The Cicada Attack: Degradation and Denial of Service Attacks in IR Ranging Marcin Poturalski, Manuel Flury, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves.


1 The Cicada Attack: Degradation and Denial of Service Attacks in IR Ranging Marcin Poturalski, Manuel Flury, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec

2 Outline
Context: ranging and secure ranging
The Cicada attack
Attack performance evaluation
Countermeasures
Conclusion

3 Ranging
Ranging can be applied in a number of applications
– Localization and navigation of robot fleets
[Figure label: ranging]

4 Ranging
Ranging can be applied in a number of applications
– Tracking of goods
[Figure label: ranging]

5 Ranging
Ranging can be applied in a number of applications
– Physical access control
Many are security sensitive!
[Figure label: ranging]

6 Ranging
Ranging can be applied in a number of applications
– Physical access control
Many are security sensitive!
[Figure label: Impersonate]

7 Ranging
Ranging can be applied in a number of applications
– Tracking of goods
Many are security sensitive!
[Figure label: ranging]

8 Ranging
Ranging can be applied in a number of applications
– Tracking of goods
Many are security sensitive!
[Figure label: Manipulate ranging measurement]

9 Securing Ranging
How to make ranging secure?

10 Securing Ranging
Distance bounding protocols
– S. Brands and D. Chaum. “Distance Bounding Protocols.” EUROCRYPT’93
– S. Capkun, L. Buttyan and J. Hubaux. “SECTOR: secure tracking of node encounter in multi-hop wireless networks.” SASN’03
– L. Bussard and W. Bagga. “Distance-Bounding Proof of Knowledge to Avoid Real-Time Attacks.” SEC’05
– G.P Hancke and M.G. Kuhn. “An RFID distance bounding protocol.” SecureComm’05
– C. Meadows, P. Syverson and L. Chang. “Towards More Efficient Distance Bounding Protocols for Use in Sensor Networks.” SecureComm’06
– J. Reid, J.M.G Nieto, T. Tang and B. Senadji, “Detecting Relay Attacks with Timing-Based Protocols” ASIACCS’07
– D. Singelee and B. Preneel. “Distance bounding in noisy environments”. ESAS’07
– …
– …

11 Securing Ranging
Distance bounding protocol example:
[Figure: message exchange between A and B, with round-trip time t_RTT: N_V; (P ⊕ N_V, N_P); (N_V, P, N_P, MAC_PV(N_V, P, N_P))]
Provides an upper-bound on the computed distance
– Not possible to decrease the measured distance
Messages travel at the speed of light
– Possible to increase the distance
Relay delay messages
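
The verifier-side check for the exchange on this slide, as an added example that is not part of the presentation. It assumes the verifier sends N_V, the prover answers with P ⊕ N_V and N_P, and the last message carries an HMAC-SHA256 tag under a key shared by prover and verifier; the function names, the 16-byte fields and the processing-delay parameter are assumptions.

```python
import hashlib
import hmac

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mac_pv(key: bytes, n_v: bytes, p: bytes, n_p: bytes) -> bytes:
    # MAC_PV(N_V, P, N_P); HMAC-SHA256 is an assumption, the slide names no MAC.
    return hmac.new(key, n_v + p + n_p, hashlib.sha256).digest()


def distance_upper_bound(key, prover_id, n_v, reply, n_p, tag,
                         t_rtt_ns, t_proc_ns=0.0):
    """Return the distance bound in metres, or None if any check fails."""
    # The rapid reply must equal P XOR N_V, binding it to this challenge.
    if not hmac.compare_digest(reply, xor_bytes(prover_id, n_v)):
        return None
    # The authenticated message ties N_V, P and N_P to the shared key.
    if not hmac.compare_digest(tag, mac_pv(key, n_v, prover_id, n_p)):
        return None
    if t_rtt_ns < t_proc_ns:
        return None
    # Signals cannot travel faster than light, so this is an upper bound.
    return C_M_PER_NS * (t_rtt_ns - t_proc_ns) / 2.0


def demo():
    key = bytes(range(16))                      # constructed shared key
    p = b"PROVER-IDENTITY0"                     # constructed 16-byte identity
    n_v = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    n_p = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed
    reply, tag = xor_bytes(p, n_v), mac_pv(key, n_v, p, n_p)
    honest = distance_upper_bound(key, p, n_v, reply, n_p, tag, 100.0)
    # The bound depends only on the measured round-trip time: a shorter
    # measured RTT gives a smaller bound with identical cryptographic checks.
    shorter = distance_upper_bound(key, p, n_v, reply, n_p, tag, 60.0)
    bad_tag = distance_upper_bound(key, p, n_v, reply, n_p, b"\0" * 32, 100.0)
    return honest, shorter, bad_tag
```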

12 Securing Ranging
Do distance bounding protocols solve the problem …? Not quite
Physical layer attacks against distance bounding
– J. Clulow, G.P. Hancke, M.G. Kuhn, T. Moore. “So Near and yet So Far: Distance-Bounding Attacks in Wireless Networks.” ESAS’06
– M. Flury, M. Poturalski, P. Papadimitratos, J.-P. Hubaux, J.-Y. Le Boudec. “Effectiveness of Distance-Decreasing Attacks Against Impulse Radio Ranging.” WiSec’10
This paper: New kind of physical layer attack against (IR) ranging

13 Impulse Radio Ranging
Precise ranging in dense multipath environments
The first path is not necessarily the strongest path

14 The Ranging Process
[Figure: Receiver R; Transmitter T; Preamble: frame sequence modulated by ternary preamble code]
1. Coarse synchronization: Lock on strongest path
2. Fine synchronization: Back-search for first path

15 The Cicada Attack
[Figure: Receiver R; Transmitter T; Malicious transmitter M; Preamble: frame sequence modulated by ternary preamble code]
Denial of Service: Ranging not possible

16 The Cicada Attack
[Figure: Receiver R; Transmitter T; Malicious transmitter M; Preamble: frame sequence modulated by ternary preamble code; Cicada attack]
Degradation of Service: Range decreased
Back-search finds bogus first path

17 Denial vs Degradation
Degradation is more stealthy than denial
– Potentially more severe
We focus on an adversary aiming at degradation

18 The Cicada Attack
Very simple to mount
– Requires only an IR transmitter
– Oblivious to preamble code
Limited effectiveness
– Mild distance decrease
  Back-search window size, e.g., 20m
– Random distance decrease

19 Example Attack

20 Simulation Setup
IEEE 802.15.4a PHY
– Mandatory LPRF mode
– Indoor NLOS channel model
Attack performance for 3 energy detection receivers:
– Vanilla – basic energy detection receiver
– MINF, PICNIC – receivers robust to multi-user interference
We simulate entire packet reception process
[Figure: Receiver R; Transmitter T (SNR_T); Malicious transmitter M (SNR_M)]

21 Vanilla Receiver
[Plot, SNR_T = 20dB. Legend: Packet received, ToA decreased by > 4ns; Packet not received, failure of synchronization; Packet not received, failure of SFD detection or data decoding]

22 Vanilla Receiver
The cicada signal sometimes misses the back-search window
[Plot, SNR_T = 20dB]

23 Vanilla Receiver
Increase cicada signal rate
[Plot, SNR_T = 20dB]

24 Vanilla Receiver
Increase cicada signal rate
[Plot, SNR_T = 20dB]

25 Vanilla Receiver
Degradation takes place:
– If the cicada signal is not lost in noise
– If the cicada signal is lower than the signal of T
[Plot, SNR_T = 20dB]

26 MINF Receiver
Designed to cope with benign multi-user interference during fine synchronization
– Z. Sahinoglu and I. Guvenc. “Multiuser interference mitigation in noncoherent UWB ranging via nonlinear filtering.” EURASIP Journal on Wireless Communication Networks, 2006
– D. Dardari, A. Giorgetti, and M.Z. Win. “Time-of-arrival estimation of UWB signals in the presence of narrowband and wideband interference.” ICUWB,

27 MINF Receiver
[Figure: axes “samples in frame” and “frames”; user of interest (code i); benign interferer (code j)]
1. Remove frames according to code i
2. Apply moving minimum filter
Assume coarse synchronization is achieved
Cicada signal is present in every frame
– Min filter will not remove it
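
A toy model of the two MINF steps and of why the filter keeps a signal that is present in every frame, as an added example that is not part of the presentation. The frames-by-samples layout follows the slide; the codes, energies, window length, threshold and function names are constructed for illustration.

```python
# Simplified model of the two MINF steps on the slide; all values constructed.
CODE_I = [1, 0, -1, 1, 0, 0, 1, -1]   # ternary code of the user of interest
CODE_J = [1, 1, 0, -1, 1, 0, 0, 1]    # ternary code of a benign interferer
N = 16                                # energy samples per frame
NOISE, FIRST, STRONG = 1.0, 3.0, 9.0  # noise floor and path energies
FIRST_IDX, STRONG_IDX = 10, 12        # weak first path, strongest path


def frames(interferer_idx=None, every_frame=False, interferer_energy=5.0):
    """Energy samples per frame as seen by a coarsely synchronized receiver."""
    rows = []
    for ci, cj in zip(CODE_I, CODE_J):
        row = [NOISE] * N
        if ci != 0:                   # user of interest transmits a pulse
            row[FIRST_IDX] += FIRST
            row[STRONG_IDX] += STRONG
        if interferer_idx is not None and (every_frame or cj != 0):
            row[interferer_idx] += interferer_energy
        rows.append(row)
    return rows


def minf(rows, window=3):
    # Step 1: remove frames in which code i carries no pulse.
    kept = [r for r, ci in zip(rows, CODE_I) if ci != 0]
    # Step 2: moving minimum over `window` consecutive kept frames, per sample.
    return [[min(col) for col in zip(*kept[k:k + window])]
            for k in range(len(kept) - window + 1)]


def first_path(rows, threshold=2.0, back_window=8):
    """Average the frames, lock on the strongest sample, back-search from it."""
    avg = [sum(col) / len(rows) for col in zip(*rows)]
    peak = max(range(N), key=avg.__getitem__)
    for idx in range(max(0, peak - back_window), peak + 1):
        if avg[idx] > threshold:
            return idx                # earliest sample above the threshold
    return peak
```

With an interferer at sample 5, `first_path(minf(frames(5)))` still returns the true first path, while `first_path(minf(frames(5, every_frame=True)))` returns the interfering sample, because no frame in any filter window is free of it.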

28 Attack Performance against MINF
Attack performs slightly worse than for Vanilla
[Plots, SNR_T = 20dB; label: Vanilla]

29 PICNIC Receiver
Designed to cope with benign multi-user interference during synchronization
– M. Flury, R. Merz, and J.-Y. Le Boudec. “Robust non-coherent timing acquisition in IEEE 802.15.4a IR-UWB networks.” PIMRC, 2009
Adversary exploits the interference robustness of the PICNIC receiver to improve attack performance
[Plots, SNR_T = 20dB; labels: Vanilla, PICNIC]

30 Countermeasures to Degradation
Do not perform back-search
– Lose ranging performance in the benign case
Perform multiple range measurements
– Cicada attack increases variance of measurements
Modify the modulation scheme
– Time-hopping in the preamble?
Secure synchronization algorithms
– Complexity and energy consumption are an issue

31 Conclusion
Cicada attack
– Simple attack able to decrease distance measured by IR ranging protocols
– Exploits fundamental difficulty in distinguishing legitimate and interfering signals
Security must be addressed at all layers

32 To learn more…

33 Extra slides

34 PICNIC Receiver
Designed to cope with benign multi-user interference during synchronization
– M. Flury, R. Merz, and J.-Y. Le Boudec. “Robust non-coherent timing acquisition in IEEE 802.15.4a IR-UWB networks.” PIMRC, 2009
Component 1: Power Independent Detection (PID)
Component 2: Interference Cancelation
– Detect presence of alternative preamble code
– If detected, estimate and remove interference
[Figure labels: Threshold (0 : x < t, 1 : x ≥ t); Correlator output]

35 Attack Performance against PICNIC
Attack performs slightly worse than for Vanilla
Denial sets in at low SNR_M
[Plots, SNR_T = 20dB; label: Vanilla]

36 Attack Performance against PICNIC
Correlator output is maximized for all cicada peaks
Make cicada signal more sparse?
[Figure labels: Threshold (0 : x < t, 1 : x ≥ t); plot, SNR_T = 20dB]

37 Attack Performance against PICNIC
Adversary exploits the interference robustness of the PICNIC receiver to improve attack performance
[Plot, SNR_T = 20dB]

38 Attack Performance against PICNIC
Attack with high rate cicada signal
[Plot, SNR_T = 20dB]

39 Distance decrease
Back-search window size 64ns

