Shadow Wi-Fi: Teaching Smartphones to Transmit Raw Signals and to Extract Channel State Information to Implement Practical Covert Channels over Wi-Fi

Wi-Fi chips offer vast capabilities that are not accessible through the manufacturers' official firmware. Unleashing those capabilities can enable innovative applications on off-the-shelf devices. In this work, we demonstrate how to transmit raw IQ samples from a large buffer on Wi-Fi chips. We further show how to extract channel state information (CSI) on a per-frame basis. As a proof-of-concept application, we build a covert channel on top of Wi-Fi to stealthily exchange information between two devices by prefiltering Wi-Fi frames prior to transmission. On the receiver side, the CSI is used to extract the embedded information. By means of experimentation, we show that regular Wi-Fi clients can still demodulate the underlying Wi-Fi frames. Our results show that covert channels on the physical layer are practical and run on off-the-shelf smartphones. By making available our raw signal transmitter, the CSI extractor, and the covert channel application to the research community, we ensure reproducibility and offer a platform for further innovative applications on Wi-Fi devices.
