Et Tu Alexa? When Commodity WiFi Devices Turn into Adversarial - - PowerPoint PPT Presentation

SLIDE 1

Et Tu Alexa?

When Commodity WiFi Devices Turn into Adversarial Motion Sensors

Yanzi Zhu*, Zhujun Xiao, Yuxin Chen, Zhijing Li*, Max Liu, Ben Y. Zhao, Heather Zheng University of Chicago, *UC Santa Barbara

SLIDE 2

Smart Devices are Everywhere

Smart Home, Smart Factory, Smart Office

SLIDE 3

Attacks Enabled by Smart Devices

Server room, Meeting room, Private office

WiFi sniffer, Router, Internet

  • 1. Hack the device
  • 2. Hack the network
  • 3. Network traffic analysis

This paper: A new form of attack via passive WiFi signal analysis

SLIDE 4

Silent Reconnaissance Attack

Server room, Meeting room, Private office

WiFi sniffer

Continuous motion tracking:

  • 13:35:00 move in server room
  • 13:45:00 leave server room
  • 13:45:20 move in private office
  • 13:55:20 leave private office

SLIDE 5

Silent Reconnaissance Attack

Server room, Meeting room, Private office

WiFi sniffer

Reconnaissance attack via listening to (w/o decoding) WiFi signals

SLIDE 6

Leveraging Two Facts

(1) Smart devices are filling our home/office/factory; each room has multiple devices.

(2) Smart devices transmit WiFi data regularly.

Device Packets sent per second Active Idle 108 ≥ 0.5 16 2 200 6.64 ≥ 3.33 ≥ 2.44 257 28.6

TV

SLIDE 7

Human Motion is “Embedded” in Ambient WiFi Signals

Server room, Meeting room, Private office

Threat model:

  • 1. Non-intrusive
  • 2. Undetectable

Ambient WiFi signals fluctuate when humans move. Sniffer captures such fluctuation.

SLIDE 8

Outline

  • Introduction
  • Silent Reconnaissance Attack
  • Attack Implementation & Real-world Evaluation
  • Defense

SLIDE 9

How is Human Motion Embedded in WiFi Signals

[Figure: WiFi Device A (anchor, acting as motion sensor), sniffer, and motion between them; plot over time of the sniffer's received signal of A]

Large signal variation indicates human motion.

SLIDE 10

Measure Signal Variation via CSI

Our solution: leverage Channel State Information (CSI)

  • CSI = signal strength at different sub-frequencies
  • 1. Compute std for each sub-frequency
  • 2. Average std across sub-frequencies

Our final metric: σaCSI

[Figure: signal amplitude over time and frequency]

SLIDE 11

σaCSI Captures Human Motion

  • σaCSI can separate periods with and without human motion.
  • σaCSI can tell whether a human is moving towards or away from the anchor.

[Figures: σaCSI over time, without motion vs. with motion; σaCSI over time, without motion vs. with motion, moving away vs. moving towards]

SLIDE 12

Our Attack: End-to-end View

Phase 1: bootstrapping. Identify and locate static WiFi devices to their individual rooms.

Phase 2: continuous monitoring. Human motion sensing by a static sniffer.

[Figure labels: Attacker, Static Sniffer]

SLIDE 13

Attack Implementation & Real-world Evaluation

Implementation

  • Modified WiFi firmware to passively collect CSI
  • 1st to enable passive CSI collection of any commodity WiFi devices*

Experiments

  • 11 homes & offices with various floorplans
  • 31 WiFi devices & 5 volunteers

Measurements

  • 41 hours of data (~8 hours of human motion)

Setup Example

[Figure labels: WiFi Device, Sniffer]

Sniffer: Nexus 5 w/ modified WiFi firmware

*Previous work cannot collect CSI continuously on commodity devices.

SLIDE 14

Attack is Effective

[Bar chart: human detection rate and false alarm rate (percentage) for state-of-the-art human sensing* (4 anchors), ours (1 anchor) and ours (4 anchors); values shown: 99.7%, 80.6%, 46%, 10.7%, 3.6%, 15%]

Human detection rate = T(attacker reports room has human inside) / T(room has human inside)

False alarm rate = T(room does not have human inside) / T(attacker reports room has human inside)

* LiFS: Low human-effort, device-free localization with fine-grained subcarrier information. MobiCom’16.

SLIDE 15

Attack is Robust

How effective is our attack at low packet rate?

  • Human detection rate drops only 1.5% when anchor transmits at 2 packets per second (pps), compared to full rate 11pps.

How about non-human sources of motion?

  • Fans: No Impact
  • Oscillating Fans: Distinguishable
  • Pets: Similar to Human

SLIDE 16

Defense via Corrupting Attacker’s Received Signal

Observation: the effectiveness of this attack depends on quantity and quality of signals.

Reducing quantity

  • WiFi rate limiting
  • MAC randomization
  • Geofencing

Ineffective and/or impractical

Reducing quality

  • Signal obfuscation by smart devices
  • Signal obfuscation by AP (our defense)

SLIDE 17

Our Proposal: AP-Based Obfuscation

[Figure labels: WiFi Device A, Sniffer, AP]

  • Spatial Obfuscation: AP sends cover traffic on behalf of each smart device (using its MAC address).
  • Temporal Obfuscation: AP randomly varies power over time.

SLIDE 18

Our Proposal: AP-Based Obfuscation

  • Spatial Obfuscation: AP sends cover traffic on behalf of each smart device (using its MAC address).
  • Temporal Obfuscation: AP randomly varies power over time.

With defense, human detection rate drops significantly.

Human detection rate: 99.7% w/o defense, 47.5% w/ defense
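The two-step σaCSI metric from slide 10 and the AP-based obfuscation from slides 17 and 18, as an added Python sketch for checking how much cover traffic blurs the metric; it is not code from the presentation or its authors. The CSI amplitudes are constructed, and the jitter levels, AP baseline, 0.5 to 1.5 power range and function names are assumptions of this toy model.

```python
import random
import statistics

def sigma_acsi(window):
    """window: list of packets, each a list of per-sub-frequency CSI amplitudes."""
    # Step 1: std over time for each sub-frequency; step 2: average across them.
    return statistics.fmean(statistics.pstdev(s) for s in zip(*window))

def device_window(rng, jitter, n_packets=40, n_sub=30):
    """Constructed amplitudes for one anchor: fixed baseline plus Gaussian jitter.
    Small jitter stands in for an empty room, large jitter for motion (assumption)."""
    base = [10 + 0.1 * k for k in range(n_sub)]
    return [[b + rng.gauss(0, jitter) for b in base] for _ in range(n_packets)]

def with_ap_cover(rng, window, n_cover=40):
    """Toy model of AP-based obfuscation (assumption, not the authors' design):
    cover packets carry the device's MAC, so a passive listener pools them
    with the device's own packets when computing the metric."""
    ap_base = [6 + 0.05 * k for k in range(len(window[0]))]  # AP's own channel
    cover = []
    for _ in range(n_cover):
        gain = rng.uniform(0.5, 1.5)  # AP varies transmit power per packet
        cover.append([gain * b for b in ap_base])
    return window + cover

def separation(seed=7):
    """Return (plain_ratio, defended_ratio): sigma_aCSI with motion / without."""
    rng = random.Random(seed)
    still = device_window(rng, jitter=0.2)
    moving = device_window(rng, jitter=1.5)
    plain = sigma_acsi(moving) / sigma_acsi(still)
    defended = (sigma_acsi(with_ap_cover(rng, moving))
                / sigma_acsi(with_ap_cover(rng, still)))
    return plain, defended

if __name__ == "__main__":
    plain, defended = separation()
    print(f"motion/no-motion ratio without defense: {plain:.2f}")
    print(f"motion/no-motion ratio with AP cover:   {defended:.2f}")
```

A ratio near 1 with cover traffic means the metric no longer separates an occupied room from an empty one in this model.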

SLIDE 19

Conclusion

Undetectable silent reconnaissance attack

  • No hacking needed, only passive WiFi signal analysis

Effective in real-world evaluations

  • 11 homes/offices, 31 WiFi devices

New defenses

  • AP-based obfuscation is effective

Thank you. Any questions?