI: https://doi.org/10.1145/3123024.3124419

2017-01-01

Abstract:Understanding crowd activities at large-scale and diagnosing existing problems of planning on densely-populated campus are fundamentally hard through traditional ways of measurement and management. In this paper, we demonstrate how to collect data from ubiquitous WiFi networks (WLAN), and further to characterize the mobility of campus residents by exploring time-frequency patterns with spatial context. On the campus of Tsinghua University (where everyday nearly 60, 000 mobile devices appear in the public areas of more than 110 buildings), we obtain large-scale observations on physical activities, and provide insights for better diagnosing of WiFi hotspots.

Fang Qi,Yingkai Zhao,Md Zakirul Alam Bhuiyan,Tao Hai,Monirul Islam,Shaobo Zhang,Zhe Tang

DOI: https://doi.org/10.1002/cpe.7313

2023-01-01

Abstract:Nowadays, wireless radio signals are ubiquitous and are around us; some signals pass through us, and some reflect off us. Substantial advancements in recent years demonstrate that such signals are utilized for diverse emerging applications, including people activity, motion watches, healthcare, and so forth. A few questions would be that may raise severe concerns in future cybersecurity and private domains. For example, what if Wi-Fi signals are utilized to watch a person doings and actions, which are mostly without the person's authorization and authentication. How far such signal utilization can attack privacy intrusively, silently, more particularly, what/where we do, say, command, see, write, draw, go, perform, everything can be known. In this article, we investigate watching human activities by leveraging Wi-Fi signals and discuss a few application prototypes. We attempt to learn whether or not attackers have the ability to passively watch our Internet activity as well as physical activities and motions through Wi-Fi. With all-new advances, one must be aware that cyberattackers may apply unauthorized use of these advances to their benefit. We discuss some of the countermeasures and approaches to mitigate these risks with Wi-Fi signal leveraging.

Zilin Shen,Imtiaz Karim,Elisa Bertino

DOI: https://doi.org/10.48550/arXiv.2312.07877

2023-12-13

Cryptography and Security

Abstract:The IEEE 802.11 family of standards, better known as WiFi, is a widely used protocol utilized by billions of users. Previous works on WiFi formal verification have mostly focused on the four-way handshake and other security aspects. However, recent works have uncovered severe vulnerabilities in functional aspects of WiFi, which can cause information leakage for billions of devices. No formal analysis method exists able to reason on the functional aspects of the WiFi protocol. In this paper, we take the first steps in addressing this gap and present an extensive formal analysis of the functional aspects of the WiFi protocol, more specifically, the fragmentation and the power-save-mode process. To achieve this, we design a novel segment-based formal verification process and introduce a practical threat model (i.e. MAC spoofing) in Tamarin to reason about the various capabilities of the attacker. To this end, we verify 68 properties extracted from WiFi protocol specification, find 3 vulnerabilities from the verification, verify 3 known attacks, and discover 2 new issues. These vulnerabilities and issues affect 14 commercial devices out of 17 tested cases, showing the prevalence and impact of the issues. Apart from this, we show that the proposed countermeasures indeed are sufficient to address the issues. We hope our results and analysis will help vendors adopt the countermeasures and motivate further research into the verification of the functional aspects of the WiFi protocol.

Pengfei Liu,Panlong Yang,Wen-Zhan Song,Yubo Yan,Xiang-Yang Li

DOI: https://doi.org/10.1109/infocom.2019.8737455

2019-01-01

Abstract:WiFi has become a pervasive communication medium in connecting various devices of WLAN and IoT. However, WiFi connections are vulnerable to the impersonation attack from rogue access points (AP) or devices, whose SSID and/or MAC/IP address are identical to the legitimate devices. This kind of attack is difficult to countermeasure with traditional network security mechanisms. In this paper, we present a novel security mechanism to detect and identify rogue WiFi devices or AP using environment-independent characteristics extracted from channel state information (CSI), and refuse their connections. We find that nonlinear phase errors of different subcarriers change with WiFi network interface cards (NIC), due to the I/Q imbalance and imperfect oscillator of each WiFi NIC. Validated by our experiments, this phase feature across subcarriers is consistent and invariant to location and external environment, and can be extracted to build an essential signature of the NIC itself. Such signature of the transmitter can be calculated in real-time by the receiver and cannot be forged by rogue devices. Extensive experiments with dozens of WiFi devices demonstrate that the proposed mechanism can reliably detect the rogue WiFi connections and prevent impersonation in various scenarios. The speed of identification is 8$\times$ faster than that of the state-of-the-art solution. Moreover, the accuracy of rogue connection detection is up to 96% and false alarm rate is shown below 2%.