Practical Evaluation of Passive COTS Eavesdropping in 802.11b/n/ac

SLIDE 1

CANS 17 @ Hong Kong

Practical Evaluation of Passive COTS Eavesdropping in 802.11b/n/ac WLAN

DANIELE ANTONIOLI (SUTD), S. SIBY (EPFL), N. O. TIPPENHAUER (SUTD)

Daniele Antonioli Practical Evaluation of Passive COTS Eavesdropping in 802.11b/n/ac 1

SLIDE 2

Our Motivations

  • Some PHY features theoretically disadvantage an eavesdropper
    ◮ E.g.: reduce eavesdropping range
    ◮ Few practical evaluations of those claims
    ◮ Typically not focusing on a real protocol
  • 802.11n/ac WLAN amendments
    ◮ Use of MIMO and beamforming
  • Is eavesdropping affected by recent PHY features?
    ◮ If yes, we get extra resilience for free
    ◮ Even from COTS devices

SLIDE 3

Our Metrics

  • SNR: Signal-to-Noise-Ratio
    ◮ Power of the useful signal divided by the noise power at the receiver
    ◮ $10 \log_{10} \mathrm{SNR} = \mathrm{SNR}_{\mathrm{dB}}$
  • BER: Bit-Error-Rate
    ◮ Probability of erroneously decoding 1-bit at the receiver
    ◮ Not exact quantity (MCS, fading model)
    ◮ $10^{-6}$ is considered a reasonable BER value
  • PER: Packet-Error-Rate
    ◮ Computed as: $\mathrm{PER} = 1 - (1 - \mathrm{BER})^{N}$
    ◮ $N$ is the average packet size in bits

SLIDE 4

Our Evaluation of 802.11 Eavesdropping

  • 802.11n/ac vs. 802.11b
    ◮ Passive eavesdropper (Eve)
    ◮ Downlink channel (from Alice to Bob)
    ◮ NLOS environment (exploit multipath)
    ◮ 802.11b as a baseline: no MIMO
  • Predictions
    ◮ Eve’s SNR disadvantage in b vs. n/ac
    ◮ Eve’s PER disadvantage compared to Bob in n/ac
  • Experimental evaluation
    ◮ With COTS devices in an indoor environment
    ◮ Measure PER and SNR
    ◮ Compare results with predictions

SLIDE 5

802.11 Downlink Passive Eavesdropping

  • 802.11b (SISO)
    ◮ Alice uses 1 antenna
    ◮ No disadvantages for Eve
    ◮ Eve’s success depends on: $d_{AE}$
  • 802.11n/ac (MIMO)
    ◮ Alice uses $L$ antennas
    ◮ Transmit-beamforming towards Bob disadvantages Eve
    ◮ Eve’s success depends on: $d_{AE}$, $d_{BE}$, and $L$

SLIDE 6

Our Attacker Model

  • Eve is a passive eavesdropper
    ◮ Eavesdrops the downlink
    ◮ Outside the main lobe (if Alice uses beamforming)
  • Equipotent to Bob
    ◮ COTS devices
    ◮ Same number of antennas
  • Eavesdrops in monitor mode
    ◮ No retransmissions

SLIDE 7

Theoretical Discussion Goals

  • Quantify the disadvantages of Eve
    ◮ In 802.11n/ac (MIMO) compared to 802.11b (SISO)
  • Eve’s SNR disadvantage
    ◮ Upper bound from BER formula (Rayleigh fading)
    ◮ Lower bound from transmit-beamforming gain
  • Expected BER and PER of Eve vs. Bob
    ◮ Varying their distances to Alice
    ◮ Using different 802.11n/ac path loss models

SLIDE 8

Passive Eavesdropping 802.11n/ac

  • 802.11n/ac (MISO)
    ◮ Alice uses $L$ antennas
    ◮ Transmit-beamforming towards Bob disadvantages Eve
    ◮ Eve’s success depends on: $d_{AE}$, $d_{BE}$, and $L$

SLIDE 9

SNR Disadvantage: Upper Bound

Number of transmitting antennas ($L$) is key:

$$\lambda = \sqrt{\frac{\mathrm{SNR}}{2 + \mathrm{SNR}}} \tag{1}$$

$$\mathrm{BER}_{\mathrm{SISO}} = \frac{1}{2}\,(1 - \lambda) \tag{2}$$

$$\mathrm{BER}_{\mathrm{MISO}} = \left(\frac{1 - \lambda}{2}\right)^{L} \cdot \sum_{i=0}^{L-1} \binom{L + i - 1}{i} \left(\frac{1 + \lambda}{2}\right)^{i} \tag{3}$$

  • If $L = 4$ and $\mathrm{BER} = 10^{-6}$, then
    ◮ $\mathrm{SNR}_{\mathrm{SISO}} = 57$ (no diversity)
    ◮ $\mathrm{SNR}_{\mathrm{MISO}} = 16$ (diversity order = 4)
    ◮ Eve’s SNR disadvantage in 802.11n/ac is 41 dB (at most)

SLIDE 11

SNR Disadvantage: Lower Bound

The MISO transmission gain from Alice to Bob is (using CCD):

$$g^{2} = 10 \log_{10}(L) \ \mathrm{dB} \tag{4}$$

  • Eve is not benefiting from $g$
  • If $L = 4$, then
    ◮ Eve’s SNR disadvantage in 802.11n/ac is 6 dB (at least)
  • Eve’s SNR disadvantage in 802.11n/ac ranges from 6 to 41 dB
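
The two bounds can be reproduced numerically. The following is an added example, not code from the slides or from the authors: it inverts Eqs. (2) and (3) by bisection to find the SNR that gives a target BER, then applies Eq. (4) and the PER formula from the metrics slide. It assumes λ in Eq. (1) is the square root of SNR/(2 + SNR); all function names and the packet size N = 8000 bits are assumptions.

```python
from math import comb, log10, sqrt

def lam(snr):
    # Eq. (1), assumed to be sqrt(SNR / (2 + SNR)); snr is linear, not dB
    return sqrt(snr / (2.0 + snr))

def ber_siso(snr):
    # Eq. (2): one transmit antenna, no diversity
    return 0.5 * (1.0 - lam(snr))

def ber_miso(snr, L):
    # Eq. (3): L transmit antennas, diversity order L
    lm = lam(snr)
    tail = sum(comb(L + i - 1, i) * ((1.0 + lm) / 2.0) ** i for i in range(L))
    return ((1.0 - lm) / 2.0) ** L * tail

def snr_db_for_ber(ber_fn, target, lo_db=-20.0, hi_db=100.0):
    # BER falls monotonically as SNR grows, so bisect on the dB scale
    for _ in range(200):
        mid = (lo_db + hi_db) / 2.0
        if ber_fn(10.0 ** (mid / 10.0)) > target:
            lo_db = mid
        else:
            hi_db = mid
    return hi_db

def upper_bound_db(L, target_ber=1e-6):
    # SNR needed without diversity minus SNR needed with diversity order L
    siso = snr_db_for_ber(ber_siso, target_ber)
    miso = snr_db_for_ber(lambda s: ber_miso(s, L), target_ber)
    return siso, miso, siso - miso

def lower_bound_db(L):
    # Eq. (4): beamforming gain that Bob receives and Eve does not
    return 10.0 * log10(L)

def per(ber, n_bits):
    # PER = 1 - (1 - BER)^N
    return 1.0 - (1.0 - ber) ** n_bits

if __name__ == "__main__":
    siso, miso, gap = upper_bound_db(4)
    print(f"SISO {siso:.1f} dB, MISO {miso:.1f} dB, upper bound {gap:.1f} dB")
    print(f"lower bound {lower_bound_db(4):.1f} dB")
    # N = 8000 bits is an assumed packet size, not a value from the slides
    print(f"PER at BER 1e-6, N = 8000: {per(1e-6, 8000):.4f}")
```
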

SLIDE 12

BER and PER: Indoor Path Loss Models

  • From: Next Gen. Wireless LAN: 802.11n and 802.11ac
    ◮ $d_{BP}$ is the breakpoint distance
    ◮ $\sigma_{SF}$ is the shadowing std dev (log-normal)
    ◮ $s_{PL}$ are the LOS and NLOS path loss slopes
  • Model B: Residential (intra-room)
    ◮ $d_{BP} = 5$ m
    ◮ $\sigma_{SF} = 3, 4$ dB
    ◮ $s_{PL} = 2, 3.5$
  • Model D: Office (large conference room)
    ◮ $d_{BP} = 10$ m
    ◮ $\sigma_{SF} = 3, 5$ dB
    ◮ $s_{PL} = 2, 3.5$

SLIDE 13

Model B (Residential) Expected BER

[Figure: expected BER vs. distance from Alice d [m]; curves: Eve, Bob (L=2), Bob (L=4)]

  • BER of Eve, Bob(L=2) and Bob(L=4) in 802.11n (BPSK)

SLIDE 15

Model B (Residential) Expected PER

[Figure: expected PER vs. distance from Alice d [m]; curves: Eve, Bob (L=2), Bob (L=4); reference line at PER = 50%]

Annotations on the plot:

    ◮ 12.5 m: Eve’s PER = 0.5
    ◮ 20 m: Eve’s PER = 0.98, Bob’s PER = 0
    ◮ 129.5 m from Eve: Bob’s PER 0.5

  • PER of Eve, Bob(L=2) and Bob(L=4) in 802.11n (BPSK)

SLIDE 16

Experimental Indoor Office Layout

[Figure: indoor office layout; label: ~2.5 m]

  • Alice, Bob, and Eve locations
    ◮ $d_{AB} = 2$ m
    ◮ $d_{AE} = [2.5, 5.0, \ldots, 20]$ m (8 distances)
    ◮ $\Delta d_{AE} = 2.5$ m
    ◮ Constant angle and elevation
    ◮ NLOS (exploit multipath)

SLIDE 17

Experimental Setup: COTS and PHY

  • COTS devices
    ◮ Alice: Linksys WRT3200ACM, 4x4, OpenWrt
    ◮ 802.11n: Bob and Eve use a TL-WN722N USB dongle
    ◮ 802.11ac: Bob uses a USB-AC68, Eve uses a MacBook Pro
  • Physical layer setup
    ◮ $P_A = 23$ dBm (Alice’s tx power)
    ◮ $N_0 = -91$ dBm (mean noise power at receiver)
    ◮ $\mathrm{Ch}_{b/n/ac} = 11, 11, 36$

SLIDE 18

Experimental Setup: Traffic and Metrics

  • UDP traffic from Alice to Bob
    ◮ Using iperf
    ◮ 30 repetitions per distance
  • SNR
    ◮ RSSI and noise floor from PHY radiotap headers
  • PER
    ◮ From incorrect UDP checksums
    ◮ Over the total number of packets sent
    ◮ Underestimates PER (no FCS)
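
A sketch of how these two metrics can be computed from capture records, as an added example that is not the authors' tooling. It assumes each record already holds the RSSI and noise floor (dBm) read from the radiotap header plus the raw UDP segment, and that the IPv4 addresses are known; the addresses, ports, payloads and RSSI values below are constructed sample data, and all function names are hypothetical.

```python
import struct

def ones_sum(data):
    # 16-bit one's-complement sum with end-around carry
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src, dst, length):
    # IPv4 pseudo-header covered by the UDP checksum (protocol 17)
    return src + dst + struct.pack("!BBH", 0, 17, length)

def udp_segment(src, dst, sport, dport, payload):
    # Sender side: build a segment that carries a correct checksum
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = ~ones_sum(pseudo_header(src, dst, length) + header + payload) & 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + payload

def udp_checksum_ok(src, dst, segment):
    # Receiver side: summing everything, checksum included, must give 0xFFFF
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def flip_bit(segment, index):
    # Emulate a single bit error introduced on the channel
    corrupted = bytearray(segment)
    corrupted[index] ^= 0x01
    return bytes(corrupted)

def measure(captures, src, dst, sent):
    # SNR [dB] = RSSI [dBm] - noise floor [dBm], averaged over the capture;
    # PER = datagrams with an incorrect UDP checksum / datagrams sent
    snr = [rssi - noise for rssi, noise, _ in captures]
    bad = sum(not udp_checksum_ok(src, dst, seg) for _, _, seg in captures)
    return sum(snr) / len(snr), bad / sent

# Constructed sample: 10 datagrams sent, 3 of them received with a bit error
SRC, DST = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
GOOD = [udp_segment(SRC, DST, 5001, 5001, bytes([i]) * 21) for i in range(10)]
CAPTURES = [(-61.0, -91.0, flip_bit(s, 12) if i in (2, 5, 7) else s)
            for i, s in enumerate(GOOD)]

if __name__ == "__main__":
    print(measure(CAPTURES, SRC, DST, sent=10))
```
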

SLIDE 19

Eve’s Measured PER vs. Model D (Office)

[Figure: Eve’s PER % vs. dAE [m]; series: Model D prediction and measured values for 802.11b, 802.11n, and 802.11ac]

  • Eve’s PER is increasing with 802.11b/n/ac

SLIDE 20

Eve’s Measured SNR

[Figure: Eve’s SNR [dB] vs. dAE [m]; series: 802.11b, 802.11n, 802.11ac]

  • Eve’s SNR in 802.11n/ac is smaller than in 802.11b

SLIDE 22

Practical Evaluation of Passive COTS Eavesdropping in 802.11b/n/ac

  • Predicted 802.11n/ac disadvantages for Eve
    ◮ SNR is bounded by 6-41 dB
    ◮ PER increases to 98% when $d_{AE} > 20$ m
    ◮ Eve has to be 129.5 m closer to get same performance as Bob
  • Experimental results about Eve
    ◮ PER increases significantly when $d_{AE} > 15$ m
    ◮ PER is 20% higher in 802.11n than in 802.11b
    ◮ PER is 30% higher in 802.11ac than in 802.11b
  • We conclude that
    ◮ 802.11n/ac PHY features disadvantage an eavesdropper

Thanks for your time! Questions?