
Publication


Featured research published by Boris Danev.


Wireless Network Security | 2010

Attacks on physical-layer identification

Boris Danev; Heinrich Luecken; Srdjan Capkun; Karim El Defrawy

Physical-layer identification of wireless devices, commonly referred to as Radio Frequency (RF) fingerprinting, is the process of identifying a device based on transmission imperfections exhibited by its radio transceiver. It can be used to improve access control in wireless networks, prevent device cloning and complement message authentication protocols. This paper studies the feasibility of performing impersonation attacks on the modulation-based and transient-based fingerprinting techniques. Both techniques are vulnerable to impersonation attacks; however, transient-based techniques are more difficult to reproduce due to the effects of the wireless channel and antenna in their recording process. We assess the feasibility of performing impersonation attacks by extensive measurements as well as simulations using collected data from wireless devices. We discuss the implications of our findings and how they affect current device identification techniques and related applications.


ACM Computing Surveys | 2012

On physical-layer identification of wireless devices

Boris Danev; Davide Zanetti; Srdjan Capkun

Physical-layer device identification aims at identifying wireless devices during radio communication by exploiting unique characteristics of their analog (radio) circuitry. This work systematizes the existing knowledge on this topic in order to enable a better understanding of device identification, its implications on the analysis and design of security solutions in wireless networks and possible applications. We therefore present a systematic review of physical-layer identification systems and provide a summary of current state-of-the-art techniques. We further present a classification of attacks and discuss the feasibility, limitations, and implications in selected applications. We also highlight issues that are still open and need to be addressed in future work.


ACM Transactions on Sensor Networks | 2010

Detection of reactive jamming in sensor networks

Mario Strasser; Boris Danev; Srdjan Capkun

An integral part of most security- and safety-critical applications is a dependable and timely alarm notification. However, owing to the resource constraints of wireless sensor nodes (i.e., their limited power and spectral diversity), ensuring a timely and jamming-resistant delivery of alarm messages in applications that rely on wireless sensor networks is a challenging task. With current alarm forwarding schemes, blocking of an alarm by jamming is straightforward and jamming is very likely to remain unnoticed. In this work, we propose a novel jamming detection scheme as a solution to this problem. Our scheme is able to identify the cause of bit errors for individual packets by looking at the received signal strength during the reception of these bits and is well-suited for the protection of reactive alarm systems with very low network traffic. We present three different techniques for the identification of bit errors based on: predetermined knowledge, error correcting codes, and limited node wiring. We perform a detailed evaluation of the proposed solution and validate our findings experimentally with Chipcon CC1000 radios. The results show that our solution effectively detects sophisticated jamming attacks that cannot be detected with existing techniques and enables the formation of robust sensor networks for dependable delivery of alarm notifications. Our scheme also meets the high demands on the energy efficiency of reactive surveillance applications as it can operate without introducing additional wireless network traffic.


ACM/IEEE International Conference on Mobile Computing and Networking | 2010

Physical-layer identification of UHF RFID tags

Davide Zanetti; Boris Danev; Srdjan Capkun

In this work, we study physical-layer identification of passive UHF RFID tags. We collect signals from a population of 70 tags using a purpose-built reader and we analyze time domain and spectral features of the collected signals. We show that, based on timing features of the signals, UHF RFID tags can be classified, independently of the location and distance to the reader (evaluated up to 6 meters), with an accuracy of approx. 71% (within our population). Additionally, we show that it is possible to uniquely identify a maximum of approx. 26 UHF RFID tags independently of the population size. We analyze the implications of these results on tag holder privacy. We further show that, in controlled environments, UHF RFID tags can be uniquely identified based on their signal spectral features with an Equal Error Rate of 0% (within our population); we discuss the application of those techniques to cloning detection in RFID-enabled supply chains.


Annual Computer Security Applications Conference | 2011

Enabling secure VM-vTPM migration in private clouds

Boris Danev; Ramya Jayaram Masti; Ghassan O. Karame; Srdjan Capkun

The integration of Trusted Computing technologies into virtualized computing environments enables the hardware-based protection of private information and the detection of malicious software. Their use in virtual platforms, however, requires appropriate virtualization of their main component, the Trusted Platform Module (TPM) by means of virtual TPMs (vTPM). The challenge here is that the use of TPM virtualization should not impede classical platform processes such as virtual machine (VM) migration. In this work, we consider the problem of enabling secure migration of vTPM-based virtual machines in private clouds. We detail the requirements that a secure VM-vTPM migration solution should satisfy in private virtualized environments and propose a vTPM key structure suitable for VM-vTPM migration. We then leverage on this structure to construct a secure VM-vTPM migration protocol. We show that our protocol provides stronger security guarantees when compared to existing solutions for VM-vTPM migration. We evaluate the feasibility of our scheme via an implementation on the Xen hypervisor and we show that it can be directly integrated within existing hypervisors. Our Xen-based implementation can be downloaded as open-source software. Finally, we discuss how our scheme can be extended to support live-migration of vTPM-based VMs.


European Symposium on Research in Computer Security | 2011

Investigation of signal and message manipulations on the wireless channel

Christina Pöpper; Nils Ole Tippenhauer; Boris Danev; Srdjan Capkun

We explore the suitability of Dolev-Yao-based attacker models for the security analysis of wireless communication. The Dolev-Yao model is commonly used for wireline and wireless networks. It is defined on abstract messages exchanged between entities and includes arbitrary, real-time modification of messages by the attacker. In this work, we aim at understanding and evaluating the conditions under which these real-time, covert low-energy signal modifications can be successful. In particular, we focus on the following signal and message manipulation techniques: symbol flipping and signal annihilation. We analyze these techniques theoretically, by simulations, and experiments and show their feasibility for particular wireless channels and scenarios.


ACM Transactions on Information and System Security | 2012

Towards Practical Identification of HF RFID Devices

Boris Danev; Srdjan Capkun; Ramya Jayaram Masti; Thomas S. Benjamin

The deployment of RFID poses a number of security and privacy threats such as cloning, unauthorized tracking, etc. Although the literature contains many investigations of these issues on the logical level, few works have explored the security implications of the physical communication layer. Recently, related studies have shown the feasibility of identifying RFID-enabled devices based on physical-layer fingerprints. In this work, we leverage on these findings and demonstrate that physical-layer identification of HF RFID devices is also practical, that is, can achieve high accuracy and stability. We propose an improved hardware setup and enhanced techniques for fingerprint extraction and matching. Our new system enables device identification with an Equal Error Rate as low as 0.005 (0.5%) on a set of 50 HF RFID smart cards of the same manufacturer and type. We further investigate the fingerprint stability over an extended period of time and across different acquisition setups. In the latter case, we propose a solution based on channel equalization that preserves the fingerprint quality across setups. Our results strengthen the practical use of physical-layer identification of RFID devices in product and document anti-counterfeiting solutions.


IEEE Transactions on Information Forensics and Security | 2013

On the Security of End-to-End Measurements Based on Packet-Pair Dispersions

Ghassan O. Karame; Boris Danev; Cyrill Bannwart; Srdjan Capkun

The packet-pair technique is a widely adopted method to estimate the capacity of a path. The use of the packet-pair technique has been suggested in numerous applications including network management and end-to-end admission control. Recent observations also indicate that this technique can be used to fingerprint Internet paths. However, given that packet-pair measurements are performed in an open environment, end-hosts might try to alter these measurements to increase their gain in the network. In this paper, we explore the security of measurements based on the packet-pair technique. More specifically, we analyze the major threats against bandwidth estimation using the packet-pair technique and we demonstrate empirically that current implementations of this technique are vulnerable to a wide range of bandwidth manipulation attacks, in which end-hosts can accurately modify their claimed bandwidths. We propose lightweight countermeasures to detect attacks on bandwidth measurements; our technique can detect whether delays were inserted within the transmission of a packet-pair (e.g., by bandwidth shapers). We further propose a novel scheme for remote path identification using the distribution of packet-pair dispersions and we evaluate its accuracy, robustness, and potential use. Our findings suggest that the packet-pair technique can reveal valuable information about the identity/locations of remote hosts.


Wireless Network Security | 2012

Physical-layer attacks on chirp-based ranging systems

Aanjhan Ranganathan; Boris Danev; Aurélien Francillon; Srdjan Capkun

Chirp signals have been extensively used in radar and sonar systems to determine distance, velocity and angular position of objects and in wireless communications as a spread spectrum technique to provide robustness and high processing gain. Recently, several standards have adopted chirp spread spectrum (CSS) as an underlying physical-layer scheme for precise, low-power and low-complexity real-time localization. While CSS-based ranging and localization solutions have been implemented and deployed, their security has so far not been analyzed. In this work, we analyze CSS-based ranging and localization systems. We focus on distance decreasing relay attacks that have proven detrimental for the security of proximity-based access control systems (e.g., passive vehicle keyless entry and start systems). We describe a set of distance decreasing attack realizations and verify their feasibility by simulations and experiments on a commercial ranging system. Our results demonstrate that an attacker is able to effectively reduce the distance measured by chirp-based ranging systems from 150 m to 600 m depending on chirp configuration. Finally, we discuss possible countermeasures against these attacks.


Annual Computer Security Applications Conference | 2015

Proximity Verification for Contactless Access Control and Authentication Systems

Aanjhan Ranganathan; Boris Danev; Srdjan Capkun

Today, contactless smart cards are used to provide physical access control and authentication in a wide variety of applications. Prior research has demonstrated the vulnerability of contactless smart cards to relay attacks. For example, an attacker can relay the communication between the card reader and the smart card to steal a car or pay for goods in a supermarket. To solve this problem, smart cards need to be enhanced with secure proximity verification, i.e., distance bounding, which enables the card reader and the card to verify their mutual distance. However, existing technologies do not support the deployment of distance bounding in such systems: NFC cannot provide sufficient distance resolution, and hardware complexity of the proposed (e.g., UWB-based) distance bounding radios prevents their use in contactless smart cards. In this work, we propose a novel distance bounding system specifically designed for short-range contactless access control and authentication applications. Our system combines frequency modulated continuous wave (FMCW) and backscatter communication. The use of backscatter communication enables a low-complexity, power-efficient design of the prover, which is critical for contactless smart cards. In addition, our distance bounding system enables the implementation of a majority of distance bounding protocols developed in prior art. We analyze our system against various attack scenarios and show that it offers strong security guarantees. Additionally, we evaluate our system's communication and distance measurement characteristics using a prototype implementation.
