On Physical-Layer Identification of Wireless Devices BORIS DANEV, DAVIDE ZANETTI, and SRDJAN CAPKUN, 2012 Presented by: Vinit Patel, Wichita State University
Outline of the Paper • Introduction to physical-layer device identification • Physical-layer device identification system and its components • Physical-layer identification techniques and approaches • Attacks on physical-layer identification • Implications and examples • Conclusion
Introduction • Physical-layer identification: a technique that allows wireless devices to be identified by unique characteristics of their analog (radio) circuitry (also called fingerprinting). • This is possible because of imperfections introduced in the analog circuitry during the manufacturing process.
Introduction • Different purposes of PLI (physical-layer identification): • Intrusion detection • Access control • Wormhole detection • Cloning detection • Location and anonymity privacy • Also for RFID (as we saw in Tuesday’s class)
Physical-Layer Device Identification system and its components • Involves three entities
Physical-Layer Device Identification system and its components • Two modules of a PLI system: • Enrollment: signals are captured from the device and the device’s fingerprints are stored in a database • Identification: newly obtained fingerprints are matched against the fingerprints stored in the DB during enrollment • Can identify a device • Can identify a device from among many devices • Can verify that a device matches a claimed identity
Device under Identification • Any device that uses radio communication can be subject to PLI • Different classes of devices that can be identified by PLI: VHF (very high frequency) transmitters, HF RFID, UHF (ultra high frequency) RFID, Bluetooth, and IEEE 802.11 and IEEE 802.15.4 transceivers • What makes the device unique? Imperfections in design and manufacturing. [Toonstra and Kinser 1995, 1996]
Identification Signals • Identification signals: the signals that are collected for the purpose of identifying the device • Different signal characteristics are observed here, such as amplitude, frequency, and phase
Acquisition Setup • Responsible for the acquisition and digitization of the identification signals. • Should never influence the signal (e.g. by adding noise) • The signal characteristics the PLI relies on should be preserved unchanged • High-quality equipment may be necessary
Acquisition Setup • Two types of identification: • Passive: acquires the signal without interacting with the device. • Active: acquires the signal after challenging the device to transmit it.
Feature Extraction Module • Responsible for extracting characteristics from the signals that can then be used to distinguish devices or classes of devices • Two types of features are involved: • Predefined features: well-understood characteristics that are known in advance, prior to recording the signals • Inferred features: features that are not known from a predefined feature set. • Can be used for dimensionality reduction • Redundant information is removed from the sample, and what remains, containing only the relevant information, is used as its features
Device Fingerprints • A fingerprint is a set of features that is used to identify a device. • Properties of fingerprints: • Universality: every device should exhibit the considered features • Uniqueness: no two devices should have the same fingerprint • Permanence: fingerprints obtained should not change over time • Collectability: it should be possible to capture the signals with existing equipment • Robustness: the fingerprint should remain evaluable even in the presence of interfering radio signals • Data dependency: fingerprints need to be obtained from features extracted from a specific signal pattern
Fingerprint Matcher and Database • Compares extracted device fingerprints with the fingerprints stored in the DB during the enrollment phase of the device • The matcher is implemented using distance measures or classifiers such as: • Euclidean distance • Mahalanobis distance • Probabilistic neural networks (PNN) (complex) • Support vector machines (SVM) (complex)
System Performance and Design Issues • System performance is expressed in error rates: • FAR (false accept rate) • FRR (false reject rate) • EER (equal error rate) • The point where FAR and FRR are equal • Most commonly used metric
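As an added illustration of the matcher and the error-rate metrics on these two slides (this is not code from the paper or the presentation), the Python below matches constructed fingerprint vectors [I/Q origin offset, frequency offset, EVM] against enrolled templates with a per-feature-scaled Euclidean distance, then sweeps the decision threshold to obtain FAR, FRR and the EER; the device names and all feature values are constructed for the example.

```python
import math

# Constructed fingerprints (not from the paper): [I/Q origin offset dB, frequency offset Hz, EVM %]
ENROLLED = {
    "A": [[-40.1, 120.0, 2.1], [-40.3, 118.0, 2.2], [-39.9, 121.0, 2.0]],
    "B": [[-36.0, -80.0, 3.4], [-36.2, -82.0, 3.5], [-35.8, -79.0, 3.3]],
    "C": [[-38.5, 30.0, 2.8], [-38.7, 32.0, 2.9], [-38.4, 29.0, 2.7]],
}
# Probes seen at identification time: (claimed device, true device, fingerprint)
PROBES = [
    ("A", "A", [-40.0, 119.0, 2.1]), ("B", "B", [-36.1, -81.0, 3.4]),
    ("C", "C", [-38.6, 30.5, 2.8]), ("B", "B", [-37.5, -60.0, 3.0]),  # noisy genuine
    ("A", "B", [-36.0, -80.5, 3.4]), ("B", "C", [-38.5, 31.0, 2.8]),
    ("C", "A", [-40.2, 120.0, 2.1]), ("C", "A", [-39.0, 50.0, 2.6]),  # near-miss impostor
]

def mean_vec(vecs):
    return [sum(col) / len(col) for col in zip(*vecs)]

def feature_scale(enrolled):
    """Per-feature std over all enrolled fingerprints: dividing by it stops the
    Hz-valued feature dominating the distance (diagonal Mahalanobis)."""
    allv = [v for vs in enrolled.values() for v in vs]
    m = mean_vec(allv)
    return [math.sqrt(sum((v[i] - m[i]) ** 2 for v in allv) / len(allv)) for i in range(len(m))]

def distance(probe, template, scale):
    return math.sqrt(sum(((p - t) / s) ** 2 for p, t, s in zip(probe, template, scale)))

def verification_scores(enrolled, probes):
    """Match each probe against the template (mean fingerprint) of its claimed
    identity; return (genuine, impostor) distance lists."""
    templates = {d: mean_vec(vs) for d, vs in enrolled.items()}
    scale = feature_scale(enrolled)
    genuine, impostor = [], []
    for claimed, true, fp in probes:
        (genuine if claimed == true else impostor).append(distance(fp, templates[claimed], scale))
    return genuine, impostor

def far_frr(genuine, impostor, thr):
    far = sum(d <= thr for d in impostor) / len(impostor)  # impostors accepted
    frr = sum(d > thr for d in genuine) / len(genuine)     # genuine rejected
    return far, frr

def equal_error_rate(genuine, impostor):
    """Sweep the threshold over all observed scores; EER is where FAR == FRR."""
    best = None
    for thr in sorted(genuine + impostor):
        far, frr = far_frr(genuine, impostor, thr)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (thr, far, frr)
    return best[0], (best[1] + best[2]) / 2
```

With these constructed probes the noisy genuine sample and the near-miss impostor overlap, so the sweep lands at an EER of 0.25 rather than perfect separation.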
System Performance and Design Issues • Performance of PLI depends on: • Resources available • Cost • The higher the quality and speed, the higher the cost • Acquisition setups • Certain signals may be hard to acquire at different locations
Proposed improvements for PLI systems • System properties that always need improving: accuracy (most significant), computational speed, exception handling, and cost. • Four different strategies can be deployed to achieve this.
Proposed improvements for PLI systems • (1) Acquire signals from multiple acquisition setups • Capturing the signal from different locations at the same time • (2) Acquire signals from multiple transmitters on the same device (MIMO) • More robust fingerprints (two fingerprints instead of one) • (3) Collect several acquisitions of the same signal • To obtain more reliable fingerprints: the samples are averaged into one representative sample, which is used to create the fingerprint • (4) Consider different signal parts • Different signal modalities are combined to improve accuracy and robustness
Physical-Layer Identification techniques and approaches • Identification of radio signals became very important during WWII. • Two main techniques/approaches are discussed in the paper: • the transient-based approach and the modulation-based approach.
Transient Based Approach • Techniques that use the turn-on/off transient of a radio signal. (Figure: turn-on transient, digitized by an analog-to-digital converter)
Transient Based Approach • Fingerprinting approach details: 1. Extract the transient part − Threshold-based algorithm 2. Extract features from the transient signal (fingerprints) − Transient length − Number of peaks in the transient − Amplitude in the transient 3. Classify unknown fingerprints against the reference fingerprints (using a Kalman filter) − Compute the classification error rate
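An added example, not from the paper or the slides, of the three transient steps above in Python: a threshold-based start detector, a settling-based end detector, and the length, peak-count and amplitude features, run over a constructed turn-on envelope (the time constant, ringing period and 5 % settling tolerance are assumptions made for the example).

```python
import math

def constructed_capture(noise_len=20, burst_len=60, tau=6.0, period=8):
    """Constructed amplitude envelope of a radio turn-on (not a real capture):
    a flat noise floor, then a ringing rise that settles to steady state."""
    noise = [0.02 * (-1) ** n for n in range(noise_len)]
    burst = [1.0 - math.exp(-t / tau) * math.cos(2 * math.pi * t / period)
             for t in range(burst_len)]
    return noise + burst

def transient_start(x, noise_len=20, k=5.0):
    """Threshold-based detection: first sample whose magnitude exceeds k times
    the RMS level measured over the leading noise-only samples."""
    rms = math.sqrt(sum(v * v for v in x[:noise_len]) / noise_len)
    return next(n for n, v in enumerate(x) if abs(v) > k * rms)

def transient_end(x, start, tail=20, tol=0.05):
    """One past the last sample that deviates more than tol (5 %) from the
    steady-state amplitude, estimated as the mean of the final `tail` samples."""
    steady = sum(x[-tail:]) / tail
    out = (n for n in range(start, len(x)) if abs(x[n] - steady) >= tol * steady)
    return max(out, default=start - 1) + 1

def transient_features(x):
    """Fingerprint features from the transient segment:
    its length, the number of local peaks and the maximum amplitude."""
    s = transient_start(x)
    e = transient_end(x, s)
    seg = x[s:e]
    peaks = sum(1 for i in range(1, len(seg) - 1) if seg[i - 1] < seg[i] > seg[i + 1])
    return {"start": s, "end": e, "length": e - s, "peaks": peaks, "amplitude": max(seg)}
```

Note that the threshold detector reports the first sample above the noise floor, one sample after the envelope actually begins to rise; that systematic offset is the same for every capture taken with the same threshold, so it does not hurt matching.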
Modulation Based Approach • This technique extracts unique features from the modulated (data-carrying) part of the signal. • A newer approach that is still being researched
(Figure: QPSK signal constellation with symbols 01, 00, 11, 10) Modulation Based Approach • Fingerprinting approach details: • Capture the signals using a vector signal analyzer • QPSK constellation • Signal spectrum • Extract the following errors due to QPSK modulation: − I/Q origin offset − Frequency offset − Error vector magnitude • Fingerprints are represented by a vector of the above three errors • Compute the classification error rate (CER) • Ratio of incorrectly classified device fingerprints over all classified fingerprints
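An added Python example (not from the paper or the presentation) that estimates the three modulation errors listed above from a constructed QPSK burst: the frequency offset with the 4th-power method, the I/Q origin offset as the residual mean after de-rotation, and the EVM against hard decisions; the symbol rate, impairment values and symbol pattern are assumptions made for the example.

```python
import cmath, math

# Ideal QPSK points with unit power; the data phase is pi/4 + k*pi/2
QPSK = [cmath.exp(1j * (math.pi / 4 + k * math.pi / 2)) for k in range(4)]
SYMBOL_RATE = 1e6  # assumed symbol rate, only used to express rad/symbol in Hz

def constructed_burst(n_sym=64, dc=0.03 + 0.02j, dtheta=0.02, err_amp=0.03):
    """Constructed received burst (not a real capture): ideal QPSK symbols plus a
    carrier-leakage origin offset `dc`, a frequency offset `dtheta` rad/symbol
    and a small deterministic modulation error that sets the EVM."""
    rx = []
    for n in range(n_sym):
        s = QPSK[(7 * n + 3) % 4]                       # balanced symbol pattern
        err = err_amp * cmath.exp(1j * 2 * math.pi * 0.37 * n)
        rx.append((s + dc + err) * cmath.exp(1j * dtheta * n))
    return rx

def unwrap(phases):
    """Remove 2*pi jumps so the phase can be treated as a continuous ramp."""
    out = [phases[0]]
    for p in phases[1:]:
        step = (p - out[-1] + math.pi) % (2 * math.pi) - math.pi
        out.append(out[-1] + step)
    return out

def estimate_freq_offset(rx):
    """4th-power method: r**4 cancels the QPSK data phase (4 * pi/4 + 2k*pi),
    leaving a ramp of slope 4*dtheta; fit the slope by least squares."""
    ph = unwrap([cmath.phase(r ** 4) for r in rx])
    n = len(ph)
    nbar, pbar = (n - 1) / 2, sum(ph) / n
    slope = (sum((i - nbar) * (p - pbar) for i, p in enumerate(ph))
             / sum((i - nbar) ** 2 for i in range(n)))
    return slope / 4

def qpsk_fingerprint(rx):
    """Fingerprint vector [I/Q origin offset in dB relative to the unit
    constellation power, frequency offset in Hz, EVM in %]."""
    dtheta = estimate_freq_offset(rx)
    derot = [r * cmath.exp(-1j * dtheta * n) for n, r in enumerate(rx)]
    dc = sum(derot) / len(derot)                         # residual origin offset
    centred = [y - dc for y in derot]
    decided = [min(QPSK, key=lambda c: abs(y - c)) for y in centred]  # hard decisions
    evm = 100 * math.sqrt(sum(abs(y - c) ** 2 for y, c in zip(centred, decided)) / len(centred))
    return [20 * math.log10(abs(dc)), dtheta * SYMBOL_RATE / (2 * math.pi), evm]
```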
Other Approaches/Techniques • Baseband power spectral density of packet preambles • 20% CER • Using the near-transient and midamble regions of GSM-GMSK (Global System for Mobile communication, Gaussian minimum shift keying) burst signals • The CER was higher for the midamble than for the transient regions. • For UHF RFID: • Using timing properties of the tags • Showed that the response duration can be used to distinguish tags of the same manufacturer and RFID type. • For HF RFID: • Timing and modulation-shape features can only be used to distinguish between manufacturers.
Attacks within Physical-Layer Identification • This section discusses attacks that aim to subvert an application’s decision, and attacks on the anonymity of wireless devices that aim to identify a device even when it is not willing to be identified. • Assumes a “Dolev-Yao style attacker” • The attacker can observe, capture, modify, compose, and (re)play signals transmitted by the device
Signal Replay Attack • The goal is to observe the signals of a device, capture them in digital form, and then transmit the signal again towards the PLI system. • The attacker does not modify the signal • Attacker’s knowledge: • No knowledge of the feature extraction and matching is assumed • Knowledge of how to observe, capture, and submit signals to the system is needed • Why replay attacks? • To gain access to resources by replaying an authentication message • In a DoS, to confuse the destination host
Signal Replay Attack • Aims at preserving the digital samples of the signal. • Note: a replay of digital signal samples can never be exact, unlike a replay of information bits. • High-end hardware and a controlled wireless medium are needed to improve accuracy. • The signal could also be relayed without being stored in digital form. • Amplifiers and multiple antennas are needed for this.
Feature Replay Attacks • This attack creates, modifies, or composes signals that reproduce ONLY the features considered by a PLI system. • Similar to message forging, but: • forging needs only the information bits (the data payload), whereas this attack must also reproduce the analog/digital signal features.
Feature Replay Attacks • Needs to preserve the identification features. • The attacker needs to know which features the PLI system extracts from the device. • Needs to be able to forge signals while keeping the unique features. • Feature replay attacks can be launched by: • Using arbitrary waveform generators • Using a device with features similar to the target device (from a large set of devices of the same model and manufacturer) • Replicating the circuitry/components of the target device (hardest)
Implications and examples of PLI (Intrusion Detection in WLAN networks) • (1) PLI can be used to enhance the security of WLANs • By providing access control to prevent unauthorized devices on the network. • PLI deployed in APs defends against compromise of cryptographic keys by an attacker. • PLI can help determine which multiple MACs or crypto keys belong to the same device. • An attacker who holds the crypto key(s) still cannot authenticate to the network unless they somehow get past the PLI system • (2) PLI techniques can be used to protect against rogue APs.
Implications and examples of PLI (Intrusion Detection in WLAN networks) • System property requirements: • Physical-layer device fingerprints need to be resilient to distance and location. • Transient signal samples may carry wireless-channel characteristics mixed in with the device-specific information they are meant to contain. • How to handle this still remains an open question. • Security requirements: • Resilient to remote impersonation attacks • Resilient to signal and feature replay attacks
Implications and examples of PLI (Device Cloning Detection: RFID Identity Documents) • RFID transponders in documents can be successfully cloned even when protective measures are in place • PLI can be applied to document cloning in two different ways: • (1) Fingerprints are measured before RFID deployment and stored in a back-end database, indexed by a unique ID. • (2) Fingerprints are measured before RFID deployment, BUT stored in the transponder’s memory. • Advantage: document authenticity can be verified OFFLINE. • Disadvantage: the fingerprint is stored on the transponder, so it requires access protection. Also, fingerprints need to be compact enough to fit in the memory
Implications and examples of PLI (Device Cloning Detection: RFID Identity Documents) • System property requirements: • Special-purpose devices need to be built. • Fingerprints need to be measured at multiple locations (e.g. country borders) • Devices should be of high quality to preserve the fingerprint from distortions
Implications and examples of PLI (Device Cloning Detection: RFID-Enabled Supply Chains) • PLI provides a means to detect counterfeit products by creating PLI fingerprints that bind the RFID tag to the original, claimed identity. • Unlike e-passports, where the fingerprint is stored directly on the passport, the fingerprints would be stored in a database. • These can later be compared with the fingerprints obtained from the RFID tag.
Implications and examples of PLI (Device Cloning Detection: RFID-Enabled Supply Chains) • System property requirements: • High computational speed • Large numbers of products on pallets pass through identification gates in a short time. • Fingerprints need to be robust • Tags are placed anywhere on the pallets and may interfere with other wireless communication • High system accuracy • Verifying false rejects may slow down the supply chain process • System security requirements: • Equipping each counterfeit product with a replaying device is too expensive • Equipping counterfeits with RFID tags whose features are similar to those of the tags on genuine products could pass identification, and is the cheaper choice for an attacker.
Other Related Applications • Wormhole attack: • Creates a tunnel that connects two points in the network and relays messages back and forth. • Can filter unwanted packets and refuse traffic forwarding • PLI can be used to verify the origin device of a transmitted signal • Sybil attack: • The attacker assigns different identities to the same node. • PLI can detect multiple identities belonging to one device.
Implications and examples of PLI (Anonymity and Location Privacy) • PLI techniques require only a few packets to identify the number of devices in the vicinity and to classify individual packets to the corresponding transmitting device. • Example: targeting UHF RFID • Shown to leak information that is independent of the user’s position. • If a user carries a number of UHF tags, a network of readers can track them regardless of location and distance. • Example: a user has 5 cards • Can be identified among 6x10^6 users. • Shows that card-holder privacy can be compromised by the ability to read UHF RFID from large distances
Conclusion • Benefits applications such as access control and device cloning detection, and bears on identity (location) privacy. • Has been investigated on a broad spectrum of wireless technologies, but primarily as a defensive technique. • A lot of future research is still open in this area: • What are the exact causes of identification? • The feasibility or non-feasibility needs to be considered • How much information entropy do fingerprints contain? • By analyzing the system, state-of-the-art approaches, attacks, and security issues, we can give an overview of physical-layer identification of wireless devices.