Practical Evaluation of Passive COTS Eavesdropping in 802.11b/n/ac WLAN

In this work, we compare the performance of a passive eavesdropper in 802.11b/n/ac WLAN networks. In particular, we investigate the downlink of 802.11 networks in infrastructure mode (e.g. from an access point to a terminal) using Commercial-Off-The-Shelf (COTS) devices. Recent 802.11n/ac amendments introduced several physical and link layer features, such as MIMO, spatial diversity, and frame aggregation, to increase the throughput and the capacity of the channel. Several information-theoretic studies state that some of those 802.11n/ac features (e.g. beamforming) should degrade the performance of a passive eavesdropper. However, the real impact of those features has not yet been analyzed in a practical context and experimentally evaluated. We present a theoretical discussion and a statistical analysis (using path loss models) to estimate the effects of such features on a passive eavesdropper in 802.11n/ac, using 802.11b as a baseline. We use Signal-to-Noise Ratio (SNR) and Packet Error Rate (PER) as our main metrics. We compute lower and upper bounds for the expected SNR difference between 802.11b and 802.11n/ac using high-level wireless channel characteristics. We show that the PER in 802.11n/ac increases by up to 98% (compared to 802.11b) at a distance of 20 m between the sender and the eavesdropper. To obtain a PER of 0.5 in 802.11n/ac, the attacker's maximal distance is reduced by up to 129.5 m compared to 802.11b. We perform an extensive set of experiments, using COTS devices in an indoor office environment, to verify our theoretical estimations. The experimental results validate our predicted effects and show that every amendment adds extra resiliency against passive COTS eavesdropping.
