
Attacks on Public WLAN-based Positioning Systems

Attacks on Public WLAN-based Positioning Systems. Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan Čapkun. Department of Computer Science, ETH Zurich.



Presentation Transcript


  1. Attacks on Public WLAN-based Positioning Systems. Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan Čapkun. Department of Computer Science, ETH Zurich. In Proceedings of the ACM/Usenix International Conference on Mobile Systems, Applications and Services (MobiSys), 2009

  2. Outline • Introduction • Background • Location Spoofing • Location Database Manipulation • Conclusion

  3. Introduction • Public WLAN-based Positioning Systems • Allow localization using omnipresent wireless access points • Enable devices without GPS to establish their position • Allow localization with a precision of ≤ 10 m, even indoors or underground

  4. Introduction • Skyhook’s WPS in the iPod and iPhone • In iPhone and iPod touch since late 2007 • Skyhook also offers additional services such as localization of stolen devices • iPhone OS 3.0 allows tracking of iPhone via PC

  5. Example attack case • Security box holding valuables, transported by courier • Reporting WLAN-based position periodically to a controller • Attacker wants to move box to a safe location to open it • Goal: Make the box believe it never left intended path

  6. How does it actually work • The localized node (LN) sends out probe request frames on all channels • Access points announce their presence • Observed MAC addresses are sent to the location lookup table (LLT) • The LLT replies with location information. The traffic between LN and LLT is encrypted.

  7. AP impersonation attack 2a. Attacker jams legitimate AP announcements 2b. Attacker inserts own impersonated AP announcements 3. LLT is now queried for location of remote APs

  8. Attack details. Jamming the legitimate APs: • Sent noise on 3 channels using two GNURadios • Many alternative options: physical layer, protocol layer • Fourth channel was used to send data of 4 impersonated APs

  9. Attack details. Impersonating APs: • MAC addresses of real APs at remote location • Obtained through WiGLE, a public wardriving database • Impersonation by single laptop constantly changing its MAC address

  10. Results • Jamming worked very reliably and was easy to achieve • When using only the public WLAN localization, the devices localized themselves at the remote location in New York City • For the iPhone, additional GSM cell localization prevented a change of location outside the local city radius

  11. Countermeasures. Several proposals to mitigate the presented impersonation attack: • AP authentication • Aggregation of multiple localization methods • LN-based integrity checks • AP fingerprinting

  12. LN-based integrity checks. Basic variant: • Compare new position with last known position • Assume maximum speed to detect large displacements. Continuous version: • Periodically record MAC addresses from present location • Integrity check over last n locations • Warn user or abort localization

  13. Fingerprint-based countermeasures. Use more data to identify APs, such as: • Configuration • Implementation of protocols [Bratus, WiSec’08] • Physical characteristics of signals [Brik, MobiCom’08]. Collect these in the LLT as well, and verify reported APs.

  14. Database manipulation attacks. Attacks on the LLT are possible as well, and will affect all users of the service.

  15. Database manipulation attacks. Data enters the LLT in the following way: • Collected or bought by the owner • Positioning requests by the LNs • Manual update by users. By arbitrarily choosing the reported MAC addresses, the attacker can perform the following attacks: • Inject own AP entries into the database • Perform reverse location lookup (track people moving to a different city!) • Change the stored location for existing entries

  16. Database manipulation attacks • The AP’s location in the LLT is A • The attacker reports the AP among other APs at location B • As a result, the AP’s location is changed to location B in the LLT

  17. Database manipulation countermeasures • Data update rules: allow several possible locations with different confidence values • The location with the highest confidence value is active • Confidence depends on majority votes or consistency of location reports with current data • Temporal update rules: update the LLT quicker for changes with high confidence, and slower for changes with low confidence • Tradeoff between database freshness and resistance against attacks. The provider can choose to rely only on self-collected data, but this will lead to outdated entries.

  18. Conclusion. Summary: • Studied the security of public WLAN-based positioning systems • Presented LN- and LLT-based attacks and discussed countermeasures • Demonstrated that the current systems should not be used in security-relevant contexts. Future work: • Similar attacks are possible on GSM and even GPS • Combine these attacks to defeat devices using all these mechanisms • Exploration of signal fingerprints of APs

  19. Map and Track Friends http://plash.iis.sinica.edu.tw/plash/*.action
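The LN-based integrity checks of slide 12, sketched as an added example (not code from the presentation or the authors): the basic maximum-speed bound and the continuous check that a new scan shares APs with the last n accepted scans. The thresholds, the value of n, the class name and all coordinates and MAC addresses are assumptions constructed for illustration.

```python
import math
from collections import deque

MAX_SPEED_MPS = 70.0      # assumption: fastest plausible movement (~250 km/h)
MIN_SEEN_FRACTION = 0.25  # assumption: share of scanned APs seen in recent scans
HISTORY = 5               # "last n locations" on the slide; n = 5 is an assumption

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

class IntegrityChecker:
    def __init__(self):
        self.last_fix = None                 # (timestamp_s, (lat, lon)) of last accepted fix
        self.recent = deque(maxlen=HISTORY)  # MAC sets of the last accepted scans

    def check(self, ts, position, macs):
        """Return the reasons to distrust this fix; an empty list means accepted."""
        macs = {m.lower() for m in macs}
        reasons = []
        if self.last_fix is not None:        # basic variant: maximum-speed bound
            t0, p0 = self.last_fix
            speed = haversine_m(p0, position) / max(ts - t0, 1.0)
            if speed > MAX_SPEED_MPS:
                reasons.append(f"implied speed {speed:.0f} m/s")
        if self.recent and macs:             # continuous variant: AP-set continuity
            seen = set().union(*self.recent)
            if len(macs & seen) / len(macs) < MIN_SEEN_FRACTION:
                reasons.append("scanned APs unrelated to recent scans")
        if not reasons:                      # only trusted fixes update the history
            self.last_fix = (ts, position)
            self.recent.append(macs)
        return reasons

def run_demo():
    # Constructed sample data; MACs use the locally administered 02: prefix.
    here, nearby, remote = (47.3769, 8.5417), (47.3772, 8.5417), (40.7128, -74.0060)
    c = IntegrityChecker()
    return [
        c.check(0, here, ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]),
        c.check(30, nearby, ["02:00:00:00:00:02", "02:00:00:00:00:03", "02:00:00:00:00:04"]),
        c.check(60, remote, ["02:00:00:00:99:01", "02:00:00:00:99:02", "02:00:00:00:99:03"]),
        c.check(90, nearby, ["02:00:00:00:00:03", "02:00:00:00:00:04"]),
    ]

if __name__ == "__main__":
    for r in run_demo():
        print("accepted" if not r else "rejected: " + "; ".join(r))
```

A rejected fix is not written to the history, so a spoofed scan cannot become the baseline that later scans are compared against.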
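The data and temporal update rules of slide 17, applied to the relocation scenario of slide 16, as an added example (not the authors' or any provider's implementation). The scoring formula, the constants, the class and function names and the cell labels "A" and "B" are assumptions made for illustration.

```python
from collections import Counter

BASE_WAIT_S = 7 * 86400  # assumption: observation time required for a lead of 1.0
SEED_CONFIDENCE = 5.0    # assumption: weight of provider-collected entries

class LocationTable:
    def __init__(self, seed):
        self.active = dict(seed)   # mac -> currently active cell
        self.conf = {m: {c: SEED_CONFIDENCE} for m, c in seed.items()}
        self.first_seen = {}       # (mac, cell) -> time of first report

    def report(self, ts, macs):
        """Process one LN scan; return the cell the LN is placed in, or None."""
        votes = Counter(self.active[m] for m in macs if m in self.active)
        if not votes:
            return None
        cell, agree = votes.most_common(1)[0]
        consistency = agree / len(macs)  # share of the scan already known at `cell`
        for m in macs:
            cands = self.conf.setdefault(m, {})
            cands[cell] = cands.get(cell, 0.0) + consistency
            self.first_seen.setdefault((m, cell), ts)
            self._maybe_activate(ts, m, cell)
        return cell

    def _maybe_activate(self, ts, mac, cell):
        current = self.active.get(mac)
        if current == cell:
            return
        lead = self.conf[mac][cell] - self.conf[mac].get(current, 0.0)
        # Temporal rule: the larger the lead, the shorter the required observation time.
        if lead > 0 and ts - self.first_seen[(mac, cell)] >= BASE_WAIT_S / lead:
            self.active[mac] = cell

def simulate(report_times):
    """Constructed scenario: AP 'a1' is stored at A and reported among B's APs."""
    seed = {"a1": "A", "a2": "A", "a3": "A", "b1": "B", "b2": "B", "b3": "B"}
    table = LocationTable(seed)
    for ts in report_times:
        table.report(ts, ["a1", "b1", "b2", "b3"])
    return table.active["a1"]

if __name__ == "__main__":
    print(simulate(range(0, 3600, 180)))           # 20 reports within one hour
    print(simulate([d * 86400 for d in range(8)])) # one report per day, days 0 to 7
```

The burst leaves the entry at A while the week of consistent daily reports moves it to B. The rules bound how fast a change takes effect but do not tell who is reporting, which is the freshness-versus-resistance tradeoff named on the slide.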
