research-article

Shadow Wi-Fi: Teaching Smartphones to Transmit Raw Signals and to Extract Channel State Information to Implement Practical Covert Channels over Wi-Fi

Authors:

Matthias Schulz,

Francesco Gringoli,

Matthias HollickAuthors Info & Claims

MobiSys '18: Proceedings of the 16th Annual International Conference on Mobile Systems, Applications, and Services

Pages 256 - 268

https://doi.org/10.1145/3210240.3210333

Published: 10 June 2018 Publication History

Abstract

Wi-Fi chips offer vast capabilities, which are not accessible through the manufacturers' official firmwares. Unleashing those capabilities can enable innovative applications on off-the-shelf devices. In this work, we demonstrate how to transmit raw IQ samples from a large buffer on Wi-Fi chips. We further show how to extract channel state information (CSI) on a per frame basis. As a proof-of-concept application, we build a covert channel on top of Wi-Fi to stealthily exchange information between two devices by prefiltering Wi-Fi frames prior to transmission. On the receiver side, the CSI is used to extract the embedded information. By means of experimentation, we show that regular Wi-Fi clients can still demodulate the underlying Wi-Fi frames. Our results show that covert channels on the physical layer are practical and run on off-the-shelf smartphones. By making available our raw signal transmitter, the CSI extractor, and the covert channel application to the research community, we ensure reproducibility and offer a platform for further innovative applications on Wi-Fi devices.

Supplementary Material

WEBM File (p256-schulz.webm)

Download
122.20 MB

References

[1]

I. E. Bagci, U. Roedig, I. Martinovic, M. Schulz, and M. Hollick. 2015. Using Channel State Information for Tamper Detection in the Internet of Things. In Proc. of the 31st Annual Computer Security Applications Conference (ACSAC '15). ACM, 131--140.

Digital Library

[2]

Jiska Classen, Matthias Schulz, and Matthias Hollick. 2015. Practical covert channels for WiFi systems. In 2015 IEEE Conference on Communications and Network Security (CNS). 209--217.

[3]

Mango Communications. 2017. WARP Project. http://warpproject.org

[4]

Aveek Dutta, Dola Saha, Dirk Grunwald, and Douglas Sicker. 2013. Secret Agent Radio: Covert Communication through Dirty Constellations. Springer Berlin Heidelberg, Berlin, Heidelberg, 160--175.

Digital Library

[5]

Ettus Research, A National Instruments Company. 2010. https://www.ettus.com.

[6]

C. G. Girling. 1987. Covert Channels in LAN's. IEEE Transactions on Software Engineering SE-13, 2 (1987), 292--296.

Digital Library

[7]

Iwona Grabska and Krzysztof Szczypiorski. 2013. Steganography in WiMAX networks. In 2013 5th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT). 20--27.

[8]

Iwona Grabska and Krzysztof Szczypiorski. 2014. Steganography in Long Term Evolution Systems. In 2014 IEEE Security and Privacy Workshops. 92--99.

Digital Library

[9]

Szymon Grabski and Krzysztof Szczypiorski. 2013. Steganography in OFDM Symbols of Fast IEEE 802.11n Networks. In 2013 IEEE Security and Privacy Workshops. 158--164.

Digital Library

[10]

Great Scott Gadgets. 2009. HackRF One. http://greatscottgadgets.com/hackrf/.

[11]

Daniel Halperin, Wenjun Hu, Anmol Sheth, and David Wetherall. 2011. Tool Release: Gathering 802.11N Traces with Channel State Information. SIGCOMM Comput. Commun. Rev. 41, 1 (Jan. 2011), 53--53.

Digital Library

[12]

Zaid Hijaz and Victor S. Frost. 2010. Exploiting OFDM systems for covert communication. In 2010 - MILCOM 2010 MILITARY COMMUNICATIONS CONFERENCE. 2149--2155.

[13]

Rizky Pratama Hudhajanto, I Gede Puja Astawa, and Amang Sudarsono. 2016. Covert Communication in MIMO-OFDM System Using Pseudo Random Location of Fake Subcarriers. EMITTER International Journal of Engineering Technology 4, 1 (2016).

[14]

Z.Jiang, J. Zhao, X. Y.Li, J. Han, and W. Xi. 2013. Rejecting the Attack: Source Authentication for Wi-Fi Management Frames using CSI Information. In Proc. of the 32nd IEEE International Conference on Computer Communications (INFOCOM '13). IEEE, 2544--2552.

[15]

Swarun Kumar, Diego Cifuentes, Shyamnath Gollakota, and Dina Katabi. 2013. Bringing Cross-layer MIMO to Today's Wireless LANs. In Proceedings of the ACM SIGCOMM 2013 Conference on SIGCOMM (SIGCOMM '13). 387--398.

Digital Library

[16]

Butler W. Lampson. 1973. A Note on the Confinement Problem. Commun. ACM 16, 10 (1973), 613--615.

Digital Library

[17]

Zhijun Li and Tian He. 2017. WEBee: Physical-Layer Cross-Technology Communication via Emulation. In Proceedings of the 23rd Annual International Conference on Mobile Computing and Networking (MobiCom '17). 2--14.

Digital Library

[18]

Lime Microsystems. 2017. LimeSDR. http://www.limemicro.com/products/software-defined-radio/.

[19]

F. Ricciato, S. Sciancalepore, F. Gringoli, N. Facchi, and G. Boggia. 2018. Position and Velocity Estimation of a Non-cooperative Source From Asynchronous Packet Arrival Time Measurements. IEEE Transactions on Mobile Computing (2018), 1--1.

[20]

Matthias Schulz, Francesco Gringoli, Daniel Steinmetzer, Michael Koch, and Matthias Hollick. 2017. Massive Reactive Smartphone-Based Jamming using Arbitrary Waveforms and Adaptive Power Control. In Proc. of the ACM Conference on Security and Privacy in Wireless & Mobile Networks (WiSec) 2017. Boston, USA.

Digital Library

[21]

Matthias Schulz, Daniel Wegemer, and Matthias Hollick. 2017. Nexmon: Build Your Own Wi-Fi Testbeds With Low-Level MAC and PHY-Access Using Firmware Patches on Off-the-Shelf Mobile Devices. In Proceedings of the 11th Workshop on Wireless Network Testbeds, Experimental Evaluation & CHaracterization (WiN-TECH 17). 59--66.

Digital Library

[22]

Matthias Schulz, Daniel Wegemer, and Matthias Hollick. 2017. Nexmon: The C-based Firmware Patching Framework. https://nexmon.org

[23]

K. Szczypiorski. 2003. HICCUPS: Hidden communication system for corrupted networks. In In Proc. of: The Tenth International Multi-Conference on Advanced Computer Systems ACS'2003, October 22-24, 2003 Miedzyzdroje. 31--40.

[24]

Krzysztof Szczypiorski and Wojciech Mazurczyk. 2010. Hiding Data in OFDM Symbols of IEEE 802.11 Networks. In 2010 International Conference on Multimedia Information Networking and Security. 835--840.

Digital Library

[25]

Kun Tan, Jiansong Zhang, Ji Fang, He Liu, Yusheng Ye, Shen Wang, Yongguang Zhang, Haitao Wu, Wei Wang, and Geoffrey M. Voelker. 2009. Sora: High Performance Software Radio Using General Purpose Multi-core Processors. In Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI'09). 75--90.

Digital Library

[26]

Manfred Wolf. 1989. Covert channels in LAN protocols. Springer Berlin Heidelberg, Berlin, Heidelberg, 89--101.

Digital Library

[27]

Yaxiong Xie, Zhenjiang Li, and Mo Li. 2015. Precise Power Delay Profiling with Commodity WiFi. In Proceedings of the 21st Annual International Conference on Mobile Computing and Networking (MobiCom '15). 53--64.

Digital Library

Cited By

Wei XSaha D(2024)WISE: Waveform Independent Signal Embedding for Covert CommunicationIEEE Transactions on Machine Learning in Communications and Networking10.1109/TMLCN.2023.33433262(64-80)Online publication date: 2024
https://doi.org/10.1109/TMLCN.2023.3343326
Liu JYu JZhang RWang SYang KAn J(2024)Intelligent Reflecting Surface-Aided Covert Ambient Backscatter CommunicationIEEE Transactions on Communications10.1109/TCOMM.2024.335644172:6(3558-3571)Online publication date: Jun-2024
https://doi.org/10.1109/TCOMM.2024.3356441
Yang YChen MBlankenship YLee JGhassemlooy ZCheng JMao S(2024)Positioning Using Wireless Networks: Applications, Recent Progress, and Future ChallengesIEEE Journal on Selected Areas in Communications10.1109/JSAC.2024.342362942:9(2149-2178)Online publication date: Sep-2024
https://doi.org/10.1109/JSAC.2024.3423629
Show More Cited By

Recommendations

A prototype of uplink NOMA wi-fi with successive interference cancellation: demo
MobiHoc '22: Proceedings of the Twenty-Third International Symposium on Theory, Algorithmic Foundations, and Protocol Design for Mobile Networks and Mobile Computing

New data transmission methods are needed for future Wi-Fi networks to increase throughput and support dense deployments. Wi-Fi networks often consist of devices of different generations, so these methods need to support backward compatibility. Uplink ...
Dangerous Wi-Fi access point: attacks to benign smartphone applications

Personalization by means of third party application is one of the greatest advantages of smartphones. For example, when a user looks for a path to destination, he can download and install a navigation application with ease from official online market ...
Comparison of SUN and Wi-Fi P2P WSN in M2M environments
Special issue on Recent Advances of ICT Convergence on WSN Applications

In wireless sensor network, two scenarios are combined which involve either short-range or long-range communications. IEEE 802.15.4g and IEEE 802.11 are considered in machine to machine environments, because they can utilize the identical frequency ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

MobiSys '18: Proceedings of the 16th Annual International Conference on Mobile Systems, Applications, and Services

June 2018

560 pages

ISBN:9781450357203

DOI:10.1145/3210240

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGMOBILE: ACM Special Interest Group on Mobility of Systems, Users, Data and Computing

In-Cooperation

SIGOPS: ACM Special Interest Group on Operating Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 June 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article
Research
Refereed limited

Conference

MobiSys '18

Sponsor:

SIGMOBILE

MobiSys '18: The 16th Annual International Conference on Mobile Systems, Applications, and Services

June 10 - 15, 2018

Munich, Germany

Acceptance Rates

Overall Acceptance Rate 274 of 1,679 submissions, 16%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

64
Total Citations
View Citations
1,353
Total Downloads

Downloads (Last 12 months)137
Downloads (Last 6 weeks)19

Reflects downloads up to 03 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wei XSaha D(2024)WISE: Waveform Independent Signal Embedding for Covert CommunicationIEEE Transactions on Machine Learning in Communications and Networking10.1109/TMLCN.2023.33433262(64-80)Online publication date: 2024
https://doi.org/10.1109/TMLCN.2023.3343326
Liu JYu JZhang RWang SYang KAn J(2024)Intelligent Reflecting Surface-Aided Covert Ambient Backscatter CommunicationIEEE Transactions on Communications10.1109/TCOMM.2024.335644172:6(3558-3571)Online publication date: Jun-2024
https://doi.org/10.1109/TCOMM.2024.3356441
Yang YChen MBlankenship YLee JGhassemlooy ZCheng JMao S(2024)Positioning Using Wireless Networks: Applications, Recent Progress, and Future ChallengesIEEE Journal on Selected Areas in Communications10.1109/JSAC.2024.342362942:9(2149-2178)Online publication date: Sep-2024
https://doi.org/10.1109/JSAC.2024.3423629
Smith PSarkar SPatwari NKasera S(2024)On Passive Privacy-Preserving Exposure Notification Using Hash CollisionsIEEE Internet of Things Journal10.1109/JIOT.2024.335325511:9(16134-16147)Online publication date: 1-May-2024
https://doi.org/10.1109/JIOT.2024.3353255
Yazdani-Abyaneh AHirzallah MKrunz M(2024)Countermeasuring Aggressors via Intelligent Adaptation of Contention Window in CSMA/CA SystemsIEEE Access10.1109/ACCESS.2024.341623212(88216-88230)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3416232
Schumann RLi FGrzegorzek M(2023)WiFi Sensing with Single-Antenna Devices for Ambient Assisted LivingProceedings of the 8th international Workshop on Sensor-Based Activity Recognition and Artificial Intelligence10.1145/3615834.3615841(1-8)Online publication date: 21-Sep-2023
https://dl.acm.org/doi/10.1145/3615834.3615841
Link JBreuer DGringoli FHollick M(2023)Rolling the D11Proceedings of the 17th ACM Workshop on Wireless Network Testbeds, Experimental evaluation & Characterization10.1145/3615453.3616520(88-95)Online publication date: 6-Oct-2023
https://dl.acm.org/doi/10.1145/3615453.3616520
Cao SLi DLee SXiong JCosta XHassanieh HAsadi ACox LPerino DWidmer JGiustiniano D(2023)PowerPhone: Unleashing the Acoustic Sensing Capability of SmartphonesProceedings of the 29th Annual International Conference on Mobile Computing and Networking10.1145/3570361.3613270(1-16)Online publication date: 2-Oct-2023
https://dl.acm.org/doi/10.1145/3570361.3613270
Hou NXia XZheng Y(2023)CloakLoRa: A Covert Channel Over LoRa PHYIEEE/ACM Transactions on Networking10.1109/TNET.2022.320925531:3(1159-1172)Online publication date: Jun-2023
https://doi.org/10.1109/TNET.2022.3209255
Zhang YSun WRen YLee SLi M(2023)Channel Adapted Antenna Augmentation for Improved Wi-Fi ThroughputIEEE Transactions on Mobile Computing10.1109/TMC.2022.319545322:11(6297-6310)Online publication date: 1-Nov-2023
https://doi.org/10.1109/TMC.2022.3195453
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents