Dr.-Ing. Daniel Steinmetzer

Contact Information

Offered Theses Topics

No results match your search criteria.

  2018 Completed

Learning the Beams: Efficient Millimeter-Wave Beam-Steering Techniques

Supervisor: Daniel Steinmetzer

Motivation Beam-steering is the backbone of millimeter-wave (mm-wave) networks and key to achieve data-rates of multiple gigabit per second. Nodes must steer their antennas so that they maximize the signal gain towards the intended communication partner. The state-of-the-art to find the best antenna configuration is to probe all possible antenna configurations. This process caused high overhead, especially in case of mobility when parameters must be adjusted continuously. Goal In this thesis, you apply machine learning techniques to find the antenna parameters most suitable for probing and select the optimal configuration with low overhead. Implementation and evaluation in this thesis, should be performed by means of our mm-wave testbed platform with off-the-shelf IEEE 802.11ad devices. Experience with Linux, wireless network configuration, proper tools, and scripting languages is highly recommended.

  2018 Completed

Learning the Beams: Applying Evolution Algorithms for Optimized IEEE 802.11 ad Beamtraining

Supervisor: Daniel Steinmetzer

  2018 Completed

Practical Low-Layer Attacks on IEEE802.11ad by Modified WiFi Firmware

Supervisor: Daniel Steinmetzer

Motivation Millimeter-Wave (mm-wave) communication systems such as IEEE 802.11ad use directional beams that need to be trained prior to establishing a high-throughput connection. Such beam training protocols--the backbone of mm-wave communications--have a high impacts of the security of performance. Jamming or manipulating the frames associated with the beam steering might prevent a connection from being established or steer the beam for an adversary's benefit. We already obtained access to a WiFi chip of state-of-the-art routers at firmware level. Goal A bachelor or master thesis is this area might extend our current framework and integrate, for example, packet injection or jamming to launch and evaluate the aforementioned attacks. Students should not be afraid of analyzing binary data and assembly instructions. Experience with IDA Pro is recommended.

  2018 Completed

60 Ghz Channel Models: From Theory to Practice (and Back Again)

Supervisor: Daniel Steinmetzer

Motivation The channel characteristics of millimeter-wave communication systems at 60 GHz differ those in lower frequency bands and require a fundamental rethinking of network design. To investigate such aspects of network performance, we developed a raytracing based simulation framework to predict the signal quality in arbitrary environments. However, the internals in the simulation are based on theoretical considerations and models. So far, simulation results have not been compared to realistic measurements. Goal In this thesis, your task is to extend our simulation framework [1] in MATLAB and/or Python and compare results with realistic measurements performed with common IEEE 802.11ad router hardware. We expect that impairments due to cheap antenna and RF circuit design lead to divergences from simulation. Can you adapt the simulation to provide more realistic outcomes? [1] mmTrace: ray-tracing based millimeter-wave propagation simulation

  2018 Completed

Using Physical Unclonable Functions (PUFs) for Data-Link Layer Authenticity Verification to Mitigate Attacks on IEEE 802.11ad Beam Training

Supervisor: Daniel Steinmetzer

  2017 Completed

Investigating practical man-in-the-middle network attacks on IEEE 802.11 ad

Supervisor: Daniel Steinmetzer

  2016 Completed

Unified Multi-modal Secure Device Pairing for Infrastructure and Ad-hoc Networks Bachelor Thesis

Supervisor: Daniel Steinmetzer

Motivation Todays technologies heavily rely on wireless communications. Our mobile devices connect to infrastructure devices such as wireless routers, perform ad-hoc connections among each other and connect to peripheral devices such as smart watches, fitness tracker and headsets. However, since security is essential in most application scenarios, authentication is a big challenge. To join a wireless network pre-shared credentials are required. Pairing in proximity via bluetooth requires the same pin to be entered on both devices. This proceeding is inconvenient and differs for different kinds of devices. Although, user-friendly and secure pairing mechanisms utilizing multi-modal technologies are proposed, no unified solution exists, yet. Goal In this thesis you elaborate different kind of pairing mechanism and analyze their security regarding various attacks. You design a unified multi-modal pairing protocol and implement a prototype on Android. Your protocol combines pairing strategies over different communication technologies (e.g. WiFi, Bluetooth, NFC, sound, light) and selects a suitable subset matching the devices capabilities. Since some strategies are easier to intercept than others, your protocol attests the paring procedure for retrospective trust estimation in application context. With your proposal we show that a unified multi-modal paring is feasible for both infrastructure and ad-hoc networks with flexible security requirements.

  2016 Completed

Unified Multi-Modal Device Pairing in Infrastructure and Ad-hoc networks

Supervisor: Daniel Steinmetzer

Publications

No results match your search criteria.

  2019  Technische Universität Darmstadt PhD thesis

Performance and Security Enhancements in Practical Millimeter-Wave Communication Systems

Daniel Steinmetzer

PDF BibTeX

Abstract
Millimeter-wave (mm-wave) communication systems achieve extremely high data rates and provide interference-free transmissions. to overcome high attenuations, they employ directional antennas that focus their energy in the intended direction. Transmissions can be steered such that signals only propagate within a specific area-of-interest. Although these advantages are well-known, they are not yet available in practical networks. IEEE 802.11ad, the recent standard for communications in the unlicensed 60 GHz band, exploits a subset of the directional propagation effects only. Despite the large available spectrum, it does not outperform other developments in the prevalent sub-6 GHz bands. This underutilization of directional communications causes unnecessary performance limitations and leaves a false sense of security. For example, standard compliant beam training is very time consuming. It uses suboptimal beam patterns, and is unprotected against malicious behaviors. Furthermore, no suitable research platform exists to validate protocols in realistic environments. To address these challenges, we develop a holistic evaluation framework and enhance the performance and security in practical mm-wave communication systems. Besides signal propagation analyses and environment simulations, our framework enables practical testbed experiments with off-the-shelf devices. We provide full access to a tri-band router’s operating system, modify the beam training operation in the Wi-Fi firmware, and create arbitrary beam patterns with the integrated antenna array. This novel approach allows us to implement custom algorithms such as a compressive sector selection that reduces the beam training overhead by a factor of 2.3. By aligning the receive beam, our adaptive beam switching algorithm mitigates interference from lateral directions and achieves throughput gains of up to 60%. With adaptive beam optimization, we estimate the current channel conditions and generate directional beams that implicitly exploit potential reflections in the environment. These beams increase the received signal strength by about 4.4 dB. While intercepting a directional link is assumed to be challenging, our experimental studies show that reflections on small-scale objects are sufficient to enable eavesdropping from afar. Additionally, we practically demonstrate that injecting forged feedback in the beam training enables Man-in-the Middle attacks. With only 7.3% overhead, our authentication scheme protects against this beam stealing and enforces responses to be only accepted from legitimate devices. By making beam training more efficient, effective, and reliable, our contributions finally enable practical applications of highly directional transmissions.

  2018  12th International Workshop on Wireless Network Testbeds, Experimental Evaluation & Characterization (WiNTECH '18) Conference

TPy: A Lightweight Framework for Agile Distributed Network Experiments

Daniel Steinmetzer Milan Stute Matthias Hollick

PDF BibTeX DOI: 10.1145/3267204.3267214

Abstract
Experimental validation of novel network solutions, protocols, and applications gains increasing importance. The complexity of today's network systems makes evaluations in physical testbeds mandatory to capture real-world effects. However, this causes methodological and technical issues and challenges researchers in handling their agile testbed deployments. In contrast to Internet-scale testbeds, most agile experiments require specific topologies, specialized hardware, or a custom environment. They typically run only a few times and demand live user interaction. Existing management systems for Internet-scale testbeds do not accommodate these needs due to their complexity and maintenance overhead. In this paper, we present TPy, a lightweight and flexible framework to conduct distributed network experiments. TPy is written in Python and extendable via modules. To demonstrate its versatility and ease-of-use, we use TPy to perform experiments in the domains of millimeter-wave and secure multi-hop communications. We share TPy as open source software to support the community of experimental evaluation.

  2018  MobiCom 2018 - 24th ACM Annual International Conference on Mobile Computing and Networking Conference

Adaptive Codebook Optimization for Beam-Training on Off-The-Shelf IEEE 802.11ad Devices

Joan Palacios Daniel Steinmetzer Adrian Loch Matthias Hollick Joerg Widmer

PDF BibTeX DOI: 10.1145/3241539.3241576

Abstract
Beamforming is vital to overcome the high attenuation in wireless millimeter-wave networks. It enables nodes to steer their antennas in the direction of communication. To cope with complexity and overhead, the IEEE 802.11ad standard uses a sector codebook with distinct steering directions. In current off-the-shelf devices, we find codebooks with generic pre-defined beam patterns. While this approach is simple and robust, the antenna modules that are typically deployed in such devices are capable of generating much more precise antenna beams. In this paper, we adaptively adjust the sector codebook of IEEE 802.11ad devices to optimize the transmit beam patterns for the current channel. To achieve this, we propose a mechanism to extract full channel state information (CSI) regarding phase and magnitude from coarse signal strength readings on off-the-shelf IEEE 802.11ad devices. Since such devices do not expose the CSI directly, we generate a codebook with phase-shifted probing beams that enables us to obtain the CSI by combining strategically selected magnitude measurements. Using this CSI, transmitters dynamically compute a transmit beam pattern that maximizes the signal strength at the receiver. Thereby, we automatically exploit reflectors in the environment and improve the received signal quality. Our implementation of this mechanism on off-the-shelf devices demonstrates that adaptive codebook optimization achieves a significantly higher throughput of about a factor of two in typical real-world scenarios.

  2018  15th Annual IEEE International Conference on Sensing, Communication, and Networking (SECON 2018) Conference

Fast and Infuriating: Performance and Pitfalls of 60 GHz WLANs Based on Consumer-Grade Hardware

Swetank Kumar Saha Hany Assasa Adrian Loch Naveen Muralidhar Prakash Roshan Shyamsunder Shivang Aggarwal Daniel Steinmetzer Dimitrios Koutsonikolas Joerg Widmer Matthias Hollick

PDF BibTeX DOI: 10.1109/SAHCN.2018.8397123

Abstract
Wireless networks operating in the 60 GHz band have the potential to provide very high throughput but face a number of challenges (e.g., high attenuation, beam training, and coping with mobility) which are widely accepted but often not well understood in practice. Understanding these challenges, and especially their actual impact on consumer-grade hardware is fundamental to fully exploit the high physical layer rates in the 60 GHz band. To this end, we perform an extensive measurement campaign using two commercial off-the-shelf 60 GHz routers in practical real-world environments. Our study is centered around two fundamental adaptation mechanisms in 60 GHz networks-beam training and rate control- whose interactions are key for performance. Understanding these interactions allows us to revisit a range of issues and provide much deeper insights into the reasons for specific performance compared to prior work on performance characterization. Further, our study goes beyond basic link characterization and explores for the first time practical considerations such as coverage and access point deployment. While some of our observations are expected, we also obtain highly surprising insights that challenge the prevailing wisdom in the community.

  2018  11th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

Beam-Stealing: Intercepting the Sector Sweep to Launch Man-in-the-Middle Attacks on Wireless IEEE 802.11ad Networks

Daniel Steinmetzer Yimin Yuan Matthias Hollick

PDF BibTeX DOI: 10.1145/3212480.3212499

Abstract
Millimeter-wave (mm-wave) communication systems provide high data-rates and enable emerging application scenarios, such as 'information showers' for location-based services. Devices are equipped with antenna arrays using dozens of elements to achieve high directionality and thus creating a signal beam that focuses only on a specific area-of-interest. This new communication paradigm of steerable links requires a rethinking of wireless networks and calls for efficient protocols to train the beam alignment among network nodes. The IEEE 802.1 lad standard defines the so-called sector sweep that sweeps through a predefined set of antenna-sectors to find the optimal antenna steerings. Such low-layer protocols lack proper security mechanisms and open unprecedented attack possibilities. Distant attackers might tamper with the beam-training and literally 'steal' the beam from other devices. In this work, we investigate the threat of such beam-stealing attacks that intercept the sector sweep. By injecting forged feedback, we force victims to steer their signals towards the attacker's location. We implement a proof-of-concept on commercial off-the-shelf devices and evaluate the impacts on eavesdropping and acting as a Man-in-the-Middle (MITM). Our practical experiments in typical indoor scenarios reveal that beam-stealing increases the eavesdropping performance by 38% and allow a MITM to relay packets with an average error of only 1%. With these results, we emphasize the threat of beam-training attacks on mm-wave networks and aim to raise the awareness of attack vectors that are emerging with new low-layer amendments in next-generation wireless networks.

  2018  IEEE International Conference on Computer Communications (INFOCOM) Conference

Indoor Localization Using Commercial Off-The-Shelf 60 GHz Access Points

Guillermo Bielsa Joan Palacios Adrian Loch Daniel Steinmetzer Paolo Cesari Joerg Widmer

BibTeX

Abstract
The very large bandwidth available in the 60 GHz band allows, in principle, to design highly accurate positioning systems. Integrating such systems with standard protocols (e.g., IEEE 802.11ad) is crucial for the deployment of location-based services, but it is also challenging and limits the design choices. Another key problem is that consumer-grade 60 GHz hardware only provides coarse channel state information, and has highly irregular beam shapes due to its cost-efficient design. In this paper, we explore the location accuracy that can be achieved using such hardware, without modifying the 802.11ad standard. We consider a typical 802.11ad indoor network with multiple access points (APs). Each AP collects the coarse signal-to-noise ratio of the directional beacons that clients transmit periodically. Given the irregular beam shapes, the challenge is to relate each beacon to a set of transmission angles that allows to triangulate a user. We design a location system based on particle filters along with linear programming and Fourier analysis. We implement and evaluate our algorithm on commercial off-the-shelf 802.11ad hardware in an office scenario with mobile human blockage. Despite the strong limitations of the hardware, our system operates in real-time and achieves sub-meter accuracy in 70% of the cases.

  2018  2018 ACM International Workshop on Wireless Network Testbeds, Experimental evaluation & Characterization (WiNTECH'18) Conference Postprint

TPy: A Lightweight Framework for Agile Distributed Network Experiments

Daniel Steinmetzer Milan Stute Matthias Hollick

PDF BibTeX DOI: 10.25534/tuprints-00013317

Abstract
Experimental validation of novel network solutions, protocols, and applications gains increasing importance. The complexity of today's network systems makes evaluations in physical testbeds mandatory to capture real-world effects. However, this causes methodological and technical issues and challenges researchers in handling their agile testbed deployments. In contrast to Internet-scale testbeds, most agile experiments require specific topologies, specialized hardware, or a custom environment. They typically run only a few times and demand live user interaction. Existing management systems for Internet-scale testbeds do not accommodate these needs due to their complexity and maintenance overhead. In this paper, we present TPy, a lightweight and flexible framework to conduct distributed network experiments. TPy is written in Python and extendable via modules. To demonstrate its versatility and ease-of-use, we use TPy to perform experiments in the domains of millimeter-wave and secure multi-hop communications. We share TPy as open source software to support the community of experimental evaluation.

  2017  CoNEXT ’17: The 13th International Conference on emerging Networking EXperiments and Technologies Conference

Compressive Millimeter-Wave Sector Selection in Off-the-Shelf IEEE 802.11ad Devices

Daniel Steinmetzer Daniel Wegemer Matthias Schulz Jörg Widmer Matthias Hollick

BibTeX DOI: 10.1145/3143361.3143384

Abstract
Achieving data-rates of multiple Gbps in 60 GHz mm-wave communication systems requires efficient beam-steering algorithms. To find the optimal steering direction on IEEE 802.11ad compatible devices, state-of-the-art approaches sweep through all predefined antenna sectors. Recently, much more efficient alternatives, such as compressive path tracking, have been proposed, which scale well even with arrays with thousands of antenna elements. However, such have not yet been integrated into consumer devices. In this work, we adapt compressive path tracking for sector selection in off-the-shelf IEEE 802.11ad devices. In contrast to existing solutions, our compressive sector selection tolerates the imperfections of low-cost hardware, tracks beam directions in 3D and does not rely on pseudo-random beams. We implement our protocol on a commodity router, the TP-Link Talon AD7200, by modifying the sector sweep algorithm in the IEEE 802.11ad chip's firmware. In particular, we modify the firmware to obtain the signal strength of received frames and to select custom sectors. Using this extension, we precisely measure the device's sector patterns. We then select the best sector based on the measured patterns and sweep only through a subset of probing sectors. Our results demonstrate, that our protocol outperforms the existing sector sweep, increases stability, and speeds up the sector selection by factor 2.3.

  2017  1st ACM Workshop on Millimeter Wave Networks and Sensing Systems (mmNets 2017) Conference

Mitigating Lateral Interference: Adaptive Beam Switching for Robust Millimeter-Wave Networks

Daniel Steinmetzer Adrian Loch Amanda García-García Jörg Widmer Matthias Hollick

BibTeX DOI: 10.1145/3130242.3130244

Abstract
Putting into practice 'pseudo-wire' links in wireless millimeter-wave (mm-wave) networks is challenging due to the significant side lobes of consumer-grade phased antenna arrays. Nodes should steer their beams such that they maximize the signal gain but also minimize interference from lateral directions via both their main lobe and their side lobes. Most importantly, interference can be caused by parallel operation of incompatible standards such as WiGig and IEEE 802.11ad and may change very fast. This timing requirement, prevents the use of existing beam switching solutions to mitigate interference. In this paper, we present an adaptive beam switching (ABS) mechanism that can deal with the above timescale issue in rapidly changing interference scenarios. Instead of performing a full beam sweep, the key idea is to only probe beampatterns at the receiver which are likely to avoid interference. In contrast to earlier work, our mechanism does not require any location information nor a detailed shape of the beampatterns. We exploit similarities among side lobes of beampatterns to estimate the performance of all beampatterns without sending extensive probes. To evaluate our mechanism in practice, we develop a customized research platform that allows us to control the beam-selection on low-cost IEEE 802.11ad routers. Experimental results with WiGig transceivers as interference source show that our adaptive beam switching mechanism achieves an average throughput gain of 60% and decreases the training time by 82.4% compared to the original IEEE 802.11ad behavior.

  2017  IEEE Communications Surveys & Tutorials Article

Survey and Systematization of Secure Device Pairing

Mikhail Fomichev Flor Álvarez Daniel Steinmetzer Paul Gardner-Stephen Matthias Hollick

BibTeX DOI: 10.1109/COMST.2017.2748278

Abstract
Secure Device Pairing (SDP) schemes have been developed to facilitate secure communications among smart devices, both personal mobile devices and Internet of Things (IoT) devices. Comparison and assessment of SDP schemes is troublesome, because each scheme makes different assumptions about out-of-band channels and adversary models, and are driven by their particular use-cases. A conceptual model that facilitates meaningful comparison among SDP schemes is missing. We provide such a model. In this article, we survey and analyze a wide range of SDP schemes that are described in the literature, including a number that have been adopted as standards. A system model and consistent terminology for SDP schemes are built on the foundation of this survey, which are then used to classify existing SDP schemes into a taxonomy that, for the first time, enables their meaningful comparison and analysis. The existing SDP schemes are analyzed using this model, revealing common systemic security weaknesses among the surveyed SDP schemes that should become priority areas for future SDP research, such as improving the integration of privacy requirements into the design of SDP schemes. Our results allow SDP scheme designers to create schemes that are more easily comparable with one another, and to assist the prevention of persisting the weaknesses common to the current generation of SDP schemes.

  2017  10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2017) Conference

Massive reactive smartphone-based jamming using arbitrary waveforms and adaptive power control

Matthias Schulz Francesco Gringoli Michael Koch Daniel Steinmetzer Matthias Hollick

PDF BibTeX DOI: 10.1145/3098243.3098253

Abstract
It is not commonly known that off-the-shelf smartphones can be converted into versatile jammers. To understand how those jammers work and how well they perform, we implemented a jamming firmware for the Nexus 5 smartphone. The firmware runs on the real-time processor of the Wi-Fi chip and allows to reactively jam Wi-Fi networks in the 2.4 and 5 GHz bands using arbitrary waveforms stored in IQ sample buffers. This allows us to generate a pilot-tone jammer on off-the-shelf hardware. Besides a simple reactive jammer, we implemented a new acknowledging jammer that selectively jams only targeted data streams of a node while keeping other data streams of the same node flowing. To lower the increased power consumption of this jammer, we implemented an adaptive power control algorithm. We evaluated our implementations in friendly jamming scenarios to oppress non-compliant Wi-Fi transmissions and to protect otherwise vulnerable devices in industrial setups. Our results show that we can selectively hinder Wi-Fi transmissions in the vicinity of our jamming smartphone leading to an increased throughput for other nodes or no blockage of non-targeted streams on a jammed node. Consuming less than 300 mW when operating the reactive jammer allows mobile operation for more than 29 hours. Our implementation demonstrates that jamming communications was never that simple and available for every smartphone owner, while still allowing surgical jamming precision and energy efficiency. Nevertheless, it involves the danger of abuse by malicious attackers that may take over hundreds of devices to massively jam Wi-Fi networks in wide areas.

  2016  ACM Conference on Security and Privacy in Wireless and Mobile Networks 2016 (ACM WiSec'16) Conference

Far Away and Yet Nearby - A Framework for Practical Distance Fraud on Proximity Services for Mobile Devices (Demo)

Tobias Schultes Markus Grau Daniel Steinmetzer Matthias Hollick

BibTeX

  2015  Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec) Conference

Lockpicking Physical Layer Key Exchange: Weak Adversary Models Invite the Thief

Daniel Steinmetzer Matthias Schulz Matthias Hollick

BibTeX DOI: 10.1145/2766498.2766514

Abstract
Physical layer security schemes for wireless communications are currently crossing the chasm from theory to practice. They promise information-theoretical security, for instance by guaranteeing the confidentiality of wireless transmissions. Examples include schemes utilizing artificial interference—that is ’jamming for good’—to enable secure physical layer key exchange or other security mechanisms. However, only little attention has been payed to adjusting the employed adversary models during this transition from theory to practice. Typical assumptions give the adversary antenna configurations and transceiver capabilities similar to all other nodes: single antenna eavesdroppers are the norm. We argue that these assumptions are perilous and ’invite the thief’. In this work, we evaluate the security of a representative practical physical layer security scheme, which employs artificial interference to secure physical layer key exchange. Departing from the standard single-antenna eavesdropper, we utilize a more realistic multi-antenna eavesdropper and propose a novel approach that detects artificial interferences. This facilitates a practical attack, effectively ’lockpicking’ the key exchange by exploiting the diversity of the jammed signals. Using simulation and real-world software-defined radio (SDR) experimentation, we quantify the impact of increasingly strong adversaries. We show that our approach reduces the secrecy capacity of the scheme by up to 97% compared to single-antenna eavesdroppers. Our results demonstrate the risk unrealistic adversary models pose in current practical physical layer security schemes.