Jamming for Access Control

the interference pattern is known, it is possible to eliminate the interfering waveform and recover the original signal (Halperin, Anderson, et al., 2008). And even if the interference patterns is not known, it is possible for the attacker to increase the degrees of freedom that the receiver has. For example, Tippenhauer et al. (2013) showed that an attacker always has the option to increase its number of antennas, allowing to isolate the defensive jamming signal and to recover the confidential information. Our approach does not suffer from these drawbacks, because we interfere with the reception of an attacked device, whose capabilities are known to us, instead of interfering with the reception of an eavesdropper, which can have arbitrarily advanced capabilities.

2.2. Jamming for Access Control

The concept of using selective interference for access control has recently been proposed in several application areas: to protect implanted medical devices (IMDs) from malicious readers, to increase the privacy of RFID tags, and to ensure authentic communication in WSNs. In contrast to these works, we provide a system that allows configurable security policies based on packet content and aims to provide a central protection over larger distances in a networked setting, in contrast to a reader–single device setting. A summary of the following comparison is provided in Table 2.1.

2.2.1. Wireless LAN

Wireless intrusion detection and prevention systems (WIPS) are also closely related to the wireless firewall (Scarfone and Mell, 2007, §5) in the context of wireless LANs. They are primarily focus on detecting attacks and policy violations in ieee . networks. However, commercial products for WLAN protection such as AirMagnet by Fluke Corporation (2011), AirDefense by Motorola Solutions (2011) or SpectraGuard by AirTight Net-works (2011) do not prevent the reception of packets; rather, they exploit the fact that communication is only possible after reaching an associated state with an access point, and repeatedly break this association to the adversary.

These systems have only limited capability to deny access to unauthorized nodes by sending spoofed disassociation and de-authentication frames to rogue devices. This approach is not applicable to protect low-power wireless networks because their protocols do not use such association mechanisms.

2. State of the Art in Physical Layer Security

SystemApplicationareaMaximumGuardBlockingcriteriaPrototypereactiontimedistanceevaluation

IMDshieldImplantedmedical10ms20cmEachpacketisblocked √(USRP2)devices(IMDs)andselectivelyforwardedIMDGuardIMDsTensofms20cmGuardnoticesaspoofingattack∼(MICAz)WarlockDukeImprovisedexplosives(IEDs)n/an/a(100m)Anysignalinguardedfreq.bands √(custom)BlockerTagsRFID300µs20cmTagquerytoprotectedprefix×(tag)RFIDGuardianRFID300µs1mTagquerytotaginACL×(handheld)JammingforGoodSensornetworks5ms2–3mAddress+RSSIofregistrationpacket √(MICAz)WiFireSensornetworks64µs10–20mPer-packetdecision(header+payload) √(USRP2)Table2.1.:Comparisonofrelatedprotectionsystemsusingphysicallayerresponses.

12

2.2. Jamming for Access Control

Thus, in contrast to these higher-layer approaches, the wireless firewall must operate on the physical layer to achieve its goal.

Our approach supports more sophisticated access blocking rules and does not rely on valid frame semantics to deny access but uses physical-layer jamming. Furthermore. our approach is immune to malicious nodes which discard disassociation and de-authentication frames to remain connected.

2.2.2. Implanted Medical Devices

There are several works that consider securing IMDs to ensure the safety and privacy of patients with IMDs. This is because the devices may otherwise send out confidential information or even be reconfigured wirelessly against the patients wishes (Fu, 2009; Halperin, Heydt-Benjamin, et al., 2008).

Heartbeats. IMDs face challenges similar to WSNs, namely low computa-tional resources and limited energy. Gollakota, Hassanieh, et al. (2011) describe an external IMD protection system, or IMD “shield,” that allows to regulate access to the device using selective interference, protecting it from malicious readers. The shield is a battery-powered device that is worn close the implanted device (with a distance of less than 20 cm), e.g., in the form of a pendant. It acts as a proxy that simultaneously receives and destroys any packet related to the protected IMD. If the packet is going to the IMD, the shield checks whether the reader is trusted and forwards the packet. If the packet originated from the IMD, the packet is forwarded in encrypted form to the querying reader to protect the patients’s privacy. A USRP2-based prototype system is presented, showing that an attacker can only succeed if it uses high transmit power and close proximity.

IMDGuard. Xu et al. (2011) also describe an external guardian system that protects IMDs from untrusted readers. It supports an IMD during cryp-tographic operations, and uses selective interference when an attacker tries to disturb this operation. This system also works transparently, i.e., there is no need to modify the IMD after it is implanted. However, in contrast to the concept of the wireless firewall, the external guardian must be placed in close proximity to the protected device, which constitutes a reader–device setting instead of a networked setting with several devices that we are aiming for.

Additionally, they do not offer programmable security policies: IMDGuard uses packet timing to detect malicious packets. However, the concept relies on cryptographic protocols and uses the physical layer response only as a

counter-2. State of the Art in Physical Layer Security

measure to spoofing attacks. In contrast to these works, we offer configurable policies for several devices in a distributed sensor network setting.

2.2.3. Radio Frequency Identification Tags

Radio frequency identification (RFID) tags are well known for their extreme resource limitations and lack of reprogrammability. Several contributions show that remote protection can be used in this context as well.

Blocker Tags. To protect the privacy of RFID tags from malicious readers, Juels, Rivest, et al. (2003) introduce the “blocker tag” to prevent the tag discovery by confusing readers with artificial collisions. The attacker queries a prefix of node IDs (e.g., the first two bits), and on collisions the reader refines the prefix, such that the blocker tag can force the reader to traverse the full address space by generating intentional interference. In this case, the reader assumes that several tags are present and that more specific queries are required; but as the collisions are triggered for all queries, the reader is forced to search the complete address space (e.g., 2⁶⁴ addresses). Juels and Brainard (2004) extend this concept to signal privacy policies to benign readers.

RFID Guardian. Rieback et al. (2005; 2007) offer a similar solution but support the protection of configurable sets of RFIDs (blocker tags only support address blocks). A battery-powered handheld device, the “RFID Guardian,” monitors all queries and interferes with a tag’s response to hide its presence from malicious readers. The system enables the use of config-urable access control lists (ACLs) for arbitrary sets of RFID tags that specify which readers are allowed to interact with which tags. Again, this is a reader–

device setting with small distances (up to 1 m for RFID Guardian). However, the main difference to our work is that these schemes do not operate on a per-packet basis: malicious queries are actually received by the tag, and only the tag’s response is blocked. This is not problematic because RFID tags commonly do not keep state information. With our implementation, we can prevent sensor motes from receiving any malicious packet, also protecting their internal state. With the wireless firewall, we want to protect devices starting with the very first packet.

14

2.2. Jamming for Access Control

2.2.4. Wireless Sensor Networks

Jamming for Good. A closely related work protects sensor motes from spoofed packets (based on RSSI information) using selective interference (Martinovic, Gollan, et al., 2008; Martinovic, Pichota, and Schmitt,

2009). This work showed that injection attacks against WSNs can be mit-igated in a cooperative manner by jamming packets with suspicious signal fingerprints.

In these works, sensor devices support each other to prevent impersonation attacks, i.e., an attacker pretending to be part of the network by spoofing its source address to look like an existing network device. When a sensor device wants to send data, it first sends a “reservation packet” to notify others of its transmission wish before it starts sending the data packet. Sensor devices in the vicinity compare the claimed source address and the physical signal fingerprint of the reservation (which depends on the device’s location and is hard to spoof) with previously observed measurements. In case of a mismatch (i.e., a potential attack), the device schedules a concurrent transmission with the data packet, intercepting the spoofed packet. This approach explores the concept of over-the-air support to increase security, but also forces an expensive mode of operation on the network.

Because standard sensor motes are considered in their experiments, a spe-cial admission frame prior to the actual data frames is necessary to relax the timing constraints in order to decouple the jamming decision from the actual jamming process The protection is performed by the network motes themselves, analyzing if the RSSI signature of the registration packet matches with the claimed source address, and scheduling the transmission of an inter-fering packet concurrent with the data packet in case of a mismatch. However, the requirement that motes must receive packets that are not addressed to them and send packets for interference is expensive in terms of energy. So, while the goals are similar, the approach is different. We explore the use of specially designed wireless firewall devices that provide a per-packet central enforcement of access policies, without requiring a custom MAC protocol.

The wireless firewall explores the use of a dedicated security infrastructure to protect wireless devices in a fully transparent way: no modifications are required, the devices do not even need to know that WiFire is protecting them.

Home jamming. Brown et al. (2013) present a jamming system that protects a home network from injection attacks in the spirit of Jamming for Good introduced above. The authors present a dedicated device that focuses

2. State of the Art in Physical Layer Security

on the MAC protocol of the ZigBee standard, which is prevalent in the context of home automation.

2.2.5. Other Applications

In the military context, the U.S. military employs mobile jamming systems to protect convoys in Iraq from improvised roadside bombs, stopping a bomb trigger signal from arriving at the bomb’s receiver (LaShomb, 2006).¹ How-ever, not much is known about the system’s implementation and operation.