Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan Čapkun. Department of Computer Science, ETH Zurich. Attacks on Public WLAN-based Positioning Systems.


1 Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan Čapkun. Department of Computer Science, ETH Zurich. Attacks on Public WLAN-based Positioning Systems. In Proceedings of the ACM/Usenix International Conference on Mobile Systems, Applications and Services (MobiSys), 2009.

2 Outline. Introduction; Background; Location Spoofing; Location Database Manipulation; Conclusion.

3 Introduction. Public WLAN-based Positioning Systems: allow localization using omnipresent wireless access points; enable devices without GPS to establish their position; allow localization with precision of ≤ 10 m, even indoors or underground.

4 Introduction. Skyhook’s WPS in the iPod and iPhone: in iPhone and iPod touch since late 2007. Skyhook also offers additional services such as localization of stolen devices. iPhone OS 3.0 allows tracking of iPhone via PC.

5 Example attack case. Security box holding valuables, transported by courier. Reporting WLAN-based position periodically to a controller. Attacker wants to move box to a safe location to open it. Goal: make the box believe it never left the intended path.

6 How does it actually work?
1. The localized node (LN) sends out probe request frames on all channels.
2. Access points announce their presence.
3. Observed MAC addresses are sent to the location lookup table (LLT).
4. The LLT replies with location information.
The traffic between LN and LLT is encrypted.

7 AP impersonation attack.
2a. Attacker jams legitimate AP announcements.
2b. Attacker inserts own impersonated AP announcements.
3. LLT is now queried for location of remote APs.

8 Attack details. Jamming the legitimate APs: sent noise on 3 channels using two GNURadios. Many alternative options: physical layer, protocol layer. Fourth channel was used to send data of 4 impersonated APs.

9 Attack details. Impersonating APs: MAC addresses of real APs at remote location, obtained through WiGLE – a public wardriving database. Impersonation by single laptop constantly changing its MAC address.

10 Results. Jamming worked very reliably and was easy to achieve. When using only the public WLAN localization, the devices localized themselves at the remote location in New York City. For the iPhone, additional GSM cell localization prevented a change of location outside the local city radius.

11 Countermeasures. Several proposals to mitigate the presented impersonation attack: AP authentication; aggregation of multiple localization methods; LN-based integrity checks; AP fingerprinting.

12 LN-based integrity checks. Basic variant: compare new position with last known position; assume maximum speed to detect large displacements. Continuous version: periodically record MAC addresses from present location; integrity check over last n locations. Warn user or abort localization.
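
One way to implement the LN-based integrity check from slide 12, as an added example that is not part of the original slides or the paper's code. The class name, the 150 km/h speed bound, n = 5 and the sample fixes are assumptions made for illustration.

```python
import math
from collections import deque

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

class IntegrityChecker:
    """Accept a fix only if it is reachable from each of the last n accepted fixes."""

    def __init__(self, max_speed_kmh=150.0, n=5):   # both values are assumptions
        self.max_speed_kmh = max_speed_kmh
        # Accepted fixes: (time_s, (lat, lon), MACs seen); MACs are kept as a record.
        self.history = deque(maxlen=n)

    def check(self, time_s, pos, macs):
        """Return the list of violations; an empty list means the fix was accepted."""
        violations = []
        for old_t, old_pos, _ in self.history:
            hours = (time_s - old_t) / 3600.0
            dist = haversine_km(old_pos, pos)
            if hours <= 0:
                violations.append(f"timestamp not after fix at t={old_t}s")
            elif dist > self.max_speed_kmh * hours:
                violations.append(
                    f"{dist:.0f} km since t={old_t}s needs {dist / hours:.0f} km/h")
        if not violations:   # only accepted fixes become reference points
            self.history.append((time_s, pos, frozenset(macs)))
        return violations

# Constructed sample: two scans in Zurich, one fix claiming New York, one in Zurich.
SAMPLE_FIXES = [
    (0,   (47.3769, 8.5417),   {"00:11:22:33:44:01", "00:11:22:33:44:02"}),
    (60,  (47.3780, 8.5440),   {"00:11:22:33:44:02", "00:11:22:33:44:03"}),
    (120, (40.7128, -74.0060), {"66:55:44:33:22:01", "66:55:44:33:22:02"}),
    (180, (47.3790, 8.5460),   {"00:11:22:33:44:03", "00:11:22:33:44:04"}),
]

def run_sample(fixes=SAMPLE_FIXES):
    checker = IntegrityChecker()
    return [(t, checker.check(t, pos, macs)) for t, pos, macs in fixes]

if __name__ == "__main__":
    for t, violations in run_sample():
        print(t, "WARN/ABORT" if violations else "ok", violations)
```

A rejected fix is not added to the history, so a single spoofed position cannot become the reference point for later checks.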

13 Fingerprint-based countermeasures. Use more data to identify APs, such as: configuration; implementation of protocols [Bratus, WiSec’08]; physical characteristics of signals [Brik, MobiCom’08]. Collect these in the LLT as well, and verify reported APs.

14 Database manipulation attacks. Attacks on the LLT are possible as well, and will affect all users of the service.

15 Database manipulation attacks. Data enters the LLT in the following ways: collected or bought by the owner; positioning requests by the LNs; manual update by users. By arbitrarily choosing the reported MAC addresses, the attacker can perform the following attacks: inject own AP entries into the database; perform reverse location lookup (track people moving to a different city!); change the stored location for existing entries.

16 Database manipulation attacks.
1. The AP’s location in the LLT is A.
2. The attacker reports the AP among other APs at location B.
3. As a result, the AP’s location is changed to location B in the LLT.

17 Database manipulation countermeasures. Data update rules: allow several possible locations with different confidence values. The location with the highest confidence value is active. Confidence depends on majority votes or consistency of location reports with current data. Temporal update rules: update the LLT quicker for changes with high confidence, and slower for changes with low confidence. Tradeoff between database freshness and resistance against attacks. The provider can choose to only rely on self-collected data, but this will lead to outdated entries.
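
A sketch of the data update rule from slide 17 applied to the A-to-B scenario of slide 16, as an added example that is not part of the original slides. The source weights, the cell labels, the class name and the premise that the LLT can tell reporters apart are assumptions; it covers the confidence and majority-vote rule only, not a time-based schedule.

```python
from collections import defaultdict

# Assumed weights: the provider's own survey data counts more than an LN report.
SOURCE_WEIGHT = {"provider": 5.0, "ln_report": 1.0}

class LocationTable:
    """LLT that keeps several candidate locations per AP, each with a confidence."""

    def __init__(self):
        # mac -> candidate cell -> {reporter_id: weight}
        self.votes = defaultdict(lambda: defaultdict(dict))

    def report(self, mac, cell, reporter_id, source="ln_report"):
        """Record one location report for an AP and return its active location."""
        for votes in self.votes[mac].values():   # one vote per reporter per AP
            votes.pop(reporter_id, None)
        self.votes[mac][cell][reporter_id] = SOURCE_WEIGHT[source]
        return self.active(mac)

    def confidence(self, mac):
        """Confidence per candidate cell: the summed weight of its distinct voters."""
        return {cell: sum(v.values()) for cell, v in self.votes[mac].items() if v}

    def active(self, mac):
        """Highest-confidence cell; on a tie the earlier-known cell stays active."""
        conf = self.confidence(mac)
        return max(conf, key=conf.get) if conf else None

def run_sample():
    llt = LocationTable()
    mac = "00:11:22:33:44:01"                      # constructed AP address
    llt.report(mac, "A", "survey-1", "provider")   # the AP is known at location A
    # One reporter repeating the same claim ten times still holds a single vote.
    after_repeats = [llt.report(mac, "B", "reporter-x") for _ in range(10)][-1]
    # Five further distinct reporters outvote the stale survey entry.
    after_majority = [llt.report(mac, "B", f"ln-{i}") for i in range(5)][-1]
    return after_repeats, after_majority, llt.confidence(mac)

if __name__ == "__main__":
    print(run_sample())
```

Raising the provider weight makes the table harder to shift but slower to follow an AP that really moved, which is the freshness tradeoff the slide names.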

18 Conclusion. Summary: studied the security of public WLAN-based positioning systems; presented LN- and LLT-based attacks and discussed countermeasures; demo: the current systems should not be used in security-relevant contexts. Future work: similar attacks are possible on GSM and even GPS; combine these attacks to defeat devices using all these mechanisms; exploration of signal fingerprints of APs.

19 Map and Track Friends http://plash.iis.sinica.edu.tw/plash/*.action

