Et Tu Alexa? When Commodity WiFi Devices Turn into Adversarial Motion Sensors

Our work demonstrates a new set of silent reconnaissance attacks, which leverages the presence of commodity WiFi devices to track users inside private homes and offices, without compromising any WiFi network, data packets, or devices. We show that just by sniffing existing WiFi signals, an adversary can accurately detect and track movements of users inside a building. This is made possible by our new signal model that links together human motion near WiFi transmitters and variance of multipath signal propagation seen by the attacker sniffer outside of the property. The resulting attacks are cheap, highly effective, and yet difficult to detect. We implement the attack using a single commodity smartphone, deploy it in 11 real-world offices and residential apartments, and show it is highly effective. Finally, we evaluate potential defenses, and propose a practical and effective defense based on AP signal obfuscation.

[1]  François Marx,et al.  Advanced Integration of WiFi and Inertial Navigation Systems for Indoor Mobile Positioning , 2006, EURASIP J. Adv. Signal Process..

[2]  Raheem Beyah,et al.  GTID: A Technique for Physical Device and Device Type Fingerprinting , 2015, IEEE Transactions on Dependable and Secure Computing.

[3]  Catuscia Palamidessi,et al.  Optimal Geo-Indistinguishable Mechanisms for Location Privacy , 2014, CCS.

[4]  Moustafa Youssef,et al.  Nuzzer: A Large-Scale Device-Free Passive Localization System for Wireless Environments , 2009, IEEE Transactions on Mobile Computing.

[5]  Gabi Nakibly,et al.  PowerSpy: Location Tracking Using Mobile Device Power Analysis , 2015, USENIX Security Symposium.

[6]  Srinivasan Seshan,et al.  Access Point Localization Using Local Signal Strength Gradient , 2009, PAM.

[7]  Yusheng Ji,et al.  Leveraging RF-channel fluctuation for activity recognition: Active and passive systems, continuous and RSSI-based signal features , 2013, MoMM '13.

[8]  Shyamnath Gollakota,et al.  Wi-Fi Gesture Recognition on Existing Devices , 2014, ArXiv.

[9]  Guobin Shen,et al.  BeepBeep: a high accuracy acoustic ranging system using COTS mobile devices , 2007, SenSys '07.

[10]  Sneha Kumar Kasera,et al.  Preserving Location Privacy in Radio Networks Using a Stackelberg Game Framework , 2016, Q2SWinet@MSWiM.

[11]  Kamin Whitehouse,et al.  Protecting your daily in-home activity information from a wireless snooping attack , 2008, UbiComp.

[12]  Shu Wang,et al.  Acoustic Eavesdropping through Wireless Vibrometry , 2015, MobiCom.

[13]  Jiguo Yu,et al.  Side-channel information leakage of encrypted video stream in video surveillance systems , 2016, IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications.

[14]  Mauro Conti,et al.  Peek-a-boo: i see your smart home activities, even encrypted! , 2018, WISEC.

[15]  Guobin Shen,et al.  Experiencing and handling the diversity in data density and environmental locality in an indoor positioning service , 2014, MobiCom.

[16]  J. Seybold Introduction to RF Propagation , 2005 .

[17]  Jie Xiong,et al.  ArrayTrack: A Fine-Grained Indoor Location System , 2011, NSDI.

[18]  Prathima Agrawal,et al.  ARIADNE: a dynamic indoor signal map construction and localization system , 2006, MobiSys '06.

[19]  Bhaskar Krishnamachari,et al.  Ecolocation: a sequence based technique for RF localization in wireless sensor networks , 2005, IPSN 2005. Fourth International Symposium on Information Processing in Sensor Networks, 2005..

[20]  Ben Y. Zhao,et al.  Adversarial Localization against Wireless Cameras , 2018, HotMobile.

[21]  Nick Feamster,et al.  Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic , 2017, ArXiv.

[22]  Wenyuan Xu,et al.  DeWiCam: Detecting Hidden Wireless Cameras via Smartphones , 2018, AsiaCCS.

[23]  Jinjun Liu,et al.  Passive Human Trajectory Tracking Study in Indoor Environment with CSI , 2018, 2018 International Conference on Networking and Network Applications (NaNA).

[24]  Shwetak N. Patel,et al.  Whole-home gesture recognition using wireless signals , 2013, MobiCom.

[25]  P. Rousseeuw,et al.  Alternatives to the Median Absolute Deviation , 1993 .

[26]  Yusheng Ji,et al.  RF-Sensing of Activities from Non-Cooperative Subjects in Device-Free Recognition Systems Using Ambient and Local Signals , 2014, IEEE Transactions on Mobile Computing.

[27]  Kannan Srinivasan,et al.  PhyCloak: Obfuscating Sensing from Communication Signals , 2016, USENIX Annual Technical Conference.

[28]  David Wetherall,et al.  Tool release: gathering 802.11n traces with channel state information , 2011, CCRV.

[29]  Jie Yang,et al.  E-eyes: device-free location-oriented activity identification using fine-grained WiFi signatures , 2014, MobiCom.

[30]  Tong Xin,et al.  FreeSense: Indoor Human Identification with Wi-Fi Signals , 2016, 2016 IEEE Global Communications Conference (GLOBECOM).

[31]  Lili Qiu,et al.  CAT: high-precision acoustic motion tracking , 2016, MobiCom.

[32]  Sheng Tan,et al.  WiFinger: leveraging commodity WiFi for fine-grained finger gesture recognition , 2016, MobiHoc.

[33]  William Enck,et al.  HomeSnitch: behavior transparency and control for smart home IoT devices , 2019, WiSec.

[34]  Wajih Ul Hassan,et al.  Analysis of Privacy Protections in Fitness Tracking Social Networks -or- You can run, but can you hide? , 2018, USENIX Security Symposium.

[35]  Matthias Hollick,et al.  Shadow Wi-Fi: Teaching Smartphones to Transmit Raw Signals and to Extract Channel State Information to Implement Practical Covert Channels over Wi-Fi , 2018, MobiSys.

[36]  Dina Katabi,et al.  Duet , 2018, Proc. ACM Interact. Mob. Wearable Ubiquitous Technol..

[37]  Graeme E. Smith,et al.  Through-the-Wall Sensing of Personnel Using Passive Bistatic WiFi Radar at Standoff Distances , 2012, IEEE Transactions on Geoscience and Remote Sensing.

[38]  Xi Xiong,et al.  Customizing indoor wireless coverage via 3D-fabricated reflectors , 2017, BuildSys@SenSys.

[39]  Shan Lin,et al.  WiDet: Wi-Fi Based Device-Free Passive Person Detection with Deep Convolutional Neural Networks , 2018, MSWiM.

[40]  Mathieu Cunche,et al.  Spread of MAC address randomization studied using locally administered MAC addresses use historic , 2018 .

[41]  Sachin Katti,et al.  WiDeo: Fine-grained Device-free Motion Tracing using RF Backscatter , 2015, NSDI.

[42]  Paramvir Bahl,et al.  RADAR: an in-building RF-based user location and tracking system , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[43]  Triet Vo Huu,et al.  Inferring User Routes and Locations Using Zero-Permission Mobile Sensors , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[44]  Rosdiadee Nordin,et al.  Recent Advances in Wireless Indoor Localization Techniques and System , 2013, J. Comput. Networks Commun..

[45]  P. Sen,et al.  Large sample methods in statistics , 1993 .

[46]  Ben Y. Zhao,et al.  Preserving Location Privacy in Geosocial Applications , 2014, IEEE Transactions on Mobile Computing.

[47]  Chi Zhang,et al.  LiTell: robust indoor localization using unmodified light fixtures , 2016, MobiCom.

[48]  Moustafa Youssef,et al.  CoSDEO 2016 Keynote: A decade later — Challenges: Device-free passive localization for wireless environments , 2016, 2016 IEEE International Conference on Pervasive Computing and Communication Workshops (PerCom Workshops).

[49]  Yubo Yan,et al.  Motion-Fi: Recognizing and Counting Repetitive Motions with Passive Wireless Backscattering , 2018, IEEE INFOCOM 2018 - IEEE Conference on Computer Communications.

[50]  Heejo Lee,et al.  Carving secure wi-fi zones with defensive jamming , 2012, ASIACCS '12.

[51]  Lei Yang,et al.  Tagoram: real-time tracking of mobile RFID tags to high precision using COTS devices , 2014, MobiCom.

[52]  Carmela Troncoso,et al.  Back to the Drawing Board: Revisiting the Design of Optimal Location Privacy-preserving Mechanisms , 2017, CCS.

[53]  Yunhao Liu,et al.  Widar2.0: Passive Human Tracking with a Single Wi-Fi Link , 2018, MobiSys.

[54]  Nils Ole Tippenhauer,et al.  IoTScanner: Detecting Privacy Threats in IoT Neighborhoods , 2017, IoTPTS@AsiaCCS.

[55]  Xiang Li,et al.  Dynamic-MUSIC: accurate device-free indoor localization , 2016, UbiComp.

[56]  Yinjing Guo,et al.  A Survey on Human Behavior Recognition Using Channel State Information , 2019, IEEE Access.

[57]  Yunhao Liu,et al.  From RSSI to CSI , 2013, ACM Comput. Surv..

[58]  Fadel Adib,et al.  See through walls with WiFi! , 2013, SIGCOMM.

[59]  Gary Steri,et al.  Privacy leakages in Smart Home wireless technologies , 2014, 2014 International Carnahan Conference on Security Technology (ICCST).

[60]  Dina Katabi,et al.  iJam: Jamming Oneself for Secure Wireless Communication , 2010 .

[61]  Fan Zhang,et al.  Inferring users' online activities through traffic analysis , 2011, WiSec '11.

[62]  Shahrokh Valaee,et al.  A Survey on Behavior Recognition Using WiFi Channel State Information , 2017, IEEE Communications Magazine.

[63]  Sachin Katti,et al.  Position Tracking for Virtual Reality Using Commodity WiFi , 2017, 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR).

[64]  Yasamin Mostofi,et al.  Magnitude-Based Angle-of-Arrival Estimation, Localization, and Target Tracking , 2018, 2018 17th ACM/IEEE International Conference on Information Processing in Sensor Networks (IPSN).

[65]  Luis E. Ortiz,et al.  WiGEM: a learning-based approach for indoor localization , 2011, CoNEXT '11.

[66]  Yao Liu,et al.  Location-restricted Services Access Control Leveraging Pinpoint Waveforming , 2015, CCS.

[67]  Erik C. Rye,et al.  A Study of MAC Address Randomization in Mobile Devices and When it Fails , 2017, Proc. Priv. Enhancing Technol..

[68]  Sneha Kumar Kasera,et al.  Violating privacy through walls by passive monitoring of radio windows , 2014, WiSec '14.

[69]  Chenglin Miao,et al.  Towards Environment Independent Device Free Human Activity Recognition , 2018, MobiCom.

[70]  Fadel Adib,et al.  Multi-Person Localization via RF Body Reflections , 2015, NSDI.

[71]  Tadayoshi Kohno,et al.  CovertBand , 2017, Proc. ACM Interact. Mob. Wearable Ubiquitous Technol..

[72]  F. Hampel The Influence Curve and Its Role in Robust Estimation , 1974 .

[73]  Chuck Rieger,et al.  PinPoint: An Asynchronous Time-Based Location Determination System , 2006, MobiSys '06.

[74]  Qiang Liu,et al.  Practical Human Sensing in the Light , 2016, GETMBL.

[75]  Jun Zhang,et al.  A Review of Passive RFID Tag Antenna-Based Sensors and Systems for Structural Health Monitoring Applications , 2017, Sensors.

[76]  Li Xiong,et al.  Protecting Locations with Differential Privacy under Temporal Correlations , 2014, CCS.

[77]  Tao Li,et al.  DPSense: Differentially Private Crowdsourced Spectrum Sensing , 2016, CCS.

[78]  Sachin Katti,et al.  SpotFi: Decimeter Level Localization Using WiFi , 2015, SIGCOMM.

[79]  Fadel Adib,et al.  Emotion recognition using wireless signals , 2016, MobiCom.

[80]  Wei Wang,et al.  Understanding and Modeling of WiFi Signal Based Human Activity Recognition , 2015, MobiCom.

[81]  Kamin Whitehouse,et al.  Multipath Triangulation: Decimeter-level WiFi Localization and Orientation with a Single Unaided Receiver , 2018, MobiSys.

[82]  Swarun Kumar,et al.  Decimeter-Level Localization with a Single WiFi Access Point , 2016, NSDI.

[83]  Longfei Shangguan,et al.  Towards Programming the Radio Environment with Large Arrays of Inexpensive Antennas , 2019, NSDI.