Publications

We publish our research papers at a wide spectrum of venues. Our papers received 20 awards at international conferences and journals. Among them are the IEEE WoWMoM’13 Best Demo Award, IEEE WoWMoM’14 Best Paper Award, IEEE WoWMoM’14 Best Poster Award, ACM WiSec’15 Best Paper Award, ACM WiSec’17 Best Paper Award, ACM WiNTECH’17 Best Paper Award, ACM MobiCom’18 Best Community Paper Award, ACM MobiCom’18 Best Demo Award, ACM WiNTECH’18 Best Demo Award, EWSN’20 Best Demo Award, ACM WiSec’20 Best Demo Award, IEEE WoWMoM’20 Best Paper Award, ACM IMWUT’20 Distinguished Paper Award, ACM WiSec’21 Best Demo Award, ACM WiSec’21 Best Demo Award, DCOSS’21 Best Paper Award, ACM WiSec’22 Best Paper Award, ACM CHI’23 Best Paper Award, ACM CSCW’24 Best Paper Award, and ACM CHI’25 Honorable Mention Award.
No results match your search criteria.

  2025  Technische Universität Darmstadt Darmstadt PhD thesis

Cyber Attack Prevention and Detection for Electric Vehicle Charging

Dustin Kern

PDF BibTeX DOI: 10.26083/tuprints-00029823

Abstract
The increasing adoption of Electric Vehicles (EVs) is transforming the automotive landscape, driven by the need for a more sustainable transportation sector. To support the widespread use of EVs, an efficient and reliable charging infrastructure is essential. For this, several related communication protocols and backend systems have been established to manage power delivery, authorization, and billing. The main goals are the security of charge session payments and a power grid-friendly scheduling of EV charging loads. The charging of EVs, however, also involves various security risks in associated use-cases. On the one hand, regarding the use-case of charge authorization and billing, existing protocols fail to protect against relevant adversaries. As a result, backend operators are exposed to the risk of significant financial damages and EV users are exposed to severe privacy risks. On the other hand, regarding the use-case of charge session power control and load balancing, existing processes can be manipulated by compromised systems. As a result, adversaries may be able to cause severe physical damage to involved systems and potentially harm power grid operations. In this dissertation, we address selected security risks. For charge authorization and billing, we present three solutions to enhance the preventive security of EV charging protocols. More specifically, we present concepts (i) for the integration of crypto-agility and the use of Post-Quantum Cryptography (PQC), (ii) for the use of Self-Sovereign Identities (SSIs) to enhance EV user privacy, and (iii) for the adoption of a standardized authorization framework to reduce existing complexity. Regarding manipulations of charge session control, we present several concepts for the analysis, detection, and mitigation of related attacks. More specifically, we present (i) a feasibility analysis of resulting attacks on grid stability and a related co-simulation framework, (ii) different anomaly detection concepts for either large-scale coordinated attacks on the grid or attacks in individual charging sessions, (iii) approaches for improving detection performance, including a Generative Adversarial Network (GAN)-based Intrusion Detection System (IDS) optimization and a combination of large-scale and session-based detection, and (iv) methods for attack mitigation based on IDS outputs. All presented concepts are implemented and evaluated with regard to relevant criteria. Concepts for EV charging protocol security are evaluated regarding performance/usability criteria based on proof-of-concept implementations and regarding security/privacy criteria based on formal protocol analyses using the Tamarin prover. Concepts for the analysis, detection, and mitigation of session control-related attacks are implemented with simulation-based approaches to evaluate their effect on involved systems and their detection/mitigation performance. Used Tamarin models and simulation data are published for reproducibility and future use in related studies. Overall, our results show the presented concepts can provide a significant benefit to the security of EV charging in the sector’s future.

  2025  Technische Universität Darmstadt Darmstadt PhD thesis

Where Are We? Security, Misuse, and Manipulation of Location-based Systems

Alexander Heinrich

PDF BibTeX DOI: 10.26083/tuprints-00029727

Abstract
Location-based systems allow us to perform many tasks: we can check the weather wherever we are, navigate unfamiliar environments, and track our running workouts as well as valuables such as laptops or luggage. However, all of these examples require access to highly sensitive and private location data. Misuse of this data allows adversaries to identify individuals based on a few locations, track them digitally without consent, or manipulate location data to bypass location-based access policies, such as those implemented in cars or smart door locks. In this thesis, we contribute to three emerging areas of location-based systems: (1) Security and misuse of Bluetooth offline-finding networks; (2) Security, reliability, and accuracy of localization with UWB; and (3) Secure location sharing via satellite. Our methodology is diverse. We reverse-engineer implementations to investigate their privacy and security protections, open up proprietary systems and provide open-source implementations. Furthermore, we develop tools to protect users from unwanted location tracking, research novel attack vectors and protections, and conduct user studies to understand the needs of victims of unwanted tracking. To summarize our main research results: (1) We analyze Apple’s Find My network, uncover vulnerabilities that expose individuals’ location data, and demonstrate that the network can be misused for tracking and stalking. Based on our results, we open up the proprietary network and publish a framework that allows any programmable Bluetooth device to be integrated into the Find My network, making it locatable. To protect users from unwanted tracking attacks, we develop and publish the AirGuard app, which identifies malicious trackers following a person and alerts them. We conduct a survey with over 5,000 participants and find that 44% of stalking victims have suffered from unwanted location tracking. With the study results and AirGuard user data, we identify patterns and methods used by stalkers, and where trackers are hidden. (2) We measure the accuracy and reliability of Ultra-Wide Band (UWB) distance measurements in consumer smartphones and find that, while results are accurate in most cases, all devices measured a small number of large outliers. Furthermore, we analyze the security of UWB against distance manipulation attacks and develop a novel physical-layer attack that can reduce the measured distance by several meters. (3) Encryption and privacy protection mechanisms are often neglected in satellite communication. We evaluate the iPhone’s location-sharing via satellite feature and find robust security mechanisms with multi-layer encryption in place. Nevertheless, we identify bypasses around Apple’s restrictions and manage to use satellite services from restricted areas and send text messages encoded in location updates. We propose countermeasures for all vulnerabilities we find. In addition to academic publications, our work has demonstrated real-world impact with the AirGuard apps for Android and iOS. They have been installed over 1.3million times in the last three and a half years. Several victims of unwanted tracking informed us that they had found trackers using our application, preventing further tracking. By pushing for better detection mechanisms, we influenced major companies: Apple and Google have proposed standardized tracking detection for all Bluetooth trackers.

  2025  Network and Distributed System Security (NDSS) Symposium 2025 Conference

Starshields for iOS: Navigating the Security Cosmos in Satellite Communication

Jiska Classen Alexander Heinrich Fabian Portner Felix Rohrbach Matthias Hollick

PDF BibTeX DOI: 10.14722/ndss.2025.240124

Abstract
Apple has integrated satellite communication into their latest iPhones, enabling emergency communication, road- side assistance, location sharing with friends, iMessage, and SMS. This technology allows communication when other wireless services are unavailable. However, the use of satellites poses restrictions on bandwidth and delay, making it difficult to use modern communication protocols with their security and privacy guarantees. To overcome these challenges, Apple designed and implemented a proprietary satellite communication protocol to address these limitations. We are the first to successfully reverse-engineer this protocol and analyze its security and privacy properties. In addition, we develop a simulation-based testbed for testing emergency services without causing emergency calls. Our tests reveal protocol and infrastructure design issues. For example, compact protocol messages come at the cost of missing integrity protection and require an internet-based setup phase. We further demonstrate various restriction bypasses, such as misusing location sharing to send arbitrary text messages on old iOS versions, and sending iMessages over satellite from region-locked countries. These bypasses allow us to overcome censorship and operator control of text messaging services.

  2024  IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN) Conference

State-aware Subscriber Steering in Fiber Access Networks for Improved Resilience

Fridolin Siegmund Philip Jonas Franz Bjoern Nagel Maik Rüder Lisa Wernet Matthias Hollick Ralf Kundel

PDF BibTeX DOI: 10.1109/NFV-SDN61811.2024.10807483

Abstract
Network softwarization is currently emerging in home and enterprise Internet access networks. Still, the advantages of programmable hardware nodes and virtualized network functions in the access network as resilience enablers should be researched more. Access networks are typically built in a two-layer tree topology with sparse redundancy and limited adaptability. To overcome this, this work investigates how softwarization with redundancy can achieve resilience improvements in such networks. We present an architecture and prototypical implementation of a fiber-based access network and subscriber termination, with a redundant and adaptive design throughout the whole path from subscribers to the Internet. By proactively migrating states and steering subscriber flows, we reached total average downtimes of around 156 milliseconds to restore Internet access after disruption in the case of one subscriber. In comparison, it takes hours to restore Internet access in case of an outage with zero redundancy. Our solution is cost-effective by exploiting the architectural advances of Software Defined Networking, allowing the use of virtualized network functions and hardware-based functions simultaneously.

  2024  18th ACM Workshop on Wireless Network Testbeds, Experimental evaluation & Characterization 2024 Conference

Beyond Sensing: A High-Performance Software-Defined LoRa Gateway

Vincenz Mechler Matthias Hollick Bastian Bloessl

PDF BibTeX DOI: 10.1145/3636534.3697317

Abstract
LoRa is about to become the standard for Low-Power Wide-Area Networks (LPWANs), being well suited for many Internet of Things (IoT) and sensor network applications. The success of the technology sparked interest to adopt LoRa for other, more challenging use-cases in industrial automation or control of cyber-physical systems. Regular LoRa gateways are, however, limited in their number of parallel demodulation paths and restricted to a single network. To overcome this limitation, we implement a software-defined, multichannel LoRa receiver that is able to receive all common spreading factors and uplink channel combinations of the LoRaWAN EU868 frequency plan. In addition, our receiver does not rely on hard-coded sync words, enabling a mechanism similar to monitor mode in WLAN networks. Experimental evaluation using Software-Defined Radios (SDRs) confirms superior performance compared to commercial LoRa gateways.

  2024  14th IEEE Global Humanitarian Technology Conference (GHTC2024) Conference

On the Feasibility of Digital VHF Communications in Crisis Scenarios

Michi Hermann Bastian Bloessl

PDF BibTeX DOI: 10.1109/GHTC62424.2024.10771549

Abstract
Communication is key, especially during a crisis. In case of larger incidents, existing infrastructure often faces outages, making it difficult - if not impossible - to communicate. While first responders have communication solutions for these cases, civilians remain disconnected. To avoid such stressful situations, we study Rattlegram, a novel communication solution that uses acoustic coupling of smartphones with VHF/UHF handheld radios to transmit digital information. We compare it to existing protocols for the VHF/UHF band and evaluate its performance in simulations and field tests. We demonstrate its applicability, showing that even a cheap handheld radio can be used to establish communication up to a distance of over 18km in rural and close to 1 km in urban environments. The results highlight that Rattlegram is a viable technology that can be the base for affordable, infrastructure-less emergency communication for the masses.

  2024  IEEE Transactions on Wireless Communications Article

Physical-Layer Privacy via Randomized Beamforming Against Adversarial Wi-Fi Sensing: Analysis, Implementation, and Evaluation

Marco Cominelli Shaghayegh Shahcheraghi Jakob Link Matthias Hollick Federico Cerutti Francesco Gringoli Arash Asadi

BibTeX DOI: 10.1109/TWC.2024.3485477

Abstract
Wi-Fi sensing applications have achieved remarkable results over the last decade, offering accurate device-free localization and gesture recognition capabilities. Indeed, Wi-Fi sensing has quickly become a critical field of research for future communication systems under the paradigm known as joint communication and sensing. However, device-free wireless sensing can also be exploited for malign purposes against unaware victims, and the omnipresence of Wi-Fi transceivers poses a significant threat to people’s privacy. Therefore, it is essential to develop functional solutions that can effectively thwart wireless sensing. All the current attempts to hinder illegitimate wireless sensing rely on specialized hardware deployed in the environment, but their cost and complexity can undermine widespread deployment. In this paper, we explore the possibility of using native capabilities of Wi-Fi systems, namely beamforming, to thwart wireless sensing. To this end, we propose for the first time a solution that enables complete control over the beamforming in commercial Wi-Fi devices. On top of that, we build BeamDancer, which randomizes beamforming vectors to inhibit channel fingerprinting. We empirically demonstrate the effectiveness of the proposed solution against three different wireless sensing techniques, both data-driven and model-based, while preserving almost entirely the legitimate Wi-Fi traffic at the same time.

  2024  27th ACM Conference on Computer-Supported Cooperative Work and Social Computing (CSCW 2024) Conference

PairSonic: Helping Groups Securely Exchange Contact Information

Florentin Putz Steffen Haesler Thomas Völkl Maximilian Gehring Nils Rollshausen Matthias Hollick

PDF BibTeX DOI: 10.1145/3678884.3681818

Abstract
Securely exchanging contact information is essential for establishing trustworthy communication channels that facilitate effective online collaboration. However, current methods are neither user-friendly nor scalable for large groups of users. In response, we introduce PairSonic, a novel group pairing protocol that extends trust from physical encounters to online communication. PairSonic simplifies the pairing process by automating the tedious verification tasks of previous methods through an acoustic out-of-band channel using smartphones' built-in hardware. Our protocol not only facilitates connecting users for computer-supported collaboration, but also provides a more user-friendly and scalable solution to the authentication ceremonies currently used in end-to-end encrypted messengers like Signal or WhatsApp. PairSonic is available as open-source software: https://github.com/seemoo-lab/pairsonic

  2024  Proceedings of the ACM on Human-Computer Interaction Article

Sounds Good? Fast and Secure Contact Exchange in Groups

Florentin Putz Steffen Haesler Matthias Hollick

PDF BibTeX DOI: 10.1145/3686964

Abstract
Trustworthy digital communication requires the secure exchange of contact information, but current approaches lack usability and scalability for larger groups of users. We evaluate the usability of two secure contact exchange systems: the current state of the art, SafeSlinger, and our newly designed protocol, PairSonic, which extends trust from physical encounters to spontaneous online communication. Our lab study (N=45) demonstrates PairSonic's superior usability, automating the tedious verification tasks from previous approaches via an acoustic out-of-band channel. Although participants significantly preferred our system, minimizing user effort surprisingly decreased the perceived security for some users, who associated security with complexity. We discuss user perceptions of the different protocol components and identify remaining usability barriers for CSCW application scenarios.

  2024  2024 IEEE Conference on Communications and Network Security (CNS) Conference

A Data-Driven Evaluation of the Current Security State of Android Devices

Ernst Leierzopf René Mayrhofer Michael Roland Wolfgang Studier Lawrence Dean Martin Seiffert Florentin Putz Lucas Becker Daniel Thomas

BibTeX DOI: 10.1109/CNS62487.2024.10735682

Abstract
Android’s fast-paced development cycles and the large number of devices from different manufacturers do not allow for an easy comparison between different devices’ security and privacy postures. Manufacturers each adapt and update their respective firmware images. Furthermore, images published on OEM websites do not necessarily match those installed in the field. Relevant software aspects do not remain static after initial device release, but need to be measured on real devices that receive these updates. There are various potential sources for collecting such attributes, including webscraping, crowdsourcing, and dedicated device farms. However, raw data alone is not helpful in making meaningful decisions on device security and privacy. We make a website available to access collected data. Our implementation focuses on reproducible requests and supports filtering by OEMs, devices, device models, and attributes. To improve usability, we further propose a security score grounded on the list of attributes. Based on input from Android experts, including a focus group and eight individuals, we have created a method that derives attribute weights from the importance of attributes for mitigating threats on the Android platform. We derive weights for general use cases and suggest possible examples for more specialized weights for groups of confidentiality/privacy-sensitive users and integrity-sensitive users. Since there is no one-size-fits-all setting for Android devices, our website provides the possibility to adapt all parameters of the calculated security score to individual needs.

  2024  IEEE Access Article

Resilience-by-Design in 6G Networks: Literature Review and Novel Enabling Concepts

Ladan Khaloopour Yanpeng Su Florian Raskob Tobias Meuser Roland Bless Leon Janzen Kamyar Abedi Marko Andjelkovic Hekma Chaari Pousali Chakraborty Michael Kreutzer Matthias Hollick Thorsten Strufe Norman Franchi Vahid Jamali

PDF BibTeX DOI: 10.1109/ACCESS.2024.3480275

Abstract
The sixth generation (6G) mobile communication networks are expected to intelligently integrate into various aspects of modern digital society, including smart cities, homes, health-care, transportation, and factories. While offering a multitude of services, it is likely that societies become increasingly reliant on 6G infrastructure. Any disruption to these digital services, whether due to human or technical failures, natural disasters, or terrorism, would significantly impact citizens’ daily lives. Hence, 6G networks need not only to provide high-performance services but also to be resilient in maintaining essential services in the face of potentially unknown challenges. This paper provides a general review of the state of the art on resilient systems, definitions, concepts, and approaches. Moreover, it introduces a comprehensive concept, i.e., resilience-by-design (RBD), in three different levels for designing resilient 6G communication networks, summarizing our initial studies within the German Open6GHub project. First, we outline the general RBD enabling principles and discuss their related sub-categories. Next, adopting an interdisciplinary approach, we propose to embed these principles across all 6G layers/perspectives including electronics, physical channel, network components and functions, networks, services, and cross-layer and cross-infrastructure considerations and discuss their challenges. We further elaborate the RBD principles and their realizations along with several 6G use-cases. The paper is concluded by presenting a comprehensive list of open problems for future research on 6G resilience.

  2024  USENIX Conference on Offensive Technologies Proceedings of the 18th USENIX Conference on Offensive Technologies (WOOT'24) Conference

Oh no, my RAN! breaking into an O-RAN 5G indoor base station

Leon Janzen Lucas Becker Colin Wiesenäcker Matthias Hollick

PDF BibTeX

  2024  22nd Annual International Conference on Mobile Systems, Applications and Services (MOBISYS '24) Conference

Always On Air: Adaptive Physical Layer Switching For Uninterrupted UAV Air-to-Ground Communication

Vincenz Mechler Felix Wiegand Matthias Hollick Bastian Bloessl

BibTeX DOI: 10.1145/3661810.3663467

Abstract
Reliable wireless communication is crucial for remote operation of Unmanned Aerial Vehicles (UAVs). Yet, staying in control of the vehicle at all times poses a great challenge, given the dynamics of the wireless channel. Existing technologies are optimized for a given application and, therefore, not well suited for this use case, as they cannot provide both high throughput in high Signal to Noise Ratio (SNR) regimes and high reliability in low SNR regimes. To overcome this limitation, we propose a channel-aware predictive physical layer switching algorithm, utilizing the UAV's telemetry data for implicit synchronization. We evaluate our system experimentally in a fully emulated testbed, achieving an overall outage probability as low as 0.7 % while increasing the average throughput.

  2024  Technische Universität Darmstadt Darmstadt PhD thesis

Radio Resource Management for Millimeter-Wave Networks: Modeling and Design

Luis Fernando Abanto Leon

PDF BibTeX DOI: 10.26083/tuprints-00026363

Abstract
Radio resource management (RRM) plays a critical role in modern wireless communications networks. RRM 's ultimate goal is to devise strategies to efficiently manage the network's radio resources, e.g., infrastructure and spectrum, and thus coordinate interference and ensure QoS requirements for the UE. RRM has undergone a tremendous transformation from initially being limited to solely the physical layer with fixed policies to presently incorporating dynamic cross-layer algorithms that allow controlling multiple characteristics of the physical and higher layers. Each succeeding generation of wireless mobile technology has contributed to expanding the network capabilities but has also posed new challenges for RRM in coordinating more radio spectrum, e.g., millimeter-wave spectrum, and more radio infrastructure, e.g., CoMP and IAB. Therefore, as wireless technologies evolve, RRM strategies must also adapt to account for emerging radio infrastructure and spectrum, ensuring their efficient utilization along with the existing resources. This thesis proposes several RRM strategies and algorithms to improve radio resource utilization, addressing challenges intrinsic to the evolution of wireless mobile technologies. Different RRM research problems are investigated considering diverse radio resources, such as precoding, admission control, and discrete rate allocation, focusing on various use cases, such as Industry 4.0. The strategies and algorithms developed herein not only target networks deployed using SDMA, adopted as de facto multiple access scheme, but also target emerging multiple access schemes, such as LDMA and RSMA. In addition, the strategies and algorithms are not limited to access networks only, but also include backhaul networks, specifically IAB technology.

  2023  Conference on Communications and Network Security (CNS 2023) Conference

BeamSec: A Practical mmWave Physical Layer Security Scheme Against Strong Adversaries

Afifa Ishtiaq Arash Asadi Ladan Khaloopour Waqar Ahmed Vahid Jamali Matthias Hollick

BibTeX DOI: 10.1109/CNS59707.2023.10289003

Abstract
The high directionality of millimeter-wave (mmWave) communication systems has proven effective in reducing the attack surface against eavesdropping, thus improving the physical layer security. However, even with highly directional beams, the system is still exposed to eavesdropping against adversaries located within the main lobe. In this paper, we propose BeamSec, a solution to protect the users even from adversaries located in the main lobe. The key feature of BeamSec are: (i) Operating without the knowledge of eavesdropper’s location/channel; (ii) Robustness against colluding eavesdropping attack and (iii) Standard compatibility, which we prove using experiments via our IEEE 802.11ad/ay-compatible 60 GHz phased-array testbed. Methodologically, BeamSec first identifies uncorrelated and diverse beampairs between the transmitter and receiver by analyzing signal characteristics available through standard-compliant procedures. Next, it encodes the information jointly over all selected beampairs to minimize information leakage. We study two methods for allocating transmission time among different beams, namely uniform allocation (no knowledge of the wireless channel) and optimal allocation for maximization of the secrecy rate (with partial knowledge of the wireless channel). Our experiments show that BeamSec outperforms the benchmark schemes against single and colluding eavesdroppers and enhances the secrecy rate by 79.8% over a random paths selection benchmark.

  2023  Primary Conference on the Analysis of Mobile Phone Datasets in Social, Urban, Societal and Industrial Problems,NetMob ’23 Conference

Maintaining App Services in Disrupted Cities: A Crisis and Resilience Evaluation Tool

Leon Würsching Matthias Hollick

PDF BibTeX

Abstract
Disaster scenarios can disconnect entire cities from the core network (CN), isolating base stations (BSs) and disrupting the Internet connection of app services for many users. Such a disruption is particularly disastrous when it affects critical app services such as communication, information, and navigation. Deploying local app servers at the network edge can solve this issue but leaves mobile network operators (MNOs) faced with design decisions regarding the criticality of traffic flows, the BS topology, and the app server deployment. We present the Crisis and Resilience Evaluation Tool (CARET) for crisis-mode radio access networks RANs, enabling MNOs to make informed decisions about a city's RAN configuration based on real-world data of the NetMob23 dataset.

  2023  Technische Universität Darmstadt Darmstadt Master's thesis

Security Analysis of Samsung's Ultra-Wideband Ecosystem and the Usage of NXP Ultra-Wideband Chips

Martin Reza Heyden

PDF BibTeX DOI: 10.26083/tuprints-00024378

Abstract
Ultra-Wideband (UWB) is a radio technology that uses a high bandwidth and enables use-cases for precise position estimation in close ranges. In recent years, UWB functionality found its way into many smartphones and Internet of Things (IoT) products, including devices from Samsung that use UWB chips by NXP. However, neither the security of Samsung’s UWB ecosystem entities nor the usage and communication of the integrated NXP UWB chips were publicly explored yet. Since UWB integration into smartphones and UWB chips for smartphone-related use-cases are new, only a few directly related works exist. These works analyze the chips’ physical-layer security and the integration of UWB into Apple devices, but no work addresses the firmware security of NXP’s UWB chips and the UWB integration into Samsung’s devices. Therefore, in our thesis, we analyze the security of Samsung’s UWB ecosystem entities, including NXP’s SR100T UWB chip featured on the Samsung Galaxy S21 Ultra, which we use as our test phone. We further assess the security of Samsung’s SmartTag+ that features NXP’s SR040 UWB chip and is part of the ecosystem. Our goal is to identify attack vectors and evaluate a selection of them. Furthermore, to aid our analysis and create attacks in our evaluation, we implement several utilities that help us decode the communication with NXP’s UWB chips, attack the SR100T on our Samsung phone independently of the user space, and simulate attacks against the ecosystem’s entities. In our evaluation, we find several vulnerabilities in different ecosystem entities. In addition, our findings about NXP’s UWB chips and their communication protocols provide a foundation for future research that evaluates the security of UWB chips addressable over Ultra-Wideband Command Interface (UCI) as well as the security of their integration.

  2023  29th Annual International Conference on Mobile Computing and Networking (ACM MobiCom '23) Conference

Software-Defined Wireless Communication Systems for Heterogeneous Architectures

David Volz Andreas Koch Bastian Bloessl

BibTeX DOI: 10.1145/3570361.3614084

Abstract
Future cellular networks will be programmable and increasingly software-defined with APIs to hook into the communication stack closer and closer to the physical layer. This allows operators, for example, to plug-in third-party machine learning algorithms to optimize performance. At the same time, this flexibility implies that compute resources cannot be provisioned statically but have to be distributed dynamically during runtime. While the hardware platforms for such systems are available, we lack suitable software frameworks that help to realize such systems. In this demonstration, we present two Open Source projects that fill this gap: FutureSDR, a portable real-time signal processing framework with native support for accelerators (like GPUs and FGPAs); and IPEC, which enables fully automatic composition of multi-accelerator FPGA designs. We believe that these tools - especially in combination with each other - can provide the base for building research prototypes and allow experimentation with software-defined wireless communication systems.

  2023  29th Annual International Conference on Mobile Computing and Networking (ACM MobiCom '23) Conference

Introducing FreeSpeaker - A Modular Smart Home Hub Prototyping Platform

Hermann Leinweber Jonatan Crystall Frank Hessel Florentin Putz Matthias Hollick

PDF BibTeX DOI: 10.1145/3570361.3614080

Abstract
Smart home speakers have become a commodity item in many households and provide interesting research opportunities in areas like wireless communication and human-computer interaction. Commercial devices do not provide sufficient access for many research tasks. We present a modular smart home hub designed specifically for research purposes. The electronic and mechanical components are designed with reproducibility in mind and can be easily recombined for a project's needs. Additionally, we show applications of the hub in different scenarios.

  2023  17th ACM Workshop on Wireless Network Testbeds, Experimental Evaluation & Characterization (WiNTECH '23) Conference

Rolling the D11: An Emulation Game for the Whole BCM43 Family

Jakob Link David Breuer Francesco Gringoli Matthias Hollick

BibTeX DOI: 10.1145/3615453.3616520

Abstract
The D11 is Broadcom's proprietary IEEE 802.11 MAC implementation and an essential part of their WiFi chips. It is a microcontroller that orchestrates the Physical Layer and Radio Front-end implementation and is programmable through a custom microcode. We provide a new emulation framework for the D11 microcode and a corresponding firmware patch for the WiFi chip that enables essential debugging methods, including microcode breakpoints and D11 state extraction. This toolset allows researchers to analyze the D11 microcode in a controlled environment dynamically. To facilitate research on the D11, we provide an overview of state-of-the-art knowledge of the chip and publish all presented tools to the open-source community. We encourage everyone interested to enter the game, roll the D11, and provide new insights on Broadcom's MAC implementation.

  2023  31st Interdisciplinary Information Management Talks Conference

A Large-Scale Data Collection and Evaluation Framework for Android Device Security Attributes

Ernst Leierzopf Michael Roland René Mayrhofer Florentin Putz

PDF BibTeX DOI: 10.35011/IDIMT-2023-63

Abstract
Android’s fast-lived development cycles and increasing amounts of manufacturers and device models make a comparison of relevant security attributes, in addition to the already difficult comparison of features, more challenging. Most smartphone reviews only consider offered features in their analysis. Smartphone manufacturers include their own software on top of the Android Open Source Project (AOSP) to improve user experience, to add their own pre-installed apps or apps from third-party sponsors, and to distinguish themselves from their competitors. These changes affect the security of smartphones. It is insufficient to validate device security state only based on measured data from real devices for a complete assessment. Promised major version releases, security updates, security update schedules of devices, and correct claims on security and privacy of pre-installed software are some aspects, which need statistically significant amounts of data to evaluate. Lack of software and security updates is a common reason for shorter lifespans of electronics, especially for smartphones. Validating the claims of manufacturers and publishing the results creates incentives towards more sustainable maintenance and longevity of smartphones. We present a novel scalable data collection and evaluation framework, which includes multiple sources of data like dedicated device farms, crowdsourcing, and webscraping. Our solution improves the comparability of devices based on their security attributes by providing measurements from real devices.

  2023  48th Conference on Local Computer Networks Conference

Energy-efficient Broadcast Trees for Decentralized Data Dissemination in Wireless Networks

Artur Sterz Robin Klose Markus Sommer Jonas Höchst Jakob Link Bernd Simon Anja Klein Matthias Hollick Bernd Freisleben

PDF BibTeX DOI: 10.1109/LCN58197.2023.10223400

Abstract
We present a novel multi-hop data dissemination protocol for wireless networks that minimizes the total energy consumption across an entire network by minimizing the transmission power at each hop. It is based on a game-theoretic model, constructs a spanning tree topology in a decentralized manner, and is usable in practice. We evaluate the protocol via simulation and a pratical implementation on a testbed of 75 Raspberry Pis, demonstrating that a total energy reduction of up to 90% can be achieved compared to a simple broadcast protocol.

  2023  Proceedings of the 17th ACM International Conference on Distributed and Event-Based Systems Conference

No One Size (PPM) Fits All: Towards Privacy in Stream Processing Systems

Mikhail Fomichev Manisha Luthra Maik Benndorf Pratyush Agnihotri

PDF BibTeX DOI: 10.1145/3583678.3596889

Abstract
Stream processing systems (SPSs) have been designed to process data streams in real-time, allowing organizations to analyze and act upon data on-the-fly, as it is generated. However, handling sensitive or personal data in these multilayered SPSs that distribute resources across sensor, fog, and cloud layers raises privacy concerns, as the data may be subject to unauthorized access and attacks that can violate user privacy, hence facing regulations such as the GDPR across the SPS layers. To address these issues, different privacy-preserving mechanisms (PPMs) are proposed to protect user privacy in SPSs. Yet, selecting and applying such PPMs in SPSs is challenging, since they must operate in real-time while tolerating little overhead. The multilayered nature of SPSs complicates privacy protection because each layer may confront different privacy threats, which must be addressed by specific PPMs. To overcome these challenges, we present Prinseps, our comprehensive privacy vision for SPSs. Towards this vision, we (1) identify critical privacy threats on different layers of the multilayered SPS, (2) evaluate the effectiveness of existing PPMs in addressing such threats, and (3) integrate privacy considerations into the decision-making processes of SPSs.

  2023  IEEE Transactions on Mobile Computing Article

Stochastic Modeling of Beam Management in mmWave Vehicular Networks

Somayeh Aghashahi Samaneh Aghashahi Zolfa Zeinalpour-Yazdi Aliakbar Tadaion Arash Asadi

BibTeX DOI: 10.1109/tmc.2021.3138449

Abstract
Mobility management is a major challenge for millimeter-wave (mmWave) cellular networks. In particular, directional beamforming in mmWave devices renders high-speed mobility support very complex. This complexity, however, is not limited to system design but also the performance estimation and evaluation. Hence, some have turned their attention to stochastic modeling of mmWave vehicular communication to derive closed-form expressions that can characterize the coverage and rate behavior of the network. In this article, we model and analyze the beam management for mmWave vehicular networks. To the best of our knowledge, this is the first work that goes beyond coverage and rate analysis. Specifically, we focus on a multi-lane divided highway scenario in which base stations and vehicles are present on both sides of the highway. In addition to providing analytical expressions for the average number of beam switching and handover events, we provide design insights for the operators to fine-tune their network through more informed choice of system parameters, including the number of resources dedicated to channel feedback and beam alignment operations.

  2023  ACM 2023 CHI Conference on Human Factors in Computing Systems Conference

FIDO2 the Rescue? Platform vs. Roaming Authentication on Smartphones

Leon Würsching Florentin Putz Steffen Haesler Matthias Hollick

PDF BibTeX DOI: 10.1145/3544548.3580993

Abstract
Modern smartphones support FIDO2 passwordless authentication using either external security keys or internal biometric authentication, but it is unclear whether users appreciate and accept these new forms of web authentication for their own accounts. We present the first lab study (N=87) comparing platform and roaming authentication on smartphones, determining the practical strengths and weaknesses of FIDO2 as perceived by users in a mobile scenario. Most participants were willing to adopt passwordless authentication during our in-person user study, but closer analysis shows that participants prioritize usability, security, and availability differently depending on the account type. We identify remaining adoption barriers that prevent FIDO2 from succeeding password authentication, such as missing support for contemporary usage patterns, including account delegation and usage on multiple clients.

  2023  Technische Universität Darmstadt Darmstadt PhD thesis

Decentralized Ultra-Reliable Low-Latency Communications through Concurrent Cooperative Transmission

Robin Klose

PDF BibTeX DOI: 10.26083/tuprints-00024070

Abstract
Emerging cyber-physical systems demand for communication technologies that enable seamless interactions between humans and physical objects in a shared environment. This thesis proposes decentralized URLLC (dURLLC) as a new communication paradigm that allows the nodes in a wireless multi-hop network (WMN) to disseminate data quickly, reliably and without using a centralized infrastructure. To enable the dURLLC paradigm, this thesis explores the practical feasibility of concurrent cooperative transmission (CCT) with orthogonal frequency-division multiplexing (OFDM). CCT allows for an efficient utilization of the medium by leveraging interference instead of trying to avoid collisions. CCT-based network flooding disseminates data in a WMN through a reception-triggered low-level medium access control (MAC). OFDM provides high data rates by using a large bandwidth, resulting in a short transmission duration for a given amount of data. This thesis explores CCT-based network flooding with the OFDM-based IEEE 802.11 Non-HT and HT physical layers (PHYs) to enable interactions with commercial devices. An analysis of CCT with the IEEE 802.11 Non-HT PHY investigates the combined effects of the phase offset (PO), the carrier frequency offset (CFO) and the time offset (TO) between concurrent transmitters, as well as the elapsed time. The analytical results of the decodability of a CCT are validated in simulations and in testbed experiments with Wireless Open Access Research Platform (WARP) v3 software-defined radios (SDRs). CCT with coherent interference (CI) is the primary approach of this thesis. Two prototypes for CCT with CI are presented that feature mechanisms for precise synchronization in time and frequency. One prototype is based on the WARP v3 and its IEEE 802.11 reference design, whereas the other prototype is created through firmware modifications of the Asus RT-AC86U wireless router. Both prototypes are employed in testbed experiments in which two groups of nodes generate successive CCTs in a ping-pong fashion to emulate flooding processes with a very large number of hops. The nodes stay synchronized in experiments with 10 000 successive CCTs for various modulation and coding scheme (MCS) indices and MAC service data unit (MSDU) sizes. The URLLC requirement of delivering a 32-byte MSDU with a reliability of 99.999 % and with a latency of 1 ms is assessed in experiments with 1 000 000 CCTs, while the reliability is approximated by means of the frame reception rate (FRR). An FRR of at least 99.999 % is achieved at PHY data rates of up to 48 Mbit/s under line-of-sight (LOS) conditions and at PHY data rates of up to 12 Mbit/s under non-line-of-sight (NLOS) conditions on a 20 MHz wide channel, while the latency per hop is 48.2 µs and 80.2 µs, respectively. With four multiple input multiple output (MIMO) spatial streams on a 40 MHz wide channel, a LOS receiver achieves an FRR of 99.5 % at a PHY data rate of 324 Mbit/s. For CCT with incoherent interference, this thesis proposes equalization with time-variant zero-forcing (TVZF) and presents a TVZF receiver for the IEEE 802.11 Non-HT PHY, achieving an FRR of up to 92 % for CCTs from three unsyntonized commercial devices. As CCT-based network flooding allows for an implicit time synchronization of all nodes, a reception-triggered low-level MAC and a reservation-based high-level MAC may in combination support various applications and scenarios under the dURLLC paradigm.

  2023  WiSec '23: 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

DEMO: Secure Bootstrapping of Smart Speakers Using Acoustic Communication

Markus Scheck Florentin Putz Frank Hessel Hermann Leinweber Jonatan Crystall Matthias Hollick

PDF BibTeX DOI: 10.26083/tuprints-00024180

Abstract
Smart speakers are highly privacy-sensitive devices: They are located in our homes and provide an Internet-enabled microphone, making them a prime target for attackers. The pairing between a client device and the speaker must be protected to prohibit adversaries from accessing the device. Most commercial protocols are vulnerable to nearby adversaries as they do not probe for human presence at the speaker or proximity between both devices. In addition to security, the protocol must provide a user-friendly way for initial bootstrapping of the speaker. We design an open pairing protocol for the establishment of a shared secret between both devices using acoustic messaging to guarantee proximity, and release our implementation for the smart speaker as well as Android and Linux clients as open-source software on GitHub.

  2023  Sensors Article

Energy-Efficient Decentralized Broadcasting in Wireless Multi-Hop Networks

Artur Sterz Robin Klose Markus Sommer Jonas Höchst Jakob Link Bernd Simon Anja Klein Matthias Hollick Bernd Freisleben

BibTeX DOI: 10.3390/s23177419

Abstract
Several areas of wireless networking, such as wireless sensor networks or the Internet of Things, require application data to be distributed to multiple receivers in an area beyond the transmission range of a single node. This can be achieved by using the wireless medium’s broadcast property when retransmitting data. Due to the energy constraints of typical wireless devices, a broadcasting scheme that consumes as little energy as possible is highly desirable. In this article, we present a novel multi-hop data dissemination protocol called BTP. It uses a game-theoretical model to construct a spanning tree in a decentralized manner to minimize the total energy consumption of a network by minimizing the transmission power of each node. Although BTP is based on a game-theoretical model, it neither requires information exchange between distant nodes nor time synchronization during its operation, and it inhibits graph cycles effectively. The protocol is evaluated in Matlab and NS-3 simulations and through real-world implementation on a testbed of 75 Raspberry Pis. The evaluation conducted shows that our proposed protocol can achieve a total energy reduction of up to 90% compared to a simple broadcast protocol in real-world experiments.

  2022  Liquid Crystals: The way to Scalable and Practical Reconfigurable Intelligent Surfaces in 6G Other

Liquid Crystals: The way to Scalable and Practical Reconfigurable Intelligent Surfaces in 6G

Rolf Jakoby Dongwei Wang Robin Neuder Arash Asadi Alejandro Jiménez Sáez

BibTeX DOI: 10.36227/techrxiv.21335733

Abstract
With the rise of models describing the potential and limitations of Reconfigurable Intelligent Surfaces (RISs) in wireless communication and sensing channels, numerous hardware solutions are being developed. The most common solutions are based on varactors, Positive-Intrinsic-Negative (PIN) diodes, and Micro-Electro-Mechanical Systems (MEMS). Recently, several works on 1-bit nematic Liquid Crystal (LC) RISs have been published. This paper presents the use of LC technology for the realization of continuously tunable mm-Wave RISs to address the increasing interest in this technology. Starting from basic LC theory, we introduce two different realization methods, the reflectarray and the phased array method. Comparing LC technology to the competing technologies, we see that the main advantage is the low cost of large panels, followed by a low-power consumption. However, there are some challenges that the LC technology faces such as its impedance matching, its biasing, and tuning times in the order of 10s of ms. With this in mind, we analyze for which applications LC-based RISs are best suited.

  2022  28th Annual International Conference on Mobile Computing And Networking Conference

Designing, building, and characterizing RF switch-based reconfigurable intelligent surfaces

Marco Rossanese Placido Mursia Andres Garcia-Saavedra Vincenzo Sciancalepore Arash Asadi Xavier Costa-Perez

BibTeX DOI: 10.1145/3495243.3558256

Abstract
In this poster, we present the Reconfigurable Intelligent Surface (RIS) that we designed, built, and tested. At first, the RIS technology is briefly discussed, subsequently, our prototype details are explained, and finally, we conclude by showing the obtained test results. Our RIS design comprises arrays of patch antennas, delay lines, and programmable radio-frequency (RF) switches that enable almost-passive 3D beamforming, i.e., without active RF components.

  2022  ACM Transactions on Sensor Networks Article

LoRaWAN Security: An Evolvable Survey on Vulnerabilities, Attacks and their Systematic Mitigation

Frank Hessel Lars Almon Matthias Hollick

BibTeX DOI: 10.1145/3561973

Abstract
The changing vulnerability and threat landscape constantly challenge the security of wireless communication standards and protocols. For the Internet of Things (IoT), LoRaWAN is one of the dominant technologies for urban environments, industrial settings, or critical infrastructures due to its low-power and long-range capabilities. LoRaWAN IoT deployments are expected to operate for multiple years or even decades. Hence, it is imperative to maintain operational security at all times while continuously evolving the security of the standard and its implementations. We survey LoRaWAN security and follow a systematic and evolvable approach that can be dynamically updated. To this end, we propose a novel methodology to create evolvable surveys which relate the analyzed critical security concepts, thus allowing IT security experts to reason about LoRaWAN security properties over time. With this, we provide a tool to hardware manufacturers, software developers and providers, and network operators to achieve sustainable security for IoT deployments.

  2022  ISNGI - the International Symposium for Next Generation Infrastructure Conference

Resilient data platforms for smart cities

Michaela Leštáková Yasin Alhamwy Frank Hessel Kevin Logan Andreas Morgen Martin Pietsch

PDF BibTeX

  2022  15th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

AirGuard - Protecting Android Users from Stalking Attacks by Apple Find My Devices

Alexander Heinrich Niklas Bittner Matthias Hollick

BibTeX DOI: 10.1145/3507657.3528546

Abstract
Finder networks in general, and Apple's Find My network in particular, can pose a grave threat to users' privacy and even health if these networks are abused for stalking. Apple's release of the AirTag-a very affordable tracker covered by the nearly ubiquitous Find My network-amplified this issue. While Apple provides a stalking detection feature within its ecosystem, billions of Android users are still left in the dark. Apple recently released the Android app "Tracker Detect," which does not deliver a convincing feature set for stalking protection. We reverse engineer Apple's tracking protection in iOS and discuss its features regarding stalking detection. We design "AirGuard" and release it as an Android app to protect against abuse by Apple tracking devices. We compare the performance of our solution with the Apple-provided one in iOS and study the use of AirGuard in the wild over multiple weeks using data contributed by tens of thousands of active users.

  2022  ACM Transactions on Internet of Things Article

Next2You: Robust Copresence Detection Based on Channel State Information

Mikhail Fomichev Luis F. Abanto-Leon Max Stiegler Alejandro Molina Ramirez Jakob Link Matthias Hollick

PDF BibTeX DOI: 10.1145/3491244

Abstract
Context-based copresence detection schemes are a necessary prerequisite to building secure and usable authentication systems in the Internet of Things (IoT). Such schemes allow one device to verify proximity of another device without user assistance utilizing their physical context (e.g., audio). The state-of-the-art copresence detection schemes suffer from two major limitations: (1) they cannot accurately detect copresence in low-entropy context (e.g., empty room with few events occurring) and insufficiently separated environments (e.g., adjacent rooms), (2) they require devices to have common sensors (e.g., microphones) to capture context, making them impractical on devices with heterogeneous sensors. We address these limitations, proposing Next2You, a novel copresence detection scheme utilizing channel state information (CSI). In particular, we leverage magnitude and phase values from a range of subcarriers specifying a Wi-Fi channel to capture a robust wireless context created when devices communicate. We implement Next2You on off-the-shelf smartphones relying only on ubiquitous Wi-Fi chipsets and evaluate it based on over 95 hours of CSI measurements that we collect in five real-world scenarios. Next2You achieves error rates below 4%, maintaining accurate copresence detection both in low-entropy context and insufficiently separated environments. We also demonstrate the capability of Next2You to work reliably in real-time and its robustness to various attacks.

  2022 Other

Ghost Peak: Practical Distance Reduction Attacks Against HRP UWB Ranging

Patrick Leu Giovanni Camurati Alexander Heinrich Marc Roeschlin Claudio Anliker Matthias Hollick Capkun Srdjan Jiska Classen

BibTeX DOI: 10.48550/arXiv.2111.05313

Abstract
We present the first over-the-air attack on IEEE802.15.4z High-Rate Pulse Repetition Frequency (HRP) Ultra-Wide Band (UWB)distance measurement systems. Specifically, we demonstrate a practical distance reduction attack against pairs of Apple U1 chips (embedded in iPhones and AirTags), as well as against U1 chips inter-operating with NXP and Qorvo UWBchips. These chips have been deployed in a wide range of phones and cars to secure car entry and start and are projected for secure contactless payments, home locks, and contact tracing systems. Our attack operates without any knowledge of cryptographic material, results in distance reductions from 12m (actual distance) to 0m (spoofed distance) with attack success probabilities of up to 4%, and requires only an inexpensive (USD 65) off-the-shelf device. Access control can only tolerate sub-second latencies to not inconvenience the user, leaving little margin to perform time-consuming verifications. These distance reductions bring into question the use of UWB HRPinsecurity-critical applications.

  2022  DeSIRE Conference 2022 Conference

Urban data platforms and urban critical infrastructure

Michaela Leštáková Frank Hessel Kevin Logan Yasin Alhamwy Andreas Morgen Martin Pietsch

BibTeX

Abstract
Urban data platforms (UDP) are currently being launched in many cities as a part of their smart city strategies. They gather and provide access to data from various urban domains, including critical infrastructure. We performed a survey about UDPs in Germany. Focusing on their potential for improving resilience of the city (resilience through ICT) and the resilience of the UDPs themselves (resilience for ICT), our key findings were: ▪ UDP providers tend to focus on normal conditions rather than crisis ▪ critical infrastructure is often not covered ▪ lack of focus on crisis shows in the design of the UDPs as well

  2022  43rd IEEE Symposium on Security and Privacy Conference

Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation

Jiska Classen Francesco Gringoli Michael Hermann Matthias Hollick

BibTeX

  2021  Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies Article

My(o) Armband Leaks Passwords: An EMG and IMU Based Keylogging Side-Channel Attack

Matthias Gazzari Annemarie Mattmann Max Maass Matthias Hollick

BibTeX DOI: 10.1145/3494986

Abstract
Wearables that constantly collect various sensor data of their users increase the chances for inferences of unintentional and sensitive information such as passwords typed on a physical keyboard. We take a thorough look at the potential of using electromyographic (EMG) data, a sensor modality which is new to the market but has lately gained attention in the context of wearables for augmented reality (AR), for a keylogging side-channel attack. Our approach is based on neural networks for a between-subject attack in a realistic scenario using the Myo Armband to collect the sensor data. In our approach, the EMG data has proven to be the most prominent source of information compared to the accelerometer and gyroscope, increasing the keystroke detection performance. For our end-to-end approach on raw data, we report a mean balanced accuracy of about 76 % for the keystroke detection and a mean top-3 key accuracy of about 32 % on 52 classes for the key identification on passwords of varying strengths. We have created an extensive dataset including more than 310 000 keystrokes recorded from 37 volunteers, which is available as open access along with the source code used to create the given results.

  2021  4th International Workshop on Emerging Technologies for Authorization and Authentication Conference

Future-Proof Web Authentication: Bring Your Own FIDO2 Extensions

Florentin Putz Steffen Schön Matthias Hollick

PDF BibTeX DOI: 10.1007/978-3-030-93747-8_2

Abstract
The FIDO2 standards for strong authentication on the Internet define an extension interface, which allows them to flexibly adapt to future use cases. The domain of establishing new FIDO2 extensions, however, is currently limited to web browser developers and members of the FIDO alliance. We show how researchers and developers can design and implement their own extensions for using FIDO2 as a well-established and secure foundation to demonstrate innovative authentication concepts or to support custom deployments. Our open-source implementation targets the full FIDO2 stack, such as the Chromium web browser and hardware tokens, to enable tailor-made authentication based on the power of the existing FIDO2 ecosystem. To give an overview of existing extensions, we survey all published FIDO2 extensions by manually inspecting the source code of major web browsers and authenticators. Their current design, however, hinders the implementation of custom extensions, and they only support a limited number of extensions out of the box. We discuss weaknesses of current implementations and identify the lack of extension pass-through as a major limitation in current FIDO2 clients.

  2021  IEEE Conference on Communications and Network Security Conference

Very Pwnable Network: Cisco AnyConnect Security Analysis

Gerbert Roitburd Matthias Ortmann Matthias Hollick Jiska Classen

BibTeX DOI: 10.1109/CNS53000.2021.9705023

Abstract
Corporate Virtual Private Networks (VPNs) enable users to work from home or while traveling. At the same time, VPNs are tied to a company’s network infrastructure, forcing users to install proprietary clients for network compatibility reasons. VPN clients run with high privileges to encrypt and reroute network traffic. Thus, bugs in VPN clients pose a substantial risk to their users and in turn the corporate network. Cisco, the dominating vendor of enterprise network hardware, offers VPN connectivity with their AnyConnect client for desktop and mobile devices. While past security research primarily focused on the AnyConnect Windows client, we show that Linux and iOS are based on different architectures and have distinct security issues. Our reverse engineering as well as the follow-up design analysis and fuzzing reveal 13 new vulnerabilities. Seven of these are located in the Linux client. The root cause for privilege escalations on Linux is anchored so deep in the client’s architecture that it only got patched with a partial workaround. A similar analysis on iOS uncovers three AnyConnect-specific bugs as well as three general issues in iOS network extensions, which apply to all kinds of VPNs and are not restricted to AnyConnect.

  2021  30th USENIX Security Symposium Conference

PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop

Alexander Heinrich Matthias Hollick Thomas Schneider Milan Stute Christian Weinert

PDF BibTeX

Abstract
Apple's offline file-sharing service AirDrop is integrated into more than 1.5 billion end-user devices worldwide. We discovered two design flaws in the underlying protocol that allow attackers to learn the phone numbers and email addresses of both sender and receiver devices. As a remediation, we study the applicability of private set intersection (PSI) to mutual authentication, which is similar to contact discovery in mobile messengers. We propose a novel optimized PSI-based protocol called PrivateDrop that addresses the specific challenges of offline resource-constrained operation and integrates seamlessly into the current AirDrop protocol stack. Using our native PrivateDrop implementation for iOS and macOS, we experimentally demonstrate that PrivateDrop preserves AirDrop's exemplary user experience with an authentication delay well below one second. We responsibly disclosed our findings to Apple and open-sourced our PrivateDrop implementation.

  2021  14th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

AirCollect: Efficiently Recovering Hashed Phone Numbers Leaked via Apple AirDrop

Alexander Heinrich Matthias Hollick Thomas Schneider Milan Stute Christian Weinert

PDF BibTeX DOI: 10.1145/3448300.3468252

Abstract
Apple’s file-sharing service AirDrop leaks phone numbers and email addresses by exchanging vulnerable hash values of the user’s own contact identifiers during the authentication handshake with nearby devices. In a paper presented at USENIX Security’21, we theoretically describe two attacks to exploit these vulnerabilities and propose “PrivateDrop” as a privacy-preserving drop-in replacement for Apple’s AirDrop protocol based on private set intersection. In this demo, we show how these vulnerabilities are efficiently exploitable via Wi-Fi and physical proximity to a target. Privacy and security implications include the possibility of conducting advanced spear phishing attacks or deploying multiple “collector” devices in order to build databases that map contact identifiers to specific locations. For our proof-of-concept, we leverage a custom rainbow table construction to reverse SHA-256 hashes of phone numbers in a matter of milliseconds. We discuss the trade-off between success rate and storage requirements of the rainbow table and, after following responsible disclosure with Apple, we publish our proof-of-concept implementation as “AirCollect” on GitHub.

  2021  14th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

OpenHaystack: A Framework for Tracking Personal Bluetooth Devices via Apple's Massive Find My Network

Alexander Heinrich Milan Stute Matthias Hollick

BibTeX DOI: 10.1145/3448300.3468251

Abstract
OpenHaystack is an open-source framework for locating personal Bluetooth devices using Apple’s Find My Network. A user can integrate it into Bluetooth-capable devices, such as notebooks, or create custom tracking accessories that can be attached to personal items (key rings, backpacks, etc.). We provide firmware images for the Nordic nRF5 chips and the ESP32. We show that they consume little energy and run from a single coin cell for a year. Our macOS application can locate personal accessories. Finally, we make both application and firmware available on GitHub.

  2021  19th Annual International Conference on Mobile Systems, Applications, and Services Conference

FastZIP: faster and more secure zero-interaction pairing

Mikhail Fomichev Julia Hesse Lars Almon Timm Lippert Jun Han Matthias Hollick

BibTeX DOI: 10.1145/3458864.3467883

Abstract
With the advent of the Internet of Things (IoT), establishing a secure channel between smart devices becomes crucial. Recent research proposes zero-interaction pairing (ZIP), which enables pairing without user assistance by utilizing devices' physical context (e.g., ambient audio) to obtain a shared secret key. The state-of-the-art ZIP schemes suffer from three limitations: (1) prolonged pairing time (i.e., minutes or hours), (2) vulnerability to brute-force offline attacks on a shared key, and (3) susceptibility to attacks caused by predictable context (e.g., replay attack) because they rely on limited entropy of physical context to protect a shared key. We address these limitations, proposing FastZIP, a novel ZIP scheme that significantly reduces pairing time while preventing offline and predictable context attacks. In particular, we adapt a recently introduced Fuzzy Password-Authenticated Key Exchange (fPAKE) protocol and utilize sensor fusion, maximizing their advantages. We instantiate FastZIP for intra-car device pairing to demonstrate its feasibility and show how the design of FastZIP can be adapted to other ZIP use cases. We implement FastZIP and evaluate it by driving four cars for a total of 800 km. We achieve up to three times shorter pairing time compared to the state-of-the-art ZIP schemes while assuring robust security with adversarial error rates below 0.5%.

  2021  Computer Networks Article

IEEE 802.11 CSI randomization to preserve location privacy: An empirical evaluation in different scenarios

Marco Cominelli Felix Kosterhon Francesco Gringoli Renato Lo Cigno Arash Asadi

BibTeX DOI: 10.1016/j.comnet.2021.107970

Abstract
Passive, device-free localization of a person exploiting the Channel State Information (CSI) from Wi-Fi signals is quickly becoming a reality. While this capability would enable new applications and services, it also raises concerns about citizens’ privacy. In this work, we propose a carefully-crafted obfuscating technique against one of such CSI-based localization methods. In particular, we modify the transmitted I/Q samples by leveraging an irreversible randomized sequence. I/Q symbol manipulation at the transmitter distorts the location-specific information in the CSI while preserving communication, so that an attacker can no longer derive information on user’s location. We test this technique against a Neural Network (NN)-based localization system and show that the randomization of the CSI makes undesired localization practically unfeasible. Both the localization system and the CSI randomization are implemented on real devices. The experimental results obtained in our laboratories show that the considered localization method works smoothly regardless of the environment, and that adding random information to the CSI prevents the localization, thus providing the community with a system that preserve location privacy and communication performance at the same time.

  2021  30th USENIX Security Symposium Conference

Disrupting Continuity of Apple's Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL, and Wi-Fi

Milan Stute Alexander Heinrich Jannik Lorenz Matthias Hollick

PDF BibTeX

Abstract
Apple controls one of the largest mobile ecosystems, with 1.5 billion active devices worldwide, and offers twelve proprietary wireless Continuity services. Previous works have unveiled several security and privacy issues in the involved protocols. These works extensively studied AirDrop while the coverage of the remaining vast Continuity service space is still low. To facilitate the cumbersome reverse-engineering process, we describe the first guide on how to approach a structured analysis of the involved protocols using several vantage points available on macOS. Also, we develop a toolkit to automate parts of this otherwise manual process. Based on this guide, we analyze the full protocol stacks involved in three Continuity services, in particular, Handoff (HO), Universal Clipboard (UC), and Wi-Fi Password Sharing (PWS). We discover several vulnerabilities spanning from Bluetooth Low Energy (BLE) advertisements to Apple's proprietary authentication protocols. These flaws allow for device tracking via HO's mDNS responses, a denial-of-service (DoS) attack on HO and UC, a DoS attack on PWS that prevents Wi-Fi password entry, and a machine-in-the-middle (MitM) attack on PWS that connects a target to an attacker-controlled Wi-Fi network. Our PoC implementations demonstrate that the attacks can be mounted using affordable off-the-shelf hardware ($20 micro:bit and a Wi-Fi card). Finally, we suggest practical mitigations and share our findings with Apple, who have started to release fixes through iOS and macOS updates.

  2021  Technische Universität Darmstadt Darmstadt Bachelor's thesis

ARIstoteles: iOS Baseband Interface Protocol Analysis

Tobias Kröll

PDF BibTeX DOI: 10.26083/tuprints-00019397

Abstract
The Apple Remote Invocation protocol is not yet publicly known and handles the communication between an Intel baseband chip and the Communication Center on iOS. Thus, it is indirectly controllable via over-the-air interactions, that could be issued from rogue base stations. Finding vulnerabilities in this proprietary protocol may reveal a critical and broad attack surface, that does not even require user interaction. The protocol can be analyzed via fuzzing, debug log outputs and reverse engineering. These informations can then be visualized in a Wireshark dissector, to analyze packet traces. Information about such a protocol help to understand crashes, discover potential security risks or can even be used to uncover unknown configurations and features of the baseband chips.

  2021  Technische Universität Darmstadt Darmstadt Master's thesis

Modification of LTE Firmwares on Smartphones

Carsten Bruns

PDF BibTeX DOI: 10.26083/tuprints-00017397

Abstract
Every mobile phone contains a modem subsystem responsible for communication with mobile networks. In contrast to the well known main system of smartphones, running for example an Android operating system, the modem hardware details and its software are secrets of the manufacturer, leaving the modem as a black box to us. Hence, this work analyzes recent Qualcomm modems supporting the latest deployed communication standard LTE. We then use the gained knowledge to implement a patching framework allowing easy modification of the modem’s firmware binary in a high level programming language. To demonstrate its usability, we realize applications ranging from debugging tools up to LTE MAC layer sniffing, security key extraction and access to channel estimates of the physical layer. These also show that malicious code in the modem subsystem imposes a severe and realistic threat. Furthermore, this work opens the modem as a research platform for recent mobile network technologies, removing the need for expensive special equipment in many research projects.

  2021  Technische Universität Darmstadt Darmstadt PhD thesis

Making Zero-interaction Pairing and Authentication Practical in the Internet of Things

Mikhail Fomichev

PDF BibTeX DOI: 10.26083/tuprints-00019768

Abstract
The proliferation of the Internet of Things (IoT) requires establishing and maintaining secure communication between smart devices to ensure user privacy and trustworthiness of IoT systems. Zero-interaction pairing (ZIP) and zero-interaction authentication (ZIA) are recent techniques that allow pairing or authenticating devices without user involvement utilizing devices’ physical context (e.g., ambient audio). Compared to centralized security solutions for the IoT such as public-key infrastructure (PKI) and conventional user-assisted pairing and authentication methods (e.g., entering a password), ZIP and ZIA schemes promise improved user experience, as they do not require users to participate in pairing or authentication procedures, and easy deployment, as they rely on on-board sensors of smart devices. However, we find that proposed ZIP and ZIA schemes are still immature, requiring improvements in three areas: security, usability, and deployability. In this thesis, we advance the domain of ZIP and ZIA in these three areas as follows. First, we analyze state-of-the-art ZIP and ZIA schemes both theoretically and empirically using real-world data that we collect. Our findings reveal that these schemes show reduced security and usability under realistic conditions, and we identify reasons why this reduction occurs. Second, we improve on ZIP, proposing a novel ZIP architecture called FastZIP combining a recently introduced Fuzzy Password-Authenticated Key Exchange (fPAKE) protocol, which has stronger security properties than the cryptographic primitives used by the state-of-the-art ZIP schemes, and sensor fusion, which allows building robust context from multiple sensor modalities, each capturing a distinct physical phenomenon. We demonstrate, collecting real-world data using off-the-shelf devices, that FastZIP has higher security guarantees than state-of-the-art ZIP schemes against brute-force offline and predictable context attacks (e.g., context replay) and significantly shorter pairing time, improving the usability of our scheme. Third, we develop a new copresence detection method named Next2You; copresence detection is a core part of any ZIA scheme. Next2You utilizes channel state information (CSI), which captures a unique wireless context of an environment (e.g., a room), and neural networks. Through our real-world experiments using off-the-shelf smartphones, we demonstrate that Next2You outperforms state-of-the-art copresence detection methods in two ways: (1) it achieves accurate copresence detection in challenging cases of low-entropy context (e.g., empty room with few events occurring) and insufficiently separated environments (e.g., adjacent rooms), thus is more secure and (2) Next2You requires devices to only have ubiquitous Wi-Fi chipsets, without a need for extra sensors (e.g., microphones), improving the deployability of our method. Fourth, we publicly release the collected context data and codebase of the above contributions, enhancing the reproducibility in the domain of ZIP and ZIA.

  2021  Technische Universität Darmstadt Darmstadt Master's thesis

LoRaWAN Security Analysis : An Experimental Evaluation of Attacks

Frank Hessel

PDF BibTeX DOI: 10.26083/tuprints-00017550

Abstract
Low-power wide-area networks (LPWAN) are becoming the wireless backbone for modern business processes and municipal administration. LoRaWAN, which stands for long-range wide-area network, is a recent medium access control (MAC) layer protocol competing for this market. It stands out by its open operator model and a novel modulation technique. With LoRaWAN and other communication technologies are becoming a dependency for more and more aspects of today's society, the question for their security and reliability comes up. Previous researches on the topic have already revealed vulnerabilities in the first LoRaWAN specification, which have been partly mitigated in the most recent LoRaWAN 1.1. However, related studies often provide only theoretical results or consider practical scenarios only on a specific, small scale. In this thesis, we present a LoRaWAN security evaluation framework that allows field-testing the security and reliability characteristics of actual LoRaWAN deployments. This provides not only reproducible results but also allows making a comparison between defined versions of the specification and LoRaWAN software. Before expounding implementation details, we provide a literature survey on LoRaWAN vulnerabilities and attacks to identify interesting aspects for further evaluation. From our experimental results, we show that jamming is a serious threat to the availability of LoRaWAN networks. Furthermore, we demonstrate the practical applicability of two replay attacks against a selection of LoRaWAN software and illustrate why they will remain relevant for years due to backward compatibility.

  2021  Technische Universität Darmstadt Darmstadt PhD thesis

Improving Online Privacy and Security Through Crowdsourced Transparency Platforms and Operator Notifications

Max Jakob Maass

PDF BibTeX DOI: 10.26083/tuprints-00019190

Abstract
Modern life relies on the internet for everything from communicating and shopping to banking and seeking medical advice. However, this growth of internet-based services also leads to a higher risk of security and privacy issues. Finding and remediating these issues is an important challenge which cannot be addressed through purely technical means, as legal, economic, and psychological factors can also play a role in how these issues are created and resolved. This dissertation approaches this challenge from two sides: we discuss how to collect data and detect issues in the web and email ecosystems, and how the operators of affected systems can be convinced to address them. Today, efforts to understand internet ecosystems frequently rely on automated large-scale scans. These can efficiently investigate large numbers of systems, but cannot access some ecosystems that require manual actions (e.g., signing up for a newsletter or account). To gather research data and gain access to new ecosystems, we propose and develop two public transparency platforms for use by internet users which collect information about security and privacy issues in the web and email ecosystems using a crowdsourcing approach. We consult with legal experts to ensure the adherence of our platforms to the relevant legislation. Over the 4 years of operation the platforms collected over 3 million scan results, which can serve as a basis for future research. Our platforms also revealed a number of privacy, security and compliance issues, which should be addressed by the operators of the affected systems. Past research has shown that notifying operators about issues and convincing them to make changes is a challenging problem and frequently results in unsatisfactory remediation rates. We thus investigate the factors influencing the success of large-scale notification campaigns. For this purpose, we conduct three notification studies that evaluate different methods to incentivize system operators to address the issues, like inducing a competitive pressure (leveraging our existing public platform), highlighting the security threat an issue poses, or informing the operators that their systems are not compliant with relevant legislation. We also evaluate the choice of the message medium and the sender as factors in the success of a notification campaign. We collaborate with researchers from economics, law, and psychology to gain additional insights into the behavior of organizations and individual operators. Finally, we derive organizational and methodological recommendations for future notification campaigns based on our experience.

  2021  ARES 2021: The 16th International Conference on Availability, Reliability and Security Conference

Snail Mail Beats Email Any Day: On Effective Operator Security Notifications in the Internet

Max Maass Marc-Pascal Clement Matthias Hollick

BibTeX DOI: 10.1145/3465481.3465743

Abstract
In the era of large-scale internet scanning, misconfigured websites are a frequent cause of data leaks and security incidents. Previous research has investigated sending automated email notifications to operators of insecure or compromised websites, but has often met with limited success due to challenges in address data quality, spam filtering, and operator distrust and disinterest. While several studies have investigated the design and phrasing of notification emails in a bid to increase their effectiveness, the use of other contact channels has remained almost completely unexplored due to the required effort and cost. In this paper, we investigate two methods to increase notification success: the use of letters as an alternative delivery medium, and the description of attack scenarios to incentivize remediation. We evaluate these factors as part of a notification campaign utilizing manually-collected address information from 1359 German website operators and focusing on unintentional information leaks from web servers. We find that manually collected addresses lead to large increases in delivery rates compared to previous work, and letters were markedly more effective than emails, increasing remediation rates by up to 25 percentage points. Counterintuitively, providing detailed descriptions of possible attacks can actually decrease remediation rates, highlighting the need for more research into how notifications are perceived by recipients.

  2021  ARES 2021: The 16th International Conference on Availability, Reliability and Security Conference

Best Practices for Notification Studies for Security and Privacy Issues on the Internet

Max Maass Henning Pridöhl Dominik Herrmann Matthias Hollick

BibTeX DOI: 10.1145/3465481.3470081

Abstract
Researchers help operators of vulnerable and non-compliant internet services by individually notifying them about security and privacy issues uncovered in their research. To improve efficiency and effectiveness of such efforts, dedicated notification studies are imperative. As of today, there is no comprehensive documentation of pitfalls and best practices for conducting such notification studies, which limits validity of results and impedes reproducibility. Drawing on our experience with such studies and guidance from related work, we present a set of guidelines and practical recommendations, including initial data collection, sending of notifications, interacting with the recipients, and publishing the results. We note that future studies can especially benefit from extensive planning and automation of crucial processes, i. e., activities that take place well before the first notifications are sent.

  2020  IEEE Radar Conference Conference

An Unsupervised Approach for Graph-based Robust Clustering of Human Gait Signatures

A. Taştan M. Muma A. M. Zoubir

BibTeX DOI: 10.1109/RadarConf2043947.2020.9266313

Abstract
Classification of gait abnormalities plays a key role in medical diagnosis, sports, physiotherapy and rehabilitation. We demonstrate the effectiveness of a new graph construction-based outlier detection method and and the applicability of a new parameter-free clustering approach on radar-based human gait signatures. Micro-Doppler radar-based human gait signatures of ten test subjects for five different gait types consisting of normal, simulated abnormal and assisted walks are clustered using five different clustering algorithms. The proposed algorithm outperforms existing methods both in cluster enumeration and partition and achieves an overall correct clustering rate of 92.8%. The developed method is promising for performing medical diagnosis in a robust unsupervised fashion.

  2020  Proceedings of the ACM on Measurement and Analysis of Computing Systems Article

Stay Connected, Leave no Trace: Enhancing Security and Privacy in WiFi via Obfuscating Radiometric Fingerprints

Luis F. Abanto-Leon Andreas Bäuml Gek Hong Sim Matthias Hollick Arash Asadi

PDF BibTeX DOI: 10.1145/3428329

  2020  3rd Workshop on Benchmarking Cyber-Physical Systems and Internet of Things (CPS-IoTBench 2020) Conference

Towards an Automated Monitoring of RF Activity in Low-Power Wireless Testbeds

Markus Schuß Carlo Alberto Boano Kay Römer Jakob Link Matthias Hollick

PDF BibTeX

  2020  14th International Workshop on Wireless Network Testbeds, Experimental evaluation & Characterization Conference

Hardware-Accelerated Real-Time Stream Data Processing on Android with GNU Radio

Bastian Bloessl Lars Baumgärtner Matthias Hollick

PDF BibTeX DOI: 10.1145/3411276.3412184

Abstract
With the ever-increasing performance of smartphones and tablets, they become viable platforms for applications that were, in the past, only possible on desktops or laptops. In this paper, we study their applicability for real-time stream-data processing, which is particularly interesting for Software Defined Radio (SDR) applications, enabling wireless measurement and experimentation campaigns on mobile platforms. To this end, we port GNU Radio, a state-of-theart, open source, real-time stream-data processing framework, to Android and evaluate its performance. We show that it is possible to fully benefit from available accelerators, i.e., Single Instruction Multiple Data (SIMD) and the Graphics Processing Unit (GPU), which provide considerable speedups and allow for efficient implementations. As a general-purpose real-time data processing framework, GNU Radio can provide the base for a wide range of applications. To demonstrate its flexibility, we provide example applications that implement FM and Wireless LAN (WLAN). Our toolchain is published as open source software, thus serving as an enabler for highly mobile SDR applications.

  2020  29th USENIX Security Symposium Conference

Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets

Jan Ruge Jiska Classen Francesco Gringoli Matthias Hollick

PDF BibTeX

  2020  14th USENIX Workshop on Offensive Technologies (WOOT 2020) Conference

Firmware Insider: Bluetooth Randomness is Mostly Random

Jörn Tillmanns Jiska Classen Felix Rohrbach Matthias Hollick

PDF BibTeX

  2020  13th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

Attaching InternalBlue to the proprietary macOS IOBluetooth framework

Davide Toldo Jiska Classen Matthias Hollick

BibTeX DOI: 10.1145/3395351.3401697

Abstract
In this demo, we provide an overview of the macOS Bluetooth stack internals and gain access to undocumented low-level interfaces. We leverage this knowledge to add macOS support to the InternalBlue firmware modification and wireless experimentation framework.

  2020  13th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

Acoustic Integrity Codes: Secure Device Pairing Using Short-Range Acoustic Communication

Florentin Putz Flor Álvarez Jiska Classen

PDF BibTeX DOI: 10.1145/3395351.3399420

Abstract
Secure Device Pairing (SDP) relies on an out-of-band channel to authenticate devices. This requires a common hardware interface, which limits the use of existing SDP systems. We propose to use short-range acoustic communication for the initial pairing. Audio hardware is commonly available on existing off-the-shelf devices and can be accessed from user space without requiring firmware or hardware modifications. We improve upon previous approaches by designing Acoustic Integrity Codes (AICs): a modulation scheme that provides message authentication on the acoustic physical layer. We analyze their security and demonstrate that we can defend against signal cancellation attacks by designing signals with low autocorrelation. Our system can detect overshadowing attacks using a ternary decision function with a threshold. In our evaluation of this SDP scheme’s security and robustness, we achieve a bit error ratio below 0.1% for a net bit rate of 100 bps with a signal-to-noise ratio (SNR) of 14 dB. Using our open-source proof-of-concept implementation on Android smartphones, we demonstrate pairing between different smartphone models.

  2020  IEEE DCOSS 2020: International Conference on Distributed Computing in Sensor Systems Conference

Concurrent Wireless Cut-Through Forwarding: Ultra Low-Latency Multi-Hop Communication for the IoT

Nicolás Himmelmann Dingwen Yuan Lars Almon Matthias Hollick

PDF BibTeX

  2020  IEEE International Conference on Communications (icc2020) Conference

NEAT-TCP: Generation of TCP Congestion Control Through Neuroevolution of Augmenting Topologies

Kay Luis Wallaschek Robin Klose Lars Almon Matthias Hollick

PDF BibTeX

Abstract
We present NEAT-TCP, a novel technique to automatically generate congestion control algorithms in a data-driven fashion while optimizing towards a specified global system utility. NEAT-TCP employs an artificial neural network (ANN) in each node and generates a population of ANNs by means of an evolutionary algorithm called NEAT. The ANNs run independently from each other at the communication endpoints and take only features as inputs that are locally available at these nodes. We define the system utility as a combined maximization of overall throughput and throughput fairness between flows according to Jain's fairness index. The nodes are deployed in a grid topology in ns-3 simulations, which makes it particularly difficult to maximize the utility due to different interference levels for the data flows. In our experiments, NEAT-TCP achieves 69 % more fairness, 66 % less mean end-to-end delay and 71 % less packet loss in relation to TCP New Reno at the cost of 19 % less overall throughput, which meets our multi-criteria objective.

  2020  Technische Universität Darmstadt Darmstadt PhD thesis

Secure device-to-device communication for emergency response

Flor Álvarez

PDF BibTeX DOI: 10.25534/tuprints-00011486

Abstract
Mobile devices have the potential to make a significant impact during disasters. However, their practical impact is severely limited by the loss of access to mobile communication infrastructure: Precisely, when there is a surge in demand for communications from people in a disaster zone, this capacity for communications is severely curtailed. This loss of communications undermines the effectiveness of the many recent innovations in the use of smartphones and similar devices to mitigate the effects of disasters. While various solutions have been proposed, e. g., by having handsets form wireless ad hoc networks, none are complete: Some are specific to certain mobile operating systems or operating system versions. Others result in unacceptably increased energy consumption, flattening the batteries of phones at a time when users need to conserve energy due to the loss of access to opportunities to recharge their mobile devices. Realistic user behaviour, including patterns of movement and communications, are also rarely addressed. Further, security is rarely considered in a comprehensive and satisfying manner, leaving users exposed to a variety of potential attacks. Thus there is a compelling need to find more effective solutions for communications, energy management, and security of mobile devices operating in disaster conditions. To address these shortcomings, this thesis provides a suite of comprehensive solutions that contribute to facilitate secure device-to-device communication for emergency response. This thesis works to solve these problems by: (i) Conducting a large-scale field-trial to understand and analyze civilians’ behaviour during disaster scenarios; (ii) Proposing a practical, lightweight scheme for bootstrapping device-to-device security, that is tailored for local urban operations representative of disaster scenarios; (iii) Realizing novel energy management strategies for the neighbour discovery problem, which deliver significant energy savings in return for only a minimal reduction in neighbour discovery efficiency; (iv) The description of novel concepts for using devices in a smart city environment that remain functional following a disaster to support communications among mobile devices. In short, this thesis adds considerably to the understanding of the difficulties in the formation of direct device-to-device communications networks composed primarily of civilians’ mobile devices, and how several facets of this problem can be mitigated. Several of the proposed enhancements are also implemented. Thus, this thesis also takes essential steps in the direction of realizing such solutions to demonstrate their feasibility on real devices, intending to improve the tools available to civilians post-disaster.

  2020  Embedded Wireless Systems and Networks (EWSN) Conference

Improving the Reliability of Bluetooth Low Energy Connections

Michael Spörk Jiska Classen Carlo Alberto Boano Matthias Hollick Kay Römer

PDF BibTeX

Abstract
o sustain a reliable data exchange, applications based on Bluetooth Low Energy (BLE) need to effectively blacklist channels and adapt the physical mode of an active connection at runtime. Although the BLE specification foresees the use of these two mechanisms, their implementation is left up to the radio vendors and has not been studied in detail yet. This paper fills this gap: we first investigate experimentally how to assess the quality of a BLE connection at runtime using information gathered from the radio. We then show how this information can be used to promptly blacklist poor channels and select a physical mode that sustains a high link-layer reliability while minimizing power consumption. We implement both mechanisms on two popular platforms and show experimentally that they allow to significantly improve the reliability of BLE connections, with a reduction in packet loss by up to 22 % compared to existing solutions.

  2020  Technische Universität Darmstadt Darmstadt PhD thesis

Availability by Design: Practical Denial-of-Service-Resilient Distributed Wireless Networks

Milan Stute

PDF BibTeX DOI: 10.25534/tuprints-00011457

Abstract
Distributed wireless networks (DWNs) where devices communicate directly without relying on Internet infrastructure are on the rise, driving new applications and paradigms such as multimedia, authentication, payment, Internet of things (IoT), vehicular communication, and emergency response. However, the increased societal reliance on technology and the resulting “always-on” expectations of the users increase the risk of denial-of-service (DoS) attacks as they can leverage disruption in new ways beyond extortions (ransomware) that are common in today’s Internet ecosystem. These new risks extend to our physical world, directly impacting our daily lives, e.g., by being locked out of a smart home or by disrupting vehicular collision avoidance systems. As a research community, we need to protect those new applications that—as we find—can be mapped to a total of three distinct networking scopes: neighbor, island, and archipelago. In this thesis, we advance the field in each of these scopes. First, we analyze two proprietary neighbor communication protocols, Apple Wireless Direct Link (AWDL) and Apple AirDrop, that are deployed on more than 1.4 billion devices worldwide. During the process, we uncover several security and privacy vulnerabilities ranging from design flaws to implementation bugs leading to a machine-in-the-middle (MitM) attack on AirDrop, a DoS attack on AWDL preventing communication, and DoS attacks enabling crashing of neighboring devices. In addition, we found privacy leaks that enable user identification and long-term tracking. All attacks can be mounted using low-cost off-the-shelf hardware. In total, we disclose eight distinct vulnerabilities that we mitigate in collaboration with Apple. Second, we design and implement a new island communication protocol tailored to IoT scenarios, which provides provable protections against previously neglected risks such as wormhole- and replay-supported greyhole attacks. We support our analytical findings with testbed experiments. Third, we propose an archipelago-scope communication framework for emergencies that achieves resiliency against flooding and Sybil attacks. We evaluate our design using an original expert knowledge-based simulation that models human mobility during the aftermath of the 2013 Typhoon Haiyan in the Philippines. Finally, and to nourish future research, we provide a guide for analyzing Apple’s wireless ecosystem and publish several software artifacts, including an AWDL Wireshark dissector, open AWDL and AirDrop implementations, a prototype of our IoT communication protocol, and our natural disaster mobility model.

  2020  International Conference on Embedded Wireless Systems and Networks (EWSN 2020) Conference

Analyzing Bluetooth Low Energy Connections on Off-the-Shelf Devices

Jiska Classen Michael Spörk Carlo Alberto Boano Kay Römer Matthias Hollick

PDF BibTeX

  2020  International Conference on Embedded Wireless Systems and Networks (EWSN 2020) Conference

Cross-Technology Broadcast Communication between Off-The-Shelf Wi-Fi, BLE, and IEEE 802.15.4 Devices

Hannah Brunner Rainer Hofmann Markus Schuss Jakob Link Matthias Hollick Carlo Alberto Boano Kay Römer

PDF BibTeX

  2020  Technische Universität Darmstadt Darmstadt PhD thesis

Security and Privacy for IoT Ecosystems

Jiska Classen

PDF BibTeX DOI: 10.25534/tuprints-00011422

Abstract
Smart devices have become an integral part of our everyday life. In contrast to smartphones and laptops, Internet of Things (IoT) devices are typically managed by the vendor. They allow little or no user-driven customization. Users need to use and trust IoT devices as they are, including the ecosystems involved in the processing and sharing of personal data. Ensuring that an IoT device does not leak private data is imperative. This thesis analyzes security practices in popular IoT ecosystems across several price segments. Our results show a gap between real-world implementations and state-of-the-art security measures. The process of responsible disclosure with the vendors revealed further practical challenges. Do they want to support backward compatibility with the same app and infrastructure over multiple IoT device generations? To which extent can they trust their supply chains in rolling out keys? Mature vendors have a budget for security and are aware of its demands. Despite this goodwill, developers sometimes fail at securing the concrete implementations in those complex ecosystems. Our analysis of real-world products reveals the actual efforts made by vendors to secure their products. Our responsible disclosure processes and publications of design recommendations not only increase security in existing products but also help connected ecosystem manufacturers to develop secure products. Moreover, we enable users to take control of their connected devices with firmware binary patching. If a vendor decides to no longer offer cloud services, bootstrapping a vendor-independent ecosystem is the only way to revive bricked devices. Binary patching is not only useful in the IoT context but also opens up these devices as research platforms. We are the first to publish tools for Bluetooth firmware and lower-layer analysis and uncover a security issue in Broadcom chips affecting hundreds of millions of devices manufactured by Apple, Samsung, Google, and more. Although we informed Broadcom and customers of their technologies of the weaknesses identified, some of these devices no longer receive official updates. For these, our binary patching framework is capable of building vendor-independent patches and retrofit security. Connected device vendors depend on standards; they rarely implement lower-layer communication schemes from scratch. Standards enable communication between devices of different vendors, which is crucial in many IoT setups. Secure standards help making products secure by design and, thus, need to be analyzed as early as possible. One possibility to integrate security into a lower-layer standard is Physical-Layer Security (PLS). PLS establishes security on the Physical Layer (PHY) of wireless transmissions. With new wireless technologies emerging, physical properties change. We analyze how suitable PLS techniques are in the domain of mmWave and Visible Light Communication (VLC). Despite VLC being commonly believed to be very secure due to its limited range, we show that using VLC instead for PLS is less secure than using it with Radio Frequency (RF) communication. The work in this thesis is applied to mature products as well as upcoming standards. We consider security for the whole product life cycle to make connected devices and IoT ecosystems more secure in the long term.

  2020  International Journal of Disaster Risk Reduction Article

Empirical insights for designing Information and Communication Technology for International Disaster Response

Milan Stute Max Maass Tom Schons Marc-André Kaufhold Christian Reuter Matthias Hollick

BibTeX DOI: 10.1016/j.ijdrr.2020.101598

Abstract
Due to the increase in natural disasters in the past years, Disaster Response Organizations (DROs) are faced with the challenge of coping with more and larger operations. Currently appointed Information and Communications Technology (ICT) used for coordination and communication is sometimes outdated and does not scale, while novel technologies have the potential to greatly improve disaster response efficiency. To allow adoption of these novel technologies, ICT system designers have to take into account the particular needs of DROs and characteristics of International Disaster Response (IDR). This work attempts to bring the humanitarian and ICT communities closer together. In this work, we analyze IDR-related documents and conduct expert interviews. Using open coding, we extract empirical insights and translate the peculiarities of DRO coordination and operation into tangible ICT design requirements. This information is based on interviews with active IDR staff as well as DRO guidelines and reports. Ultimately, the goal of this paper is to serve as a reference for future ICT research endeavors to support and increase the efficiency of IDR operations.

  2019  IEEE Global Communications Conference (GLOBECOM) 2019 Conference

Riding the Waves: Decoding Asynchronous Multi-User MISO via Time-Variant Zero-Forcing

Robin Klose Matthias Hollick

PDF BibTeX

Abstract
uture wireless communication systems are envisioned to meet stringent latency requirements to support control applications and machine interactions. One important step in this direction is to eliminate waiting times in the protocol stack, which can be achieved by letting multiple nodes transmit the same data concurrently just when the data becomes available. This communication paradigm essentially enables wide-range broadcasting and low-latency flooding. However, imperfect transmitter synchronization may arise in such schemes, which causes signal incoherence, which in turn prohibits reception with conventional decoders. In this paper, we introduce time-variant zero-forcing (TVZF), a novel equalization technique that deals with non-stationary interferences. In doing so, TVZF relaxes the requirements for time and frequency synchronization in concurrent multi-user transmissions. We present a receiver design for asynchronous MU-MISO with IEEE 802.11g compliant signals and evaluate it with over-the-air transmissions in a WARP SDR testbed in LOS and NLOS scenarios. The relative timing and frequency offsets between concurrent transmitters are systematically tuned to assess our receiver's performance in comparison to commodity hardware. For timing offsets up to the length of the cyclic prefix and frequency offsets up to 5 kHz, our receiver achieves average frame reception rates of 97 % and 92 % for LOS and NLOS, respectively.

  2019  2019 IEEE Global Communications Conference (GLOBECOM) Conference

Hybrid Precoding for Multi-Group Multicasting in mmWave Systems

Luis F. Abanto-Leon Matthias Hollick Gek Hong Sim

PDF BibTeX

Abstract
Multicast beamforming is known to improve spectral efficiency. However, its benefits and challenges for hybrid precoders design in millimeter-wave (mmWave) systems remain understudied. To this end, this paper investigates the first joint design of hybrid transmit precoders (with an arbitrary number of finite-resolution phase shifts) and receive combiners for mmWave multi-group multicasting. Our proposed design leverages semidefinite relaxation (SDR), alternating optimization and Cholesky matrix factorization to sequentially optimize the digital/analog precoders at the transmitter and the combiners at each receiver. By considering receivers with multiple- antenna architecture, our design remarkably improves the overall system performance. Specifically, with only two receive antennas the average transmit power per received message improves by $ 16.8% $ while the successful information reception is boosted by $ 60% $. We demonstrate by means of extensive simulations that our hybrid precoder design performs very close to its fully-digital counterpart even under challenging scenarios (i.e., when co-located users belong to distinct multicast groups).

  2019  GetMobile: Mobile Computing and Communications Article

Zero-Interaction Security - Towards Sound Experimental Validation

Mikhail Fomichev Max Maass Matthias Hollick

PDF BibTeX DOI: 10.1145/3372300.3372304

Abstract
Reproducibility and realistic datasets are crucial for advancing research. Unfortunately, they are often neglected as valid scientific contributions in many young disciplines, with computer science being no exception. In this article, we show the challenges encountered when reproducing the work of others, collecting realistic data in the wild, and ensuring that our own work is reproducible in turn. The presented findings are based on our study investigating the limits of zero-interaction security (ZIS)- a novel concept, leveraging sensor data collected by Internet of Things (IoT) devices to pair or authenticate devices. In particular, we share our experiences in reproducing five state-of-the-art ZIS schemes, collecting a comprehensive dataset of sensor data from the real world, evaluating these schemes on the collected data, and releasing the data, code, and documentation to facilitate reproducibility of our results.

  2019  13th International Workshop on Wireless Network Testbeds, Experimental Evaluation & Characterization (WiNTECH ’19) Conference

Free Your CSI: A Channel State Information Extraction Platform For Modern Wi-Fi Chipsets

Francesco Gringoli Matthias Schulz Jakob Link Matthias Hollick

PDF BibTeX DOI: 10.1145/3349623.3355477

Abstract
Modern wireless transmission systems heavily benefit from knowing the channel response. The evaluation of Channel State Information (CSI) during the reception of a frame preamble is fundamental to properly equalizing the rest of the transmission at the receiver side. Reporting this state information back to the transmitter facilitates mechanisms such as beamforming and MIMO, thus boosting the network performance. While these features are an integral part of standards such as 802.11ac, accessing CSI data on commercial devices is either not possible, limited to outdated chipsets or very inflexible. This hinders the research and development of innovative CSI-dependent techniques including localization, object tracking, and interference evaluation. To help researchers and practitioners, we introduce the nexmon CSI Extractor Tool. It allows per-frame CSI extraction for up to four spatial streams using up to four receive chains on modern Broadcom and Cypress Wi-Fi chips with up to 80MHz bandwidth in both the 2.4 and 5GHz bands. The tool supports devices ranging from the low-cost Raspberry Pi platform, over mobile platforms such as Nexus smartphones to state-of-the-art Wi-Fi APs. We release all tools and Wi-Fi firmware patches as extensible open source project. It includes our user-friendly smartphone application to demonstrate the CSI extraction capabilities in form of a waterfall diagram.

  2019  Proceedings of the GNU Radio Conference Article

Benchmarking and Profiling the GNURadio Scheduler

Bastian Bloessl Marcus Müller Matthias Hollick

PDF BibTeX

Abstract
From a technical perspective, GNURadio has two main assets: its comprehensive block library of optimized, state-of-the-art signal processing algorithms and its runtime environment. The latter manages the data flow and turns GNURadio in a real-time signal processing framework. In contrast to the block library, where it is easy to replace blocks with more efficient implementations, the runtime grew organically, which resulted in a complex system that is hard to maintain. At the same time, there are concerns about its performance. To understand the current implementation and explore opportunities for future improvements, we provide benchmarking and profiling results. We, furthermore, compare the performance of GNURadio’s default with a manually optimized configuration to show the potential of a more advanced scheduler.

  2019  2019 World Congress on Resilience, Reliability and Asset Management (WCRRAM) Conference

The Emergency Responsive Digital City

Matthias Hollick Anne Hofmeister Jens Ivo Engels Bernd Freisleben Gerrit Hornung Anja Klein Michèle Knodt Imke Lorenz Max Mühlhäuser Peter F. Pelz Annette Rudolph-Cleff Ralf Steinmetz Florian Steinke Oskar von Stryk

BibTeX

  2019  The 17th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys ’19) Conference

InternalBlue - Bluetooth Binary Patching and Experimentation Framework

Dennis Mantz Jiska Classen Matthias Schulz Matthias Hollick

BibTeX DOI: 10.1145/3307334.3326089

Abstract
Bluetooth is one of the most established technologies for short range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In par ticular, system aspects and close to hardware protocol layers are mostly uncovered. We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep in sights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework—outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform. InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware.

  2019  12th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec'19) Conference

Inside Job: Diagnosing Bluetooth Lower Layers Using Off-the-Shelf Devices

Jiska Classen Matthias Hollick

BibTeX DOI: 10.1145/3317549.3319727

Abstract
Bluetooth is among the dominant standards for wireless short-range communication with multi-billion Bluetooth devices shipped each year. Basic Bluetooth analysis inside consumer hardware such as smartphones can be accomplished observing the Host Controller Interface (HCI) between the operating system’s driver and the Bluetooth chip. However, the HCI does not provide insights to tasks running inside a Bluetooth chip or Link Layer (LL) packets exchanged over the air. As of today, consumer hardware internal behavior can only be observed with external, and often expensive tools, that need to be present during initial device pairing. In this paper, we leverage standard smartphones for on-device Bluetooth analysis and reverse engineer a diagnostic protocol that resides inside Broadcom chips. Diagnostic features include sniffing lower layers such as LL for Classic Bluetooth and Bluetooth Low Energy (BLE), transmission and reception statistics, test mode, and memory peek and poke.

  2019  EWSN'19-International Conference on Embedded Wireless Systems and Networks Conference

Practical VLC to WiFi Handover Mechanisms

Richard Meister Jiska Classen Muhammad Saad Saud Marcos Katz Matthias Hollick

PDF BibTeX

Abstract
Visible light communication (VLC) is an emerging communication technology that perfectly integrates into crowded legacy radio frequency (RF) environments to increase bandwidth. Despite the fact that integrating these technologies would be beneficial for both of them, there is only little research on handover mechanisms, and most of it is simulation only. We design a software defined radio (SDR) based VLC+WiFi testbed in which both technologies can coexist, design handover mechanisms between VLC and WiFi, and evaluate them based on user-induced link blockage measurements in our testbed.

  2019  Proceedings of the IEEE Article

Transitions: A Protocol-Independent View of the Future Internet

Bastian Alt Markus Weckesser Christian Becker Matthias Hollick Sounak Kar Robin Klose Roland Kluge Heinz Koeppl Wasiur R. KhudaBukhsh Manisha Luthra Mahdi Mousavi Max Mühlhäuser Martin Pfannemüller Amr Rizk Andy Schürr Ralf Steinmetz Anja Klein

BibTeX DOI: 10.1109/JPROC.2019.2895964

  2019  43rd IEEE Conference on Local Computer Networks (LCN) Conference

Sea of Lights: Practical Device-to-Device Security Bootstrapping in the Dark

Flor Álvarez Matthias Hollick

PDF BibTeX DOI: 10.1109/LCN.2018.8638102

Abstract
Practical solutions to bootstrap security in today's information and communication systems critically depend on centralized services for authentication as well as key and trust management. This is particularly true for mobile users. Identity providers such as Google or Facebook have active user bases of two billion each, and the subscriber number of mobile operators exceeds five billion unique users as of early 2018. If these centralized services go completely 'dark' due to natural or man made disasters, large scale blackouts, or country-wide censorship, the users are left without practical solutions to bootstrap security on their mobile devices. Existing distributed solutions, for instance, the so-called web-of-trust are not sufficiently lightweight. Furthermore, they support neither cross-application on mobile devices nor strong protection of key material using hardware security modules. We propose Sea of Lights (SOL), a practical lightweight scheme for bootstrapping device-to-device security wirelessly, thus, enabling secure distributed self-organized networks. It is tailored to operate `in the dark' and provides strong protection of key material as well as an intuitive means to build a lightweight web-of-trust. SOL is particularly well suited for local or urban operation in scenarios such as the coordination of emergency response, where it helps containing/limiting the spreading of misinformation. As a proof of concept, we implement SOL in the Android platform and hence test its feasibility on real mobile devices. We further evaluate its key performance aspects using simulation.

  2019  Technische Universität Darmstadt Darmstadt PhD thesis

Performance and Security Enhancements in Practical Millimeter-Wave Communication Systems

Daniel Steinmetzer

PDF BibTeX

Abstract
Millimeter-wave (mm-wave) communication systems achieve extremely high data rates and provide interference-free transmissions. to overcome high attenuations, they employ directional antennas that focus their energy in the intended direction. Transmissions can be steered such that signals only propagate within a specific area-of-interest. Although these advantages are well-known, they are not yet available in practical networks. IEEE 802.11ad, the recent standard for communications in the unlicensed 60 GHz band, exploits a subset of the directional propagation effects only. Despite the large available spectrum, it does not outperform other developments in the prevalent sub-6 GHz bands. This underutilization of directional communications causes unnecessary performance limitations and leaves a false sense of security. For example, standard compliant beam training is very time consuming. It uses suboptimal beam patterns, and is unprotected against malicious behaviors. Furthermore, no suitable research platform exists to validate protocols in realistic environments. To address these challenges, we develop a holistic evaluation framework and enhance the performance and security in practical mm-wave communication systems. Besides signal propagation analyses and environment simulations, our framework enables practical testbed experiments with off-the-shelf devices. We provide full access to a tri-band router’s operating system, modify the beam training operation in the Wi-Fi firmware, and create arbitrary beam patterns with the integrated antenna array. This novel approach allows us to implement custom algorithms such as a compressive sector selection that reduces the beam training overhead by a factor of 2.3. By aligning the receive beam, our adaptive beam switching algorithm mitigates interference from lateral directions and achieves throughput gains of up to 60%. With adaptive beam optimization, we estimate the current channel conditions and generate directional beams that implicitly exploit potential reflections in the environment. These beams increase the received signal strength by about 4.4 dB. While intercepting a directional link is assumed to be challenging, our experimental studies show that reflections on small-scale objects are sufficient to enable eavesdropping from afar. Additionally, we practically demonstrate that injecting forged feedback in the beam training enables Man-in-the Middle attacks. With only 7.3% overhead, our authentication scheme protects against this beam stealing and enforces responses to be only accepted from legitimate devices. By making beam training more efficient, effective, and reliable, our contributions finally enable practical applications of highly directional transmissions.

  2019  2019 IEEE International Conference on Pervasive Computing and Communications Workshops, PerCom Workshops 2019 Conference

CoalaViz: Supporting Traceability of Adaptation Decisions in Pervasive Communication Systems

Martin Pfannemüller Markus Weckesser Roland Kluge Janick Edinger Manisha Luthra Robin Klose Christian Becker Andy Schürr

BibTeX

  2019  2019 IEEE 44nd Conference on Local Computer Networks (LCN) Conference

The King is Dead Long Live the King! Towards Systematic Performance Evaluation of Heterogeneous Bluetooth Mesh Networks in Real World Environments

Lars Almon Flor Álvarez Laurenz Kamp Matthias Hollick

BibTeX

Abstract
Wireless networks based on Bluetooth mesh (BM) promise a variety of Internet of Things applications from health- care monitoring to smart buildings. BM introduces a novel network concept that supports up to 32767 devices and 127 hops. So far no readily available dataset or toolset exists to perform systematic in-depth performance analysis of this standard. In this paper, we present insights on the performance and practical usability of BM. We conduct realistic smart office experiments with heterogeneous devices distributed throughout an area of approximately 1100m2. By varying network pa- rameters and BM node features, we collect the first public available BM dataset. Based on our experience, the use of current implementations is error-prone due to the complexity of BM. To facilitate researchers to conduct further experiments, we propose a toolset to configure and systematically evaluate BM performance. Finally we discuss several pitfalls that should be avoided in designing and deploying such networks.

  2019  7th Annual Privacy Forum (APF 2019) Conference

Towards Transparency in Email Tracking

Max Maass Stephan Schwär Matthias Hollick

BibTeX DOI: 10.1007/978-3-030-21752-5_2

Abstract
Tracking technologies have become ubiquitous, not only on websites but also in email messages. However, while protection and transparency tools exist for the web, no such tools exist for email messages, thus obscuring privacy violations. We introduce the PrivacyMail platform to assist with the automated analysis of email messages. The platform automatically analyzes commercial mailing lists, making it easier to detect different forms of tracking. Our platform introduces transparency about the practices of companies, and serves as a tool for regulators, data protection professionals and consumers alike. Our preliminary results show widespread email tracking, where opening an email can result in information being sent to up to 13 third parties, in some cases disclosing the users' email address in the process.

  2019  Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) Article

Perils of Zero-Interaction Security in the Internet of Things

Mikhail Fomichev Max Maass Lars Almon Alejandro Molina Matthias Hollick

BibTeX DOI: 10.1145/3314397

Abstract
The Internet of Things (IoT) demands authentication systems which can provide both security and usability. Recent research utilizes the rich sensing capabilities of smart devices to build security schemes operating without human interaction, such as zero-interaction pairing (ZIP) and zero-interaction authentication (ZIA). Prior work proposed a number of ZIP and ZIA schemes and reported promising results. However, those schemes were often evaluated under conditions which do not reflect realistic IoT scenarios. In addition, drawing any comparison among the existing schemes is impossible due to the lack of a common public dataset and unavailability of scheme implementations. In this paper, we address these challenges by conducting the first large-scale comparative study of ZIP and ZIA schemes, carried out under realistic conditions. We collect and release the most comprehensive dataset in the domain to date, containing over 4250 hours of audio recordings and 1 billion sensor readings from three different scenarios, and evaluate five state-of-the-art schemes based on these data. Our study reveals that the effectiveness of the existing proposals is highly dependent on the scenario they are used in. In particular, we show that these schemes are subject to error rates between 0.6% and 52.8%.

  2019  2019 IEEE International Conference on Pervasive Computing and Communications Workshops, PerCom Workshops 2019 Conference

Demo: Visualizing Adaptation Decisions in Pervasive Communication Systems

Martin Pfannemüller Janick Edinger Markus Weckesser Roland Kluge Manisha Luthra Robin Klose Christian Becker Andy Schürr

BibTeX

  2019  Wirtschaftsinformatik 2019 Conference

On the Difficulties of Incentivizing Online Privacy through Transparency: A Qualitative Survey of the German Health Insurance Market

Max Maass Nicolas Walter Dominik Herrmann Matthias Hollick

BibTeX

Abstract
Today, online privacy is the domain of regulatory measures and privacy-enhancing technologies. Transparency in the form of external and public assessments has been proposed for improving privacy and security because it exposes otherwise hidden deficiencies. Previous work has studied privacy attitudes and behavior of consumers. However, little is known on how organizations react to measures that employ public "naming and shaming" as an incentive for improvement. We performed the first study on this aspect by conducting a qualitative survey with 152 German health insurers. We scanned their websites with PrivacyScore.org to generate a public ranking and confronted the insurers with the results. We obtained a response rate of 27%. Responses ranged from positive feedback to legal threats. Only 12% of the sites - mostly non-responders - improved during our study. Our results show that insurers struggle due to unawareness, reluctance, and incapability, and demonstrate the general difficulties of transparency-based approaches.

  2019  Proceedings of the ACM on Programming Languages Article

A Fault-Tolerant Programming Model for Distributed Interactive Applications

Ragnar Mogk Joscha Drechsler Guido Salvaneschi Mira Mezini

BibTeX DOI: 10.1145/3360570

Abstract
Ubiquitous connectivity of web, mobile, and IoT computing platforms has fostered a variety of distributed applications with decentralized state. These applications execute across multiple devices with varying reliability and connectivity. Unfortunately, there is no declarative fault-tolerant programming model for distributed interactive applications with an inherently decentralized system model. We present a novel approach to automating fault tolerance using high-level programming abstractions tailored to the needs of distributed interactive applications. Specifically, we propose a calculus that enables formal reasoning about applications' dataflow within and across individual devices. Our calculus reinterprets the functional reactive programming model to seamlessly integrate its automated state change propagation with automated crash recovery of device-local dataflow and disconnection-tolerant distribution with guaranteed automated eventual consistency semantics based on conflict-free replicated datatypes. As a result, programmers are relieved of handling intricate details of distributing change propagation and coping with distribution failures in the presence of interactivity. We also provides proofs of our claims, an implementation of our calculus, and an empirical evaluation using a common interactive application.

  2019  9th IEEE Global Humanitarian Technology Conference (IEEE GHTC 2019) Conference

Bluemergency: Mediating Post-disaster Communication Systems using the Internet of Things and Bluetooth Mesh

Flor Álvarez Lars Almon Hauke Radtki Matthias Hollick

BibTeX

Abstract
Mobile devices have shown to be very useful during and post disaster. If the communication infrastructure breaks down, however, they become almost useless as most services rely on Internet connectivity. Building post-disaster networks based purely on smartphones remains a challenging task, and, as of today, no practical solutions exist. The rapidly growing Internet of Things (IoT) offers the possibility to improve this situation. With an increase in smart spaces such as smart homes and smart offices, we move towards digital cities that are deeply penetrated by IoT technology. Many IoT devices are battery powered and can aid in mediating an emergency network. In scenarios where the electrical grid is still operational, yet communication infrastructure failed, non-battery powered IoT devices can similarly help to relief congestion or build a backup network in case of cyber attacks. With the recent release of the Bluetooth Mesh standard, a common interface between mobile devices and the IoT has become available. The key idea behind this standard is to allow existing and new devices to build large-scale multi-hop sensor networks. By enabling hundreds of devices to communicate with each other, Bluetooth Mesh (BT MESH) becomes a practical technical solution for enabling communication post disaster. In this paper, we propose a novel emergency network concept that utilizes the parts of digital cities that remains operational in case of disaster, thus mediating large- scale post-disaster device-to-device communication. Since the Bluetooth Mesh standard is backwards compatible to Bluetooth 4.0, most of today’s mobile devices can join such a network. No special hardware or software modifications are necessary, especially no jail-breaking of the smartphones.

  2019  28th USENIX Security Symposium (USENIX Security '19) Conference

A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link

Milan Stute Sashank Narain Alex Mariotto Alexander Heinrich David Kreitschmann Guevara Noubir Matthias Hollick

PDF BibTeX

Abstract
Apple Wireless Direct Link (AWDL) is a key protocol in Apple's ecosystem used by over one billion iOS and macOS devices for device-to-device communications. AWDL is a proprietary extension of the IEEE 802.11 (Wi-Fi) standard and integrates with Bluetooth Low Energy (BLE) for providing services such as Apple AirDrop. We conduct the first security and privacy analysis of AWDL and its integration with BLE. We uncover several security and privacy vulnerabilities ranging from design flaws to implementation bugs leading to a man-in-the-middle (MitM) attack enabling stealthy modification of files transmitted via AirDrop, denial-of-service (DoS) attacks preventing communication, privacy leaks that enable user identification and long-term tracking undermining MAC address randomization, and DoS attacks enabling targeted or simultaneous crashing of all neighboring devices. The flaws span across AirDrop's BLE discovery mechanism, AWDL synchronization, UI design, and Wi-Fi driver implementation. Our analysis is based on a combination of reverse engineering of protocols and code supported by analyzing patents. We provide proof-of-concept implementations and demonstrate that the attacks can be mounted using a low-cost ($20) micro:bit device and an off-the-shelf Wi-Fi card. We propose practical and effective countermeasures. While Apple was able to issue a fix for a DoS attack vulnerability after our responsible disclosure, the other security and privacy vulnerabilities require the redesign of some of their services.

  2019  Security Standardisation Research Conference 2019 (ACM CCS Workshop) Conference

Toxic Friends in Your Network: Breaking the Bluetooth Mesh Friendship Concept

Flor Álvarez Lars Almon Ann-Sophie Hahn Matthias Hollick

BibTeX

Abstract
Bluetooth Low Energy is the dominant wireless technology empowering the Internet-of-Things. It has recently been amended with Bluetooth Mesh, which promises secure low energy multi-hop wireless connectivity with a software-only upgrade to existing Bluetooth devices. Bluetooth Mesh claims to be suitable for building large-scale multi-hop sensor networks with thousands of devices and up to 127 hops. In particular, it introduces the friendship concept, allowing low power Internet-of-Things devices to save energy by going into sleep mode, while their associated friend node caches their packets. In this paper, we show that the security model underlying the friendship concept introduces a number of simplifying assumptions that can be harnessed against the Bluetooth Mesh network. We demonstrate three fundamental vulnerabilities in the security model that lead to denial-of-service and impersonation attacks. Furthermore, we experimentally proof that our denial-of-service attack significantly affects the battery life of low power Internet-of-Things devices from a normal duration of two years to just few days. In addition, we introduce btlemesh, an open-source tool to analyze Bluetooth Mesh and perform the aforementioned security tests in practice. Finally, we discuss possible countermeasures to mitigate these vulnerabilities.

  2018  12th International Workshop on Wireless Network Testbeds, Experimental Evaluation & Characterization (WiNTECH '18) Conference

TPy: A Lightweight Framework for Agile Distributed Network Experiments

Daniel Steinmetzer Milan Stute Matthias Hollick

PDF BibTeX DOI: 10.1145/3267204.3267214

Abstract
Experimental validation of novel network solutions, protocols, and applications gains increasing importance. The complexity of today's network systems makes evaluations in physical testbeds mandatory to capture real-world effects. However, this causes methodological and technical issues and challenges researchers in handling their agile testbed deployments. In contrast to Internet-scale testbeds, most agile experiments require specific topologies, specialized hardware, or a custom environment. They typically run only a few times and demand live user interaction. Existing management systems for Internet-scale testbeds do not accommodate these needs due to their complexity and maintenance overhead. In this paper, we present TPy, a lightweight and flexible framework to conduct distributed network experiments. TPy is written in Python and extendable via modules. To demonstrate its versatility and ease-of-use, we use TPy to perform experiments in the domains of millimeter-wave and secure multi-hop communications. We share TPy as open source software to support the community of experimental evaluation.

  2018  The 24th Annual International Conference on Mobile Computing and Networking (MobiCom '18) Conference

Demo: Linux Goes Apple Picking: Cross-Platform Ad hoc Communication with Apple Wireless Direct Link

Milan Stute David Kreitschmann Matthias Hollick

PDF BibTeX DOI: 10.1145/3241539.3267716

Abstract
Apple Wireless Direct Link (AWDL) is a proprietary and undocumented wireless ad hoc protocol that Apple introduced around 2014 and which is the base for applications such as AirDrop and AirPlay. We have reverse engineered the protocol and explain its frame format and operation in our MobiCom '18 paper "One Billion Apples' Secret Sauce: Recipe of the Apple Wireless Direct Link Ad hoc Protocol." AWDL builds on the IEEE 802.11 standard and implements election, synchronization, and channel hopping mechanisms on top of it. Furthermore, AWDL features an IPv6-based data path which enables direct communication. To validate our own work, we implement a working prototype of AWDL on Linux-based systems. Our implementation is written in C, runs in userspace, and makes use of Linux's Netlink API for interactions with the system's networking stack and the pcap library for frame injection and reception. In our demonstrator, we show how our Linux system synchronizes to an existing AWDL cluster or takes over the master role itself. Furthermore, it can receive data frames from and send them to a MacBook or iPhone via AWDL. We demonstrate the data exchange via ICMPv6 echo request and replies as well as sending and receiving data over a TCP connection.

  2018  The 24th Annual International Conference on Mobile Computing and Networking (MobiCom '18) Conference

One Billion Apples' Secret Sauce: Recipe for the Apple Wireless Direct Link Ad hoc Protocol

Milan Stute David Kreitschmann Matthias Hollick

PDF BibTeX DOI: 10.1145/3241539.3241566

Abstract
Apple Wireless Direct Link (AWDL) is a proprietary and undocumented IEEE 802.11-based ad hoc protocol. Apple first introduced AWDL around 2014 and has since integrated it into its entire product line, including iPhone and Mac. While we have found that AWDL drives popular applications such as AirPlay and AirDrop on more than one billion end-user devices, neither the protocol itself nor potential security and Wi-Fi coexistence issues have been studied. In this paper, we present the operation of the protocol as the result of binary and runtime analysis. In short, each AWDL node announces a sequence of Availability Windows (AWs) indicating its readiness to communicate with other AWDL nodes. An elected master node synchronizes these sequences. Outside the AWs, nodes can tune their Wi-Fi radio to a different channel to communicate with an access point, or could turn it off to save energy. Based on our analysis, we conduct experiments to study the master election process, synchronization accuracy, channel hopping dynamics, and achievable throughput. We conduct a preliminary security assessment and publish an open source Wireshark dissector for AWDL to nourish future work.

  2018  CHANTS '18 - 13th Workshop on Challenged Networks Conference

Conducting a Large-scale Field Test of a Smartphone-based Communication Network for Emergency Response

Flor Álvarez Lars Almon Patrick Lieser Tobias Meuser Yannick Dylla Björn Richerzhagen Matthias Hollick Ralf Steinmetz

PDF BibTeX DOI: 10.1145/3264844.3264845

Abstract
Smartphone-based communication networks form a basis for services in emergency response scenarios, where communication infrastructure is impaired or overloaded. Still, their design and evaluation are largely based on simulations that rely on generic mobility models and weak assumptions regarding user behavior. For a realistic assessment, scenario-specific models are essential. To this end, we conducted a large-scale field test of a set of emergency services that relied solely on ad hoc communication. Over the course of one day, we gathered data from smartphones distributed to 125 participants in a scripted disaster event. In this paper, we present the scenario, measurement methodology, and a first analysis of the data. Our work provides the first trace combining user interaction, mobility, and additional sensor readings of a large-scale emergency response scenario, facilitating future research.

  2018  MobiCom 2018 - 24th ACM Annual International Conference on Mobile Computing and Networking Conference

Adaptive Codebook Optimization for Beam-Training on Off-The-Shelf IEEE 802.11ad Devices

Joan Palacios Daniel Steinmetzer Adrian Loch Matthias Hollick Joerg Widmer

PDF BibTeX DOI: 10.1145/3241539.3241576

Abstract
Beamforming is vital to overcome the high attenuation in wireless millimeter-wave networks. It enables nodes to steer their antennas in the direction of communication. To cope with complexity and overhead, the IEEE 802.11ad standard uses a sector codebook with distinct steering directions. In current off-the-shelf devices, we find codebooks with generic pre-defined beam patterns. While this approach is simple and robust, the antenna modules that are typically deployed in such devices are capable of generating much more precise antenna beams. In this paper, we adaptively adjust the sector codebook of IEEE 802.11ad devices to optimize the transmit beam patterns for the current channel. To achieve this, we propose a mechanism to extract full channel state information (CSI) regarding phase and magnitude from coarse signal strength readings on off-the-shelf IEEE 802.11ad devices. Since such devices do not expose the CSI directly, we generate a codebook with phase-shifted probing beams that enables us to obtain the CSI by combining strategically selected magnitude measurements. Using this CSI, transmitters dynamically compute a transmit beam pattern that maximizes the signal strength at the receiver. Thereby, we automatically exploit reflectors in the environment and improve the received signal quality. Our implementation of this mechanism on off-the-shelf devices demonstrates that adaptive codebook optimization achieves a significantly higher throughput of about a factor of two in typical real-world scenarios.

  2018  Computer Communications Article

The Nexmon firmware analysis and modification framework: Empowering researchers to enhance Wi-Fi devices

Matthias Schulz Daniel Wegemer Matthias Hollick

PDF BibTeX DOI: 10.1016/j.comcom.2018.05.015

Abstract
The most widespread Wi-Fi enabled devices are smartphones. They are mobile, close to people and available in large quantities, which makes them perfect candidates for real-world wireless testbeds. Unfortunately, most smartphones contain closed-source FullMAC Wi-Fi chips that hinder the modification of lower-layer Wi-Fi mechanisms and the implementation of new algorithms. To enable researchers’ access to lower-layer frame processing and advanced physical-layer functionalities on Broadcom Wi-Fi chips, we developed the Nexmon firmware patching framework. It allows users to create firmware modifications for embedded ARM processors using C code and to change the behaviour of Broadcom’s real-time processor using Assembly. Currently, our framework supports nine Broadcom chips available in smartphones and Raspberry Pis. Our example patches enable monitor mode, frame injection, handling of ioctls, ucode compression, flashpatches, software-defined radio capabilities, channel state information extraction and access to debugging features. To enhance firmware analysis, we present a debugger application that directly accesses the debugging core of the ARM microcontroller executing the Wi-Fi firmware. Additionally, we discuss how Wi-Fi chips can be protected from malicious firmware while still allowing researchers to run custom code. Using Nexmon, researchers can unleash the full capabilities of off-the-shelf Wi-Fi devices.

  2018  Technische Universität Darmstadt Master's thesis

Security Analysis and Firmware Modification of Fitbit Fitness Trackers

Matthias Hanreich

BibTeX

  2018  Technische Universität Darmstadt Master's thesis

Learning the Beams

Fabian Franke

BibTeX

  2018  Technische Universität Darmstadt Master's thesis

InternalBlue – A Bluetooth Experimentation Framework Based on Mobile Device Reverse Engineering

Dennis Mantz

BibTeX

  2018  Technische Universität Darmstadt Bachelor's thesis

Wi-Fi Based Key Exchange On Android Smartphones

Damir Mehmedovic

BibTeX

  2018  15th Annual IEEE International Conference on Sensing, Communication, and Networking (SECON 2018) Conference

Fast and Infuriating: Performance and Pitfalls of 60 GHz WLANs Based on Consumer-Grade Hardware

Swetank Kumar Saha Hany Assasa Adrian Loch Naveen Muralidhar Prakash Roshan Shyamsunder Shivang Aggarwal Daniel Steinmetzer Dimitrios Koutsonikolas Joerg Widmer Matthias Hollick

PDF BibTeX DOI: 10.1109/SAHCN.2018.8397123

Abstract
Wireless networks operating in the 60 GHz band have the potential to provide very high throughput but face a number of challenges (e.g., high attenuation, beam training, and coping with mobility) which are widely accepted but often not well understood in practice. Understanding these challenges, and especially their actual impact on consumer-grade hardware is fundamental to fully exploit the high physical layer rates in the 60 GHz band. To this end, we perform an extensive measurement campaign using two commercial off-the-shelf 60 GHz routers in practical real-world environments. Our study is centered around two fundamental adaptation mechanisms in 60 GHz networks-beam training and rate control- whose interactions are key for performance. Understanding these interactions allows us to revisit a range of issues and provide much deeper insights into the reasons for specific performance compared to prior work on performance characterization. Further, our study goes beyond basic link characterization and explores for the first time practical considerations such as coverage and access point deployment. While some of our observations are expected, we also obtain highly surprising insights that challenge the prevailing wisdom in the community.

  2018  11th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

Beam-Stealing: Intercepting the Sector Sweep to Launch Man-in-the-Middle Attacks on Wireless IEEE 802.11ad Networks

Daniel Steinmetzer Yimin Yuan Matthias Hollick

PDF BibTeX DOI: 10.1145/3212480.3212499

Abstract
Millimeter-wave (mm-wave) communication systems provide high data-rates and enable emerging application scenarios, such as 'information showers' for location-based services. Devices are equipped with antenna arrays using dozens of elements to achieve high directionality and thus creating a signal beam that focuses only on a specific area-of-interest. This new communication paradigm of steerable links requires a rethinking of wireless networks and calls for efficient protocols to train the beam alignment among network nodes. The IEEE 802.1 lad standard defines the so-called sector sweep that sweeps through a predefined set of antenna-sectors to find the optimal antenna steerings. Such low-layer protocols lack proper security mechanisms and open unprecedented attack possibilities. Distant attackers might tamper with the beam-training and literally 'steal' the beam from other devices. In this work, we investigate the threat of such beam-stealing attacks that intercept the sector sweep. By injecting forged feedback, we force victims to steer their signals towards the attacker's location. We implement a proof-of-concept on commercial off-the-shelf devices and evaluate the impacts on eavesdropping and acting as a Man-in-the-Middle (MITM). Our practical experiments in typical indoor scenarios reveal that beam-stealing increases the eavesdropping performance by 38% and allow a MITM to relay packets with an average error of only 1%. With these results, we emphasize the threat of beam-training attacks on mm-wave networks and aim to raise the awareness of attack vectors that are emerging with new low-layer amendments in next-generation wireless networks.

  2018  Proceedings of the 16th Annual International Conference on Mobile Systems, Applications, and Services Conference

Shadow Wi-Fi: Teaching Smartphones to Transmit Raw Signals and to Extract Channel State Information to Implement Practical Covert Channels over Wi-Fi

Matthias Schulz Jakob Link Francesco Gringoli Matthias Hollick

PDF BibTeX DOI: 10.1145/3210240.3210333

Abstract
Wi-Fi chips offer vast capabilities, which are not accessible through the manufacturers' official firmwares. Unleashing those capabilities can enable innovative applications on off-the-shelf devices. In this work, we demonstrate how to transmit raw IQ samples from a large buffer on Wi-Fi chips. We further show how to extract channel state information (CSI) on a per frame basis. As a proof-of-concept application, we build a covert channel on top of Wi-Fi to stealthily exchange information between two devices by prefiltering Wi-Fi frames prior to transmission. On the receiver side, the CSI is used to extract the embedded information. By means of experimentation, we show that regular Wi-Fi clients can still demodulate the underlying Wi-Fi frames. Our results show that covert channels on the physical layer are practical and run on off-the-shelf smartphones. By making available our raw signal transmitter, the CSI extractor, and the covert channel application to the research community, we ensure reproducibility and offer a platform for further innovative applications on Wi-Fi devices.

  2018  Technische Universität Darmstadt Master's thesis

Analysing and Evaluating Interface, Communication, and Web Security in Productive IoT Ecosystems

Fabian Ullrich

BibTeX

  2018  2018 IEEE International Conference on Communications Workshops (ICC Workshops) Conference

Making Wi-Fi Fit for the Tactile Internet: Low-Latency Wi-Fi Flooding Using Concurrent Transmissions

Francesco Gringoli Robin Klose Matthias Hollick Nahla Ali

BibTeX DOI: 10.1109/ICCW.2018.8403487

Abstract
Real-time human-to-machine and machine-to-machine interactions at the edge of the Internet are the key drivers for research in high-speed and low-latency wireless communication. In order to meet the most stringent latency demands, such interactions should be carried out autonomously by groups of nodes at the edge, potentially resorting to specialized physical layer techniques. While past research has mostly focused on 5G cellular network technology, we assess the feasibility to utilize IEEE 802.11 (Wi-Fi) technology for this purpose. In contrast to existing work on macrodiversity schemes to enhance network capacities, we highlight the potential of macrodiversity to reduce the latency in one-to-many communication scenarios through concurrent network flooding. To this end, we study the practical feasibility of concurrent transmissions with IEEE 802.11, while taking the characteristics of both the DSSS PHY and the OFDM PHY of IEEE 802.11 into account. In particular, we quantify the impact of the limiting factors that impair the decodability of concurrent Wi-Fi transmissions and analyze their combined effects in simulations and practical SDR testbed experiments. In doing so, we also assess the capability of commodity hardware to decode concurrent Wi-Fi transmissions while deliberately introducing signal impairments by tuning the limiting factors. With this, we identify the key parameter limits to enable low-latency flooding at the edge with IEEE 802.11.

  2018  IEEE International Conference on Computer Communications (INFOCOM) Conference

Indoor Localization Using Commercial Off-The-Shelf 60 GHz Access Points

Guillermo Bielsa Joan Palacios Adrian Loch Daniel Steinmetzer Paolo Cesari Joerg Widmer

BibTeX

Abstract
The very large bandwidth available in the 60 GHz band allows, in principle, to design highly accurate positioning systems. Integrating such systems with standard protocols (e.g., IEEE 802.11ad) is crucial for the deployment of location-based services, but it is also challenging and limits the design choices. Another key problem is that consumer-grade 60 GHz hardware only provides coarse channel state information, and has highly irregular beam shapes due to its cost-efficient design. In this paper, we explore the location accuracy that can be achieved using such hardware, without modifying the 802.11ad standard. We consider a typical 802.11ad indoor network with multiple access points (APs). Each AP collects the coarse signal-to-noise ratio of the directional beacons that clients transmit periodically. Given the irregular beam shapes, the challenge is to relate each beacon to a set of transmission angles that allows to triangulate a user. We design a location system based on particle filters along with linear programming and Fourier analysis. We implement and evaluate our algorithm on commercial off-the-shelf 802.11ad hardware in an office scenario with mobile human blockage. Despite the strong limitations of the hardware, our system operates in real-time and achieves sub-meter accuracy in 70% of the cases.

  2018  IEEE INFOCOM 2018 - IEEE Conference on Computer Communications Conference

Optimal Joint Routing and Scheduling in Millimeter-Wave Cellular Networks

Dingwen Yuan Hsuan-Yin Lin Joerg Widmer Matthias Hollick

PDF BibTeX DOI: 10.1109/INFOCOM.2018.8485929

Abstract
Millimeter-wave (mmWave) communication is a promising technology to cope with the expected exponential increase in data traffic in 5G networks. mmWave networks typically require a very dense deployment of mmWave base stations (mmBS). To reduce cost and increase flexibility, wireless backhauling is needed to connect the mmBSs. The characteristics of mmWave communication, and specifically its high directionality, imply new requirements for efficient routing and scheduling paradigms. We propose an efficient scheduling method, so-called schedule-oriented optimization, based on matching theory that optimizes QoS metrics jointly with routing. It is capable of solving any scheduling problem that can be formulated as a linear program whose variables are link times and QoS metrics. As an example of the schedule-oriented optimization, we show the optimal solution of the maximum throughput fair scheduling (MTFS). Practically, the optimal scheduling can be obtained even for networks with over 200 mmBSs. To further increase the runtime performance, we propose an efficient edge-coloring based approximation algorithm with provable performance bound. It achieves over 80% of the optimal max-min throughput and runs 5 to 100 times faster than the optimal algorithm in practice. Finally, we extend the optimal and approximation algorithms for the cases of multi-RF-chain mmBSs and integrated backhaul and access networks.

  2018  Technische Universität Darmstadt Bachelor's thesis

Angriffsanalyse einer TETRA-Basisstation

Sven Neubauer

BibTeX

  2018  PACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) Conference

Anatomy of a Vulnerable Fitness Tracking System: Dissecting the Fitbit Cloud, App, and Firmware

Jiska Classen Daniel Wegemer Paul Patras Tom Spink Matthias Hollick

BibTeX

  2018  Technische Universität Darmstadt Darmstadt PhD thesis

Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements Through Wi-Fi Firmware Modifications

Matthias Schulz

PDF BibTeX

Abstract
Smartphones come with a variety of sensors and communication interfaces, which make them perfect candidates for mobile communication testbeds. Nevertheless, proprietary firmwares hinder us from accessing the full capabilities of the underlying hardware platform which impedes innovation. Focusing on FullMAC Wi-Fi chips, we present Nexmon, a C-based firmware modification framework. It gives access to raw Wi-Fi frames and advanced capabilities that we found by reverse engineering chips and their firmware. As firmware modifications pose security risks, we discuss how to secure firmware handling without impeding experimentation on Wi-Fi chips. To present and evaluate our findings in the field, we developed the following applications. We start by presenting a ping-offloading application that handles ping requests in the firmware instead of the operating system. It significantly reduces energy consumption and processing delays. Then, we present a software-defined wireless networking application that enhances scalable video streaming by setting flow-based requirements on physical-layer parameters. As security application, we present a reactive Wi-Fi jammer that analyses incoming frames during reception and transmits arbitrary jamming waveforms by operating Wi-Fi chips as software-defined radios (SDRs). We further introduce an acknowledging jammer to ensure the flow of non-targeted frames and an adaptive power-control jammer to adjust transmission powers based on measured jamming successes. Additionally, we discovered how to extract channel state information (CSI) on a per-frame basis. Using both SDR and CSI-extraction capabilities, we present a physical-layer covert channel. It hides covert symbols in phase changes of selected OFDM subcarriers. Those manipulations can be extracted from CSI measurements at a receiver. To ease the analysis of firmware binaries, we created a debugging application that supports single stepping and runs as firmware patch on the Wi-Fi chip. We published the source code of our framework and our applications to ensure reproducibility of our results and to enable other researchers to extend our work. Our framework and the applications emphasize the need for freely modifiable firmware and detailed hardware documentation to create novel and exciting applications on commercial off-the-shelf devices.

  2018   Tagung Software Engineering (SE) des Fachbereichs Softwaretechnik der Gesellschaft für Informatik Conference

A systematic approach to constructing families of incremental topology control algorithms using graph transformation

Roland Kluge Michael Stein Gergely Varró Andy Schürr Matthias Hollick Max Mühlhäuser

PDF BibTeX

Abstract
In this talk, we present results on integrating support for variability modeling into a correct-by-construction development methodology for topology control algorithms, as appeared online in the Software & Systems Modeling journal in 2017. A topology control algorithm reduces the size of the visible neighborhood of a node in a wireless communication network. At the same time, it must fulfill important consistency properties to ensure a high quality of service. In previous work, we proposed a constructive, model-driven methodology for designing individual topology control algorithms based on declarative graph constraints and graph transformation rules; the resulting algorithms are guaranteed to preserve the specified properties. Even though many topology control algorithms share substantial (structural) parts, few works leverage these commonalities at design time. In this work, we generalize our proposed construction methodology by modeling variability points to support the construction of families of algorithms. We show the applicability of our approach by reengineering six existing topology control algorithms and developing e-kTC, a novel energy-efficient variant of the topology control algorithm kTC. Finally, we evaluate a subset of the algorithms using a novel integration of a wireless network simulator and a graph transformation tool.

  2018  6th IEEE Conference on Communications and Network Security (CNS 2018) Conference

ACE of Spades in the IoT Security Game: A Flexible IPsec Security Profile for Access Control

Santiago Aragon Marco Tiloca Max Maass Matthias Hollick Shahid Raza

BibTeX DOI: 10.1109/CNS.2018.8433209

Abstract
The Authentication and Authorization for Constrained Environments (ACE) framework provides fine-grained access control in the Internet of Things, where devices are resource-constrained and with limited connectivity. The ACE framework defines separate profiles to specify how exactly entities interact and what security and communication protocols to use. This paper presents the novel ACE IPsec profile, which specifies how a client establishes a secure IPsec channel with a resource server, contextually using the ACE framework to enforce authorized access to remote resources. The profile makes it possible to establish IPsec Security Associations, either through their direct provisioning or through the standard IKEv2 protocol. We provide the first Open Source implementation of the ACE IPsec profile for the Contiki OS and test it on the resource-constrained Zolertia Firefly platform. Our experimental performance evaluation confirms that the IPsec profile and its operating modes are affordable and deployable also on constrained IoT platforms.

  2017  CoNEXT ’17: The 13th International Conference on emerging Networking EXperiments and Technologies Conference

Compressive Millimeter-Wave Sector Selection in Off-the-Shelf IEEE 802.11ad Devices

Daniel Steinmetzer Daniel Wegemer Matthias Schulz Jörg Widmer Matthias Hollick

BibTeX DOI: 10.1145/3143361.3143384

Abstract
Achieving data-rates of multiple Gbps in 60 GHz mm-wave communication systems requires efficient beam-steering algorithms. To find the optimal steering direction on IEEE 802.11ad compatible devices, state-of-the-art approaches sweep through all predefined antenna sectors. Recently, much more efficient alternatives, such as compressive path tracking, have been proposed, which scale well even with arrays with thousands of antenna elements. However, such have not yet been integrated into consumer devices. In this work, we adapt compressive path tracking for sector selection in off-the-shelf IEEE 802.11ad devices. In contrast to existing solutions, our compressive sector selection tolerates the imperfections of low-cost hardware, tracks beam directions in 3D and does not rely on pseudo-random beams. We implement our protocol on a commodity router, the TP-Link Talon AD7200, by modifying the sector sweep algorithm in the IEEE 802.11ad chip's firmware. In particular, we modify the firmware to obtain the signal strength of received frames and to select custom sectors. Using this extension, we precisely measure the device's sector patterns. We then select the best sector based on the measured patterns and sweep only through a subset of probing sectors. Our results demonstrate, that our protocol outperforms the existing sector sweep, increases stability, and speeds up the sector selection by factor 2.3.

  2017  IEEE GLOBECOM Conference

Temporal Coverage Analysis of Router-based Cloudlets Using Human Mobility Patterns

Christian Meurisch Julien Gedeon Artur Gogel The An Binh Nguyen Fabian Kaup Florian Kohnhäuser Lars Baumgärtner Milan Schmittner Max Mühlhäuser

BibTeX

  2017  Technische Universität Darmstadt Darmstadt Master's thesis

Detecting WiFi Covert Channels

Serafettin Ay

BibTeX

  2017  Technische Universität Darmstadt Darmstadt Master's thesis

mproving a Linux Device Driver for Visible Light Communication

Ahmed Muneeb

BibTeX

  2017  Technische Universität Darmstadt Darmstadt Master's thesis

Investigating Practical Man-in-the-middle Network Attacks on IEEE 802.11ad

Yimin Yuan

BibTeX

  2017  42nd Annual IEEE Conference on Local Computer Networks (LCN 2017) Conference

Unsupervised Traffic Flow Classification Using a Neural Autoencoder

Jonas Höchst Matthias Hollick Bernd Freisleben Lars Baumgärtner

BibTeX

Abstract
The delay and bandwidth requirements of today's mobile applications differ widely depending on the functionality provided and the data transferred, such as uploading user generated multimedia content, playing online games, or streaming live videos. To perform resource management, mobile wireless networks can particularly profit from classifying and predicting mobile application traffic. State-of-the-art traffic classification approaches have various disadvantages: port-based classification methods can be circumvented by choosing non-standard ports, protocol fingerprinting can be confused by the use of encryption, and current supervised learning methods for analyzing the statistical properties of network flows try to detect predefined classes, such as e-mail or FTP traffic, learned during training. In this paper, we present a novel approach to unsupervised traffic flow classification using statistical properties of flows and clustering based on a neural autoencoder. In contrast to previous work, the neural autoencoder is used to automatically cluster traffic flows, for example, into downloads, uploads, or voice calls, independent of the particular network protocols, such as FTP or HTTP(S), used for performing these tasks. A novel time interval based feature vector construction and a semi-automatic cluster labeling method facilitate traffic flow classification independent of known traffic classes or classification constraints. An experimental evaluation of the proposed approach on real data captured from about 25 mobile devices performing daily work over a period of 4 months is presented. The obtained results show that 7 different classes of mobile traffic flows are detected with an average precision of 80% and an average recall of 75%, indicating the feasibility of our approach.

  2017  Technische Universität Darmstadt Darmstadt Bachelor's thesis

Implementation of a physical layer for visible light communication using the OpenVLC platform

Tim Kornhuber

BibTeX

  2017  IEEE Conference on Local Computer Networks (LCN) Conference

SEDCOS: A Secure Device-to-Device Communication System for Disaster Scenarios

Florian Kohnhäuser Milan Stute Lars Baumgärtner Lars Almon Stefan Katzenbeisser Matthias Hollick Bernd Freisleben

BibTeX

  2017  1st ACM Workshop on Millimeter Wave Networks and Sensing Systems (mmNets 2017) Conference

Mitigating Lateral Interference: Adaptive Beam Switching for Robust Millimeter-Wave Networks

Daniel Steinmetzer Adrian Loch Amanda García-García Jörg Widmer Matthias Hollick

BibTeX DOI: 10.1145/3130242.3130244

Abstract
Putting into practice 'pseudo-wire' links in wireless millimeter-wave (mm-wave) networks is challenging due to the significant side lobes of consumer-grade phased antenna arrays. Nodes should steer their beams such that they maximize the signal gain but also minimize interference from lateral directions via both their main lobe and their side lobes. Most importantly, interference can be caused by parallel operation of incompatible standards such as WiGig and IEEE 802.11ad and may change very fast. This timing requirement, prevents the use of existing beam switching solutions to mitigate interference. In this paper, we present an adaptive beam switching (ABS) mechanism that can deal with the above timescale issue in rapidly changing interference scenarios. Instead of performing a full beam sweep, the key idea is to only probe beampatterns at the receiver which are likely to avoid interference. In contrast to earlier work, our mechanism does not require any location information nor a detailed shape of the beampatterns. We exploit similarities among side lobes of beampatterns to estimate the performance of all beampatterns without sending extensive probes. To evaluate our mechanism in practice, we develop a customized research platform that allows us to control the beam-selection on low-cost IEEE 802.11ad routers. Experimental results with WiGig transceivers as interference source show that our adaptive beam switching mechanism achieves an average throughput gain of 60% and decreases the training time by 82.4% compared to the original IEEE 802.11ad behavior.

  2017  Technische Universität Darmstadt Darmstadt Master's thesis

Design and evaluation of a hybrid SDR testbed for visible light communication and Wi-Fi

Richard Meister

BibTeX

  2017  Technische Universität Darmstadt Darmstadt Bachelor's thesis

Implementierung des unteren MAC-Layers für die OpenVLC-Hardware

Michael Kümpel

BibTeX

  2017  IEEE Global Humanitarian Technology Conference (GHTC) Conference

A Practical and Secure Social Media Facility for Internet-Deprived Populations

Jeremy Lakeman Matthew Lloyd Romana Challans Angus Wallace Paul Gardner-Stephen Milan Stute Matthias Hollick

BibTeX

  2017  11th Workshop on Wireless Network Testbeds, Experimental Evaluation & CHaracterization Conference

Nexmon: Build Your Own Wi-Fi Testbeds With Low-Level MAC and PHY-Access Using Firmware Patches on Off-the-Shelf Mobile Devices

Matthias Schulz Daniel Wegemer Matthias Hollick

PDF BibTeX

Abstract
The most widespread Wi-Fi enabled devices are smartphones. They are mobile, close to people and available in large quantities, which makes them perfect candidates for real-world wireless testbeds. Unfortunately, most smartphones contain closed-source FullMAC Wi-Fi chips that hinder the modification of lower-layer Wi-Fi mechanisms and the implementation of new algorithms. To enable researchers' access to lower-layer frame processing and advanced physical-layer functionalities on Broadcom Wi-Fi chips, we developed the Nexmon firmware patching framework. It allows users to create firmware modifications for embedded ARM processors using C code and to change the behavior of Broadcom's real-time processor using Assembly. Currently, our framework supports five Broadcom chips available in smartphones and Raspberry Pis. Our example patches enable monitor mode, frame injection, handling of ioctls, ucode compression and flashpatches. In a simple ping offloading example, we demonstrate how handling pings in firmware reduces power consumption by up to 165 mW and is nine times faster than in the kernel on a Nexus 5. Using Nexmon, researchers can unleash the full capabilities of off-the-shelf Wi-Fi devices.

  2017  Technische Universität Darmstadt Darmstadt PhD thesis

Utilizing Advanced Network Context to Optimize Software-Defined Networks

Marc Werner

PDF BibTeX

Abstract
Legacy network systems and protocols are mostly static and keep state information in silo-style storage, thus making state migration, transformation and re-use difficult. Software-Defined Network (SDN) approaches in unison with Network Function Virtualization (NFV) allow for more flexibility, yet they are currently restricted to a limited set of state migration options. Additionally, existing systems and protocols are mostly tailored to meet the requirements of specific application scenarios. As a result, the protocols cannot easily be adapted to novel application demands, organically growing networks, etc. Impeding the sharing of networking and system state, along with lacking support for dynamic transitions between systems and protocols, severely limits the ability to optimally manage resources and dynamically adapt to a desirable overall configuration. These limitations not only affect the network performance but also hinder the deployment of new and innovative protocols as a hard break is usually not feasible and thus full support for legacy systems is required. On the one hand, we propose a generalized way to collect, store, transform, and share context between systems and protocols in both the legacy Internet as well as NFV/SDN-driven networks. This allows us to share state information between multiple systems and protocols from NFs over BGP routers to protocols on all layers of the network stack. On the other hand, we introduce an architecture for designing modular protocols that are built with transition in mind. We argue that the modular design of systems and protocols can remove the key limitations of today’s monolithic protocols and allow for a more dynamic network management. First, we design and implement a Storage and Transformation Engine for Advanced Net- working context (STEAN) which constitutes a shared context storage, making network state information available to other systems and protocols. Its pivotal feature is the ability to allow for state transformation as well as for persisting state to enable future re-use. Second, we provide a Blueprint for Switching Between Mechanisms that serves as a framework and guideline for developers to standardize and ease the process of designing and implementing systems and protocols that support transitions as a first order principle. By means of experimentation, we show that our architecture covers a diverse set of challenging use cases in legacy systems—such as Wireless Multihop Networks (WMNs)—as well as in NFV/SDN-enabled systems. In particular, we demonstrate the feasibility of our approach by migrating state information between two instances of the PRADS NF in a virtualized Mininet environment, and show that our solution outperforms state of the art frameworks that are specifically built for NF migration. We further demonstrate that a dynamic switch between WMN routing protocols is possible at runtime and that the state information can be reutilized for bootstrapping novel protocol modules, thus minimizing the control overhead.

  2017  MetaRheinMainChaosDays - Bundesdatenschau (MRMCD 2017) Conference

Web-Privacy: Lustwandeln im Trackergarten

Max Maass

PDF BibTeX

  2017   Jahrestagung der Gesellschaft für Informatik (INFORMATIK 2017) Conference

PrivacyScore: Analyse von Webseiten auf Sicherheits- und Privatheitsprobleme - Konzept und rechtliche Zulässigkeit

Max Maass Anne Laubach Dominik Herrmann

BibTeX DOI: 10.18420/in2017_107

Abstract
PrivacyScore ist ein öffentliches Web-Portal, mit dem automatisiert überprüft werden kann, ob Webseiten gängige Mechanismen zum Schutz von Sicherheit und Privatheit korrekt implementieren. Im Gegensatz zu existierenden Diensten ermöglicht PrivacyScore, mehrere Webseiten in Benchmarks miteinander zu vergleichen, die Ergebnisse differenziert und im Zeitverlauf zu analysieren sowie nutzerdefinierte Kriterien für die Auswertung zu definieren. PrivacyScore verbessert dadurch nicht nur die Transparenz für Endanwender, sondern erleichtert auch die Arbeit der Datenschutz-Aufsichtsbehörden. In diesem Beitrag stellen wir das Konzept des Dienstes vor und wir erörtern, unter welchen Umständen das automatische Scannen und öffentliche „Anprangern“ von Schwächen aus rechtlicher Sicht zulässig ist.

  2017  IEEE Communications Surveys & Tutorials Article

Survey and Systematization of Secure Device Pairing

Mikhail Fomichev Flor Álvarez Daniel Steinmetzer Paul Gardner-Stephen Matthias Hollick

BibTeX DOI: 10.1109/COMST.2017.2748278

Abstract
Secure Device Pairing (SDP) schemes have been developed to facilitate secure communications among smart devices, both personal mobile devices and Internet of Things (IoT) devices. Comparison and assessment of SDP schemes is troublesome, because each scheme makes different assumptions about out-of-band channels and adversary models, and are driven by their particular use-cases. A conceptual model that facilitates meaningful comparison among SDP schemes is missing. We provide such a model. In this article, we survey and analyze a wide range of SDP schemes that are described in the literature, including a number that have been adopted as standards. A system model and consistent terminology for SDP schemes are built on the foundation of this survey, which are then used to classify existing SDP schemes into a taxonomy that, for the first time, enables their meaningful comparison and analysis. The existing SDP schemes are analyzed using this model, revealing common systemic security weaknesses among the surveyed SDP schemes that should become priority areas for future SDP research, such as improving the integration of privacy requirements into the design of SDP schemes. Our results allow SDP scheme designers to create schemes that are more easily comparable with one another, and to assist the prevention of persisting the weaknesses common to the current generation of SDP schemes.

  2017  International Conference on Computer Communications and Networks (ICCCN'17): Posters Conference

Upgrading Wireless Home Routers as Emergency Cloudlet and Secure DTN Communication Bridge

Christian Meurisch The An Binh Nguyen Julien Gedeon Florian Kohnhäuser Milan Schmittner Stefan Niemczyk Stefan Wullkotte Max Mühlhäuser

BibTeX

  2017  10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2017) Conference

Massive reactive smartphone-based jamming using arbitrary waveforms and adaptive power control

Matthias Schulz Francesco Gringoli Michael Koch Daniel Steinmetzer Matthias Hollick

PDF BibTeX DOI: 10.1145/3098243.3098253

Abstract
It is not commonly known that off-the-shelf smartphones can be converted into versatile jammers. To understand how those jammers work and how well they perform, we implemented a jamming firmware for the Nexus 5 smartphone. The firmware runs on the real-time processor of the Wi-Fi chip and allows to reactively jam Wi-Fi networks in the 2.4 and 5 GHz bands using arbitrary waveforms stored in IQ sample buffers. This allows us to generate a pilot-tone jammer on off-the-shelf hardware. Besides a simple reactive jammer, we implemented a new acknowledging jammer that selectively jams only targeted data streams of a node while keeping other data streams of the same node flowing. To lower the increased power consumption of this jammer, we implemented an adaptive power control algorithm. We evaluated our implementations in friendly jamming scenarios to oppress non-compliant Wi-Fi transmissions and to protect otherwise vulnerable devices in industrial setups. Our results show that we can selectively hinder Wi-Fi transmissions in the vicinity of our jamming smartphone leading to an increased throughput for other nodes or no blockage of non-targeted streams on a jammed node. Consuming less than 300 mW when operating the reactive jammer allows mobile operation for more than 29 hours. Our implementation demonstrates that jamming communications was never that simple and available for every smartphone owner, while still allowing surgical jamming precision and energy efficiency. Nevertheless, it involves the danger of abuse by malicious attackers that may take over hundreds of devices to massively jam Wi-Fi networks in wide areas.

  2017  Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2017) Conference

DEMO: Demonstrating Reactive Smartphone-Based Jamming

Matthias Schulz Matthias Hollick Francesco Gringoli Efstathios Deligeorgopoulos

BibTeX DOI: 10.1145/3098243.3106022

Abstract
Reactive Wi-Fi jammers on off-the-shelf hardware that may facilitate mobile friendly jamming applications have only been shown recently. Until now, no demonstrators existed to reproduce the results obtained with these systems, hence, inhibiting re-use for further research or educational applications. In this work, we present an Android app that allows to create advanced jamming scenarios with four Nexus 5 smartphones. We use two of them to inject Wi-Fi frames with UDP payload, one to receive frames and analyze if they were corrupted and one that acts as a reactive jammer that selectively jams according to a UDP port. The user can choose between a simple reactive jammer and an acknowledging jammer. All jammers are implemented as Wi-Fi firmware patches by using the Nexmon framework. During the demonstration, users may adjust parameters of transmitted frames and observe the throughputs of correct and corrupted frames as bar graphs at the receiver. At the jamming node, users may design an arbitrary jamming signal in the frequency domain and adjust the jamming power, the target UDP port and the jammer type. The MAC addresses used during the experiments are hard coded to hinder users from simply abusing the app in other setups. Overall, the demonstration proofs that highly sophisticated Wi-Fi jammers can run on smartphones.

  2017  5th Annual Privacy Forum (APF 2017) Conference

PrivacyScore: Improving Privacy and Security via Crowd-Sourced Benchmarks of Websites

Max Maass Pascal Wichmann Henning Pridöhl Dominik Herrmann

BibTeX DOI: 10.1007/978-3-319-67280-9_10

Abstract
Website owners make conscious and unconscious decisions that affect their users, potentially exposing them to privacy and security risks in the process. In this paper we introduce PrivacyScore, an automated website scanning portal that allows anyone to benchmark security and privacy features of multiple websites. In contrast to existing projects, the checks implemented in PrivacyScore cover a wider range of potential privacy and security issues. Furthermore, users can control the ranking and analysis methodology. Therefore, PrivacyScore can also be used by data protection authorities to perform regularly scheduled compliance checks. In the long term we hope that the transparency resulting from the published benchmarks creates an incentive for website owners to improve their sites. We plan to announce the public availability of a first version of PrivacyScore at the Annual Privacy Forum in June 2017

  2017  Pervasive and Mobile Computing Article

Instrumenting Wireless Sensor Networks : A Survey on the Metrics That Matter

Dingwen Yuan Salil S. Kanhere Matthias Hollick

PDF BibTeX DOI: 10.1016/j.pmcj.2016.10.001

Abstract
Wireless Sensor Networks (WSN) are part of the technical fundament enabling the Internet of Things (IoT), where sensing and actuator nodes instantaneously interact with the environment at large. As such they become part of everyday life and drive applications as diverse as medical monitoring, smart homes, smart environment, and smart factories, to name but a few. To acquire data, individual sensors interact with the physical environment by sensing physical phenomena in proximity. The wireless network connectivity is leveraged to collect the raw data or pre-processed events, and to disseminate code, queries or commands. Actuating capabilities facilitate instant interactions with the environment or application processes. Experience on how to operate large scale heterogeneous WSNs in (critical) real-world applications is still scarce, and operational considerations are often an afterthought to WSN deployment. A principled look into the metrics, i.e., a standard or best practice of measurement of the vital parameters in WSNs is still missing. In this article, we contribute a survey on the most important metrics to characterize the performance of WSNs. We define an abstract system model for WSNs, take a look on what the WSN community considers metrics that matter, and categorize the metrics into scopes of relevance. We discuss the properties of the metrics as well as practical aspects on how to obtain and process them. Our survey can serve as a manual for implementors and operators of WSNs in the IoT.

  2017  20th ACM International Conference on Modeling, Analysis and Simulation of Wireless and Mobile Systems Conference

Reverse Engineering Human Mobility in Large-scale Natural Disasters

Milan Stute Max Maass Tom Schons Matthias Hollick

BibTeX DOI: 10.1145/3127540.3127542

Abstract
Delay/Disruption-Tolerant Networks (DTNs) have been around for more than a decade and have especially been proposed to be used in scenarios where communication infrastructure is unavailable. In such scenarios, DTNs can offer a best-effort communication service by exploiting user mobility. Natural disasters are an important application scenario for DTNs when the cellular network is destroyed by natural forces. To assess the performance of such networks before deployment, we require appropriate knowledge of human mobility. In this paper, we address this problem by designing, implementing, and evaluating a novel mobility model for large-scale natural disasters. Due to the lack of GPS traces, we reverse-engineer human mobility of past natural disasters (focusing on 2010 Haiti earthquake and 2013 Typhoon Haiyan) by leveraging knowledge of 126 experts from 71 Disaster Response Organizations (DROs). By means of simulation-based experiments, we compare and contrast our mobility model to other well-known models, and evaluate their impact on DTN performance. Finally, we make our source code available to the public.

  2017  2017 IEEE 42nd Conference on Local Computer Networks (LCN) Conference

Lightweight Detection of Denial-of-Service Attacks on Wireless Sensor Networks Revisited

Michael Riecker Lars Almon Matthias Hollick

PDF BibTeX DOI: 10.1109/LCN.2017.110

Abstract
The resource-constrained nature of sensor nodes makes wireless sensor networks (WSNs) especially susceptible to denial-of-service (DoS) attacks. Due to the wireless communication medium, it is difficult to prevent attacks such as jamming. Hence, mechanisms to detect attacks during operation are required. The current generation of intrusion detection systems are still rather heavyweight, as some form of collaboration is typically needed. In this paper, we study the behavior of a large number of node-centric metrics under jamming and blackhole attacks, by applying a logistic regression. In our experiments, we vary several parameters, such as traffic intensity, transmission power, and attacker location. We consider the most common topologies in wireless sensor networks such as central data collection and meshed multi-hop networks by using the collection tree and the mesh protocol. The created regression models are then used to implement a fully localized intrusion detection system requiring no collaboration, showing that certain models can be generalized to different networks.

  2017  2017 IEEE Global Humanitarian Technology Conference Conference

Emergency Communication in Challenged Environments via Unmanned Ground and Aerial Vehicles

Lars Baumgärtner Stefan Kohlbrecher Juliane Euler Tobias Ritter Milan Stute Christian Meurisch Max Mühlhäuser Matthias Hollick Oskar von Stryk Bernd Freisleben

BibTeX DOI: 10.1109/GHTC.2017.8239244

Abstract
Unmanned ground vehicles (UGVs) and unmanned aerial vehicles (UAVs) are promising assets to support rescue operations in natural or man-made disasters. Most UGVs and UAVs deployed in the field today depend on human operators and reliable network connections to the vehicles. However, network connections in challenged environments are often lost, thus control can no longer be exercised. In this paper, we present a novel approach to emergency communication where semi-autonomous UGVs and UAVs cooperate with humans to dynamically form communication islands and establish communication bridges between these islands. Humans typically form an island with their mobile devices if they are in physical proximity; UGVs and UAVs extend an island's range by carrying data to a neighboring island. The proposed approach uses delay/disruption-tolerant networking for non-time critical tasks and direct mesh connections for prioritized tasks that require real-time feedback. The developed communication platform runs on rescue robots, commodity mobile devices, and various drones, and supports our operations and control center software for disaster management.

  2017  9th International Conference on Communication Systems & Networks Conference

mm-Broker: Managing Directionality and Mobility Issues of Millimeter-Wave via D2D Communication

Gek Hong Sim Arash Asadi Adrian Loch Matthias Hollick Jörg Widmer

BibTeX

  2017  2017 IEEE Symposium on Computers and Communications (ISCC) Conference

Dynamic Role Assignment in Software-Defined Wireless Networks

Pablo Graubner Markus Sommer Matthias Hollick Bernd Freisleben

PDF BibTeX DOI: 10.1109/ISCC.2017.8024619

Abstract
Software-defined networking paradigms have found their way into wireless edge networks, allowing network slicing, mobility management, and resource allocation. This paper presents dynamic role assignment as a novel approach to software-defined network topology management for wireless edge devices, such as laptops, tablets and smartphones. It combines the centralized control of wireless Network Interface Controller (NIC) modes with Network Function Virtualization (NFV) to integrate network topology transitions as well as network service and application service placement within a single mechanism. Our proposal is evaluated with respect to latency, bandwidth, and power consumption of the edge nodes. The experimental results show significant differences in both bandwidth (up to 18%) and power consumption (up to 15%) for playing different roles, and when using (a) a web proxy and (b) an intrusion prevention system as examples of application services.

  2016  41st Conference on Local Computer Networks (IEEE LCN, Demo Track) Conference

Panopticon: Supervising Network Testbed Resources

M. Werner D. Kratschmann Matthias Hollick

BibTeX

  2016  Proceedings 6th IEEE Global Humanitarian Technology Conference (GHTC) Conference

Maintaining both availability and integrity of communications: Challenges and guidelines for data security and privacy during disasters and crises

Flor Álvarez Paul Gardner-Stephen Matthias Hollick

PDF BibTeX DOI: 10.1109/GHTC.2016.7857261

Abstract
Communications play a vital role in the response to disasters and crises. However, existing communications infrastructure is often impaired, destroyed or overwhelmed during such events. This leads to the use of substitute communications solutions including analog two-way radio or unsecured internet access. Often provided by unknown third parties, these solutions may have less sophisticated security characteristics than is desirable. While substitute communications are often invaluable, care is required to minimize the risk to NGOs and individuals stemming from the use of communications channels with reduced or unknown security properties. This is particularly true if private information is involved, including the location and disposition of individuals and first responders. In this work we enumerate the principal risks and challenges that may arise, and provide practical guidelines for mitigating them during crises. We take plausible threats from contemporary disaster and crisis events into account and discuss the security and privacy features of state-of-the-art communications mechanisms.

  2016  6th Workshop on Security and Privacy in Smartphones and Mobile Devices Conference

Analyzing TETRA Location Privacy and Network Availability

Martin Pfeiffer Jan-Pascal Kwiotek Jiska Classen Robin Klose Matthias Hollick

PDF BibTeX DOI: 10.1145/2994459.2994463

Abstract
TETRA is a digital communication standard taking over from analog communication in various emergency services and governmental agencies in Europe since the late 1990s. TETRA has to meet stringent requirements for a dependable communication infrastructure as it is used in the public safety sector by professional users and first responders. In fact, TETRA is claimed to enhance resilience, security, and availability compared to former analog communication standards. In this paper, we demonstrate that TETRA's location privacy and dependability can easily be undermined and weakened. In particular, TETRA devices can be localized by means of antenna arrays and direction finding techniques on the physical layer. Further, we practically evaluate the impact of various jamming and fuzzing attacks on two commonly used devices. The digital standard even raises new attack vectors, since regular beaconing enables localization of idle devices, and forged frames can provably crash devices.

  2016  17th International Symposium on A World of Wireless, Mobile and Multimedia Networks Conference

Tie-breaking Can Maximize Fairness without Sacrificing Throughput in D2D-assisted Networks

Vincenzo Mancuso Arash Asadi Peter Jacko

BibTeX DOI: 10.1109/WoWMoM.2016.7523498

  2016  Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec 2016) Conference

DEMO: Using NexMon, the C-based WiFi firmware modification framework

Matthias Schulz Daniel Wegemer Matthias Hollick

BibTeX DOI: 10.1145/2939918.2942419

Abstract
FullMAC WiFi chips have the potential to realize modifications to WiFi implementations that exceed the limits of current standards or to realize the implementation of new standards, such as 802.11p, on off-the-shelve hardware. As a developer, one, however, needs access to the firmware source code to implement these modifications. In general, WiFi firmwares are closed source and do not allow any modifications. With our C-based programming framework, NexMon, we allow the extension of existing firmware of Broadcom's FullMAC WiFi chips. In this work, we demonstrate how to get started by running existing example projects and by creating a new project to transmit arbitrary frames with a Nexus 5 smartphone.

  2016  Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec 2016) Conference

Profiling the Strength of Physical-Layer Security: A Study in Orthogonal Blinding

Yao Zheng Matthias Schulz Wenjing Lou Thomas Hou Matthias Hollick

BibTeX DOI: 10.1145/2939918.2939933

Abstract
Physical layer security for wireless communication is broadly considered as a promising approach to protect data confidentiality against eavesdroppers. However, despite its ample theoretical foundation, the transition to practical implementations of physical-layer security still lacks success. A close inspection of proven vulnerable physical-layer security designs reveals that the flaws are usually overlooked when the scheme is only evaluated against an inferior, single-antenna eavesdropper. Meanwhile, the attacks exposing vulnerabilities often lack theoretical justification. To reduce the gap between theory and practice, we posit that a physical-layer security scheme must be studied under multiple adversarial models to fully grasp its security strength. In this regard, we evaluate a specific physical-layer security scheme, i.e. orthogonal blinding, under multiple eavesdropper settings. We further propose a practical "ciphertext-only attack" that allows eavesdroppers to recover the original message by exploiting the low entropy fields in wireless packets. By means of simulation, we are able to reduce the symbol error rate at an eavesdropper below 1% using only the eavesdropper's receiving data and a general knowledge about the format of the wireless packets.

  2016  Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec 2016) Conference

DEMO: Demonstrating Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Matthias Schulz Adrian Loch Matthias Hollick

BibTeX DOI: 10.1145/2939918.2942418

Abstract
After being widely studied in theory, physical layer security schemes are getting closer to enter the consumer market. Still, a thorough practical analysis of their resilience against attacks is missing. In this work, we use software-defined radios to implement such a physical layer security scheme, namely, orthogonal blinding. To this end, we use orthogonal frequency-division multiplexing (OFDM) as a physical layer, similarly to WiFi. In orthogonal blinding, a multi-antenna transmitter overlays the data it transmits with noise in such a way that every node except the intended receiver is disturbed by the noise. Still, our known-plaintext attack can extract the data signal at an eavesdropper by means of an adaptive filter trained using a few known data symbols. Our demonstrator illustrates the iterative training process at the symbol level, thus showing the practicability of the attack.

  2016  IEEE Transactions on Information Forensics and Security Article

On the Privacy and Performance of Mobile Anonymous Microblogging

Marius Senftleben Ana Barroso Mihai Bucicoiu Matthias Hollick Stefan Katzenbeisser Erik Tews

BibTeX DOI: 10.1109/TIFS.2016.2541633

Abstract
Microblogging is a popular form of online social networking activity. It allows users to send messages in a one-to-many publish-subscribe manner. Most current service providers are centralized and deploy a client-server model with unencrypted message content. As a consequence, all user behavior can, by default, be monitored, and censoring based on message content can easily be enforced on the server side. A distributed, peer-to-peer microblogging system consisting of mobile smartphone-equipped users that exchange group encrypted messages in an anonymous and censorship-resistant manner can alleviate privacy and censorship issues. We experimentally evaluate message spread of such systems with simulations that run on a range of synthetic and real-world mobility inputs, thus extending the previous work. We show that such systems are feasible for a range of mobility and network settings, both under normal and under adversarial conditions, e.g., under the presence of nodes which jam the network or send spam.

  2016  Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec 2016) Conference

Trust The Wire, They Always Told Me!: On Practical Non-Destructive Wire-Tap Attacks Against Ethernet

Matthias Schulz Patrick Klapper Matthias Hollick Erik Tews

BibTeX DOI: 10.1145/2939918.2940650

Abstract
Ethernet technology dominates enterprise and home network installations and is present in datacenters as well as parts of the backbone of the Internet. Due to its wireline nature, Ethernet networks are often assumed to intrinsically protect the exchanged data against attacks carried out by eavesdroppers and malicious attackers that do not have physical access to network devices, patch panels and network outlets. In this work, we practically evaluate the possibility of wireless attacks against wired Ethernet installations with respect to resistance against eavesdropping by using off-the-shelf software-defined radio platforms. Our results clearly indicate that twisted-pair network cables radiate enough electromagnetic waves to reconstruct transmitted frames with negligible bit error rates, even when the cables are not damaged at all. Since this allows an attacker to stay undetected, it urges the need for link layer encryption or physical layer security to protect confidentiality.

  2016  ACM Conference on Security and Privacy in Wireless and Mobile Networks 2016 (ACM WiSec'16) Conference

Far Away and Yet Nearby - A Framework for Practical Distance Fraud on Proximity Services for Mobile Devices (Demo)

Tobias Schultes Markus Grau Daniel Steinmetzer Matthias Hollick

BibTeX

  2016  IEEE Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM) Conference

Xcastor: Secure and Scalable Group Communication in Ad Hoc Networks

Milan Schmittner Matthias Hollick

BibTeX

Abstract
Mobile ad hoc networks (MANETs) are emerging as a practical technology for emergency response communication in the case a centralized infrastructure malfunctions or is not available. Using smartphones as communication devices, MANETs may be readily established among the civilian population of affected areas. Beneficiaries would be civilian first responders, which may form small collaborating groups. Communication in such groups must be reliable for disaster response to be effective. In this paper, we address the issue of reliable group communication on the network layer. We design and implement the first secure explicit multicast routing protocol called Xcastor, in which we extend the secure and scalable routing concept of the Castor unicast routing protocol towards supporting reliable communication for large numbers of small groups. By simulation, we show significant performance improvements over Castor.

  2016  IFIP Networking Conference (IFIP Networking) Conference

STEAN: A Storage and Transformation Engine for Advanced Networking Context

Marc Werner Johannes Schwandke Matthias Hollick Oliver Hohlfeld Torsten Zimmermann Klaus Wehrle

BibTeX DOI: 10.1109/IFIPNetworking.2016.7497203

Abstract
Legacy Internet systems and protocols are mostly static and keep state information in silo-style storage, thus making state migration, transformation and re-use difficult. Software Defined Networking (SDN) approaches in unison with Network Functions Virtualization (NFV) allow for more flexibility, yet they are currently restricted to a limited set of state migration options. Impeding the sharing of networking and system state severely limits the ability to optimally manage resources and dynamically adapt to a desirable overall configuration. We propose a generalized way to collect, store, transform, and share context between NFs in both the legacy Internet and NFV/SDN-driven systems. To this end, we design and implement a Storage and Transformation Engine for Advanced Networking Context (STEAN), which constitutes a shared context storage, making network state information available to other systems and protocols. Its pivotal feature is the ability to allow for state transformation as well as for persisting state to enable future re-use. By means of experimentation, we show that STEAN covers a diverse set of challenging use cases in legacy systems as well as in NFV/SDN-enabled systems.

  2016  Technische Universität Darmstadt Darmstadt Master's thesis

A System for Privacy-Preserving Mobile Health and Fitness Data Sharing: Design, Implementation and Evaluation

Max Maass

PDF BibTeX

Abstract
The growing spread of smartphones and other mobile devices has given rise to a number of health and fitness applications. Users can track their calorie intake, get reminders to take their medication, and track their fitness workouts. Many of these services have social components, allowing users to find like-minded peers, compete with their friends, or participate in open challenges. However, the prevalent service model forces users to disclose all of their data to the service provider. This may include sensitive information, like their current position or medical conditions. In this thesis, we will design, implement and evaluate a privacy-preserving fitness data sharing system. The system provides privacy not only towards other users, but also against the service provider, does not require any Trusted Third Parties (TTPs), and is backed by strong cryptography. Additionally, it hides the communication metadata (i.e. who is sharing data with whom). We evaluate the security of the system with empirical and formal methods, including formal proofs for parts of the system. We also investigate the performance with empirical data and a simulation of a large-scale deployment. Our results show that the system can provide strong privacy guarantees. However, it incurs a significant networking overhead for large deployments.

  2016  Technische Universität Darmstadt Darmstadt PhD thesis

Improving Quality of Service in Wireless Sensor Networks for Industrial Automation

Dingwen Yuan

PDF BibTeX

Abstract
Monitoring and control systems have played a central role in industry and everyday life, often in a non-intrusive manner. Yet, they will become more ubiquitous, autonomous and distributed, with the rapid development of the envisioned technologies of "smart homes", "smart cities" and "industry 4.0". All these new technologies are built upon the enabling technology of WSN. Their success depends to a large extent on the communication capability of WSNs. Fast reaction and feedback is a common characteristic of these technologies, therefore, how to achieve low-latency, high-reliability and flexibility in WSN communication is a key challenge, and a decisive success factor. WSN refers to a network that connects a number of low-cost, low-power sensor nodes which have sensing and/or actuating capabilities, and can communicate with each other over short distance via a low-power radio. The predominant advantages that WSN offers are 1) distribution and fault tolerance in communication and sensing/actuation by leveraging large number of sensor nodes, 2) cost reduction by removing the cables of communication and power supply, and 3) flexibility in the deployment of tiny cableless sensor nodes. However, one main drawback of the wireless technology, in contrast to the mature wired counterpart, is the much weaker communication capability --- the combined result of stronger interference in the wireless channel, the weak signal strength of low-power radios and the complexity in the scheduling of multi-hop wireless communication. The main goal of the thesis is to facilitate the transition from wired technology to wireless technology for industrial automation. Specifically, I provide solutions for improving and guaranteeing QoS in WSN communication. I tackle the problem for two scenarios where the network topology is either known or not. When the network topology is known, I adopt an approach of reservation-based scheduling, i.e., through centralized scheduling of communication opportunities, in order to optimize various communication metrics. In the thesis, I propose a very efficient multi-channel scheduling algorithm that gives nearly optimal latency performance (within 1.22% of the optimum) for the tree-based convergecast, which is by far the predominant communication pattern, especially for monitoring applications. I also propose very efficient multi-channel scheduling algorithms that offer high schedulability and low overhead for multi-flow periodic real-time communication on an arbitrary network topology with multiple gateways. Such a communication pattern is typical of a multi-loop control system. On the other hand, if the network topology is unknown or changes very dynamically, I optimize the QoS in communication by exploiting concurrent transmission on the physical layer, which is routing-free by nature. First, I proposes a simple model for concurrent transmissions in WSN which accurately predicts the success or failure in the packet reception. Then I design the Sparkle protocol for highly reliable, low latency and energy efficient multi-flow periodic communication. Finally, it presents the Ripple protocol for high throughput, reliable and energy efficient network flooding using pipeline transmissions and forward error correction, which significantly improves the state-of-the-art. Although the thesis assumes WSN as the communication technology and industrial automation as the application scenario, it is by no means restricted to these settings since the proposed solutions can be applied to other wireless networks and other scenarios with similar communication patterns and QoS concerns.

  2016  IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC) Conference

Addressing MAC Layer Inefficiency and Deafness of IEEE802.11ad Millimeter Wave Networks using a Multi-Band Approach

Gek Hong Sim Thomas Nitsche Jörg Widmer

BibTeX

  2016  Millimeter-wave Networking Workshop 2016, in conjunction with the 35th IEEE International Conference on Computer Communications (IEEE INFOCOM 2016) Article

Millimeter-Wave Blind Spots: Mitigating Deafness Collisions Using Frame Aggregation

Adrian Loch Gek Hong Sim

BibTeX

  2016  The 17th International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2016) Conference

Learning from Experience: Efficient Decentralized Scheduling for 60GHz Mesh Networks

Gek Hong Sim Rui Li Cristina Cano Paul Patras David Malone Jörg Widmer

BibTeX

  2016  IEEE Transactions on Wireless Communications Article

Finite Horizon Opportunistic Multicast Beamforming

Gek Hong Sim Jörg Widmer

BibTeX

  2015  31st Annual Computer Security Applications Conference (ACSAC 2015) Article

Using Channel State Information for Tamper Detection in the Internet of Things

Ibrahim Ethem Bagci Utz Roedig Ivan Martinovic Matthias Schulz Matthias Hollick

BibTeX

Abstract
Each 802.11n WiFi frame contains a preamble which allows a receiver to estimate the impact of the wireless channel and of the transmitter on the received signal. The estimation result - the CSI - is used by a receiver to extract the transmitted information. However, as the CSI depends on the communication environment and the transmitter hardware it can as well be used for security purposes. If an attacker tampers with a transmitter it will have an effect on the CSI measured at a receiver. Many IoT devices use WiFi for communication and CSI based tamper detection is a valuable building block for securing the future IoT. Unfortunately not only tamper events lead to CSI fluctuations; movement of people in the communication environment has an impact too. We propose to analyse CSI values of a transmission simultaneously at multiple receivers to improve distinction of tamper and movement events. A moving person has an impact on some but not all communication links between transmitter and the receivers. A temper event impacts on all links between transmitter and the receivers. The paper describes the necessary algorithms for the proposed tamper detection method. In particular we analyse the tamper detection capability in practical deployments with varying intensity of people movement. For example, in our experiments with low movement intensity it was possible to detect all tamper situations (TPR of one) while achieving a zero FPR.

  2015  13th International Conference on Advances in Mobile Computing and Multimedia (MoMM) Conference

Can I Help You Setting Your Privacy? A Survey-based Exploration of Users Attitudes towards Privacy Suggestions

Delphine Reinhardt Franziska Engelmann Matthias Hollick

BibTeX

  2015  Pervasive and Mobile Computing Article

OFDMA for Wireless Multihop Networks: From Theory to Practice

Adrian Loch Matthias Hollick Alexander Kühne Anja Klein

BibTeX DOI: 10.1016/j.pmcj.2015.07.003

Abstract
Orthogonal Frequency-Division Multiple Access (OFDMA) enables nodes to exploit spatial diversity in Wireless Mesh Networks (WMNs). As a result, throughput improves significantly. While existing work often considers the physical layer only, using OFDMA in a WMN also affects the link and network layers. In particular, multi-hop forwarding may result in severe bottlenecks since OFDMA resource allocations are typically based on local information only. In this paper, we design a practical system that mitigates such bottlenecks. To this end, we allow for resource allocation based on channel and traffic conditions at the physical layer, per-subcarrier coding at the link layer, and per-subcarrier packet segmentation at the network layer. We implement our approach on software-defined radios and show that it provides significant throughput gains compared to traditional schemes.

  2015  IEEE 40th Conference on Local Computer Networks (LCN 2015) Article

Performance evaluation of delay-tolerant wireless friend-to-friend networks for undetectable communication

Ana Barroso Matthias Hollick

BibTeX DOI: 10.1109/LCN.2015.7366356

Abstract
Anonymous communication systems have recently increased in popularity in wired networks, but there are no adequate equivalent systems for wireless networks under strong surveillance. In this work we evaluate the performance of delay-tolerant friend-to-friend networking, which can allow anonymous communication in a wireless medium under strong surveillance by relying on trust relationships between the network's users. Since strong anonymity properties incur in performance penalties, a good understanding of performance under various conditions is crucial for the successful deployment of such a system. We simulate a delay-tolerant friend-to-friend network in several scenarios using real-world mobility data, analyze the trade-offs of network-related parameters and offer a preliminary throughput estimation.

  2015  International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM) Conference

APP and PHY in Harmony: Demonstrating Scalable Video Streaming Supported by Flexible Physical Layer Control

Denny Stohr Matthias Schulz Matthias Hollick Wolfgang Effelsberg

BibTeX

  2015  Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec) Conference

Lockpicking Physical Layer Key Exchange: Weak Adversary Models Invite the Thief

Daniel Steinmetzer Matthias Schulz Matthias Hollick

BibTeX DOI: 10.1145/2766498.2766514

Abstract
Physical layer security schemes for wireless communications are currently crossing the chasm from theory to practice. They promise information-theoretical security, for instance by guaranteeing the confidentiality of wireless transmissions. Examples include schemes utilizing artificial interference—that is ’jamming for good’—to enable secure physical layer key exchange or other security mechanisms. However, only little attention has been payed to adjusting the employed adversary models during this transition from theory to practice. Typical assumptions give the adversary antenna configurations and transceiver capabilities similar to all other nodes: single antenna eavesdroppers are the norm. We argue that these assumptions are perilous and ’invite the thief’. In this work, we evaluate the security of a representative practical physical layer security scheme, which employs artificial interference to secure physical layer key exchange. Departing from the standard single-antenna eavesdropper, we utilize a more realistic multi-antenna eavesdropper and propose a novel approach that detects artificial interferences. This facilitates a practical attack, effectively ’lockpicking’ the key exchange by exploiting the diversity of the jammed signals. Using simulation and real-world software-defined radio (SDR) experimentation, we quantify the impact of increasingly strong adversaries. We show that our approach reduces the secrecy capacity of the scheme by up to 97% compared to single-antenna eavesdroppers. Our results demonstrate the risk unrealistic adversary models pose in current practical physical layer security schemes.

  2015  Technische Universität Darmstadt Darmstadt PhD thesis

Lightweight Intrusion Detection in Wireless Sensor Networks

Michael Riecker

PDF BibTeX

Abstract
Wireless sensor networks have become a mature technology. They are increasingly being used in different practical applications. Examples include the monitoring of industrial environments and light adaptation in tunnels. For such applications, attacks are a serious concern. A disrupted sensor network may not only have a financial impact, but could also be safety-critical. Hence, the availability of a wireless sensor network is our key protection goal in this thesis. A special challenge lies in the fact, that sensor nodes typically are physically unprotected. Hence, insider attacks are supposed to occur, e.g., by compromising the nodes and getting in possession of the cryptographic keys, thereby becoming a legitimate member of the network. As a result, mechanisms to detect attacks during operation are necessary. Traditionally, intrusion detection systems are used to discover network anomalies. Due to severe resource-restrictions, building such a system for wireless sensor networks is challenging; it has to be small in size. Therefore, it is important to reduce the required information for intrusion detection. The majority of these systems designed for wireless sensor networks is working decentralized, i.e., the nodes try to detect the attacks locally, mostly by using some type of collaboration with other nodes. So far, the real-world effects of attacks on wireless sensor networks have not yet been studied widely. Consequently, state-of-the-art intrusion detection systems often need to analyze a large number of metrics for attack detection. The execution frequency of the detection algorithm is mainly periodic or constant. Another problem that needs further research, is the possibility of reducing the detection frequency. We also investigate the feasibility of performing intrusion detection without collaboration, in order to enable the lightweight detection of denial-of-service attacks on wireless sensor networks. To overcome these shortcomings, in this work we conduct systematic measurements in a real testbed in order to quantify the impact of denial-of-service attacks. This allows us to identify those metrics, which are significantly influenced by an attack, and thus are appropriate for attack detection. We present a fully localized intrusion detection system, in which the nodes do not have to collaborate with each other. Based on these results we propose two architectures, allowing the randomization of the detection frequency. The advantage here is, that an adversary may not predict well in advance, which node is responsible to perform intrusion detection at a certain point in time. The gathered data from the extensive measurements is analyzed with statistical approaches. The presented intrusion detection systems are evaluated in simulations and prototypical implementations.

  2015  2nd International Conference on Networked Systems (Netsys) Conference

APP and PHY in Harmony: A Framework Enabling Flexible Physical Layer Processing to Address Application Requirements

Matthias Schulz Denny Stohr Stefan Wilk Benedikt Rudolph Matthias Hollick Wolfgang Effelsberg

PDF BibTeX DOI: 10.1109/NetSys.2015.7089076

Abstract
Mobile data traffic, particularly mobile video, grows at an unprecedented pace. Despite recent advances at the physical layer, today’s wireless network infrastructure cannot keep up with this growth. This is partially due to the missing flexibility to adapt the physical layer continuously to best support both application level as well as network requirements. In this paper we show how to harness the flexibility of advanced physical layers in practice. We designed and implemented a research platform that provides a flexible application-centric physical layer for Android smartphones using software-defined radios (SDRs) as radio interfaces. Our solution allows applications to define flows and apply per-flow settings that are mapped into distinct physical layer settings. As a proof-of-concept and for testbed evaluation, we implemented our system together with a mobile video streaming application. The latter uses a Motion-JPEG based lightweight scalable video codec (SVC) to generate incremental data flows. We show that our system maximizes video quality at the receiver’s side, while keeping the energy consumption at the transmitter at a minimum. Our solution demonstrates that jointly optimizing network traffic and application quality is feasible in practice using a flexible physical layer processing approach.

  2015  Technische Universität Darmstadt Darmstadt PhD thesis

Enabling Efficient, Robust, and Scalable Wireless Multi-Hop Networks: A Cross-Layer Approach Exploiting Cooperative Diversity

Adrian Carlos Loch Navarro

PDF BibTeX

Abstract
The practical performance in terms of throughput, robustness, and scalability of traditional Wireless Multihop Networks (WMNs) is limited. The key problem is that such networks do not allow for advanced physical layers, which typically require (a) spatial diversity via multiple antennas, (b) timely Channel State Information (CSI) feedback, and (c) a central instance that coordinates nodes. We propose Corridor-based Routing to address these issues. Our approach widens traditional hop-by-hop paths to span multiple nodes at each hop, and thus provide spatial diversity. As a result, at each hop, a group of transmitters cooperates at the physical layer to forward data to a group of receivers. We call two subsequent groups of nodes a stage. Since all nodes participating in data forwarding at a certain hop are part of the same fully connected stage, corridors only require one-hop CSI feedback. Further, each stage operates independently. Thus, Corridor-based Routing does not require a network-wide central instance, and is scalable. We design a protocol that builds end-to-end corridors. As expected, this incurs more overhead than finding a traditional WMN path. However, if the resulting corridor provides throughput gains, the overhead compensates after a certain number of transmitted packets. We adapt two physical layers to the aforementioned stage topology, namely, Orthogonal Frequency-Division Multiple Access (OFDMA), and Interference Alignment (IA). In OFDMA, we allocate each subchannel to a link of the current stage which provides good channel conditions. As a result, we avoid deep fades, which enables OFDMA to transmit data robustly in scenarios in which traditional schemes cannot operate. Moreover, it achieves higher throughputs than such schemes. To minimize the transmission time at each stage, we present an allocation mechanism that takes into account both the CSI, and the amount of data that each transmitter needs to transmit. Further, we address practical issues and implement our scheme on software-defined radios. We achieve roughly 30% average throughput gain compared to a WMN not using corridors. We analyze OFDMA in theory, simulation, and practice. Our results match in all three domains. Further, we design a physical layer for corridor stages based on IA in the frequency domain. Our practical experiments show that IA often performs poorly because the decoding process augments noise. We find that the augmentation factor depends only on the channel coefficients of the subchannels that IA uses. We design a mechanism to determine which transmitters should transmit to which receivers on which subchannels to minimize noise. Since the number of possible combinations is very large, we use heuristics that reduce the search space significantly. Based on this design, we present the first practical frequency IA system. Our results show that our approach avoids noise augmentation efficiently, and thus operates robustly. We observe that IA is most suitable for stages with specific CSI and traffic conditions. In such scenarios, the throughput gain compared to a WMN not using corridors is 25% on average, and 150% in the best case. Finally, we design a decision engine which estimates the performance of both OFDMA and IA for a given stage, and chooses the one which achieves the highest throughput. We evaluate corridors with up to five stages, and achieve roughly 20% average throughput gain. We conclude that switching among physical layers to adapt to the particular CSI and traffic conditions of each stage is crucial for efficient and robust operation.

  2015  IEEE Wireless Communications Letters Article

Highly Efficient Known-Plaintext Attacks against Orthogonal Blinding based Physical Layer Security

Yao Zheng Matthias Schulz Wenjing Lou Thomas Hou Matthias Hollick

BibTeX DOI: 10.1109/LWC.2014.2363176

Abstract
In this letter, we describe highly effective known-plaintext attacks against physical layer security schemes. We substantially reduce the amount of required known-plaintext symbols and lower the symbol error rate (SER) for the attacker. In particular, we analyze the security of orthogonal blinding schemes that disturb an eavesdropper’s signal reception using artificial noise transmission. We improve the attack efficacy using fast converging optimization algorithms and combining the measurements of neighboring subchannels in a multicarrier system. We implement the enhanced attack algorithms by solving unregularized and regularized least squares problems. By means of simulation, we show that the performance of the new attack algorithms supersedes the normalized least mean square approach discussed in the work of Schulz et al., e.g., by lowering the eavesdropper’s SER by 82% while using 95% less known plaintext.

  2015  ACM WiSec'15 Conference

NFCGate - An NFC Relay Application for Android

Max Jakob Maaß Uwe Müller Tom Schons Daniel Wegemer Matthias Schulz

BibTeX DOI: 10.1145/2766498.2774984

Abstract
Near Field Communication (NFC) is a technology widely used for security-critical applications like access control or payment systems. Many of these systems rely on the security assumption that the card has to be in close proximity to communicate with the reader. We developed NFCGate, an Android application capable of relaying NFC communication between card and reader using two rooted but otherwise unmodified Android phones. This enables us to increase the distance between card and reader, eavesdrop on, and even modify the exchanged data. The application should work for any system built on top of ISO 14443-3 that is not hardened against relay attacks, and was successfully tested with a popular contactless card payment system and an electronic passport document.

  2015  14th International Conference on Mobile and Ubiquitous Multimedia (MUM) Conference

Show Me Your Phone, I Will Tell You Who Your Friends Are: Analyzing Smartphone Data to Identify Social Relationships

Delphine Reinhardt Franziska Engelmann Andrey Moerov Matthias Hollick

BibTeX DOI: 10.1145/2836041.2836048

Abstract
Access control is a key principle to protect user privacy online. The combination of both the wealth of user-generated data in online social networks and overly complex user interfaces lead to a high user burden for privacy control, hence making the observance of the above principles difficult. We investigate how communication metadata on smartphones can facilitate providing tailored suggestions for restricted audience groups, thus limiting the sharing of data to the intended users only. To this end, we have performed a user study collecting a dataset including contact names, calls, SMS, MMS, and e-mail on personal smartphones in everyday use. In this paper, we examine which are the key features determining the social relationship category of a contact using machine learning. We obtain promising results for an automated classification of contacts into work-related, family-related and other social-interaction-related, thus enabling the possibility of user assistance for privacy control. Obtaining a more fine-grained categorization of the latter category into acquaintances, friends, and university-mates is shown to be difficult, since these categories blur in our study group.

  2015  14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE UbiSafe Symposium) Conference

A Distributed Reputation System for Certification Authority Trust Management

Jiska Classen Johannes Braun Florian Volk Matthias Hollick Johannes Buchmann Max Mühlhäuser

BibTeX

  2014  11th International Conference on Mobile Ad Hoc and Sensor Systems (MASS) Conference

Building Cross-Layer Corridors in Wireless Multihop Networks

Adrian Loch Pablo Quesada Matthias Hollick Alexander Kühne Anja Klein

PDF BibTeX DOI: 10.1109/MASS.2014.19

Abstract
Corridor-based Routing widens traditional hop-by-hop paths to enable advanced physical layer mechanisms in Wireless Multihop Networks. The key concept is to let groups of nodes cooperate to jointly forward data. Instead of establishing a path formed by a fixed sequence of nodes, the network layer builds a "corridor" from source to destination to allow for such an approach. The corridor is divided into stages, which consist of the aforementioned groups of nodes. Existing mechanisms for Corridor-based Routing focus on the physical layer and assume a routing protocol that builds the corridor. In this paper, we design a corridor construction algorithm and a practical protocol that implements it. In particular, we address in detail the overhead introduced by our protocol, since this is crucial for performance and an open issue of Corridor-based Routing. We implement our approach both in simulation and practice. We obtain the turning point at which corridors become profitable and show that our protocol builds corridors, which enable throughput gains up to 74%.

  2014  11th International Symposium on Wireless Communications Systems (ISWCS'14) Conference

BER Enhancements for Practical Interference Alignment in the Frequency Domain

Alexander Kuehne Adrian Loch Thomas Nitsche Joerg Widmer Matthias Hollick Anja Klein

BibTeX DOI: 10.1109/ISWCS.2014.6933317

  2014  39th IEEE Conference on Local Computer Networks (LCN 2014) Conference

Practical OFDMA for Corridor-based Routing in Wireless Multihop Networks

Adrian Loch Matthias Hollick Alexander Kühne Anja Klein

PDF BibTeX DOI: 10.1109/LCN.2014.6925750

Abstract
Corridor-based Routing enables advanced physical layer schemes in Wireless Multihop Networks (WMNs). It widens paths in order to span multiple nodes per hop. As a result, groups of nodes cooperate locally at each hop to forward packets. Recent theoretical work suggests using Orthogonal Frequency-Division Multiple Access (OFDMA) in combination with Corridor-based Routing to improve throughput in WMNs. However, results focus on achievable capacity and do not consider practical issues such as modulation and coding schemes. In this paper, we study OFDMA for corridors in practice and implement it on software-defined radios. We show that OFDMA corridors provide significantly larger throughput gains when considering realistic modulation and coding, achieving up to 2x throughput gain compared to traditional routing not based on corridors.

  2014  Technische Universität Darmstadt PhD thesis

Active Intrusion Detection for Wireless Multihop Networks

Rodrigo Daniel do Carmo

PDF BibTeX

Abstract
This work focuses on network security and introduces an active-probing technique for intrusion detection in wireless multihop networks. Wireless networks have been the revolution of personal communications of the past decades. Millions of devices with wireless capabilities are sold to end customers every year: smartphones that enable access to the Internet almost everywhere, computers with wireless connections, personal watches, sports shoes, digital cameras, and even lenses with wireless capabilities. Today's communication capabilities are based on the concept of single hop networks. The future and vision of wireless communications is to let radio devices form multihop networks. Wireless multihop networks can be instrumental for several scenarios, such as search and rescue in disaster areas, thus potentially helping to save lives. Detecting attacks that can disrupt the network operation can be considered of utmost importance for many applications. We found that the field of intrusion detection for wireless multihop networks is generally limited. Purely centralized intrusion detection systems are ill suited because wireless multihop networks miss a clear line of defense due to their distributed nature. The most studied approach to intrusion detection in wireless multihop networks is distributed intrusion detection, which consists of deploying detection sensors in all or part of the nodes of the network. Many different approaches following this distributed detection paradigm have been proposed in the literature, but there is still a lack of practical implementations. Some implemented systems showed that the overhead generated on the nodes is excessively high, which makes the distributed detection principle unsuitable for networks operating on resource-constraint devices. Moreover, passive eavesdropping of the wireless medium makes the detection of certain attacks difficult or impossible. Other proposed intrusion detection/mitigation systems require modifications to the base routing protocols in use, thus braking the compatibility with legacy systems. In this dissertation we propose a novel approach to intrusion detection that overcomes the limitations of the existing approaches. Instead of deploying intrusion detection systems on the nodes of a wireless multihop networks, we propose deploying nodes into the network only for this purpose. The intrusion detection nodes are trustworthy, as well as less limited in resources (computing resources, energy resources, mobility). In contrast to distributed intrusion detection systems in the literature, the intrusion detection nodes in our scheme do not detect attacks locally but detect them by looking into the nodes of the network from the outside. To this end, we propose we propose employing an active-probing technique in this dissertation. It uses an approach similar to the classical ping or active fingerprinting, i.e., it works by sending testing packets to a host and recording/analyzing its reaction. In addition, if we let the intrusion detection node be mobile, it can move through the network and examine all its nodes. The innovation of our approach is that, in contrast to fingerprinting or classical active techniques, we propose an active technique not to identify or characterize nodes, but to determine if they work according to protocol specifications, as well as to detect malicious activities. In this dissertation, we propose an active-probing technique for intrusion detection and show its conception, design and evaluation. While remaining general, we test our active-probing technique in an office wireless mesh testbed running the emerging mesh standard IEEE 802.11s. We perform a solid evaluation of the active probing and its parameters. For example, we show how transmitting replications of testing packets can be beneficial under different network conditions and keeps false positive rates below 1.3%. We show how our active-probing technique detects attacks such as selective dropping of packets, black hole and colluding misrelay attacks with detection rates above 90%. We model a temporal-selective Bayes classifier to infer the state of a network node under test which is generally applicable to other systems. For our purpose, it classifies whether a node misbehaves based on the outcome of a set of active probes. We design a recursive probe selection scheme based on the current posterior of the Bayes classifier and a prediction step. This facilitates reducing the number of active probes while maximizing the insights gained by the set of probes executed. We also show that other passive techniques can complement an active-probing-based intrusion detection system. We further propose a lightweight metric called neighbor variation rate for anomaly detection. We study how the neighborhood varies over time and we represent it with a quantitative measurable value. We create a detection model based on this metric and we apply it for anomaly/intrusion detection. Last but not least, we provide the community with a modular implementation and documentation of our active intrusion detection system for wireless mesh networks as open source software available for free online.

  2014  15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks Conference

Practical Interference Alignment in the Frequency Domain for OFDM-based Wireless Access Networks

Adrian Loch Thomas Nitsche Alexander Kuehne Matthias Hollick Joerg Widmer Anja Klein

BibTeX DOI: 10.1109/WoWMoM.2014.6918922

Abstract
Interference alignment (IA) is often considered in the spatial domain in combination with MIMO systems. In contrast, aligning interference in the frequency domain among multiple subcarriers can also benefit single-antenna OFDM-based access networks. It allows for flexible operation on a per-subcarrier basis. We investigate the gains achievable by frequency IA in practice for a scenario with multiple access points and clients. Previous work is predominantly theoretical and focuses on idealized cases where all nodes have the same average signal-to-noise ratio (SNR). On the contrary, in practical networks, nodes typically have heterogeneous SNRs depending on channel conditions, which might have a significant impact on IA performance. We tackle this problem by designing mechanisms that adaptively choose which nodes shall perform IA on which subcarriers depending on current channel conditions. We implement and validate our approach on software-defined radios. To the best of our knowledge, this is the first practical implementation of IA in the frequency domain. Our measurements show that (1) frequency IA is feasible in practice, and (2) choosing appropriate nodes and subcarriers overcomes the main limitations due to heterogeneous SNRs. Our mechanisms enable IA in scenarios where it would be infeasible otherwise, achieving throughput gains close to the 33% theoretical maximum.

  2014  Technische Universität Darmstadt Darmstadt Master's thesis

Scalable and Secure Multicast Routing for Mobile Ad-hoc Networks

Milan Schmittner

PDF BibTeX

Abstract
Mobile Ad-Hoc Networks (MANETs) are decentralized and autonomous communication systems: They can be used to provide connectivity when a natural disaster has brought down the infrastructure, or they can support freedom of speech in countries with governmental Internet restrictions. MANET design requires careful attention to scalability and security due to low-capacity and error-prone wireless links as well as the openness of these systems. In this thesis, we address the issue of multicast as a means to efficiently support the MANET application of group communication on the network layer. To this aim, we first survey the research literature on the current state of the art in MANET routing, and we identify a gap between scalability and security in multicast routing protocols–two aspects that were only considered in isolation until now. We then develop an explicit multicast protocol based on the design of a secure unicast protocol, aiming to maintain its security properties while introducing minimal overhead. Our simulation results reveal that our protocol reduces bandwidth utilization in group communication scenarios by up to 45 % compared to the original unicast protocol, while providing significantly better resilience under blackhole attacks. A comparison with pure flooding allows us to identify a practical group size limit, and we present ideas for better large-group support.

  2014  39th IEEE Conference on Local Computer Networks (LCN) Conference

Making Active-Probing-Based Network Intrusion Detection in Wireless Multihop Networks Practical: A Bayesian Inference Approach to Probe Selection.

R. do Carmo J. Hoffmann V. Willert Matthias Hollick

BibTeX

  2014  Proceedings of the 3rd Workshop of Software Radio Implementation Forum (SRIF 2014), co-located with ACM Sigcomm 2014 Conference

WARP Drive - Accelerating Wireless Multi-hop Cross-layer Experimentation on SDRs

Adrian Loch Matthias Schulz Matthias Hollick

BibTeX

  2014  Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2014) Conference

How did you get here? PHY-Layer Path Signatures

Adrian Loch David Meier Matthias Hollick

BibTeX

  2014  15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2014) Conference

Corridor-based Routing: Opening Doors to PHY-Layer Advances for Wireless Multihop Networks

Adrian Loch Matthias Hollick A. Kühne A. Klein

BibTeX DOI: 10.1109/WoWMoM.2014.6919011

Abstract
Today, the performance of routing mechanisms in Wireless Multihop Networks (WMNs) is still limited by the lower layers. While recent cross-layer approaches take advantage of the characteristics of the medium, they are often based on traditional physical layers such as OFDM. State-of-the-art techniques used in one-hop scenarios, such as OFDMA or MIMO, pose a significant challenge in practical multihop networks, since typically Channel State Information (CSI) at the transmitter is required. Due to its volatile nature, disseminating timely CSI in the network is often infeasible. We generalize Corridor-based Routing to enable advanced physical layers in WMNs. Instead of routing packets from node to node, we forward them along fully-connected groups of nodes. As a result (1) CSI only needs to be exchanged locally to enable cooperation in a group, and (2) groups can adaptively choose the best physical layer technique according to CSI. We investigate the benefits of Corridor-based Routing and present a protocol design that enables operation of corridors in WMNs.

  2014  11th IEEE/IFIP Annual Conference on Wireless On-demand Network Systems and Services (WONS 2014) Conference

Analyzing Active Probing for Practical Intrusion Detection in Wireless Multihop Networks

Rodrigo do Carmo Matthias Hollick

BibTeX

  2014  International Conference on Intelligent Sensors, Sensor Networks and Information Processing (ISSNIP) Other

TrustMeter: A trust assessment scheme for collaborative privacy mechanisms in participatory sensing applications

Delphine Christin Daniel Rodriguez Pons-Sorolla Matthias Hollick Salil Kanhere

BibTeX

  2014  Proceedings of the Network and Distributed System Security Symposium (NDSS 2014) Conference

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Matthias Schulz Adrian Loch Matthias Hollick

BibTeX

Abstract
Physical layer security schemes for wireless communication systems have been broadly studied from an information theory point of view. In contrast, there is a dearth of attack methodologies to analyze the achievable security on the physical layer. To address this issue, we develop a novel attack model for physical layer security schemes, which is the equivalent to known-plaintext attacks in cryptoanalysis. In particular, we concentrate on analyzing the security of orthogonal blinding schemes that disturb an eavesdropper’s signal reception using artificial noise transmission. We discuss the theory underlying our attack methodology and develop an adaptive filter trained by known-plaintext symbols to degrade the secrecy of orthogonal blinding. By means of simulation and measurements on real wireless channels using software-defined radios with OFDM transceivers, we obtain the operating area of our attack and evaluate the achievable secrecy degradation. We are able to reduce the secrecy of orthogonal blinding schemes to Symbol Error Rates (SERs) below 10% at an eavesdropper, with a knowledge of only a 3% of the symbols transmitted in typical WLAN frames.

  2014  1st KuVS Workshop on Anticipatory Networks Conference

Mind the Gap – Understanding the Traffic Gap when Switching Communication Protocols

Marc Werner Tobias Lange Matthias Hollick Torsten Zimmermann Klaus Wehrle

BibTeX

Abstract
A large variety of routing protocols for Wireless Multihop Networks exists today. These protocols are tailored towards a specific networking scenario and cannot be easily adapted to suit the changing requirements of novel applications, organically growing networks, etc. Introducing a modular design allowing for dynamic switching between routing mechanisms is a promising approach to overcome this challenge. However, in the transition phase between mechanisms, a gap in network traffic can occur while the new protocol is initialized, thus effectively leaving the network disconnected. The resulting service interruption decreases the user experience and violates the quality of service requirements of, for example, multimedia applications such as Voice over IP. In this paper, we perform a measurement study to analyze the characteristic effects of switching between routing mechanisms on a wireless mesh testbed. Specifically, we analyze the switch between a link state and a distance vector routing mechanisms. The obtained results allow for identifying some key factors affecting the transition between mechanism.

  2014  Proceedings of the 39th IEEE Conference on Local Computer Networks (LCN) Conference

Measuring the Impact of Denial-of-Service Attacks on Wireless Sensor Networks

Michael Riecker D. Thies Matthias Hollick

BibTeX

  2014  29th IFIP TC 11 International Conference, SEC 2014 Conference

Evaluating the Security of a DNS Query Obfuscation Scheme for Private Web Surfing

Dominik Herrmann Max Maass Hannes Federrath

BibTeX DOI: 10.1007/978-3-642-55415-5_17

Abstract
The Domain Name System (DNS) does not provide query privacy. Query obfuscation schemes have been proposed to overcome this limitation, but, so far, they have not been evaluated in a realistic setting. In this paper we evaluate the security of a random set range query scheme in a real-world web surfing scenario. We demonstrate that the scheme does not sufficiently obfuscate characteristic query patterns, which can be used by an adversary to determine the visited websites. We also illustrate how to thwart the attack and discuss practical challenges. Our results suggest that previously published evaluations of range queries may give a false sense of the attainable security, because they do not account for any interdependencies between queries.

  2014  11th European Conference on Wireless Sensor Networks (EWSN) Conference

Making 'Glossy' Networks Sparkle: Exploiting Concurrent Transmissions for Energy Efficient, Reliable, Ultra-low Latency Communication in Wireless Control Networks

Dingwen Yuan Michael Riecker Matthias Hollick

BibTeX

  2013  Pervasive and Mobile Computing (PMC) Article

uSafe: A Privacy-aware and Participative Mobile Application for Citizen Safety in Urban Environments

Delphine Christin C. Roßkopf Matthias Hollick

BibTeX

  2013  Proceedings of the 11th International Conference on Advances in Mobile Computing and Multimedia (MoMM) Article

Raising User Awareness about Privacy Threats in Participatory Sensing Applications through Graphical Warnings

Delphine Christin M. Michalak Matthias Hollick

BibTeX

  2013  14th Workshop on Signal Processing Advances in Wireless Communications (SPAWC 2013) Conference

CSI Feedback in OFDMA Wireless Networks with Multiple Transmitter-Receiver Pairs

Adrian Loch Matthias Hollick Thomas Nitsche Joerg Widmer Alexander Kühne Anja Klein

PDF BibTeX DOI: 10.1109/SPAWC.2013.6612106

  2013  Proceedings of the 2nd Workshop of Software Radio Implementation Forum (SRIF 2013), co-located with ACM Sigcomm 2013 Conference

Evaluating Dynamic OFDMA Subchannel Allocation for Wireless Mesh Networks on SDRs

Robin Klose Adrian Loch Matthias Hollick

BibTeX

  2013  2013 Wireless Communications and Networking Conference (WCNC'13) Conference

Node Selection for Corridor-based Routing in OFDMA Multihop Networks

Alexander Kühne Adrian Loch Matthias Hollick Anja Klein

PDF BibTeX DOI: 10.1109/WCNC.2013.6554877

Abstract
In multi-hop networks, conventional forwarding along a unicast route forces the data transmission to follow a fixed sequence of nodes. In previous works, it has been shown that widening this path to create a corridor of forwarding nodes and applying OFDMA to split and merge the data as it travels through the corridor towards the destination node leads to considerable gains in achievable throughput compared to the case forwarding data along a unicast route. However, the problem of selecting potential nodes to act as forwarding nodes within the corridor has not been addressed in the literature, as in general a rather homogeneous network topology with equally spaced relay clusters per hop between source and destination node has been assumed. In this paper, a more realistic heterogeneous network is considered where the nodes in the area between source and destination are randomly distributed instead of being clustered with equal distance. A node selection scheme is presented which selects the forwarding nodes within the corridor based on a given unicast route between source and destination node. In simulations, it is shown that with the proposed node selection scheme, considerable throughput gains of up to 50 % compared to forwarding along unicast route can be achieved applying corridor-based routing in heterogeneous networks especially in sparse networks.

  2013  Proceedings of the 2013 IEEE International Conference on Sensing, Communication, and Networking (SECON 2013) Conference

A Rapid Prototyping Framework for Practical OFDMA Systems using Software Defined Radios

Robin Klose Adrian Loch Matthias Hollick

BibTeX

  2013  Proceedings of the 14th International Symposium on a World of Wireless, Mobile and Multimedia Networks (IEEE WoWMoM, D-SPAN Workshop) Conference

A Blueprint for Switching Between Secure Routing Protocols in Wireless Multihop Networks

M. Werner J. Kaiser Matthias Hollick E. Weingärtner K. Wehrle

BibTeX

Abstract
A plethora of (secure) routing protocols exists for wireless multihop networks. These protocols are mostly tailored to meet the performance and security requirements of specific application scenarios. As a result, the protocols cannot easily be adapted to novel application demands, organically growing networks, etc. We argue that the modular design of routing protocols and security mechanisms can remove the key limitations of today’s monolithic routing protocols. We show the feasibility of a modular routing approach for wireless multihop networks using the example of a wireless mesh network. In particular, we demonstrate that a dynamic switch between protocol modules is possible at runtime by means of simulation as well as testbed experimentation. We further demonstrate that the security associations and the key material can be reutilized for bootstrapping novel protocol modules, thus minimizing the control overhead.

  2013  Proceedings of the 14th IEEE International Workshop on Signal Processing Advances for Wireless Communications (SPAWC 2013) Conference

EVM and RSSI Link Quality Measurements in Frequency Selective Fading Channels

Thomas Nitsche Jörg Widmer Adrian Loch Matthias Hollick

BibTeX

  2013   Essener Workshop Neue Herausforderungen in der Netzsicherheit Conference

Not the Enemy but the Ally: Increasing the Security of Wireless Networks Using Smartphones (extended abstract)

Rodrigo do Carmo Marc Werner Paul Klobuszenski Matthias Hollick

BibTeX

  2013  Proceedings of the 2nd ACM workshop on Hot topics on wireless network security and privacy Article

DogoIDS: a mobile and active intrusion detection system for IEEE 802.11s wireless mesh networks

Rodrigo do Carmo Matthias Hollick

BibTeX DOI: 10.1145/2463183.2463187

Abstract
Wireless Mesh Networks (WMN) are particularly vulnerable to attacks, since they feature constraint nodes, multi-hop communication, and an open wireless communication channel. These features limit the feasibility of the deployment of contemporary Intrusion Detection Systems (IDS): centralized systems fail because there is no strict network boundary, and distributed and/or cooperative systems challenge the limited resources of the nodes. As a result, practical IDSs for WMNs are scarce, and existing systems are limited with respect to detection capabilities. In this paper we present the design, implementation, and evaluation of "DogoIDS": an open source, mobile, active-probing-based intrusion detection system. Exploiting mobility allows to mitigate the limitations of distributed, node-dependent systems. The active nature of the system achieves detection capabilities beyond that of a purely passive system. We show the accuracy and speed of our prototype in a testbed WMN---based on the IEEE 802.11s standard---under realistic attacks.

  2013  17th International ITG Workshop on Smart Antennas (WSA'13) Conference

Spatial reuse in OFDMA multi-hop networks applying corridor-based routing

Alexander Kühne Adrian Loch Matthias Hollick Anja Klein

BibTeX

Abstract
In multi-hop networks, conventional forwarding along a unicast route forces the data transmission to follow a fixed sequence of nodes. In previous works, it has been shown that widening this path to create a corridor of forwarding nodes and applying OFDMA to split and merge the data as it travels through the corridor towards the destination node leads to considerable gains in achievable throughput compared to the case of forwarding data along a unicast route. However, the possibility of applying spatial reuse in such kind of networks has not been investigated. In this paper, three different schemes for spatial reuse in multi-hop OFDMA networks applying corridorbased routing are presented and compared to the case without spatial reuse. From simulations it can be seen that spatial reuse increases the throughput. For different signal-to-noise ratio regions, different schemes perform best due to the way the interference is handled by the schemes.

  2013  Proceedings of the 2013 Conference on Networked Systems (NetSys 2013) Conference

Face the Enemy: Attack Detection for Planar Graph Routing

Adrian Loch Matthias Hollick

BibTeX

  2013  Pervasive and Mobile Computing Article

Curve-based Planar Graph Routing with Guaranteed Delivery in Multihop Wireless Networks

Adrian Loch Hannes Frey Matthias Hollick

BibTeX DOI: 10.1016/j.pmcj.2013.03.004

Abstract
Localized geographic routing schemes operating on planar graphs promise scalability for use within large multihop wireless networks. However, none of the existing schemes is flexible enough to adapt the sequence of faces visited by the constructed path. Thus, real-world constraints may severely impact the network performance. To address this problem, we extend planar graph routing to allow the algorithm to forward packets along a sequence of faces intersected by any arbitrary curve. We analytically prove that this extended scheme is loop free and allows for guaranteed delivery. Furthermore, we investigate schemes for choosing curves dealing with imperfections in the network.

  2013  Pervasive and Mobile Computing Article

IncogniSense: An Anonymity-preserving Reputation Framework for Participatory Sensing Applications

Delphine Christin C. Roßkopf Matthias Hollick Leonardo Martucci Salil Kanhere

BibTeX

  2013  Proceedings of the 12th GI/ITG KuVS Fachgespräch Drahtlose Sensornetze (FGSN13) Conference

Weniger ist Mehr: Leichtgewichtige Metriken zur Erkennung von Denial-of-Service Angriffen in Drahtlosen Sensornetzen

Michael Riecker Matthias Hollick

BibTeX

  2013  Technische Universität Darmstadt Darmstadt PhD thesis

Privacy in Participatory Sensing - User-controlled Privacy-preserving Solutions for Mobile Sensing Applications

Delphine Christin

PDF BibTeX

Abstract
Information and Communication Technology is commonly recognized as one of the key enablers in improving the quality of life in our modern society. By including citizens in the digital world, the efficiency of existing services has already been improved. In a second wave, the technological advances of mobile phones promise to further bridge the gap between physical world and cyberspace. Using sensors embedded in mobile phones, a torrent of data about the physical world can be collected. The inclusion of the gathered data into the digital world contributes to the realization of the vision of so-called smart spaces, ranging from smart homes to smart cities and beyond. These smart spaces can substantially increase the quality of life by leveraging the participation of billions of citizens by, e.g., monitoring traffic congestion and noise pollution. The collection of sensor readings in participatory sensing applications however puts the privacy of the users at risk, as they may reveal sensitive information about themselves, such as the locations they visited. Users aware of such threats may decide to opt out of the application, thus decreasing the quantity and quality of the gathered data. Privacy protection is therefore mandatory to encourage potential contributions. Most existing privacy-preserving solutions specifically tailored to participatory sensing applications fail to include users in the loop, despite the individual nature of the conception of privacy. They are mainly preconfigured by application administrators and cannot be personalized by users according to their privacy preferences. Moreover, a majority of existing approaches relies on a central entity responsible for the users’ privacy protection. In addition to be a single point of failure, users need to entrust them not to disclose sensitive information to unauthorized third parties. In order to address these shortcomings and ultimately foster the users’ contributions, we propose three privacy-preserving solutions in which users are in control of their privacy protection and can adapt the underlying mechanisms to their own preferences. Furthermore, the provided privacy protection is independent of the trustworthiness of the application server. In particular, we present a scheme in which users mutually preserve their privacy by physically exchanging sensor readings, along with the time and location of their collection, during opportunistic meetings. By breaking the association between users’ identities and sensor readings, the exchanges prevent curious application administrators from inferring the locations visited by the participants based on the uploaded sensor readings. This scheme, however, relies on the collaboration of all participating users. In order to assess the users’ degrees of collaboration, we therefore propose mechanisms based on user ratings that readily identify and quarantine malicious users. Using both schemes, users are hence able to determine the applied exchange strategy based the assessed trust levels of encountered users as well as their individual preferences. As a result, the collected data are obfuscated prior to their upload to the application server. Furthermore, we propose an innovative scheme based on periodic pseudonyms that allows the application server to assess the trustworthiness of the contributed sensor readings without endangering the users’ privacy. In addition to rely on blind signatures, our scheme introduces the concept of reputation cloaking in order to prevent curious application administrators from linking consecutive pseudonyms based on an analysis of their reputation. By applying different proposed cloaking schemes, users can control and balance the inherent trade-off between anonymity protection and loss in reputation according to their personal preferences. In addition to proposing these three schemes, we investigate the degree of privacy protection achieved by the devised solutions by means of extensive simulations under realistic scenarios and conditions. Besides, we assess the applicability of our contributions in participatory sensing applications by using real-world data traces and through prototypical implementation. Based on our thorough evaluation, we provide guidelines for the parametrization of the proposed schemes by considering both the user and application perspectives.

  2013  CHI Conference on Human Factors in Computing Systems Conference

Improving Privacy Settings for Facebook by Using Interpersonal Distance as Criterion

M. Kauer B. Franz T. Pfeiffer M. Heine Delphine Christin

BibTeX DOI: 10.1145/2468356.2468498

Abstract
The possibility to define custom privacy settings in Facebook has been improved over the last years. Still,numerous users do not know how to change those settings or do not use the settings because they are cumbersome to use. Within this paper a new method for defining the privacy settings in online social networks is presented that uses the social distance between users as setting criterion. This approach was tested as a paper prototype in a first user study with 10 participants. Results show that the number of errors was significantly decreased and that the subjective evaluation of the interface was promising.

  2013  Accepted for publication in Proceedings of the 38th IEEE Conference on Local Computer Networks (LCN demo) Conference

Smarter Building for the Smart Grid? Let them Forecast Their Power Consumption

Alexander Reinhard Delphine Christin Kai Li Salil Kanhere Jin Zhang

BibTeX

  2013  accepted for publication in Proceedings of 5th ACM Workshop on Embedded Systems for Energy-Efficient Buildings (BuildSys posters) Conference

Predicting the Power Consumption of Electric Appliances through Time Series Pattern Matching

Andreas Reinhardt Delphine Christin Salil Kanhere

BibTeX

  2013  Accepted for publication in Proceedings of the 3rd IFIP Conference on Sustainable Internet and ICT for Sustainability (SustainIT) Conference

Enhancing User Privacy by Prepocessing Distributed Smart Meter Data

Andreas Reinhardt F. Englert Delphine Christin

BibTeX

  2013  38th IEEE Conference on Local Computer Networks (LCN) Conference

Let's Talk Together: Understanding Concurrent Transmission in Wireless Sensor Networks

Dingwen Yuan Matthias Hollick

BibTeX

  2013  Accepted for publication in Proceedings of the IEEE Workshop on Privacy and Anonymity for the Digital Economy (LCN Workshop) Conference

What’s the Value of Your Privacy? Exploring Factors that Influence Privacy-sensitive Contributions to Participatory Sensing Applications

Delphine Christin C. Büchner N. Leibecke

BibTeX

  2013  Information Security Technical Report (ISTR) Article

Share with Strangers: Privacy Bubbles as User-centered Privacy Control for Mobile Content Sharing Applications

Delphine Christin P. Sánchez López Andreas Reinhardt Matthias Hollick Michaela Kauer

BibTeX

  2013  Accepted for publication in Proceedings of 38th Annual IEEE Conference on Local Computer Networks (LCN) Conference

On the Efficiency of Privacy-preserving Path Hiding for Mobile Sensing Applications

Delphine Christin Andreas Reinhardt Matthias Hollick

BibTeX

  2012  Proceedings of the 7th IEEE International Workshop on Practical Issues in Building Sensor Network Applications (SenseApp) Conference

CachedSensing: Exploring and Documenting the Environment as a Treasure Hunt

Delphine Christin C. Büttner Nicolas Repp

BibTeX

  2012  Proceedings of the 2nd IFIP Conference on Sustainable Internet and ICT for Sustainability (SustainIT) Conference

On the Accuracy of Appliance Identification Based on Distributed Load Metering Data.

Andreas Reinhardt Peter Baumann D. Burgstahler Matthias Hollick H. Chonov Marc Werner R. Steinmetz

BibTeX

Abstract
Dynamic load management, i.e., allowing electricity utilities to remotely turn electric appliances in households on or off, represents a key element of the smart grid. Appliances should however only be disconnected from mains when no negative side effects, e.g., loss of data or thawing food, are incurred thereby. This motivates the use of appliance identification techniques, which determine the type of an attached appliance based on the continuous sampling of its power consumption. While various implementations based on different sampling resolutions have been presented in existing literature, the achievable classification accuracies have rarely been analyzed. We address this shortcoming and evaluate the accuracy of appliance identification based on the characteristic features of traces collected during the 24 hours of a day. We evaluate our algorithm using more than 1,000 traces of different electrical appliances' power consumptions. The results show that our approach can identify most of the appliances at high accuracy.

  2012  Proceedings of the 8th ACM International Symposium on QoS and Security for Wireless and Mobile Networks (ACM Q2SWinet) Conference

Signs of a Bad Neighborhood: A Lightweight Metric for Anomaly Detection in Mobile Ad Hoc Networks

R. do Carmo M. Werner Matthias Hollick

BibTeX

Abstract
Anomaly detection in wireless multihop networks is notoriously difficult: the wireless channel causes random errors in transmission and node mobility leads to constantly changing node neighborhoods. The Neighbor Variation Rate (NVR) introduced in this paper is a metric that quantitatively describes how the topology of the neighborhood of a node in a wireless multihop network evolves over time. We analyze the expressiveness of this metric under different speeds of nodes and measuring intervals and we employ it to detect anomalies in the network caused by malicious node activity. We validate our detection model and investigate its parameterization by means of simulation. We build a proof-of-concept and deploy it in a real-world IEEE 802.11s wireless mesh network composed of several static nodes and some mobile nodes. In real-world experiments, we mount attacks against the mesh network and analyze the expressiveness of NVR to characterize these attacks. In addition, we analyze the behavior of NVR when applied to an external dataset obtained from measurements of a real-world dynamic AODV-based mobile ad hoc network. Our results show that our metric is lightweight yet effective for anomaly detection in both stationary and mobile wireless multihop networks.

  2012  Pervasive and Mobile Computing Article

Balancing energy efficiency and throughput fairness in IEEE 802.11 WLANs

Andres Garcia-Saavedra Pablo Serrano Albert Banchs Matthias Hollick

BibTeX

  2012  17th International OFDM-Workshop (InOWo'12) Conference

Opportunistic forwarding in multi-hop OFDMA networks with local CSI

A. Kühne A. Klein Adrian Loch Matthias Hollick

BibTeX

Abstract
In multi-hop networks, conventional unipath routing approaches force the data transmission to follow a fixed sequence of nodes. In this paper, we widen this path to create a corridor of forwarding nodes. Within this corridor, data can be split and joined at different nodes as the data travels through the corridor towards the destination node. To split data, decode-and-forward OFDMA is used since with OFDMA, one can exploit the benefits of opportunistically allocating different subcarriers to different nodes according to their channel conditions. To avoid interference, each subcarrier is only allocated once per hop. It is assumed that only local channel state information (CSI) for the next hop towards the destination is available at the nodes, i.e. it can not be guaranteed that a certain node is able to forward its received data in the next hop. This leads to additional transmission phases decreasing the overall network throughput. In this paper, different opportunistic forwarding algorithms are presented which differ in the resource allocation strategy and in the amount of cooperation required between the nodes. Simulations show that in multihop networks, corridor-based routing using opportunistic forwarding with a proper resource allocation strategy outperforms conventional unipath routing approaches in terms of achievable throughput, especially in case of a node drop out.

  2012   GI/ITG KuVS Fachgespräch "Drahtlose Sensornetze" (FGSN) Conference

Optimization and Scheduling of Wireless Sensor Networks for Periodic Control Systems

Dingwen Yuan Matthias Hollick

BibTeX

  2012  23rd IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC'12) Conference

Corridor-based Routing using Opportunistic Forwarding in OFDMA Multihop Networks

A. Kühne A. Klein Adrian Loch Matthias Hollick

BibTeX DOI: 10.1109/PIMRC.2012.6362553

Abstract
In multi-hop networks, conventional unipath routing approaches force the data transmission to follow a fixed sequence of nodes. In this paper, we widen this path to create a corridor of forwarding nodes. Within this corridor, data can be split and joined at different nodes as the data travels through the corridor towards the destination node. To split data, decode-and-forward OFDMA is used since with OFDMA, one can exploit the benefits of opportunistically allocating different subcarriers to different nodes according to their channel conditions. To avoid interference, each subcarrier is only allocated once per hop. For the presented scheme, the problem of optimizing the network throughput by means of resource and power allocation is formulated and two suboptimal algorithms are proposed to solve this problem with feasible effort. Simulations show that in multi-hop networks corridor-based routing using opportunistic forwarding outperforms conventional unipath routing approaches in terms of achievable throughput.

  2012  In Proceedings of Seventh International Conference on Availability, Reliability and Security (ARES 2012) Conference

Topology-Driven Secure Initialization in Wireless Sensor Networks: A Tool-Assisted Approach

Stanislaus Stelle Mark Manulis Matthias Hollick

BibTeX

  2012  In Proceedings of 12th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM) Conference

Energy-efficient fair channel access for IEEE 802.11 WLANs

Andres Garcia-Saavedra Pablo Serrano Albert Banchs Matthias Hollick

BibTeX

  2012  13th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM) Conference

Curve-based Planar Graph Routing with Guaranteed Delivery in Multihop Wireless Networks

Hannes Frey Matthias Hollick Adrian Loch

BibTeX DOI: 10.1109/WoWMoM.2012.6263689

Abstract
Localized geographic routing schemes operating on planar graphs promise scalability for use within large multihop wireless networks. Existing schemes base routing path construction on faces defined by the planar graph. Once running on a particular planar graph, none of the existing schemes is flexible enough to adapt the sequence of faces visited by the constructed path. Thus, real-world constraints such as network congestion, limited node energy levels, or non-cooperation of nodes might severely impact the performance and the robustness of existing planar graph routing variants. To address this problem, we extend planar graph routing with one further degree of freedom: control over the sequence of visited faces. Basically, our face routing extension now follows a sequence of faces intersected by any curve we can freely adjust. We investigate basic schemes for choosing curves dealing with imperfections in the network, and derive algorithms for routing and forwarding along these curves. We analytically prove that our scheme is loop free and allows for guaranteed delivery in arbitrary planar connected graphs. We implement curve-based routing and show its feasibility by means of a simulation study. As a proof-of-concept scenario, we investigate the case of non-cooperating nodes. Our results show that curve-based routing is able to sustain the delivery of packets where traditional schemes fail.

  2012  16th International ITG Workshop on Smart Antennas (WSA'12) Conference

Two-Way Relaying for Multiple Applications in Wireless Sensor Networks

Z. Chen A. Kühne A. Klein A. Loch Matthias Hollick J. Widmer

BibTeX DOI: 10.1109/WSA.2012.6181227

Abstract
Recent work in wireless sensor networks implies possibilities of concurrent support of multiple applications. In this paper, we discuss a novel scheme called hybrid computation in two-way relaying, which introduces cooperation of three sensor nodes to support bi-directional communications of two applications. Applications in wireless sensor networks require different computations and forms of aggregation. In the proposed scheme, different computations at the intermediate node are integrated in a two-way relaying scheme. For computations and transmissions in the proposed scheme, data from all three nodes are considered.We propose a superposition coding protocol and a time division protocol to handle the transmission of the messages from the intermediate node. The problem of maximizing the sum rate is discussed. The results show that the superposition coding protocol outperforms the time division protocol.

  2012  Proceedings of the 10th IEEE International Conference on Pervasive Computing and Communications (PerCom) Conference

IncogniSense: An Anonymity-preserving Reputation Framework for Participatory Sensing Applications

Delphine Christin C. Roßkopf Matthias Hollick Leonardo Martucci Salil Kanhere

BibTeX

  2012  Proceedings of the 37th IEEE Conference on Local Computer Networks (LCN) Conference

A Secure Monitoring and Control System for Wireless Sensor Networks

Michael Riecker R. Thome D. Yuan Matthias Hollick

BibTeX

  2012  Proceedings of the 37th IEEE Conference on Local Computer Networks (LCN) Conference

HOPSCOTCH: An Adaptive and Distributed Channel Hopping Technique for Interference Avoidance in Wireless Sensor Networks

Dingwen Yuan Michael Riecker Matthias Hollick

BibTeX

  2011  The Journal of Systems & Software Article

A Survey on Privacy in Mobile Participatory Sensing Applications

Delphine Christin Andreas Reinhardt Salil Kanhere Matthias Hollick

BibTeX DOI: 10.1016/j.jss.2011.06.073

Abstract
The presence of multimodal sensors on current mobile phones enables a broad range of novel mobile applications. Environmental and user-centric sensor data of unprecedented quantity and quality can be captured and reported by a possible user base of billions of mobile phone subscribers worldwide. The strong focus on the collection of detailed sensor data may however compromise user privacy in various regards, e.g., by tracking a user’s current location. In this survey, we identify the sensing modalities used in current participatory sensing applications, and assess the threats to user privacy when personal information is sensed and disclosed. We outline how privacy aspects are addressed in existing sensing applications, and determine the adequacy of the solutions under real-world conditions. Finally, we present countermeasures from related research fields, and discuss their applicability in participatory sensing scenarios. Based on our findings, we identify open issues and outline possible solutions to guarantee user privacy in participatory sensing.

  2011  Proceedings of the 8th IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2011) Conference

Privacy-preserving Collaborative Path Hiding for Participatory Sensing Applications

Delphine Christin J. Guillemet Andreas Reinhardt Matthias Hollick Salil Kanhere

BibTeX

Abstract
The presence of multimodal sensors on current mobile phones enables a broad range of novel mobile applications including, e.g., monitoring noise pollution or traffic and road con- ditions in urban environments. Data of unprecedented quantity and quality can be collected and reported by a possible user base of billions of mobile phone subscribers worldwide. The collection of detailed sensor and location data may however compromise user privacy. In this paper, we present a decentralized mechanism to preserve location privacy during the collection of sensor readings. As most sensor readings are geotagged, we propose to exchange them between users in physical proximity in order to jumble the paths followed by the users. We evaluate different strategies to exchange and report the sensor readings to the application using real-world GPS traces of mobile users. The results demonstrate the feasibility and efficacy of our proposed scheme, which can obfuscate up to 100% of the visited locations in the best instances.

  2011  8th IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS) Conference

Curve-based Planar Graph Routing in Multihop Wireless Networks

Hannes Frey Matthias Hollick Adrian Loch

BibTeX DOI: 10.1109/MASS.2011.127

Abstract
Scalability of routing algorithms is a critical issue in large multihop wireless networks. In this sense, approaches like localized geographic routing are very promising. Existing schemes base routing path construction on faces defined by the planar graph of the network. Once running on a particular planar graph, none of the existing schemes is flexible enough to adapt the sequence of faces visited by the constructed path. To address this problem, we extend planar graph routing with one further degree of freedom: control over the sequence of visited faces. Basically, our face routing extension now follows a sequence of faces intersected by any curve we can freely adjust. We motivate our work by discussing application scenarios that benefit from our scheme and suggest basic mechanisms for choosing appropriate curves. We further present preliminary results from an implementation of our curve-based routing scheme.

  2011  Proceedings of the 3rd International Workshop on Security and Privacy in Spontaneous Interaction and Mobile Phone Use (IWSSI/SPMU) Conference

A Picture is Worth a Thousand Words: Privacy-aware and Intuitive Relationship Establishment in Online Social Networks

Delphine Christin Tobias Freudenreich Matthias Hollick

BibTeX

  2011  Proceedings of the 10th GI/ITG KuVS Fachgespräch Drahtlose Sensornetze (FGSN11) Conference

We Must Move - We Will Move: On Mobile Phones as Sensing Platforms

Delphine Christin Matthias Hollick

BibTeX

  2011  Proceedings of the 10th GI/ITG KuVS Fachgespräch Drahtlose Sensornetze (FGSN11) Conference

A Secure Monitoring and Control System for Wireless Sensor Networks

Michael Riecker W. Müller Matthias Hollick K. Saller

BibTeX

  2010  Proceedings of IEEE LCN 2010 Conference

The Rise and Fall of the AODV Protocol: A Testbed Study on Practical Routing Attacks

C. Gottron P. Larbig A. König Matthias Hollick R. Steinmetz

BibTeX

  2010  Forschen Article

Sichere Netze - Mit dem Nutzer im Zentrum (Invited Paper)

Matthias Hollick Thorsten Strufe Alejandro Buchmann

BibTeX

  2010  Proceedings of 9th GI/ITG KuVS Fachgespräch Drahtlose Sensornetze, Würzburg, Germany Conference

Fine-grained Access Control Enabling Privacy Support in Wireless Sensor Networks (Extended Abstract)

Delphine Christin Andreas Reinhardt Salil Kanhere Matthias Hollick

BibTeX

  2010  Proceedings of the 19th International Conference on Computer Communication Networks (ICCCN 2010) Conference

Security and Privacy Objectives for Sensing Applications in Wireless Community Networks (Invited Paper)

Delphine Christin Matthias Hollick Mark Manulis

BibTeX

  2010  Proceedings of European Wireless 2010 Conference

On the Energy Efficiency of IEEE 802.11 WLANs

P. Serrano A. Garcia-Saavedra Matthias Hollick A. Banchs

BibTeX

  2010  Journal of Communications and Networks (JCN) Article

On the Trade-Off between Throughput Maximization and Energy Consumption Minimization in IEEE 802.11 WLANs

P. Serrano Matthias Hollick A. Banchs

BibTeX

  2010  Proceedings of the 7th European Conference on Wireless Sensor Networks (EWSN 2010) Conference

Trimming the Tree: Tailoring Adaptive Huffman Coding to Wireless Sensor Networks

Alexander Reinhard Delphine Christin Matthias Hollick Johannes Schmitt Parag S. Mogre Ralf Steinmetz

BibTeX

  2010  Wireless Communications and Mobile Computing Article

CORE: Centrally Optimized Routing Extensions for Efficient Bandwidth Management and Network Coding in the IEEE 802.16 MeSH Mode

Parag S. Mogre N. D'Heureuse Matthias Hollick R. Steinmetz

BibTeX

  2010  Wireless Communications and Mobile Computing Article

A Security Framework for Wireless Mesh Networks

Parag S. Mogre K. Graffi Matthias Hollick R. Steinmetz

BibTeX

  2009  Proceedings of IEEE GLOBECOM 2009 Conference

An Analytical Model of Routing, Misbehavior, and Countermeasures in Mobile Ad Hoc Networks

André König Daniel Seither Matthias Hollick Ralf Steinmetz

BibTeX

  2009  Proceedings of IFIP Wireless Days 2009 Conference

Quality of Experience of Voice Communication in Large-Scale Mobile Ad Hoc Network

Christian Gottron André König Matthias Hollick Sonja Bergsträßer Tomas Hildebrandt Ralf Steinmetz

BibTeX

  2009 Other

ContextFramework.KOM - Eine offene Middleware zur Integration heterogener Sensoren in eine Kontext-sensitive Kommunikationsplattform (Extended Abstract)

J. Schmitt M. Kropff Alexander Reinhard Matthias Hollick

BibTeX

  2009  Proceedings of the Sixth International ICST Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness (ICST QSHINE 2009), Las Palmas de Gran Canaria, Spain Conference

Throughput and Energy Efficiency in IEEE 802.11 WLANs: Friends or Foes?

P. Serrano A. Banchs L. Vollero Matthias Hollick

BibTeX

  2009  Proceedings of the Sixth Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (IEEE SECON 2009), Rome, Italy Conference

Stream-oriented Lossless Packet Compression in Wireless Sensor Networks

Andreas Reinhardt Matthias Hollick Ralf Steinmetz

BibTeX

  2009  WiMAX Evolution: Emerging Technologies and Applications Other

WiMAX Mesh Architectures and Network Coding

Parag S. Mogre Matthias Hollick C. Schwingenschlögl A. Ziller R. Steinmetz

BibTeX

  2009  Procedings of the IEEE International Conference on Communications (IEEE ICC 2009), Dresden, Germany Conference

A Stochastic Analysis of Secure Joint Decision Processes in Peer-to-Peer Systems

A. König Matthias Hollick R. Steinmetz

BibTeX

  2009  Proceedings of the 34th IEEE Conference on Local Computer Networks (IEEE LCN 2009), Zurich, Switzerland Conference

Incorporating Spatial Reuse into Algorithms for Bandwidth Management and Scheduling in IEEE 802.16j Relay Networks

Parag S. Mogre Matthias Hollick S. Dimitrov R. Steinmetz

BibTeX

  2009  Proceedings of the 9th Würzburg Workshop on IP: Joint ITG and Euro-NF Workshop Visions of Future Generation Networks (EuroView2009), Würzburg, Germany Conference

An Evaluation of Cooperative Decisions in Peer-to-Peer Systems - Mathematics vs. Testbed Studies (Abstract)

A. König Matthias Hollick R. Steinmetz

BibTeX

  2009  Proceedings of the 34th IEEE Conference on Local Computer Networks (IEEE LCN 2009), Zurich, Switzerland Conference

Distributed Bandwidth Reservation Strategies to Support Efficient Bandwidth Utilization and QoS on a Per-Link Basis in IEEE 802.16 Mesh Networks

Parag S. Mogre Matthias Hollick R. Steinmetz V. Dadia S. Sengupta

BibTeX

  2008  Procedings of 4th IEEE International Workshop on Wireless and Sensor Networks Security (IEEE WSNS 2008), Atlanta, USA Conference

Harnessing Delay Tolerance to Increase Delivery Ratios in Mobile Ad Hoc Networks with Misbehaving Nodes

André König Christian Gottron Matthias Hollick Ralf Steinmetz

BibTeX

  2008 Other

An Approach towards Adaptive Payload Compression in Wireless Sensor Networks (Extended Abstract)

Andreas Reinhardt Matthias Hollick Ralf Steinmetz

BibTeX

  2008  Proceedings of 5th Annual International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services (MobiQuitous 2008), Dublin, Ireland Conference

Exploiting Schelling Behavior for Improving Data Accessibility in Mobile Peer-to-Peer Networks

L. Vu K. Nahrstedt Matthias Hollick

BibTeX

  2008  Proceedings of the 1st IEEE International Workshop on Wireless Network Coding (IEEE WiNC 2008) co-located with IEEE SECON 2008, San Francisco, USA Conference

A Note on Practical Deployment editions for Network Coding in the IEEE 802.16 MeSH Mode

Parag S. Mogre Matthias Hollick M. Kropff R. Steinmetz C. Schwingenschlögl

BibTeX

  2008  Security and Communication Networks (SCN) Article

GeoSec - Quarantine Zones for Mobile Ad hoc Networks

A. König Matthias Hollick T. Krop R. Steinmetz

BibTeX

  2007  Proceedings of the 2nd ACM International Workshop on Wireless Network Testbeds, Experimental Evaluation and Characterization (WiNTECH 2007) co-located with ACM MobiCom 2007, Montreal, Canada Conference

JiST/MobNet: Combined Simulation, Emulation, and Real-world Testbed for Ad hoc Networks

T. Krop M. Bredel Matthias Hollick Ralf Steinmetz

BibTeX

  2007  Praxis der Informationsverarbeitung und Kommunikation (PIK), Special edition on Internet-Telefonie and Voice over IP Article

Dynamische Authentifizierung für Provider-übergreifende VoIP-Kommunikation

J. Schmitt T. Hecker Matthias Hollick Ralf Steinmetz

BibTeX

  2007  Proceedings of the 17th International Workshop on Network and Operating Systems Support for Digital Audio & Video (NOSSDAV 2007), Urbana-Champaign, IL, USA Conference

QoS in Wireless Mesh Networks: Challenges, Pitfalls and Roadmap to its Realization (Keynote Paper)

Parag S. Mogre Matthias Hollick R. Steinmetz

BibTeX

  2007  Proceedings of the 15th IEEE International Workshop on Quality of Service (IWQoS 2007), Evanston, IL, USA Conference

Slow and Steady: Modelling and Performance Analysis of the Network Entry Process in IEEE 802.16

Matthias Hollick Parag S. Mogre C. Schott Ralf Steinmetz

BibTeX

  2007  Proceedings of the 32nd IEEE Conference on Local Computer Networks (IEEE LCN 2007), Dublin, Ireland Conference

AntSec, WatchAnt and AntRep:Innovative Security Mechanisms for Wireless Mesh Networks

Parag S. Mogre K. Graffi Matthias Hollick R. Steinmetz

BibTeX

  2007  Praxis der Informationsverarbeitung und Kommunikation (PIK), Special edition on Current Trends in Network and Service Management Article

Der Assistent in Hintergrund: Adaptives Kommunikationsmanagement durch Lernen vom Nutzer

J. Schmitt Matthias Hollick R. Steinmetz

BibTeX

  2007  Long-Term and Dynamical Aspects of Information Security: Emerging Trends in Information and Communication Security Conference

Geographically Secure Routing for Mobile Ad Hoc Networks: A Cross-Layer Based Approach

André König Matthias Hollick R. Ackermann R. Steinmetz

BibTeX

  2007  Proceedings of IEEE MASS 2007, Pisa, Italy Conference

A Case for Joint Routing and Scheduling and Network Coding in TDMA-based Wireless Mesh Networks: A Cross-layer Approach (Extended Abstract and Poster)

Parag S. Mogre N. D'Heureuse Matthias Hollick R. Steinmetz

BibTeX

  2006  Proceedings of Seventh ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc 2006), Montreal, Canada Conference

Crossing the Chasm with Ad hoc Networks - The Provider-mediated Communication Paradigm (Extended Abstract and Post)

T. Krop J. Widmer Matthias Hollick C. Prehofer Ralf Steinmetz

BibTeX

  2006  Computer Communications Article

QoS Routing Open Agenda

X. Masip-Bruin M. Yannuzzi J. Domingo-Pascual A. Fonte M. Curado E. Monteiro F. Kuipers P. van Mieghem S. Avallone G. Ventre P. Aranda-Gutierrez Matthias Hollick R. Steinmetz L. Iannone K. Salamatian

BibTeX

  2006  Proceedings of 2. Essener Workshop zu Neuen Herausforderungen in der Netzsicherheit (EWNS 2006), Essen, Germany Conference

Sicherheit und Verfügbarkeit in mobilen Ad hoc Netzen - Ein geographischer, schichtenübergreifender Ansatz (Abstract)

A. König Matthias Hollick J. Schmitt R. Steinmetz

BibTeX

  2005  Proceedings of Kommunikation in Verteilten Systemen (KiVS 2005), Workshop Peer-to-Peer-Systeme und -Anwendungen, Kaiserslautern, Germany Conference

Establishing P2P-Overlays for Ad Hoc Networks Using Provider Subscription

T. Krop M. Kappes Matthias Hollick

BibTeX

  2005  Proceedings of ACM MobiCom 2005, Köln, Germany Conference

Modeling Static and Dynamic Behavior of Routes in Mobile Ad hoc Networks (Extended Abstract and Poster)

T. Krop Matthias Hollick F. Krist Parag S. Mogre R. Steinmetz

BibTeX

  2005  Proceedings of 30th Annual IEEE Conference on Local Computer Networks (LCN2005), Sydney, Australia Conference

M2DR: A Near-optimal Multiclass Minimum-delay Routing Algorithm for Smart Radio Access Networks

Matthias Hollick Parag S. Mogre T. Krop H.-P. Huth J. Schmitt Ralf Steinmetz

BibTeX

  2004  Proceedings of the 30th EUROMICRO Conference (EUROMICRO 2004), Rennes, France Conference

A Survey on Dependable Routing in Sensor Networks, Ad hoc Networks, and Cellular Networks

Matthias Hollick Ivan Martinovic T. Krop I. Rimac

BibTeX

  2004  Proceedings of Second International Conference on Wired/Wireless Internet Communications (WWIC 2004), Frankfurt (Oder), Germany Conference

The Ad Hoc On-Demand Distance Vector Protocol: An Analytical Model of the Route Acquisition Process

Matthias Hollick J. Schmitt C. Seipl Ralf Steinmetz

BibTeX

  2003 Other

Modeling Mobility for Cellular Networks Based on Statistical Data Collection

Matthias Hollick T. Krop J. Schmitt

BibTeX

  2002 Other

The Ad Hoc On-Demand Distance Vector Protocol: An Analytical Model of the Route Acquisition Process

Matthias Hollick J. Schmitt

BibTeX

  2002  Enterprise Security Conference

Security for Ad-Hoc Service Information - Threat Analysis of the Service Location Protocol

Matthias Hollick Ralf Steinmetz

BibTeX

  2001  Proceedings of Third International Conference on Information, Communications & Signal Processing (ICICS 2001), Singapore Conference

Security Issues in Group Integrity Management for Multimedia Multicasting

Andreas Meissner Lars Wolf Matthias Hollick Ralf Steinmetz

BibTeX

  2001  Proceedings of International Conference on Software, Telecommunications and Computer Networks (SoftCOM 2001), Split, Croatia Conference

Security Goals for Service Discovery in Ad-hoc Environments

Matthias Hollick Ralf Steinmetz

BibTeX

  2001  Innovative Anwendungen in Kommunikationsnetzen, Proceedings der 15. DFN-Arbeitstagung über Kommunikationsnetze, Düsseldorf, Germany Conference

Sicherheitsaspekte bei der Einsatzplanung von Microsoft Windows 2000

Matthias Hollick W. Rosenow T. Bormuth Ralf Steinmetz

BibTeX

  2001  Third International Workshop on Networked Group Communication Conference

A Security Model for Multicast Group Integrity Management

Matthias Hollick Andreas Meissner L. Wolf Ralf Steinmetz

BibTeX

  1999 Other

Schwerpunktentwicklungen der Computertechnik und Telekommunikation, Benutzungsmodelle und Werkzeuge: Zukünftige Entwicklung von Kommunikationstechnologie und Multimedia

Ralf Steinmetz Matthias Hollick

BibTeX