Chi-Yu Li

Energy-based rate adaptation for 802.11n

Rate adaptation (RA) has been used to achieve high goodput. In this work, we explore to use RA for energy efficiency in 802.11n NICs. We show that current MIMO RA algorithms are not energy efficient for NICs despite ensuring high throughput. The fundamental problem is that, the high-throughput setting is not equivalent to the energy-efficient one. Marginal throughput gain may be realized at high energy cost. We propose EERA, an energy-based RA solution that trades off goodput for energy savings at NICs. Our experiments have confirmed its energy savings at NICs while keeping the cost at the device level and across clients acceptable.

Can we pay for what we get in 3G data access

Data-plan subscribers are charged based on the used traffic volume in 3G/4G cellular networks. This usage-based charging system has been operational and received general success. In this work, we conduct experiments to critically assess both this usage-based accounting architecture and application-specific charging policies by operators. Our evaluation compares the network-recorded volume with the delivered traffic at the end device. We have found that, both generally work in common scenarios but may go wrong in the extreme cases: We are charged for what we never get, and we can get what we want for free. In one extreme case, we are charged for at least three hours and 450MB or more data despite receiving no single bit. In another extreme case, we are able to transfer 200MB or any amount we specify for free. The root causes lie in lack of both coordination between the charging system and the end device, and prudent policy enforcement by certain operators. We propose immediate fixes and discuss possible future directions.

Accounting for roaming users on mobile data access: issues and root causes

In this paper, we study how mobility affects mobile data accounting, which records the usage volume for each roaming user. We find out that, current 2G/3G/4G systems have well-tested mobility support solutions and generally work well. However, under certain biased, less common yet possible scenarios, accounting gap between the operators log and the users observation indeed exists. The gap can be as large as 69.6% in our road tests. We further discover that the root causes are diversified. In addition to the no-signal case reported in the prior work [23], they also include handoffs, as well as insufficient coverage of hybrid 2G/3G/4G systems. Inter-system handoffs (that migrate user devices between radio access technologies of 2G, 3G, and 4G) may incur non-negligible accounting discrepancy.

What is wrong/right with IEEE 802.11n Spatial Multiplexing Power Save feature?

The IEEE 802.11n standard has proposed a new Spatial Multiplexing Power Save (SMPS) feature, which allows for a station to retain one active receive chain, to mitigate MIMO circuitry power consumption. But does it work in all cases? Our experiments reveal that SMPS may not always save power compared with multiple active chains at the receiver. Even when it does, it may be proven more energy hungry. In this work, we seek to uncover the “good”, the “bad” and the “ugly” of SMPS using real experiments. We further devise a MIMO Receiver Energy Save (MRES) algorithm, which seeks to identify and set the most energy-efficient receive chain setting, by using a novel, low-overhead sampling scheme. Our prototype experiments show that, MRES outperforms SMPS with energy savings up to 37%.

How voice calls affect data in operational LTE networks

Both voice and data are indispensable services in current cellular networks. In this work, we study the inter-play of voice and data in operational LTE networks. We assess how the popular CSFB-based voice service affects the IP-based data sessions in 4G LTE networks, and visa versa. Our findings reveal that the interference between them is mutual. On one hand, voice calls may incur throughput drop, lost 4G connectivity, and application aborts for data sessions. One the other hand, users may miss incoming voice calls when turning on data access. The fundamental problem is that, signaling and control for circuit-switched voice and packet-switched data have dependency and coupling effect via the LTE phone client. We further propose fixes to the identified issues.

A MAC Protocol for Multi-Channel Multi-Interface Wireless Mesh Network Using Hybrid Channel Assignment Scheme

In recent years, Wireless Mesh Network (WMN) which uses a multi-hop configuration to extend the reach of the last-mile access to Internet has come into public notice. WMN improves network performance by the use of multiple orthogonal (non-overlapping) channels and multiple wireless interfaces. However, the Medium Access Control (MAC) protocol in IEEE 802.11 standard was designed and suited for only one channel and one interface. In this paper, we present a new MAC protocol which is specially designed for multi-channel and multi-interface WMNs. The proposed MAC protocol employs a hybrid channel assignment strategy to solve the rendezvous problem and a waiting time scheme for updating network allocation vectors (NAVs) to solve the multichannel hidden terminal problem. Simulation results show that the proposed protocol can achieve a better utilization of both interfaces and channels.

Insecurity of Voice Solution VoLTE in LTE Mobile Networks

VoLTE (Voice-over-LTE) is the designated voice solution to the LTE mobile network, and its worldwide deployment is underway. It reshapes call services from the traditional circuit-switched telecom telephony to the packet-switched Internet VoIP. In this work, we conduct the first study on VoLTE security before its full rollout. We discover several vulnerabilities in both its control-plane and data-plane functions, which can be exploited to disrupt both data and voice in operational networks. In particular, we find that the adversary can easily gain free data access, shut down continuing data access, or subdue an ongoing call, etc. We validate these proof-of-concept attacks using commodity smartphones (rooted and unrooted) in two Tier-1 US mobile carriers. Our analysis reveals that, the problems stem from both the device and the network. The device OS and chipset fail to prohibit non-VoLTE apps from accessing and injecting packets into VoLTE control and data planes. The network infrastructure also lacks proper access control and runtime check.

Control-plane protocol interactions in cellular networks

Control-plane protocols are complex in cellular networks. They communicate with one another along three dimensions of cross layers, cross (circuit-switched and packet-switched) domains, and cross (3G and 4G) systems. In this work, we propose signaling diagnosis tools and uncover six instances of problematic interactions. Such control-plane issues span both design defects in the 3GPP standards and operational slips by carriers. They are more damaging than data-plane failures. In the worst-case scenario, users may be out of service in 4G, or get stuck in 3G. We deduce root causes, propose solutions, and summarize learned lessons.

Release-time-based multi-channel MAC protocol for wireless mesh networks

The wireless mesh network (WMN) has been considered one of the most promising techniques for extending broadband access to the last mile. In order to utilize multiple channels to increase the throughput in WMNs, a variety of multi-channel MAC (MMAC) protocols have been proposed in the literature. In particular, the dedicated control channel (DCC) approach can greatly simply many design issues in multi-channel environments by using a common control channel to exchange control signals. On the other hand, it allows each sender-receiver pair to dynamically select a data channel for their data transmission in an on-demand matter. However, the common control channel would become a bottleneck of the overall performance. Besides, the selection of data channels would be highly related to the final throughput. In this paper, we propose a new MMAC protocol, named the release-time-based MMAC (RTBM) to overcome the control channel bottleneck and data channel selection problems in the DCC approach. The RTBM consists of three major components: (1) Control initiation-time predication (CIP); (2) Dynamic data-flow control (DDC); (3) Enhanced channel selection (ECS). The CIP can predict a proper initiation time for each control process to reduce control overhead. The DDC can dynamically adjust the flow of each data transmission to fully exploit the channel bandwidth. The ECS can achieve a higher reusability of data channels to further enhance the throughput. Simulation results show that the RTBM can substantially improve the throughput in both single-hop and multi-hop networks.

How voice call technology poses security threats in 4G LTE networks

To support voice calls vital to mobile users and carriers, 4G LTE cellular networks adopt two solutions: VoLTE (Voice Over LTE) and CSFB (Circuit-Switched FallBack). In this paper, we disclose that both schemes are harmful to mobile users from a security perspective. The adoption of the latest VoLTE allows an attacker to manipulate the radio resource states of the victims device in a silent call attack, thereby draining the victims battery 5-8 times faster. CSFB exhibits two vulnerabilities of exposing 4G↔3G network switch to adversaries. This can be further exploited to launch ping-pong attacks where mobile users may suffer from up to 91.5% performance downgrade, or 4G denial-of-service (DoS) attacks where mobile users are deprived of 4G LTE connectivity without their consent. We devise two proof-of-concept attacks as showcases, and demonstrate their viability over operational LTE networks. We analyze their root causes and uncover that the problems lie in seemingly sound design decisions for functional correctness but such choices bear unexpected and intriguing implications for security design. We finally propose remedies to mitigate the attack damage.