SecureArray: Improving WiFi Security with Fine-Grained Physical-Layer Information MobiCom’13 Jie Xiong and Kyle Jamieson University College London CSE713 Spring 2017 Presentation Jinghao Shi
Target Threat: Active Attacks. Inject packets; denial of service; jam and replay; spoofing; … (Figure label: Home or Enterprise Network)
SecureArray: Key Idea. Use Angle-of-Arrival (AoA) information to detect attackers. (Figure labels: Pretend, Legitimate User, Attacker)
Outline: How to obtain AoA information? The SecureArray system. How to utilize the AoA information? Integration with 802.11 RSN. Evaluations.
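AoA Primer: Baseband phase difference $\Omega = \frac{1}{2}\lambda\sin\theta \times \frac{2\pi}{\lambda} = \pi\sin\theta$, so $\theta = \arcsin\left(\frac{\Omega}{\pi}\right)$
AoA Primer (cont’d): $\theta = \arcsin\left(\frac{\Omega}{\pi}\right)$, $\frac{d\theta}{d\Omega} = \frac{1}{\sqrt{\pi^2 - \Omega^2}}$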
$\theta$-$\Omega$ Sensitivity (Figure labels: AP, Client, Attacker, $\theta$)
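The phase-to-angle mapping and its sensitivity from the AoA primer slides, as an added Python example (not code from the paper or the presentation). It assumes two antennas half a wavelength apart and a noise-free plane wave; the function names, the sample values and the 0.05 rad phase error are constructed for illustration.

```python
import cmath
import math

def steering_phase(theta_rad):
    """Baseband phase difference between two antennas half a wavelength
    apart: Omega = pi * sin(theta)."""
    return math.pi * math.sin(theta_rad)

def received_samples(theta_rad, carrier_phase=0.7):
    """Constructed input: one complex baseband sample per antenna for a
    plane wave arriving at theta (unit amplitude, no noise).
    carrier_phase is an arbitrary common offset that cancels out."""
    x1 = cmath.exp(1j * carrier_phase)
    x2 = cmath.exp(1j * (carrier_phase + steering_phase(theta_rad)))
    return x1, x2

def estimate_aoa(x1, x2):
    """Recover theta = arcsin(Omega / pi) from the measured phase difference."""
    omega = cmath.phase(x2 * x1.conjugate())        # lies in (-pi, pi]
    ratio = max(-1.0, min(1.0, omega / math.pi))    # guard against rounding
    return math.asin(ratio)

def sensitivity(omega):
    """d(theta)/d(Omega) = 1 / sqrt(pi^2 - Omega^2)."""
    return 1.0 / math.sqrt(math.pi ** 2 - omega ** 2)

def angle_error_deg(theta_deg, phase_error_rad):
    """Angle error in degrees caused by a fixed phase measurement error."""
    omega = steering_phase(math.radians(theta_deg))
    perturbed = max(-math.pi, min(math.pi, omega + phase_error_rad))
    return abs(math.degrees(math.asin(perturbed / math.pi)) - theta_deg)

if __name__ == "__main__":
    for deg in (0, 30, 60, 80):
        x1, x2 = received_samples(math.radians(deg))
        est = math.degrees(estimate_aoa(x1, x2))
        err = angle_error_deg(deg, 0.05)
        print(f"true={deg:2d} deg  estimated={est:6.2f} deg  "
              f"error from 0.05 rad phase error={err:5.2f} deg")
```

The same phase error costs under one degree at broadside but about ten degrees at 80 degrees, which is the growth of $d\theta/d\Omega$ as $\Omega$ approaches $\pi$.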
Random Phase Perturbation: Add random phase perturbation $\zeta_i$ to $\Omega$ to calculate AoA signature $\sigma_i(\theta)$. Repeat $L$ times, obtain $\sigma_1(\theta), \ldots, \sigma_L(\theta)$
Comparing AoA Signatures: M approaches 1 if peaks align and have similar magnitude. Binary threshold $\eta$
What if Client is Mobile? Channel Coherence Time $T_c$: The time duration over which the wireless channel can be considered unchanging
How to Utilize AoA Information? Integration with 802.11 RSN. Three types of attacks: deauthentication deadlock; authenticated spoofing; authentication deadlock.
Deauthentication Deadlock Attack: 802.1X Extensible Authentication Protocol over LANs (EAPOL) Four Way Handshake. AP compares AoA of Deauth and EAPOL msg 4. 30-59 μs
Authentication Spoofing Attack Scenario: attacker has gained access and pretends to be the legitimate user (spoofing) Client sends a challenge frame after overhearing an unexpected Ack.
Authentication Deadlock Attack Auth Req will cause AP to delete the client’s key. AP compares the AoA of Data and Auth Req packet
SecureArray Implementation Rice WARP platform 8 antennas in total
Evaluation Questions: How to choose $\eta$ (similarity threshold)? How to decide L (number of random perturbations)? How many AP antennas are needed? Distance between client and attacker? Mobile clients?
Experiment Setup: Indoor office environment (30 m x 40 m); 150 locations; static and mobile client; various client/attacker distance (3 m – 5 cm)
Confusion Matrix and Receiver Operating Characteristic (ROC) Curve ROC Curve: True Positive Rate (TPR) vs. False Positive Rate (FPR) Standard way to show the performance of a binary classifier.
Overall ROC Curve: Effectiveness of random perturbation L=1 100% detection rate with only 0.67% false alarm rate.
Number of random-phase perturbations (L): Trade-off between accuracy and overhead. L = 5 is sufficient. Marginal improvement when L > 5.
Number of AP antennas: 1% 4.7% 11.3% Detection rate is high even w/ 4 antennas
Distance between client and attacker Miss rate increases to only 3.7% @5 cm
Inter-packet time (Static) False alarm rate is low even for 2s spacing
Inter-packet time (Mobile) Walk Speed 4km/h Coherence time 12ms
Detection Latency: $T_1$: time taken for packet detection and samples recording with WARP, 1.6 μs. $T_2$: time taken for samples to be transferred to the server, 2.56 ms. $T_3$: time taken for the server to compute the metric and make the decision, 10-20 ms (L=5). Total latency ~20 ms
Summary: Use Angle-of-Arrival (AoA) information to detect attackers. Attacks: deauthentication deadlock attack; authentication spoofing attack; authentication deadlock attack. Prototype implementation on WARP. Thorough evaluations: random phase perturbation (L); attacker distance; AP antennas; inter-packet time. (Figure labels: Pretend, Legitimate User, Attacker)
Critique: Need extra hardware (multiple antennas at the AP). Can not detect jamming attacks.