Research Exam - Nishant Bhaskar, University of California, San Diego (53 slides)
Source: cseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf


Page 1: Research Exam
Nishant Bhaskar

Page 2: The problem
[Figure: a passive eavesdropper observing six numbered personal devices (1-6)]
Wireless personal devices have become a homing beacon.

Page 3: Existing measures not enough
[Figure: OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) with the label "Always available"]

Page 4: Not just a cautionary tale

Page 5: In this survey
Techniques for wireless device identification
• Passive eavesdropping
• Tradeoff decision made by an adversary in choosing a technique
Implications of device identification
• User tracking: social, physical, behavioral

Page 6: Scope of survey
Focused on papers in WiFi and Bluetooth
Limit analysis to link and physical layer device identification

Page 7: Outline
1. Identifying information in wireless signals
• Link layer
• Physical layer
2. Taxonomy
3. Identification techniques
• Link layer - Packet contents
• Link layer - Packet timing
• Physical layer - Signal propagation
• Physical layer - Hardware imperfections
4. Tracking the device owner

Page 8: Identifying information - Link Layer
Due to manufacturer implementations
Packet contents transmitted in the clear
• Device discovery packets
• Link layer headers
Link layer controls packet timing
• Packet scheduling and transmission
• Timing properties can be measured
[Figure: panels (a), (b), (c)]

Page 9: Identifying information - Physical Layer
Physical layer transmits the physical RF signal
• Information independent of higher layer constraints
Physical layer measurement
• Effect of signal propagation through the wireless channel
• Fundamental non-idealities due to RF signal chain imperfections

Page 10: Outline
(Same outline as page 7; next section: 2. Taxonomy)

Page 11: Taxonomy
Universality
• Works for all device roles? (Role)
Stability
• Features stable with changing environment? (Environment)
• Features stable with software updates? (Software)
Practicality
• Cheap data collection equipment? (Cost)
• Proven to work outside controlled environments? (Outdoor)

Page 12: Taxonomy

Technique                  Role    Environment  Software  Cost  Outdoor
Link Layer
  Packet Contents          Yes     Yes          No        Yes   Yes
  Packet Timing            No [1]  Yes          No [2]    Yes   Yes
Physical Layer
  Signal Propagation       Yes     No           Yes       Yes   No
  Hardware Imperfections   Yes     Yes          Yes       No    No

[1] Inter-packet arrival rate: Yes
[2] Clock skew: Yes

Page 13: Outline
(Same outline as page 7; next section: 3. Identification techniques)

Page 14: Link Layer - Packet contents
[Figure: panels (a), (b), (c)]

Page 15: Packet contents (Martin et al. [PETS '19])
[Figure: BLE message types observed: Handoff, WiFi settings, Instant Hotspot, WiFi Join Network, Nearby, Watch Connection]

Page 16: Packet contents (Martin et al. [PETS '19])
Nearby messages broadcast 200 times/minute
MAC address changes, data field doesn't
• MAC addresses can be linked
• Device can be continuously tracked
Nearby messages use the global MAC address
• When sent concurrently with Handoff

Page 17: Packet contents (Martin et al. [PETS '19])
Handoff messages
• Sent by Handoff-enabled apps
• User interaction, app open/close
Sequence number predictable
• Identification possible after several days
• Knowing HW/SW improves prediction

Page 18: Packet contents overview
Freudiger et al. [WiSec '15]
• Sequence numbers link WiFi probe requests
• Probes use global address when screen is active
Vanhoef et al. [AsiaCCS '16]
• IE fields identify WiFi device models, sequence numbers identify devices
• SSID fingerprint of previously connected APs
• WPS UUID derived from MAC address with a fixed seed
Martin et al. [PETS '17]
• mDNS WiFi packets identify device model
• Authentication packets contain global address

Page 19: Packet contents overview
Spill et al. [WOOT '06]
• Reverse engineered Bluetooth MAC address and clock bits
• Determined the hopping sequence to be able to follow a device
Ryan et al. [WOOT '13]
• Observed that BLE channel hopping uses fixed increments
• Whitening is much simpler than in classic Bluetooth
Becker et al. [PETS '19]
• BLE MAC address randomized but same advertisement payload
• Devices can be tracked after randomization
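The linkage that pages 16 and 19 describe (Martin et al., Becker et al.: the advertising address rotates but the advertisement payload does not) is straightforward to check for on a capture of your own devices. The following Python is an added example, not code from the slides or from either paper; the capture format (seconds, advertising address, payload hex) and all sample advertisements are constructed for the example.

```python
"""Privacy audit: do a device's BLE advertisements stay linkable across MAC rotation?
Added example; the capture format and every sample line below are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed capture: "<seconds> <advertising address> <advertisement payload hex>".
# "Payload" means everything in the advertising PDU after the address field.
# Device A rotates its address three times but keeps manufacturer data constant;
# device B's payload changes with each rotation, so its addresses are not linkable here.
SAMPLE_CAPTURE = """\
0    4a:11:22:33:44:55 0201060bffffff0102030405060708
60   4a:11:22:33:44:55 0201060bffffff0102030405060708
900  6e:aa:bb:cc:dd:ee 0201060bffffff0102030405060708
1800 52:de:ad:be:ef:01 0201060bffffff0102030405060708
0    7c:00:00:00:00:01 0201060303d2fc
1800 7c:00:00:00:00:02 020106030391fe
this line is malformed and must be skipped
"""


def parse_capture(text: str) -> List[Tuple[int, str, str]]:
    """Parse the constructed capture into (time, address, payload); malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        t, addr, payload = parts
        rows.append((int(t), addr.lower(), payload.lower()))
    return rows


def linkable_payloads(rows: List[Tuple[int, str, str]]) -> Dict[str, Dict[str, object]]:
    """Return every payload observed under two or more addresses, with the addresses
    and the time span covered: those payloads defeat address randomization."""
    by_payload: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for t, addr, payload in rows:
        by_payload[payload].append((t, addr))
    report: Dict[str, Dict[str, object]] = {}
    for payload, obs in by_payload.items():
        addrs = sorted({a for _, a in obs})
        if len(addrs) >= 2:
            times = [t for t, _ in obs]
            report[payload] = {"addresses": addrs, "span_s": max(times) - min(times)}
    return report


def audit(text: str) -> Dict[str, Dict[str, object]]:
    """Full audit over a capture text."""
    return linkable_payloads(parse_capture(text))


if __name__ == "__main__":
    for payload, info in audit(SAMPLE_CAPTURE).items():
        print(f"payload {payload} seen under {len(info['addresses'])} addresses over "
              f"{info['span_s']} s: address rotation is not protecting this device")
```

Running it on the constructed capture reports only device A's payload, seen under three addresses over 1800 s. A real audit would strip the fields the page identifies as the linkable ones (the constant data field, or a predictable sequence number) before grouping, so that a payload that legitimately changes with every rotation is not counted against the device.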

Page 20: Packet contents summary
Most commonly used technique for user tracking
A reflection of protocol stack design choices
• Properties susceptible to change with firmware upgrade
Identifying correct features is a manual process
• There always is a feature out there!

Page 21: Outline
(Same outline as page 7; next section: 3. Identification techniques, link layer - packet timing)

Page 22: Link layer - Packet timing
Link layer schedules transmissions
• Device discovery packets
• Data packets
Timing side channel for device identification
Packet timing identification
• Clock skew
• Inter-packet arrival rate

Page 23: Packet timing (Huang et al. [INFOCOM '14])
Clock skew for device identification
• Measured arrival time of preambles
• Baseband properties filter preambles
• Same properties for transmitter clock
• Similarity distance for identification

Page 24: Packet timing (Huang et al. [INFOCOM '14])
Minimal variation in skew
• 0.5 ppm across devices in an hour
• 0.55 ppm across temperature ranges
High accuracy in identification
• 38/56 devices were the exact same make

Page 25: Packet timing overview
Jana et al. [MobiCom '08]
• Computed clock skew for 802.11 radios
• Used TSF timestamp in AP beacons and a microsecond timer on the receiver side
Arackaparambil et al. [WiSec '10]
• Used TSF timestamp at receiver to improve measurement variance
• Demonstrated virtual AP clock skew impersonation attack
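Pages 23 to 25 describe clock skew as a stable per-device feature (Huang et al.: about 0.5 ppm variation within a device) measured from beacon TSF timestamps against a receiver timer (Jana et al.). The Python below is an added example, not code from the slides or from any of the cited papers: it fits the skew by least squares over constructed beacon streams and uses it the defensive way round, checking whether beacons carrying a known BSSID still match the skew profiled for that access point. The beacon interval, the synthetic jitter, the 0.5 ppm tolerance and the rogue-AP framing are assumptions of the example.

```python
"""Clock-skew estimation from 802.11 beacon TSF timestamps (added, constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple

BEACON_INTERVAL_US = 102_400   # 100 TU, the common default beacon interval (assumption)


@dataclass
class Beacon:
    rx_time_us: int   # receiver's local microsecond timer at capture
    tsf_us: int       # TSF timestamp carried in the beacon frame


def synth_beacons(skew_ppm: float, n: int, start_tsf: int = 0) -> List[Beacon]:
    """Construct n beacons from an AP whose clock runs skew_ppm faster than the receiver.
    A small deterministic jitter (-6..+6 us) stands in for capture-time noise."""
    out = []
    for i in range(n):
        rx = i * BEACON_INTERVAL_US
        jitter = (i * 7919) % 13 - 6
        tsf = start_tsf + round(rx * (1 + skew_ppm * 1e-6))
        out.append(Beacon(rx_time_us=rx + jitter, tsf_us=tsf))
    return out


def estimate_skew_ppm(beacons: List[Beacon]) -> float:
    """Least-squares slope of the offset (tsf - rx_time) against rx_time, in ppm.
    The offset grows linearly at the rate by which the two clocks disagree."""
    xs = [b.rx_time_us for b in beacons]
    ys = [b.tsf_us - b.rx_time_us for b in beacons]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def same_clock(skew_a: float, skew_b: float, tolerance_ppm: float = 0.5) -> bool:
    """Two estimates are consistent with one oscillator if they agree within the tolerance;
    0.5 ppm is the within-device variation the slides quote from Huang et al."""
    return abs(skew_a - skew_b) <= tolerance_ppm


def check_beacon_source(profile_ppm: float, beacons: List[Beacon],
                        tolerance_ppm: float = 0.5) -> Tuple[bool, float]:
    """Compare a fresh capture against the skew profiled for this BSSID.
    Returns (matches_profile, measured_skew_ppm)."""
    skew = estimate_skew_ppm(beacons)
    return same_clock(profile_ppm, skew, tolerance_ppm), skew


if __name__ == "__main__":
    profile = estimate_skew_ppm(synth_beacons(12.3, 600))          # enrolment capture
    later = synth_beacons(12.3, 600, start_tsf=5_000_000_000)       # same AP, rebooted
    other = synth_beacons(-4.0, 600)                                # other hardware, same BSSID
    print("profile %.3f ppm" % profile)
    print("same AP:", check_beacon_source(profile, later))
    print("other hardware:", check_beacon_source(profile, other))
```

The absolute TSF value does not matter (the rebooted AP starts its TSF elsewhere and still matches), only its rate against the receiver clock does. Arackaparambil et al., on the same slide, showed that a virtual AP can impersonate a target's skew, so a matching skew is evidence of the expected hardware rather than proof of it; a mismatch, on the other hand, is a strong indicator that a different transmitter is announcing the BSSID.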

Page 26: Packet timing overview
Franklin et al. [SEC '06]
• Inter probe request time identifies (NIC driver, host OS)
Loh et al. [WiSec '08]
• Use time between probe request bursts for identification
• Lower resolution of measurement needed (order of minutes)
Matte et al. [WiSec '16]
• Combined inter-burst and inter-probe-request timings
• Needed only 4 groups of bursts per transmitter for identification

Page 27: Packet timing summary
Inter-packet arrival rate works for all devices
• Not stable to firmware upgrades
Clock skew is stable to firmware upgrades
• But works only for master devices
Packet timing is a dangerous user tracking tool
• Packet arrival rate reveals wireless application usage

Page 28: Outline
(Same outline as page 7; next section: 3. Identification techniques, physical layer - signal propagation)

Page 29: Physical layer - Signal propagation
Signal propagation through medium
• Modifies signal properties
Idea of location as identity
• Signal propagation used for localization
• Utilize existing network of wireless devices
Signal changes can be measured through
• Received signal strength
• Channel state information

Page 30: Signal propagation (Faria et al. [WiSec '06])
Multiple signal strength readings
• Authentication request tagged with RSS from different APs
Signalprints identify location of transmitter
• Close transmitters differ by at most a max threshold
• Far transmitters differ by at least a min threshold
Faria et al., Detecting identity-based attacks in wireless networks using signalprints. WiSe '06

Page 31: Signal propagation (Faria et al. [WiSec '06])
Accuracy of 91% in identifying devices
• Devices separated by 7 m in a 45 m x 24 m room
• Using RSS values from 4 APs
Signalprint values influenced by environment
• Moving furniture or people
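Pages 30 and 31 summarise the signalprint idea: an authentication request is tagged with the RSS at which several APs heard it, and two signalprints are compared AP by AP against a max threshold (close transmitters) and a min threshold (far transmitters). The Python below is an added example, not code from the slides or from Faria et al., written for the defensive use the cited paper's title names, detecting one claimed identity transmitting from two places. The 5 dB and 10 dB thresholds, the match counts, the frame format and all RSS readings are constructed for the example; the paper tunes its thresholds empirically.

```python
"""Signalprint matching for identity-based (MAC spoofing) attack detection.
Added, constructed example after the approach the slides summarise for Faria et al."""
from typing import Dict, List, Tuple

Signalprint = Dict[str, int]   # AP identifier -> RSS (dBm) at which that AP heard the frame

# Assumed thresholds for this example.
DELTA_MAX_DB = 5    # readings within this many dB "max-match": consistent with one location
DELTA_MIN_DB = 10   # readings this many dB apart "min-match": consistent with different locations


def max_matches(a: Signalprint, b: Signalprint, delta: int = DELTA_MAX_DB) -> int:
    """Number of APs common to both signalprints that differ by at most delta dB."""
    return sum(1 for ap in a.keys() & b.keys() if abs(a[ap] - b[ap]) <= delta)


def min_matches(a: Signalprint, b: Signalprint, delta: int = DELTA_MIN_DB) -> int:
    """Number of APs common to both signalprints that differ by at least delta dB."""
    return sum(1 for ap in a.keys() & b.keys() if abs(a[ap] - b[ap]) >= delta)


def same_location(a: Signalprint, b: Signalprint, k: int = 3) -> bool:
    """Close transmitters: at least k APs agree within DELTA_MAX_DB."""
    return max_matches(a, b) >= k


def different_location(a: Signalprint, b: Signalprint, k: int = 2) -> bool:
    """Far transmitters: at least k APs disagree by DELTA_MIN_DB or more."""
    return min_matches(a, b) >= k


# Constructed authentication requests as the slide describes them: each carries the
# client's claimed MAC and the RSS with which each of four APs heard it.
FRAMES: List[Tuple[str, Signalprint]] = [
    ("02:00:00:00:00:01", {"ap1": -45, "ap2": -62, "ap3": -71, "ap4": -80}),
    ("02:00:00:00:00:01", {"ap1": -47, "ap2": -60, "ap3": -73, "ap4": -78}),  # same spot, normal fluctuation
    ("02:00:00:00:00:01", {"ap1": -48, "ap2": -65, "ap3": -74, "ap4": -83}),  # furniture moved: ~3 dB shift
    ("02:00:00:00:00:01", {"ap1": -79, "ap2": -75, "ap3": -58, "ap4": -44}),  # same MAC from across the room
    ("02:00:00:00:00:02", {"ap1": -80, "ap2": -74, "ap3": -57, "ap4": -45}),  # a different client, no conflict
]


def detect_spoofing(frames: List[Tuple[str, Signalprint]]) -> List[Tuple[int, str, int]]:
    """Flag frames whose claimed MAC was already seen with a signalprint that min-matches
    the new one: one identity, two locations. Returns (frame index, mac, min_matches)."""
    reference: Dict[str, Signalprint] = {}
    alerts: List[Tuple[int, str, int]] = []
    for i, (mac, sp) in enumerate(frames):
        if mac not in reference:
            reference[mac] = sp            # first sighting becomes the reference signalprint
            continue
        if different_location(reference[mac], sp):
            alerts.append((i, mac, min_matches(reference[mac], sp)))
    return alerts


if __name__ == "__main__":
    for i, mac, n in detect_spoofing(FRAMES):
        print(f"frame {i}: {mac} claimed from a second location "
              f"({n}/4 APs disagree by >= {DELTA_MIN_DB} dB)")
```

On the constructed frames only frame 3 is flagged: frames 1 and 2 differ from the reference by 2 to 3 dB at every AP, which is the kind of environmental drift page 31 warns about (moving furniture or people), and the threshold-and-count rule absorbs it. Keeping a single reference per MAC is a simplification; a deployment would age references out so a client that genuinely walks across the room is re-enrolled rather than flagged forever.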

Page 32: Signal propagation overview
Bauer et al. [PETS '09]
• Performed k-means clustering on signal strength values
Sheng et al. [INFOCOM '08]
• Due to antenna diversity, RSS distributions follow a GMM
• Used mixture models to identify a transmitter at a particular location
Ghose et al. [INFOCOM '18]
• RSS patterns vary according to relative motion of transmitter/receiver
• Used that to design an authenticator with a helper device

Page 33: Signal propagation overview
Sen et al. [MobiSys '12]
• CFRs at the same location from the same subcarrier form clusters
• Sampling multiple locations in a 1 m x 1 m grid to identify exact location
Jin et al. [ToWC '10]
• CIR-based localization by taking the IFFT of the CFR
• Log scale ensures large delay components contribute to the CIR

Page 34: Signal propagation summary
Signal propagation represents the wireless environment
• Not stable to environment changes
• Typically used indoors or in a constrained environment
Used to supplement other identification techniques
• Predominantly a localization technique
• Signal strength can be measured by any radio

Page 35: Outline
(Same outline as page 7; next section: 3. Identification techniques, physical layer - hardware imperfections)

Page 36: Physical layer - Hardware imperfections
Manufacturing imperfections
• Quantified using signal non-idealities
Signal properties reflect hardware identity
Can be measured using
• Transient signal
• Steady state signal

Page 37: Physical layer - Hardware imperfections
[Figure only]

Page 38: Hardware imperfections (Brik et al. [MobiCom '08])
Attach a sensor to AP
• Vector signal analyzer for measurement
• Data relayed to central server for fingerprinting
Use steady state signal modulation properties for identification
• Frequency error, SYNC correlation, I/Q offset, magnitude error and phase error
Brik et al., Wireless Device Identification with Radiometric Signatures. MobiCom '08, ACM

Page 39: Hardware imperfections (Brik et al. [MobiCom '08])
High accuracy and stability for device identification
• > 99.5% for over 138 devices
• Minimal change in accuracy when devices moved around
Too ideal a test environment?
• Vo-Huu et al. [WiSec '16] attempted to reproduce the results
• Significantly lower accuracy, but high reproducibility

Page 40: Hardware imperfections overview
Hall et al. [WOC '03]
• Detected Bluetooth radios using phase of transients
• Observed that the slope of the phase is linear at the start of transmission
Hall et al. [IASTED '04]
• Detected WiFi radios using phase, frequency and amplitude of the transient
Suski et al. [GLOBECOM '08]
• Amplitude of transient works better at low SNR
• Used power spectral density to classify WiFi radios

Page 41: Hardware imperfections overview
Vo-Huu et al. [WiSec '16]
• Used a combination of CFO, SFO and transient for identification
• Transient has higher contribution than modulation properties
Liu et al. [INFOCOM '19]
• I/Q mismatch phase error from channel estimate
• Phase gradients due to signal have lower variance than noise
Sun et al. [HotWireless '17]
• Observed variation in CFO values for detecting BLE signal
• A BLE transmission exhibits constant CFO

Page 42: Hardware imperfections summary
A technique of great promise and frustration!
• Best identifier for transmitter hardware
• Measuring properties reliably and accurately is hard
Requires costly hardware
• Demonstrated to work only in controlled environments
Further work needs to be done
• Cost-effective SDR tools and designing more reliable techniques

Page 43: Identification techniques - Summary

Technique                  Role    Environment  Software  Cost  Outdoor
Link Layer
  Packet Contents          Yes     Yes          No        Yes   Yes
  Packet Timing            No [1]  Yes          No [2]    Yes   Yes
Physical Layer
  Signal Propagation       Yes     No           Yes       Yes   No
  Hardware Imperfections   Yes     Yes          Yes       No    No

[1] Inter-packet arrival rate: Yes
[2] Clock skew: Yes

Page 44: Identification techniques - Summary
A number of identifiers exist at link and physical layer
An adversary's choice is a tradeoff decision
Link layer techniques' efficacy can be reduced by not transmitting so often
Physical layer techniques are harder to defend against, but still not mature

Page 45: Outline
(Same outline as page 7; next section: 4. Tracking the device owner)

Page 46: Tracking the device owner
[Figure: a passive eavesdropper observing six numbered personal devices (1-6)]
Device identification information can be used to track the user.

Page 47: User social linkages
Preferred Network List can be obtained by eavesdropping probe requests

Page 48: User social linkages (Luzio et al. [INFOCOM '16])
PNL indicates likely city of residence
• Geographic locations of APs from Wigle
• Provenance rank for each likely city
Performed analysis on dataset collected at political rallies
• Closely predicted city-wise voting patterns
• Social linkages revealed

Page 49: User activity tracking
[Figure: fitness tracker in connected state]
Physical activity related to data traffic of tracker

Page 50: User activity tracking (Das et al. [HotMobile '16])
Fitness tracker leaks physical activity
• Increased activity -> more data packets
• Classification accuracy of activity -> 97.6%
Accelerometer features related to data traffic
• Strong correlation observed
• Can distinguish individual walking patterns

Page 51: Tracking the device owner - Summary
A large amount of user tracking information is available
User tracking features exposed predominantly at the link layer
We need to make better design choices and not keep repeating mistakes

Page 52: Directions for future work
Practical physical layer device identification
Analyzing potential privacy concerns with directed BLE advertisements
Wireless privacy leakage in personal medical devices

Page 53: Questions?