Jiska Classen
Technische Universität Darmstadt
Publication
Featured research published by Jiska Classen.
Proceedings of the 2nd International Workshop on Visible Light Communications Systems | 2015
Jiska Classen; Joe Chen; Daniel Steinmetzer; Matthias Hollick; Edward W. Knightly
Wireless networks based on visible light communication (VLC) are often considered to be resilient to eavesdropping by design, since light cannot penetrate most walls and objects. In this paper, we experimentally study the ability of a VLC eavesdropper to intercept and decode a transmission even while being outside of the direct beam. We design a testbed using software defined radios (SDRs) and evaluate different VLC eavesdropping scenarios. We find that a small gap under a door can be sufficient for an eavesdropper to decode high-order modulated (DCO-OFDM 64-QAM) reflected signals outside of a room. Likewise, neither Victorian keyholes nor window coatings provide any significant protection against information leakage to the outside. Furthermore, eavesdroppers located in the same room but not facing the sender can profit from reflections on walls.
communications and networking symposium | 2015
Daniel Steinmetzer; Joe Chen; Jiska Classen; Edward W. Knightly; Matthias Hollick
Next generation wireless networks utilizing millimeter waves (mm-waves) achieve extremely high data rates using narrow signal beams. Featuring a high directivity and being susceptible to blockage by objects, mm-waves are often assumed to be hard to intercept. However, small-scale objects within the beam cause reflections, thus enabling eavesdroppers to receive the signal from the outside. In this paper, we practically demonstrate the vast impact that inconspicuous objects might have on mm-wave security. Experiments on our novel mm-wave software defined radio (SDR) testbed highlight that even centimeter-scale reflectors make eavesdropping from outside the signal beam possible. More sophisticated objects increase the signal strength of the reflected signal or allow the attacker to choose its location with more latitude. Modern communication devices with metal surfaces like mobile phones or laptops cause sufficient reflections for eavesdropping as well; signals will bounce off the intended receiver. With our experiments, we demonstrate empirically that reflections enable potential attackers to achieve a received signal strength as high as that of the intended receiver with only a minimal impact on the receiver's performance. For blockages that do not impact the quality of the reception, reflections decrease the secrecy capacity by 32%. When tolerating small signal blockage towards the intended receiver, the attacker overcomes any inherent security of narrow beams and reduces the secrecy capacity to zero.
communications and networking symposium | 2015
Jiska Classen; Matthias Schulz; Matthias Hollick
Wireless covert channels promise to exfiltrate information with high bandwidth by circumventing traditional access control mechanisms. Ideally, they are only accessible by the intended recipient and, for regular system users/operators, indistinguishable from normal operation. While a number of theoretical and simulation studies exist in literature, the practical aspects of WiFi covert channels are not well understood. Yet, it is particularly the practical design and implementation aspect of wireless systems that provides attackers with the latitude to establish covert channels: the ability to operate under adverse conditions and to tolerate a high amount of signal variations. Moreover, covert physical receivers do not have to be addressed within wireless frames, but can simply eavesdrop on the transmission. In this work, we analyze the possibilities to establish covert channels in WiFi systems with emphasis on exploiting physical layer characteristics. We discuss design alternatives for selected covert channel approaches and study their feasibility in practice. By means of an extensive performance analysis, we compare the covert channel bandwidth. We further evaluate the possibility of revealing the introduced covert channels based on different detection capabilities.
Journal of Computer Security | 2014
Johannes Braun; Florian Volk; Jiska Classen; Johannes A. Buchmann; Max Mühlhäuser
The steadily growing number of certification authorities (CAs) assigned to the Web Public Key Infrastructure (Web PKI) and trusted by current browsers imposes severe security issues. Apart from being impossible for relying entities to assess whom they actually trust, the current binary trust model implemented with the Web PKI makes each CA a single point of failure and creates an enormous attack surface. In this article, we present CA-TMS, a user-centric CA trust management system based on trust views. CA-TMS can be used by relying entities to individually reduce the attack surface. CA-TMS works by restricting the trust placed in CAs of the Web PKI to trusting in exactly those CAs actually required by a relying entity. This restriction is based on locally collected information and does not require the alteration of the existing Web PKI. CA-TMS is complemented by an optional reputation system that allows to utilize the knowledge of other entities while maintaining the minimal set of trusted CAs. Our evaluation of CA-TMS with real world data shows that an attack surface reduction by more than 95% is achievable.
international conference on computer communications | 2016
Daniel Steinmetzer; Jiska Classen; Matthias Hollick
Current mm-wave indoor propagation analysis techniques have limited options when it comes to more than one transmitter and receiver. Experimental testbed hardware is expensive and state-of-the-art simulation methods, such as statistical channel models, are limited to specific scenarios. To overcome these problems, we present mmTrace, a fast deterministic image-based ray-tracing simulation framework for mm-wave propagation. It supports developing mm-wave specific protocols and, in contrast to common statistical models, deals with multiple transceivers. The strengths of mmTrace constitute signal variations at different receivers and interference of multiple transmitters, which are crucial in certain situations. We implement our framework in MATLAB and validate simulated channel impulse responses against those of statistical channel models for IEEE 802.11ad in well-defined scenarios. Our results indicate that image-based ray-tracing is a feasible tool to predict interference in mm-wave communication systems.
wireless communications and networking conference | 2017
Joe Chen; Daniel Steinmetzer; Jiska Classen; Edward W. Knightly; Matthias Hollick
While radio-based indoor localization schemes achieve decimeter-scale accuracy, they typically require precise reference measurements, multiple infrastructure nodes, or a multi-RF-chain anchor. In this paper, we propose Pseudo LATeration (PLAT), an indoor localization protocol that requires only a single RF chain infrastructure anchor and does not require prior knowledge of the environment. PLAT leverages the directionality and propagation characteristics of millimeter-wave transmissions to relax the requirement of multiple infrastructure anchors and RF chains by constructing pseudo anchors from reflected signal paths. By combining these pseudo anchors with time-of-flight measurements for distance estimation, PLAT can localize a user's device indoors. Our evaluation reveals centimeter scale location accuracy for typical office environments. In testbed measurements and simulations, localization errors are centimeter scale for distances up to 1.5 m and beamwidths at or below 8.6 degrees. Although accuracy decreases to decimeter scale with additional propagation distance, we show that multiple reflection paths can mitigate this effect.
trust, security and privacy in computing and communications | 2015
Jiska Classen; Johannes Braun; Florian Volk; Matthias Hollick; Johannes A. Buchmann; Max Mühlhäuser
In the current Web Public Key Infrastructure (Web PKI), few central instances have the power to make trust decisions. From a systems perspective, it has the side effect that every Certification Authority (CA) becomes a single point of failure (SPOF). In addition, trust is no individual matter per user, which makes trust decisions hard to revise. Hence, we propose a method to leverage Internet users and thus distribute CA trust decisions. However, the average user is unable to manually decide which incoming TLS connections are trustworthy and which are not. Therefore, we overcome this issue with a distributed reputation system that facilitates sharing trust opinions while preserving user privacy. We assess our methodology using real-world browsing histories. Our results exhibit a significant attack surface reduction with respect to the current Web PKI, and at the same time we only introduce a minimal overhead.
Proceedings of the 3rd Workshop on Visible Light Communication Systems | 2016
Jiska Classen; Daniel Steinmetzer; Matthias Hollick
Securing visible light communication (VLC) systems on the physical layer promises to prevent a variety of attacks. Recent work shows that the adaption of existing legacy radio wave physical layer security (PLS) mechanisms is possible with minor changes. Yet, many adaptations open new vulnerabilities due to distinct propagation characteristics of visible light. A common understanding of threats arising from various attacker capabilities is missing. We specify a new attacker model for visible light physical layer attacks and evaluate the applicability of existing PLS approaches. Our results show that many attacks are not considered in current solutions.
Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies archive | 2018
Jiska Classen; Daniel Wegemer; Paul Patras; Tom Spink; Matthias Hollick
Fitbit fitness trackers record sensitive personal information, including daily step counts, heart rate profiles, and locations visited. By design, these devices gather and upload activity data to a cloud service, which provides aggregate statistics to mobile app users. The same principles govern numerous other Internet-of-Things (IoT) services that target different applications. As a market leader, Fitbit has developed perhaps the most secure wearables architecture that guards communication with end-to-end encryption. In this article, we analyze the complete Fitbit ecosystem and, despite the brand's continuous efforts to harden its products, we demonstrate a series of vulnerabilities with potentially severe implications to user privacy and device security. We employ a range of techniques, such as protocol analysis, software decompiling, and both static and dynamic embedded code analysis, to reverse engineer previously undocumented communication semantics, the official smartphone app, and the tracker firmware. Through this interplay and in-depth analysis, we reveal how attackers can exploit the Fitbit protocol to extract private information from victims without leaving a trace, and wirelessly flash malware without user consent. We demonstrate that users can tamper with both the app and firmware to selfishly manipulate records or circumvent Fitbit's walled garden business model, making the case for an independent, user-controlled, and more secure ecosystem. Finally, based on the insights gained, we make specific design recommendations that can not only mitigate the identified vulnerabilities, but are also broadly applicable to securing future wearable system architectures.
recent advances in intrusion detection | 2017
Hossein Fereidooni; Jiska Classen; Tom Spink; Paul Patras; Markus Miettinen; Ahmad-Reza Sadeghi; Matthias Hollick; Mauro Conti
Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors’ cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on the devices we analyze. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.