DOI: 10.1145/3463676.3485606
research-article

Private Data Exfiltration from Cyber-Physical Systems Using Channel State Information

Published: 15 November 2021

Abstract

Data exfiltration methods aim to extract data from a network or device without authorization and without detection. In this paper, we present a novel data exfiltration method using Channel State Information (CSI) from ambient WiFi signals. Modulation is performed by modifying the environment: moving a physically actuated machine changes the channel response, and the change is measurable by a distant receiver capable of collecting CSI samples. An attacker can use this to exfiltrate data when transmission using conventional methods is impossible but the attacker controls a moving mechanism. We discuss the design of the covert channel in detail and produce a proof-of-concept implementation to evaluate its performance in terms of communication quality. We find that even a simple implementation provides robust communication in an office environment. Additionally, we present several countermeasures against an attack of this type.

Supplementary Material

MP4 File (WPES21-wpes29.mp4)
20 minute video presentation of the paper

Cited By

  • (2023) A Deep Learning and Channel Sounding Based Data Authentication and QoS Enhancement Mechanism for Massive IoT Networks. Wireless Personal Communications 130:4 (2495-2514). DOI: 10.1007/s11277-023-10389-1. Online publication date: 1-Apr-2023
  • (2022) ETHERLED: Sending Covert Morse Signals from Air-Gapped Devices via Network Card (NIC) LEDs. 2022 IEEE International Conference on Cyber Security and Resilience (CSR) (163-170). DOI: 10.1109/CSR54599.2022.9850284. Online publication date: 27-Jul-2022

      Published In

      WPES '21: Proceedings of the 20th Workshop on Privacy in the Electronic Society
      November 2021
      257 pages
      ISBN: 9781450385275
      DOI: 10.1145/3463676
      • General Chairs: Yongdae Kim, Jong Kim
      • Program Chairs: Giovanni Livraga, Noseong Park
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. channel state information
      2. covert communication
      3. data exfiltration

      Qualifiers

      • Research-article

      Conference

      CCS '21

      Acceptance Rates

      Overall Acceptance Rate 106 of 355 submissions, 30%
