On Physical-Layer Identification of Wireless Devices
BORIS DANEV, DAVIDE ZANETTI, and SRDJAN CAPKUN, 2012
Presented by: Vinit Patel, Wichita State University
Outline of the Paper
• Introduction on Physical-layer device identification
• Physical-Layer Device Identification system and its components
• Physical-Layer Identification techniques and approaches
• Attacks within Physical-Layer Identification
• Implication and examples
• Conclusion
Introduction
• Physical-Layer Identification: a technique that allows wireless devices to be identified by unique characteristics of their analog (radio) circuitry (fingerprinting).
  – This is possible because of imperfections in the analog circuitry that are introduced in the manufacturing process.
Introduction
• Different purposes of PLI (Physical-Layer Identification)
  – Intrusion detection
  – Access control
  – Wormhole detection
  – Cloning detection
  – Location and anonymity privacy
  – Also for RFID (as we saw in Tuesday’s class)
Physical-Layer Device Identification system and its components
• Involves three entities
Physical-Layer Device Identification system and its components
• Two modules for a PLI
  – Enrollment: Signals are captured from the device and fingerprints of the device are stored in a database
  – Identification: Fingerprints that are obtained are matched with the fingerprints in the DB that were stored during enrollment
    • Can identify a device
    • Can identify from among many devices
    • Can verify that a device matches a claimed identity
Device under Identification
• Any device that uses radio communication can be subject to PLI
– Different classes of device that can be identified by PLI: VHF (very high frequency) transmitters, HF RFID, UHF (ultra high frequency) RFID, Bluetooth, and IEEE 802.11 and IEEE 802.15.4 transceivers
– What makes the device unique? Imperfections in design and manufacturing. [Toonstra and Kinser 1995, 1996]
Identification Signals
• Identification signals: signals that are collected for the purpose of identifying the device
• Different signal characteristics are observed here, such as amplitude, frequency, and phase
Acquisition Setup
• Responsible for the acquisition and digitalization of the identification signals.
  – Should never influence the signal (e.g. by adding noise)
  – The signal should be preserved and keep the same characteristics the PLI relies on
  – High quality may be necessary
Acquisition Setup
• Two types of identification:
  • Passive: Acquires the signals without interacting with the device.
  • Active: Acquires the signals after challenging the device to transmit them.
Feature Extraction Module
• Responsible for extracting characteristics from the signals that can then be used to distinguish devices or classes of devices
• Two types of features involved:
  – Predefined features: well-understood characteristics that are known in advance, prior to recording of the signals
  – Inferred features: features that are not known from a predefined feature set.
    • Can be used for dimensionality reduction
    • Take out redundant information from the sample and use the result as a feature that contains only relevant information
Device Fingerprints
• Fingerprints are a SET of features that are used to identify devices.
• Properties of fingerprints:
  – Universality: Every device should have the considered features
  – Uniqueness: No two devices should have the same fingerprint
  – Permanence: Fingerprints obtained should not change over time
  – Collectability: It should be possible to capture the signals with existing equipment
  – Robustness: Fingerprints should be able to be evaluated even with other interfering radio signals
  – Data dependency: Fingerprints need to be obtained from features extracted from a specific signal pattern
Fingerprint matcher and Database
• Compares extracted device fingerprints with the fingerprints that are stored in the DB during the enrollment phase of the device
• Matcher is implemented by distance measures such as:
  – Euclidean
  – Mahalanobis distances
  – Probabilistic Neural Networks (PNN) (complex)
  – Support vector machines (SVM) (complex)
System Performance and Design Issues
• System performance expressed in error rates
  – FAR (false accept rate)
  – FRR (false reject rate)
  – EER (equal error rate)
    • When FAR and FRR are equal
    • Most commonly used metric
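The enrollment and identification modules, the distance-based matcher and the FAR/FRR/EER metrics above, put together as an added example (not code from the paper or the presentation). It uses the Euclidean distance from the matcher list; the two-feature fingerprints, device names and probes are constructed for illustration, and all function names are chosen here.

```python
import math

# Constructed enrollment captures: four 2-feature fingerprints per device
# (illustrative values, not measurements).
ENROLLMENT = {
    "dev_a": [(1.0, 1.0), (1.5, 0.5), (0.5, 1.5), (1.0, 1.0)],
    "dev_b": [(3.0, 3.0), (3.5, 2.5), (2.5, 3.5), (3.0, 3.0)],
}
# Constructed probes captured later: (true device, fingerprint).
# The third probe is a distorted capture of dev_a that drifts towards dev_b.
PROBES = [
    ("dev_a", (1.25, 1.25)), ("dev_a", (1.5, 1.5)), ("dev_a", (2.25, 2.25)),
    ("dev_b", (3.0, 3.0)), ("dev_b", (2.5, 2.5)), ("dev_b", (2.75, 2.75)),
]


def enroll(captures):
    """Enrollment: reference fingerprint = per-feature mean of the captures."""
    return {dev: tuple(sum(col) / len(col) for col in zip(*fps))
            for dev, fps in captures.items()}


def verify(refs, claimed, fp, threshold):
    """1:1 verification: accept the claimed identity if the distance is small."""
    return math.dist(fp, refs[claimed]) <= threshold


def identify(refs, fp):
    """1:N identification: return the closest enrolled device."""
    return min(refs, key=lambda dev: math.dist(fp, refs[dev]))


def score_sets(refs, probes):
    """Distances of every probe to every identity, split genuine / impostor."""
    genuine, impostor = [], []
    for true_dev, fp in probes:
        for claimed, ref in refs.items():
            target = genuine if claimed == true_dev else impostor
            target.append(math.dist(fp, ref))
    return genuine, impostor


def far_frr(genuine, impostor, threshold):
    """FAR = impostor claims accepted, FRR = genuine claims rejected."""
    far = sum(d <= threshold for d in impostor) / len(impostor)
    frr = sum(d > threshold for d in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep the observed distances as thresholds; return (threshold, FAR, FRR)
    at the operating point where FAR and FRR are closest to each other."""
    best = None
    for t in sorted(set(genuine + impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


if __name__ == "__main__":
    refs = enroll(ENROLLMENT)
    genuine, impostor = score_sets(refs, PROBES)
    for t in (0.5, 1.0, 1.5, 2.0):
        print("threshold", t, "FAR/FRR", far_frr(genuine, impostor, t))
    print("EER operating point:", equal_error_rate(genuine, impostor))
```

Raising the threshold trades false rejects for false accepts; the distorted dev_a capture is the one that is both rejected as dev_a and accepted as dev_b at the EER point.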
System Performance and Design Issues
• Performance of PLI all depends on:
  – Resources available
  – Cost
    • The higher the quality and speed, the higher the cost
  – Acquisition setups
    • Certain signals may be hard to get at different locations
Proposed improvements for PLI systems
• System properties that always need improving: accuracy (most significant), computational speed, exception handling, and costs.
• Four different strategies can be deployed to achieve this task.
Proposed improvements for PLI systems
• (1) Acquire signals from multiple acquisition setups
  • Getting the signal from different locations at the same time
• (2) Acquire signals from multiple transmitters on the same device (MIMO)
  • More robust fingerprints (two fingerprints instead of one)
• (3) Collect several acquisitions of the same signal
  • To obtain more reliable fingerprints. Samples are averaged out into one significant sample and that is used to create the fingerprint
• (4) Consider different signal parts
  • Different modalities of signals are combined to improve accuracy and robustness
Physical-Layer Identification techniques and approaches
• Identification of radio signals became very important during WWII.
• Two main techniques/approaches discussed in the paper:
  – Transient-based approach and modulation-based approach.
Transient Based Approach
• Techniques that use the turn on/off transient of a radio signal.
[Figure label: analog-to-digital converter]
Transient Based Approach
• Fingerprinting Approach Details
1. Extract the transient part
  – Threshold-based algorithm
2. Extract features from the transient signal (fingerprints)
  – Transient length
  – Number of peaks in transient
  – Amplitude in transient
3. Classify unknown fingerprints to the reference fingerprints (using a Kalman filter)
  – Compute the classification error rate
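Steps 1 and 2 above as an added example, not code from the paper or the presentation; step 3 is not shown. The concrete threshold rule (noise mean plus k standard deviations for the start, a settling tolerance around the steady-state level for the end), the function names and the envelope samples are assumptions constructed for illustration.

```python
import statistics

# Constructed amplitude envelope of one captured frame (illustrative values):
# channel noise, then the turn-on transient, then the steady-state carrier.
ENVELOPE = (
    [0.01, 0.02, 0.01, 0.02, 0.01, 0.02, 0.01, 0.02]
    + [0.10, 0.35, 0.80, 1.30, 1.10, 0.90, 1.15, 1.05, 0.95, 1.02]
    + [1.00, 1.01, 0.99, 1.00, 1.00, 1.01, 0.99, 1.00]
)


def extract_transient(env, noise_len=8, steady_len=8, k=5.0, settle_tol=0.03):
    """Return (start, end) sample indices of the transient, end exclusive,
    or None when no sample rises above the noise threshold.

    start: first sample above mean + k * std of the leading noise samples.
    end:   just after the last sample that is still further than settle_tol
           (relative) from the steady-state level at the end of the capture.
    """
    noise = env[:noise_len]
    threshold = statistics.fmean(noise) + k * statistics.pstdev(noise)
    start = next((i for i, a in enumerate(env) if a > threshold), None)
    if start is None:
        return None
    steady = statistics.fmean(env[-steady_len:])
    unsettled = [i for i in range(start, len(env))
                 if abs(env[i] - steady) > settle_tol * steady]
    end = unsettled[-1] + 1 if unsettled else start
    return start, end


def transient_features(env, start, end):
    """Fingerprint features from the slide: length, number of peaks, amplitude."""
    seg = env[start:end]
    peaks = sum(1 for i in range(1, len(seg) - 1)
                if seg[i - 1] < seg[i] > seg[i + 1])
    return {"length": len(seg), "peaks": peaks, "max_amplitude": max(seg)}


if __name__ == "__main__":
    bounds = extract_transient(ENVELOPE)
    print("transient samples:", bounds)
    print("features:", transient_features(ENVELOPE, *bounds))
```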
Transient Based Approach Experiments
Modulation Based Approach
• This technique extracts unique features from the part of the signal that has been modulated (the data).
– New approach that is still being researched
Modulation Based Approach
• Fingerprinting Approach Details
1. Capture the signals using the vector signal analyzer
  – QPSK constellation
  – Signal spectrum
2. Extract the following errors due to QPSK modulation
  – I/Q origin offset
  – Frequency offset
  – Error Vector Magnitude
3. Fingerprints are represented by a vector of the above three errors
4. Compute the classification error rate (CER)
  • Ratio of incorrectly classified device fingerprints over all classified fingerprints
[Figure: QPSK signal constellation, points labeled 01, 11, 00, 10]
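The four steps above as an added example (not code from the paper or the presentation): simulated QPSK captures stand in for the vector signal analyzer, the three modulation errors are estimated from them, and the CER is computed with a nearest-reference classifier. The symbol rate, the repeated preamble, the impairment model and its per-device values, the feature units and all names are assumptions made here.

```python
import cmath
import math
import random

SYMBOL_RATE = 1_000_000  # symbols per second (assumed for this example)
QPSK = {"11": 1 + 1j, "01": -1 + 1j, "00": -1 - 1j, "10": 1 - 1j}
# Known, repeated preamble (assumed): 8 symbols, each constellation point twice.
PREAMBLE = [QPSK[b] / math.sqrt(2)
            for b in ("11", "01", "00", "10", "00", "11", "10", "01")]
REPEATS = 8
# Constructed transmitter impairments per device (hypothetical values):
# (frequency offset in Hz, complex I/Q origin offset, I/Q imbalance gain)
DEVICES = {
    "dev1": (2000.0, 0.02 + 0.01j, 0.03),
    "dev2": (-3000.0, -0.01 + 0.03j, 0.05),
    "dev3": (5000.0, 0.03 - 0.02j, 0.02),
}


def capture(dev, sigma=0.0, rng=None):
    """Simulate the received preamble symbols of one frame from `dev`."""
    f_off, origin, imbalance = DEVICES[dev]
    theta = 2 * math.pi * f_off / SYMBOL_RATE  # carrier rotation per symbol
    rx = []
    for n in range(len(PREAMBLE) * REPEATS):
        s = PREAMBLE[n % len(PREAMBLE)]
        tx = s + origin + imbalance * s.conjugate()  # impaired baseband symbol
        noise = complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) if sigma else 0
        rx.append(tx * cmath.exp(1j * theta * n) + noise)
    return rx


def fingerprint(rx):
    """Return (frequency offset [kHz], I/Q origin offset [%], EVM [%])."""
    period = len(PREAMBLE)
    # Frequency offset: the preamble repeats, so samples one period apart
    # differ only by the carrier rotation. Unambiguous while |theta*period| < pi.
    acc = sum(rx[n + period] * rx[n].conjugate() for n in range(len(rx) - period))
    theta = cmath.phase(acc) / period
    # Error vectors against the ideal constellation after removing the rotation.
    err = [rx[n] * cmath.exp(-1j * theta * n) - PREAMBLE[n % period]
           for n in range(len(rx))]
    origin = sum(err) / len(err)  # constant part of the error = origin offset
    # EVM: RMS of the remaining error; the ideal symbols have unit power.
    evm = math.sqrt(sum(abs(e - origin) ** 2 for e in err) / len(err))
    f_khz = theta * SYMBOL_RATE / (2 * math.pi) / 1e3
    return (f_khz, 100 * abs(origin), 100 * evm)


def classify(fp, refs):
    """Nearest enrolled fingerprint (Euclidean distance on the 3-vector)."""
    return min(refs, key=lambda dev: math.dist(fp, refs[dev]))


def classification_error_rate(sigma=0.01, frames=20, seed=1):
    """CER = incorrectly classified fingerprints / all classified fingerprints."""
    rng = random.Random(seed)
    refs = {dev: fingerprint(capture(dev, sigma, rng)) for dev in DEVICES}
    results = [(dev, classify(fingerprint(capture(dev, sigma, rng)), refs))
               for dev in DEVICES for _ in range(frames)]
    return sum(true != got for true, got in results) / len(results)


if __name__ == "__main__":
    for dev in DEVICES:
        print(dev, [round(x, 3) for x in fingerprint(capture(dev))])
    print("CER:", classification_error_rate())
```

Mixing kHz and percent in one Euclidean distance is an arbitrary scaling choice; the frequency offset dominates here, so two devices with nearly equal oscillator offsets would depend on the other two features to stay separable.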
Other Approaches/Techniques
• Baseband power spectrum density of packet preambles
  – 20% CER
• Using near-transient and midamble regions of GSM-GMSK (Global System for Mobile Communications, Gaussian minimum shift keying) burst signals
  – The CER was higher in the midamble than using the transient regions.
• For UHF RFID:
  – Using timing properties of the tags
  – Showed that the duration of the response can be used to distinguish tags of the same manufacturer and RFID type.
• For HF RFID:
  – Timing and modulation shape features can only be used to identify between manufacturers.
Attacks within Physical-Layer Identification
• This section discusses attacks that aim to subvert the decision of an application that relies on PLI, and attacks on the anonymity of wireless devices, where a device is identified even if it is not willing to be.
  – Assumes a “Dolev-Yao style attacker”
    • Attacker can observe, capture, modify, compose, and (re)play signals transmitted by the device
Signal Replay Attack
• Goal is to observe the signals of the device, capture them in digital form, and then transmit the signal again towards the PLI.
  – Attacker does not modify the signal
  – Attacker's knowledge:
    • Knowledge of the feature extraction and matching is not assumed
    • Knowledge of how to observe, capture, and submit signals to the system is needed.
• Why replay attacks?
  – To gain access to resources by replacing an authentication message
  – In DoS, to confuse the destination host
Signal Replay Attack
• Aims at preserving the digital sample of the signal.
– Note: replay of digital signals can never be exact as opposed to information bits.
• High-end hardware and a controlled wireless medium are needed to improve accuracy.
• Could be relayed without being stored in digital form.
  – Amplifiers and multiple antennas are needed.
Feature Replay Attacks
• This attack creates, modifies, or composes signals that reproduce ONLY the features that are considered by a PLI system.
  – Similar to message forging but…
• This attack only requires the information bits, unlike the analog/digital signal samples and data payload in forging.
Feature Replay Attacks
• Needs to preserve the identification features.
• Attacker needs to know the features that the PLI extracts from the device.
• Needs to be able to forge signals while keeping the unique features.
• Feature replay attacks can be launched by:
  – Using arbitrary waveform generators
  – Using a device with features similar to those of the target device (large set of devices of the same model and manufacturer)
  – Replicating the circuitry/components of the target device (hardest)
Implication and examples of PLI (Intrusion Detection in WLAN networks)
• (1) PLI can be used to enhance the security of WLANs
  – By providing access control to prevent unauthorized devices on the network.
    • PLI deployed in APs to defend against cryptographic key compromise by an attacker.
    • PLI can help determine multiple MACs or crypto keys that belong to the same device.
    • An attacker who holds the crypto key(s) still cannot authenticate to the network unless they somehow get past the PLI system
• (2) PLI techniques can be used to protect against rogue APs.
Implication and examples of PLI (Intrusion Detection in WLAN networks)
• System property requirements:
  – Physical-layer device fingerprints need to be resilient to distance and location.
  – Transient signal samples can carry wireless channel characteristics along with the device-specific information they are intended to carry.
    • How to handle this still remains an open question.
• Security requirements:
  – Resilient to remote impersonation attacks
  – Resilient to attacks by signal and feature replays
Implication and examples of PLI (Device Cloning Detection - RFID - Identity Documents)
• RFID transponders in documents can be successfully cloned even if protective measures are in place
• PLI can be applied to document cloning detection in two different ways:
  – (1) Fingerprints are measured before the RFID deployment, stored in a back-end database, indexed with a unique ID.
  – (2) Fingerprints are measured before the RFID deployment, BUT stored in the transponder's memory.
    • Advantage: document authenticity can be verified OFFLINE.
    • Disadvantage: the fingerprint is stored on the transponder, so it requires access protection. Also, fingerprints need to be compact enough to fit in the memory
Implication and examples of PLI (Device Cloning Detection - RFID - Identity Documents)
• System Property Requirements:
  – Special purpose-built devices need to be made.
    • Need to be measured in multiple locations (country border)
    • Devices should be high quality to preserve the fingerprint from distortions
Implication and examples of PLI (Device Cloning Detection - RFID-Enabled Supply Chains)
• PLI provides means to detect counterfeit products by creating PLI fingerprints that bind the RFID tag to the original, claimed identity.
  – Unlike e-passports, where the fingerprint is stored directly on the passport, the fingerprints would be stored in a database.
    • These can be compared later with the fingerprints obtained from the RFID tag.
Implication and examples of PLI (Device Cloning Detection - RFID-Enabled Supply Chains)
• System Property Requirements:
  – High computational speed
    • Large amounts of products on pallets pass through identification gates in a short time.
  – Fingerprints need to be robust
    • Tags are placed anywhere on pallets and may interfere with other wireless communication
  – High system accuracy
    • Verifying false results may slow down the supply chain process
• System Security Requirements:
  – Equipping each counterfeit product with a replaying device is too expensive
  – Equipping them with RFID tags that have features similar to the tags on real products will pass the identification requirement and is the smart choice in terms of cost.
Other Related Applications
• Wormhole attack:
  – Creates a tunnel that connects two points in the network and relays messages back and forth.
  – Can filter unwanted packets and refuse traffic forwarding
  – PLI can be used to verify the origin device of the signal transmitted
• Sybil attack:
  – Attacker assigns different identities on the same node.
  – PLI can detect multiple device identities.
Implication and examples of PLI (Anonymity and Location Privacy)
• PLI techniques require few packets to identify the number of devices in the vicinity and classify individual packets to the corresponding transmitting device.
• Example: targeting UHF RFID
  – Shown to leak information which is independent of your position.
  – If a user has a number of UHF tags, a network of readers can track them, regardless of location and distance.
• Example: user has 5 cards
  – Can be identified among 6x10^6 users.
  – Shows that card holder privacy can be compromised by the ability to read UHF RFID from large distances
Conclusion
• Benefits applications such as access control, device cloning detection, and identity (location) privacy.
• Has been investigated on a broad general spectrum of wireless technologies, but primarily as defensive techniques.
• A lot of future research is still available in this area
  – What are the exact causes of identification?
  – The feasibility or non-feasibility needs to be considered
  – How much information entropy do fingerprints contain?
• By analyzing the system, state-of-the-art approaches, attacks, and security issues, we can give an overview of physical-layer identification of wireless devices.
THANK YOU !