Cicada Attack: Degradation and Denial of Service Attacks


The Cicada Attack: Degradation and Denial of Service Attacks in IR Ranging
Marcin Poturalski, Manuel Flury,
Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec
Outline
• Context: ranging and secure ranging
• The Cicada attack
• Attack performance evaluation
• Countermeasures
• Conclusion
Ranging
• Ranging can be applied in a number of applications
– Localization and navigation of robot fleets
– Tracking of goods
– Physical access control
• Many are security sensitive!
– Physical access control: impersonation of a legitimate device
– Tracking of goods: manipulation of the ranging measurement
Securing Ranging
• How to make ranging secure?
Securing Ranging
• Distance bounding protocols
– S. Brands and D. Chaum. “Distance Bounding Protocols.” EUROCRYPT’93
– S. Capkun, L. Buttyan and J. Hubaux. “SECTOR: secure tracking of node encounter in multi-hop wireless networks.” SASN’03
– L. Bussard and W. Bagga. “Distance-Bounding Proof of Knowledge to Avoid Real-Time Attacks.” SEC’05
– G.P. Hancke and M.G. Kuhn. “An RFID distance bounding protocol.” SecureComm’05
– C. Meadows, P. Syverson and L. Chang. “Towards More Efficient Distance Bounding Protocols for Use in Sensor Networks.” SecureComm’06
– J. Reid, J.M.G. Nieto, T. Tang and B. Senadji. “Detecting Relay Attacks with Timing-Based Protocols.” ASIACCS’07
– D. Singelee and B. Preneel. “Distance bounding in noisy environments.” ESAS’07
– …
Securing Ranging
• Distance bounding protocol example (A, which sends the nonce NV, acts as verifier; B as prover):
– A → B: NV
– B → A: (P ⊕ NV, NP); A measures the round-trip time tRTT of this exchange
– B → A: (NV, P, NP, MACPV(NV, P, NP))
• Provides an upper bound on the computed distance
– Not possible to decrease the measured distance
• Messages travel at the speed of light
– Possible to increase the distance
• By relaying or delaying messages
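As an added illustration of the exchange above (not code from the paper or its authors): a simulated run of the three-message protocol with a fake clock, showing that a relay can only lengthen tRTT, so the distance bound can grow but never shrink, and that tampering with the slow-phase message is caught by the MAC. Assumptions: the MAC is HMAC-SHA256 under a key shared by A and B, P is a random value chosen by the prover for the fast phase, and A subtracts a known fixed processing delay of B; message names follow the slide.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0  # speed of light in m/s


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ProverB:
    """B: answers the fast challenge with P xor NV, then authenticates the run."""

    def __init__(self, key: bytes):
        self.key = key
        self.P = secrets.token_bytes(16)   # assumption: random value for the fast phase
        self.NP = secrets.token_bytes(16)  # prover nonce

    def fast_response(self, NV: bytes):
        return xor_bytes(self.P, NV), self.NP

    def auth_message(self, NV: bytes):
        # assumption: MACPV is HMAC-SHA256 under the shared key
        mac = hmac.new(self.key, NV + self.P + self.NP, hashlib.sha256).digest()
        return NV, self.P, self.NP, mac


def run_distance_bounding(true_distance_m, key=b"constructed-shared-key",
                          relay_delay_s=0.0, proc_delay_s=1e-9, tamper=False):
    """Simulated clock: A sends NV at t=0 and times the fast reply.

    Returns (accepted, distance_bound_m). Propagation takes distance / C each way;
    relay_delay_s is the extra delay a relay adds on each hop."""
    b = ProverB(key)
    NV = secrets.token_bytes(16)
    one_way = true_distance_m / C + relay_delay_s
    # fast phase: NV reaches B, B answers after its processing delay
    resp, NP = b.fast_response(NV)
    t_rtt = one_way + proc_delay_s + one_way
    # slow phase: B authenticates the values used in the fast phase
    NV2, P, NP2, mac = b.auth_message(NV)
    if tamper:
        P = bytes([P[0] ^ 1]) + P[1:]   # constructed: someone altering P in transit
    expected = hmac.new(key, NV2 + P + NP2, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, None
    if NV2 != NV or NP2 != NP or resp != xor_bytes(P, NV):
        return False, None
    # A can only bound the distance from above: tRTT cannot be shorter than 2 d / C
    bound = C * (t_rtt - proc_delay_s) / 2
    return True, bound
```

A relay that adds one microsecond per hop pushes the bound up by about 300 m; nothing the prover or a relay does in this model can make the bound smaller than the true distance, which is exactly the property the slide states.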
Securing Ranging
• Do distance bounding protocols solve the problem …? Not quite
• Physical layer attacks against distance bounding
– J. Clulow, G.P. Hancke, M.G. Kuhn, T. Moore. “So Near and yet So Far: Distance-Bounding Attacks in Wireless Networks.” ESAS’06
– M. Flury, M. Poturalski, P. Papadimitratos, J.-P. Hubaux, J.-Y. Le Boudec. “Effectiveness of Distance-Decreasing Attacks Against Impulse Radio Ranging.” WiSec’10
• This paper: a new kind of physical layer attack against (IR) ranging
Impulse Radio Ranging
• Precise ranging in dense multipath environments
• The first path is not necessarily the strongest path
The Ranging Process
• Preamble: frame sequence modulated by ternary preamble code, sent by transmitter T to receiver R
• Receiver R synchronizes in two steps:
1. Coarse synchronization: lock on strongest path
2. Fine synchronization: back-search for first path
The Cicada Attack
• Preamble: frame sequence modulated by ternary preamble code, sent by transmitter T to receiver R
• A malicious transmitter M emits an interfering signal during reception
– Denial of Service: ranging not possible
• Cicada attack: back-search finds bogus first path
– Degradation of Service: range decreased
Denial vs Degradation
• Degradation is more stealthy than denial
– Potentially more severe
• We focus on an adversary aiming at degradation
The Cicada Attack
• Very simple to mount
– Requires only an IR transmitter
– Oblivious to preamble code
• Limited effectiveness
– Mild distance decrease
• Back-search window size, e.g., 20m
– Random distance decrease
Example Attack
Simulation Setup
• Transmitter T is received at SNRT and malicious transmitter M at SNRM, both at receiver R
• IEEE 802.15.4a PHY
– Mandatory LPRF mode
– Indoor NLOS channel model
• Attack performance for 3 energy detection receivers:
– Vanilla: basic energy detection receiver
– MINF, PICNIC: receivers robust to multi-user interference
• We simulate the entire packet reception process
Vanilla Receiver
• Results at SNRT = 20dB; each simulated reception is classified as one of:
– Packet not received: failure of synchronization
– Packet not received: failure of SFD detection or data decoding
– Packet received
– Packet received, ToA decreased by > 4ns
• The cicada signal sometimes misses the back-search window
• Increase cicada signal rate
MINF Receiver
• Designed to cope with benign multi-user interference
during fine synchronization
– Z. Sahinoglu and I. Guvenc. “Multiuser interference mitigation in
noncoherent UWB ranging via nonlinear filtering.” EURASIP Journal on
Wireless Communication Networks, 2006
– D. Dardari, A. Giorgetti, and M.Z. Win. “Time-of-arrival estimation of
UWB signals in the presence of narrowband and wideband
interference.” ICUWB, 2007
MINF Receiver
• Assume coarse synchronization is achieved
• Input: frames of samples; the user of interest uses code i, a benign interferer uses code j
1. Remove frames according to code i
2. Apply moving minimum filter across the remaining frames
• Cicada signal is present in every frame
– Min filter will not remove it
Attack Performance against MINF
• MINF compared with Vanilla at SNRT = 20dB
• Attack performs slightly worse than for Vanilla
PICNIC Receiver
• Designed to cope with benign multi-user interference during synchronization
– M. Flury, R. Merz, and J.-Y. Le Boudec. “Robust non-coherent timing acquisition in IEEE 802.15.4a IR-UWB networks.” PIMRC, 2009
• PICNIC compared with Vanilla at SNRT = 20dB
• Adversary exploits the interference robustness of the PICNIC receiver to improve attack performance
Countermeasures to Degradation
• Do not perform back-search
– Loses ranging performance in the benign case
• Perform multiple range measurements
– Cicada attack increases the variance of the measurements
• Modify the modulation scheme
– Time-hopping in the preamble?
• Secure synchronization algorithms
– Complexity and energy consumption are an issue
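An added model (not the authors' IEEE 802.15.4a simulator, and not code from the paper) that ties together the two-step ranging process, the window-bounded random decrease the Cicada attack causes, and the multiple-measurements countermeasure above. The receiver is a toy energy-detection receiver: coarse synchronization locks on the strongest sample, fine synchronization back-searches a 64ns window (the window size from the slides) for the earliest sample above a threshold. Everything else is constructed: 2ns samples, a weak first path 24ns before the strongest path, pulse energies, the detection threshold, and cicada pulses at random sample positions (the adversary is oblivious to the preamble code). The countermeasure flags a measurement series whose variance exceeds a chosen bound.

```python
import random
import statistics

C_M_PER_NS = 0.2998        # speed of light in metres per nanosecond
SAMPLE_NS = 2.0            # constructed: one energy sample every 2 ns
FRAME_SAMPLES = 128
BACK_SEARCH_NS = 64.0      # back-search window size from the slides
THRESHOLD = 0.25           # constructed first-path detection threshold
FIRST_PATH, STRONGEST = 40, 52   # constructed NLOS profile: weak first path before strongest


def energy_profile(rng, cicada_pulses=0):
    """Constructed energy profile of one ranging measurement."""
    e = [0.05 * rng.random() for _ in range(FRAME_SAMPLES)]   # noise floor
    e[FIRST_PATH] += 0.4          # weak direct path
    e[STRONGEST] += 1.0           # strongest (reflected) path
    for k in range(1, 6):
        e[STRONGEST + 2 * k] += 0.3 / k   # trailing multipath
    for _ in range(cicada_pulses):
        # cicada pulses land at random positions: the adversary ignores the preamble code
        e[rng.randrange(FRAME_SAMPLES)] += 0.45
    return e


def estimate_toa_ns(profile):
    """Energy-detection ranging as on the slides: coarse sync, then back-search."""
    strongest = max(range(FRAME_SAMPLES), key=profile.__getitem__)   # 1. coarse sync
    window = int(BACK_SEARCH_NS / SAMPLE_NS)
    first = strongest
    for n in range(strongest, max(strongest - window, 0) - 1, -1):   # 2. back-search
        if profile[n] >= THRESHOLD:
            first = n          # keep the earliest sample above threshold in the window
    return first * SAMPLE_NS


def measure_distances(n_measurements, cicada_pulses=0, seed=3):
    """Repeated one-way ToA ranging; each measurement sees fresh noise and fresh cicada pulses."""
    rng = random.Random(seed)
    return [C_M_PER_NS * estimate_toa_ns(energy_profile(rng, cicada_pulses))
            for _ in range(n_measurements)]


def flag_cicada(distances, max_variance_m2=1.0):
    """Countermeasure: multiple measurements; a cicada attack raises their variance."""
    return statistics.pvariance(distances) > max_variance_m2
```

In the benign case every measurement returns the same first path, so the series has zero variance. Under attack a cicada pulse sometimes lands inside the window before the true first path and sometimes does not, so the measured distance drops by a random amount bounded by the window (at most 64ns, about 19m) and the variance of the series jumps, which is what the "multiple range measurements" countermeasure relies on.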
Conclusion
• Cicada attack
– Simple attack able to decrease distance
measured by IR ranging protocols
– Exploits fundamental difficulty in distinguishing
legitimate and interfering signals
• Security must be addressed at all layers
To learn more…
http://lca.epfl.ch/projects/snd

Extra slides
PICNIC Receiver
• Designed to cope with benign multi-user interference during synchronization
– M. Flury, R. Merz, and J.-Y. Le Boudec. “Robust non-coherent timing acquisition in IEEE 802.15.4a IR-UWB networks.” PIMRC, 2009
• Component 1: Power Independent Detection (PID)
– Each sample x is thresholded before correlation: 0 if x < t, 1 if x ≥ t
– The correlator sums the thresholded samples over the frames according to the preamble code
• Component 2: Interference Cancelation
– Detect presence of alternative preamble code
– If detected, estimate and remove interference
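An added example (not code from the paper or the PICNIC or MINF authors) serving both the MINF slide earlier and the PID component above: a toy frame-level model in which a benign interferer follows a different ternary code than the user of interest, while a cicada pulse sits in every frame. The MINF path removes the frames in which code i has no pulse and then takes a moving minimum across the remaining frames; the PID path thresholds each sample to 0 or 1 before correlating with the code. Both codes, the sample counts, pulse energies and thresholds are constructed and are not the IEEE 802.15.4a preamble codes; the names kept_frames, minf_profile, pid_correlation and first_path are my own.

```python
import random

SAMPLES = 32
CODE_I = [1, 0, 1, 1, 0, 1, 0, 1]   # constructed ternary code of the user of interest
CODE_J = [1, 1, 0, 1, 1, 0, 1, 0]   # constructed code of a benign interferer


def build_frames(user_delay, interferer_delay, interferer_power=3.0, cicada_delay=None, seed=1):
    """Constructed energy-detection samples, one list per preamble frame."""
    rng = random.Random(seed)
    frames = []
    for k in range(len(CODE_I)):
        frame = [0.1 * rng.random() for _ in range(SAMPLES)]          # noise floor
        if CODE_I[k]:
            frame[user_delay] += 1.0                        # user of interest, follows code i
        if CODE_J[k]:
            frame[interferer_delay] += interferer_power     # benign interferer, follows code j
        if cicada_delay is not None:
            frame[cicada_delay] += 3.0                      # cicada pulse: every frame, no code
        frames.append(frame)
    return frames


def kept_frames(frames, code=CODE_I):
    """MINF step 1: remove the frames in which code i carries no pulse."""
    return [f for f, c in zip(frames, code) if c != 0]


def average_profile(frames, code=CODE_I):
    """Vanilla-style averaging of the kept frames (no interference mitigation)."""
    kept = kept_frames(frames, code)
    return [sum(f[n] for f in kept) / len(kept) for n in range(SAMPLES)]


def minf_profile(frames, code=CODE_I, window=3):
    """MINF step 2: moving minimum over `window` consecutive kept frames, averaged per sample."""
    kept = kept_frames(frames, code)
    groups = [kept[s:s + window] for s in range(len(kept) - window + 1)]
    return [sum(min(g[n] for g in grp) for grp in groups) / len(groups)
            for n in range(SAMPLES)]


def raw_correlation(frames, code=CODE_I):
    """Correlation of the raw samples with the code: a strong interferer dominates."""
    return [sum(c * frames[k][n] for k, c in enumerate(code)) for n in range(SAMPLES)]


def pid_correlation(frames, code=CODE_I, t=0.5):
    """PICNIC PID: threshold each sample to 0 (x < t) or 1 (x >= t), then correlate."""
    return [sum(c * (1.0 if frames[k][n] >= t else 0.0) for k, c in enumerate(code))
            for n in range(SAMPLES)]


def first_path(profile, threshold=0.5):
    """Fine synchronization: earliest sample whose value reaches the threshold."""
    return next(n for n, e in enumerate(profile) if e >= threshold)


def peak(profile):
    return max(range(SAMPLES), key=profile.__getitem__)
```

With the interferer placed earlier than the user's first path, plain averaging and raw correlation both lock on the interferer, while MINF and PID recover the user's path, which is the benign-interference robustness the two receivers are built for. A cicada pulse present in every frame survives the minimum filter and, after thresholding, scores the full code weight in the PID correlator regardless of its power, matching the slides' observations that the min filter cannot remove it and that the correlator output is maximized at the cicada peaks.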
Attack Performance against PICNIC
• PICNIC compared with Vanilla at SNRT = 20dB
• Attack performs slightly worse than for Vanilla
• Denial sets in at low SNRM
Attack Performance against PICNIC
• With PID thresholding (0 if x < t, 1 if x ≥ t) at SNRT = 20dB
• Correlator output is maximized for all cicada peaks
• Make cicada signal more sparse?
Attack Performance against PICNIC
• SNRT = 20dB
• Adversary exploits the interference robustness of the PICNIC receiver to improve attack performance
Attack Performance against PICNIC
• SNRT = 20dB
• Attack with high rate cicada signal
Distance decrease
• Back-search window size 64ns