Please use this identifier to cite or link to this item: http://hdl.handle.net/1942/30090
Title: Explicit and Implicit Information Leakage in Wireless Communication
Authors: ROBYNS, Pieter 
Advisors: Lamotte, Wim; Quax, Peter
Issue Date: 2019
Abstract: Information security vulnerabilities in wireless communication are caused by unforeseen behavior of a system resulting from flawed protocol designs or implementations. Such vulnerabilities may be exploited by an adversary to break the confidentiality, integrity and availability provided by a system, or to compromise the privacy of its users. In this thesis, we focus on one particular class of vulnerabilities, namely information leakage, in the context of two wireless protocols: Wi-Fi (802.11) and LoRa. With over 454 million Wi-Fi hotspots and 500,000 LoRa gateways forecast to be operational by 2020, these protocols are amongst the most popular wireless protocols in use at the time of writing. We will distinguish between and explore two types of information leakage, which we refer to as explicit information leakage and implicit information leakage. In the first main part of the thesis we will examine explicit information leakage, which stems from unintended flaws in the design or implementation of wireless protocols. More specifically, we will reveal a vulnerability in the 802.1X PEAP protocol, which is used as an authentication method in WPA2-Enterprise networks. This vulnerability allows an adversary to relay challenge responses from a LEAP handshake as valid credentials for a PEAP handshake, thereby gaining unauthorized access to the network. We show that this attack works on all Apple devices prior to iOS 8, OS X Yosemite and Apple TV 7. Next, we look at the MAC-layer frame aggregation mechanism introduced in 802.11n, and show how an adversary can abuse the delimiter scanning algorithm to remotely inject arbitrary Wi-Fi frames into an open network, even without a radio. This is achieved by crafting a specific application-layer payload that leaks to the lower layers of the network stack when the A-MPDU delimiter is corrupted by incidental noise.
We then analyze the information broadcast in Wi-Fi Probe Request frames, and show that such frames leak sufficient information about the transmitting device to create a unique fingerprint. We show that this can be exploited to defeat privacy-preserving measures such as MAC address randomization, in a large-scale field experiment where data was gathered at a music festival over a two-day period. Moreover, we introduce a number of techniques to increase the frequency of Probe Request transmissions, for example by transmitting specially crafted GAS Request and ADDBA Request frames. For each of the vulnerabilities discussed in this part of the thesis, we propose countermeasures to mitigate their impact and improve the security and privacy of users. The second main part of the thesis looks into implicit information leakage, which originates from measurable side effects of a software or hardware implementation of a protocol. As a first example, we show how frequency offset errors introduced by the hardware of LoRa devices leak sufficient information to fingerprint individual devices on the physical layer. Complementary to this finding, we release an open source implementation of a novel demodulation algorithm, based on the gradient of the instantaneous frequency of a LoRa signal, that allows synchronization to a LoRa signal while preserving any frequency offset errors present. Using this algorithm, we capture 8 datasets of LoRa symbols using an SDR and analyze the classification accuracy under various environments when using SVM, MLP and CNN classifiers. We also perform a brief experiment with zero-shot classification techniques, where LoRa devices can be classified without having access to prior training data about these devices. Finally, we consider the electromagnetic (EM) side-channel leakage of the AES cipher, which is used by both Wi-Fi and LoRa.
In particular, we examine the application of machine learning and deep learning to EM traces leaked during the execution of AES, and propose a novel methodology to recover the secret key from these traces. Our methodology requires only a few minutes of training time on commodity hardware due to a less complex architecture, while outperforming state-of-the-art deep learning algorithms on the ASCAD benchmark dataset. Additionally, we show that the requirement to align signals prior to performing a CEMA attack can be removed by applying our methodology in the frequency domain of the captured EM traces, and provide a practical proof-of-concept by using a USRP B210 to attack an AES implementation running on an Arduino Duemilanove.
Document URI: http://hdl.handle.net/1942/30090
Rights: 2019 - Pieter Robyns All rights reserved.
Category: T1
Type: Theses and Dissertations
Appears in Collections: Research publications

Files in This Item:
PhD_thesis_Pieter_Robyns.pdf (Adobe PDF, 7.44 MB; embargoed until 2024-12-05)