SecureArray: Improving WiFi Security with Fine-Grained Physical-Layer Information
MobiCom’13
Jie Xiong and Kyle Jamieson, University College London
CSE713 Spring 2017 Presentation
Jinghao Shi

Target Threat: Active Attacks
Home or Enterprise Network
Inject packets
- Denial of service
- Jam and replay
- Spoofing
- …

SecureArray: Key Idea
Use Angle-of-Arrival (AoA) information to detect attackers
(Figure labels: Pretend, Legitimate User, Attacker)

Outline
• How to obtain AoA information?
• The SecureArray system
• How to utilize the AoA information?
• Integration with 802.11 RSN
• Evaluations

AoA Primer
Baseband phase difference:
$$\Omega = \frac{1}{2}\lambda\sin\theta \times \frac{2\pi}{\lambda} = \pi\sin\theta$$
$$\theta = \arcsin\left(\frac{\Omega}{\pi}\right)$$

AoA Primer (cont’d)
$$\theta = \arcsin\left(\frac{\Omega}{\pi}\right)$$
$$\frac{d\theta}{d\Omega} = \frac{1}{\sqrt{\pi^2 - \Omega^2}}$$

$\theta$ − $\Omega$ Sensitivity
(Figure: AP, client and attacker, with angle $\theta$)

Random Phase Perturbation
- Add random phase perturbation $\zeta_i$ to $\Omega$ to calculate AoA signature $\sigma_i(\theta)$
- Repeat $L$ times, obtain $\sigma_1(\theta), \dots, \sigma_L(\theta)$

Comparing AoA Signatures
M approaches 1 if
- Peaks align, and
- Have similar magnitude
Binary threshold $\eta$

What if Client is Mobile?
Channel Coherence Time $T_c$: the time duration over which the wireless channel can be considered unchanging

How to Utilize AoA Information?
Integration with 802.11 RSN
Three types of attacks
- Deauthentication deadlock
- Authenticated spoofing
- Authentication deadlock

Deauthentication Deadlock Attack
802.1X Extensible Authentication Protocol over LANs (EAPOL) Four-Way Handshake
30-59 µs
AP compares AoA of Deauth and EAPOL msg 4

Authentication Spoofing Attack
Scenario: the attacker has gained access and pretends to be the legitimate user (spoofing)
Client sends a challenge frame after overhearing an unexpected Ack.

Authentication Deadlock Attack
Auth Req will cause the AP to delete the client’s key.
AP compares the AoA of the Data and Auth Req packets

SecureArray Implementation
Rice WARP platform
8 antennas in total

Evaluation Questions
• How to choose $\eta$? (similarity threshold)
• How to decide L? (number of random perturbations)
• How many AP antennas are needed?
• Distance between client and attacker?
• Mobile clients?

Experiment Setup
- Indoor office environment (30 m x 40 m)
- 150 locations
- Static and mobile client
- Various client/attacker distances (3 m to 5 cm)

Confusion Matrix and Receiver Operating Characteristic (ROC) Curve
ROC Curve: True Positive Rate (TPR) vs. False Positive Rate (FPR)
Standard way to show the performance of a binary classifier.

Overall ROC Curve
Effectiveness of random perturbation
100% detection rate with only 0.67% false alarm rate.
(Plot label: L=1)

Number of random-phase perturbations (L)
- Trade-off between accuracy and overhead
- L = 5 is sufficient
- Marginal improvement when L > 5.

Number of AP antennas
(Plot annotations: 1%, 4.7%, 11.3%)
Detection rate is high even w/ 4 antennas

Distance between client and attacker
Miss rate increases to only 3.7% @ 5 cm

Inter-packet time (Static)
False alarm rate is low even for 2 s spacing

Inter-packet time (Mobile)
Walk speed 4 km/h
Coherence time 12 ms

Detection Latency
• $T_1$: time taken for packet detection and sample recording with WARP
  • 1.6 µs
• $T_2$: time taken for samples to be transferred to the server
  • 2.56 ms
• $T_3$: time taken for the server to compute the metric and make the decision
  • 10-20 ms (L=5)
• Total latency
  • ~20 ms

Summary
Use Angle-of-Arrival (AoA) information to detect attackers
(Figure labels: Pretend, Legitimate User, Attacker)
- Attacks
  - Deauthentication deadlock attack
  - Authentication spoofing attack
  - Authentication deadlock attack
- Prototype implementation on WARP
- Thorough evaluations
  - Random phase perturbation (L)
  - Attacker distance
  - AP antennas
  - Inter-packet time

Critique
• Need extra hardware
• Multiple antennas at the AP
• Cannot detect jamming attacks
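The AoA primer relations from this deck (Ω = π sin θ, θ = arcsin(Ω/π), dθ/dΩ = 1/√(π² − Ω²)), worked through as an added Python example that is not code from the paper or the presentation. It assumes a two-antenna array at half-wavelength spacing and constructed noisy samples; the noise level, sample count and function names are illustrative assumptions. It shows that the same phase noise produces a larger angle error as the source moves away from broadside.

```python
import cmath, math, random

def phase_difference(theta):
    """Omega = pi*sin(theta): baseband phase difference at half-wavelength spacing."""
    return math.pi * math.sin(theta)

def aoa_from_phase(omega):
    """theta = arcsin(Omega/pi); the clamp guards against rounding outside [-1, 1]."""
    return math.asin(max(-1.0, min(1.0, omega / math.pi)))

def sensitivity(omega):
    """d(theta)/d(Omega) = 1/sqrt(pi^2 - Omega^2); grows without bound as |Omega| -> pi."""
    return 1.0 / math.sqrt(math.pi ** 2 - omega ** 2)

def measure_omega(theta, noise_std, rng, n_samples=64):
    """Estimate Omega from constructed noisy samples seen at two antennas."""
    acc = 0j
    for _ in range(n_samples):
        s = cmath.exp(1j * rng.uniform(0, 2 * math.pi))   # unit-power symbol
        n1 = complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std))
        n2 = complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std))
        x1 = s + n1                                            # antenna 1
        x2 = s * cmath.exp(1j * phase_difference(theta)) + n2  # antenna 2
        acc += x2 * x1.conjugate()   # the product's phase is Omega plus noise
    return cmath.phase(acc)

def rms_aoa_error_deg(theta_deg, noise_std=0.1, trials=300, seed=1):
    """RMS AoA estimation error (degrees) over repeated noisy measurements."""
    rng = random.Random(seed)
    theta = math.radians(theta_deg)
    sq = sum((aoa_from_phase(measure_omega(theta, noise_std, rng)) - theta) ** 2
             for _ in range(trials))
    return math.degrees(math.sqrt(sq / trials))

if __name__ == "__main__":
    for deg in (0, 30, 60, 70):
        om = phase_difference(math.radians(deg))
        print(f"theta={deg:2d} deg  Omega={om:.3f} rad  "
              f"dtheta/dOmega={sensitivity(om):.3f}  "
              f"rms_err={rms_aoa_error_deg(deg):.2f} deg")
```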