Daniel Steinmetzer

The Spy Next Door: Eavesdropping on High Throughput Visible Light Communications

Wireless networks based on visible light communication (VLC) are often considered to be resilient to eavesdropping by design, since light cannot penetrate most walls and objects. In this paper, we experimentally study the ability of a VLC eavesdropper to intercept and decode a transmission even while being outside of the direct beam. We design a testbed using software defined radios (SDRs) and evaluate different VLC eavesdropping scenarios. We find that a small gap under a door can be sufficient for an eavesdropper to decode high-order modulated (DCO-OFDM 64-QAM) reflected signals outside of a room. Likewise, neither Victorian keyholes nor window coatings provide any significant protection against information leakage to the outside. Furthermore, eavesdroppers located in the same room but not facing the sender can profit from reflections on walls.

Eavesdropping with periscopes: Experimental security analysis of highly directional millimeter waves

Next generation wireless networks utilizing millimeter waves (mm-waves) achieve extremely high data rates using narrow signal beams. Featuring a high directivity and being susceptible to blockage by objects, mm-waves are often assumed to be hard to intercept. However, small-scale objects within the beam cause reflections, thus enabling eavesdroppers to receive the signal from the outside. In this paper, we practically demonstrate the vast impact that inconspicuous objects might have on mm-wave security. Experiments on our novel mm-wave software defined radio (SDR) testbed highlight that even centimeter-scale reflectors make eavesdropping from outside the signal beam possible. More sophisticated objects increase the signal strength of the reflected signal or allow the attacker to choose its location with more latitude. Modern communication devices with metal surfaces like mobile phones or laptops cause sufficient reflections for eavesdropping as well; signals will bounce off the intended receiver. With our experiments, we demonstrate empirically that reflections enable potential attackers to achieve a received signal strength as high as that of the intended receiver with only a minimal impact on the receivers performance. For blockages that do not impact the quality of the reception, reflections decrease the secrecy capacity by 32%. When tolerating small signal blockage towards the intended receiver, the attacker overcomes any inherent security of narrow beams and reduces the secrecy capacity to zero.

Massive reactive smartphone-based jamming using arbitrary waveforms and adaptive power control

It is not commonly known that off-the-shelf smartphones can be converted into versatile jammers. To understand how those jammers work and how well they perform, we implemented a jamming firmware for the Nexus 5 smartphone. The firmware runs on the real-time processor of the Wi-Fi chip and allows to reactively jam Wi-Fi networks in the 2.4 and 5 GHz bands using arbitrary waveforms stored in IQ sample buffers. This allows us to generate a pilot-tone jammer on off-the-shelf hardware. Besides a simple reactive jammer, we implemented a new acknowledging jammer that selectively jams only targeted data streams of a node while keeping other data streams of the same node flowing. To lower the increased power consumption of this jammer, we implemented an adaptive power control algorithm. We evaluated our implementations in friendly jamming scenarios to oppress non-compliant Wi-Fi transmissions and to protect otherwise vulnerable devices in industrial setups. Our results show that we can selectively hinder Wi-Fi transmissions in the vicinity of our jamming smartphone leading to an increased throughput for other nodes or no blockage of non-targeted streams on a jammed node. Consuming less than 300 mW when operating the reactive jammer allows mobile operation for more than 29 hours. Our implementation demonstrates that jamming communications was never that simple and available for every smartphone owner, while still allowing surgical jamming precision and energy efficiency. Nevertheless, it involves the danger of abuse by malicious attackers that may take over hundreds of devices to massively jam Wi-Fi networks in wide areas.

Compressive Millimeter-Wave Sector Selection in Off-the-Shelf IEEE 802.1 lad Devices

Achieving data-rates of multiple Gbps in 60 GHz millimeter-wave (mm-wave) communication systems requires efficient beam-steering algorithms. To find the optimal steering direction on IEEE 802.11ad compatible devices, state-of-the-art approaches sweep through all predefined antenna sectors. Recently, much more efficient alternatives, such as compressive path tracking, have been proposed, which scale well even with arrays with thousands of antenna elements. However, such have not yet been integrated into consumer devices. In this work, we adapt compressive path tracking for sector selection in off-the-shelf IEEE 802.1 lad devices. In contrast to existing solutions, our compressive sector selection tolerates the imperfections of low-cost hardware, tracks beam directions in 3D and does not rely on pseudo-random beams. We implement our protocol on a commodity router, the TP-Link Talon AD7200, by modifying the sector sweep algorithm in the IEEE 802.11ad chips firmware. In particular, we modify the firmware to obtain the signal strength of received frames and to select custom sectors. Using this extension, we precisely measure the devices sector patterns. We then select the best sector based on the measured patterns and sweep only through a subset of probing sectors. Our results demonstrate, that our protocol outperforms the existing sector sweep, increases stability, and speeds up the sector selection by factor 2.3.

mmTrace: Modeling millimeter-wave indoor propagation with image-based ray-tracing

Current mm-wave indoor propagation analysis techniques have limited options when it comes to more than one transmitter and receiver. Experimental testbed hardware is expensive and state-of-the-art simulation methods, such as statistical channel models, are limited to specific scenarios. To overcome these problems, we present mmTrace, a fast deterministic image-based ray-tracing simulation framework for mm-wave propagation. It supports developing mm-wave specific protocols and, in contrast to common statistical models, deals with multiple transceivers. The strengths of mmTrace constitute signal variations at different receivers and interference of multiple transmitters, which are crucial in certain situations. We implement our framework in MATLAB and validate simulated channel impulse responses against those of statistical channel models for IEEE 802.11ad in well-defined scenarios. Our results indicate that image-based ray-tracing is a feasible tool to predict interference in mm-wave communication systems.

Pseudo Lateration: Millimeter-Wave Localization Using a Single RF Chain

While radio-based indoor localization schemes achieve decimeter-scale accuracy, they typically require precise reference measurements, multiple infrastructure nodes, or a multi-RF-chain anchor. In this paper, we propose Pseudo LATeration (PLAT), an indoor localization protocol that requires only a single RF chain infrastructure anchor and does not require prior knowledge of the environment. PLAT leverages the directionality and propagation characteristics of millimeter-wave transmissions to relax the requirement of multiple infrastructure anchors and RF chains by constructing pseudo anchors from reflected signal paths. By combining these pseudo anchors with time-of-flight measurements for distance estimation, PLAT can localize a users device in indoors. Our evaluation reveals centimeter scale location accuracy for typical office environments. In testbed measurements and simulations, localization errors are centimeter scale for distances up to 1.5 m and beamwidths at or below 8.6 degrees. Although accuracy decreases to decimeter scale with additional propagation distance, we show that multiple reflection paths can mitigate this effect.

Survey and Systematization of Secure Device Pairing

Secure device pairing (SDP) schemes have been developed to facilitate secure communications among smart devices, both personal mobile devices and Internet of Things devices. Comparison and assessment of SDP schemes is troublesome, because each scheme makes different assumptions about out-of-band channels and adversary models, and are driven by their particular use-cases. A conceptual model that facilitates meaningful comparison among SDP schemes is missing. We provide such a model. In this paper, we survey and analyze a wide range of SDP schemes that are described in the literature, including a number that have been adopted as standards. A system model and consistent terminology for SDP schemes are built on the foundation of this survey, which are then used to classify existing SDP schemes into a taxonomy that, for the first time, enables their meaningful comparison and analysis. The existing SDP schemes are analyzed using this model, revealing common systemic security weaknesses among the surveyed SDP schemes that should become priority areas for future SDP research, such as improving the integration of privacy requirements into the design of SDP schemes. Our results allow SDP scheme designers to create schemes that are more easily comparable with one another, and to assist the prevention of persisting the weaknesses common to the current generation of SDP schemes.

Opportunities and pitfalls in securing visible light communication on the physical layer

Securing visible light communication (VLC) systems on the physical layer promises to prevent against a variety of attacks. Recent work shows that the adaption of existing legacy radio wave physical layer security (PLS) mechanisms is possible with minor changes. Yet, many adaptations open new vulnerabilities due to distinct propagation characteristics of visible light. A common understanding of threats arising from various attacker capabilities is missing. We specify a new attacker model for visible light physical layer attacks and evaluate the applicability of existing PLS approaches. Our results show that many attacks are not considered in current solutions.

Adaptive Codebook Optimization for Beam-Training on Off-The-Shelf IEEE 802.11ad Devices

Beamforming is vital to overcome the high attenuation in wireless millimeter-wave networks. It enables nodes to steer their antennas in the direction of communication. To cope with complexity and overhead, the IEEE 802.11ad standard uses a sector codebook with distinct steering directions. In current off-the-shelf devices, we find codebooks with generic pre-defined beam patterns. While this approach is simple and robust, the antenna modules that are typically deployed in such devices are capable of generating much more precise antenna beams. In this paper, we adaptively adjust the sector codebook of IEEE 802.11ad devices to optimize the transmit beam patterns for the current channel. To achieve this, we propose a mechanism to extract full channel state information (CSI) regarding phase and magnitude from coarse signal strength readings on off-the-shelf IEEE 802.11ad devices. Since such devices do not expose the CSI directly, we generate a codebook with phase-shifted probing beams that enables us to obtain the CSI by combining strategically selected magnitude measurements. Using this CSI, transmitters dynamically compute a transmit beam pattern that maximizes the signal strength at the receiver. Thereby, we automatically exploit reflectors in the environment and improve the received signal quality. Our implementation of this mechanism on off-the-shelf devices demonstrates that adaptive codebook optimization achieves a significantly higher throughput of about a factor of two in typical real-world scenarios.

Exploring millimeter-wave network scenarios with ray-tracing based simulations in mmTrace.

The advantages of mm-wave communication technology with highly directional transmissions enable high data rates in dense wireless networks. Even though first consumer hardware is already available, specific propagation effects are not yet well understood. Analyses of wireless network behavior with mm-wave communication links are required to design efficient protocols. In this work, we consider three well-known problem scenarios in wireless networks in our ray-tracing based channel simulation framework mmTrace. Our results indicate that mm-waves exhibit advantages to block interferences but also raise the question of optimal antenna alignment. Simulations as ours highlight the importance of mm-wave propagation models as network behavior differs from common considerations.