
1 The Cicada Attack: Degradation and Denial of Service Attacks in IR Ranging
Marcin Poturalski, Manuel Flury, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec

2 Outline
Context: ranging and secure ranging
The Cicada attack
Attack performance evaluation
Countermeasures
Conclusion

3 Ranging
Ranging can be applied in a number of applications
Localization and navigation of robot fleets

4 Ranging
Ranging can be applied in a number of applications
Tracking of goods

5 Ranging
Ranging can be applied in a number of applications
Physical access control
Many are security sensitive!

6 Ranging
Ranging can be applied in a number of applications
Physical access control
Many are security sensitive!
Impersonate

7 Ranging
Ranging can be applied in a number of applications
Tracking of goods
Many are security sensitive!

8 Ranging
Ranging can be applied in a number of applications
Tracking of goods
Many are security sensitive!
Manipulate ranging measurement

9 Securing Ranging
How to make ranging secure?

10 Securing Ranging
Distance bounding protocols
S. Brands and D. Chaum. “Distance Bounding Protocols.” EUROCRYPT’93
S. Capkun, L. Buttyan and J. Hubaux. “SECTOR: secure tracking of node encounter in multi-hop wireless networks.” SASN’03
L. Bussard and W. Bagga. “Distance-Bounding Proof of Knowledge to Avoid Real-Time Attacks.” SEC’05
G.P. Hancke and M.G. Kuhn. “An RFID distance bounding protocol.” SecureComm’05
C. Meadows, P. Syverson and L. Chang. “Towards More Efficient Distance Bounding Protocols for Use in Sensor Networks.” SecureComm’06
J. Reid, J.M.G. Nieto, T. Tang and B. Senadji. “Detecting Relay Attacks with Timing-Based Protocols.” ASIACCS’07
D. Singelee and B. Preneel. “Distance bounding in noisy environments.” ESAS’07

11 Securing Ranging
Distance bounding protocol example:
Messages exchanged between A and B, in order:
  N_V
  (P ⊕ N_V, N_P), with t_RTT measured between N_V and this reply
  (N_V, P, N_P, MAC_PV(N_V, P, N_P))
Provides an upper-bound on the computed distance
Not possible to decrease the measured distance: messages travel at the speed of light
Possible to increase the distance: relay, delay messages
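
The exchange on this slide as a runnable sketch, added here as an example and not taken from the presentation. It assumes P is the prover's identifier, fixed 8-byte fields, HMAC-SHA256 as the MAC and zero prover processing time; all function names are hypothetical.

```python
import hashlib
import hmac

C = 299_792_458.0  # speed of light in m/s

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mac(key: bytes, n_v: bytes, p_id: bytes, n_p: bytes) -> bytes:
    # Fields are fixed-length (assumption), so plain concatenation is unambiguous.
    return hmac.new(key, n_v + p_id + n_p, hashlib.sha256).digest()

def prover_reply(p_id: bytes, n_v: bytes, n_p: bytes):
    """Time-critical reply to the challenge N_V: (P xor N_V, N_P)."""
    return xor(p_id, n_v), n_p

def prover_auth(key: bytes, p_id: bytes, n_v: bytes, n_p: bytes):
    """Final message: (N_V, P, N_P, MAC_PV(N_V, P, N_P))."""
    return n_v, p_id, n_p, mac(key, n_v, p_id, n_p)

def verifier_check(key, n_v, reply, auth, t_rtt_s):
    """Return the distance upper bound in metres, or None if a check fails."""
    masked, n_p = reply
    a_nv, a_p, a_np, tag = auth
    # The authenticated values must match what was seen in the timed phase.
    if a_nv != n_v or a_np != n_p or xor(masked, n_v) != a_p:
        return None
    if not hmac.compare_digest(tag, mac(key, a_nv, a_p, a_np)):
        return None
    # Any relay or delay adds to t_RTT, so it can only raise this bound.
    return C * t_rtt_s / 2

if __name__ == "__main__":
    key, p_id = b"k" * 16, b"PROVER01"            # constructed sample values
    n_v, n_p = bytes(range(8)), bytes(range(8, 16))
    reply = prover_reply(p_id, n_v, n_p)
    auth = prover_auth(key, p_id, n_v, n_p)
    print(verifier_check(key, n_v, reply, auth, 100e-9))  # direct exchange
    print(verifier_check(key, n_v, reply, auth, 140e-9))  # 40 ns of added delay
```

The bound is only as trustworthy as the t_RTT measurement itself, which is where the physical-layer attacks in the rest of the talk apply.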

12 Securing Ranging
Do distance bounding protocols solve the problem …? Not quite
Physical layer attacks against distance bounding:
J. Clulow, G.P. Hancke, M.G. Kuhn, T. Moore. “So Near and yet So Far: Distance-Bounding Attacks in Wireless Networks.” ESAS’06
M. Flury, M. Poturalski, P. Papadimitratos, J.-P. Hubaux, J.-Y. Le Boudec. “Effectiveness of Distance-Decreasing Attacks Against Impulse Radio Ranging.” WiSec’10
This paper: New kind of physical layer attack against (IR) ranging

13 Impulse Radio Ranging
Precise ranging in dense multipath environments
The first path is not necessarily the strongest path

14 The Ranging Process
Preamble: frame sequence modulated by ternary preamble code
1. Coarse synchronization: lock on strongest path
2. Fine synchronization: back-search for first path
[Figure labels: Transmitter T, Receiver R]

15 The Cicada Attack
Preamble: frame sequence modulated by ternary preamble code
Denial of Service: Ranging not possible
[Figure labels: Transmitter T, Malicious transmitter M, Receiver R]

16 The Cicada Attack
Preamble: frame sequence modulated by ternary preamble code
Cicada attack: back-search finds bogus first path
Degradation of Service: Range decreased
[Figure labels: Transmitter T, Malicious transmitter M, Receiver R]

17 Denial vs Degradation
Degradation is more stealthy than denial
Potentially more severe
We focus on an adversary aiming at degradation

18 The Cicada Attack
Very simple to mount
  Requires only an IR transmitter
  Oblivious to preamble code
Limited effectiveness
  Mild distance decrease: back-search window size, e.g., 20m
  Random distance decrease

19 Example Attack

20 Simulation Setup
[Figure labels: Transmitter T (SNRT), Malicious transmitter M (SNRM), Receiver R]
IEEE 802.15.4a PHY
Mandatory LPRF mode
Indoor NLOS channel model
Attack performance for 3 energy detection receivers:
  Vanilla – basic energy detection receiver
  MINF, PICNIC – receivers robust to multi-user interference
We simulate the entire packet reception process

21 Vanilla Receiver
SNRT = 20dB
Plot legend:
  Packet not received: failure of SFD detection or data decoding
  Packet received
  Packet received, ToA decreased by > 4ns
  Packet not received: failure of synchronization

22 Vanilla Receiver
SNRT = 20dB
The cicada signal sometimes misses the back-search window

23 Vanilla Receiver
SNRT = 20dB
Increase cicada signal rate

24 Vanilla Receiver
SNRT = 20dB
Increase cicada signal rate

25 Vanilla Receiver
SNRT = 20dB
Degradation takes place:
  If the cicada signal is not lost in noise
  If the cicada signal is lower than the signal of T

26 MINF Receiver
Designed to cope with benign multi-user interference during fine synchronization
Z. Sahinoglu and I. Guvenc. “Multiuser interference mitigation in noncoherent UWB ranging via nonlinear filtering.” EURASIP Journal on Wireless Communication Networks, 2006
D. Dardari, A. Giorgetti, and M.Z. Win. “Time-of-arrival estimation of UWB signals in the presence of narrowband and wideband interference.” ICUWB, 2007

27 MINF Receiver
Assume coarse synchronization is achieved
Remove frames according to code i
Apply moving minimum filter
Cicada signal is present in every frame: min filter will not remove it
[Figure labels: samples in frame, frames, benign interferer (code j), user of interest (code i)]
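
A toy model of the steps on slides 14 and 27, added here as an example and not taken from the presentation or the cited receivers: it shows why the moving minimum removes a code-j interferer from the back-search result but leaves a signal that is present in every frame. The codes, sample positions, energies, window and threshold are all constructed values.

```python
# Toy energy-detection model; every number below is a constructed assumption.
CODE_I = [1, 0, -1, 1, 0, 1, -1, 1]   # user of interest, ternary preamble code
CODE_J = [0, 1, 1, 0, -1, 1, 0, -1]   # benign interferer, different ternary code
SAMPLES, NOISE = 32, 1.0
FIRST_PATH, STRONGEST = 20, 23         # the first path is weaker than the peak

def energy_matrix(benign=False, every_frame=False):
    """Received energy per frame (row) and per sample within the frame."""
    rows = []
    for ci, cj in zip(CODE_I, CODE_J):
        row = [NOISE] * SAMPLES
        if ci:                          # legitimate pulse with two paths
            row[FIRST_PATH] += 3.0
            row[STRONGEST] += 10.0
        if benign and cj:               # only in frames where code j is non-zero
            row[12] += 6.0
        if every_frame:                 # cicada-like: identical in all frames
            row[9] += 5.0
        rows.append(row)
    return rows

def profile(rows, min_window=1):
    """Drop frames where code i is 0, moving minimum over frames, then average."""
    kept = [r for r, ci in zip(rows, CODE_I) if ci]
    wins = [kept[k:k + min_window] for k in range(len(kept) - min_window + 1)]
    filtered = [[min(col) for col in zip(*w)] for w in wins]
    return [sum(col) / len(filtered) for col in zip(*filtered)]

def back_search(prof, window=16, threshold=2.0):
    """Lock on the strongest sample, return the earliest one above threshold."""
    peak = max(range(len(prof)), key=prof.__getitem__)
    for s in range(max(0, peak - window), peak + 1):
        if prof[s] > threshold:
            return s
    return peak

def toa(benign, every_frame, min_window):
    """Estimated first-path sample index; min_window=1 means no min filter."""
    return back_search(profile(energy_matrix(benign, every_frame), min_window))

if __name__ == "__main__":
    print("no filter, benign interferer  :", toa(True, False, 1))
    print("min filter, benign interferer :", toa(True, False, 3))
    print("min filter, every-frame signal:", toa(False, True, 3))
```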

28 Attack Performance against MINF
[Plot panels: SNRT = 20dB; Vanilla, SNRT = 20dB]
Attack performs slightly worse than for Vanilla

29 PICNIC Receiver
Designed to cope with benign multi-user interference during synchronization
M. Flury, R. Merz, and J.-Y. Le Boudec. “Robust non-coherent timing acquisition in IEEE 802.15.4a IR-UWB networks.” PIMRC, 2009
Adversary exploits the interference robustness of the PICNIC receiver to improve attack performance
[Plot panels: PICNIC, SNRT = 20dB; Vanilla, SNRT = 20dB]

30 Countermeasures to Degradation
Do not perform back-search
  Lose ranging performance in the benign case
Perform multiple range measurements
  Cicada attack increases variance of measurements
Modify the modulation scheme
  Time-hopping in the preamble?
Secure synchronization algorithms
  Complexity and energy consumption are an issue

31 Conclusion
Cicada attack
  Simple attack able to decrease distance measured by IR ranging protocols
  Exploits fundamental difficulty in distinguishing legitimate and interfering signals
Security must be addressed at all layers

32 To learn more…
http://lca.epfl.ch/projects/snd
marcin.poturalski@epfl.ch

33 Extra slides

34 PICNIC Receiver
Designed to cope with benign multi-user interference during synchronization
M. Flury, R. Merz, and J.-Y. Le Boudec. “Robust non-coherent timing acquisition in IEEE 802.15.4a IR-UWB networks.” PIMRC, 2009
Component 1: Power Independent Detection (PID)
Component 2: Interference Cancelation
  Detect presence of alternative preamble code
  If detected, estimate and remove interference
[Figure labels: threshold (0 : x < t, 1 : x ≥ t), summation, correlator output]

35 Attack Performance against PICNIC
[Plot panels: SNRT = 20dB; Vanilla, SNRT = 20dB]
Attack performs slightly worse than for Vanilla
Denial sets in at low SNRM

36 Attack Performance against PICNIC
SNRT = 20dB
[Figure labels: threshold (0 : x < t, 1 : x ≥ t), summation]
Correlator output is maximized for all cicada peaks
Make cicada signal more sparse?

37 Attack Performance against PICNIC
SNRT = 20dB
Adversary exploits the interference robustness of the PICNIC receiver to improve attack performance

38 Attack Performance against PICNIC
SNRT = 20dB
Attack with high rate cicada signal

39 Distance decrease
Back-search window size 64ns

