PH.D DEFENCE - PUBLIC SEMINAR

Risks and Use of Side Channels in Modern Wireless Systems

Speaker: Ms Nitya Lakshmanan
Advisor: Dr Chin Wei Ngan, Associate Professor, School of Computing


07 Feb 2022 Monday, 09:00 AM to 10:30 AM

Zoom presentation

Abstract:

Modern wireless systems evolve with every generation, introducing new features, techniques, and designs to enhance system performance (e.g., high data rate). These advancements make wireless systems complex, rendering them highly susceptible to new side-channel risks. In this thesis, we explore side-channel risks in protocol features meant to improve the performance of modern wireless systems, particularly in the presence of user activities. We demonstrate that a user's physical (e.g., walking, hand movement) and online (e.g., video streaming, file download) activities trigger changes in these lower-layer protocol features. These changes result in side channels that can either be leveraged to detect attacks or exploited to violate user privacy.

We begin by exploring a well-known feature in the physical layer of the Wi-Fi system, namely, the Channel State Information (CSI). CSI is an estimation of the wireless channel characteristics and plays a crucial role in increasing the channel capacity, and thereby the performance, of wireless systems. CSI is also a side channel that reveals information about a user's physical activity. We leverage this information and propose a novel case study to detect video looping attacks on surveillance systems. We demonstrate the feasibility of the proposed technique in a controlled office environment.

Subsequently, we investigate the data-link layer of modern cellular networks and discover a novel side channel present in a feature called Carrier Aggregation (CA). CA enables multiple base stations to concurrently transmit data to a single user, thereby increasing the overall data rate. The side channel we discover is the number of actively transmitting base stations during the CA operation. When a user walks along a path, this CA side channel leaks location information. We propose to exploit the CA side channel to accurately identify the walking paths of the target user among a set of candidate paths. We demonstrate the feasibility of the attack in a typical indoor multi-story office building.

We further investigate the newly discovered CA side channel and observe that a user's online activities (e.g., video streaming) leak additional side-channel information. Specifically, when a user streams a video, the CA side channel (i.e., number of transmitting base stations) and its corresponding timing information (i.e., how long each base station is transmitting) leak the video title. We propose to augment the CA side channel with the timing information to infer video titles that a target user watches from a pre-defined set. We demonstrate the effectiveness of the attack in two existing cellular networks in two countries.

Finally, we discuss countermeasures that can eliminate the CA side channel from future cellular systems. We also provide suggestions for cellular operators to reduce the effectiveness of the side-channel attacks in existing cellular networks.