Ghostbuster: Detecting the Presence of Hidden Eavesdroppers. Anadi Chaman, Jiaming Wang, Jiachen Sun, Romit Roy Choudhury, Haitham Hassanieh (UIUC). Presenter: Haofan Cai, CMPE 253, 02/06/2019
Outline: Motivation; What is Ghostbuster; Design Challenges; System Architecture; Implementation; Evaluation Results; Limitations & Conclusions
Motivation Eavesdropping is a longstanding problem! No way to regulate or know who is listening on the wireless channel!
Defense Against Eavesdropping: Encryption. Encryption breaks due to security loopholes. Vulnerability in WPA2 [SIGSAC’17]. Low power devices employ weak or no encryption. Ultra-Low Power RFIDs [S&P’09, CCS’09, Usenix’12, Defcon’13, NSDI’15]. Side Channel Attacks [CRYPTO’14, CHES’15, CCS’16, RSA’16, MobiCom’15]. Medical Implants [S&P’10, SIGCOMM’11].
View the problem from a different angle: Can we detect the hidden presence of wireless eavesdroppers?
What is Ghostbuster? A system that can reliably detect an eavesdropper in the presence of ongoing transmissions. Does not require any modifications to current transmitters and receivers. Implemented and empirically tested against SDR-based and WiFi-card-based eavesdroppers.
Why can Ghostbuster find an eavesdropper? Key Observation: Even passive receivers leak RF signals onto the wireless medium. The receiver’s oscillator creates a sinusoid signal at the carrier frequency of operation. [Figure: Eavesdropper’s digital receiver, with blocks labelled Mixer, Amplifier, Baseband Processing and Local Oscillator, and the RF leakage marked.]
Profiling RF Leakage. Simplified receiver architectures in COTS WiFi cards. The frequency of the leaked signal fl can be expressed as a function of the center frequency fc for each one of the architectures:
Challenge 1: Weak Leakage. RF leakage is extremely weak: buried under the noise floor. Hard to detect with today’s receivers? [Figure: RF leakage below the noise level.]
A Potential Solution: Average noise by taking an FFT over a large time window. [Figure: FFT around 2.45 GHz for time windows of 200 ms, 1 sec and 1.5 sec; the leakage is labelled in the 1 sec and 1.5 sec plots.]
Challenge 2: On-going transmission. However, large time windows are bound to include transmitted packets! Leakage is orders of magnitude weaker than TX signals. [Figure: packets along the time axis; FFT around 2.45 GHz.]
Challenge 3: Leakage from legitimate receivers Leakage is orders of magnitude weaker than TX signals. Other legitimate receivers also create RF leakage. How to extract the eavesdropper’s leakage in the presence of ongoing transmissions and leakage from other receivers?
Ghostbuster. Step 1: Null ongoing transmissions. Spatial domain: MIMO. Frequency domain: cancel artifacts. Step 2: Separate leakages from other receivers. Leverage carrier frequency offset (CFO).
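MIMO (multiple-input and multiple-output). [Figure: the transmitter’s signal x(t) reaches Ghostbuster’s two receive chains through channels $h_{t1}$ and $h_{t2}$; the eavesdropper’s leakage e(t) reaches them through $h_{e1}$ and $h_{e2}$.] $y_1(t) = h_{e1} e(t) + h_{t1} x(t)$, $y_2(t) = h_{e2} e(t) + h_{t2} x(t)$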
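Subtracting (h_t1/h_t2)·y2(t) from y1(t) in the two equations above removes x(t) and leaves a scaled copy of e(t). The following simulation of that nulling step is an added example, not code from the slides or from the Ghostbuster authors; the sample rate, channel values, signal levels and function names are all constructed for illustration.

```python
import cmath, math, random, statistics

FS, N = 20_000.0, 4_000   # constructed sample rate (Hz) and window (0.2 s)
F_LEAK = 1_234.0          # constructed leakage offset from band centre (Hz)

def simulate(seed=7):
    """Constructed two-chain capture: y_i = h_ei*e(t) + h_ti*x(t) + noise."""
    rng = random.Random(seed)
    ht1, ht2 = 0.9 + 0.3j, 0.5 - 0.7j    # transmitter -> chain 1, 2
    he1, he2 = 0.6 + 0.2j, -0.3 + 0.8j   # eavesdropper -> chain 1, 2
    noise = lambda: complex(rng.gauss(0, 7e-4), rng.gauss(0, 7e-4))
    y1, y2 = [], []
    for n in range(N):
        x = complex(rng.choice((-1, 1)), rng.choice((-1, 1))) / math.sqrt(2)
        e = 0.01 * cmath.exp(2j * math.pi * F_LEAK * n / FS)  # 40 dB below x
        y1.append(he1 * e + ht1 * x + noise())
        y2.append(he2 * e + ht2 * x + noise())
    return y1, y2

def null_transmitter(y1, y2):
    """Estimate r = h_t1/h_t2 from the samples (x dominates) and form
    y1 - r*y2, which leaves (h_e1 - r*h_e2)*e(t) plus noise."""
    num = sum(a * b.conjugate() for a, b in zip(y1, y2))
    r = num / sum(abs(b) ** 2 for b in y2)
    return [a - r * b for a, b in zip(y1, y2)]

def bin_power(sig, f_hz):
    """Power of a single DFT bin evaluated at f_hz."""
    acc = sum(s * cmath.exp(-2j * math.pi * f_hz * n / FS)
              for n, s in enumerate(sig))
    return abs(acc) ** 2

def leak_snr_db(sig):
    """Leakage bin power over the median of 40 surrounding bins, in dB."""
    floor = statistics.median(
        bin_power(sig, F_LEAK + 50.0 * k) for k in range(-20, 21) if k)
    return 10 * math.log10(bin_power(sig, F_LEAK) / floor)

if __name__ == "__main__":
    y1, y2 = simulate()
    print(f"single chain:  {leak_snr_db(y1):5.1f} dB")
    print(f"after nulling: {leak_snr_db(null_transmitter(y1, y2)):5.1f} dB")
```

On a single chain the leakage bin is indistinguishable from the transmitted signal's spectrum; after nulling it stands tens of dB above the remaining noise.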
OFDM (Orthogonal frequency-division multiplexing) OFDM bins Transmitted signal :
Ghostbuster: MIMO alone is not sufficient. Discontinuities in time result in artifacts & spurious frequencies that are very hard to cancel. [Figure: Symbol 1, Symbol 2, Symbol 3, ⋯, Symbol N along the time axis, with the time discontinuities marked.]
Discontinuities & Artifacts. Consider a single frequency. [Figure: frequency versus time over a large time window; more samples; a large FFT over the window shows artifacts.]
Discontinuities & Artifacts. Artifacts add up from all frequencies & symbols. Artifacts add up from all packets in the time window. [Figure: spectrum with the leakage marked.]
Canceling Artifacts Need to estimate the continuous (Off-Grid) frequency positions & coefficients Solve: Fix , solve for :Weighted Least Squares Fix ,,solve for. : Convex for good initial estimates of Solve using gradient descent.
Canceling Artifacts Solves for given a fixed In this case, the error function E is convex in . The optimization is a weighted least squares problem and has the following closed-form solution:
Canceling Artifacts Solves for given a fixed In this case, the error function E is non-convex in due to the complex exponentials. However, if we have good initial estimates of that are within a small interval around fk, then the function becomes convex within this interval and we can use gradient descent to minimize it.
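The alternation described on these slides (closed-form least squares for the coefficients with the frequencies fixed, then gradient descent on the frequencies from a good initial estimate) can be tried on one off-grid tone. This is an added example, not code from the slides or the Ghostbuster authors: it narrows the problem to a single tone, uses unit weights because the slides' weights are not given, and the window length, tone values and function names are constructed.

```python
import cmath, math

N = 64  # samples in one constructed analysis window

def tone(a, f):
    """Complex exponential with coefficient a at f FFT bins (f may be off-grid)."""
    return [a * cmath.exp(2j * math.pi * f * n / N) for n in range(N)]

def solve_coeff(y, f):
    """Fix f, solve for a: least squares reduces to <s, y> / <s, s>."""
    return sum(v * cmath.exp(-2j * math.pi * f * n / N)
               for n, v in enumerate(y)) / N

def refine(y, f0, iters=100):
    """Alternate the closed-form coefficient solve with a gradient step on f."""
    f = f0
    for _ in range(iters):
        a = solve_coeff(y, f)
        model = tone(a, f)
        # dE/df for E = sum |y - model|^2 with a held fixed
        grad = 2 * sum((2 * math.pi * n / N) * (m * (v - m).conjugate()).imag
                       for n, (v, m) in enumerate(zip(y, model)))
        # curvature of E in f at a perfect fit, used to scale the step
        curv = 2 * abs(a) ** 2 * sum((2 * math.pi * n / N) ** 2 for n in range(N))
        f -= grad / curv
    return f, solve_coeff(y, f)

def residual_energy(y, a, f):
    """Energy left after subtracting the estimated tone (the artifacts)."""
    return sum(abs(v - m) ** 2 for v, m in zip(y, tone(a, f)))

if __name__ == "__main__":
    y = tone(0.8 - 0.5j, 10.37)            # constructed off-grid tone
    total = sum(abs(v) ** 2 for v in y)
    on_grid = residual_energy(y, solve_coeff(y, 10.0), 10.0)
    f_hat, a_hat = refine(y, 10.0)         # start from the nearest FFT bin
    print(f"on-grid cancel leaves {on_grid / total:.1%} of the energy")
    print(f"refined f = {f_hat:.6f}, residual = {residual_energy(y, a_hat, f_hat):.2e}")
```

Cancelling with the nearest on-grid bin leaves more than a third of the tone's energy spread across the spectrum, while the refined off-grid estimate removes it to numerical precision.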
Separate Leakages from other receivers. What about leakage from other receivers? Leverage CFOs caused by hardware imperfections (typically 100s of Hz to a few kHz). Use time windows of 1 sec to tens of seconds. [Figure: leakage peaks on the frequency axis around 2.45 GHz.] Count the number of legitimate receivers NL, number of detected receivers ND, if ND ≠ NL,
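The counting step can be illustrated on a simulated residual in which each receiver's leakage sits at its own CFO. This is an added example, not code from the slides or the Ghostbuster authors; the sample rate, CFO values, noise level, peak threshold and function names are constructed, and treating ND ≠ NL as the alarm condition is an assumption of the example.

```python
import cmath, math, random, statistics

FS = 4096  # constructed sample rate of the residual after nulling (Hz)

def residual(cfos_hz, n, seed=1):
    """Constructed residual: one unit tone per receiver at its CFO, plus noise."""
    rng = random.Random(seed)
    return [sum(cmath.exp(2j * math.pi * f * t / FS) for f in cfos_hz)
            + complex(rng.gauss(0, 0.1), rng.gauss(0, 0.1)) for t in range(n)]

def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    tw = [cmath.exp(-2j * math.pi * k / n) * odd[k] for k in range(n // 2)]
    return [e + t for e, t in zip(even, tw)] + [e - t for e, t in zip(even, tw)]

def count_receivers(sig):
    """N_D: spectral peaks (local maxima) more than 30x above the median bin."""
    n = len(sig)
    hann = [0.5 - 0.5 * math.cos(2 * math.pi * t / n) for t in range(n)]
    p = [abs(v) ** 2 for v in fft([s * w for s, w in zip(sig, hann)])]
    thr = 30 * statistics.median(p)
    return sum(1 for k in range(n)
               if p[k] > thr and p[k] > p[k - 1] and p[k] >= p[(k + 1) % n])

def eavesdropper_present(sig, n_legit):
    """Assumed decision rule: alarm when N_D differs from the known N_L."""
    return count_receivers(sig) != n_legit

LEGIT = [310.0, -880.0]      # constructed CFOs of two legitimate receivers (Hz)
WITH_EVE = LEGIT + [350.0]   # constructed eavesdropper, 40 Hz from a legitimate one

if __name__ == "__main__":
    for n in (64, 4096):     # 15.6 ms window versus 1 s window
        nd = count_receivers(residual(WITH_EVE, n))
        print(f"window {n / FS * 1000:7.1f} ms: N_D = {nd}, N_L = {len(LEGIT)}")
```

With the 15.6 ms window the bin spacing is 64 Hz, so the eavesdropper's peak merges with the legitimate receiver 40 Hz away and the count still equals NL; the 1 s window resolves all three peaks.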
Implementation. Ghostbuster is implemented using USRP software-defined radios. Tested 16 WiFi cards & 4 USRP daughterboards as eavesdroppers.
Experiment Results. [Figure: SNR in dB versus Ghostbuster’s distance from a WiFi card eavesdropper with FFT window size of 1 sec.] [Figure: SNR in dB versus Ghostbuster’s distance from a USRP eavesdropper with FFT window size of 10 ms.]
Impact of FFT window size. [Figure: Hit rate for WiFi card and USRP eavesdroppers versus FFT window size when the eavesdropper is placed 1 m away from Ghostbuster.] [Figure: Hit rate for WiFi card and USRP eavesdroppers versus FFT window size when the eavesdropper is placed 5 m away from Ghostbuster.]
Confusion Matrix. [Figure: Confusion matrix of classification probabilities obtained on experiments on USRP receivers in the range 1 m to 5 m.] [Figure: Confusion matrix of classification probabilities obtained on experiments on WiFi cards.]
WiFi Cards placed in monitor mode. Leakage measured 1 m away using 1 sec FFT window. [Figure: peak SNR of leakage in dB per chipset, operating @ 2.4 GHz and operating @ 5 GHz, grouped by vendor (Broadcom, Intel, Qualcomm-Atheros). Chipsets: AR93XX, AR9271, AR9485, AR9170, BCM4360, BCM4352, BCM43526, BCM4329, BCM43xx, Intel 5100, Intel 7260, Intel 3165, Intel 7265, Intel 8260, Intel 5300, Intel 4965. Three entries are marked NOT SUPPORTED.] Chipsets cover a range of hardware architectures & WiFi protocols: 802.11a/b/g/n/ac
Result Summary. Ghostbuster can detect: WiFi card eavesdroppers up to 7 meters away; USRP eavesdroppers up to 14 meters away. Detection accuracy & range improve with: larger time windows (10 ms < 100 ms < 1 sec); more MIMO chains (2 MIMO < 3 MIMO < 4 MIMO). Ghostbuster can detect an eavesdropper in the presence of transmissions & other receivers: with 95% accuracy with 1 other receiver; with 89.9% accuracy with 3 other receivers.
Limitations & Conclusions. Ghostbuster can detect eavesdroppers in the presence of ongoing transmissions & other receivers without requiring any modifications to current transmitters and receivers. A lot of future work: What if the number of legitimate RXs is not known? Can we localize the eavesdropper? Can we reduce computational complexity? Opens the door for more practical applications: Detecting Remote Explosives; More Efficient Carrier Sense; Synchronizing Clocks through Leakage.