Scalable Multi-Modal Learning for Cross-Link Channel Prediction in Massive IoT Networks
Kun Woo Cho, Marco Cominelli, Francesco Gringoli, Joerg Widmer, and Kyle Jamieson
In Proceedings of the 24th International Symposium on Theory, Algorithmic Foundations, and Protocol Design for Mobile Networks and Mobile Computing (ACM MobiHoc), 2023
Tomorrow’s massive-scale IoT sensor networks are poised to drive uplink traffic demand, especially in areas of dense deployment. To meet this demand, however, network designers leverage tools that often require accurate estimates of Channel State Information (CSI), which incurs a high overhead and thus reduces network throughput. Furthermore, the overhead generally scales with the number of clients, and so is of special concern in such massive IoT sensor networks. While prior work has used transmissions over one frequency band to predict the channel of another frequency band on the same link, this paper takes the next step in the effort to reduce CSI overhead: predict the CSI of a nearby but distinct link. We propose Cross-Link Channel Prediction (CLCP), a technique that leverages multi-view representation learning to predict the channel response of a large number of users, thereby reducing channel estimation overhead further than previously possible. CLCP’s design is highly practical, exploiting existing transmissions rather than dedicated channel sounding or extra pilot signals. We have implemented CLCP for two different Wi-Fi versions, namely 802.11n and 802.11ax, the latter being the leading candidate for future IoT networks. We evaluate CLCP in two large-scale indoor scenarios involving both line-of-sight and non-line-of-sight transmissions with up to 144 different 802.11ax users and four different channel bandwidths, from 20 MHz up to 160 MHz. Our results show that CLCP provides a 2× throughput gain over baseline and a 30% throughput gain over existing prediction algorithms.
@inproceedings{10.1145/3565287.3610280,author={Cho, Kun Woo and Cominelli, Marco and Gringoli, Francesco and Widmer, Joerg and Jamieson, Kyle},title={Scalable Multi-Modal Learning for Cross-Link Channel Prediction in Massive IoT Networks},year={2023},isbn={9781450399265},publisher={Association for Computing Machinery},address={New York, NY, USA},url={https://doi.org/10.1145/3565287.3610280},doi={10.1145/3565287.3610280},booktitle={Proceedings of the 24th International Symposium on Theory, Algorithmic Foundations, and Protocol Design for Mobile Networks and Mobile Computing (ACM MobiHoc)},pages={221–229},numpages={9},location={Washington, DC, USA}}
Wi-Fi devices can effectively be used as passive radar systems that sense what happens in the surroundings and can even discern human activity. We propose, for the first time, a principled architecture which employs Variational Auto-Encoders for estimating a latent distribution responsible for generating the data, and Evidential Deep Learning for its ability to sense out-of-distribution activities. We verify that the fused data processed by different antennas of the same Wi-Fi receiver results in increased accuracy of human activity recognition compared with the most recent benchmarks, while still being informative when facing out-of-distribution samples and enabling semantic interpretation of latent variables in terms of physical phenomena. The results of this paper are a first contribution toward the ultimate goal of providing a flexible, semantic characterisation of black-swan events, i.e., events for which we have limited to no training data.
@inproceedings{10224098,author={Cominelli, Marco and Gringoli, Francesco and Kaplan, Lance M. and Srivastava, Mani B. and Cerutti, Federico},booktitle={26th International Conference on Information Fusion (FUSION)},title={Accurate Passive Radar via an Uncertainty-Aware Fusion of Wi-Fi Sensing Data},year={2023},pages={1-8},doi={10.23919/FUSION52260.2023.10224098}}
Wi-Fi sensing as a side-effect of communications is opening new opportunities for smart services integrating communications with environmental properties, first and foremost the position of devices and people. At the same time, this technology represents an unprecedented threat to people’s privacy, as personal information can be collected directly at the physical layer without any possibility to hide or protect it. Several works already discussed the possibility of safeguarding users’ privacy without hampering communication performance, using signal pre-processing at the transmitter side to introduce pseudo-random (artificial) patterns in the channel response estimated at the receiver, preventing the extraction of meaningful information from the channel state, a process called obfuscation. One step beyond the proof-of-concept for obfuscation feasibility is its implementation in working systems. In this work, we present the implementation of a location obfuscation technique within the openwifi project that enables fine manipulation of the radio signal at transmitter side and yields acceptable, if not good, performance. The system has been implemented for both 802.11a/g/h and 802.11n systems, including MPDU aggregation, while implementation for 802.11ac or ax is still not feasible because openwifi does not support 40 MHz channelization and beyond. This contribution discusses the implementation of the obfuscation subsystem, its performance, possible improvements, and further steps to allow authorized devices to “de-obfuscate” the signal and retrieve the sensed information.
@article{10.1016/j.comcom.2023.03.026,author={Ghiro, Lorenzo and Cominelli, Marco and Gringoli, Francesco and {Lo Cigno}, Renato},journal={Computer Communications},title={Wi-Fi Localization Obfuscation: An implementation in openwifi},year={2023},issn={0140-3664},doi={10.1016/j.comcom.2023.03.026},url={https://www.sciencedirect.com/science/article/pii/S0140366423001111},keywords={CSI-based Wi-Fi localization, Smart spaces, Privacy protection, Location obfuscation, FPGA implementation, Physical layer security},month=may}
Thanks to the ubiquitous deployment of Wi-Fi hotspots, channel state information (CSI)-based Wi-Fi sensing can unleash game-changing applications in many fields, such as healthcare, security, and entertainment. However, despite one decade of active research on Wi-Fi sensing, most existing work only considers legacy IEEE 802.11n devices, often in particular and strictly-controlled environments. Worse yet, there is a fundamental lack of understanding of the impact on CSI-based sensing of modern Wi-Fi features, such as 160-MHz bandwidth, multiple-input multiple-output (MIMO) transmissions, and increased spectral resolution in IEEE 802.11ax (Wi-Fi 6). This work aims to shed light on the impact of Wi-Fi 6 features on the sensing performance and to create a benchmark for future research on Wi-Fi sensing. To this end, we perform an extensive CSI data collection campaign involving 3 individuals, 3 environments, and 12 activities, using Wi-Fi 6 signals. An anonymized ground truth obtained through video recording accompanies our 80-GB dataset, which contains almost two hours of CSI data from three collectors. We leverage our dataset to dissect the performance of a state-of-the-art sensing framework across different environments and individuals. Our key findings suggest that (i) MIMO transmissions and higher spectral resolution might be more beneficial than larger bandwidth for sensing applications; (ii) there is a pressing need to standardize research on Wi-Fi sensing because the path towards a truly environment-independent framework is still uncertain. To ease the experiments’ replicability and address the current lack of Wi-Fi 6 CSI datasets, we release our 80-GB dataset to the community.
@inproceedings{10.1109/PERCOM56429.2023.10099368,author={Cominelli, Marco and Gringoli, Francesco and Restuccia, Francesco},booktitle={21st IEEE International Conference on Pervasive Computing and Communications (PerCom)},title={Exposing the CSI: A Systematic Investigation of CSI-based Wi-Fi Sensing Capabilities and Limitations},year={2023},pages={81-90},keywords={},doi={10.1109/PERCOM56429.2023.10099368},issn={2474-249X},month=mar}
The path toward 6G is still long and blurred, but a few key points seem to be already decided: integration of many different access networks; adoption of massive MIMO technologies; use of frequencies above current radio spectrum up to THz and beyond; and inclusion of artificial intelligence and machine learning in standard management and operations. One additional point that is less discussed, but seems key for success, is the advanced use of channel state information (CSI) for both equalization and decoding purposes as well as for sensing ones. CSI-based sensing promises a plethora of new applications and a quantum leap in service personalization and customer-centric network management. At the same time, CSI analysis, being based on the physical characteristics of the propagated signal, poses novel threats to people’s privacy and security: No software-based solution or cryptographic method above the physical layer can prevent the analysis of CSI. CSI analysis can reveal people’s position or activity, allow tracking them, and discover details on the environment that today can be seen only with cameras or radars. In this article, we discuss the current status of CSI-based sensing and present some technologies that can protect people’s privacy and at the same time allow legitimate use of the information carried by the CSI to offer better services.
@article{10.1109/MNET.010.2100740,author={Cigno, Renato Lo and Gringoli, Francesco and Cominelli, Marco and Ghiro, Lorenzo},journal={IEEE Network},title={Integrating CSI Sensing in Wireless Networks: Challenges to Privacy and Countermeasures},year={2022},volume={36},number={4},pages={174-180},keywords={},doi={10.1109/MNET.010.2100740},issn={1558-156X},month=jul}
Wi-Fi sensing as a side-effect of communications is opening new opportunities for smart services integrating communications with environmental properties, first and foremost the position of devices and people. At the same time, this technology represents an unprecedented threat to people’s privacy, as personal information can be collected directly at the physical layer without any possibility to hide or protect it. Several works already discussed the possibility of safeguarding users’ privacy without hampering communication performance. Usually, some signal pre-processing at the transmitter side is needed to introduce pseudo-random (artificial) patterns in the channel response estimated at the receiver, preventing the extraction of meaningful information from the channel state. However, there is currently just one implementation of such techniques in a real system (openwifi), and it has never been tested for performance. In this work, we present the implementation of a location obfuscation technique within the openwifi project that enables fine manipulation of the radio signal at transmitter side and yields acceptable, if not good, performance. The paper discusses the implementation of the obfuscation subsystem, its performance, possible improvements, and further steps to allow authorized devices to “de-obfuscate” the signal and retrieve the sensed information.
@inproceedings{10.1109/MedComNet55087.2022.9810411,author={Ghiro, Lorenzo and Cominelli, Marco and Gringoli, Francesco and Cigno, Renato Lo},booktitle={20th Mediterranean Communication and Computer Networking Conference (MedComNet)},title={On the Implementation of Location Obfuscation in openwifi and Its Performance},year={2022},volume={},number={},pages={64-73},keywords={},doi={10.1109/MedComNet55087.2022.9810411},issn={},month=jun}
The use of Channel State Information (CSI) as a means of sensing the environment through Wi-Fi communications, and in particular to locate the position of unaware people, was proven feasible several years ago and now it is moving from feasibility studies to high precision applications, thus posing a serious threat to people’s privacy in workplaces, at home, and maybe even outdoors. The work we present in this paper explores how the use of multiple localization receivers can enhance the precision and robustness of device-free CSI-based localization with a method based on a state-of-the-art Convolutional Neural Network. Furthermore, we explore the effect of the inter-antenna distance on localization, both with multiple receivers and with a single MIMO receiver. Next we discuss how a randomized pre-filtering at the transmitter can hide the information that the CSI carries on the location of one person indoors. We formalize the pre-filtering as a per-frame, per-subcarrier amplitude multiplication based on a Markovian stochastic process, and we discuss different signal clipping and smoothing methods highlighting the existence of a trade-off between communication performance and obfuscation efficiency. The methodology can in any case guarantee almost unhampered communications with very good localization obfuscation. Results are presented discussing two different ways of exploiting the multi-receiver or multi-antenna redundancy and how, in any case, properly randomized pre-distortion at the transmitter can prevent localization even if the attack is carried out with multiple localization devices (receivers controlled by the attacker) and not only with a multi-antenna (MIMO) receiver.
@article{10.1016/j.comcom.2022.03.011,title={On the properties of device-free multi-point CSI localization and its obfuscation},journal={Computer Communications},volume={189},pages={67-78},month=may,year={2022},issn={0140-3664},doi={10.1016/j.comcom.2022.03.011},url={https://www.sciencedirect.com/science/article/pii/S014036642200086X},author={Cominelli, Marco and Gringoli, Francesco and {Lo Cigno}, Renato},keywords={CSI-based Wi-Fi localization, Smart spaces, Privacy protection, Location obfuscation, Markovian modeling}}
Channel State Information (CSI)-based localization with 802.11 has been proven feasible in multiple scenarios and is becoming a serious threat to people’s privacy in workplaces, at home, and maybe even outdoors. Countering unauthorized localization without hampering communications is a non-trivial task, although some very recent works suggest that it is feasible with marginal modification of the 802.11 transmission chain, but this requires modifying 802.11 devices. Furthermore, if the attacker controls two devices and not just a receiver, transmission side signal manipulation cannot help. This work explores the possibility of countering CSI based localization with an active device that, instead of jamming signals to avoid that a malicious receiver exploits CSI information to locate a person, superimposes on frames a copy of the same frame signal whose goal is not destroying reception as in jamming, but only to obfuscate the location-relevant information carried by the CSI. A prototype implementation and early results look promising; they show the feasibility of location obfuscation with high efficiency and excellent preservation of communication performance, and indicate that the technique works both against passive attacks, where the attacker controls only a receiver, and active ones, where he/she controls both a transmitter and a receiver. These results pave the road for further research on smart spaces that preserve users’ privacy with a technical solution and not only via legal prescriptions.
@article{10.1016/j.comcom.2021.12.019,title={AntiSense: Standard-compliant CSI obfuscation against unauthorized Wi-Fi sensing},journal={Computer Communications},volume={185},pages={92-103},month=mar,year={2022},issn={0140-3664},doi={10.1016/j.comcom.2021.12.019},url={https://www.sciencedirect.com/science/article/pii/S0140366421004916},author={Cominelli, Marco and Gringoli, Francesco and {Lo Cigno}, Renato},keywords={CSI-based Wi-Fi localization, Smart spaces, Privacy protection, Location obfuscation}}
Channel state information (CSI) is paramount to modern Wi-Fi communication systems, as it allows for proper equalization of frames at the receiver side and enables advanced signal processing techniques such as beamforming and MIMO. Given that the CSI can accurately mirror physical changes in the wireless channel, CSI analysis has become a valuable resource to many wireless sensing applications based on the opportunistic use of Wi-Fi signals. Since CSI can usually not be accessed by users directly, several CSI extraction tools have been published over the last few years for various Wi-Fi chipsets. In this paper, we present the first system ever capable of extracting CSI from 802.11ax consumer devices using the Broadcom 43684 Wi-Fi chipset. This platform can extract up to 160 MHz-wide CSI using 4x4 MIMO, and it is compatible with the latest HE PHY. We make our CSI extraction tool available to the research community to foster further work on this emerging topic.
@inproceedings{10.1145/3477086.3480833,author={Gringoli, Francesco and Cominelli, Marco and Blanco, Alejandro and Widmer, Joerg},title={AX-CSI: Enabling CSI Extraction on Commercial 802.11ax Wi-Fi Platforms},month=oct,year={2021},isbn={9781450387033},publisher={Association for Computing Machinery},address={New York, NY, USA},url={https://doi.org/10.1145/3477086.3480833},doi={10.1145/3477086.3480833},booktitle={15th ACM Workshop on Wireless Network Testbeds, Experimental Evaluation & CHaracterization},pages={46–53},numpages={8},keywords={Wi-Fi, 802.11ax, Channel State Information},location={New Orleans, LA, USA},series={WiNTECH'21}}
WiFi location systems are remarkably accurate, with decimeter-level errors for recent CSI-based systems. However, such high accuracy is achieved under Line-of-Sight (LOS) conditions and with an access point (AP) density that is much higher than that typically found in current deployments that primarily target good coverage. In contrast, when many of the APs within range are in Non-Line-of-Sight (NLOS), the location accuracy degrades drastically. In this paper we present UbiLocate, a WiFi location system that copes well with common AP deployment densities and works ubiquitously, i.e., without excessive degradation under NLOS. UbiLocate demonstrates that meter-level median accuracy NLOS localization is possible through (i) an innovative angle estimator based on a Nelder-Mead search, (ii) a fine-grained time of flight ranging system with nanosecond resolution, and (iii) the accuracy improvements brought about by the increase in bandwidth and number of antennas of IEEE 802.11ac. In combination, they provide superior resolvability of multipath components, significantly improving location accuracy over prior work. We implement our location system on off-the-shelf 802.11ac devices and make the implementation, CSI-extraction tool and custom Fine Timing Measurement design publicly available to the research community. We carry out an extensive performance analysis of our system and show that it outperforms current state-of-the-art location systems by a factor of 2–3, both under LOS and NLOS.
@inproceedings{10.1145/3458864.3468850,author={Pizarro, Alejandro Blanco and Beltr\'{a}n, Joan Palacios and Cominelli, Marco and Gringoli, Francesco and Widmer, Joerg},title={Accurate Ubiquitous Localization with Off-the-Shelf IEEE 802.11ac Devices},month=jun,year={2021},isbn={9781450384438},publisher={Association for Computing Machinery},address={New York, NY, USA},url={https://doi.org/10.1145/3458864.3468850},doi={10.1145/3458864.3468850},booktitle={19th Annual International Conference on Mobile Systems, Applications, and Services},pages={241–254},numpages={14},keywords={CSI, wireless networks, ToF, indoor localization, 802.11ac, AoA},location={Virtual Event, Wisconsin},series={MobiSys '21}}
The use of Channel State Information (CSI) as a means of sensing the environment through Wi-Fi communications, and in particular to locate the position of unaware people, is moving from feasibility studies to high precision applications. The work we present in this paper explores how the use of multiple localization receivers can enhance the precision and robustness of device-free CSI-based localization with a method based on a state-of-the-art Convolutional Neural Network. Next we discuss how a randomized pre-filtering at the transmitter can hide the information that the CSI carries on the location of one person indoors, formalizing the manipulation technique. Results are presented discussing two different ways of exploiting the multi-receiver redundancy and how, in any case, properly randomized pre-distortion at the transmitter can prevent localization even if the attack is carried out with multiple localization devices (receivers controlled by the attacker).
@inproceedings{10.1109/MedComNet52149.2021.9501240,author={Cominelli, Marco and Gringoli, Francesco and Cigno, Renato Lo},booktitle={2021 19th Mediterranean Communication and Computer Networking Conference (MedComNet)},title={Passive Device-Free Multi-Point CSI Localization and Its Obfuscation with Randomized Filtering},year={2021},volume={},number={},pages={1-8},keywords={},doi={10.1109/MedComNet52149.2021.9501240},issn={},month=jun}
Passive, device-free localization of a person exploiting the Channel State Information (CSI) from Wi-Fi signals is quickly becoming a reality. While this capability would enable new applications and services, it also raises concerns about citizens’ privacy. In this work, we propose a carefully-crafted obfuscating technique against one of such CSI-based localization methods. In particular, we modify the transmitted I/Q samples by leveraging an irreversible randomized sequence. I/Q symbol manipulation at the transmitter distorts the location-specific information in the CSI while preserving communication, so that an attacker can no longer derive information on the user’s location. We test this technique against a Neural Network (NN)-based localization system and show that the randomization of the CSI makes undesired localization practically unfeasible. Both the localization system and the CSI randomization are implemented on real devices. The experimental results obtained in our laboratories show that the considered localization method works smoothly regardless of the environment, and that adding random information to the CSI prevents the localization, thus providing the community with a system that preserves location privacy and communication performance at the same time.
@article{10.1016/j.comnet.2021.107970,title={IEEE 802.11 CSI randomization to preserve location privacy: An empirical evaluation in different scenarios},journal={Computer Networks},volume={191},pages={107970},month=may,year={2021},issn={1389-1286},doi={10.1016/j.comnet.2021.107970},url={https://www.sciencedirect.com/science/article/pii/S138912862100102X},author={Cominelli, Marco and Kosterhon, Felix and Gringoli, Francesco and {Lo Cigno}, Renato and Asadi, Arash},keywords={Localization, Privacy, Channel state information, Neural networks, Wi-Fi, Randomization, Experiments and measures}}
Channel State Information (CSI) based localization with 802.11 has been proven feasible in multiple scenarios and is becoming a serious threat to people’s privacy in work spaces, at home, and maybe even outdoors, even if outdoor experiments proving the feasibility are still not available. Countering unauthorized localization without hampering communications is a nontrivial task, although some very recent works suggest that it is feasible with marginal modification of the 802.11 transmission chain, but this requires modifying 802.11 devices. Furthermore, if the attacker controls two devices and not only a receiver, transmission side signal manipulation cannot help. This work explores the possibility of countering CSI based localization with an active device that, instead of jamming signals to avoid that a malicious receiver exploits CSI information to locate a person, superimposes on frames a copy of the same frame signal whose goal is not destroying reception as in jamming, but only to obfuscate the location relevant information carried by the CSI. A prototype implementation and early results look promising; they show feasibility of location obfuscation with high efficiency and excellent preservation of communication performance, paving the road for further research and improved users’ privacy.
@inproceedings{10.23919/WONS51326.2021.9415586,author={Cominelli, Marco and Gringoli, Francesco and Cigno, Renato Lo},booktitle={2021 16th Annual Conference on Wireless On-demand Network Systems and Services Conference (WONS)},title={Non Intrusive Wi-Fi CSI Obfuscation Against Active Localization Attacks},year={2021},volume={},number={},pages={1-8},keywords={},doi={10.23919/WONS51326.2021.9415586},issn={},month=mar}
Passive device-free localization of a person exploiting the Channel State Information (CSI) from Wi-Fi signals is quickly becoming a reality. While this capability would enable new applications and services, it also raises concerns about citizens’ privacy. In this work, we propose a carefully-crafted obfuscating technique against one of such CSI-based localization methods. In particular, we modify the transmitted I/Q samples by leveraging an irreversible randomized sequence. I/Q symbol manipulation at the transmitter distorts the location-specific information in the CSI while preserving communication, so that an attacker can no longer derive information on the user’s location. We test this technique against a Neural Network (NN)-based localization system and show that the randomization of the CSI makes undesired localization practically unfeasible. Both the localization system and the randomization CSI management are implemented in real devices. The experimental results obtained in our laboratory show that the considered localization method (first proposed in an MSc thesis) works smoothly regardless of the environment, and that adding random information to the CSI messes up the localization, thus providing the community with a system that preserves location privacy and communication performance at the same time.
@inproceedings{10.1145/3411276.3412187,author={Cominelli, Marco and Kosterhon, Felix and Gringoli, Francesco and Cigno, Renato Lo and Asadi, Arash},title={An Experimental Study of CSI Management to Preserve Location Privacy},month=sep,year={2020},isbn={9781450380829},publisher={Association for Computing Machinery},address={New York, NY, USA},url={https://doi.org/10.1145/3411276.3412187},doi={10.1145/3411276.3412187},booktitle={14th International Workshop on Wireless Network Testbeds, Experimental Evaluation & Characterization},pages={64–71},numpages={8},keywords={neural networks, privacy, randomization, Wi-Fi, channel state information, experiments and measures, localization},location={London, United Kingdom},series={WiNTECH'20}}
Sniffing Bluetooth data sessions is considered a difficult task, because of the frequency-hopping channel access scheme this technology implements. In this paper we present a novel open-source sniffer that can monitor Bluetooth Low Energy (BLE) traffic on all channels in real time. The sniffer builds on a Software-Defined Radio (SDR) framework to capture the entire BLE spectrum and exploits Graphics Processing Unit (GPU) capabilities to channelize and process BLE traffic in real time. We show that our sniffer can easily and reliably detect active BLE connections, and infer their properties, including Access Address, CRC values and hopping sequences. From a general standpoint, we show that tracking many BLE data sessions at the same time becomes feasible even with relatively inexpensive equipment, as we are able to discover up to 24 simultaneous sessions within 80 ms on average.
@inproceedings{10.1109/MedComNet49392.2020.9191479,author={Cominelli, Marco and Patras, Paul and Gringoli, Francesco},booktitle={2020 Mediterranean Communication and Computer Networking Conference (MedComNet)},title={One GPU to Snoop Them All: a Full-Band Bluetooth Low Energy Sniffer},year={2020},volume={},number={},pages={1-4},keywords={},doi={10.1109/MedComNet49392.2020.9191479},issn={},month=jun}
Bluetooth Classic (BT) remains the de facto connectivity technology in car stereo systems, wireless headsets, laptops, and a plethora of wearables, especially for applications that require high data rates, such as audio streaming, voice calling, tethering, etc. Unlike in Bluetooth Low Energy (BLE), where address randomization is a feature available to manufacturers, BT addresses are not randomized because they are largely believed to be immune to tracking attacks. We analyze the design of BT and devise a robust de-anonymization technique that hinges on the apparently benign information leaking from frame encoding, to infer a piconet’s clock, hopping sequence, and ultimately the Upper Address Part (UAP) of the master device’s physical address, which are never exchanged in clear. Used together with the Lower Address Part (LAP), which is present in all frames transmitted, this enables tracking of the piconet master, thereby debunking the privacy guarantees of BT. We validate this attack by developing the first Software-defined Radio (SDR) based sniffer that allows full BT spectrum analysis (79 MHz) and implements the proposed de-anonymization technique. We study the feasibility of privacy attacks with multiple testbeds, considering different numbers of devices, traffic regimes, and communication ranges. We demonstrate that it is possible to track BT devices up to 85 meters from the sniffer, and achieve more than 80% device identification accuracy within less than 1 second of sniffing and 100% detection within less than 4 seconds. Lastly, we study the identified privacy attack in the wild, capturing BT traffic at a road junction over 5 days, demonstrating that our system can re-identify hundreds of users and infer their commuting patterns.
@inproceedings{10.1109/SP40000.2020.00091,author={Cominelli, Marco and Gringoli, Francesco and Patras, Paul and Lind, Margus and Noubir, Guevara},booktitle={2020 IEEE Symposium on Security and Privacy (SP)},title={Even Black Cats Cannot Stay Hidden in the Dark: Full-band De-anonymization of Bluetooth Classic Devices},year={2020},volume={},number={},pages={534-548},keywords={},doi={10.1109/SP40000.2020.00091},issn={2375-1207},month=may}
The recently released Bluetooth 5.1 specification introduces fine-grained positioning capabilities in this wireless technology, which is deemed essential to context-/location-based Internet of Things (IoT) applications. In this paper, we evaluate experimentally, for the first time, the accuracy of a positioning system based on the Angle of Arrival (AoA) mechanism adopted by the Bluetooth standard. We first scrutinize the fidelity of angular detection and then assess the feasibility of using angle information from multiple fixed receivers to determine the position of a device. Our results reveal that angular detection is limited to a restricted range. On the other hand, even in a simple deployment with only two antennas per receiver, the AoA-based positioning technique can achieve sub-meter accuracy; yet attaining localization within a few centimeters remains a difficult endeavor. We then demonstrate that a malicious device may be able to easily alter the truthfulness of the measured AoA, by tampering with the packet structure. To counter this protocol weakness, we propose simple remedies that are missing in the standard, but which can be adopted with little effort by manufacturers, to secure the Bluetooth 5.1 positioning system.
@inproceedings{10.1145/3349623.3355475,author={Cominelli, Marco and Patras, Paul and Gringoli, Francesco},title={Dead on Arrival: An Empirical Study of The Bluetooth 5.1 Positioning System},month=oct,year={2019},isbn={9781450369312},publisher={Association for Computing Machinery},address={New York, NY, USA},url={https://doi.org/10.1145/3349623.3355475},doi={10.1145/3349623.3355475},booktitle={13th International Workshop on Wireless Network Testbeds, Experimental Evaluation & Characterization},pages={13–20},numpages={8},keywords={software-defined radio, direction finding, bluetooth low energy, angle of arrival, wireless positioning},location={Los Cabos, Mexico},series={WiNTECH '19}}