Attacks on Public WLAN-based Positioning Systems

Feb 23, 2016


Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan Čapkun. Department of Computer Science, ETH Zurich.

Attacks on Public WLAN-based Positioning Systems
Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan Čapkun
Department of Computer Science, ETH Zurich
In Proceedings of the ACM/Usenix International Conference on Mobile Systems, Applications and Services (MobiSys), 2009

Outline
- Introduction
- Background
- Location Spoofing
- Location Database Manipulation
- Conclusion

Introduction: Public WLAN-based Positioning Systems
- Allow localization using omnipresent wireless access points
- Enable devices without GPS to establish their position
- Allow localization with precision of 10m, even indoors or underground

Introduction: Skyhook's WPS in the iPod and iPhone
- In iPhone and iPod touch since late 2007
- Skyhook also offers additional services such as localization of stolen devices
- iPhone OS 3.0 allows tracking of iPhone via PC

Example attack case
- Security box holding valuables, transported by courier
- Reporting WLAN-based position periodically to a controller
- Attacker wants to move box to a safe location to open it
- Goal: Make the box believe it never left intended path

How does it actually work
- The localized node (LN) sends out probe request frames on all channels
- Access points announce their presence
- Observed MAC addresses are sent to the location lookup table (LLT)
- The LLT replies with location information
- The traffic between LN and LLT is encrypted

AP impersonation attack
2a. Attacker jams legitimate AP announcements
2b. Attacker inserts own impersonated AP announcements
3. LLT is now queried for location of remote APs

Attack details: Jamming the legitimate APs
- Sent noise on 3 channels using two GNURadios
- Many alternative options: physical layer, protocol layer
- Fourth channel was used to send data of 4 impersonated APs

Attack details: Impersonating APs
- MAC addresses of real APs at remote location
- Obtained through WiGLE, a public wardriving database
- Impersonation by single laptop constantly changing its MAC address

Results
- Jamming worked very reliably and was easy to achieve
- When using only the public WLAN localization, the devices localized themselves at the remote location in New York City
- For the iPhone, additional GSM cell localization prevented a change of location outside the local city radius

Countermeasures
Several proposals to mitigate the presented impersonation attack:
- AP authentication
- Aggregation of multiple localization methods
- LN-based integrity checks
- AP fingerprinting

LN-based integrity checks
Basic variant:
- Compare new position with last known position
- Assume maximum speed to detect large displacements
Continuous version:
- Periodically record MAC addresses from present location
- Integrity check over last n locations
- Warn user or abort localization

Fingerprint-based countermeasures
Use more data to identify APs, such as:
- Configuration
- Implementation of protocols [Bratus, WiSec08]
- Physical characteristics of signals [Brik, MobiCom08]
Collect these in the LLT as well, and verify reported APs.

Database manipulation attacks
Attacks on the LLT are possible as well, and will affect all users of the service.
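The basic and continuous LN-based integrity checks from the countermeasures slides above, sketched as an added example (not code from the talk or from any positioning product). The speed ceiling, the history length n, the AP-overlap rule and all sample coordinates and MAC addresses are assumptions.

```python
import math
from collections import deque

MAX_SPEED_MPS = 70.0  # assumed speed ceiling (~250 km/h); not from the slides
MIN_OVERLAP = 1       # assumed: share >= 1 AP with recent scans taken close in time
RECENT_S = 120        # assumed window in which AP sets should still overlap
N = 5                 # the slides' "last n locations"; n = 5 is an assumption

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

class IntegrityChecker:
    """Runs on the localized node (LN) before a position fix is trusted."""

    def __init__(self):
        self.fixes = deque(maxlen=N)  # accepted (timestamp, position, MAC set)

    def check(self, ts, pos, macs):
        """Return reasons to reject the fix; an empty list means it was accepted."""
        macs = frozenset(m.lower() for m in macs)
        reasons = []
        for old_ts, old_pos, old_macs in self.fixes:
            dt = max(ts - old_ts, 1.0)
            # Basic variant: displacement must be reachable at the maximum speed.
            if haversine_m(old_pos, pos) / dt > MAX_SPEED_MPS:
                reasons.append(f"implausible speed since t={old_ts}")
            # Continuous variant: a scan taken moments ago should share APs.
            elif dt <= RECENT_S and len(macs & old_macs) < MIN_OVERLAP:
                reasons.append(f"AP set replaced since t={old_ts}")
        if not reasons:
            self.fixes.append((ts, pos, macs))  # rejected fixes never become history
        return reasons

# Constructed sample data: coordinates and MAC addresses are made up.
ZURICH_1, ZURICH_2, NEW_YORK = (47.3769, 8.5417), (47.3775, 8.5425), (40.7128, -74.0060)
LOCAL = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
REMOTE = ["66:77:88:99:aa:01", "66:77:88:99:aa:02"]

def demo():
    c = IntegrityChecker()
    return [c.check(0, ZURICH_1, LOCAL),
            c.check(60, ZURICH_2, LOCAL[1:] + ["00:11:22:33:44:04"]),
            c.check(120, NEW_YORK, REMOTE),      # spoofed fix, as in the talk's result
            c.check(180, ZURICH_2, LOCAL[1:])]
```

A non-empty result is the point at which the LN would warn the user or abort localization.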

Database manipulation attacks
Data enters the LLT in the following way:
- Collected or bought by the owner
- Positioning requests by the LNs
- Manual update by users

By arbitrarily choosing the reported MAC addresses, the attacker can perform the following attacks:
- Inject own AP entries into the database
- Perform reverse location lookup (track people moving to a different city!)
- Change the stored location for existing entries

Database manipulation attacks
- The AP's location in the LLT is A
- The attacker reports the AP among other APs at location B
- As a result, the AP's location is changed to location B in the LLT

Database manipulation countermeasures
Data update rules: allow several possible locations with different confidence values
- The location with the highest confidence value is active
- Confidence depends on majority votes or consistency of location reports with current data

Temporal update rules: update the LLT quicker for changes with high confidence, and slower for changes with low confidence
- Tradeoff between database freshness and resistance against attacks
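One way to realise the data update and temporal update rules above, as an added example rather than the authors' or any provider's implementation. The grid size, the delay constant, the use of one vote per authenticated reporter as the confidence value, and the sample reports are all assumptions.

```python
from collections import defaultdict

CELL_DEG = 0.01             # assumed grid (~1 km) for grouping nearby reports
BASE_DELAY_S = 7 * 86400    # assumed wait before a lead of one vote takes effect

class LocationTable:
    """Toy LLT: each AP keeps several candidate locations with confidence values."""

    def __init__(self):
        self.votes = defaultdict(lambda: defaultdict(set))  # mac -> cell -> reporters
        self.active = {}      # mac -> cell currently returned to LNs
        self.leading = {}     # mac -> (challenger cell, time it took the lead)

    def report(self, ts, reporter, mac, lat, lon):
        """Record a report from an (assumed authenticated) reporter; return the active cell."""
        cells = self.votes[mac]
        for voters in cells.values():      # one vote per reporter per AP
            voters.discard(reporter)
        cells[(round(lat / CELL_DEG), round(lon / CELL_DEG))].add(reporter)
        conf = {c: len(v) for c, v in cells.items()}   # confidence = majority vote
        best = max(conf, key=conf.get)
        cur = self.active.setdefault(mac, best)
        lead = conf[best] - conf[cur]
        if lead <= 0:                      # stored location still has the majority
            self.leading.pop(mac, None)
            return cur
        cand, since = self.leading.get(mac, (best, ts))
        if cand != best:
            since = ts                     # a new challenger starts its own clock
        self.leading[mac] = (best, since)
        # Temporal rule: the larger the lead, the sooner the change is applied.
        if ts - since >= BASE_DELAY_S / lead:
            self.active[mac] = best
            del self.leading[mac]
        return self.active[mac]

# Constructed scenario: MAC, reporter names and coordinates are made up.
MAC, A, B = "00:11:22:33:44:55", (47.38, 8.54), (40.71, -74.01)

def demo():
    llt, seen = LocationTable(), []
    for r in ("r1", "r2", "r3"):                       # AP is first seen at A
        llt.report(0, r, MAC, *A)
    for t in range(100, 200, 10):                      # one reporter repeats B
        seen.append(llt.report(t, "m1", MAC, *B))
    for r in ("u1", "u2", "u3", "u4", "u5"):           # many reporters now see B
        seen.append(llt.report(1000, r, MAC, *B))
    seen.append(llt.report(1000 + 3 * 86400, "u5", MAC, *B))
    return seen
```

Repeated reports from one reporter never outvote the stored location, and a change backed by a real majority still waits out a delay that shrinks as its lead grows, which is the freshness-versus-resistance tradeoff named on the slide.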

The provider can choose to only rely on self-collected data, but this will lead to outdated entries

Conclusion: Summary
- Studied the security of public WLAN-based positioning systems
- Presented LN- and LLT-based attacks and discussed countermeasures
- Demo: the current systems should not be used in security-relevant contexts

Future work
- Similar attacks are possible on GSM and even GPS
- Combine these attacks to defeat devices using all these mechanisms
- Exploration of signal fingerprints of APs