1. Ghostbuster: Detecting the Presence of Hidden Eavesdroppers
Anadi Chaman, Jiaming Wang, Jiachen Sun Romit Roy Choudhury, Haitham Hassanieh UIUC
Presenter: Haofan Cai
CMPE 253, 02/06/2019

2. Outline Motivation What is Ghostbuster Design Challenges
System Architecture
Implementation
Evaluation Results
Limitations & Conclusions

3. Outline Motivation What is Ghostbuster Design Challenges
System Architecture
Implementation
Evaluation Results
Limitations & Conclusions

4. Motivation

5. Motivation

6. Motivation Eavesdropping is a longstanding problem!
No way to regulate or know who is listening on the wireless channel!

7. Defense Against Eavesdropping: Encryption
Encryption breaks due to security loopholes.
Vulnerability in WPA2
[SIGSAC’17]
Low power devices employ weak or no encryption.
Ultra-Low Power RFIDs
[S&P’09, CCS;09, Usenix’12, Defcon’13, NSDI’15]
Side Channel Attacks
[CRYPTO’14, CHES’15, CCS’16, RSA’16, MobiCom’15]
Medical Implants
[S&P’10, SIGCOMM’11]

8. View the problem at a different angle:
Can we detect the hidden presence of
wireless eavesdroppers?

9. What is Ghostbuster ?
A system that can reliably detect an eavesdropper in the presence of ongoing transmissions.
Does not require any modifications to current transmitters and receivers.
Implemented and empirically tested against SDR & WiFi cards based eavesdroppers.

10. Eavesdropper’s Digital Receiver
Why can Ghostbuster find eavesdropper?
Key Observation: Even passive receivers leakage RF signals on to the wireless medium
Mixer
Amplifier
Baseband Processing RF
Leakage
Local Oscillator
Eavesdropper’s Digital Receiver
Receiver’s oscillator creates a sinusoid signal at the carrier frequency of operation

11. Profiling RF Leakage
Simplified receiver architecture is COST WiFi cards
frequency of the leaked signal fl can be expressed as a function of the center frequency fc for each one of the architectures:

12. Outline Motivation What is Ghostbuster Design Challenges
System Architecture
Implementation
Evaluation Results
Limitations
Conclusions

13. Challenge 1:Weak Leakage
RF Leakage

14. Challenge 1: Weak Leakage
Noise
RF Leakage
RF Leakage is extremely weak:
buried under noise floor
Hard to detect with today’s receivers?

15. A Potential Solution
Average noise by taking an FFT over a large time window
200 ms
Time
FFT
2.45 GHz
Frequency

16. A Potential Solution
Average noise by taking an FFT over a large time window
1 sec
Time
FFT
2.45 GHz
Leakage
Frequency

17. A Potential Solution
Average noise by taking an FFT over a large time window
1.5 sec
Time
FFT
Leakage
2.45 GHz
Frequency

18. Challenge 2: On-going transmission
However, large time windows are bound to include transmitted packets!
Time
Time

19. Challenge 2: On-going transmission
However, large time windows are bound to include transmitted packets!
Time
Leakage is orders of magnitude weaker than TX signals.
FFT
2.45 GHz
Frequency

20. Challenge 3: Leakage from legitimate receivers
Leakage is orders of magnitude weaker than TX signals.
Other legitimate receivers also create RF leakage.
How to extract the eavesdropper’s leakage in the presence of ongoing transmissions and leakage from other receivers?

21. Outline Motivation What is Ghostbuster Design Challenges
System Architecture
Implementation
Evaluation Results
Limitations & Conclusions

22. Leverage carrier frequency offset (CFO)
Ghostbuster
Step 1
Null On Going Transmissions
Spatial Domain: MIMO
Frequency Domain: Cancel Artifacts
Step 2
Separate Leakages from other receivers
Leverage carrier frequency offset (CFO)

23. Leverage carrier frequency offset (CFO)
Ghostbuster
Step 1
Null On Going Transmissions
Spatial Domain: MIMO
Frequency Domain: Cancel Artifacts
Step 2
Separate Leakages from other receivers
Leverage carrier frequency offset (CFO)

24. MIMO(multiple-input and multiple-output)
Transmitter
y1(t)
ht1
x(t)
ht2
y2(t)
Ghostbuster
he1
e(t)
he2
Eavesdropper
y1(t)=he1e(t)+ht1x(t)
y2(t)=he2e(t)+ht2x(t)

25. OFDM (Orthogonal frequency-division multiplexing)
OFDM bins
Transmitted signal :

26. Ghostbuster ⋯ MIMO alone is not sufficient.
Time
Discontinuities
Discontinuities in time result in artifacts & spurious frequencies that are very hard to cancel.
Symbol 1
Symbol 2
Symbol 3
Symbol N ⋯

27. Leverage carrier frequency offset (CFO)
Ghostbuster
Step 1
Null On Going Transmissions
Spatial Domain: MIMO
Frequency Domain: Cancel Artifacts
Step 2
Separate Leakages from other receivers
Leverage carrier frequency offset (CFO)

28. Discontinuities & Artifacts
Consider a single frequency
Frequency
Time
More samples
more samples
Large Time Window

29. Discontinuities & Artifacts
Consider a single frequency
Frequency
Time
More samples
more samples
Large Time Window

30. Discontinuities & Artifacts
Consider a single frequency
Frequency
Time
More samples
more samples
Large Time Window

31. Discontinuities & Artifacts
Consider a single frequency
Frequency
Time
More samples
more samples
Large FFT
Large Time Window

32. Discontinuities & Artifacts
Consider a single frequency
Frequency
Time
More samples
more samples
Large FFT
Artifacts
Large Time Window

33. Discontinuities & Artifacts
Artifacts add up from all frequencies & symbols
Leakage
Artifacts add up from all packets in the time window

34. Canceling Artifacts
Need to estimate the continuous (Off-Grid) frequency positions & coefficients
Solve:
Fix , solve for :Weighted Least Squares
Fix ,,solve for : Convex for good initial estimates of
Solve using gradient descent.

35. Canceling Artifacts Solves for given a fixed
In this case, the error function E is convex in . The optimization is a weighted least squares problem and has the following closed-form solution:

36. Canceling Artifacts Solves for given a fixed
In this case, the error function E is non-convex in due to the complex exponentials. However, if we have good initial estimates of that are with in a small interval around fk, then the function becomes convex within this interval and we can use gradient descent to minimize it.

37. Leverage carrier frequency offset (CFO)
Ghostbuster
Step 1
Null On Going Transmissions
Spatial Domain: MIMO
Frequency Domain: Cancel Artifacts
Step 2
Separate Leakages from other receivers
Leverage carrier frequency offset (CFO)

38. Separate Leakages from other receivers
What about leakage from other receivers?
Leverage CFOs caused by hardware imperfections (Typically 100s Hz ~few kHz )
Use time windows of 1 sec to tens of seconds
Count the number of legitimate receivers NL, number of detected receivers ND, if ND≠ NL,
2.45 GHz
Frequency

39. Separate Leakages from other receivers
What about leakage from other receivers?
Leverage CFOs caused by hardware imperfections (Typically 100s Hz ~few kHz )
Use time windows of 1 sec to tens of seconds
Count the number of legitimate receivers NL, number of detected receivers ND, if ND≠ NL,
2.45 GHz
Frequency

40. Outline Motivation What is Ghostbuster Design Challenges
System Architecture
Implementation
Evaluation Results
Limitations & Conclusions

41. Implementation
Implementing Ghostbuster use USRP(Software Defined Radios)
Tested 16 WiFi Cards & 4 USRP daughterboards as eavesdroppers.

42. Outline Motivation What is Ghostbuster Design Challenges
System Architecture
Implementation
Evaluation Results
Limitations & Conclusions

43. Experiment Results
SNR in dB versus Ghostbuster’s distance from a Wifi card eavesdropper with FFT window size of 1 sec.
SNR in dB versus Ghostbuster’s distance from a USRP eavesdropper with FFT window size of 10 ms

44. Impact of FFT window size
Hit rate for WiFi card and USRP eavesdroppers versus FFT window size when the eavesdropper is placed 1 m away from Ghostbuster
Hit rate for WiFi card and USRP eavesdroppers versus FFT window size when the eavesdropper is placed 5 m away from Ghostbuster

45. Confusion Matrix
Confusion matrix of classification probabilities obtained on experiments on USRP receivers in the range 1 m to 5 m.
Confusion matrix of classification probabilities obtained on experiments on WiFi cards

46. WiFi Cards placed in monitor mode
Leakage measured 1m away using 1 sec FFT Window
2.4 GHz 5 GHz 30 25 20 15 10 5
Peak SNR of Leakage in dB
AR93XX
AR9271
AR9485
BCM4360
BCM4352
BCM43526
BMC4329
BCM43xx
AR9170
Intel 5100
Intel 7260
Intel 3165
Intel 7265
Intel 8260
Intel 5300
Intel 4965 l
Broadcom
Intel
Qualcomm-Atheros
Chipsets cover range of hardware architectures & WiFi protocols: a/b/g/n/ac

47. WiFi Cards placed in monitor mode
Leakage measured 1m away using 1 sec FFT Window
2.4 GHz 5 GHz 30 25 20 15 10 5
Peak SNR of Leakage in dB
NOT SUPPORTED
NOT SUPPORTED
NOT SUPPORTED
BCM4360
BCM4352
BMC4329
BCM43xx
Intel 5100
Intel 7260
Intel 3165
Intel 7265
Intel 8260
Intel 4965
AR93XX
AR9170
AR9271
AR9485
BCM43526
Intel 5300 l
Broadcom
Intel
Qualcomm-Atheros
Chipsets cover range of hardware architectures & WiFi protocols: a/b/g/n/ac

48. Result Summary Ghostbuster can detect:
WiFi Card eavesdroppers up to 7 meters away.
USRP eavesdroppers up to 14 meters away.
Detection Accuracy & Range improves with:
Larger time windows. (10 ms < 100 ms < 1 sec)
More MIMO chains. (2 MIMO < 3 MIMO < 4 MIMO)
Ghostbuster can detect eavesdropper in the presence of transmissions & other receivers:
With 95% accuracy with 1 other receivers.
With 89.9% accuracy with 3 other receivers.

49. Outline Motivation What is Ghostbuster Design Challenges
System Architecture
Implementation
Evaluation Results
Limitations & Conclusions

50. Limitations & Conclusions
Ghostbuster can detect eavesdroppers in the presence of ongoing transmissions & other receivers without requiring any modifications to current transmitters and receivers.
A lot of future work:
What if number of legitimate RXs is not known?
Can we localize the eavesdropper?
Can we reduce computational complexity?
Opens the door for more practical applications:
Detecting Remote Explosives
More Efficient Carrier Sense
Synchronizing Clocks through Leakage