Attacks on public WLAN-based positioning systems

In this work, we study the security of public WLAN-based positioning systems. Specifically, we investigate the Skyhook positioning system, available on PCs and used on a number of mobile platforms, including Apple's iPod touch and iPhone. By implementing and analyzing several kinds of attacks, we demonstrate that this system is vulnerable to location spoofing and location database manipulation. In both, the attacker can arbitrarily change the result of the localization at the victim device, by either impersonating remote infrastructure or by tampering with the service database. Our attacks can easily be replicated and we conjecture that--without appropriate countermeasures--public WLAN-based positioning should therefore be used with caution in safety-critical contexts. We further discuss several approaches for securing WLAN-based positioning systems.

[1]  Gaetano Borriello,et al.  SpotON: An Indoor 3D Location Sensing Technology Based on RF Signal Strength , 2000 .

[2]  Sergey Bratus,et al.  Active behavioral fingerprinting of wireless devices , 2008, WiSec '08.

[3]  Srdjan Capkun,et al.  Transient-based identification of wireless sensor nodes , 2009, 2009 International Conference on Information Processing in Sensor Networks.

[4]  Ulrike Meyer,et al.  A man-in-the-middle attack on UMTS , 2004, WiSe '04.

[5]  Markus G. Kuhn,et al.  An Asymmetric Security Mechanism for Navigation Signals , 2004, Information Hiding.

[6]  Srdjan Capkun,et al.  GPS-free Positioning in Mobile Ad Hoc Networks , 2004, Cluster Computing.

[7]  Marco Gruteser,et al.  Wireless device identification with radiometric signatures , 2008, MobiCom '08.

[8]  Srdjan Capkun,et al.  SecNav: secure broadcast localization and time synchronization in wireless networks , 2007, MobiCom '07.

[9]  Andy Hopper,et al.  A new location technique for the active office , 1997, IEEE Wirel. Commun..

[10]  Hari Balakrishnan,et al.  6th ACM/IEEE International Conference on on Mobile Computing and Networking (ACM MOBICOM ’00) The Cricket Location-Support System , 2022 .

[11]  T. Kohno,et al.  Remote physical device fingerprinting , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[12]  B. R. Badrinath,et al.  Ad hoc positioning system (APS) using AOA , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[13]  Andy Hopper,et al.  The active badge location system , 1992, TOIS.

[14]  Dan S. Wallach,et al.  Wireless LAN location-sensing for security applications , 2003, WiSe '03.

[15]  Nils Ole Tippenhauer,et al.  UWB-based Secure Ranging and Localization; ; Technical Reports; , 2008 .

[16]  Markus G. Kuhn,et al.  An RFID Distance Bounding Protocol , 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[17]  Dong Chao,et al.  Universal Software Radio Peripheral , 2010 .

[18]  Paramvir Bahl,et al.  RADAR: an in-building RF-based user location and tracking system , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[19]  Yih-Chun Hu,et al.  Packet leashes: a defense against wormhole attacks in wireless networks , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[20]  Santosh Pandey,et al.  A survey on localization techniques for wireless networks , 2006 .

[21]  J. Mcneff The global positioning system , 2002 .

[22]  Srdjan Capkun,et al.  GPS-free Positioning in Mobile Ad Hoc Networks , 2001, Proceedings of the 34th Annual Hawaii International Conference on System Sciences.

[23]  Srdjan Capkun,et al.  Distance enlargement and reduction attacks on ultrasound ranging , 2005, SenSys '05.

[24]  David C. Moore,et al.  Robust distributed network localization with noisy range measurements , 2004, SenSys '04.

[25]  David A. Wagner,et al.  Secure verification of location claims , 2003, WiSe '03.

[26]  Oktay Ureten,et al.  Wireless security through RF fingerprinting , 2007, Canadian Journal of Electrical and Computer Engineering.

[27]  Yoko NISHIMURA,et al.  Google Earth , 2008, Encyclopedia of GIS.

[28]  L. El Ghaoui,et al.  Convex position estimation in wireless sensor networks , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[29]  Prathima Agrawal,et al.  A low-cost robust localization scheme for WLAN , 2006, WICON '06.

[30]  Srdjan Capkun,et al.  Implications of radio fingerprinting on the security of sensor networks , 2007, 2007 Third International Conference on Security and Privacy in Communications Networks and the Workshops - SecureComm 2007.

[31]  Mani B. Srivastava,et al.  Dynamic fine-grained localization in Ad-Hoc networks of sensors , 2001, MobiCom '01.

[32]  Prathima Agrawal,et al.  TRaVarSeL-Transmission Range Variation based Secure Localization , 2007, Secure Localization and Time Synchronization for Wireless Sensor and Ad Hoc Networks.

[33]  Nils Ole Tippenhauer,et al.  UWB-based Secure Ranging and Localization , 2008 .

[34]  Radha Poovendran,et al.  SeRLoc: secure range-independent localization for wireless sensor networks , 2004, WiSe '04.

[35]  Srdjan Capkun,et al.  Secure positioning of wireless devices with application to sensor networks , 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies..

[36]  Toshiro Kawahara,et al.  Robust indoor location estimation of stationary and mobile users , 2004, IEEE INFOCOM 2004.

[37]  Ted Kremenek,et al.  A Probabilistic Room Location Service for Wireless Networked Environments , 2001, UbiComp.

[38]  Prathima Agrawal,et al.  Client assisted location data acquisition scheme for secure enterprise wireless networks , 2005, IEEE Wireless Communications and Networking Conference, 2005.

[39]  Wade Trappe,et al.  Robust statistical methods for securing wireless localization in sensor networks , 2005, IPSN 2005. Fourth International Symposium on Information Processing in Sensor Networks, 2005..

[40]  Markus G. Kuhn,et al.  Attacks on time-of-flight distance bounding channels , 2008, WiSec '08.

[41]  Srdjan Capkun,et al.  SECTOR: secure tracking of node encounters in multi-hop wireless networks , 2003, SASN '03.

[42]  J. Barney,et al.  Commercialization of an ultra wideband precision asset location system , 2003, IEEE Conference on Ultra Wideband Systems and Technologies, 2003.

[43]  Wenyuan Xu,et al.  The feasibility of launching and detecting jamming attacks in wireless networks , 2005, MobiHoc '05.

[44]  Srdjan Capkun,et al.  ROPE: robust position estimation in wireless sensor networks , 2005, IPSN 2005. Fourth International Symposium on Information Processing in Sensor Networks, 2005..

[45]  Donggang Liu,et al.  Attack-resistant location estimation in sensor networks , 2005, IPSN 2005. Fourth International Symposium on Information Processing in Sensor Networks, 2005..

[46]  Srdjan Capkun,et al.  Secure positioning in wireless networks , 2006, IEEE Journal on Selected Areas in Communications.

[47]  Deborah Estrin,et al.  GPS-less low-cost outdoor localization for very small devices , 2000, IEEE Wirel. Commun..

[48]  Anjur Sundaresan Krishnakumar,et al.  Infrastructure-based location estimation in WLAN networks , 2004 .

[49]  Srdjan Capkun,et al.  Secure Localization with Hidden and Mobile Base Stations , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.