On Physical-Layer Identification of Wireless Devices, BORIS DANEV, DAVIDE ZANETTI, and SRDJAN CAPKUN, 2012. Presented by: Vinit Patel, Wichita State University

Mar 30, 2015

On Physical-Layer Identification of Wireless Devices

BORIS DANEV, DAVIDE ZANETTI, and SRDJAN CAPKUN, 2012

Presented by: Vinit Patel, Wichita State University

Outline of the Paper

• Introduction on Physical-layer device identification

• Physical-Layer Device Identification system and its components

• Physical-Layer Identification techniques and approaches

• Attacks within Physical-Layer Identification

• Implication and examples

• Conclusion

Introduction

• Physical Layer Identification: a technique that allows wireless devices to be identified by unique characteristics of their analog (radio) circuitry (fingerprinting).
  – This is possible due to imperfections in the analog circuitry that are introduced in the manufacturing process.

Introduction

• Different purposes of PLI (Physical Layer Identification)
  – Intrusion detection
  – Access control
  – Wormhole detection
  – Cloning detection
  – Location and anonymity privacy
  – Also for RFID (as we saw in Tuesday’s class)

Physical-Layer Device Identification system and its components

• Involves three entities

Physical-Layer Device Identification system and its components

• Two modules for a PLI
  – Enrollment: signals are captured from the device and the device's fingerprints are stored in a database
  – Identification: the fingerprints that are obtained are matched against the fingerprints stored in the DB during enrollment
    • Can identify a device
    • Can identify from among many devices
    • Can verify that a device matches a claimed identity

Device under Identification

• Any device that uses radio communication can be subject to PLI

– Different classes of device that can be identified by PLI: VHF (very high frequency) transmitters, HF RFID, UHF (ultra high frequency) RFID, Bluetooth, and IEEE 802.11 and IEEE 802.15.4 transceivers

– What makes the device unique? Imperfections in design and manufacturing. [Toonstra and Kinser 1995, 1996]

Identification Signals

• Identification signals: signals that are collected for the purpose of identifying the device

• Different signal characteristics are observed here, such as amplitude, frequency, and phase

Acquisition Setup

• Responsible for the acquisition and digitalization of the identification signals.
  – Should never influence the signal (e.g., by adding noise)
  – The signals should be preserved and keep the same characteristics the PLI relies on
  – High quality may be necessary

Acquisition Setup

• Two types of identification:
  – Passive: acquires the signal without interacting with the device.
  – Active: acquires the signal after challenging the device to transmit it.

Feature Extraction Module

• Responsible for extracting characteristics from the signals that can then be used to distinguish devices or classes of devices

• Two types of features involved:
  – Predefined features: well-understood characteristics that are known in advance, prior to recording of the signals
  – Inferred features: features that are not known from a predefined feature set.
    • Can be used for dimensionality reduction
    • Remove redundant information from the sample so that the resulting feature contains only relevant information

Device Fingerprints

• Fingerprints are a SET of features that are used to identify devices.

• Properties of fingerprints:
  – Universality: every device should have the considered features
  – Uniqueness: no two devices should have the same fingerprint
  – Permanence: the fingerprints obtained should not change over time
  – Collectability: it should be possible to capture the signals with existing equipment
  – Robustness: fingerprints should be able to be evaluated even in the presence of other interfering radio signals
  – Data dependency: fingerprints need to be obtained from features extracted from a specific signal pattern

Fingerprint matcher and Database

• Compares extracted device fingerprints with the fingerprints that are stored in the DB during the enrollment phase of the device

• The matcher is implemented by distance measures such as:
  – Euclidean distance
  – Mahalanobis distance
  – Probabilistic Neural Networks (PNN) (complex)
  – Support vector machines (SVM) (complex)

System Performance and Design Issues

• System performance is expressed in error rates
  – FAR (false accept rate)
  – FRR (false reject rate)
  – EER (equal error rate)
    • When FAR and FRR are equal
    • Most commonly used metric
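The enrollment, matching and error-rate slides above can be tied together in a short sketch. This is an added example, not code from the paper or the presentation: it uses a Euclidean-distance matcher, and the device names, two-feature fingerprints and thresholds are all constructed.

```python
import math

# Constructed two-feature fingerprints (arbitrary units), three samples per device.
ENROLL = {
    "dev_A": [(1.0, 2.0), (1.2, 2.2), (0.8, 1.8)],
    "dev_B": [(2.0, 2.0), (2.2, 1.8), (1.8, 2.2)],
    "dev_C": [(1.0, 4.0), (1.1, 3.9), (0.9, 4.1)],
}
# Constructed probes captured later: (true device, fingerprint).
PROBES = [
    ("dev_A", (1.1, 2.1)), ("dev_A", (1.6, 2.0)),
    ("dev_B", (2.1, 1.9)), ("dev_B", (1.9, 2.3)),
    ("dev_C", (1.0, 3.8)), ("dev_C", (1.2, 4.1)),
]

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def enroll(samples_by_device):
    """Enrollment: store the per-feature mean of each device's samples."""
    return {dev: tuple(sum(col) / len(col) for col in zip(*samples))
            for dev, samples in samples_by_device.items()}

def identify(db, fp):
    """Identification (one-to-many): the enrolled device closest to fp."""
    return min(db, key=lambda dev: euclidean(db[dev], fp))

def verify(db, claimed, fp, threshold):
    """Verification (one-to-one): accept if fp is close enough to the claimed reference."""
    return euclidean(db[claimed], fp) <= threshold

def error_rates(db, probes, threshold):
    """Try every probe against every claimed identity; return (FAR, FRR)."""
    false_accept = false_reject = genuine = impostor = 0
    for true_dev, fp in probes:
        for claimed in db:
            accepted = verify(db, claimed, fp, threshold)
            if claimed == true_dev:
                genuine += 1
                false_reject += not accepted
            else:
                impostor += 1
                false_accept += accepted
    return false_accept / impostor, false_reject / genuine

def equal_error_point(db, probes, thresholds):
    """Sweep thresholds; return (threshold, FAR, FRR) where FAR and FRR are closest."""
    rows = [(t, *error_rates(db, probes, t)) for t in thresholds]
    return min(rows, key=lambda row: abs(row[1] - row[2]))

if __name__ == "__main__":
    db = enroll(ENROLL)
    sweep = [0.05 + 0.1 * k for k in range(25)]
    for t in sweep[:10]:
        far, frr = error_rates(db, PROBES, t)
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
    print("closest to EER:", equal_error_point(db, PROBES, sweep))
    print("probe (1.6, 2.0) from dev_A identified as", identify(db, (1.6, 2.0)))
```

With so few probes FAR and FRR never meet exactly, so the sweep reports the threshold where they are closest; the second dev_A probe sits nearer to dev_B's reference and shows how overlapping fingerprints produce both a false reject and a false accept.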

System Performance and Design Issues

• Performance of PLI depends on:
  – Resources available
  – Cost
    • The higher the quality and speed, the higher the cost
  – Acquisition setups
    • Certain signals may be hard to get at different locations

Proposed improvements for PLI systems

• System properties that always need improving: accuracy (most significant), computational speed, exception handling, and costs.

• Four different strategies can be deployed to achieve this task.

Proposed improvements for PLI systems

• (1) Acquire signals from multiple acquisition setups
  • Getting the signal from different locations at the same time

• (2) Acquire signals from multiple transmitters on the same device (MIMO)
  • More robust fingerprints (two fingerprints instead of one)

• (3) Collect several acquisitions of the same signal
  • To obtain more reliable fingerprints. Samples are averaged out into one significant sample and that is used to create the fingerprint

• (4) Consider different signal parts
  • Different modalities of signals are combined to improve accuracy and robustness

Physical-Layer Identification techniques and approaches

• Identification of radio signals became very important during WWII.

• Two main techniques/approaches discussed in the paper:
  – Transient-based approach and modulation-based approach.

Transient Based Approach

• Techniques that use the turn on/off transient of a radio signal.

[Figure label: Analog to digital converter]

Transient Based Approach

• Fingerprinting Approach Details

1. Extract the transient part
  – Threshold-based algorithm

2. Extract features from the transient signal (fingerprints)
  – Transient length
  – Number of peaks in transient
  – Amplitude in transient

3. Classify unknown fingerprints to the reference fingerprints (using a Kalman filter)
  – Compute the classification error rate
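Steps 1 and 2 above can be sketched on an amplitude envelope as follows. This is an added example, not code from the paper or the presentation: the envelopes are constructed, the parameter names and defaults (`noise_len`, `k`, `settle_tol`, `hold`) are assumptions, and the Kalman-filter classification of step 3 is not shown.

```python
import statistics

def extract_transient(env, noise_len=20, k=6.0, settle_tol=0.03, hold=10):
    """Threshold-based transient extraction on an amplitude envelope.

    Start: first sample after the noise window that exceeds
           noise mean + k * noise standard deviation.
    End:   first sample from which `hold` consecutive samples stay within
           settle_tol of the steady-state amplitude (mean of the last `hold` samples).
    Returns (start, end) with end exclusive, or None if no transient is found.
    """
    noise = env[:noise_len]
    threshold = statistics.mean(noise) + k * statistics.pstdev(noise)
    start = next((i for i, v in enumerate(env[noise_len:], noise_len) if v > threshold), None)
    if start is None:
        return None
    steady = statistics.mean(env[-hold:])
    for end in range(start + 1, len(env) - hold + 1):
        if all(abs(v - steady) <= settle_tol * steady for v in env[end:end + hold]):
            return start, end
    return None

def transient_features(env):
    """Fingerprint of one capture: (transient length, number of peaks, peak amplitude)."""
    bounds = extract_transient(env)
    if bounds is None:
        return None
    seg = env[bounds[0]:bounds[1]]
    peaks = sum(1 for i in range(1, len(seg) - 1) if seg[i - 1] < seg[i] > seg[i + 1])
    return (len(seg), peaks, max(seg))

# Constructed envelopes: 30 samples of channel noise, a turn-on transient, steady state.
NOISE = [0.01, 0.02] * 15
ENV_1 = NOISE + [0.1, 0.3, 0.6, 0.9, 1.2, 1.1, 0.9, 1.08, 0.95, 1.02] + [1.0] * 40  # overshoot, ringing
ENV_2 = NOISE + [0.08, 0.2, 0.35, 0.5, 0.65, 0.8, 0.9, 0.96, 0.99] + [1.0] * 41     # slow, monotonic

if __name__ == "__main__":
    for name, env in (("device 1", ENV_1), ("device 2", ENV_2)):
        print(name, "transient at", extract_transient(env), "features", transient_features(env))
```

The two constructed devices reach the same steady-state amplitude, yet their transients differ in all three features, which is the property the transient-based approach relies on.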

Transient Based Approach Experiments

Modulation Based Approach

• This technique extracts unique features from the part of the signal that has been modulated (data).

– New approach that is still being researched

Modulation Based Approach

• Fingerprinting Approach Details

1. Capture the signals using the vector signal analyzer
  – QPSK constellation
  – Signal spectrum

2. Extract the following errors due to QPSK modulation
  – I/Q origin offset
  – Frequency offset
  – Error Vector Magnitude

3. Fingerprints are represented by a vector of the above three errors

4. Compute the classification error rate (CER)
  • Ratio of incorrectly classified device fingerprints over all classified fingerprints

[Figure: QPSK signal constellation with points labelled 01, 11, 00, 10]
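The four steps above, carried through on synthetic I/Q symbols. This is an added example, not code from the paper or the presentation, and it assumes a noise-free capture of a preamble whose two halves are identical. The transmitter model (I/Q gain imbalance, carrier leakage, carrier frequency error) and all device names and values are constructed.

```python
import cmath
import math

# Unit-power QPSK points, one per quadrant.
QPSK = [complex(i, q) / math.sqrt(2) for i, q in ((1, 1), (-1, 1), (-1, -1), (1, -1))]
L = 16                                          # symbols per preamble half (assumed)
PREAMBLE = [QPSK[k % 4] for k in range(L)] * 2  # constructed: the same half sent twice

def transmit(origin, phi, gain_imb):
    """Constructed transmitter: I/Q gain imbalance, carrier leakage `origin`,
    carrier frequency error of `phi` radians per symbol. No channel noise."""
    return [(complex((1 + gain_imb) * s.real, s.imag) + origin) * cmath.exp(1j * phi * k)
            for k, s in enumerate(PREAMBLE)]

def fingerprint(rx):
    """Return (I/Q origin offset, frequency offset, EVM) for one received preamble."""
    # Frequency offset: the repeated halves differ only by a rotation of phi * L.
    corr = sum(rx[k + L] * rx[k].conjugate() for k in range(L))
    phi = cmath.phase(corr) / L
    derot = [r * cmath.exp(-1j * phi * k) for k, r in enumerate(rx)]
    # I/Q origin offset: centre of the constellation (the preamble is balanced).
    origin = sum(derot) / len(derot)
    # EVM: RMS distance to the nearest ideal point, relative to unit symbol power.
    errs = [min(abs(x - origin - p) for p in QPSK) for x in derot]
    evm = math.sqrt(sum(e * e for e in errs) / len(errs))
    return (abs(origin), phi, evm)

def classification_error_rate(refs, frames):
    """CER: incorrectly classified fingerprints over all classified fingerprints."""
    wrong = 0
    for true_dev, rx in frames:
        fp = fingerprint(rx)
        guess = min(refs, key=lambda dev: math.dist(refs[dev], fp))
        wrong += guess != true_dev
    return wrong / len(frames)

# Constructed devices: (origin offset, rad/symbol, gain imbalance); nic_B and nic_C are similar.
NOMINAL = {"nic_A": (0.02 + 0.01j, 0.010, 0.03),
           "nic_B": (0.05 - 0.02j, 0.025, 0.08),
           "nic_C": (0.05 - 0.01j, 0.022, 0.07)}
REFS = {dev: fingerprint(transmit(*p)) for dev, p in NOMINAL.items()}
# Constructed later captures; each device's impairments drift slightly between frames.
FRAMES = [
    ("nic_A", transmit(0.02 + 0.01j, 0.011, 0.03)),
    ("nic_A", transmit(0.021 + 0.01j, 0.010, 0.035)),
    ("nic_B", transmit(0.05 - 0.02j, 0.026, 0.08)),
    ("nic_B", transmit(0.05 - 0.02j, 0.024, 0.085)),
    ("nic_C", transmit(0.05 - 0.01j, 0.021, 0.07)),
    ("nic_C", transmit(0.05 - 0.015j, 0.0245, 0.078)),  # drifts towards nic_B
]

if __name__ == "__main__":
    for dev, ref in REFS.items():
        print(dev, "reference fingerprint:", tuple(round(v, 4) for v in ref))
    print("CER:", classification_error_rate(REFS, FRAMES))
```

The last nic_C frame lands closer to nic_B's reference, so one of six fingerprints is misclassified; devices of similar build give nearby error vectors, which is where a nonzero CER comes from.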

Other Approaches/Techniques

• Baseband power spectrum density of packet preambles
  – 20% CER

• Using near-transient and midamble regions of GSM-GMSK (Global System for Mobile Communications, Gaussian minimum shift keying) burst signals
  – The CER was higher in the midamble than when using the transient regions.

• For UHF RFID:
  – Using timing properties of the tags
  – Showed that the duration of the response can be used to distinguish tags of the same manufacturer and RFID type.

• For HF RFID:
  – Timing and modulation shape features can only be used to distinguish between manufacturers.

Attacks within Physical-Layer Identification

• This section discusses attacks that aim to subvert the decision of an application, and attacks on the anonymity of wireless devices that aim to identify a device even if it is not willing to be identified.
  – Assumes a “Dolev-Yao style attacker”
    • The attacker can observe, capture, modify, compose, and (re)play signals transmitted by the device

Signal Replay Attack

• The goal is to observe the signals of a device, capture them in digital form, and then transmit the signal again towards the PLI.
  – The attacker does not modify the signal
  – Attacker's knowledge:
    • Not assumed for the feature extraction and matching
    • Assumed for how to observe, capture, and submit signals to the system

• Why replay attacks?
  – To gain access to resources by replacing an authentication message
  – In DoS, to confuse the destination host

Signal Replay Attack

• Aims at preserving the digital sample of the signal.

– Note: replay of digital signals can never be exact as opposed to information bits.

• High-end hardware and a controlled wireless medium are needed to improve accuracy.

• Could be relayed without being stored in digital form.
  – Amplifiers and multiple antennas are needed.

Feature Replay Attacks

• This attack creates, modifies, or composes signals that reproduce ONLY the features that are considered by a PLI system.
  – Similar to message forging, but…

• This attack only requires the information bits, unlike the analog/digital signal samples and data payload in forging.

Feature Replay Attacks

• Needs to preserve the identification features.

• Attacker needs to know the features that the PLI extracts from the device.

• Needs to be able to forge signals while keeping the unique features.

• Feature replay attacks can be launched by:
  – Using arbitrary waveform generators
  – Using a device with similar features to the target device (large set of same model and manufacturer devices)
  – Replicating circuitry/components of the target device (hardest)

Implication and examples of PLI (Intrusion Detection in WLAN networks)

• (1) PLI can be used to enhance the security of WLANs
  – By providing access control to prevent unauthorized devices on the network.
    • PLI deployed in APs to defend against cryptographic key compromise by an attacker.
    • PLI can help determine multiple MACs or crypto keys that belong to the same device.
    • An attacker who holds the crypto key(s) still cannot authenticate to the network unless they somehow get past the PLI system

• (2) PLI techniques can be used to protect against rogue APs.

Implication and examples of PLI (Intrusion Detection in WLAN networks)

• System property requirements:
  – Physical-layer device fingerprints need to be resilient to distance and location.
  – Transient signal samples can carry wireless channel characteristics along with the device-specific information they are intended to carry.
    • How to handle this remains an open question.

• Security requirements:
  – Resilient to remote impersonation attacks
  – Resilient to attacks by signal and feature replays

Implication and examples of PLI (Device Cloning Detection-RFID-Identify Documents)

• RFID transponders in documents can be successfully cloned even if protective measures are in place

• PLI can be applied to document cloning in two different ways:
  – (1) Fingerprints are measured before the RFID deployment, stored in a back-end database, and indexed with a unique ID.
  – (2) Fingerprints are measured before the RFID deployment, BUT stored in the transponder's memory.
    • Advantage: document authenticity can be verified OFFLINE.
    • Disadvantage: the fingerprint is stored on the transponder, so it requires access protection. Also, fingerprints need to be compact enough to fit in the memory

Implication and examples of PLI (Device Cloning Detection-RFID-Identify Documents)

• System Property Requirements:
  – Special purpose-built devices need to be made.
    • Fingerprints need to be measured in multiple locations (country border)
    • Devices should be high quality to preserve the fingerprint from distortions

Implication and examples of PLI (Device Cloning Detection-RFID-Enabled Supply Chains)

• PLI provides a means to detect counterfeit products by creating PLI fingerprints that bind the RFID tag to the original, claimed identity.
  – Unlike e-passports, where the fingerprint is stored directly on the passport, the fingerprints would be stored in a database.
    • These can be compared later with the fingerprints obtained from the RFID tag.

Implication and examples of PLI (Device Cloning Detection-RFID-Enabled Supply Chains)

• System Property Requirements:
  – High computational speed
    • A large number of products on pallets pass through identification gates in a short time.
  – Fingerprints need to be robust
    • Tags are placed anywhere on pallets and may interfere with other wireless communication
  – High system accuracy
    • Verifying false results may slow down the supply chain process

• System Security Requirements:
  – Equipping each counterfeit product with a replaying device is too expensive
  – Equipping counterfeit products with RFID tags that have features similar to the tags on real products will pass the identification requirement and is the smart choice in terms of cost.

Other Related Applications

• Wormhole attack:
  – Creates a tunnel that connects two points in the network and relays messages back and forth.
  – Can filter unwanted packets and refuse traffic forwarding
  – PLI can be used to verify the origin device of the transmitted signal

• Sybil attack:
  – The attacker assigns different identities to the same node.
  – PLI can detect multiple device identities.

Implication and examples of PLI (Anonymity and Location Privacy)

• PLI techniques require few packets to identify the number of devices in the vicinity and classify individual packets to the corresponding transmitting device.

• Example: targeting UHF RFID
  – Shown to leak information which is independent of your position.
  – If a user has a number of UHF tags, a network of readers can track them, regardless of location and distance.

• Example: user has 5 cards
  – Can be identified among 6x10^6 users.
  – Shows that card holder privacy can be compromised by the ability to read UHF RFID from large distances

Conclusion

• Benefits applications such as access control and device cloning detection, and provides identity (location) privacy.

• Has been investigated on a broad general spectrum of wireless technologies, but primarily as a defensive technique.

• A lot of future research is still available in this area
  – What are the exact causes of identification?
  – The feasibility or non-feasibility needs to be considered
  – How much information entropy do fingerprints contain?

• By analyzing the system, state-of-the-art approaches, attacks, and security issues, we can give an overview of physical-layer identification of wireless devices.

THANK YOU !