Research Exam - University of California, San...
Transcript of Research Exam - University of California, San...
![Page 1: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/1.jpg)
Research ExamNishant Bhaskar
1
![Page 2: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/2.jpg)
The problem
Passive Eavesdropper
1 2 3
4 5 6
Wireless personal devices have become a homing beacon2
![Page 3: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/3.jpg)
ApplicationPresentation
SessionTransportNetworkData LinkPhysical
Existing measures not enough
Alwaysavailable
3
![Page 4: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/4.jpg)
Not just a cautionary tale
4
![Page 5: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/5.jpg)
Techniques for wireless device identification• Passive eavesdropping • Tradeoff decision made by an adversary in
choosing a technique
Implications of device identification• User tracking – Social, physical, behavioral
In this survey
5
![Page 6: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/6.jpg)
Focused on papers in WiFi and Bluetooth
Limit analysis to link and physical layer device identification
Scope of survey
6
![Page 7: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/7.jpg)
1. Identifying information in wireless signals• Link layer• Physical layer
2. Taxonomy
3. Identification techniques• Link layer – Packet Contents• Link layer – Packet Timing• Physical layer - Signal propagation• Physical layer – Hardware imperfections
4. Tracking the device owner
Outline
7
![Page 8: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/8.jpg)
Due to manufacturer implementations
Packet contents transmitted in the clear• Device discovery packets • Link layer headers
Link layer controls packet timing• Packet scheduling and transmission• Timing properties can be measured
Identifying information - Link Layer
(a)
(b) (c)
8
![Page 9: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/9.jpg)
PhysicallayertransmitsthephysicalRFsignal• Informationindependentofhigherlayerconstraints
Physicallayermeasurement• Effectofsignalpropagationthroughthewirelesschannel• Fundamentalnon-idealitiesduetoRFsignalchainimperfections
Identifying information - Physical Layer
9
![Page 10: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/10.jpg)
1. Identifying information in wireless signals• Link layer• Physical layer
2. Taxonomy
3. Identification techniques• Link layer – Packet Contents• Link layer – Packet Timing• Physical layer - Signal propagation• Physical layer – Hardware imperfections
4. Tracking the device owner
Outline
10
![Page 11: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/11.jpg)
Universality • Works for all device roles? (Role)
Stability• Features stable with changing environment? (Environment)• Features stable with software updates? (Software)
Practicality• Cheap data collection equipment? (Cost)• Proven to work outside controlled environments? (Outdoor)
Taxonomy
11
![Page 12: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/12.jpg)
Technique Role Environment Software Cost OutdoorLink LayerPacket Contents Yes Yes No Yes YesPacket Timing No1 Yes No2 Yes YesPhysical LayerSignal Propagation Yes No Yes Yes NoHardware Imperfections Yes Yes Yes No No
Taxonomy
1:Inter-packetarrivalrate->Yes2:Clockskew->Yes
12
![Page 13: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/13.jpg)
1. Identifying information in wireless signals• Link layer• Physical layer
2. Taxonomy
3. Identification techniques• Link layer – Packet Contents• Link layer – Packet Timing• Physical layer - Signal propagation• Physical layer – Hardware imperfections
4. Tracking the device owner
Outline
13
![Page 14: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/14.jpg)
(a)
(b) (c)
Link Layer - Packet contents
14
![Page 15: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/15.jpg)
Packet contents (Martin et al. [PETS ‘19])
Handoff
WiFi settings
InstantHotspot
WiFi JoinNetwork
Nearby
WatchConnection
15
![Page 16: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/16.jpg)
Nearby messages broadcast 200 times/minute
MAC address changes, data field doesn’t• MAC addresses can be linked• Device can be continuously tracked
Use global MAC address• When sent concurrently with Handoff
Packet contents (Martin et al. [PETS ‘19])
16
![Page 17: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/17.jpg)
Handoff messages• Sent by Handoff-enabled apps• User interaction, app open/close
Sequence number predictable• Identification possible after several days• Knowing HW/SW improves prediction
Packet contents (Martin et al. [PETS ‘19])
17
![Page 18: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/18.jpg)
Freudiger et al. [WiSec ’15]• Sequence numbers link WiFi probe requests• Probes use global address when screen is active
Vanhoef et al. [Asia CCS ‘16]• IE fields identify WiFi device models, sequence numbers identify devices• SSID fingerprint of previously connected APs• WPS UUID derived from MAC address with a fixed seed
Martin et al. [PETS ‘17]• mDNS WiFi packets identify device model• Authentication packets contain global address
Packet contents overview
18
![Page 19: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/19.jpg)
Spill et al. [WOOT ‘06]• Reverse engineered Bluetooth MAC address, clock bits• Determined hopping to be able to follow device
Ryan et al. [WOOT ‘13]• Observed channel hopping for BLE was fixed increments• Whitening was much simpler than Bluetooth
Becker et al. [PETS ‘19] • BLE MAC address randomize but same advertisement payload• Devices can be tracked after randomization
Packet contents overview
19
![Page 20: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/20.jpg)
Most commonly used technique for user tracking
A reflection of protocol stack design choices• Properties susceptible to change with firmware upgrade
Identifying correct features is a manual process• There always is a feature out there!
Packet contents summary
20
![Page 21: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/21.jpg)
1. Identifying information in wireless signals• Link layer• Physical layer
2. Taxonomy
3. Identification techniques• Link layer – Packet Contents• Link layer – Packet Timing• Physical layer - Signal propagation• Physical layer – Hardware imperfections
4. Tracking the device owner
Outline
21
![Page 22: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/22.jpg)
Link layer schedules transmissions• Device discovery packets• Data packets
Timing side channel for device identification
Packet timing identification• Clock skew• Inter-packet arrival rate
Link layer - Packet timing
22
![Page 23: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/23.jpg)
Clock skew for device identification• Measured arrival time of preambles• Baseband properties filter preambles • Same properties for transmitter clock• Similarity distance for identification
Packet timing (Huang et al. [INFOCOM ‘14])
23
![Page 24: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/24.jpg)
Minimal variation in skew • 0.5 ppm across devices in an hour• 0.55 ppm across temperature ranges
High accuracy in identification• 38/56 devices were the exact same make
Packet timing (Huang et al. [INFOCOM ‘14])
24
![Page 25: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/25.jpg)
Jana et al. [MobiCom ‘08]• Computed clock skew for 802.11 radios• Used TSF timestamp in AP beacons, and microsecond timer on receiver side
Arackaparambil et al [WiSec ‘10]• Used TSF timestamp at receiver to improve measurement variance• Demonstrated virtual AP clock skew impersonation attack.
Packet timing overview
25
![Page 26: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/26.jpg)
Franklin et al. [SEC ‘06]• Inter probe request time identifies (NIC driver, host OS)
Loh et al. [WiSec ‘08]• Use time between probe request bursts for identification• Lower resolution of measurement needed (order of minutes)
Matte et al. [WiSec ‘16]• Combined inter burst and inter probe request timings• Needed only 4 group of bursts per transmitter for identification
Packet timing overview
26
![Page 27: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/27.jpg)
Inter packet arrival rate works for all devices.• Not stable to firmware upgrades
Clock skew is stable to firmware upgrades• But works only for master devices
Packet timing is a dangerous user tracking tool• Packet arrival rate reveals wireless application usage
Packet timing summary
27
![Page 28: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/28.jpg)
1. Identifying information in wireless signals• Link layer• Physical layer
2. Taxonomy
3. Identification techniques• Link layer – Packet Contents• Link layer – Packet Timing• Physical layer - Signal propagation• Physical layer – Hardware imperfections
4. Tracking the device owner
Outline
28
![Page 29: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/29.jpg)
Signal propagation through medium • Modifies signal properties
Idea of location as identity• Signal propagation used for localization• Utilize existing network of wireless devices
Signal changes can be measured through• Received Signal strength• Channel State Information
Physical layer - Signal propagation
29
![Page 30: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/30.jpg)
Multiple signal strength readings• Authentication request tagged with RSS from
different APs
Signalprints identify location of transmitter• Close transmitters differ by a max threshold• Far transmitters differ by atleast a min threshold
Signal propagation (Faria et al. [WiSec ‘06])
Faria etal.,Detectingidentity-basedattacksinwirelessnetworksusingsignalprints.WiSe’0630
![Page 31: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/31.jpg)
Accuracy of 91% in identifying devices• Devices separated by 7m in a room 45m X 24m• Using RSS values from 4 APs
Signalprint values influenced by environment• Moving furniture or people
Signal propagation (Faria et al. [WiSec ‘06])
31
![Page 32: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/32.jpg)
Bauer et al. [PETS ‘09]• Performed k-means clustering on signal strength values
Sheng et al. [INFOCOM ‘08]• Due to antennae diversity, RSS distributions follow GMM• Used mixture models to identify transmitter at particular location
Ghose et al. [INFOCOM ‘18]• RSS patterns vary according to relative motion of transmitter/receiver• Used that to design an authenticator with a helper device
Signal propagation overview
32
![Page 33: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/33.jpg)
Sen et al. [MobiSys ‘12]• CFRs at same location from same subcarrier form clusters.• Sampling multiple locations in a 1m X 1m grid to identify exact location
Jin et al. [ToWC ‘10]• CIR based localization by taking IFFT on CFR• Log scale ensures large delay components contribute to CIR
Signal propagation overview
33
![Page 34: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/34.jpg)
Signal propagation represents the wireless environment• Not stable to environment changes• Typically used indoors or in a constrained environment
Used to supplement other identification techniques• Predominately a localization technique• Signal strength can be measured by any radio
Signal propagation summary
34
![Page 35: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/35.jpg)
1. Identifying information in wireless signals• Link layer• Physical layer
2. Taxonomy
3. Identification techniques• Link layer – Packet Contents• Link layer – Packet Timing• Physical layer - Signal propagation• Physical layer – Hardware imperfections
4. Tracking the device owner
Outline
35
![Page 36: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/36.jpg)
Manufacturing imperfections • Quantified using signal non-idealities
Signal properties reflect hardware identity
Can be measured using • Transient signal • steady state signal
Physical layer - Hardware imperfections
36
![Page 37: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/37.jpg)
Physical layer - Hardware imperfections
37
![Page 38: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/38.jpg)
Attach a sensor to AP• Vector signal analyzer for measurement• Data relayed to central server for fingerprinting
Use steady state signal modulation properties for identification
• Frequency error, SYNC correlation, I/Q offset, magnitude error and phase error
Briketal.,WirelessDeviceIdentificationwithRadiometricSignatures.,MobiCom ’08,ACM
Hardware imperfections (Brik et al. [MobiCom‘08 ])
38
![Page 39: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/39.jpg)
High accuracy and stability for device identification• > 99.5% for over 138 devices• Minimal change in accuracy when devices moved around
Too ideal a test environment?• Vo-Huu et al. (WiSec 16) attempted reproducing results• Significant lower accuracy but high reproducibility
Briketal.,WirelessDeviceIdentificationwithRadiometricSignatures.,MobiCom ’08,ACM
Hardware imperfections (Brik et al. [MobiCom‘08 ])
39
![Page 40: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/40.jpg)
Hall et al. [WOC ‘03]• Detected Bluetooth radios using phase of transients• Observed slope of phase is linear at start of transmission
Hall et al. [IASTED ‘04]• Detected WiFi radios using phase, frequency and amplitude of transient
Suski et al. [GLOBECOM ‘08]• Amplitude of transient works better at low SNR• Used power spectral density to classify WiFi radios
Hardware imperfections overview
40
![Page 41: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/41.jpg)
Vo-Huu et al. [WiSec ‘16]• Used combination of CFO, SFO, transient for identification• Transient has higher contribution than modulation properties
Liu et al. [INFOCOM ‘19]• I/Q mismatch phase error from channel estimate• Phase gradients due to signal have lower variance than noise
Sun et al. [HotWireless ‘17]• Observed variation in CFO values, for detecting BLE signal• A BLE transmission exhibits constant CFO
Hardware imperfections overview
41
![Page 42: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/42.jpg)
A technique of great promise and frustration!• Best identifier for transmitter hardware• Measurement of properties reliably and accurately is hard
Require costly hardware • Demonstrated to work in only controlled environment
Further work needs to be done • Cost effective SDR tools and designing more reliable techniques
Hardware imperfections summary
42
![Page 43: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/43.jpg)
Identification techniques - Summary
Technique Role Environment Software Cost OutdoorLink LayerPacket Contents Yes Yes No Yes YesPacket Timing No1 Yes No2 Yes YesPhysical LayerSignal Propagation Yes No Yes Yes NoHardware Imperfections Yes Yes Yes No No1:Inter-packetarrivalrate->Yes2:Clockskew->Yes
43
![Page 44: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/44.jpg)
A number of identifiers exist at link and physical layer
An adversary’s choice is a tradeoff decision
Link layer techniques efficacy can be reduced by not transmitting so often
Physical layer techniques harder to defend against, but still not mature
Identification techniques - Summary
44
![Page 45: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/45.jpg)
1. Identifying information in wireless signals• Link layer• Physical layer
2. Taxonomy
3. Identification techniques• Link layer – Packet Contents• Link layer – Packet Timing• Physical layer - Signal propagation• Physical layer – Hardware imperfections
4. Tracking the device owner
Outline
45
![Page 46: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/46.jpg)
Tracking the device owner
Passive Eavesdropper
1 2 3
4 5 6
Device identification information can be used to track the user46
![Page 47: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/47.jpg)
User social linkages
Preferred Network List can be obtained by eavesdropping probe requests47
![Page 48: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/48.jpg)
PNL indicates likely city of residence• Geographic locations of APs from Wigle• Provenance rank for each likely city
Performed analysis on dataset collected at political rallies
• Closely predicted city-wise voting patterns• Social linkages revealed
User social linkages (Luzio et al. [INFOCOM ‘16])
48
![Page 49: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/49.jpg)
Connectedstate
User activity tracking
Physical activity related to data traffic of tracker49
![Page 50: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/50.jpg)
Fitness tracker leaks physical activity• Increased activity -> more data packets• Classification accuracy of activity -> 97.6%
Accelerometer features related to data traffic• Strong correlation observed• Can distinguish individual walking patterns
User activity tracking (Das et al. [HotMobile ‘16])
50
![Page 51: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/51.jpg)
A large amount of user tracking information is available
User tracking features exposed predominately at the link layer
We need to make better design choices and not keep repeating mistakes
Tracking the device owner - Summary
51
![Page 52: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/52.jpg)
Practical physical layer device identification
Analyzing potential privacy concerns with directed BLE advertisements
Wireless privacy leakage in personal medical devices
Directions for future work
52
![Page 53: Research Exam - University of California, San Diegocseweb.ucsd.edu/~nibhaska/papers/RE_slides_19.pdf1.Identifying information in wireless signals •Link layer •Physical layer 2.](https://reader036.fdocuments.us/reader036/viewer/2022070822/5f27a12cdfdd32755c416858/html5/thumbnails/53.jpg)
Questions?
53