attacksonpublicwlan-basedpositioningsystems · 2015-01-16 ·...
TRANSCRIPT
Attacks on Public WLAN-based Positioning Systems
Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan CapkunDepartment of Computer Science, ETH Zurich
8092 Zurich, Switzerland
{tinils, kasperr, poepperc, capkuns}@inf.ethz.ch
ABSTRACT
In this work, we study the security of public WLAN-basedpositioning systems. Specifically, we investigate the Sky-hook positioning system, available on PCs and used on anumber of mobile platforms, including Apple’s iPod touchand iPhone. By implementing and analyzing several kindsof attacks, we demonstrate that this system is vulnerableto location spoofing and location database manipulation.In both, the attacker can arbitrarily change the result ofthe localization at the victim device, by either impersonat-ing remote infrastructure or by tampering with the servicedatabase. Our attacks can easily be replicated and we con-jecture that—without appropriate countermeasures—publicWLAN-based positioning should therefore be used with cau-tion in safety-critical contexts. We further discuss severalapproaches for securing WLAN-based positioning systems.
Categories and Subject Descriptors
C.2.1 [Computer-Communication Networks]: NetworkArchitecture and Design —Distributed networks, Wirelesscommunication; K.6.5 [Management of Computing andInformation Systems]: Security and Protection
General Terms
Security
Keywords
Public WLAN localization, Localization Attacks
1. INTRODUCTIONIn the last decade, researchers have proposed a number of
WLAN positioning techniques for (local area) wireless net-works [7,12,23,54]. The applications of these techniques arebroad and range from improving networking functions (i.e.,position-based routing) to enabling location-related applica-tions (e.g., access control and data harvesting).
WLAN positioning systems are now being commercializedand are being used as a substitution and/or complement to
Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.MobiSys’09, June 22–25, 2009, Kraków, Poland.Copyright 2009 ACM 978-1-60558-566-6/09/06 ...$5.00.
the Global Positioning System [19]. One such system is theWi-Fi positioning system (WPS) from Skyhook [6], availablefor PCs (as a plug-in) and on a number of mobile platforms,including the Apple iPod touch and iPhone [1] as well asNokia mobile phones based on Symbian [5]. The resultingposition can also be used by other services, such as the Cy-berAngel Security and Recovery System [2]. The SkyhookWPS relies on existing WLAN access points for localiza-tion of devices that have 802.11a/b/g wireless interfaces. InWPS, a mobile device collects information about all visibleWLAN access points in its vicinity, sends this informationto the Skyhook location database which replies with a po-sition estimate based on the aggregated information. Theposition estimate can then be directly used by a mappingapplication like Google maps or can be combined with othersources of location information, such as those from GSM sta-tions or GPS. Positioning systems by Mexens [31] and theFraunhofer institute [17] have a similar mode of operation.We call these systems public WLAN-based positioning sys-tems, since they rely on public WLAN access points whichare not under control of the service operator that providesthe positioning service.
In this work, we analyze the security of public WLAN-based positioning systems. Using the example of the Sky-hook WPS, we demonstrate that such positioning systemsare vulnerable to location-spoofing attacks: by jamming andreplaying localization signals, an attacker can convince a de-vice that it is at a position which is different from its actualphysical position. Public WLAN-based positioning systemsalso rely on large databases that contain information aboutthe position of the infrastructure. This information is oftengathered by using the data reported by the users—eithermanually or automated during the positioning process. Weshow that this basic principle makes the Skyhook WPS vul-nerable to database manipulation attacks, which can equallybe used for location spoofing. We further discuss possibleapproaches for securing public positioning systems and showtheir potential advantages and drawbacks, given the con-straints of the application scenarios in which they are used.
By performing these attacks, we demonstrate the limita-tions of Skyhook and similar positioning systems, in termsof the guarantees that they provide and the applicationsthat they can be used for. Given the relative simplicity ofthe attacks and the availability of the equipment used toperform the attacks, we conclude that, without appropriatemodifications, these positioning systems cannot be used insecurity- and safety-critical applications.
To the best of our knowledge, this work is the first that an-
alyzes the security of public WLAN positioning systems andthe first that demonstrates the implementation of location-spoofing attacks in WLAN networks. Equally, we are un-aware of any prior work that discusses location databasemanipulation attacks.
The structure of the paper is as follows. We give back-ground information on public WLAN-based positioning inSection 2. We describe location-spoofing attacks in Sec-tion 3 and database manipulation attacks in Section 4. Solu-tions for securing public WLAN-based positioning systemsare discussed in Section 5. In Section 6, we describe relatedwork and we conclude the paper in Section 7.
2. BACKGROUND:WLAN-BASED
POSITIONING SYSTEMSWLAN positioning systems include range-based systems,
which rely on RSS (Received Signal Strength) measurements,and range-free systems, which rely on the presence of local-ization beacons. Both types of systems make use of WLANaccess points (AP) as localization stations which typicallybroadcast service announcement beacons from fixed knownlocations. Based on the reception of these beacons, devicescompute their positions. In range-based systems [7,18,20,36,39], the localized node (LN) records the signals received fromaccess points, measures their RSS values, converts them intoranges, and estimates its own positions using the measuredranges. In range-free systems, the LN registers which APsare in its reception range and, based on this information,estimates its position. In most proposed WLAN-based posi-tioning systems, the APs are controlled by the authority thatoperates the system. Typically, range-free and range-basedWLAN positioning systems achieve a positioning accuracyin the order of meters, and if they rely on location finger-printing, they can achieve accuracy in the order of tens ofcentimeters [7,36,39].
Skyhook’s Wi-Fi Positioning System (WPS) is a metro-politan area public positioning system; it is a software-onlysystem and requires a LN solely to have a WLAN-capablecard and an Internet connection. Skyhook’s WPS differsfrom existing WLAN positioning systems in that it doesnot maintain its own AP infrastructure; instead, it relies onthe existing commercial, public, and private access points.In WPS, the operator (Skyhook) creates a location lookuptable (LLT), which contains data samples taken from differ-ent locations. To develop and extend its LLT, the operatoris sending vehicles with GPS and roof-mounted antennasthrough urban and suburban areas to scan the present APs.For each location, the Medium Access Control (MAC) ad-dresses of all visible access points are stored. This lookup ta-ble can then be queried by the software on the LN. Since ob-taining information about available access points in an areacan be a work-intensive process (that needs to be constantlyupdated due to the dynamics of the WLAN networks), WPSalso allows users to enter (on-line) locations and MAC ad-dresses of their access points and of access points that theyobserve in their vicinity. As we will discuss later, Skyhookalso leverages information obtained from location requeststo update its WLAN location database (LLT).
WPS localization can be divided into five phases, as shownin Figure 1. In phase 1, the LN scans all (802.11a/b/g)WLAN channels for access points by broadcasting a probe
1.
2.
3.
4.
Access Points
LN LLT
Figure 1: The Skyhook localization process. 1. TheLN broadcasts a probe request frame. 2. APs replywith a response beacon frame. 3. The LN queriesthe LLT server. 4. The server returns location dataabout the observed APs. 5. The LN computes itslocation.
request frame on all channels.1 In phase 2, the APs inrange reply to the LN with network announcement beaconframes containing, among other parameters, their MAC ad-dresses. After having detected these beacons and recordedtheir corresponding signal strengths, the LN sends the iden-tified MACs over an encrypted channel to the Skyhook LLT(phase 3); this step requires that the LN has an (internet)connection to the service provider. In phase 4, the servercompares the reported MACs to the data stored in the LLTand returns the locations of the access points to the LN,again in encrypted form. In phase 5, the LN computes itsposition based on the received access point location infor-mation using a non-disclosed algorithm2.
Note that by sending information about its neighboringaccess points to the WPS database, the LN also allows Sky-hook to update its database.
This description of WPS is based on our experiments. Ac-cording to the tests we performed, other factors such as thereceived signal strength of the individual AP beacons do notseem to influence the localization result.
3. LOCATION SPOOFINGIn this section, we analyze the security of the Skyhook
WPS and we show attacks on its positioning service. Wedemonstrate that the Skyhook WPS is vulnerable to attacksin which signal insertions, replays, and/or jamming allow anattacker to either prevent the localization or to convince adevice that it is at a position which is different from its ac-tual physical position (location spoofing). Our attacks arecomposed of two actions: (1) impersonation of access points(from one location to another) and (2) elimination of signalssent by legitimate access points. Since rogue access pointscan forge their MAC addresses and can transmit at arbi-trary power levels within their physical capabilities, accesspoint impersonation can be easily done in WPS (see Sec-tion 3.2). Equally, since WLAN signals are easy to jam (see
1In our experiments, we found that some devices performedactive scanning while others only collected beacons passively.If only passive scanning is used, phase 1 is redundant.2We were not able to find the description of the Skyhook’sposition computation algorithm in the open literature.
Figure 2: Equipment used in our experiment. TheiPod and iPhone devices in front are being located,the laptops are used to impersonate access points(APs), and the software radios on the left are usedto jam legitimate APs.
Section 3.3), signals from legitimate access points can beeliminated, thus enabling location spoofing.
In what follows we will demonstrate location-spoofing at-tacks in three scenarios: (i) the LN is not in the range oflegitimate APs (AP impersonation), (ii) the LN is in therange of legitimate APs and uses only WLAN-based local-ization (AP replacement) and (iii) the LN is in the range oflegitimate APs and uses a hybrid WLAN/GSM-based local-ization system. Further we will show that the same attackscan be performed on Skyhook’s Loki browser plug-in on astandard PC (see Section 3.4).
3.1 EquipmentIn our experiments, we used the following equipment. As
positioning devices, we used Apple’s iPhone and iPod touch[1] devices with the WPS-enabled Google maps applicationas well as a laptop with an installed Skyhook’s Loki browserplug-in [6]. The iPhone was a first generation, original modelwithout GPS support (OS version 1.1.4, model MB384LL,firmware 04.04.05 G), the iPod model was MA632ZD. Toperform the attacks, the attacker both needs devices thatimpersonate legitimate access points and devices that elimi-nate legitimate access point signals. For access point im-personation, we used two laptops running Ubuntu Linuxconfigured as wireless access points (using the Scapy packetmanipulation program, v. 1.2); the laptops were transmit-ting on channels which were not occupied by existing accesspoints, and they were configured such that they could mod-ify the MAC addresses of their Wi-Fi interfaces, their net-work names (SSID), and signal strengths. To eliminate sig-nals from legitimate access points we jammed these signalsusing a software radio platform (USRP Rev. 4.2 [15] withdaughterboards for the 2.4 GHz band (FLEX2400 2-6-2006),operated by Gnuradio 3.0). Our equipment is displayed inFigure 2.
3.2 AP ImpersonationFirst, we performed an attack which we call access point
impersonation attack. The idea of an AP impersonation at-tack is to report remote access points to the attacked device,which will then compute a location that is in the proximity
(a) (b)
Figure 3: Location-spoofing attack. (a) Location inNew York City (circle in the center) displayed byan iPod physically located in Europe (caused by anAP impersonation/replacement attack) (b) Physicallocation of the impersonated APs (indicated by thearrow and displayed using Google Earth [4]).
of the remote APs. This attack exploits the fact that WPSlocalization relies on MAC addresses for the identificationof APs. AP MAC addresses are public since they are con-tained in the network announcement beacons and can thusbe replayed.
To execute the AP impersonation attack, we used a Lap-top with a WLAN card, running a purpose-written programto impersonate APs. Our program waits for probe requestssent by the LN (iPhone or iPod) and replies to these requestswith custom-made beacon responses that correspond to thebeacon responses from the impersonated remote APs. Eachbeacon response ri contains a MACi address that equals theMAC address of the spoofed network i; the beacon also con-tains an SSIDi which is not necessarily equal to the one ofthe spoofed network. We note that network SSIDs are notused by the WPS to identify the APs, but they helped us todistinguish the impersonated from legitimate APs. All otherparameters in the beacon responses were set to their defaultvalues (e.g., signal strength was set to 17 dBm). This setupenabled us to impersonate an almost arbitrary number ofaccess points in the vicinity of the LN.
In our experiment, we chose to impersonate four geograph-ically mutually close access points located in New York City,and we set their SSIDs to: NY1, NY2, NY3, NY4. In orderto find the MAC addresses corresponding to these accesspoints, we used the WiGLE database [57], which providesinformation about worldwide wireless networks.
We first performed the experiment in an environment with-out WLAN coverage, i.e., no legitimate APs were visible tothe iPod at its physical location at the time of localization.By impersonating the APs as described, the localization pro-cess on the iPod returned a location in New York City, whilethe device was physically located in Europe; this is shownin Figure 3. The displayed location was close to the po-sition of the spoofed access points. We then successfullyperformed a more fine-grained spoofing attack and modifiedthe displayed location of an iPod such that it displayed aposition in the city center of our city, approx. 1 km from its
Figure 4: Location-spoofing attack. Location dis-played by the iPod in city downtown (marked by acircle) at about 1 km distance from the iPod’s ac-tual position (marked by a pin) at university cam-pus (caused by an AP impersonation/replacementattack).
actual position (at the university campus). This is shown onFigure 4. Beyond succeeding in performing the AP imper-sonation attack, we learned that at least some of the accesspoints that we impersonated are registered in the Skyhookdatabase (LLT).
We then performed the same attack in an area covered bypublic APs. We impersonated wireless networks with MACaddresses of access points that are contained in the Skyhookdatabase, but are located far (New York) from the actualphysical location of the device. As a result, the WPS algo-rithm failed since the LN (iPod) registered access points atlocations which are physically too far apart and was thusnot able to resolve its own position. Although, in this sce-nario, the location-spoofing attack failed, it unveiled a sim-ple denial-of-service (DoS) attack on WPS localization. Toperform this DoS attack, the attacker only needs to imper-sonate an AP which is contained in the Skyhook databaseand is located far from the actual physical location of thelocalized device.
In the following section, we show how to successfully spoofa location of a device even if it resides in an area covered bypublic (legitimate) APs.
3.3 AP ReplacementNowadays, most urban and suburban regions as well as
other popular areas are covered by a large number of legiti-mate APs and will—with increasing probability—be catego-rized by Skyhook. In order for the AP impersonation attackto succeed despite the presence of known APs, we need toeliminate the announcement beacons sent by the legitimateAPs and replace them with our impersonated AP beacons.We call this an AP replacement attack and consider it as amore comprehensive form of the AP impersonation attack.
The idea behind the AP replacement attack is shown inFigure 5. In this attack, we use standard wireless tools todetect the channels on which the legitimate APs are trans-mitting beacons and then launch a physical-layer jammingattack to disable the reception of those beacons on the iden-tified channels. The jamming is not noticed by the user
1.
2a.
X
X
X
2.
2b.
3.
4.
Access Points
LN LLT
Attacker
Figure 5: AP replacement attack. The beacons oflegitimate APs are jammed (2a) and the attackersends spoofed beacon responses to the LN (2b). TheLN processes the spoofed beacons instead (3), asthey pretend to be legitimate APs from a differentlocation. As a result, the LLT will return locationdata for the remote position (4).
because the simple user interface on the iPod does not pro-vide enough information to detect ongoing jamming. Si-multaneously, we insert signals from impersonated APs onnon-jammed channels.
In our attack setup, the legitimate access points weretransmitting on WLAN channels 6, 10, and 11 (up to 13channels are available in 802.11b/g). We used software-defined radios (USRPs [3], Figure 2) to emit uniform noiseon those channels, which blocked the communication be-tween legitimate APs and the iPod. By using physical-layerjamming, we had full control over the transmission powerand bandwidth of the jamming signals and could easily eludethe 802.11 protocol standard. We then announced the im-personated networks using channel 2. The localization re-sults on the iPhone resembled the ones of the AP imper-sonation attack in Section 3.2. Equally the AP replacementcaused the iPod to report an incorrect, attacker-chosen lo-cation (in New York or in city downtown, as shown in Fig-ures 3(a) and 4).
If an attacker targets devices that use passive networkscanning, a more stealthy attack can be performed by jam-ming according to the AP beacon schedules (this was how-ever not reasonable for our attacks on the iPhone due tothe active network scanning mode). Given sufficiently fasthardware, the attacker can also jam the beacons reactively(for passive and active network scanning); in this case thejamming device first senses for ongoing beacon transmissions(typically a beacon frame has a length of approx. 100 byte,taking about 10 to 100 µs) and then jams them in a targeted(or selective) way after their detection.
Instead of physical-layer jamming, an attacker could alsouse MAC layer jamming [58] or signal overshadowing, whichwould likewise eliminate the legitimate AP signals, but wouldstill allow the insertion of fake beacons even if all non-overlapping frequency ranges in 802.11b/g are used for le-gitimate beacon transmissions. Using MAC layer jamming,the attacker can prevent the APs from sending beacons bykeeping the channel busy all the time.
(a) (b)
Figure 6: Attack on iPhone WLAN/GSM localiza-tion. (a) Location displayed by the iPhone in thecity center (marked by a circle) at about 1 km dis-tance from the iPhone’s actual position (marked bya pin) at university campus (caused by an AP im-personation/replacement attack). (b) Location dis-played by the iPhone when spoofing failed. The at-tacker’s target location was in New York City, farfrom the location that the iPhone’s GSM localiza-tion computed (in Europe). The attack thus failedand the iPhone displayed the location computed us-ing GSM localization (marked by a circle).
3.4 Location Spoofing Attacks on HybridWLAN/GSM Localization Systems
The attacks described in Sections 3.2 and 3.3 were per-formed on an iPod touch device. Regarding localization,the iPhone differs from the iPod in the sense that it ap-plies a hybrid localization technique that combines WLANand GSM base station localization. On the iPhone, GSM-based localization provides a rough position estimate, whileWLAN localization provides the device with a fine-grainedposition estimate.
GSM, the second source of location information, can beused to detect displaced (impersonated) locations in theWPS process and enables the devices to fall back to GSM lo-calization. As our experiments showed, if the position thatthe device computes using WPS is too far away from theposition that it obtains using GSM information, the iPhonewill only display the position computed using GSM (i.e., itignores the WPS position). This is shown on Figure 6b.
However, since the GSM localization is significantly lessaccurate than WPS localization, using the attack describedin Section 3.3, we were still able to displace the iPhonewithin its GSM localization accuracy (in our test, within1 km distance). The result of this attack can be seen inFigure 6a; the figure shows the real physical location of thedevice (marked by a pin) and the location displayed by theiPhone (marked by a circle). This result is similar to theone obtained for iPod location spoofing (Figure 4).
In order to spoof the position of an iPhone to differentcities or countries, the attacker either needs to disable theGSM signal reception (e.g., using widely available GSM jam-mers) or spoof GSM base stations, which has been shown to
be feasible for GSM [33] and even for UMTS networks [32].Spoofing a GSM base station is more complex than imper-sonating a WLAN AP because it involves a functional pro-tocol interaction with the mobile device. Nevertheless, inGSM, base stations do not authenticate to the user and aretherefore inherently susceptible to impersonation attacks.Attacks using GSM base station spoofing or jamming werenot part of our experiments.
3.5 PC Location SpoofingWe further tested the same attacks on a Laptop with an
installation of Skyhook’s Loki browser plug-in [6]. This plug-in is installed into the browser like a toolbar and is able toprovide web sites with location information. We repeatedthe above described location-spoofing attack (AP imperson-ation and replacement) and the results we got on the Laptopwere identical to the ones reported by iPod touch.
Consequently, if users rely on Loki to provide their webapplications with location information, this can be misusedby the attacker and possibly lead to a wider system or datacompromise, since the attacker can fully control the locationthat Loki provides to the application.
One can further imagine a web service that provides in-formation to the user only if the user is at a given location.Given the described attacks, Loki cannot be used for loca-tion verification, since even the user could spoof his ownlocation to get access to the service (e.g., pretending to bein New York, while being in Europe). Loki results couldequally be modified in a number of other ways, includingthe manipulation of input that the plug-in gets from thenetworking interfaces.
4. LOCATION DATABASE
MANIPULATIONAP location/MAC data enters the Skyhook database in
one of three ways: (1) The database is extended and up-dated by vehicle-based signal scanning and data collectionperformed by the company, (2) new access points can beinserted manually online (by users and nonusers of the ser-vice), and (3) Skyhook incorporates data that was submittedby users in localization queries in order to improve the accu-racy of its reference database. As we show in what follows,Skyhook’s WPS database (LLT) is not resistant to targetedlocation database manipulation attacks, although Skyhooktries to counteract this threat by applying error-detectionand error-correction methods (surveying the age and con-sistency of data and executing periodic rescans of outdatedareas [6]).
In database manipulation attacks, the attacker tries to ac-tively interfere with the database underlying the localizationprocess by inserting wrong data and/or by modifying exist-ing entries, e.g., by changing the recorded positions of ac-cess points to remote positions. Consequently, the attackermay not only change the result of an individual localization,but influence many localizations that all use the commondatabase (in this case, the LLT).
4.1 Injection of False DataHere we show how we successfully inserted false location
information for an access point into the Skyhook LLT. Dur-ing the location-spoofing experiments described in Section 3,access point APk was used to provide internet access over
Figure 7: Data corruption in the LLT (using Loki).The lower (black) arrow displays the original loca-tion D of APk in the LLT. The upper (green) arrowshows the new location U , after impersonating anaccess point with APk’s MAC.
WLAN to the iPod in order to enable the communicationbetween the iPod and Skyhook’s database. The MAC ofAPk was, before the experiments, unknown to Skyhook.
When we spoofed the location of the iPod (located atthe university campus at location U), the iPod reported toSkyhook not only the impersonated APs (from location Dat city downtown), but also the MAC of the APk (locatedat U) that it used for its internet connection. As a conse-quence, the MAC address of APk got added by WPS to theLLT with location D although being physically located ap-prox. 1 km away (at U). Subsequent tests in which the iPodwas connected only to APk showed that the iPod displayeda location at D, confirming that, in the LLT database, APk
had a position in the city downtown.This attack is a direct consequence of Skyhook’s WPS
mode of operation, in which the LLT database is not beingupdated only by company employees and on-line users, butalso through the localization requests that users send whenthey want to determine their positions.
4.2 Corruption of Existing DataA more severe form of the data manipulation attack is the
virtual relocation of access points that have already beencategorized in the database. To demonstrate this, we usedthe access point APk that was previously injected at thelocation in city downtown (position D). To change the lo-cation of APk in LLT, we set up a second access point us-ing APk’s MAC at our university campus (position U) andkept it active over a longer time (several days). All localiza-tions executed by users in this area were now also submittingAPk’s MAC when localizing themselves—however this timefor the new position U . As a consequence, Skyhook startedto resolve the old location of APk to the new position U ,assuming that the majority of the reported MAC addressesdefine the correct location. Consequently, the access pointAPk was moved in the LLT database from location D to itsnew position U , as shown in Figure 7. As before, we verifiedthis result by localizing a device using only APk.
Because this database manipulation attack is conducted
Figure 8: Reverse AP location lookup in the LLT.Using a spoofed access point and modifying its MACaddress resulted in a localization in Quebec, Canada,though being physically located in Europe.
involuntarily by all users using the WPS service in range ofAPk, this attack is hard to detect by the service provider(Skyhook). Although we acknowledge that this manipula-tion attack only succeeds in settings where the localizationservice is triggered (much) more often at the new locationthan at the old one, this attack represents a powerful threatto the correctness of the LLT database and may affect theresults of the localization service for many users and at manylocations.
4.3 Reverse Location LookupsUsing our attack equipment from Section 3, we were able
to find the exact positions of APs recorded in the LLT withknown MAC addresses but unknown positions. Althoughthis does not manipulate the database contents, it still rep-resents an undesired function of WPS revealing (confiden-tial) positions of access points; here we assume that Skyhookwants to maintain the confidentiality of the AP MAC-AP lo-cation bindings.
We performed a reverse AP location lookup by changingthe MAC address (switching two bits) of one of the spoofedaccess points in the downtown area which we used in theprior attacks. The position resulting from an iPod localiza-tion using this access point was Quebec, Canada, as shown inFigure 8. Since manufacturers often assign MAC addresseslinearly to their products, this also allows us, e.g., to look upthe locations of access points from one production charge.
4.4 ConclusionFrom the above analysis and attacks we conclude that
WLAN localization systems that use the data originatingfrom clients to update their database (LLT)—either explic-itly by manual insertions or implicitly during the localizationprocess—are susceptible to database manipulation attacks.Both attacks can be easily performed by the attacker, withthe additional advantage that, in the latter case, the up-date requests are actually reported by legitimate, honestusers. In Section 5, we will outline mechanisms that protectpublic (cooperative) WLAN localization systems from suchdatabase manipulations and/or that mitigate the attacks.
5. SECURING PUBLIC WLAN-BASED
LOCALIZATIONIn this section, we discuss solutions to protect the LN
against location-spoofing attacks. Our design space includessolutions that are based on client, transmission, and service-provider mechanisms. The first countermeasure we presentis based on client-side integrity checks. We then discuss se-cure data acquisition techniques; achieving authenticationfor the received signals is technically challenging. Finally,we propose techniques for thwarting database manipula-tion attacks by detecting and eliminating false data in thedatabase.
5.1 Client-Based Integrity ChecksOne approach to detect attacks is based on location his-
tory recordings on the LN. For each localization request bythe user, the current position is computed as in the originalWPS system. To detect displacement attacks, the result-ing position is then compared to the latest stored positionin the history record. This allows the detection of attacksthat try to displace the LN over a distance that the LN isunlikely to cover within the given time. If the new locationwould require a speed exceeding a maximal average speed,an attack can be suspected. Additionally, a trace of multi-ple past locations can be examined to prevent the attackerfrom starting the attack before the real measurements aretaken. Unfortunately, due to greatly varying speed of travelin typical urban areas (e.g., public transportation systems),the tolerated maximum average speed will have to be high.Therefore, the attacker can still displace the LN within alarge area in such scenarios.
Using location history records does not require any hard-ware or software modifications in the APs or in the (Sky-hook) WLAN-positioning system but can be implementedon the LN. However, in order to cover a wide range ofattacks, automatically triggered (background) localizationwould be required so that the latest recordings are still re-cent enough.
5.2 Secure Data AcquisitionThe first observation we make regarding secure data acqui-
sition is that the localization beacons of WLAN access pointscan be easily forged and replayed. Traditional authentica-tion mechanisms would not help much here because theywould require software modifications at the access points,which are not under the control of the service provider (e.g.,Skyhook). Furthermore, even if appropriate modificationswould be made to the access points and AP beacons wouldbe properly authenticated, public WLAN based localizationsystems would still be vulnerable to jamming and wormhole-based [24] signal relay attacks [28, 51]. To prevent relay(wormhole) attacks, the access points and the localized nodes(LNs) would therefore need to mutually authenticate theircommunication and would either need to be tightly timesynchronized, or use challenge-response protocols with ac-curate (i.e., ns) time measurements [8]; both would requiresignificant hardware and software modifications to both theaccess points and the LNs.
Given that such modifications of access points and LNsare not feasible in public WLAN positioning systems, au-thentication of access point beacons needs to be done in amanner that does not require any pre-shared cryptographicmaterial between the APs and the LNs. For this, we pro-
pose to use unique AP characteristics such as their traffic orsignal fingerprints. These fingerprints should be difficult toforge and easy to measure (by the LNs); if they are not, APscould be impersonated in the same manner as in the WPSsystem that uses (easily forgeable) MACs as device identi-fiers. Equally, traffic and signal fingerprints of APs needto be chosen such that they are unique or mutually distin-guishable with high probability. Since access points do notcooperate in fingerprint extraction with the LNs or with thesystem provider, the fingerprints also need to be easily mea-surable by the provider to build the LLT database and bythe LN for AP identification.
Assuming that such AP fingerprints can be measured bythe LNs, our fingerprint-enhanced WPS would then workin the following manner. The service provider measures thefingerprint data of the APs using appropriate software andhardware, and stores it in the LLT along with the MAC ad-dresses and RSS values for each access point; as a side effect,manual user input, which represents a source of false infor-mation, would be precluded and reverse location lookupscould be prevented. During the localization, the fingerprint-enhanced LNs measure the fingerprint data from the sur-rounding APs and report this data along with the MACaddresses and signal strengths to the service provider that,in turn, compares it to the data in the LLT. Based on aprobabilistic analysis, the service provider returns the loca-tion information which is then used by the LN to computeits position. If the analysis fails, i.e., if the fingerprint datadoes not correspond to the stored data up to a pre-defineddegree, possibly indicating an attack, no location informa-tion is returned. Alternatively the most likely position couldbe returned along with a warning that the location could notbe verified. This could then be presented to the user, e.g.,as a red circle instead of a blue marking the found location.
Recently, a number of results have emerged that show howunique characteristics of WLAN access points and of otherwireless devices can be measured. One way of identifyingaccess points is by collecting data specific to their configu-ration or model. The feasibility of this approach was dis-cussed in [9]. This approach does neither require hardwaremodification of the LN device nor changes on the scannedaccess points but instead relies on characteristic behavior ofdifferent AP models on malformed 802.11 frames. Althoughthis does not completely prevent location-spoofing attacks,it makes them more difficult since the attacker has to ex-tract AP device specific data in order to compose adequatelyforged response frames. This would require his prior physicalpresence at the access point whose location is to be spoofed.In [25], the authors use intra-device clock skews to differen-tiate individual devices on the internet. In [10, 13, 41, 48],the respective authors discuss signal fingerprints based onphysical characteristics of individual device radios. While[41] and [13] focus on the fingerprinting of CC2420 andChipcon 1000 (433MHz) wireless sensor motes, [48] and [10]demonstrate the successful fingerprinting of 802.11b WLANnetwork interface cards. Different distinction features maybe extracted: e.g., unique transient characteristics [48] orunique timing behavior in the modulation (frequency mag-nitude, phase errors, I/Q origin offset, etc.) [10].
The process of collecting these fingerprints requires spe-cialized hardware which would have to be added to the LNdevices. Signal fingerprints would prevent attacks by attack-ers using off-the-shelf hardware, but they would not prevent
a sophisticated attack by an attacker that samples and re-plays the signals on the physical layer. Spoofing fingerprintsbased on physical characteristics of the transmitted signalrequires a high frequency sampling oscilloscope with a sam-pling rate at least as high as the fingerprinting hardwarein the LNs. In addition, an attacker would need an ar-bitrary waveform generator capable of reconstructing thesampled signal without adding any distortion or noise. Thisis very hard because the oscilloscope, waveform generator,and controlling computer all have finite dynamic ranges,i.e., they can only represent the captured signal in steps.These hardware requirements make signal fingerprints muchharder to forge than behavioral fingerprints. The usabil-ity of the fingerprint-enhanced WPS stimulates further re-search on identifying non-forgeable and easily measurableAP fingerprints, in particular regarding fingerprinting sta-bility with respect to mobility of the capturing device andto environmental effects such as multipath propagation andinterference.
Another technique for detecting and preventing locationspoofing in WPS is by geo-locating the IP address of the APthat is used to query the location database. Although thisinformation is relatively coarse and can be spoofed using IPtunneling, it can be used to make simple location spoofingattacks at larger distances (e.g., to different countries) moredifficult.
5.3 Mitigating Database PoisoningWe now discuss techniques for the mitigation of database
poisoning and their implications on the system behavior.The risk of database poisoning based on user-supplied data(Section 4) can be mitigated in several ways. We distinguishtemporal rules and update rules.
Temporal rules for system updates determine the reactiontime of the LLT towards new or changed data. A systemwhich updates its LLT immediately with new user data willbe closest to mapping the real situation, but it also enablesan attacker to more easily influence localization results ina targeted manner. In contrast, a system which only in-troduces a new AP once and will never update the respec-tive location will be most secure against database attacks,but cannot reflect real-world changes. User-based databaseupdates may follow different temporal rules based on theirrespective confidence levels. In other words, the more likelythe correctness of a database update is, the quicker it shouldbe represented in the database. Nevertheless, there remainsa trade-off between database freshness and resistance againstattacks.
Database update rules determine if a newly reported APenters the LLT and/or if the information stored for it ismodified (e.g., a new location is assigned); update rules mayincorporate information from multiple users or nearby APs.New entries as reported by one or multiple users (eitherautomatically during the localization or by manual inser-tion) may contradict existing entries—in such a case updaterules are required that determine how the system reacts tothem. We define a contradicting location report as a reportthat claims a location x for an access point APi while theactive location y stored for APi in the database is furtheraway from x than the transmission range allows. Withoutattackers and without AP repositioning, contradicting re-ports would never occur; instead, the reported APs wouldeither confirm the data in the LLT or could be used for new
Figure 9: Intersection of transmission ranges forthree access points. Each access point APi is asso-ciated with a confidence value Ci between zero andone. We propose to return a confidence indicationtogether with the localized region. A darker colorindicates a more precise location estimate but withlower confidence. In our example, the probabilitythat the LN is located outside of the entire regionis
Q
i(1 − Ci) = 2.5% (assuming the confidence values
are independent).
LLT entries. However, given the possibility of legitimateAP repositioning, the LLT should remain consistent in thepresence of attackers. As a solution, we propose to store con-fidence values together with the location data in the LLT; ifa location x has the highest confidence value for APi thenlocation x is active. An AP is relocated in the database if theconfidence in location y exceeds the confidence for any otherlocation; then y becomes active. The confidence values areupdated based on majority updates and consistency checks;the former (Maj ) incorporates majority user reports, thelatter (Con) incorporates consistency with the neighboringAPs. More precisely, typical database update rules include:
• New : Locations of APs collected by the service providerenter the database with the maximum confidence value,user-reported APs with the minimum confidence value.
• Maj : If, over a period of time (hours to few days), moreuser reports on access point APi occur for location ythan for the currently active location x and, at thesame time, the number of reports for x significantlydrop, the confidence in y increases and the confidencein x decreases (majority update rule).
• Con: The confidence in a position y of access pointAPi increases if the frequency of localization and thelocalization pattern for APi are comparable to those ofphysically close APs with maximum confidence value,i.e., the reported environment close to y matches thesystem model in the database (consistency check rule).
This approach leads to consistent data in the LLT butdoes not entirely rule out database attacks (e.g., if an at-tacker physically moves an AP or if (sets of) isolated APsare relocated). Therefore, we propose that the confidencevalues should be part of the localization result (for all LLTswith user-supplied data).
In Figure 9, we give an example of the data returned tothe client. This data could consist of the location of each ob-served access point along with confidence values. This will
enable the client to make a probabilistic map of the area andpresent it to the user, using an aggregation function of itschoice. The example in Figure 9 uses a product-based ag-gregation function. The three observed access points haveconfidence values C1 = 0.8, C2 = 0.5, and C3 = 0.75 re-spectively. That means that if the client chooses to onlyrely on the information from one AP, say AP1, it can doso with a confidence of 80%. If the client requires a moreprecise location it will have to rely on more access points.Each access point has a confidence level for the correctnessof its location in the LLT (i.e., that it was neither spoofednor moved by the attacker), so the more access points theclient utilizes the more precise its location estimate can be(e.g., within the center region) but the less confident it canbe that the result is correct (30% in the example). We notethat, in general settings and despite the countermeasuresdescribed above, the transmission ranges of the sensed APsmay not necessarily be overlapping and the same AP mighthave multiple location entries in the LLT (if attacks are tak-ing place). Hence, the locations of the sensed AP’s may beremote or even ambiguous. The best the LN can do is toprovide this conflicting information to the user in form ofgraphically (non-overlapping) localization regions includingthe varying confidence levels of the entries in the LLT.
During our experiments, we observed that APs are oftenabundant in urban environments. In addition, both com-mercial and private AP will typically rarely change their po-sitions. Both assumptions suggest that the service providercan choose more stringent temporal rules without impact-ing the performance too much. Indeed, we argue that evenif the provider chooses to never relocate an AP, the perfor-mance of the system in terms of localization precision willonly be affected marginally. This would prevent databasepoisoning attacks on existing records. Nevertheless, an at-tacker could mount a denial of service (DoS)-like attack byregistering MAC addresses of APs at arbitrary locations be-fore they are detected by the service provider or reportedby other users. But since it is rather hard for an attackerto predict the MAC address of a specific AP, this will notallow targeted DoS attacks.
6. RELATED WORKIn the last decade, a number of outdoor localization sys-
tems for mobile devices were proposed and implemented,based on satellite communication (GPS [19]), cellular net-works (GSM), Wi-Fi networks or specialized platforms [7,12, 16, 23, 40, 54, 55]. These techniques differ in terms of ac-curacy, reliability, and hardware requirement. Positioningtechniques were also extended and used for positioning inwireless ad-hoc networks [11,14,34,35,44,50].
Later security analysis has shown many of these systemsor underlying technologies to be vulnerable to attacks [32,33,37,38,56]. Proposals followed that aim at securing GPS [26].Furthermore, several proposals have been made to improvethe security in WLAN-based localization. However, thesesolutions require the cooperation of the APs [37–39,46].
To secure systems not based on WLAN, several secureranging and secure localization systems were proposed inthe open literature. The first secure ranging protocol wasdescribed in [8]; this protocol was later applied to a wire-less scenario and extended to provide mutual authentica-tion in [49]. To allow more resource constrained devices toperform secure ranging in noisy environments, Hancke and
Kuhn proposed an alternative protocol in [21]. This paperalso discussed possible implementations of secure rangingin hardware. An authenticated ranging protocol for wirelessdevices was proposed in [53]. Attacks on possible implemen-tations of secure ranging protocols were discussed in [22].
A system for secure localization was proposed in [43],based on ultrasonic and radio wireless communications; thissystem is limited by the use of ultrasonic signals, which re-quires that no attackers are present in the area of interestas demonstrated in [45]. Kuhn [26] proposes an asymmetricsecurity mechanism for navigation signals, based on hiddenmessage spreading codes. Capkun and Hubaux [51,52] pro-pose a secure localization technique called verifiable multi-lateration, based on secure ranging, which further enablesa local infrastructure to verify positions of the localized de-vices. Authenticated ranging and secure localization (ver-ifiable multilateration) were implemented in [47]. In [53],Capkun et al. propose a location verification scheme basedon hidden and mobile base stations.
Lazos et al. [27] propose a technique for secure positioningof a network of sensors based on directional antennas. Lazoset al. [28] propose an extension of this technique that copeswith jamming and replays of localization signals. In [42], theauthors propose and implement a system for broadcast local-ization and time-synchronization, based on navigation signalencoding, that prevents signal replay and time-shift attacks.Li et al. [29] and Liu et al. [30] propose statistical methodsfor securing localization in wireless sensor networks.
To the best of our knowledge, this work is the first that an-alyzes the security of public WLAN positioning systems andthe first that demonstrates the implementation of location-spoofing attacks in WLAN networks. Equally, we are un-aware of any prior work that discusses location databasemanipulation attacks.
7. CONCLUSIONIn this work, we studied the security of public WLAN-
based positioning systems. Specifically, we investigated theSkyhook positioning system [6], available for PCs and usedon a number of mobile platforms, including Apple’s iPodtouch and iPhone. We demonstrated that this system is vul-nerable to location spoofing and location database manipu-lation attacks. By demonstrating these attacks, we showedthe limitations of Skyhook and similar public WLAN-basedpositioning systems, in terms of the guarantees that theyprovide and the applications that they can be used for.Given the relative simplicity of the described attacks, weconclude that, without appropriate modifications, these po-sitioning system cannot be used in security- and safety-critical applications. We further discussed approaches forsecuring public WLAN positioning systems based on client-side integrity checks, secure data acquisition, and the mit-igation of database poisoning. We call for more researchon the development of usable and secure public position-ing solutions, based on, e.g., access point signal fingerprintsand/or calibration of location databases.
8. ACKNOWLEDGMENTSThe work presented in this paper was in part supported by
the Swiss National Science Foundation under Grant 200021-116444 as well as by the Zurich Information Security Center.
9. REFERENCES[1] Apple Inc. http://www.apple.com.
[2] Cyberangel security and recovery system.http://www.skyhookwireless.com/press/skyhookcyberangel.php.
[3] GNU Radio: The gnu software radio.http://gnuradio.org/trac.
[4] Google earth. http://earth.google.com.
[5] Loki Mobile applet for Nokia phones using Symbian.http://loki.com/download/mobile.
[6] Skyhook, Inc. http://www.skyhookwireless.com.
[7] P. Bahl and V. N. Padmanabhan. RADAR: AnIn-Building RF-Based User Location and TrackingSystem. In Proceedings of the IEEE Conference onComputer Communications (InfoCom), volume 2,2000.
[8] S. Brands and D. Chaum. Distance-boundingprotocols. In Workshop on the Theory and Applicationof Cryptographic Techniques (EUROCRYPT).Springer, 1994.
[9] S. Bratus, C. Cornelius, D. Kotz, and D. Peebles.Active behavioral fingerprinting of wireless devices. InProceedings of the ACM Conference on WirelessNetwork Security (WiSec), 2008.
[10] V. Brik, S. Banerjee, M. Gruteser, and S. Oh. Wirelessdevice identification with radiometric signatures. InProceedings of the ACM/IEEE InternationalConference on Mobile Computing and Networking(MobiCom), 2008.
[11] N. Bulusu, J. Heidemann, and D. Estrin. GPS-less lowcost outdoor localization for very small devices. IEEEPersonal Communications Magazine, 7(5), October2000.
[12] P. Castro, P. Chiu, T. Kremenek, and R. Muntz. AProbabilistic Room Location Service for WirelessNetworked Environments. In Proceedings of theInternational Conference on Ubiquitous Computing(Ubicomp), volume 2201, 2001.
[13] B. Danev and S. Capkun. Transient-basedidentification of wireless sensor nodes. In Proceedingsof the ACM/IEEE International Conference onInformation Processing in Sensor Networks (IPSN),2009.
[14] L. Doherty, K. Pister, and L. El Ghaoui. Convexposition estimation in wireless sensor networks. InProceedings of the IEEE Conference on ComputerCommunications (InfoCom), April 2001.
[15] Ettus. Universal software radio peripheral (USRP).http://www.ettus.com.
[16] R. J. Fontana, E. Richley, and J. Barney.Commercialization of an ultra wideband precisionasset location system. IEEE Conference on UltraWideband Systems and Technologies, 2003.
[17] Fraunhofer IIS. Autonomous WLAN positioningsystem. press release.http://www.fraunhofer.de/EN/press/pi/2008/01/Presseinformation14012008.jsp, 2008.
[18] S. Ganu, A. Krishnakumar, and P. Krishnan.Infrastructure-based location estimation in WLANnetworks. In Proceedings of the IEEE WirelessCommunications and Networking Conference(WCNC), March 2004.
[19] I. Getting. The Global Positioning System. IEEESpectrum, December 1993.
[20] Y. Gwon, R. Jain, and T. Kawahara. Robust indoorlocation estimation of stationary and mobile users. InProceedings of the IEEE Conference on ComputerCommunications (InfoCom), March 2004.
[21] G. Hancke and M. Kuhn. An RFID DistanceBounding Protocol. In Proceedings of the InternationalConference on Security and Privacy for EmergingAreas in Communications Networks (SecureComm).IEEE Computer Society, 2005.
[22] G. Hancke and M. Kuhn. Attacks on ‘Time-of-Flight’Distance Bounding Channels. In Proceedings of theACM Conference on Wireless Network Security(WiSec). ACM, 2008.
[23] J. Hightower, G. Boriello, and R. Want. SpotON: Anindoor 3D location sensing technology based on RFsignal strength. Technical Report 2000-02-02,University of Washington, 2000.
[24] Y.-C. Hu, A. Perrig, and D. B. Johnson. PacketLeashes: A Defense against Wormhole Attacks inWireless Networks. In Proceedings of the IEEEConference on Computer Communications (InfoCom),San Francisco, USA, April 2003.
[25] T. Kohno, A. Broido, and K. C. Claffy. Remotephysical device fingerprinting. In Proceedings of theIEEE Symposium on Security and Privacy, 2005.
[26] M. Kuhn. An asymmetric security mechanism fornavigation signals. In Proceedings of the InformationHiding Workshop, 2004.
[27] L. Lazos and R. Poovendran. SeRLoc: securerange-independent localization for wireless sensornetworks. In Proceedings of the ACM Workshop onWireless Security (WiSe), 2004.
[28] L. Lazos, R. Poovendran, and S. Capkun. ROPE:robust position estimation in wireless sensor networks.In Proceedings of the symposium on Informationprocessing in sensor networks (IPSN). IEEE Press,2005.
[29] Z. Li, W. Trappe, Y. Zhang, and B. Nath. RobustStatistical Methods for Securing Wireless Localizationin Sensor Networks. In Proceedings of the symposiumon Information processing in sensor networks (IPSN),2005.
[30] D. Liu, P. Ning, and W. Du. Attack-ResistantLocation Estimation in Sensor Networks. InProceedings of the symposium on Informationprocessing in sensor networks (IPSN), 2005.
[31] Mexens LLC. Navizon virtual GPS service.http://www.navizon.com.
[32] U. Meyer and S. Wetzel. A man-in-the-middle attackon UMTS. In Proceedings of the ACM Workshop onWireless Security (WiSe), 2004.
[33] C. Mitchell. The security of the GSM air interfaceprotocol. Technical report, RHUL-MA-2001-3, RoyalHolloway University of London, 2001.
[34] D. Moore, J. Leonard, D. Rus, and S. Teller. Robustdistributed network localization with noisy rangemeasurements. In Proceedings of the ACM Conferenceon Networked Sensor Systems (SenSys), 2004.
[35] D. Niculescu and B. Nath. Ad hoc positioning system(APS) using AoA. In Proceedings of the IEEE
Conference on Computer Communications (InfoCom),San Francisco, USA, April 2003.
[36] S. Pandey and P. Agrawal. A survey on localizationtechniques for wireless networks. Journal of theChinese Institute of Engineers, 29(7), 2006.
[37] S. Pandey, F. Anjum, and P. Agrawal.TRaVarSeL–Transmission Range Variation basedSecure Localization, pages 215–236. 2007.
[38] S. Pandey, F. Anjum, B. Kim, and P. Agrawal. Alow-cost robust localization scheme for WLAN. InProceedings of the International Workshop on WirelessInternet, New York, NY, USA, 2006. ACM.
[39] S. Pandey, B. Kim, F. Anjum, and P. Agrawal. Clientassisted location data acquisition scheme for secureenterprise wireless networks. IEEE WirelessCommunications and Networking Conference(WCNC), 2, March 2005.
[40] N. B. Priyantha, A. Chakraborty, andH. Balakrishnan. The Cricket location-support system.In Proceedings of the ACM/IEEE InternationalConference on Mobile Computing and Networking(MobiCom), 2000.
[41] K. B. Rasmussen and S. Capkun. Implications of radiofingerprinting on the security of sensor networks. InProceedings of the International Conference onSecurity and Privacy for Emerging Areas inCommunications Networks (SecureComm), 2007.
[42] K. B. Rasmussen, S. Capkun, and M. Cagalj. SecNav:secure broadcast localization and time synchronizationin wireless networks. In Proceedings of the ACM/IEEEInternational Conference on Mobile Computing andNetworking (MobiCom), 2007.
[43] N. Sastry, U. Shankar, and D. Wagner. Secureverification of location claims. In Proceedings of theACM Workshop on Wireless Security (WiSe), 2003.
[44] A. Savvides, C.-C. Han, and M. B. Strivastava.Dynamic fine-grained localization in Ad-Hoc networksof sensors. In Proceedings of the ACM/IEEEInternational Conference on Mobile Computing andNetworking (MobiCom), 2001.
[45] S. Sedihpour, S. Capkun, S. Ganeriwal, andM. Srivastava. Implementation of Attacks onUltrasonic Ranging Systems.Demo at the ACMConference on Networked Sensor Systems (SenSys),2005.
[46] P. Tao, A. Rudys, A. M. Ladd, and D. S. Wallach.Wireless LAN location-sensing for securityapplications. In Proceedings of the ACM Workshop onWireless Security (WiSe), 2003.
[47] N. O. Tippenhauer and S. Capkun. UWB-basedSecure Ranging and Localization. Technical Report586, ETH Zurich, January 2008.
[48] O. Ureten and N. Serinken. Wireless security throughRF fingerprinting. Canadian Journal of Electrical andComputer Engineering, 32, 2007.
[49] S. Capkun, L. Buttyan, and J.-P. Hubaux. Sector:Secure tracking of node encounters in multi-hopwireless networks. In Proceedings of the ACMWorkshop on Security of Ad Hoc and Sensor Networks(SASN), October 2003.
[50] S. Capkun, M. Hamdi, and J.-P. Hubaux. GPS-freePositioning in Mobile Ad-Hoc Networks. ClusterComputing, 5(2), April 2002.
[51] S. Capkun and J.-P. Hubaux. Secure positioning ofwireless devices with application to sensor networks.In Proceedings of the IEEE Conference on ComputerCommunications (InfoCom), volume 3, 2005.
[52] S. Capkun and J.-P. Hubaux. Secure positioning inwireless networks. IEEE Journal on Selected Areas inCommunications, 24(2), February 2006.
[53] S. Capkun, M. Cagalj, and M. Srivastava. Securelocalization with hidden and mobile base stations. InProceedings of the IEEE Conference on ComputerCommunications (InfoCom), April 2006.
[54] R. Want, A. Hopper, V. Falcao, and J. Gibbons. TheActive Badge Location system. ACM Transactions onInformation Systems, 10(1), 1992.
[55] A. Ward, A. Jones, and A. Hopper. A New LocationTechnique for the Active Office. IEEE PersonalCommunications, 4(5), October 1997.
[56] J. S. Warner and R. G. Johnston. Think GPS CargoTracking = High Security? Think Again. Technicalreport, Los Alamos National Laboratory, 2003.
[57] WiGLE. Wireless Geographic Logging Engine.http://wigle.net/.
[58] W. Xu, W. Trappe, Y. Zhang, and T. Wood. Thefeasibility of launching and detecting jamming attacksin wireless networks. In Proceedings of the ACMInternational Symposium on Mobile Ad HocNetworking and Computing (MobiHoc), 2005.