LoWS Lo cation-based W i-Fi S ervices A Complete Open Source - - PowerPoint PPT Presentation
LoWS Lo cation-based W i-Fi S ervices A Complete Open Source Solution for Wi-Fi Beacon Stuffing Based Location-based Services WMNC 2016 Sven Zehl , Niels Karowski, Anatolij Zubow and Adam Wolisz Telecommunication Networks Group Technische
Telecommunication Networks Group Technische Universität Berlin
A Complete Open Source Solution for Wi-Fi Beacon Stuffing Based Location-based Services
WMNC 2016 Sven Zehl, Niels Karowski, Anatolij Zubow and Adam Wolisz
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 2
Motivation
IEEE 802.11 is the standard technology for wireless
networks especially in providing wireless Internet access
IEEE 802.11 Access Points are widely deployed
Source: gowex.com
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 3
Motivation
Access points are announcing their presence using IEEE
802.11 beacon frames
IEEE 802.11 capable devices in the vicinity receive
these beacon frames
To accelerate this process, clients can trigger the AP to
send out the information contained in the beacon frames immediately using IEEE 802.11 probe requests
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 4
Motivation
To accelerate the collection process, IEEE 802.11
clients can trigger the AP to send out the information contained in the IEEE 802.11 beacon frames immediately
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 5
Motivation
Beacon frames are built up using fixed length
parameters and variable length fields (tagged parameters)
The variable length fields are called IEEE 802.11
information elements (IE) and are used e.g. for the SSID or the supported rates
The IEEE 802.11 standard defines vendor-specific
information elements to transport custom data
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 6
Motivation
The term IEEE 802.11 beacon stuffing means to
embed additional information within beacon frames
This enables to broadcast location-based information
from access points to clients without the need of:
Clients to associate Clients to have Internet access Clients sharing their intents New hardware on sender or receiver side
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 7
Motivation - Example Scenarios
Location-based WiFi Services
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 8
Motivation - Scenarios
Emergency Propagation System
Warn people in the emergency area and give them
instructions (fire emergency, shooting-rampage, earthquake, etc.)
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 9
Motivation - Scenarios
Physical service announcements and advertisements Waiting ticket number broadcasting Train-station or airport announcements
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 10
The Location based WiFi Services System
Location-based WiFi Services
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 11
The Location based WiFi Services System (LoWS System)
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 12
The LoWS System – Global Codebook Approach
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 13
The LoWS System – The Dichotomous Code
Combining the global codebook approach and the
local codebook approach
Divide the code in a location independent part (LIC,
global codebook) and a location dependent part (LDC, local codebook)
Global codebooks are preinstalled in the LoWS
receiver applications, local codebooks are distributed via local codebook-servers and downloaded by the LoWS receiver application when a location is entered the first time
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 14
The LoWS System – Global Address Server and Local Codebook Servers
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 15
The LoWS System – LoWS Control Access Point Adapter Interface
Considering the heterogeneity of the
Wireless LAN architectures, e.g. an autonomous or a
centralized architecture
Wireless LAN hardware, e.g. hardware from Cisco, Aerohive,
Huawei or OpenWRT based APs
Embedding of additional data within beacon frames is
hardware specific
LoWS Control Access Point Adapter Interface enables
to interoperate with different access point types by defining a uniform interface
Designed an Access Point Adapter for OpenWRT
based APs (autonomous architecture) and Cisco lightweight APs (centralized architecture)
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 16
The LoWS System Architecture
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 17
The LoWS System Architecture
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 18
The LoWS System Architecture
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 19
The LoWS System Architecture
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 20
Embedding additional Data in IEEE 802.11 Beacon Frames
Location-based WiFi Services
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 21
Embedding Data in Beacons
Centralized WLAN Architecture: Cisco CAP-3502 AP
Leader in IEEE 802.11
enterprise deployments
APs are managed by
centralized controller using the CAPWAP protocol
Proprietary software, no
modification possible
Autonomous WLAN Architecture: OpenWRT based AP
Support of about 600 different
IEEE 802.11 autonomous APs from over 100 distinct vendors
Open source Linux-based
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 22
Embedding Data in Beacons - Cisco Access Points
Cisco APs embed their hostname within every
broadcasted beacon frame within a special IE:
Hostname of AP can be set via SNMP on the WLAN
controller.
Enables the embedding of 15 ASCII characters
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 23
Embedding Data in Beacons – OpenWRT based APs
OpenWRT utilizes open source
access point software hostapd:
hostapd can be controlled via
daemon hostapd_cli
Patching of hostapd and
hostapd_cli enables adding of additional IE(s) to beacon frames during AP runtime
OpenWRT supports radiotap frame
injection:
Enables the sending of additional
beacon frames beside hostapd and setting of transmission rate for the broadcasted beacon frames
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 24
Retrieving the additional embedded Information
Location-based WiFi Services
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 25
Receiving the embedded Data – Enabling to retrieve IEEE 802.11 IE(s) without root access on Android
Challenge: no solution exists that enables
the retrieval of information elements out of the Wi-Fi scan results without patching the
We enabled this possibility by combining
the Android WiFi API with direct driver communication via Netlink sockets
Using the Android standard API to start a
new WiFi scan
Sending Netlinks commands to driver to
retrieve the IEEE 802.11 scan results from kernel
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 26
Prototype of the LoWS System
Location-based WiFi Services
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 27
LoWS System Prototype
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 28
LoWS System Prototype
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 29
LoWS System Prototype
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 30
LoWS System Prototype
Implemented prototypes of the LoWS Control, the local
codebook-server and the global address-server using PHP and MySQL.
Implemented the LoWS Receiver Application for
Android devices that can be used on COTS Android devices without root privileges.
Implemented Access Point Adapter for OpenWRT based
APs and Cisco lightweight APs.
Currently supported LoWS services:
Beacon Emergency Propagation System Physical Service Announcement Waiting Ticket Number
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 31
LoWS System Prototype Evaluation – Energy Consumption
LoWS receiver devices are mostly mobile devices that
are battery powered
LoWS receiver application consists of a background
scan service which is executed periodically and therefore permanently consumes energy
Evaluation of the energy consumption:
Used IEEE 802.11 active scan energy consumption
estimation from Lin et. al 2010 for the energy consumption of the IEEE 802.11 hardware per scan
Measured LoWS Background Scan Service energy
consumption using the Power Tutor application from the University of Michigan (Zhang et. al 2010)
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 32
LoWS System Prototype – Energy Consumption Estimation
LBSS = LoWS Background Scan Service
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 33
Conclusion
Design and Implementation of the Location based WiFi
Services System (LoWS System) that supports:
Utilization of already deployed sending COTS hardware Easy integration of new sending hardware Installation of the LoWS receiving application on COTS
Android devices
Utilization of IEEE 802.11 Information Elements to transport
additional data broadcasted within beacon and probe response frames
Supports the sending of predefined codes (Dichotomous
Code)
LoWS prototype is published as open-source on Github:
https://github.com/lows
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 34
Thank you!
https://github.com/lows
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 35
BACKUP SLIDES
Flexible Information Broadcasting using Beacon Stuffing in IEEE 802.11 Networks
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 36
The LoWS System – Global or Local Codebook Approach
Global codebook approach
+ Only one codebook globally + Codebook can be preinstalled on all LoWS entities
Local codebook approach
+ Every location can include location details
access needed.
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 37
Location-based WiFi Services Protocol
Reduced LoWS frame format:
Minimal amount of overhead (1byte service type, 2 bytes payload) Transport of the dichotomous code
Flexible LoWS frame format:
Variable amount of payload Transport of the dichotomous code as well as of other kinds of
data representations
Additional features:
Fragmentation Authentication Encryption
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 38
LoWS Protocol – Reduced Frame Example
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 39
LoWS Protocol Flexible Frame Example
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 40
LoWS Protocol - Fragmentation
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 41
LoWS Protocol - Security
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 42
LoWS Protocol – Fragmentation and Security
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 43
Possibilities to embed Information into Beacon Frames
SSID Concatenation[1]
32 alphanumeric characters, no software modification
Problem: Embedded information appears as new Wi-Fi network
BSSID Concatenation[1]
6 octets, requires driver modification on sender side
Problem: Small amount of data, problems with some receiver implementations
Information Elements (IE)[1]
255 bytes per IE, multiple IEs per beacon, requires user-space modification on sender and receiver side
Problem: Increases length of beacon and needed air-time
Length Field Overloading[2]
Up to 191 bits (23,8 bytes), requires driver modification on sender and receiver side
Problem: Small amount of data embedding, variable embedding lengths
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 44
Structure of a IEEE 802.11 Beacon Frame
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 45
IEEE 802.11 Information Element
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 46
Beacon Emergency Propagation System (BEPS)
Example reduced format of protocol Using HASC emergency codes used in US hospitals
Use first ASCII char for code, e.g. „R“ = RED for „fire, Second ASCII for location specific instructions, e.g. „w“ for
„use west stairs to evacuate“
Instructions can be made customizable by network
administrator (downloadable codebook mapped to MAC of access points)
Example:
emergency (0x52)
to evacuate (0x77)
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 47
Embedding Data in Beacons - Cisco Access Points
Managed by the CAPWAP protocol (RFC5415)
Source:d-jet.com
set via CAPWAP control messages (RFC 5416)
using manufacturer installed certificates (MICs) for symmetric key exchange
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 48
Embedding Data in Beacons - Cisco Access Points
The CCX Information Element
therefore solution is only suitable for information changes with low frequency or high priority
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 49
Embedding Data in Beacons - Cisco Access Points
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 50
Embedding Data in Beacons - OpenWRT Access Points
Netlink Protocol and Hostapd
which:
via hostapd_cli
and initial beacon frame structure
Netlink sockets
enables adding of Information Elements during runtime to beacon frames and probe responses
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 51
Embedding Data in Beacons - OpenWRT Access Points
Radiotap Frame Injection
frame injection via a monitor interface
additional beacon frames beside hostapd
the IEEE 802.11 transmission rate and therefore the control of the sending range
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 52
Embedding Limitations
Cisco CAP-3502 AP
15 ASCII characters are
available, but system administrator also needs hostname for identification
Recognition if location-based
information embedded into hostname
signaling
E.g. hostname:
AP2-EN-FL2^XXX^ (X=embedded information, ^=identifier)
OpenWRT based AP
252 byte per vendor-specific
Information Element can be used
Number of information
elements is restricted by maximum IEEE802.11 management frame body size (2320 Byte in theory)
Recognition if vendor-specific
element belongs to our protocol
that is not registered at IEEE, for identification
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 53
Retrieving the additional embedded Information
Flexible Information Broadcasting using Beacon Stuffing in IEEE 802.11 Networks
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 54
Receiving the embedded Data – Modification of the Android Standard Wifi API
Problem: The standard Android Wi-Fi API does not provide access to all Information Elements (IEs) inside beacon frames.
Native Interface (JNI) classes to deliver all IEs to user via the modified API Next problem: Patching of WPA Supplicant and the JNI classes needs a full new operating system installation
development kit (NDK) and nl80211 library to start new Wi-Fi scan and to get all IEs from driver directly without WPA_Supplicant Remaining problem: Root-access is needed
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 55
Receiving the embedded Data – Combine Standard Java API with native Netlink Communication
results from driver when „New Scan Results“ intent is received Problem solved!
Framework, no root needed, no operating system modification required
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 56
Prototype of the LoWS System
Flexible Information Broadcasting using Beacon Stuffing in IEEE 802.11 Networks
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 57
LoWS Android Application - Overview
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 58
LoWS Control - Overview
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 59
LoWS Control - Database
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 60
Related Work
Flexible Information Broadcasting using Beacon Stuffing in IEEE 802.11 Networks
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 61
Related Work – Client Pull based Approach and Server Push based Approach
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 62
Related Work – Client Pull based Approaches (Selection)
ANQP = Access Network Query Protocol GAS = Generic Advertisement Service
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 63
Related Work – Client Pull based Approaches (Selection)
ANQP = Access Network Query Protocol GAS = Generic Advertisement Service
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 64
Related Work – Client Pull based Approaches (Selection)
ANQP = Access Network Query Protocol GAS = Generic Advertisement Service
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 65
Related Work – Client Pull based Approaches (Selection)
ANQP = Access Network Query Protocol GAS = Generic Advertisement Service
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 66
Related Work – Server Push based Approaches
Additional information is
embedded within all IEEE 802.11 beacon and / or probe response frames:
By utilizing the SSID field
(Chandra et. al 2007, Microsoft 2006, Pico Systems 2007)
By utilizing the BSSID field
(Chandra et. al 2007, Microsoft 2006)
By adding a custom data field
(IEEE 802.11 information element) (Chandra et. al 2007, Microsoft 2006, Samsung 2011)
Special approaches:
Length Field Overloading
(Gupta and Rohil 2012)
Custom IEEE 802.11 Frame
(Wirtz et al. 2014)
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 67
Related Work – Conclusion
System architecture
Server Push or Client Pull based approach
Embedding technique (within beacon and/or probe
response frames)
Exploiting the SSID field or a subset of it Utilizing the BSSID field Additional custom data field (IEEE 802.11 IE) Length field overloading
Encoding technique
URL that points to the information GAS or ANQP from IEEE 802.11u Extensible Markup Language (XML) Codes that can be decoded with predefined codebooks Custom data format
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 68
LoWS System Prototype Evaluation – Additional Channel Utilization
Additional data in beacon and probe response frames
increases IEEE 802.11 channel utilization
Calculated the additional channel utilization for:
Cisco lightweight AP adapter (hostname embedding) OpenWRT based AP adapter with additional IE within the
beacon and probe responses sent by hostapd (IEEE 802.11 rate is fixed to 1 Mbit/s)
OpenWRT based AP adapter with beacon frame injection
beside hostapd (IEEE 802.11 rate can be adjusted, but additional data consists of one full IEEE 802.11 management frame)
Respectively for a reduced LoWS protocol frame (5 bytes) and
a flexible LoWS protocol frame which utilizes a full IE (257 bytes)
TKN
Telecommunication Networks Group
LoWS - WMNC 2016 69
LoWS System Prototype – Channel Utilization
hostname embedding within the Cisco IE additional IE embedded in beacons broadcasted by AP with 1 Mbit/s rate additional (injected) beacon frames with 1Mbit/s additional (injected) beacon frames with 54Mbit/s
N/A
Reduced LoWS (5 bytes), maximum flexible LoWS (one full vendor specific IE, 257 bytes)