Stay Connected, Leave no Trace: Enhancing Security and
Privacy in WiFi via Obfuscating Radiometric Fingerprints
LUIS F. ABANTO-LEON∗, TU Darmstadt, Secure Mobile Networking Lab (SEEMOO), Germany
ANDREAS BÄUML∗, TU Darmstadt, Secure Mobile Networking Lab (SEEMOO), Germany
GEK HONG (ALLYSON) SIM, TU Darmstadt, Secure Mobile Networking Lab (SEEMOO), Germany
MATTHIAS HOLLICK, TU Darmstadt, Secure Mobile Networking Lab (SEEMOO), Germany
ARASH ASADI, TU Darmstadt, Wireless Communication and Sensing Lab (WiSe) & SEEMOO, Germany
The intrinsic hardware imperfection of WiFi chipsets manifests itself in the transmitted signal, leading to
a unique radiometric fingerprint. This fingerprint can be used as an additional means of authentication
to enhance security. In fact, recent works propose practical fingerprinting solutions that can be readily
implemented in commercial-off-the-shelf devices. In this paper, we prove analytically and experimentally
that these solutions are highly vulnerable to impersonation attacks. We also demonstrate that such a unique
device-based signature can be abused to violate privacy by tracking the user device, and, as of today, users do
not have any means to prevent such privacy attacks other than turning off the device.
We propose RF-Veil, a radiometric fingerprinting solution that not only is robust against impersonation
attacks but also protects user privacy by obfuscating the radiometric fingerprint of the transmitter for
non-legitimate receivers. Specifically, we introduce a randomized pattern of phase errors to the transmitted
signal such that only the intended receiver can extract the original fingerprint of the transmitter. In a
series of experiments and analyses, we expose the vulnerability of adopting naive randomization to
statistical attacks and introduce countermeasures. Finally, we show the efficacy of RF-Veil
experimentally in protecting user privacy and enhancing security. More importantly, our proposed solution
allows communicating with other devices, which do not employ RF-Veil.
CCS Concepts: • Security and privacy → Mobile and wireless security; • Networks → Wireless local
area networks;
1 INTRODUCTION
The omnipresence of WiFi devices in our daily lives demands strong and quantifiable security
and privacy mechanisms to protect us from attackers. WiFi security mechanisms traditionally
reside above the physical layer. This can be augmented by using physical layer characteristics (e.g.,
channel fading, interference, hardware impairments), which further enhance the security of WiFi.
In fact, physical layer security gained momentum after a chain of acute vulnerabilities rendered
these high-layer security mechanisms unsecure. This includes the disastrous RC4 vulnerability in
WEP [12] as well as the more recent attacks on WPA2 (e.g., KRACK [37] and Kr00k [7]). We have
also witnessed a variety of masquerading attacks in which the adversary mounts a machine-in-the-
middle (MitM) attack by creating a rogue access point (AP), mimicking the identity (i.e., SSID) of
a legitimate AP. It has been shown that physical layer security, in particular, radiometric (radio
frequency) fingerprinting can thwart such attacks [5, 21, 23].
Radiometric fingerprinting techniques rely on measuring and extracting device-specific imperfections
of the transmitter RF circuitry embedded in the emitted signal, which manifest in form of negligible
but distinguishable errors, e.g., in phase (e.g., [23]) or frequency (e.g., [18]). These imperfections are
so individualized that even chipsets from the same manufacturer have different fingerprints [5, 23].
In Fig. 1a, we demonstrate that the radiometric fingerprint¹ of five identical phones with the same
WiFi chipset are visually distinguishable. Thus, it is not surprising that these devices can be easily
differentiated from one another with high success ratio (i.e., 96.5%). Such degree of accuracy, on the
∗Both authors contributed equally to this research.
¹ These fingerprints are extracted from non-linear phase errors derived from device-specific hardware imperfections [23].
Proc. ACM Meas. Anal. Comput. Syst., Vol. 4, No. 3, Article 44. Publication date: December 2020.
[Figure 1a: fingerprint [deg] versus subcarrier index (k) for Phone 1 to Phone 5]

[Figure 1b: confusion matrix, rows = actual device, columns = predicted device]

Actual \ Predicted   Phone 1   Phone 2   Phone 3   Phone 4   Phone 5
Phone 1              0.985     0.0       0.0       0.0       0.0
Phone 2              0.0       0.985     0.085     0.0       0.0
Phone 3              0.0       0.115     0.965     0.0       0.0
Phone 4              0.0       0.0       0.025     1.0       0.0
Phone 5              0.010     0.0       0.0       0.0       0.995

Fig. 1. WiFi radiometric fingerprints of 5 identical phones (Samsung Galaxy S6). Fig. 1a shows that the
fingerprints differ from one another even though the chipsets belong to the same series and manufacturer, thus
allowing to distinguish among multifarious devices. Fig. 1b shows that the devices can be distinguished with
96.5% accuracy using a simple mean absolute error (MAE)-based classifier (MAE threshold = 4.5°).
one hand, reveals the potential of radiometric fingerprinting for achieving accurate authentication,
thus enhancing security. On the other hand, it raises major privacy concerns since adversaries can
locate/track devices using these unique fingerprints. Our work is motivated by the potential of
radiometric fingerprinting in coping with security and privacy challenges.
Challenge I: Privacy. Any unique identifier which can be easily measured/accessed by an
adversary poses a significant privacy threat. Indeed, this is the motivation behind MAC address
randomization in WiFi or temporary identifiers in cellular networks to prevent potential adversaries
from tracking users. Radiometric fingerprints expose users to the same privacy vulnerability, and
as of today, users do not have any means to prevent such privacy attacks other than turning off the
device. While randomizing the physical layer characteristics of the signal is a plausible solution
to enhance privacy, such procedure may degrade the communication link and disrupt or prevent
legitimate radiometric fingerprinting, which brings us to the next challenges.
Challenge II: Security. Radiometric fingerprints are typically considered a secure anchor for
device authentication. Still, they are collectible by anyone in the vicinity of the transmitter who is
capable of "overhearing" the packets, e.g., 50-100 meters for WiFi. This exposes the fingerprinting
methods to impersonation attacks. Initial proposals argued that the cost of mimicking the fingerprints
is too high [31]. To date, a wide range of software-defined radios (SDRs) costing from a few hundred
(up to a few thousand) euros can collect and forge the fingerprints of other devices, e.g., through
modifying the phases of emitted signals, as shown in Section 2.2. This issue is further exacerbated
by the emergence of WiFi firmware patching tools [34], which enables commercial WiFi chipsets
to shape their signals and impersonate other devices.
Challenge III: Allowing for legitimate radiometric fingerprinting. There are several solutions
to hide one's fingerprint: (i) Jamming, which defeats the primary purpose of WiFi, i.e.,
communication; (ii) Constructive interference. The seminal work of Oh et al. on location privacy [25]
and recent literature on privacy against WiFi sensing [26, 40] use coordinated transmissions or
a secondary signal repeater to obfuscate the physical layer information, which are not scalable
and can be costly due to reliance on secondary devices; (iii) Fingerprint randomization at the
transmitter has the advantage of scalability, but it can disrupt the communication link by distorting
the channel estimation at the receiver. In [8], the authors randomize the transmitted signal to
obfuscate device-free localization but their approach introduces marginal impact on the quality of
the communication. Furthermore, we must ensure that the randomization is reversible to allow
legitimate fingerprinting.
1.1 Our approach
In this paper, we propose RF-Veil, a scalable approach that enhances the user privacy by
obfuscating the radiometric fingerprints of the device from adversaries while allowing the use
of channel state information (CSI)-based fingerprinting at legitimate receivers to strengthen the
security of the network.
In essence, RF-Veil adds a crafted randomized phase noise to the signal at the transmitter such
that the radiometric fingerprints are obfuscated, but the quality of communication remains intact.
Furthermore, we facilitate fingerprint extraction through a low-overhead synchronized random noise
generation process between legitimate transmitters and receivers. The properties of RF-Veil are:
Privacy-preserving. The latest radiometric fingerprinting solutions extract device-specific
phase errors from the CSI [18, 23]. RF-Veil introduces deliberate phase noise to the subcarriers in
the OFDM symbols on a per-frame basis such that the adversary can no longer estimate the actual
radiometric fingerprint by analyzing the CSI, thus preventing the device identification/tracking via
radiometric fingerprint.
Secure against impersonation. We strive to maintain the possibility of legitimate fingerprinting
without exposing the user to impersonation attacks. To this aim, we first devise a technique
(synchronized phase noise generation), which enables only the legitimate receivers to denoise the
transmitted signals and extract the original fingerprint. Secondly, we apply the obfuscation on a
per-frame basis to eliminate the possibility of impersonation or replay attack via over-the-air packet
sniffing. The effectiveness of this method is proven both theoretically and experimentally, even in
presence of sophisticated adversaries with the capability of realizing statistical attacks.
Dual mode. RF-Veil is designed to allow the legitimate use of wireless fingerprinting techniques
(e.g., for authentication as in [23]) in presence of our obfuscation method. Furthermore, a reduced
form of RF-Veil can be used to obfuscate the fingerprint of the device in order to only protect the
device’s privacy when fingerprinting is not used as an additional security feature, i.e., reversing
the phase noise is not required. We refer to this second operational mode as RF-Veil-Standalone.
In this mode, we can hide the fingerprint of the transmitter by executing the obfuscation blocks
without any handshake or coordination with other receivers. As a result, we can ensure privacy
protection in a much broader scenario, e.g., communicating with non-RF-Veil-enabled devices, in
absence of any active connections, or in connection establishment phase.
Low-overhead and scalable. RF-Veil has low overhead from both computational and
signaling/control message perspective. Our simple yet effective obfuscation technique enabled extraction
of CSI-based radiometric fingerprints at the legitimate receiver without any additional complex
signal processing. Furthermore, RF-Veil is highly scalable since it is implemented directly at the
transmitter and does not rely on any secondary device [26, 40]. Therefore, any WiFi device can
obfuscate its fingerprint easily and independently.
1.2 Our contributions
To the best of our knowledge, this is the first work exposing privacy and security vulnerabilities
of radiometric fingerprints as well as devising practical methods to resolve them. Note that prior
works such as [27, 28] propose techniques for preventing the exposure of unencrypted fields
(e.g., headers and payload information) to counter, for instance, reactive jamming attacks that
can adapt to the rate of transmission. While the approach prevents data analysis and acquisition
of transmission cues, it does not protect the radiometric fingerprint of the device. The following
summarizes our main contributions: (i) Showing vulnerabilities of recent CSI-based radiometric
fingerprinting solutions [5, 23, 38] to impersonation attacks (Section 3); (ii) Proposing a method for
injecting artificial noise to the fingerprint without impacting communication quality (Section 4).
(iii) Designing RF-Scope, a benchmarking tool to assess the effectiveness of radiometric fingerprint
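[Figure 2: frame fields in transmission order with their length in OFDM symbols; the figure also carries
the annotation "Phase artificially changed by transmitter"]

Field                    L-STF   L-LTF   L-SIG   VHT-SIG-A   VHT-STF   VHT-LTF   VHT-SIG-B   VHT-DATA
Number of OFDM symbols   2       2       1       2           1         1         1           N

Fig. 2. IEEE 802.11ac PHY frame format.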
obfuscation against statistical attacks (Section 5). Specifically, RF-Scope is a maximum-likelihood-
based estimator of the CSI, which we prove to be near-optimal through derivation of Cramer-Rao
bounds (Appendix B); (iv) Devising RF-Veil, a fingerprint obfuscation framework that circumvents
the privacy issues without impacting the communication quality (Section 6). (v) We prove the
efficacy of our proposals, both analytically and experimentally.
2 FINGERPRINTING PRIMER
Radio signal analysis to identify devices and distinguish between friends and foes dates back to
the time of the Vietnam war. In the same line, radiometric fingerprinting has gained momentum in
recent years with the surge of attacks that leverage hardware impairments to breach privacy and
security in wireless networks. Recently, CSI-based radiometric fingerprinting gained popularity
due to the availability of CSI extraction tools [14, 17, 38]. These tools allow per-frame CSI collection
from commercial WiFi chipsets (e.g., Intel, Qualcomm, Broadcom), making CSI-based fingerprinting
practical and feasible for all devices. In the following, a short overview of CSI estimation and
CSI-based fingerprinting is provided.
2.1 Channel estimation in WiFi
As a prelude to CSI-based fingerprinting, we describe channel estimation in WiFi throughout this
section. Fig. 2 shows the IEEE 802.11ac PHY frame structure, wherein we recognize four distinct
fields: short training field (STF), long training field (LTF), SIG, and DATA (cf. 17.3 in [35]). The
receiver uses the STF field for signal detection, automatic gain control, time synchronization, and
coarse carrier frequency offset (CFO). The LTF field is employed for fine CFO estimation and channel
estimation. Channel estimation is performed by sending BPSK pilots over the LTF subcarriers of
two consecutive OFDM symbols. The SIG and DATA fields convey the MCS level and the payload,
respectively. The OFDM symbols in the SIG and DATA fields are equalized using the channel
estimated by the preceding LTF field. The prefix "L-" denotes the legacy fields, which are included
for compatibility with IEEE 802.11a.
Let $K$ denote the number of subcarriers and $\mathbf{s} = [s_1, \cdots, s_K]^T \in \mathbb{C}^{K \times 1}$
the BPSK pilot symbols (defined in Equation 19-23 of [35]). Also, let $\mathbf{F} \in \mathbb{C}^{K \times K}$
and $\mathbf{F}^H \in \mathbb{C}^{K \times K}$ denote the discrete Fourier transform (DFT) matrix and the
inverse DFT (IDFT) matrix, respectively. Moreover, $\mathbf{F}\mathbf{F}^H = \mathbf{I}$, with $(\cdot)^H$
representing the Hermitian transpose. The discrete-time OFDM symbol is given by
$\mathbf{x} = \mathbf{F}^H \mathbf{s}$ [1]. In order to improve the signal robustness against multi-path
interference, the periodic OFDM symbol $\tilde{\mathbf{x}}$ is produced by appending the cyclic prefix (CP)
to $\mathbf{x}$. The CP consists of the last $L$ samples of $\mathbf{x}$, thus
$\tilde{\mathbf{x}} = [\mathbf{x}^T_{[K-L+1:K]}, \mathbf{x}^T]^T \in \mathbb{C}^{(K+L) \times 1}$.
Appending the CP to $\mathbf{x}$ transforms the linear convolution between $\tilde{\mathbf{x}}$ and the
channel $\mathbf{c} = [c_1, \cdots, c_J]^T \in \mathbb{C}^{J \times 1}$ (with $J < L$ paths) into a circular
convolution. This has the advantage of simplifying OFDM demodulation and equalization at the receiver. Upon
transmitting $\tilde{\mathbf{x}}$ over the channel $\mathbf{c}$, the receiver obtains
$\tilde{\mathbf{r}} = \tilde{\mathbf{x}} * \mathbf{c}$, where $*$ denotes the convolution
operator. To remove the impact of inter-block interference between adjacent LTF frames (caused
by multi-path propagation), we discard the first $L$ elements of $\tilde{\mathbf{r}}$, thus yielding
$\mathbf{r} = \tilde{\mathbf{r}}_{[L+1:L+K]} \in \mathbb{C}^{K \times 1}$.
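The received signal $\mathbf{r}$ can be expressed as:
\[
\underbrace{\begin{bmatrix} r_1 \\ \vdots \\ r_K \end{bmatrix}}_{\mathbf{r}}
=
\underbrace{\begin{bmatrix}
c_1 & 0 & \cdots & 0 & c_J & \cdots & c_2 \\
\vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\
c_J & c_{J-1} & \cdots & 0 & 0 & \cdots & 0 \\
0 & c_J & \cdots & 0 & 0 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & c_J & c_{J-1} & \cdots & c_1
\end{bmatrix}}_{\mathbf{C}}
\underbrace{\begin{bmatrix} x_1 \\ \vdots \\ x_K \end{bmatrix}}_{\mathbf{x}}
+
\underbrace{\begin{bmatrix} w_1 \\ \vdots \\ w_K \end{bmatrix}}_{\mathbf{w}},
\tag{1}
\]
where $\mathbf{w} \sim \mathcal{CN}(\mathbf{0}, \sigma^2 \mathbf{I})$ denotes circularly-symmetric complex
Gaussian noise. The receiver demodulates the received signal $\mathbf{r}$ by multiplying it with $\mathbf{F}$
to obtain $\mathbf{y} = \mathbf{F}\mathbf{r} = \mathbf{F}\mathbf{C}\mathbf{x} + \mathbf{F}\mathbf{w}$. The
convolution matrix $\mathbf{C} \in \mathbb{C}^{K \times K}$ is circulant, which is a consequence of adding the
CP to the transmitted signal. Circulant matrices can be expressed via eigen-decomposition as
$\mathbf{C} = \mathbf{F}^H \mathbf{H} \mathbf{F}$, where $\mathbf{H} = \mathrm{diag}([h_1, \cdots, h_K])$
represents a diagonal matrix containing the eigenvalues of $\mathbf{C}$ [13]. As a result, the demodulated
signal $\mathbf{y}$ collapses to
$\mathbf{y} = \mathbf{F}\mathbf{F}^H \mathbf{H} \mathbf{F}\mathbf{F}^H \mathbf{s} + \mathbf{F}^H \mathbf{w} = \mathbf{H}\mathbf{s} + \mathbf{w}$.
More specifically,
\[
\underbrace{\begin{bmatrix} y_1 \\ \vdots \\ y_K \end{bmatrix}}_{\mathbf{y}}
=
\underbrace{\begin{bmatrix}
h_1 & \cdots & 0 \\
\vdots & \ddots & \vdots \\
0 & \cdots & h_K
\end{bmatrix}}_{\mathbf{H}}
\underbrace{\begin{bmatrix} s_1 \\ \vdots \\ s_K \end{bmatrix}}_{\mathbf{s}}
+
\underbrace{\begin{bmatrix} w_1 \\ \vdots \\ w_K \end{bmatrix}}_{\mathbf{w}}.
\]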
Thus, for any subcarrier $k \in \mathcal{K} = \{1, \cdots, K\}$, the received symbol is expressed as
\[
y_k = h_k s_k + w_k = |h_k| e^{j\phi_k} s_k + w_k, \tag{2}
\]
which shows that the channel affects each pilot symbol $s_k$ by a complex-valued factor
$h_k = |h_k| e^{j\phi_k}$ and additive noise $w_k$. Since the pilot symbols $\mathbf{s}$ are known by the
receiver, the CSI vector $\mathbf{h} = [h_1, \cdots, h_K]^T$ can be obtained upon equalizing each received
symbol $y_k$ with the compensation factor $\frac{s_k^*}{|s_k|^2}$. Thus, the estimated channel in
subcarrier $k$ is given by:
\[
\tilde{h}_k = h_k s_k \frac{s_k^*}{|s_k|^2} + w_k \frac{s_k^*}{|s_k|^2} = |h_k| e^{j\phi_k} + w_k. \tag{3}
\]
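The derivation in (1) to (3), carried through numerically as an added example (not code from the paper or its authors): it builds x = F^H s, prepends the CP, convolves with the taps c, discards the first L samples and checks that the equalized pilots equal the eigenvalues h_k of C. The sizes K = 64 and L = 16, the tap values and the pilot pattern are constructed for illustration; the call with no CP shows the estimate breaking once the convolution is no longer circular.

```python
import cmath
import math
import random


def dft(v, inverse=False):
    """Multiply v by F (or by F^H when inverse=True), scaled so that F F^H = I."""
    n = len(v)
    sign = 1 if inverse else -1
    return [sum(v[m] * cmath.exp(sign * 2j * math.pi * k * m / n) for m in range(n))
            / math.sqrt(n) for k in range(n)]


def linear_convolve(x, c):
    """Linear convolution x * c, as performed by the multipath channel."""
    out = [0j] * (len(x) + len(c) - 1)
    for i, xi in enumerate(x):
        for tap, ctap in enumerate(c):
            out[i + tap] += xi * ctap
    return out


def estimate_channel(pilots, taps, cp_len, noise_std=0.0, seed=0):
    """LTF-style estimate of h_k on every subcarrier, following (1) to (3)."""
    k_sub = len(pilots)
    x = dft(pilots, inverse=True)                 # x = F^H s
    x_cp = x[k_sub - cp_len:] + x                 # CP: last L samples placed in front
    r_full = linear_convolve(x_cp, taps)          # r~ = x~ * c
    r = r_full[cp_len:cp_len + k_sub]             # discard the first L samples
    rng = random.Random(seed)
    r = [rn + complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std)) for rn in r]
    y = dft(r)                                    # y = F r = H s + noise
    # Equalize with s_k^* / |s_k|^2, eq. (3)
    return [yk * sk.conjugate() / abs(sk) ** 2 for yk, sk in zip(y, pilots)]


def eigenvalues(taps, k_sub):
    """h_k, the diagonal of H: the unscaled K-point DFT of the channel taps."""
    return [sum(ctap * cmath.exp(-2j * math.pi * k * tap / k_sub)
                for tap, ctap in enumerate(taps)) for k in range(k_sub)]


def max_error(est, ref):
    """Largest |h_est - h| over all subcarriers."""
    return max(abs(a - b) for a, b in zip(est, ref))


K_SUB, CP_LEN = 64, 16                            # constructed sizes; J < L holds
TAPS = [1.0 + 0j, 0.5j, -0.25 + 0.1j]             # constructed 3-path channel c
pattern_rng = random.Random(7)
PILOTS = [complex(pattern_rng.choice((-1, 1))) for _ in range(K_SUB)]  # constructed BPSK pilots
H_TRUE = eigenvalues(TAPS, K_SUB)


def demo():
    """Return the estimation error with CP, without CP, and with CP plus noise."""
    with_cp = max_error(estimate_channel(PILOTS, TAPS, CP_LEN), H_TRUE)
    without_cp = max_error(estimate_channel(PILOTS, TAPS, 0), H_TRUE)
    noisy = max_error(estimate_channel(PILOTS, TAPS, CP_LEN, noise_std=0.01), H_TRUE)
    return with_cp, without_cp, noisy


if __name__ == "__main__":
    for label, err in zip(("CP, no noise", "no CP", "CP, noise"), demo()):
        print(f"{label:>13}: max |h_est - h| = {err:.2e}")
```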
2.2 CSI-based fingerprinting
CSI-based radiometric fingerprinting techniques consist of analyzing the CSI to extract features
that are unique to the transmitting device. Specifically, Zhuo et al. [41] found that WiFi chipsets
exhibit non-linear phase errors that change across subcarriers and are analogous to a sinusoidal
function, as shown in Fig. 1a. These phase errors are caused by I/Q imbalance as a result of hardware
imperfections. It was shown in [41] that these errors are latent signatures that can be extracted
upon removing the linear phase errors from the CSI. Building on this finding, Liu et al. [23] harness
these non-linear errors as CSI-based radiometric fingerprints for identification, thus preventing
impersonation by unauthorized WiFi devices. Following the same notation in (2) and (3), we denote
the CSI phases by $\boldsymbol{\Phi} = [\phi_1, \cdots, \phi_K]^T$, which can be further decomposed into
\[
\boldsymbol{\Phi} = \boldsymbol{\varphi}
+ \underbrace{\boldsymbol{\omega} + \boldsymbol{\theta} + \boldsymbol{\psi}}_{\text{linear errors}}
+ \underbrace{\boldsymbol{\epsilon}}_{\text{non-linear error (fingerprint)}}, \tag{4}
\]
where $\boldsymbol{\varphi} \in \mathbb{R}^{K \times 1}$ represents the phase of the signal at the transmitter
while $\boldsymbol{\omega} \in \mathbb{R}^{K \times 1}$, $\boldsymbol{\theta} \in \mathbb{R}^{K \times 1}$ and
$\boldsymbol{\psi} \in \mathbb{R}^{K \times 1}$ denote the phase errors due to sampling frequency offset, frame
detection delay and time of flight, respectively. By using the mirror subcarriers, the linear part of the
phase errors can be canceled [23]. Hence, the non-linear phase errors
$\boldsymbol{\epsilon} \in \mathbb{R}^{K \times 1}$ are obtained by the following equation
\[
\boldsymbol{\epsilon} = \boldsymbol{\Phi} - 2\pi\lambda \cdot \mathbf{v} + \mathbf{1} Q^\star, \tag{5}
\]
where $\mathbf{v} = [-K/2, \cdots, -1, 1, \cdots, K/2]^T$ and $\lambda$ is a constant used for nullifying the
linear phase rotation in a specific frame whereas $Q^\star$ is used for phase error normalization [23].
[Figure 3: diagram with a legitimate user/client, an attacker/adversary and an access point, showing the
original fingerprint, the adversary fingerprint, fingerprint extraction and impersonation]

Fig. 3. Adversary model. We consider an impersonation scenario, where the adversary has captured the
fingerprint of the victim (legitimate user). The adversary forges the fingerprint of the victim by
introducing additional phase rotations to its own fingerprint.

[Figure 4: actual and predicted presence of Phone 1 to Phone 5 over time [minutes], from 0 to 10]

Fig. 4. Adversary prediction on the presence time of 5 different phones turned on and off at
different time intervals. An adversary can accurately determine the presence of a specific user in a
network by tracking the radiometric fingerprints.
The authors show that the non-linear phase errors exhibit both time and location invariance and
change significantly even across devices of the same manufacturer. As a result, these non-linear
phase errors can be used as highly distinctive radiometric fingerprints for device identification
by leveraging the above described approach in [23]. Even though the difference is very small, the
phones are distinguishable from one another, as illustrated in Fig. 1b. As a result, the authors
conclude that these fingerprints can be used as countermeasures against impersonation attacks.
However, we show in the next section that impersonation is indeed possible.
3 ADVERSARY MODEL AND ATTACK SCENARIO
In this section, we introduce the adversary model and devise two attack scenarios, which aim at
breaching privacy and security.
3.1 Adversary model
We consider a scenario where the legitimate device (i.e., client) communicates with an AP and
vice versa, see Fig. 3. We further consider an adversary in transmission range of the legitimate
communication with the following capabilities: (i) sniffing packets sent by the legitimate device; (ii)
extracting the fingerprint of the legitimate device from the CSI; (iii) knowing its own fingerprint and
the ability to change it arbitrarily. Hence, the adversary can breach the user privacy upon extracting
the fingerprint from the sniffed packets. Even if the client employs MAC address randomization to
remain anonymous, the adversary can identify and track the client via the radiometric fingerprint
(Attack scenario I). Further, having the ability to change its fingerprint arbitrarily, the adversary
can subsequently modify its own fingerprint to impersonate the client, thus compromising the
security of the system (Attack scenario II). Note that we do not consider an adversary launching a
denial-of-service attack by jamming the WiFi signals as this will disrupt the communication in
WiFi channels as a whole.
3.2 Attack scenario I: Violating user privacy by tracking the radiometric fingerprints
This attack focuses on tracking the presence of specific devices in the network using their
radiometric fingerprints. In this scenario, the privacy-invading adversary silently sniffs the encrypted
traffic over a WiFi network, extracts the fingerprints from the CSI, and creates a database recording
time and duration in which a device was present in the vicinity. In order to show the efficacy of
this attack experimentally, we set up an adversary and 5 phones that are entering and leaving the
network at different times over the course of 10 minutes. We depict the results of this experiment
in Fig. 4, in which the ground truth is presented in solid bars, whereas the hatched bars indicate
[Figure 5: floor plan of the experimental site (lab and hallway, dimension labels 8.2 m and 19.5 m) with the
AP and locations L1 to L11, ferro-concrete walls (30 cm) and plasterboard walls (14 cm), overlaid with a
heatmap of the success rate (20% to 80% scale)]

Location   L1      L2      L3      L4      L5      L6      L7      L8      L9      L10     L11
2.4 GHz    99.8%   99.6%   98.3%   88.7%   98.3%   99.4%   63.9%   76.5%   31.9%   78.3%   34.9%
5 GHz      95.8%   99.7%   99.5%   97.6%   99.6%   72.1%   74.9%   79.4%   0%      0%      0%

Fig. 5. The success rate of impersonation attacks is shown as a heatmap throughout the experimental
site when using 2.4 GHz. Impersonation is possible even in challenging scenarios, i.e., through a
30-centimeter thick ferro-concrete wall. The table shows the success rate at 2.4 and 5 GHz bands. The
success rate at 5 GHz is lower due to higher propagation and penetration loss compared to 2.4 GHz.

[Figure 6: fingerprint [deg] versus subcarrier index (k) for the victim fingerprint, the forged
fingerprint and the adversary fingerprint]

Fig. 6. Impersonation attack on CSI-based radiometric fingerprinting. Impersonation is feasible when the
adversary is capable of introducing additional crafted phase rotations per subcarrier to match
the fingerprint of the victim.
the adversary’s prediction. We observe that the adversary is able to determine the presence time of the
different phones with fairly high accuracy. Note that MAC layer anonymization techniques cannot
stop our adversary from tracking the presence of users across networks since such techniques do
not conceal the inherent physical cues of the device, i.e., radiometric fingerprint. In an era where
smartphones, smartwatches, and other WiFi-enabled wearables are omnipresent, these simple
attacks expose us to significant privacy risks at workplace and at home.
3.3 Attack scenario II: Compromising security via impersonation attacks
Radiometric fingerprinting can enhance the security of networks by enabling means of additional
authentication based on physical layer properties of devices [5, 21, 23]. However, we found that an
adversary can easily impersonate other devices exploiting the fingerprinting scheme proposed by
Liu et al. [23]. We mount such an impersonation attack using an SDR as follows: we first compute
the fingerprint of the SDR by connecting it to another receiver (e.g., another SDR, signal analyzer).
This needs to be done only once. Next, we measure the fingerprint of the target device, which only
requires the adversary to sniff one (encrypted or unencrypted) packet sent by the target device.
Knowing the proprietary fingerprint and that of a target, we can compute the phase offset on
each subcarrier. These phase offsets are added to the LTF subcarriers and all subcarriers in the
succeeding OFDM symbols (cf. Fig. 2) at the SDR. Consequently, the fingerprint extracted by the
receiver matches that of the target device. The SDR provides flexible processing capabilities that
allow us to introduce phase rotations to the transmission chain easily. In Fig. 6, we demonstrate
how accurately the SDR (i.e., adversary) can replicate the fingerprint of another device (i.e., victim).
We now analyze the efficacy of the impersonation attack in a real-world scenario (i.e., an office
building). We set up an AP which employs the CSI-based fingerprinting mechanism in [23] for
authentication. To show the severity of the attack, we mount the attack in different locations in
the vicinity of the victims, as depicted in Fig. 5. The adversary is transmitting 1000 packets in
each location from which the access point calculates the fingerprints and compares them against a
reference fingerprint of the legitimate user. We conduct this experiment for each of the WiFi bands
(i.e., 2.4 and 5 GHz) and show the results in the table in Fig. 5. In the 2.4 GHz band, we observe
that the adversary can successfully impersonate the victim in all locations. While the attack is
[Figure 7: block diagram of the transmitter's digital baseband processing with the labels: phase
randomization, synchronization index, key, random number generator, OFDM symbols without phase rotation,
OFDM symbols with phase rotation, K-point IDFT, P/S, CP, D/C]

Fig. 7. Diagram illustrating the phase randomization method at the transmitter. Additional random phase
rotation at every subcarrier protects the fingerprint of the transmitter and therefore prevents impersonation.

[Figure 8: fingerprint [deg] versus subcarrier index (k) for the original fingerprint, obfuscated
(uniform) and obfuscated (Gaussian)]

Fig. 8. Fingerprints before and after obfuscation. Upon including random phase rotations in the
subcarriers, the recovered fingerprint differs from the original.

[Figure 9: throughput [Mbit/s] versus time [seconds] for the original, uniform and Gaussian cases]

Fig. 9. Throughput before and after obfuscation. The throughput is not affected by the phase rotations, as
these can be reverted at the receiver.
very successful in line-of-sight scenarios (i.e., inside the lab), we observe that it still yields very
high success rates in non-line-of-sight (NLOS) scenarios, e.g., the hallway or even in the office
across the hallway. We kept all doors closed throughout the experiments. We also observe that the
impersonation attack is possible even in highly challenging scenarios, i.e., behind a 30-centimeter
thick ferro-concrete wall. However, the success rate is lower due to high signal attenuation. Due to
higher propagation and penetration loss at 5 GHz band, the success rate in the NLOS locations (i.e.,
L5 to L11) is lower. In particular, in locations L9 to L11, no signal was received by the AP. However,
locations L5 to L8 yield similar results in 5 GHz and 2.4 GHz bands. We conclude that, as long as
the adversary is in range of the access point, they can successfully effectuate an impersonation
attack regardless of the frequency band used by the access point.
3.4 Takeaway
In this section, we emphasize the need for a secure and privacy-preserving fingerprinting solution.
Existing fingerprinting solutions based on CSI are capable of distinguishing between different devices,
even of the same model, allowing adversaries to track the presence of users in a network. Further, we
show that an adversary can successfully impersonate the victim’s device even through thick composite
steel–concrete walls, which are among the most disruptive construction materials for wireless signals.
Hence, there are two main takeaway messages from this section: (i) device fingerprints can be used
to invade privacy of users and, as of the writing of this paper, there is no protection for users; and
(ii) active deployments of CSI-based fingerprinting schemes can be attacked.
4 HOW TO INJECT ARTIFICIAL NOISE TO FINGERPRINTS WITHOUT IMPACTING
COMMUNICATION
Here we discuss our method for injecting artificial noise (i.e., randomized phase rotation) to the
radiometric fingerprints. We further prove why it does not impact the quality of communication.
Randomizing the radiometric fingerprints is the first logical step towards maintaining user
privacy. However, if not carefully designed, the randomization can potentially break/degrade the
communication link. As described in Section 2.1, the WiFi receiver relies on the LTF field for
channel estimation. To ensure that obfuscation via randomization does not disrupt communication,
we maintain the introduced phase rotations on each subcarrier constant for the duration of the whole
frame. As a result, the estimated CSI from the preambles remains valid for the succeeding VHT-
DATA frame, as shown in Fig. 2, thus allowing successful decoding of information. In the following,
we describe the process. Fig. 7 shows the transmitter chain of our proposed fingerprint obfuscation
method, in which we include deliberate phase randomization across all OFDM subcarriers. Having
the pre-shared key and randomization index, the receiver can decode the message and extract the
fingerprint without impacting the communication.
Let $z_k$ denote the phase rotation in subcarrier $k$ intentionally included by the transmitter. From (2),
the signal received in the $k$-th subcarrier is given by $y_k = h_k s_k e^{j z_k} + w_k$. Using (3), the CSI
at the receiver is expressed as
\[
\tilde{h}_k = h_k e^{j z_k} + w_k = |h_k| e^{j(\phi_k + z_k)} + w_k. \tag{6}
\]
Compared to (3), the factor $e^{j z_k}$ in (6) obfuscates the legitimate CSI by shifting its phase
information. As a result, the phase $z_k$ will appear in the radiometric fingerprint extracted by an
adversary, thus safeguarding the device original fingerprint. The effects of this phase randomization
mechanism can only be reverted by a trusted receiver that is aware of $z_k$. In particular, we assume
that the phase $z_k$ is a realization of a random variable $Z_k$, that can be generated locally at the receiver
since the pre-shared key to the random generator is known. As a result, the receiver generates $z_k$
and multiplies the perturbed $\tilde{h}_k$ in (6) by $e^{-j z_k}$ yielding
$e^{-j z_k}\left(|h_k| e^{j(\phi_k + z_k)} + w_k\right) = |h_k| e^{j\phi_k} + w_k$,
which is equivalent to (3), and therefore showing that the CSI remains unaffected as the phase
randomization can be removed. In addition, we denote the capacity of the channel in (3) by
$C' = \log_2\left(1 + \left||h_k| e^{j\phi_k}\right|^2 / \sigma^2\right) = \log_2\left(1 + |h_k|^2 / \sigma^2\right)$.
Similarly, the channel capacity of (6) is denoted by
$C'' = \log_2\left(1 + \left||h_k| e^{j(\phi_k + z_k)}\right|^2 / \sigma^2\right) = \log_2\left(1 + |h_k|^2 / \sigma^2\right)$,
thus revealing the equivalence $C' \equiv C''$. This
shows that the channel capacity before and after randomization does not change. Therefore, for a
given MCS level, the throughput is not altered by phase randomization as long as the phase $z_k$ is
generated correctly at each receiver. We generalize this idea for every subcarrier $k \in \mathcal{K}$. In Fig. 8,
we illustrate the original fingerprint of a device as well as the obfuscated versions, in which the
random phase rotations are obtained from uniform and Gaussian distributions, i.e.,
$Z_k \sim \mathcal{U}(\mu_k, \xi_k^2)$ and $Z_k \sim \mathcal{N}(\mu_k, \xi_k^2)$ with $\mu_k = 0$ deg and
$\xi_k^2 = 60$ deg$^2$ (deg $\equiv$ °). Since the additional randomized
phase $z_k$ differs for each subcarrier, the adversary cannot leverage the linear phase error difference
among subcarriers to identify the users. In particular, if the same phase rotation $z_k$ is used for all
$K$ subcarriers, the original fingerprint can be easily extracted via the method proposed in [23] as such
method exploits the phase difference among adjacent subcarriers, which in this case would be constant
and easy to remove. Moreover, we corroborate experimentally that the throughput is not affected
by our proposed obfuscation method. In particular, for the obfuscated signals depicted in Fig. 8, we
show the throughput in Fig. 9.
In the next section, we discuss the robustness of this approach against statistical attacks.
5 RF-SCOPE: A BENCHMARKING TOOL FOR ASSESSING VULNERABILITY TO STATISTICAL ATTACKS
Statistical attacks are common in cryptography where the adversary exploits statistical weaknesses of the underlying random number generators or hashing algorithms to discover the secrets, e.g., birthday attacks [3]. In the course of our experiments, we discovered that an adversary can mount similar attacks on phase randomization to restore the original fingerprint. Viewing this as an estimation problem, we devise RF-Scope, which is a maximum likelihood-based approach designed to restore the legitimate (unimpaired) CSI from a set of captured CSI measurements with obfuscated fingerprints. Thus, if the legitimate CSI is restored accurately, the radiometric fingerprint can be extracted by the method described in Section 2.2 and used for malicious purposes. In essence, we designed RF-Scope as a tool to evaluate the efficiency of RF-fingerprint obfuscation against statistical attacks. Specifically, we designed an experiment in which the adversary captures 10000 CSI samples (within ∼10 seconds) and uses RF-Scope to estimate the legitimate CSI. This experiment showed that an adversary can denoise the fingerprint even without the knowledge of the probability density function used for phase randomization. We will elaborate on RF-Scope and the experimental results in Section 5.1. We prove that this vulnerability stems from the zero-mean nature of the selected distributions, see Section 5.2.
Fig. 10. Collected CSI measurements with additional synchronization phase rotations obtained from a zero-mean unit-variance Gaussian probability density function. [Two panels: CSI magnitude [mW] and CSI phase [deg], each over CSI measurement index and subcarrier index (k).]
Fig. 10 shows the magnitude and phases of CSI measurements. We assume that the channel impulse response is invariant for a short interval $\tau$ compliant with the channel coherence time $T_c$. Thus, small-scale oscillations in the CSI magnitude are attributed to noise. On the other hand, the CSI phase changes abruptly between contiguous measurements due to phase randomization.
5.1 A maximum-likelihood-based estimator for evaluating statistical attacks
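RF-Scope minimizes the overall approximation error between the unknown CSI and the collected measurements. The premise is that adversaries do not have information on the probability density function used for CSI phase randomization. Let $\mathbf{M} = [\mathbf{m}_1, \cdots, \mathbf{m}_N] \in \mathbb{C}^{K \times N}$ denote a matrix that collects $N$ measurements in all $K$ subcarriers, where vector $\mathbf{m}_n \in \mathbb{C}^{K \times 1}$ represents the CSI (contaminated with phase randomization and noise) in the $n$-th captured LTF frame. Also, let $\mathbf{u} = [|h_1| e^{j\phi_1}, \cdots, |h_K| e^{j\phi_K}]^T \in \mathbb{C}^{K \times 1}$ denote the unknown unrandomized CSI vector. Further, $\boldsymbol{\Delta} = [\mathbf{m}_1 - \mathbf{u}, \cdots, \mathbf{m}_N - \mathbf{u}] = \mathbf{M} - \mathbf{1}^T \otimes \mathbf{u}$ represents the error matrix between the unknown CSI $\mathbf{u}$ and the measurements $\mathbf{M}$, where $\otimes$ is the Kronecker product. We define the following problem:

$$\mathcal{B}: \quad \mathbf{u}^\star = \arg\min_{\mathbf{u} \in \mathbb{C}^{K \times 1}} \underbrace{\left\| \mathbf{M} - \mathbf{1}^T \otimes \mathbf{u} \right\|_F^2}_{J}, \qquad (7)$$

where $\|\cdot\|_F^2$ denotes the Frobenius norm. To solve problem $\mathcal{B}$, we have used several Kronecker product properties specified in Appendix A. Recalling that $\|\boldsymbol{\Delta}\|_F^2 = \mathrm{Tr}\left(\boldsymbol{\Delta}^T \boldsymbol{\Delta}\right)$, the objective function can be recast as $J = \mathrm{Tr}\left(\left(\mathbf{M} - \mathbf{1}^T \otimes \mathbf{u}\right)^T \left(\mathbf{M} - \mathbf{1}^T \otimes \mathbf{u}\right)\right)$. By employing Property 1 and Property 2, the objective collapses to $J = \mathrm{Tr}\left(\mathbf{M}^T \mathbf{M} - \mathbf{1} \otimes \mathbf{u}^T \mathbf{M} - \mathbf{M}^T \mathbf{1}^T \otimes \mathbf{u} + \mathbf{L} \otimes \mathbf{u}^T \mathbf{u}\right)$, where $\mathbf{L} = \mathbf{1}\mathbf{1}^T$. To find a critical point $\mathbf{u}^\star$ that minimizes $J$, we compute the gradient of $J$ with respect to $\mathbf{u}$ and equate it to zero, i.e., $\nabla_{\mathbf{u}} J = \mathbf{0}$. To this purpose, we resort to the use of differentials. Thus, $dJ = \mathrm{Tr}\left(-\mathbf{1} \otimes d\mathbf{u}^T \mathbf{M} - \mathbf{M}^T \mathbf{1}^T \otimes d\mathbf{u} + \mathbf{L} \otimes d\mathbf{u}^T \mathbf{u} + \mathbf{L} \otimes \mathbf{u}^T d\mathbf{u}\right)$, where $d$ denotes the differential operator and $d\mathbf{M} = \mathbf{0}$, $d\mathbf{L} = \mathbf{0}$. Using Property 2, Property 3 and Property 4, the differential of $J$ is expressed as $dJ = \mathrm{Tr}\left(-\mathbf{M}\mathbf{1} \otimes d\mathbf{u}^T - \mathbf{1}^T \otimes \mathbf{M}^T d\mathbf{u} + \mathbf{L} \otimes d\mathbf{u}^T \mathbf{u} + \mathbf{L} \otimes \mathbf{u}^T d\mathbf{u}\right)$. Now, by means of Property 4 and Property 5 we obtain $dJ = 2\,\mathrm{Tr}\left(\left(-(\mathbf{M}\mathbf{1})^T + N\mathbf{u}^T\right) d\mathbf{u}\right)$. The Frobenius inner product of two matrices $\mathbf{A}$ and $\mathbf{B}$ is defined as $\langle \mathbf{A}, \mathbf{B} \rangle_F \equiv \mathrm{Tr}\left(\mathbf{A}^T \mathbf{B}\right)$. Therefore, $dJ = 2 \langle -\mathbf{M}\mathbf{1} + N\mathbf{u}, d\mathbf{u} \rangle_F$, from where we obtain $\nabla_{\mathbf{u}} J = 2\left(-\mathbf{M}\mathbf{1} + N\mathbf{u}\right)$. Upon equating $\nabla_{\mathbf{u}} J$ to zero, we obtain $\mathbf{u}^\star = \frac{1}{N}\mathbf{M}\mathbf{1} = \frac{1}{N}\sum_{n=1}^{N} \mathbf{m}_n$. The denoised CSI phase $\boldsymbol{\Phi}$ for all subcarriers is computed as

$$\boldsymbol{\Phi}^\star = \arctan\left( \mathrm{Im}\left\{ \frac{1}{N}\sum_{n=1}^{N} \mathbf{m}_n \right\} \oslash \mathrm{Re}\left\{ \frac{1}{N}\sum_{n=1}^{N} \mathbf{m}_n \right\} \right). \qquad (8)$$

Since denoised CSI is available through (8), the radiometric fingerprint $\epsilon^\star$ can be extracted using (5) [23]. Fig. 11 shows the restored fingerprints for uniform and Gaussian distributions with mean $\mu_k = 0°$ and variance $\xi_k^2 = 60$ deg$^2$, for all subcarriers $k \in \mathcal{K}$. In both cases, we have collected $N = 10000$ measurements. We observe that the obtained fingerprints exhibit a small deviation with respect to the original one. When uniform distribution is used, the mean absolute error (MAE) is 0.7489°, whereas that of Gaussian distribution is 1.2252°. Although both distributions have a variance of $\xi_k^2 = 60$ deg$^2$, for the uniform case, this signifies that the range of phase rotations is bounded to [−99.2°; 99.2°]. However, for the Gaussian case, the range of rotation phases spans [−180°; 180°]. In Appendix B, we analyze the RF-Scope estimator under the Cramer-Rao bound (CRB) framework. We show that RF-Scope attains near-optimality in estimating the CSI.
Fig. 11. Restored fingerprint upon CSI denoising. We observe that an adversary capable of mounting a statistical attack can obtain the original fingerprint even after randomization. [Plot: fingerprint [deg] versus subcarrier index (k) for the original fingerprint and the fingerprints recovered under uniform and Gaussian randomization.]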
5.2 Statistical rationale for CSI denoising feasibility via RF-Scope
If an efficient estimator does not exist for an unknown variable, the maximum-likelihood estimation often yields an asymptotically efficient estimator for sufficiently large number of samples. Based on this premise, we expect the effect of randomization to be averaged out. Thus, motivated by the outcome of RF-Scope, we justify why the effect of randomization, introduced in Section 4, can be removed. By assuming that an adversary is capable of collecting an infinite number of measurements, we RF-Scope within the law of large numbers; which states that the average of outcomes obtained from a large number of experiments approximates the expected value.
Assumption: Let $f_{Z_k}(z_k)$ be a symmetric zero-mean probability density function governing the random phase rotation $Z_k$, spanning an interval with upper and lower bounds $z_k^U = R_k$ and $z_k^L = -R_k$, respectively.
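Invoking the assumption above, the expected value of the corrupted CSI information in subcarrier $k$ according to (6) is defined as $\mathbb{E}[\tilde{h}_k] = \mathbb{E}[h_k e^{jZ_k}] + \mathbb{E}[w_k]$, where $\mathbb{E}[h_k e^{jZ_k}] = h_k \mathbb{E}[e^{jZ_k}] = h_k \int_{-R_k}^{R_k} e^{jz_k} f_{Z_k}(z_k)\,dz_k$. Using integration by parts, $\mathbb{E}[e^{jZ_k}]$ can be recast as,

$$\mathbb{E}[e^{jZ_k}] = 2\sin(R_k) f_{Z_k}(R_k) - \int_{-R_k}^{R_k} \sin(z_k) f'_{Z_k}(z_k)\,dz_k + j\int_{-R_k}^{R_k} \cos(z_k) f'_{Z_k}(z_k)\,dz_k = \beta_k^{\mathrm{real}} + j\beta_k^{\mathrm{imag}}, \qquad (9)$$

where the equivalence $\int u\,dv = uv - \int v\,du$ is used assuming that $u = f_{Z_k}(z_k)$, $dv = e^{jz_k}\,dz_k$ and $f_{Z_k}(-R_k) = f_{Z_k}(R_k)$ due to symmetry. In the following, we instantiate three fundamental corollaries that allow us to gain insights on the characteristics of (9).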
Corollary 1: If $g(x)$ is an even function, then its derivative $g'(x)$ is an odd function.
Corollary 2: If $g(x)$ is even and $h(x)$ is odd, then $q(x) = g(x)h(x)$ is odd.
Corollary 3: If $g(x)$ is odd, then $\int_{-a}^{a} g(x)\,dx = 0$ for $a > 0$.
Fig. 12. Schematic overview of an RF-Veil transmitter and receiver. The flow-diagram in the center depicts the WiFi connection establishment and data exchange procedure (changes due to RF-Veil marked in red color). The ACK messages are not shown in the figure for readability. They are not modified in RF-Veil.
By means of Corollary 1, we assert that $f'_{Z_k}(z_k)$ is an odd function. Also, via Corollary 2, the function $\cos(z_k) f'_{Z_k}(z_k)$ is odd. Finally, by means of Corollary 3 the value of $\beta_k^{\mathrm{imag}} = \int_{-R_k}^{R_k} \cos(z_k) f'_{Z_k}(z_k)\,dz_k = 0$. As a result, $\mathbb{E}[h_k e^{jZ_k}] = \beta_k^{\mathrm{real}} h_k$, which shows that (on average) the CSI in every subcarrier $k$ is affected only by a real-value attenuation factor $\beta_k^{\mathrm{real}}$ without altering the phase.
Claim: When we obfuscate the fingerprints through phase randomization using symmetric zero-mean distributions, RF-Scope produces an unbiased estimator for the CSI phase.
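Harnessing this outcome, we compute the expected value of the proposed RF-Scope estimator, i.e., $\mathbb{E}[\mathbf{u}^\star] = \frac{1}{N}\sum_{n=1}^{N} \mathbb{E}[\mathbf{m}_n] = \frac{1}{N}\sum_{n=1}^{N} \mathbb{E}\left[\mathrm{diag}\left(e^{j\mathbf{z}_n}\right)\mathbf{h} + \mathbf{w}_n\right]$, where $\mathbf{z}_n = [Z_{n,1}, \cdots, Z_{n,K}]^T$ and $\mathbf{w}_n = [w_{n,1}, \cdots, w_{n,K}]^T$. Thus, $\mathbb{E}[\mathbf{u}^\star]$ reduces to

$$\mathbb{E}[\mathbf{u}^\star] = \begin{bmatrix} \beta_1^{\mathrm{real}} & \cdots & 0 \\ \vdots & \ddots & \vdots \\ 0 & \cdots & \beta_K^{\mathrm{real}} \end{bmatrix} \begin{bmatrix} |h_1| e^{j\phi_1} \\ \vdots \\ |h_K| e^{j\phi_K} \end{bmatrix}. \qquad (10)$$

From (10), we note that when the randomization scheme in Section 4 is used for CSI obfuscation, its effect can be removed via RF-Scope. Essentially, the restored CSI magnitudes $|h_k|$ are scaled by $\beta_k^{\mathrm{real}}$ but the phases $\phi_k$ remain unaffected. As a result, an adversary can extract the radiometric fingerprint $\epsilon$ (defined in (4)) from the restored CSI phase $\boldsymbol{\Phi}$. In order to prevent this outcome that infringes secrecy, a specific type of probability density function is required that prevents CSI denoising from collected measurements. This aspect is elaborated thoroughly in Section 6.2.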
5.3 Takeaway
Any system relying on randomization for improving security/privacy should prove robust against statistical attacks. Here we propose RF-Scope to assess the vulnerability of fingerprint randomization against these attacks. This tool will be later used to demonstrate the robustness of our proposed fingerprint obfuscation method (i.e., RF-Veil) against statistical attacks. Furthermore, we analyze the statistical rationale behind the aforementioned vulnerability. This analysis is then leveraged to devise suitable countermeasures in the next section.
6 RF-VEIL: A PRIVACY- AND SECURITY-PRESERVING SOLUTION FOR RADIOMETRIC FINGERPRINTING
In this section, we introduce our proposed technique RF-Veil, which injects crafted artificial noise to fingerprints in order to improve the robustness of WiFi transmissions against statistical attacks aiming at fingerprint acquisition. In Fig. 12, we illustrate the building blocks of RF-Veil. Note that, in RF-Veil-Standalone mode, we only need a subset of the blocks at the transmitter since the receiver does not perform any radiometric fingerprinting. To avoid repetition, we highlight the RF-Veil-Standalone-specific blocks and the algorithm workflow in this mode in Section 6.4.
A short overview of RF-Veil. As shown in Fig. 12, the transmitter uses a random number generator to generate a pattern that obfuscates its radiometric fingerprint on a per-frame basis. The random number generator follows a specific distribution that is robust against statistical attacks. The receiver requires the seed to the random generator in order to generate the same pattern, which is used for CSI denoising and fingerprint extraction. The details about standard compliancy, random sequence generation, and key exchange are elaborated below.
6.1 Association
In WiFi, every new device first associates to the AP upon arrival to the network. This includes exchanging the probe, authentication, and association request and response messages. It is within this stage that the AP and the device establish a secure connection. In RF-Veil, we require the access point and the client to exchange one more key, which is used as one of the inputs to the random number generator, as shown in Fig. 7. We choose to use a pre-shared key due to ease of implementation. However, one can leverage alternative secret key extraction methods that rely on channel response [22]. As a result, the receiver and transmitter do not require a security handshake in advance but use physical layer information to generate the secret keys.
At this stage, the AP can extract the real fingerprint of the client after obtaining the shared key. We elaborate further on this in Section 6.3.
6.2 Obfuscation at the transmitter
The main task of the transmitter consists in obfuscation, as depicted on the left-hand side
in Fig. 12. For every frame, a random sequence is generated using the pre-shared key and the
synchronization index.
Pre-shared key. In our implementation, we used a 128-bit key, which is refreshed every time the device re-associates with the AP. As a privacy protection measure, we obfuscate the fingerprint even before the association with an AP takes place. Hence, any frame transmitted from the devices (e.g., beacon, discovery) has an obfuscated fingerprint. In this case, it is advised to generate a new key periodically in order to protect against statistical attacks (see Section 4). We leave the frequency of key renewal as a design choice. Since renewing the pre-shared key does not impose considerable overhead, we suggest to lean towards higher security.
Synchronization index. Attaching a synchronization index to each frame has two purposes:
(i) synchronize the random generator between the receiver and the transmitter and (ii) protect
the receiver from replay attacks. The synchronization is important because the pre-shared key
only ensures that the random generators at both ends produce the same string of random numbers.
However, if a frame is lost, then the receiver may try to de-obfuscate the frame with the wrong
pattern. To prevent this, we attach an index for each frame, so that the receiver can use this index in
combination with the pre-shared key to generate a synchronized and secure randomization pattern.
We intentionally refrained from using the existing 12-bit MAC frame sequence number due to its
vulnerability to replay attacks. Even at low data rates, the 12-bit sequence number resets within
seconds, whereas our 32-bit sequence number takes 24 days to reset at the rate of 1000 frames per
second. We expect the WiFi connection to be re-initiated within such an interval. Even though
the exposure of this synchronization index does not expose legitimate users to security threats, it
can still be abused for tracking. Therefore, we encrypt this index with the pre-shared key via XOR
operations. We further discuss this approach in Section 8.
Once the obfuscation pattern is generated for all subcarriers, the symbols of the regular WiFi transmitter are rotated accordingly. The frame sequence number is then updated for the next frame and stored in a lookup-table (LUT). Finally, the symbols with phase rotations can be sent out over the air. However, one question still remains: how do we ensure robustness against statistical attacks?
Robustness against statistical attacks. In Section 5, we showed experimentally and analytically that obfuscation with symmetric zero-mean distributions is susceptible to statistical attacks. Recalling the analysis therein, a robust distribution against such attacks should have the following properties.
(P1): $f_Z(z) \geq 0$    (P2): $\int_{-\infty}^{\infty} f_Z(z)\,dz = 1$    (P3): $f_Z(z) \neq f_Z(-z)$    (P4): $\mathbb{E}[f_Z(z)] \neq 0$
Essentially, (P1) and (P2) are inherent properties of all probability density functions, i.e., they are non-negative, and the total area under the graph $f_Z(z)$ is equal to unity. On the one hand, (P3) requires the probability density function to be non-symmetric while (P4) states that it must not be centered around zero. These properties ensure that the effect of the random phase rotations will prevail even if a statistical attack is perpetrated. In Section 7, we corroborate experimentally that probability density functions complying with (P1), (P2), (P3) and (P4) can conceal the radiometric fingerprint effectively.
In the following, we justify the necessity for (P3) and (P4). From (9), we note that $\mathbb{E}[e^{jZ_k}] = \beta_k^{\mathrm{real}} + j\beta_k^{\mathrm{imag}}$ must be complex-valued in order to prevent the phase randomization effect from being removed. This is attained when the term $\beta_k^{\mathrm{imag}} = \int_{-R_k}^{R_k} \cos(z_k) f'_{Z_k}(z_k)\,dz_k \neq 0$, which produces a non-zero phase shift that is absorbed by the CSI phase thus concealing the fingerprint. In order for this to hold, $\cos(z_k) f'_{Z_k}(z_k)$ must not be an odd function according to Corollary 3. Since $\cos(z_k)$ is an even function, this also signifies that $f'_{Z_k}(z_k)$ must not be an odd function according to Corollary 2. Via Corollary 1, this requirement is satisfied when $f_{Z_k}(z_k)$ is not an even function. Therefore, it is revealed that we can design arbitrary probability density functions $f_{Z_k}(z_k)$ that are not even with non-zero mean, thus yielding the desired effect that prevents phase randomization removal.
A simple yet effective manner to meet the above criteria is using a shifted even probability density function (e.g., shifted Gaussian or uniform distribution). We will experimentally prove that in Section 7.2.
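The averaging argument of Section 5.2 and the mean-shift countermeasure described above can be checked in simulation. The following Python sketch is an added example, not the authors' RF-Scope or RF-Veil code; the CSI values, noise level, Gaussian rotations, shift range and all function names are constructed assumptions.

```python
import cmath
import math
import random

K = 52                       # subcarriers (constructed setup)
SIGMA_DEG = math.sqrt(60.0)  # xi_k^2 = 60 deg^2, the variance used in the page's experiments
NOISE_STD = 0.05             # assumed std of each real/imaginary component of w_k


def make_csi(rng):
    """Constructed legitimate CSI h_k = |h_k| e^{j phi_k}, one value per subcarrier."""
    return [cmath.rect(rng.uniform(0.8, 1.2), math.radians(rng.uniform(-25.0, 40.0)))
            for _ in range(K)]


def averaged_csi(h, mu_deg, n_frames, rng, derotate=False):
    """Average N obfuscated measurements m_n = h e^{j z_n} + w_n per subcarrier.

    derotate=False: an observer without the key, i.e. u* = (1/N) sum_n m_n.
    derotate=True : a receiver that regenerates z_n and applies e^{-j z_n} first.
    """
    acc = [0j] * K
    for _ in range(n_frames):
        for k in range(K):
            z = math.radians(rng.gauss(mu_deg[k], SIGMA_DEG))
            w = complex(rng.gauss(0.0, NOISE_STD), rng.gauss(0.0, NOISE_STD))
            m = h[k] * cmath.exp(1j * z) + w
            acc[k] += m * cmath.exp(-1j * z) if derotate else m
    return [a / n_frames for a in acc]


def phase_errors_deg(estimate, h):
    """Per-subcarrier phase error of the estimate, in degrees, wrapped to (-180, 180]."""
    return [math.degrees(cmath.phase(e / t)) for e, t in zip(estimate, h)]


def mae(values):
    """Mean absolute value of a list of angles in degrees."""
    return sum(abs(v) for v in values) / len(values)


def run(n_frames=2000, seed=7):
    rng = random.Random(seed)
    h = make_csi(rng)
    zero_mean = [0.0] * K
    # Shifted means: a per-subcarrier pattern with |mu_k| in [10, 40] deg (assumed range).
    shifted = [rng.choice((-1.0, 1.0)) * rng.uniform(10.0, 40.0) for _ in range(K)]

    err_zero = phase_errors_deg(averaged_csi(h, zero_mean, n_frames, rng), h)
    err_shift = phase_errors_deg(averaged_csi(h, shifted, n_frames, rng), h)
    err_rx = phase_errors_deg(averaged_csi(h, shifted, n_frames, rng, derotate=True), h)

    # With shifted means the averaged phase is offset by mu_k: removing the known
    # mu_k leaves only estimation noise, which is what beta_imag != 0 predicts.
    residual = [e - m for e, m in zip(err_shift, shifted)]
    return {
        "zero_mean_mae": mae(err_zero),      # averaging removes zero-mean rotations
        "shifted_mae": mae(err_shift),       # averaging does not remove shifted rotations
        "mean_abs_shift": mae(shifted),
        "bias_residual_mae": mae(residual),
        "receiver_mae": mae(err_rx),         # keyed receiver still recovers the phase
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name:>18}: {value:6.2f} deg")
```
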
6.3 De-obfuscation and authentication at the receiver
The right-hand side of Fig. 12 shows the two main tasks of the receiver: de-obfuscation and
authentication.
De-obfuscation. Having the synchronization index and pre-shared key, the receiver can regenerate the obfuscation pattern (i.e., randomized phase rotations) of the transmitted frame. This allows the receiver to extract the original fingerprint. This is done easily by subtracting the obfuscation pattern from the phase of the received signal.
Authentication. The receiver verifies the restored fingerprint against the original fingerprint of the transmitter to authenticate the received frame. In addition, the receiver verifies that the synchronization index is larger than that in the last received frame. A frame whose synchronization index is less than or equal to the last frame is probably sent from an adversary attempting a replay attack.
We highlight that with RF-Veil, WiFi devices can always obfuscate their fingerprint. We mentioned in Section 4 that RF-Veil is designed such that obfuscation does not impact the communication performance. Hence, user privacy is always ensured through fingerprint concealment.
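The transmitter steps of Section 6.2 and the receiver checks of Section 6.3, worked through in the phase domain as an added example that is not the authors' implementation. HMAC-SHA256 stands in for the unspecified random generator, and the key, fingerprint values, rotation range, matching tolerance and index-masking layout are constructed assumptions.

```python
import hashlib
import hmac
import math
import struct

K = 52                            # subcarriers (constructed)
LOW_DEG, HIGH_DEG = -20.0, 60.0   # assumed non-symmetric, non-zero-mean rotation range


def wrap_deg(x):
    """Wrap an angle in degrees to [-180, 180)."""
    return (x + 180.0) % 360.0 - 180.0


def pattern_deg(key, sync_index):
    """Per-frame rotation pattern derived from the key and the 32-bit index.

    HMAC-SHA256 in counter mode is an assumed stand-in for the page's generator.
    """
    out, block = [], 0
    while len(out) < K:
        digest = hmac.new(key, struct.pack(">II", sync_index, block),
                          hashlib.sha256).digest()
        for (v,) in struct.iter_unpack(">H", digest):
            out.append(LOW_DEG + (HIGH_DEG - LOW_DEG) * v / 65535.0)
        block += 1
    return out[:K]


def mask_index(key, value):
    """XOR a 32-bit index with the first 32 bits of the key (assumed layout).

    XOR is its own inverse, so the same call masks and unmasks. A fixed mask
    hides the counter value, but mask(i) ^ mask(j) == i ^ j for any key.
    """
    return value ^ struct.unpack(">I", key[:4])[0]


def transmit(key, sync_index, fingerprint_deg):
    """Return (masked index, obfuscated per-subcarrier phase) for one frame."""
    pat = pattern_deg(key, sync_index)
    phases = [wrap_deg(f + p) for f, p in zip(fingerprint_deg, pat)]
    return mask_index(key, sync_index), phases


class Receiver:
    def __init__(self, key, enrolled_deg, tol_deg=2.0):
        self.key, self.enrolled, self.tol = key, enrolled_deg, tol_deg
        self.last_index = -1

    def check(self, masked_index, phases_deg):
        idx = mask_index(self.key, masked_index)
        if idx <= self.last_index:            # index must strictly increase
            return "replay"
        pat = pattern_deg(self.key, idx)      # regenerate, then subtract the pattern
        restored = [wrap_deg(o - p) for o, p in zip(phases_deg, pat)]
        err = sum(abs(wrap_deg(r - e)) for r, e in zip(restored, self.enrolled)) / K
        if err > self.tol:
            return "mismatch"
        self.last_index = idx                 # advance only on an authenticated frame
        return "ok"


def demo():
    key = bytes(range(16))                               # constructed 128-bit key
    fp = [10.0 * math.sin(k / 5.0) for k in range(K)]    # constructed fingerprint
    other = [v + 8.0 for v in fp]                        # a different device
    rx = Receiver(key, fp)
    f1 = transmit(key, 1000, fp)
    f3 = transmit(key, 1002, fp)                         # frame 1001 is lost in transit
    return [
        rx.check(*f1),                                   # first frame
        rx.check(*f1),                                   # same frame delivered again
        rx.check(*f3),                                   # gap in indices is tolerated
        rx.check(*transmit(key, 1003, other)),           # right key, other fingerprint
        rx.check(*transmit(bytes(16), 1004, fp)),        # right fingerprint, wrong key
    ]


if __name__ == "__main__":
    print(demo())
```
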
6.4 RF-Veil-Standalone mode
In this mode, we allow the transmitting device to hide its fingerprint by executing the obfuscation blocks without any handshake or coordination with other receivers. Specifically, the device generates locally a synchronization index and the key, which are used as inputs for fingerprint obfuscation, as depicted in the transmitter side of Fig. 12. As a result, we can ensure privacy protection in a much broader scenario, e.g., communicating with non-RF-Veil-enabled devices, in absence of any active connections, or in connection establishment phase.
Fig. 13. Schematic overview of the hardware setup.
6.5 SDR implementation
We have implemented RF-Veil using the USRP 2954R SDR platform. A simplified overview of the hardware used in our setup is depicted in Fig. 13. Each USRP is connected via PCI-e interface to a host machine running NI-Linux RT (kernel version 4.1.13-rt15-nilrt). We build RF-Veil using NI 802.11 application framework (AFW)², which provides the physical layer and lower MAC layer functions in the FPGA, while the rest of the MAC procedures run at the host (Linux RT in our setup). We provide a detailed overview of the existing implementation in Appendix D. Due to space constraints, we do not delve into the SDR implementation details. Our implementation and data is available online³. The following briefly describes the setup.
Fingerprint extraction at the receiver. The physical layer implementation of 802.11 AFW already includes CSI estimation in the FPGA. For our implementation, we have transferred the CSI from the FPGA to the host via a Target-to-Host (T2H) FIFO on a per-frame basis. This enables fast prototyping while maintaining real-time operation of the testbed. Having the CSI, we implemented the radiometric fingerprinting using non-linear phase errors, as described in Section 2.2.
Fingerprint modification at the transmitter. These are required modifications at both the FPGA and the host. At the host, we compute the obfuscation pattern, which is sent to the FPGA on a per-frame basis. We made use of the interprocess communication protocol by NI to send packets containing the additional phase rotations. Then, we modified the transmitter chain at the FPGA to read the obfuscation pattern and multiply each outgoing symbol with the corresponding phase rotations. This increases the latency of the transmission chain by 5 clock cycles (12.5 ns).
Secure fingerprinting. We implement RF-Veil on top of the Fingerprint Extraction and Fingerprint Modification modules on the host. We extend the packet headers so as to also carry the 32-bit synchronization index chosen at the transmitter. When a new packet is being prepared for transmission, the MAC header is used to obtain the key and synchronization index from the LUT. Then, the obfuscation pattern is generated using the key and synchronization index. This pattern serves as input for the Fingerprint Modification module, which then pushes the values to the PHY. At the receiver side, the CSI is written into the T2H Channel Estimation FIFO at the PHY. The frame reception continues on the FPGA while the implementation of RF-Veil runs on the output of the FIFO at the host. After the information for random pattern generation is obtained, and the randomization is reverted, the fingerprint is calculated by the Fingerprint Extraction module. The obtained fingerprint is then passed to the Matcher to be compared with the original fingerprint for authentication.
6.6 Takeaway
In this section, we elaborated on the workings behind RF-Veil and its standalone-mode. We devised the idea of synchronized obfuscation with special probability density functions to counter the statistical attacks introduced in Section 5, as well as the tracking and impersonation attacks introduced in Section 3. The prototype implementation of RF-Veil on a USRP SDR platform enables us to experimentally evaluate the performance of our approach. The takeaway message is that RF-Veil introduces low overhead to the existing WiFi message flow while providing enhanced privacy for users and a secure way of physical layer device identification.
² http://www.ni.com/pdf/manuals/376779f.pdf
³ https://github.com/seemoo-lab/RF-Veil
Fig. 14. Mean absolute error (MAE) for different symmetric zero-mean distributions using RF-Scope in 802.11ac. These results show that zero-mean randomization is not robust against statistical attacks since the fingerprint can be obtained with high accuracy and negligible error (below 2%). [Four panels: Uniform, Gaussian, Laplacian, Triangular; MAE [deg] versus number of samples (N) for ξ² = 5, 20, 40, 60.]
7 EVALUATION
In this section, we first evaluate the efficacy of the impersonation attack introduced in Section 3. We then leverage RF-Scope to provide a broader assessment of the performance of naive randomization (i.e., obfuscation via zero-mean distributions) and RF-Veil against statistical attacks.
7.1 Performance of naive randomization
In Section 5, we demonstrated the vulnerability of obfuscation, with zero-mean distributions, to statistical attacks experimentally and analytically. In particular, we showed that an adversary can easily restore the original fingerprint from 10000 frames. However, we have neither studied the impact of number of samples, nor considered the effect of the distribution's variance on the accuracy of the restored fingerprint by the adversary. To this aim, in Fig. 14, we show the mean absolute error (MAE) of the adversary's estimate of the original fingerprint when using RF-Scope in 802.11ac. The figure demonstrates the results under four distributions, namely, uniform, Gaussian, Laplacian, and triangular. For each distribution, we compute the MAE with four variances. Here we make two key observations: (i) the adversary can restore the original fingerprint with very high accuracy by just processing the CSI of ∼2000 frames (a couple of seconds⁴), and (ii) the CSI-recovery error increases with the variance of randomization since larger variance leads to higher entropy of the obfuscated fingerprints. This behavior is mainly observed when the number of samples is low. As more samples are processed, the estimation error converges to nearly the same value (this is also supported by equation (B7) in Appendix B). Nonetheless, an adversary can still obtain accurate estimates of the original fingerprint with negligible error even when distributions with large variances are employed. For instance, with only 1000 CSI samples, the MAE is below 3° for distributions with a variance of 60 deg$^2$. For small variances such as $\xi^2 = 5$ deg$^2$, with only 500 samples (roughly 0.5 seconds), the estimation error is consistently below 1° for all distributions. We observe a similar trend with 802.11a, whose results are available in Appendix C.
Remarks: We have shown experimentally that the effect of naive randomization can be removed if an attacker is capable of collecting a few thousand samples to mount a statistical attack. Thus, naive randomization does not protect the fingerprint of devices.
⁴ In estimating the time for collecting a given number of frames, we assume that the user transmits at ∼8 Mbps. This number is referential and is intended to provide an estimate of how fast an adversary can mount a statistical attack.
Fig. 15. Restored fingerprint after obfuscation with RF-Veil. Note that RF-Veil prevents potential adversaries from infringing privacy and security since the original fingerprint cannot be recovered. In this experiment, the RF-Veil transmitters use the same values for shifting the means across the subcarriers. Hence, it is the expected behavior that the restored fingerprints for the different random distributions are similar. [Plot: fingerprint [deg] versus subcarrier index (k) for the original fingerprint and the uniform, Gaussian, Laplacian and triangular cases.]
Fig. 16. Mean absolute error (MAE) using RF-Scope in 802.11ac after fingerprint obfuscation via RF-Veil. Since the error is high, RF-Veil prevents adversaries from obtaining the fingerprint of the targeted victim. [Four panels: Uniform, Gaussian, Laplacian, Triangular; MAE [deg] versus number of samples (N) for ξ² = 5, 20, 40, 60.]
7.2 RF-Veil performance
In this experiment, we evaluate the security and privacy enhancement achieved by RF-Veil. Following the conditions for randomization patterns that are robust to statistical attacks (see Section 6.2), we obfuscate the original signature of the device using the same four distributions whose mean values are now shifted according to a random pattern, unlike the previous experiment. The results of this experiment in legacy mode 802.11a are provided in Appendix C. As depicted in Fig. 15, the recovered fingerprints using RF-Scope deviate from the original fingerprint substantially and follow the course of a random pattern. Essentially, when an adversary uses statistical analysis to identify devices, the extracted fingerprint will not match with the original fingerprint. To shed light on this aspect, Fig. 16 depicts the MAE of fingerprints restored by RF-Scope with increasing sample sizes and under different variances. As compared to the low MAE in Fig. 14 (3°) where zero-mean distributions are used, the MAE in Fig. 16 increases approximately by 4-fold (13°) regardless of the variances and sample sizes used. While all the variances lead to nearly the same error when $N$ is large, we observe that a large variance produces more variability in the MAE, especially with a small number of samples $N$. On the other hand, small variances produce a more condensed range of MAE values throughout all $N$. This result demonstrates two promising properties of RF-Veil: (i) the adversary's estimate does not improve even with large number of samples, and (ii) the impact of the variance on estimation is almost negligible as all the errors converge to a similar value (also supported by equation (B7) in Appendix B). Note that the random pattern in Fig. 15 is generated approximately within the same phase-error range as the original fingerprint (i.e., between −25° and 40°). Therefore, the attained MAE is not excessively large. However, the MAE can be arbitrarily larger if we construct the pattern spanning a wider range.
Remarks: RF-Veil protects users' privacy by preventing adversaries from estimating the original fingerprint for tracking/locating the user. Furthermore, the security is also enhanced, since the adversary cannot successfully forge the original fingerprints of other devices.
Fig. 17. Average throughput of regular 802.11ac and RF-Veil in different distances and with different MCS over the course of 60 seconds. Here, we prove experimentally that RF-Veil does not impact the throughput. [Bar chart: throughput [Mbps] of standard WiFi and WiFi with RF-Veil for 64QAM, 16QAM, QPSK and BPSK at 2 m, 5 m, 10 m and 20 m.]
Effect of RF-Veil on throughput. In Section 4, we analytically showed that RF-Veil does not impact the throughput of WiFi communication. Here, we confirm our analysis with experiments. We design an experiment in which we measure the throughput of two WiFi devices at different distances (up to 20 m) and under distinct modulation and coding schemes (MCS) (up to 64 QAM) with/without RF-Veil. Fig. 17 demonstrates that RF-Veil does not impact the throughput of the system, thus confirming our analysis. This is because the fingerprint obfuscation of RF-Veil is based only on phase rotations of the I/Q symbols within a frame. In particular, such rotations do not affect the WiFi channel estimation since their effect is removed at the legitimate receivers. In the figure, we only show the result of obfuscation with uniform random distribution with $\xi^2 = 60$°. However, we report that the other random distributions (Gaussian, Laplacian, and triangular) do not impact the throughput either. In this experiment, we also measured the computational overhead of RF-Veil. Our measurements show that RF-Veil has an average execution time of 49.495 microseconds, even though we implemented most parts of RF-Veil on the host (i.e., a Windows machine). We expect the execution time to drop by at least an order of magnitude in real-time kernel or FPGA implementation.
Remark: RF-Veil has low computational overhead and does not impact the communication quality.
8 DISCUSSION
In this section, we discuss some of the practical aspects of RF-Veil.
To share or not to share? For the secure CSI-denoising when using RF-Veil, we use a symmetric shared key as it provides the easiest way of synchronizing the random number generators at the transmitter and receiver. Furthermore, the synchronization index can be easily encrypted by XOR-ing the index with the shared key. An alternative to the key exchange we use in Section 6.1 is a key extraction mechanism based on physical layer properties, such as [22]. This key extraction method leverages channel response information at the transmitter and receiver to generate symmetric keys. Note that RF-Veil is compatible with both methods. Regardless of the method, the key should be renewed at certain intervals, which brings us to the next point in our discussion.
How often should we renew the key? The monotonically increasing 32-bit synchronization index ensures that, even if the transmitter keeps the symmetric key static for a certain time, they do not repeat the pattern of phase rotations. If the synchronization index wraps around at its maximum of $2^{32} = 4\,294\,967\,296$, the pattern of random phase rotations is repeated, and an adversary can potentially launch a replay attack. In order to thwart such an attack, the key has to be renewed before the transmitter starts to re-use their synchronization indices for this key. Furthermore, it is important to point out that the transmitter initializes the synchronization index with a number between 0 and 2 147 483 648, which ensures that a part of the key cannot be guessed from the encrypted synchronization index in the frame. We plot the minimum time for key refreshment under different transmission rates in Fig. 18 (for the worst case in which the transmitter chose to start at 2 147 483 648). We observe that the key has to be refreshed every 596 hours (24.8 days), assuming an average of 1000 packets per second. Even if we assume that the transmitter sends on average 25 000 packets per second, which would imply a rate of 462.4 Mbps, it will exhaust the number of available synchronization indices in 23.8 hours. Thus, even at very high rates (5 TByte of traffic per day), the key exchange is not too frequent. Note that increasing the frequency of key exchange does not decrease the security level but increases the overhead since the keys are either transmitted encrypted by WPA2 or extracted by both transmitter and receiver using key extraction methods [22]. Subsequently, an exposure of this key would affect the privacy and security of the connection until a new key is exchanged.

[Figure: key renewal time [hours] versus packets per second.]
Fig. 18. Time to renew the key for different sending rates.
What if a frame is rejected? A frame can be rejected for two different events: (i) the calculated frame check sequence (FCS) of the frame does not match the actual FCS in the frame, and (ii) the fingerprinting algorithm rejects the frame (e.g., the extracted fingerprint differs from the expected one). In both cases, we let the MAC layer handle the re-transmission. In the case of a rejected frame, an RF-Veil transmitter does not re-use the synchronization index of the frame that is to be re-transmitted; instead, it increases the count as if a new frame was transmitted. This is crucial to guarantee the security of the system as the encryption of the same synchronization index would lead to the same cipher-text.
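The index handling described in the two paragraphs above (renew the key before the 32-bit synchronization index runs out, and give a re-transmitted frame a fresh index), as an added sketch that is not the authors' implementation. The names `SyncIndexAllocator`, `renewal_deadline_hours` and `xor_index`, the 32-bit width of the key material XORed with the index, and the `index_space` parameter (which allows a small index range for demonstration) are assumptions of this example.

```python
import secrets
from typing import Optional, Tuple

INDEX_SPACE = 2**32  # 32-bit synchronization index, as stated in the text


class RekeyRequired(Exception):
    """No unused synchronization index is left under the current key."""


def renewal_deadline_hours(start_index: int, packets_per_second: float,
                           index_space: int = INDEX_SPACE) -> float:
    """Hours until every index from start_index to index_space - 1 is used."""
    if not 0 <= start_index <= index_space // 2:
        raise ValueError("start index must lie in [0, index_space / 2]")
    if packets_per_second <= 0:
        raise ValueError("packet rate must be positive")
    return (index_space - start_index) / packets_per_second / 3600.0


def xor_index(index: int, key32: int) -> int:
    """XOR the index with the key; applying it twice recovers the index."""
    return (index ^ key32) & 0xFFFFFFFF


class SyncIndexAllocator:
    """Transmitter-side counter that uses each index at most once per key."""

    def __init__(self, key32: int, start_index: Optional[int] = None,
                 index_space: int = INDEX_SPACE):
        self._space = index_space
        self.rekey(key32, start_index)

    def rekey(self, key32: int, start_index: Optional[int] = None) -> None:
        """Install a fresh key and a new start in [0, index_space / 2]."""
        if not 0 <= key32 < 2**32:
            raise ValueError("key32 must be a 32-bit value (assumed width)")
        if start_index is None:
            start_index = secrets.randbelow(self._space // 2 + 1)
        if not 0 <= start_index <= self._space // 2:
            raise ValueError("start index must lie in [0, index_space / 2]")
        self._key = key32
        self._next = start_index

    def remaining(self) -> int:
        """Number of indices still unused under the current key."""
        return self._space - self._next

    def next_frame(self) -> Tuple[int, int]:
        """Return (index, encrypted index) for a new frame."""
        if self._next >= self._space:
            raise RekeyRequired("synchronization indices exhausted; renew the key")
        index = self._next
        self._next += 1
        return index, xor_index(index, self._key)

    def retransmit(self) -> Tuple[int, int]:
        """A rejected frame is re-sent under a fresh index, never the old one."""
        return self.next_frame()


if __name__ == "__main__":
    # Worst case from the text: the counter starts at 2 147 483 648.
    for pps in (1000, 25000):
        hours = renewal_deadline_hours(2**31, pps)
        print(f"{pps} packets/s: renew the key within {hours:.1f} h")

    # Constructed key and a tiny index space so exhaustion is visible.
    tx = SyncIndexAllocator(key32=0x5EED1234, start_index=4, index_space=8)
    first = tx.next_frame()
    resent = tx.retransmit()
    print("first frame:", first, "re-transmission:", resent)
    print("indices left before rekey:", tx.remaining())
```

Because `retransmit` consumes a new index, the encrypted index of a re-sent frame always differs from that of the rejected frame, and `RekeyRequired` marks the point at which the key must be renewed.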
What if a device is not yet connected? If a device is not connected to an AP, it can still obfuscate its fingerprint by using RF-Veil-Standalone mode in order to lead a potential privacy-intruding adversary astray. Once the device is connected to an AP and the pre-shared key has been established, it can switch into RF-Veil mode, allowing the AP to securely extract the unrandomized fingerprint. This same mechanism applies to the probe requests and acknowledgments in response to probe responses from APs during active scanning. Note that, when the device is not associated to an AP, it can simply use a random key.
How does an RF-Veil transmitter communicate with a non-RF-Veil receiver? Recalling Section 4, the obfuscation of fingerprints does not degrade the channel quality as the channel estimation and equalization at the receiver can handle the arbitrary phase shifts introduced by the transmitter. Specifically, the additional phase rotations are absorbed by the CSI, and as long as the same phase rotation pattern is used for all the subcarriers within the frame, the receiver will assume that such CSI is legitimate. Hence, a receiver that is not aware of RF-Veil will simply revert the phase shifts together with the channel effects. In other words, a transmitter using the RF-Veil-Standalone mode can still communicate with a legacy receiver. This receiver, however, will not be able to extract the correct fingerprint of the transmitter.
Can we implement RF-Veil on commercial off-the-shelf (COTS) devices? In recent years, a number of research groups have developed firmware modification/patching tools which allow manipulating MAC/PHY layer operations of the WiFi chipset. Although out of scope of this work, we believe that RF-Veil can be implemented on COTS devices using such tools. In particular, Schulz et al. [33] demonstrate the feasibility of modifying IQ symbols in commercial APs equipped with Broadcom chipsets using their firmware patching framework, i.e., nexmon⁵.
9 RELATED WORK
To date, we have not found any prior work on radiometric fingerprint obfuscation. Prior works only focused on thwarting identification techniques that used packet metadata (frame size, data rate, inter-packet time, etc.) and friendly jamming [29], upper-layer characteristics such as jitter of beacon timestamps [2], rate switching mechanisms [9], and under-specification of the MAC layer protocols and procedures [4, 6]. The proposed countermeasures for these upper-layer fingerprinting techniques consist of pattern randomization [15, 19, 28, 36], similar to ours. However, unlike RF-Veil, their approach eliminates the possibility of legitimate fingerprinting. Furthermore, the solutions therein are not tested against statistical attacks.

In the following, we provide a broader overview of the radiometric fingerprinting solutions, which can be categorized into transient-based and modulation-based approaches.
9.1 Transient-based approaches
The transient refers to the part of the signal in which the amplitude rises from background noise to full power [30]. Given its dependence on the hardware characteristics, a transient is a reliable feature for device identification by tracking the small but measurable differences in the turn-on transients. This can, for example, include the duration of turn-on transient [30] or standard deviation of normalized amplitude, phase, and frequency [16]. These approaches are cumbersome since they rely on the exact extraction of the transient portion of signals, which further depends on the channel noise. To ensure accurate and timely detection of the transient despite the channel noise, a very high sampling rate is required, which is typically achievable by high-end oscilloscopes (e.g., 4 Giga samples per second in [11]).
9.2 Modulation-based approaches
Modulation- or steady-state approaches, as the name suggests, make use of errors in the modulated signal. The seminal work of Brik et al. [5] proposes to collect the fingerprints from five features of the modulated signal, that is, magnitude, phase and frequency error, I/Q origin offset, and SYNC correlation. They show experimentally that their solution, called PARADIS, can differentiate among 130 identical IEEE 802.11b devices with an accuracy above 99% even under mobility and varying noise conditions. Similar to the transient-based approaches, their approach requires additional equipment since they rely on high-end vector analyzers for channel sampling.

Motivated by their work, recent approaches [18, 23] propose to use the CSI obtained from the pilot symbols which are readily available on WiFi chipsets, such as the Intel 5300 or Atheros AR9380. Specifically, Hua et al. [18] propose to compute the fingerprint using a combination of CFO extracted from the CSI and time difference of arrival (TDoA) computed from capturing 5000 adjacent frames. Furthermore, they require the device to remain stationary for at least 10 seconds for authenticating a device based on the previously collected fingerprint. The most recent work on radiometric fingerprinting [23] makes use of the non-linear phase errors extracted from CSI. Their work takes advantage of non-linear phase error extraction methods proposed by Zhuo et al. in [41].

In this paper, we work toward obfuscating the radiometric fingerprints caused by non-linear phase errors [23, 41] since it neither relies on RF equipment with very high sampling rates nor requires a large number of frames or stationary user behavior for fingerprinting. Nonetheless, RF-Veil's approach can be extended to other features of the signal that are controllable at the chipset, such as CFO and amplitude.

⁵ https://github.com/seemoo-lab/nexmon
10 CONCLUSIONS
Radiometric fingerprinting is typically considered a secure method for device identification [23, 31, 39]. In this paper, we first demonstrate the vulnerability of the latest CSI-based radiometric identification schemes to impersonation attacks, which emphasizes the need for fingerprinting solutions that are robust against adversarial attacks on user security and privacy. We also illustrate that a naive fingerprint-randomization approach does not withstand adversaries capable of mounting statistical attacks (i.e., RF-Scope in this paper). Consequently, we devise RF-Veil, a framework that enhances user privacy against fingerprint-based tracking/localization attacks, and is robust to statistical, impersonation, and replay attacks.

To the best of our knowledge, this is the first article that addresses the vulnerabilities of radiometric fingerprints. Hence, we foresee a few avenues of research as future work. Leveraging the randomization patterns to create a side-channel between the receiver and transmitter is an interesting method for exchanging the synchronization index. Furthermore, extending RF-Veil to support MIMO transmissions or other signal characteristics such as CFO is another direction to further enhance user privacy. Randomizing the STFs and its impact on the communication and radiometric fingerprints is also an interesting research avenue. Further, investigating new distribution functions for the phase rotations that not only preserve security and communication but also reduce the peak-to-average power ratio is an interesting research direction, especially for achieving high energy efficiency in low-power IoT devices.
ACKNOWLEDGMENTS
This research is conducted in the context of the DFG-funded project SenShield (447586980). This work is in part supported by the B5G-Cell project in SFB 1053 MAKI and by the LOEWE initiative (Hesse, Germany) within the emergenCITY center. We would like to thank Clemens Felber and Dr. Walter P. Nitzold from NI, Dresden, for their valuable guidance in modification of WiFi LabVIEW AFW.
REFERENCES
[1] Luis F. Abanto-Leon, Gek Hong (Allyson) Sim, Matthias Hollick, Amnart Boonkajay, and Fumiyuki Adachi. 2020. SWAN: Swarm-Based Low-Complexity Scheme for PAPR Reduction. In IEEE GLOBECOM. 1–7.
[2] Chrisil Arackaparambil, Sergey Bratus, Anna Shubina, and David Kotz. 2010. On the Reliability of Wireless Fingerprinting using Clock Skews. In ACM WiSec. 169–174.
[3] Mihir Bellare and Tadayoshi Kohno. 2004. Hash function balance and its impact on birthday attacks. In International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 401–418.
[4] Sergey Bratus, Cory Cornelius, David Kotz, and Daniel Peebles. 2008. Active Behavioral Fingerprinting of Wireless Devices. In ACM WiSec. 56–61.
[5] Vladimir Brik, Suman Banerjee, Marco Gruteser, and Sangho Oh. 2008. Wireless Device Identification with Radiometric Signatures. In ACM MobiCom. 116–127.
[6] Johnny Cache. 2006. Fingerprinting 802.11 Devices. Ph.D. Dissertation. Naval Postgraduate School.
[7] Milos Cermak, Stefan Svorencik, Robert Lipovsky, and Ondrej Kubovic. 2020. KR00K - CVE-2019-15126. Technical Report. ESET.
[8] Marco Cominelli, Felix Kosterhon, Francesco Gringoli, Renato Lo Cigno, and Arash Asadi. 2020. An Experimental Study of CSI Management to Preserve Location Privacy. In ACM WiNTECH. 64–71.
[9] Cherita L Corbett, Raheem A Beyah, and John A Copeland. 2008. Passive Classification of Wireless NICs during Active Scanning. International Journal of Information Security 7, 5 (2008), 335–348.
[10] A. N. D’Andrea, U. Mengali, and R. Reggiannini. 1994. The Modified Cramer-Rao Bound and its Application to Synchronization Problems. IEEE Transactions on Communications 42, 234 (Feb 1994), 1391–1399.
[11] Boris Danev and Srdjan Capkun. 2009. Transient-based Identification of Wireless Sensor Nodes. In ACM IPSN. 25–36.
[12] Scott Fluhrer, Itsik Mantin, and Adi Shamir. 2001. Weaknesses in the Key Scheduling Algorithm of RC4. In SAC. Springer Berlin Heidelberg, 1–24.
[13] Robert M. Gray. 2006. Toeplitz and Circulant Matrices: A Review. Foundations and Trends® in Communications and Information Theory 2, 3 (2006), 155–239. https://doi.org/10.1561/0100000006
[14] Francesco Gringoli, Matthias Schulz, Jakob Link, and Matthias Hollick. 2019. Free Your CSI: A Channel State Information Extraction Platform For Modern Wi-Fi Chipsets. In ACM WiNTECH. 21–28.
[15] Marco Gruteser and Dirk Grunwald. 2005. Enhancing Location Privacy in Wireless LAN through Disposable Interface Identifiers: A Quantitative Analysis. Mobile Networks and Applications 10, 3 (2005), 315–325.
[16] Jeyanthi Hall, Michel Barbeau, and Evangelos Kranakis. 2004. Enhancing intrusion detection in wireless networks using radio frequency fingerprinting. ICCIIT, 1–6.
[17] Daniel Halperin, Wenjun Hu, Anmol Sheth, and David Wetherall. 2011. Tool Release: Gathering 802.11 n Traces with Channel State Information. ACM SIGCOMM 41, 1 (Jan 2011), 53–53.
[18] Jingyu Hua, Hongyi Sun, Zhenyu Shen, Zhiyun Qian, and Sheng Zhong. 2018. Accurate and Efficient Wireless Device Fingerprinting Using Channel State Information. In IEEE INFOCOM. 1700–1708.
[19] Jafar Haadi Jafarian, Amirreza Niakanlahiji, Ehab Al-Shaer, and Qi Duan. 2016. Multi-Dimensional Host Identity Anonymization for Defeating Skilled Attackers. In Proceedings of the 2016 ACM Workshop on Moving Target Defense. 47–58.
[20] Steven M. Kay. 1993. Fundamentals of Statistical Signal Processing, Volume I: Estimation Theory. Prentice Hall.
[21] Guyue Li, Jiabao Yu, Yuexiu Xing, and Aiqun Hu. 2019. Location-Invariant Physical Layer Identification Approach for WiFi Devices. IEEE Access 7 (Aug 2019), 106974–106986.
[22] Hongbo Liu, Yang Wang, Jie Yang, and Yingying Chen. 2013. Fast and Practical Secret Key Extraction by Exploiting Channel Response. In IEEE INFOCOM. 3048–3056.
[23] P. Liu, P. Yang, W. Song, Y. Yan, and X. Li. 2019. Real-time Identification of Rogue WiFi Connections Using Environment-Independent Physical Features. In IEEE INFOCOM. 190–198.
[24] R. Miller and C. B. Chang. 1978. A modified Cramér-Rao bound and its applications (Corresp.). IEEE Transactions on Information Theory 24, 3 (May 1978), 398–400.
[25] Sangho Oh, Tam Vu, Marco Gruteser, and Suman Banerjee. 2012. Phantom: Physical Layer Cooperation for Location Privacy Protection. In IEEE INFOCOM. 3061–3065.
[26] Yue Qiao, Ouyang Zhang, Wenjie Zhou, Kannan Srinivasan, and Anish Arora. 2016. PhyCloak: Obfuscating Sensing from Communication Signals. In USENIX NSDI. 685–699.
[27] Hanif Rahbari and Marwan Krunz. 2014. Friendly CryptoJam: A Mechanism for Securing Physical-layer Attributes. In Proceedings of the 2014 ACM conference on Security and privacy in wireless & mobile networks. 129–140.
[28] Hanif Rahbari and Marwan Krunz. 2015. Secrecy Beyond Encryption: Obfuscating Transmission Signatures in Wireless Communications. IEEE Communications Magazine 53, 12 (2015), 54–60.
[29] Hanif Rahbari and Marwan Krunz. 2015. Secrecy beyond encryption: obfuscating transmission signatures in wireless communications. IEEE Communications Magazine 53, 12 (2015), 54–60.
[30] Kasper Bonne Rasmussen and Srdjan Capkun. 2007. Implications of Radio Fingerprinting on the Security of Sensor Networks. In EAI SecureComm. 331–340.
[31] Pieter Robyns, Bram Bonné, Peter Quax, and Wim Lamotte. 2017. Noncooperative 802.11 MAC Layer Fingerprinting and Tracking of Mobile Devices. Security and Communication Networks (2017).
[32] T M Schmidl and D C Cox. 1997. Robust frequency and timing synchronization for OFDM. IEEE Transactions on Communications 45, 12 (1997), 1613–1621.
[33] Matthias Schulz, Jakob Link, Francesco Gringoli, and Matthias Hollick. 2018. Shadow Wi-Fi: Teaching Smartphones to Transmit Raw Signals and to Extract Channel State Information to Implement Practical Covert Channels over Wi-Fi. (Jun 2018), 256–268.
[34] Matthias Schulz, Daniel Wegemer, and Matthias Hollick. 2017. Nexmon: The C-based Firmware Patching Framework. https://nexmon.org
[35] IEEE Computer Society. 2016. 802.11-2016: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. Technical Report. IEEE.
[36] Mathy Vanhoef, Célestin Matte, Mathieu Cunche, Leonardo S Cardoso, and Frank Piessens. 2016. Why MAC Address randomization Is Not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. 413–424.
[37] Mathy Vanhoef and Frank Piessens. 2017. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In CCS ACM SIGSAC. 1313–1328.
[38] Yaxiong Xie, Zhenjiang Li, and Mo Li. 2018. Precise Power Delay Profiling with Commodity Wi-Fi. IEEE Transactions on Mobile Computing 18, 6 (Sep 2018), 1342–1355.
[39] Qiang Xu, Rong Zheng, Walid Saad, and Zhu Han. 2015. Device Fingerprinting in Wireless Networks: Challenges and Opportunities. IEEE Communications Surveys & Tutorials 18, 1 (2015), 94–104.
[40] Yao Yao, Yan Li, Xin Liu, Zicheng Chi, Wei Wang, Tiantian Xie, and Ting Zhu. 2018. Aegis: An Interference-negligible RF Sensing Shield. In IEEE INFOCOM. 1718–1726.
[41] Yiwei Zhuo, Hongzi Zhu, Hua Xue, and Shan Chang. 2017. Perceiving Accurate CSI Phases with Commodity WiFi Devices. In IEEE INFOCOM. 1–9.
A KRONECKER PRODUCT PROPERTIES
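Property 1 (Transpose of a Kronecker product): Let $\mathbf{A} \in \mathbb{C}^{m \times n}$, $\mathbf{B} \in \mathbb{C}^{r \times s}$, then $(\mathbf{A} \otimes \mathbf{B})^T = \mathbf{A}^T \otimes \mathbf{B}^T$.

Property 2 (Product of two Kronecker products): Let $\mathbf{A} \in \mathbb{C}^{m \times n}$, $\mathbf{B} \in \mathbb{C}^{r \times s}$, $\mathbf{C} \in \mathbb{C}^{n \times p}$, and $\mathbf{D} \in \mathbb{C}^{s \times t}$, then $\mathbf{A}\mathbf{B} \otimes \mathbf{C}\mathbf{D} = (\mathbf{A} \otimes \mathbf{C})(\mathbf{B} \otimes \mathbf{D})$.

Property 3 (Trace of a Kronecker product of matrices): Let $\mathbf{A} \in \mathbb{C}^{m \times m}$, $\mathbf{B} \in \mathbb{C}^{n \times n}$, then $\mathrm{Tr}(\mathbf{A} \otimes \mathbf{B}) = \mathrm{Tr}(\mathbf{A}\mathbf{B})$.

Property 4 (Cyclic permutation of the trace): Let $\mathbf{A} \in \mathbb{C}^{m \times n}$, $\mathbf{B} \in \mathbb{C}^{n \times m}$, then $\mathrm{Tr}(\mathbf{A}\mathbf{B}) = \mathrm{Tr}(\mathbf{B}\mathbf{A})$.

Property 5 (Trace of a Kronecker product of vectors): Let $\mathbf{a} \in \mathbb{C}^{m \times 1}$, $\mathbf{b} \in \mathbb{C}^{m \times 1}$, then $\mathrm{Tr}(\mathbf{a} \otimes \mathbf{b}^T) = \mathrm{Tr}(\mathbf{a}\mathbf{b}^T)$.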
B CRAMER-RAO BOUND OF RF-SCOPE
We analyze the performance of RF-Scope and compare it to the Cramer-Rao bound (CRB). We show that RF-Scope is a near-optimal estimator of the CSI, as defined in (B22). For notation simplicity and without loss of generality, in the sequel, we drop the subcarrier index $k$ and consider the analysis for a single subcarrier for which $N$ measurements are available.

Let $m_n$ be a measurement (or observation) in a given subcarrier defined as

$$
m_n = h e^{jZ_n} + w_n, \tag{B1}
$$

where $Z_n$ is a random phase rotation and $h$ is the complex-valued channel. Recalling Section 6, $Z_n$ is introduced by our proposed approach RF-Veil to prevent attackers from acquiring the channel accurately. Thus, let $p(m_n | Z_n; h)$ denote the joint likelihood function of $Z_n$ and $h$, given the observation $m_n$

$$
p(m_n | Z_n; h) = \frac{1}{\sqrt{\pi\sigma^2}} e^{-\frac{1}{\sigma^2} \left| m_n - h e^{jZ_n} \right|^2}. \tag{B2}
$$

For $N$ uncorrelated measurements, we have the likelihood function

$$
p(m_1, \cdots, m_N | Z_1, \cdots, Z_N; h) = \prod_{n=1}^{N} \frac{1}{\sqrt{\pi\sigma^2}} e^{-\frac{1}{\sigma^2} \left| m_n - h e^{jZ_n} \right|^2}, \tag{B3}
$$

which can be equivalently recast as

$$
p(\mathbf{m} | \mathbf{Z}; h) = \frac{1}{(\pi\sigma^2)^{N/2}} e^{-\frac{1}{\sigma^2} \left\| \mathbf{m} - h e^{j\mathbf{Z}} \right\|_2^2}, \tag{B4}
$$
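where $\mathbf{m} = [m_1, \cdots, m_N]^T$ and $\mathbf{Z} = [Z_1, \cdots, Z_N]^T$. To compute the CRB of $h$, we require the likelihood function $p(\mathbf{m}; h)$. Note that this function can be obtained through averaging $p(\mathbf{m} | \mathbf{Z}; h)$ over the random nuisance variables $\mathbf{Z}$. Thus, the likelihood function $p(\mathbf{m}; h)$ is computed as

$$
\begin{aligned}
p(\mathbf{m}; h) &= E_{\mathbf{Z}}\left[ \frac{1}{(\pi\sigma^2)^{N/2}} e^{-\frac{1}{\sigma^2} \left\| \mathbf{m} - h e^{j\mathbf{Z}} \right\|_2^2} \right], \\
&= \int_{D_{\mathbf{Z}}} \frac{1}{(\pi\sigma^2)^{N/2}} e^{-\frac{1}{\sigma^2} \left\| \mathbf{m} - h e^{j\mathbf{Z}} \right\|_2^2} \, p_{\mathbf{Z}}(\mathbf{z}) \, d\mathbf{z},
\end{aligned} \tag{B5}
$$

where $\mathbf{z} = [z_1, \cdots, z_N]^T$ denote the integration variables, and $D_{\mathbf{Z}}$ is the domain of the random variables $\mathbf{Z}$. In addition, $E_{\mathbf{Z}}$ denotes statistical expectation with respect to $\mathbf{Z}$, which has a priori probability density function $p_{\mathbf{Z}}(\mathbf{z})$. Assuming that the random phases are independent, then $p_{\mathbf{Z}}(\mathbf{z}) = \prod_{n=1}^{N} p_{Z_n}(z_n)$. Thus, (B5) can be expressed as

$$
p(\mathbf{m}; h) = \int_{D_{Z_1}} \cdots \int_{D_{Z_N}} \frac{1}{(\pi\sigma^2)^{N/2}} e^{-\frac{1}{\sigma^2} \sum_{n=1}^{N} \left| m_n - h e^{jZ_n} \right|^2} \, p_{Z_1}(z_1) \cdots p_{Z_N}(z_N) \, dz_1 \cdots dz_N. \tag{B6}
$$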
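The CRB of any unbiased estimator $\hat{h}$ of the channel $h$ is given by

$$
\mathrm{CRB}_h = \left( E_{\mathbf{m}}\left[ \frac{\partial}{\partial h} \ln p(\mathbf{m}; h) \, \frac{\partial}{\partial h^*} \ln p(\mathbf{m}; h) \right] \right)^{-1}, \tag{B7}
$$

where $E_{\mathbf{m}}$ denotes statistical expectation with respect to $\mathbf{m}$ [20]. Nonetheless, the computation of this expression is analytically intractable due to the embedded integration with respect to the random variables $Z_1, \cdots, Z_N$. As a result, a simpler (but looser) bound called the modified CRB (MCRB) has been derived in [10, 24]. Specifically, the MCRB is a lower bound of the CRB, i.e., $\mathrm{MCRB}_h \leq \mathrm{CRB}_h$, and is defined as

$$
\mathrm{MCRB}_h = \left( E_{\mathbf{Z}}\left[ E_{\mathbf{m}|\mathbf{Z}}\left[ \frac{\partial}{\partial h} \ln p(\mathbf{m} | \mathbf{Z}; h) \, \frac{\partial}{\partial h^*} \ln p(\mathbf{m} | \mathbf{Z}; h) \right] \right] \right)^{-1}. \tag{B8}
$$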
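From (B6), we compute the derivatives with respect to $h$ and $h^*$,

$$
\frac{\partial}{\partial h} \ln p(\mathbf{m} | \mathbf{z}; h) = \frac{1}{\sigma^2} \sum_{n=1}^{N} \left( e^{jZ_n} m_n^* - h^* \right) = \frac{1}{\sigma^2} \sum_{n=1}^{N} w_n^* e^{jZ_n}, \tag{B9}
$$

$$
\frac{\partial}{\partial h^*} \ln p(\mathbf{m} | \mathbf{z}; h) = \frac{1}{\sigma^2} \sum_{n=1}^{N} \left( e^{-jZ_n} m_n - h \right) = \frac{1}{\sigma^2} \sum_{n=1}^{N} w_n e^{-jZ_n}. \tag{B10}
$$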
Upon replacing (B9) and (B10) in (B8), we obtain that
MCRB
h=EZEm|Z1
σ2
N
n=1
w∗
nejZ n1
σ2
N
l=1
wle−jZ l−1
,
=EZEw|Z1
σ2
N
n=1
w∗
nejZ n1
σ2
N
l=1
wle−jZ l−1
,
=EZEw|Z1
σ4
N
n=1
N
l=1
w∗
nwlejZ ne−jZ l−1
,
=EZEw|Z1
σ4
N
n=1|wn|2+1
σ4
N
n=1
N
l,n
w∗
nwlejZ ne−jZ l−1
,
=EZEw|Z1
σ4
N
n=1|wn|2+Ew|Z1
σ4
N
n=1
N
l,n
w∗
nwlejZ ne−jZ l−1
,
=EZ1
σ4
N
n=1
Ewn|Z|wn|2+1
σ4
N
n=1
N
l,n
Ewn|Zw∗
nEwl|Z[wl]ejZne−j Zl−1
,
=EZNσ2
σ4−1
.
(B11)
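In the second step of (B11), $E_{\mathbf{m}|\mathbf{Z}}$ has been changed to $E_{\mathbf{w}|\mathbf{Z}}$ due to the direct dependence of $\mathbf{m}$ on $\mathbf{w}$ (when $\mathbf{Z}$ is fixed). Note that $E_{w_n|\mathbf{Z}}[w_n] = 0$ and $E_{w_n|\mathbf{Z}}[|w_n|^2] = \sigma^2$ since $\mathbf{w} \sim \mathcal{CN}(\mathbf{0}, \sigma^2 \mathbf{I})$. Thus, $\sum_{n=1}^{N} E_{w_n|\mathbf{Z}}[|w_n|^2] = N\sigma^2$ and $\sum_{n=1}^{N} \sum_{l \neq n}^{N} E_{w_n|\mathbf{Z}}[w_n^*] \, E_{w_l|\mathbf{Z}}[w_l] \, e^{jZ_n} e^{-jZ_l} = 0$, yielding

$$
\mathrm{MCRB}_h = \frac{\sigma^2}{N}. \tag{B12}
$$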
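From (B12), we realize that the performance of an optimal estimator $\hat{h}$ improves with $N$. Essentially, as more measurements become available, the estimation error decreases. From Section 5.1, the channel estimated by RF-Scope for a single subcarrier was found to be $u = \frac{1}{N} \sum_{n=1}^{N} m_n$. To evaluate the performance of RF-Scope we compute its mean square error (MSE). To this purpose, we assume that the random phase rotations are distributed according to a Gaussian probability density function defined as $p_{Z_n}(z_n) = \frac{1}{\sqrt{2\pi\xi^2}} e^{-\frac{(z_n - \mu)^2}{2\xi^2}}$ with mean $\mu$ and variance $\xi^2$. Note that $\xi^2$ and $\mu$ are the same for all the measurements because these are collected for a single subcarrier. Thus,

$$
\begin{aligned}
\mathrm{MSE}(u) &= E\left[ (u - h)^* (u - h) \right], \\
&= E\left[ \frac{1}{N^2} \sum_{n=1}^{N} \sum_{i=1}^{N} m_n^* m_i - \frac{h^*}{N} \sum_{n=1}^{N} m_n - \frac{h}{N} \sum_{i=1}^{N} m_i^* + |h|^2 \right], \\
&= \underbrace{E\left[ \frac{1}{N^2} \sum_{n=1}^{N} \sum_{i=1}^{N} m_n^* m_i \right]}_{S_1} - \underbrace{E\left[ \frac{h^*}{N} \sum_{n=1}^{N} m_n \right]}_{S_2} - \underbrace{E\left[ \frac{h}{N} \sum_{i=1}^{N} m_i^* \right]}_{S_2^*} + E\left[ |h|^2 \right].
\end{aligned} \tag{B13}
$$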
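Now, by using (B1), we expand $S_1$

$$
\begin{aligned}
S_1 &= E\left[ \frac{1}{N^2} \sum_{n=1}^{N} \sum_{i=1}^{N} m_n^* m_i \right], \\
&= \frac{|h|^2}{N^2} E\left[ \sum_{n=1}^{N} \sum_{i=1}^{N} e^{-j(Z_n - Z_i)} \right] + \frac{h}{N^2} E\left[ \sum_{n=1}^{N} \sum_{i=1}^{N} w_n^* e^{jZ_i} \right] + \frac{h^*}{N^2} E\left[ \sum_{n=1}^{N} \sum_{i=1}^{N} w_i e^{-jZ_n} \right] + \frac{1}{N^2} E\left[ \sum_{n=1}^{N} \sum_{i=1}^{N} w_n^* w_i \right], \\
&= \frac{|h|^2}{N^2} E\left[ \sum_{n=1}^{N} \sum_{i=1}^{N} e^{-j(Z_n - Z_i)} \right] + \frac{h}{N^2} \underbrace{\sum_{n=1}^{N} \sum_{i=1}^{N} E\left[ w_n^* \right] E\left[ e^{jZ_i} \right]}_{0} + \frac{h^*}{N^2} \underbrace{\sum_{n=1}^{N} \sum_{i=1}^{N} E\left[ w_i \right] E\left[ e^{-jZ_n} \right]}_{0} + \frac{1}{N^2} \underbrace{E\left[ \sum_{n=1}^{N} \sum_{i=1}^{N} w_n^* w_i \right]}_{N\sigma^2}, \\
&= \frac{|h|^2}{N^2} E\left[ \sum_{n=1}^{N} \sum_{i=1}^{N} e^{-j(Z_n - Z_i)} \right] + \frac{\sigma^2}{N}.
\end{aligned} \tag{B14}
$$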
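The sum of complex exponentials in (B14) can be equivalently expressed as,

$$
\begin{aligned}
\sum_{n=1}^{N} \sum_{i=1}^{N} e^{-j(Z_n - Z_i)} &= N + \sum_{n=1}^{N} \sum_{i \neq n}^{N} e^{-j(Z_n - Z_i)} \\
&= N + 2 \sum_{i=1}^{N-1} \sum_{n=i+1}^{N} \cos(Z_i - Z_n) \\
&= N + 2 \sum_{l=1}^{\frac{N(N-1)}{2}} \cos(X_l) \\
&= N + N(N-1) \cos(X).
\end{aligned} \tag{B15}
$$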
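In (B15), $X = Z_i - Z_n$, $\forall i \neq n$ denotes the difference of two Gaussian random variables. The resulting random variable $X$ is also Gaussian, which can be obtained by means of the convolution theorem. Specifically, $X$ has mean zero and twice the variance of $Z_i$, i.e., the probability density function of $X$ is given by $p_X(x) = \frac{1}{\sqrt{4\pi\xi^2}} e^{-\frac{x^2}{4\xi^2}}$. Replacing (B15) in (B14), $S_1$ can be recast as

$$
\begin{aligned}
S_1 &= \frac{|h|^2}{N^2} E\left[ \sum_{n=1}^{N} \sum_{i=1}^{N} e^{-j(Z_n - Z_i)} \right] + \frac{\sigma^2}{N}, \\
&= \frac{|h|^2}{N^2} \left( N + N(N-1) E[\cos(X)] \right) + \frac{\sigma^2}{N}, \\
&= \frac{|h|^2}{N} + \frac{|h|^2 (N-1)}{N} E[\cos(X)] + \frac{\sigma^2}{N}, \\
&= \frac{|h|^2}{N} + \frac{|h|^2 (N-1)}{N} \int_{-\infty}^{\infty} \cos(x) \frac{1}{\sqrt{4\pi\xi^2}} e^{-\frac{x^2}{4\xi^2}} \, dx + \frac{\sigma^2}{N}, \\
&= \frac{|h|^2}{N} + \frac{|h|^2 (N-1)}{N} e^{-\xi^2} + \frac{\sigma^2}{N},
\end{aligned} \tag{B16}
$$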
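where $e^{-\xi^2} = \int_{-\infty}^{\infty} \cos(x) \frac{1}{\sqrt{4\pi\xi^2}} e^{-\frac{x^2}{4\xi^2}} \, dx$. Besides, the term $S_2$ collapses to

$$
\begin{aligned}
S_2 &= E\left[ \frac{h^*}{N} \sum_{n=1}^{N} m_n \right] \\
&= \frac{|h|^2}{N} \cdot E\left[ \sum_{n=1}^{N} e^{jZ_n} \right] + \frac{h^*}{N} E\left[ \sum_{n=1}^{N} w_n \right] \\
&= |h|^2 E\left[ e^{jZ_n} \right] + \frac{h^*}{N} \underbrace{E\left[ \sum_{n=1}^{N} w_n \right]}_{0} \\
&= |h|^2 \int_{-\infty}^{\infty} e^{jZ_n} \frac{1}{\sqrt{2\pi\xi^2}} e^{-\frac{(Z_n - \mu)^2}{2\xi^2}} \, dZ_n \\
&= |h|^2 e^{-\xi^2/2} e^{j\mu}.
\end{aligned} \tag{B17}
$$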
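Collecting the results in (B16) and (B17), the MSE collapses to

$$
\begin{aligned}
\mathrm{MSE}(u) &= \frac{|h|^2}{N} + |h|^2 e^{-\xi^2} - \frac{|h|^2 e^{-\xi^2}}{N} + \frac{\sigma^2}{N} - |h|^2 e^{-\xi^2/2} e^{j\mu} - |h|^2 e^{-\xi^2/2} e^{-j\mu} + |h|^2, \\
&= |h|^2 + |h|^2 e^{-\xi^2} - 2|h|^2 \cos(\mu) e^{-\xi^2/2} + \frac{|h|^2}{N} - \frac{|h|^2 e^{-\xi^2}}{N} + \frac{\sigma^2}{N}.
\end{aligned} \tag{B18}
$$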
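By definition, the MSE of any estimator consists of the bias and the variance as shown in

$$
\mathrm{MSE}(u) = \mathrm{bias}(u)^2 + \mathrm{var}(u). \tag{B19}
$$

The bias of the estimator is computed as

$$
\begin{aligned}
\mathrm{bias}(u) &= E[u - h], \\
&= E[u] - h, \\
&= h E\left[ e^{jZ} \right] - h, \\
&= h \int_{-\infty}^{\infty} e^{jZ} \frac{1}{\sqrt{2\pi\xi^2}} e^{-\frac{(z - \mu)^2}{2\xi^2}} \, dz - h, \\
&= h e^{-\xi^2/2} e^{j\mu} - h.
\end{aligned} \tag{B20}
$$

Thus, the squared bias is

$$
\begin{aligned}
\mathrm{bias}(u)^2 &= \left( h e^{-\xi^2/2} e^{j\mu} - h \right)^* \left( h e^{-\xi^2/2} e^{j\mu} - h \right), \\
&= |h|^2 + |h|^2 e^{-\xi^2} - 2|h|^2 \cos(\mu) e^{-\xi^2/2}.
\end{aligned} \tag{B21}
$$

By comparing (B18), (B19) and (B21), we can extract the variance of the estimator. Therefore,

$$
\mathrm{var}(u) = \frac{|h|^2}{N} - \frac{|h|^2}{N} e^{-\xi^2} + \frac{\sigma^2}{N}. \tag{B22}
$$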
Upon comparing (B12) and (B22), we note that a large variance $\xi^2$ ($\xi^2$ in radians) of the random variables $Z_n$ leads to a high estimation error according to (B22). In such a case, $\mathrm{var}(u) \approx \frac{|h|^2}{N} + \frac{\sigma^2}{N}$. However, for small values of $\xi^2$, the variance collapses to $\mathrm{var}(u) \approx \frac{\sigma^2}{N}$, thus showing the equivalence between (B12) and (B22). While this observation demonstrates that the estimation error of RF-Scope is near-optimal in the variance sense, we also need to consider the bias in (B21), which is nonzero. Ideally, the estimator needs to be unbiased, i.e., $\mathrm{bias}(u)^2 = 0$. As explained in Section 6.2, a legitimate user is aware of the synchronization index and key, and can therefore generate the same sequence of random numbers that yield $\mu$ (i.e., shifts of the probability density functions). As a result, a legitimate user can remove the additional shift, thus making $\mu = 0$. In contrast, for an attacker, $\mu \neq 0$. The bias for legitimate users and attackers are respectively defined as

$$
\mathrm{bias}_l(u)^2 = |h|^2 + |h|^2 e^{-\xi^2} - 2|h|^2 e^{-\xi^2/2}, \tag{B23}
$$

$$
\mathrm{bias}_a(u)^2 = |h|^2 + |h|^2 e^{-\xi^2} - 2|h|^2 \cos(\mu) e^{-\xi^2/2}, \quad \mu \neq 0, \tag{B24}
$$

showing that $\mathrm{bias}_l(u)^2 \leq \mathrm{bias}_a(u)^2$.

[Figure: normalized bias $\mathrm{bias}(u)^2 / |h|^2$ (logarithmic axis) versus $\xi^2$ [deg$^2$], with one curve for the legitimate user and one curve per attacker shift $\mu$ = 1°, 2°, 5°, 10°, 20°, 45°, 90°, 180°.]
Fig. 19. Comparison of normalized biases between legitimate users and attackers considering various configurations of $\mu$ and $\xi^2$. In the case of attackers, the bias increases since the additional shift $\mu$ cannot be removed. Specifically, this occurs due to the impossibility to attackers of generating the sequence of random numbers that renders $\mu$, which can only be obtained by legitimate users.
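A numerical check of (B21) and (B22), added here as an example and not part of the paper: it simulates the measurement model (B1) with Gaussian phase rotations and compares the empirical squared bias and variance of $u$ with the closed forms, for a legitimate user ($\mu = 0$) and an attacker ($\mu \neq 0$). The function names, the sample values of $h$, $N$, $\sigma^2$ and $\xi^2$ (in radians squared), and the fixed seed are assumptions of this example.

```python
import cmath
import math
import random


def closed_form(h, N, sigma2, xi2, mu):
    """Return (bias^2, variance, MCRB) from (B21), (B22) and (B12)."""
    a = abs(h) ** 2
    bias2 = a + a * math.exp(-xi2) - 2 * a * math.cos(mu) * math.exp(-xi2 / 2)
    var = a / N - a / N * math.exp(-xi2) + sigma2 / N
    return bias2, var, sigma2 / N


def simulate(h, N, sigma2, xi2, mu, trials, seed):
    """Monte Carlo estimate of bias^2 and variance of u = (1/N) * sum(m_n)."""
    rng = random.Random(seed)
    xi = math.sqrt(xi2)
    s = math.sqrt(sigma2 / 2)  # per-component std so that E|w_n|^2 = sigma2
    estimates = []
    for _ in range(trials):
        acc = 0j
        for _ in range(N):
            z = rng.gauss(mu, xi)                          # phase rotation Z_n
            w = complex(rng.gauss(0, s), rng.gauss(0, s))  # noise w_n
            acc += h * cmath.exp(1j * z) + w               # measurement (B1)
        estimates.append(acc / N)
    mean_u = sum(estimates) / trials
    bias2 = abs(mean_u - h) ** 2
    var = sum(abs(u - mean_u) ** 2 for u in estimates) / (trials - 1)
    return bias2, var


def compare(mu_deg, xi2=0.25, N=20, sigma2=0.1, h=0.8 + 0.6j,
            trials=4000, seed=1):
    """Closed-form and simulated (bias^2, variance) for one shift mu."""
    mu = math.radians(mu_deg)
    theory = closed_form(h, N, sigma2, xi2, mu)
    measured = simulate(h, N, sigma2, xi2, mu, trials, seed)
    return theory, measured


if __name__ == "__main__":
    # mu = 0 models the legitimate user, who removes the shift; the other
    # values model an attacker who cannot.
    for mu_deg in (0, 5, 45, 90):
        (b2, var, mcrb), (sb2, svar) = compare(mu_deg)
        print(f"mu={mu_deg:3d} deg  bias^2 theory={b2:.4f} sim={sb2:.4f}  "
              f"var theory={var:.5f} sim={svar:.5f}  MCRB={mcrb:.5f}")
```

The variance column is the same for every $\mu$ and stays above the MCRB, while the squared bias grows with the shift the attacker cannot remove.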
To illustrate the difference between (B23) and (B24), we show in Fig. 19 the biases for several configurations of $\mu$ and $\xi^2$. We observe that only for small $\mu = \{1^\circ, 5^\circ\}$ the biases of the attacker and the legitimate users are similar. However, for sufficiently large $\mu$ the difference between the two biases becomes noticeable. In our approach, RF-Veil, $\mu$ is not fixed but is instead randomly generated for every subcarrier using the randomization index and the key. Therefore, for potential attackers (not aware of this information) the bias for each subcarrier varies within the range of values shown in Fig. 19, hindering accurate CSI acquisition. Further, for small $\xi^2$ we observe that $\mathrm{bias}_l(u)^2 \approx 0$, thus indicating that RF-Scope can be seen as an unbiased estimator in the case of legitimate users when the variance of the phase rotations is low. To clarify this aspect, in Fig. 20a