Dr.-Ing. Jiska Classen

Wireless Security / Reverse Engineering / Postdoc

Contact Information

Pankratiusstr. 2
64289 Darmstadt
S2|20 215
jclassen@seemoo.tu-darmstadt.de
+49 6151 16-25471
Homepage

Biography

Jiska Classen is a wireless and mobile security researcher. The intersection of these topics means that she digs into iOS internals, reverse engineers wireless firmware, and analyzes proprietary protocols. Her practical work on public Bluetooth security analysis tooling uncovered remote code execution and cryptographic flaws in billions of mobile devices. She also likes to work on obscure and upcoming wireless technologies, for example, she recently uncovered vulnerabilities in Ultra-wideband distance measurement and reverse engineered Apple's AirTag communication protocol.

Starting in July 2023, she will have her own research group at Hasso Plattner Institute in Potsdam.

She has previously spoken at Black Hat USA, DEF CON, RECon, hardwear.io, Chaos Communication Congress, Chaos Communication Camp, Gulasch Programmier Nacht, MRMCDs, Easterhegg, Troopers, Pass the Salt, NotPinkCon, gave various lectures and trainings, and published at prestigious academic venues.

Offered Theses Topics

Type

Year

No results match your search criteria.

2022 In progress

Android Wireless Subsystem Security

Supervisor: Jiska Classen

Earliest start date: February 2023 Wireless interfaces are an attack surface for zero-click remote code execution vulnerabilities. Typically, an attacker would try to find a parsing issue within a wireless chip or in a low-level wireless stack component within the operating system, and then escalate further. Thus, it is of importance to research these interfaces. Android is available for many platforms with different hardware. Vendors add custom hardware adaption layers for compatibility with Android. However, these interfacing layers are vendor-specific and proprietary. Detailed knowledge about interfaces between components enables security research [1] and building tooling to customize wireless chips and stacks [2, 3]. Due to the proprietary nature of these interfaces, many of them remain undocumented. We have a couple of yet to be researched wireless interfaces, as well as researched interfaces that would profit from developing better tooling. We offer experience within the Google ecosystem as well as OEMs (Samsung, etc.), including reverse-engineering tips for firmware and user-space daemons. Additionally, due to supervising a lot of theses in this area, we have a collection of example thesis about how to reverse engineer and fuzz such interfaces. We also have rooted up-to-date Android smartphones. For your own safety and security, these are designated research devices and not meant for private usage. When researching a new interface, it is common to uncover new vulnerabilities, which you will report within Google's vulnerability reward program or the OEM's program, and you might be rewarded a bug bounty. We also encourage and financially support you presenting your results at a scientific or security conference. Please contact us for more details and choosing a task that suits a thesis. A B.Sc. thesis would usually advance tooling for something previously reverse engineered (see [1]), and a M.Sc. thesis is about reverse-engineering an interface and developing tools (see [2]). The precise topic will be tailored to your previous experience. It is recommended to have a reverse-engineering background, e.g., previous participation in CTFs. Depending on the topic, either a strong programming background is required (develop an open-source tool for an Android interface) or a good understanding of software/hardware security is mandatory (fuzzing a protocol, implementing a firmware attack, …). We are currently getting many requests for this topic area. Please only contact us if you plan to start your thesis by February 2023 or later, or if you have sufficient background knowledge to work on a topic on your own (e.g., are already familiar with Android hacking and don't need an introduction). [1] ARIstoteles: iOS Baseband Interface Protocol Analysis [2] InternalBlue - A Bluetooth Experimentation Framework Based on Mobile Device Reverse Engineering [3] Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements Through Wi-Fi Firmware Modifications.

2022 In progress

Bluetooth Security Analysis on Windows

Supervisor: Jiska Classen

Earliest start date: February 2023 In the past, we looked into multiple Bluetooth stacks: iOS [3], macOS [2], Linux, and Android. However, Windows is still a partially blind spot. What is there yet: A basic understanding of the Windows Bluetooth stack and existing debug tools to look into all packets. Reversing and documentation of the Windows Bluetooth stack. This is a great base to get started with Bluetooth security analysis and reverse engineering on Windows. There are multiple tasks that would be interesting, which ones you choose depend on your skill level and if you want to work on a BSc or a MSc thesis. Hook the Windows kernel with WinDBG to not only log packets but also inject and modify packets. Write a fuzzer for the Windows Bluetooth stack. Implement or simulate known attacks on Bluetooth stacks to analyze how they were patched. Integrate this knowledge about the Bluetooth stack into InternalBlue [1], a Bluetooth firmware experimentation framework. For further reference, see: [1] InternalBlue Project on GitHub, https://github.com/seemoo-lab/internalblue [2] B.Sc. Thesis about porting InternalBlue to macOS, https://github.com/seemoo-lab/internalblue/blob/master/doc/macos_bluetooth_stack_thesis_davide_toldo.pdf [3] M.Sc. Thesis about fuzzing Bluetooth on iOS, https://github.com/seemoo-lab/toothpicker/blob/master/assets/toothpicker_thesis.pdf

2021 In progress

Glitching Wireless Chips

Supervisor: Jiska Classen

Glitching is a method that allows bypassing security checks in firmware running on chips. Dropping voltage or inducing an electromagnetic field for a very short moment causes the chip to behave differently. For example, the chip might skip a check in the secure bootloader, allowing an attacker to run arbitrary firmware. This is of special interest for wireless security research. Instead of re-implementing protocols on software-defined radios, we can modify existing firmware to test very specific security assumptions in an otherwise unmodified environment. We have a lab with various equipment suitable for glitching, such as oscilloscopes, the ChipWhisperer and the ChipShouter. Thus, the thesis will require you to do at least some parts of the work onsite. However, we also have some ChipWhisperer Nanos etc., in case you want to do parts of the work from home. Required background knowledge is either electrical engineering or IT security. Can be done as both, either B.Sc. thesis or M.Sc. thesis, depending on the amount/complexity of chips.

2021 In progress

iPhone Baseband

Supervisor: Jiska Classen

2021 In progress

iOS CommCenter Protocol Analysis

Supervisor: Jiska Classen

2021 In progress

iOS CommCenter Fuzzing

Supervisor: Jiska Classen

2021 In progress

iOS Bluetooth Security

Supervisor: Jiska Classen

2021 Completed

Very Pwnable Network: Reverse Engineering and Vulnerability Analysis of AnyConnect for Linux

Supervisor: Jiska Classen

2021 In progress

Responsible Disclosure im IoT-Sektor

Supervisor: Jiska Classen

2021 In progress

Practical Analysis of Friendly Jamming to Augment the Security of Industrial Remote Control Systems

Supervisor: Jiska Classen

2021 In progress

Improving State Coverage in Bluetooth Fuzzing

Supervisor: Jiska Classen

2021 Completed

Attacks on Wireless Coexistence

Supervisor: Jiska Classen

2021 In progress

AnyConnect and VPN Security on iOS

Supervisor: Jiska Classen

2021 Completed

A Full-Band Bluetooth Sniffer for a Software-Defined Radio

Supervisor: Bastian Bloessl Jiska Classen

2020 Completed

Keylogging Side-Channel Attacks on Bluetooth Timestamps: A Timing Analysis of Keystrokes on Apple Magic Keyboards

Supervisor: Matthias Gazzari Jiska Classen

In the past several timing attacks have been applied to recover sensitive input on keyboards. If these kind of attacks could be migrated to the wireless communication of keyboards, this would make the use of wireless keyboards less secure. In this thesis we apply a timing attack on the Bluetooth communication of the Apple Magic Keyboard by recording the time between consecutive Bluetooth packets and recover the typing with a Hidden Markov Model (HMM). With this attack we are able to shrink the search space of random passwords by a factor of 5 to 10, which considerably speeds up exhaustive search.

2020 Completed

VPN in a Mobile Environment: Security, Privacy, and Usability

Supervisor: Jiska Classen

2020 Completed

ToothPicker: Enabling Over-the-Air and In-Process Fuzzing Within Apple's Bluetooth Ecosystem

Supervisor: Jiska Classen

2020 Completed

Remote Code Patching Framework for a TETRA Base Station

Supervisor: Jiska Classen

2020 Completed

Practical Security Analysis of IoT Ecosystems

Supervisor: Jiska Classen

2020 Completed

Practical Bluetooth RNG Analysis

Supervisor: Jiska Classen

2020 Completed

Polypyus: Firmware History Based Binary Diffing

Supervisor: Jiska Classen

2020 Completed

Fuzzing a TETRA Base Station via Binary Patching

Supervisor: Jiska Classen

2020 Completed

Bluetooth Low Energy Sniffing

Supervisor: Bastian Bloessl Jiska Classen

2020 Completed

Applicability of IoT Security Frameworks as Guidelines for Penetration Testing

Supervisor: Jiska Classen Max Maass

2020 Completed

Analyzing the macOS Bluetooth Stack

Supervisor: Jiska Classen

2019 In progress

Communicating Privacy and Security issues

Supervisor: Jiska Classen

2019 In progress

TETRA Base Station Binary Patching

Supervisor: Jiska Classen

2019 Completed

Intercom Security

Supervisor: Lars Almon Jiska Classen

Intercom security analysis.

2019 In progress

Bluetooth Entropy

Supervisor: Jiska Classen

2019 In progress

Bluetooth Controller Emulation and Fuzzing

Supervisor: Jiska Classen

2019 Completed

Secure Device Pairing Using Short-Range Acoustic Communication

Supervisor: Flor Maria Alvarez Zurita Jiska Classen

2019 Completed

PowerPC Binary Patching and dissecting of TETRA Base Station

Supervisor: Jiska Classen

2019 Completed

Fuzzing the Linux Bluetooth Stack

Supervisor: Jiska Classen

2019 Completed

Dynamic Bluetooth Firmware Analysis

Supervisor: Jiska Classen

2019 Completed

Analyzing Firmware and Cloud Security of a Premium IoT Ecosystem

Supervisor: Fabian Ullrich Jiska Classen

2019 Completed

A researcher’s guide to the Fitbit Ionic smartwatch

Supervisor: Jiska Classen Daniel Wegemer

2019 Completed

A Study on Proprietary Communication Protocols Used in TETRA Hardware Components

Supervisor: Jiska Classen

2018 Completed

Sicherheit funkferngesteuerter Rangierlokomotiven

Supervisor: Jiska Classen

2018 Completed

Security Analysis and Firmware Modification of Fitbit Fitness Trackers

Supervisor: Jiska Classen

2018 Completed

InternalBlue - A Bluetooth Experimentation Framework Based on Mobile Device Reverse Engineering

Supervisor: Matthias Schulz Jiska Classen

2018 Completed

Angriffsanalyse einer TETRA-Basisstation

Supervisor: Jiska Classen

2018 Completed

Analysing and Evaluating Interface, Communication, and Web Security in Productive IoT Ecosystems

Supervisor: Jiska Classen Max Maass

2017 Completed

TETRA Security Analysis by Fuzzing

Supervisor: Jiska Classen

2017 Completed

Improving a Linux Device Driver for Visible Light Communication

Supervisor: Jiska Classen

2017 Completed

Implementierung des unteren MAC-Layers für die OpenVLC Hardware

Supervisor: Jiska Classen

2017 Completed

Implementation of a Physical Layer for Visible Light Communication using the OpenVLC platform

Supervisor: Jiska Classen

2017 Completed

Detecting WiFi Covert Channels

Supervisor: Jiska Classen

2017 Completed

Design and Evaluation of a Hybrid SDR Testbed For Visible Light Communication and Wi-Fi

Supervisor: Jiska Classen

2017 Completed

Absicherung von SCADA-Protokollen

Supervisor: Jiska Classen

2016 Completed

TETRA Fuzzing

Supervisor: Jiska Classen

2016 Completed

Location Privacy of Digital Trunked Radio

Supervisor: Jiska Classen Robin Klose

Publications

Type

Year

Show awards only

No results match your search criteria.

2022 Other

Ghost Peak: Practical Distance Reduction Attacks Against HRP UWB Ranging

Patrick Leu Giovanni Camurati Alexander Heinrich Marc Roeschlin Claudio Anliker Matthias Hollick Capkun Srdjan Jiska Classen

PDF BibTeX DOI: 10.48550/arXiv.2111.05313

2022 43rd IEEE Symposium on Security and Privacy Conference

Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation

Jiska Classen Francesco Gringoli Michael Hermann Matthias Hollick

BibTeX

2021 IEEE Conference on Communications and Network Security Conference

Very Pwnable Network: Cisco AnyConnect Security Analysis

Gerbert Roitburd Matthias Ortmann Matthias Hollick Jiska Classen

BibTeX DOI: 10.1109/CNS53000.2021.9705023

Abstract

Corporate Virtual Private Networks (VPNs) enable users to work from home or while traveling. At the same time, VPNs are tied to a company’s network infrastructure, forcing users to install proprietary clients for network compatibility reasons. VPN clients run with high privileges to encrypt and reroute network traffic. Thus, bugs in VPN clients pose a substantial risk to their users and in turn the corporate network. Cisco, the dominating vendor of enterprise network hardware, offers VPN connectivity with their AnyConnect client for desktop and mobile devices. While past security research primarily focused on the AnyConnect Windows client, we show that Linux and iOS are based on different architectures and have distinct security issues. Our reverse engineering as well as the follow-up design analysis and fuzzing reveal 13 new vulnerabilities. Seven of these are located in the Linux client. The root cause for privilege escalations on Linux is anchored so deep in the client’s architecture that it only got patched with a partial workaround. A similar analysis on iOS uncovers three AnyConnect-specific bugs as well as three general issues in iOS network extensions, which apply to all kinds of VPNs and are not restricted to AnyConnect.

2021 26th European Symposium on Research in Computer Security (ESORICS 2021) Conference

ARIstoteles - Dissecting Apple's Baseband Interface

Tobias Kröll Stephan Kleber Frank Kargl Matthias Hollick Jiska Classen

BibTeX DOI: 10.1007/978-3-030-88418-5_7

2021 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

Happy MitM: Fun and Toys in Every Bluetooth Device

Jiska Classen Matthias Hollick

BibTeX DOI: 10.1145/3448300.3467822

2021 28th Network and Distributed System Security Symposium (NDSS 2021) Conference

Polypyus - The Firmware Historian

Jan Friebertshäuser Florian Kosterhon Jiska Classen Matthias Hollick

PDF BibTeX DOI: 10.14722/bar.2021.23004

2021 28th Network and Distributed System Security Symposium (NDSS 2021) Conference

Dinosaur Resurrection: PowerPC Binary Patching for Base Station Analysis

Uwe Müller Eicke Hauck Timm Welz Jiska Classen Matthias Hollick

PDF BibTeX DOI: 10.14722/bar.2021.23009

2020 29th USENIX Security Symposium Conference

Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets

Jan Ruge Jiska Classen Francesco Gringoli Matthias Hollick

PDF BibTeX

2020 29th USENIX Security Symposium Conference

ToothPicker: Apple Picking in the iOS Bluetooth Stack

Dennis Heinze Jiska Classen Matthias Hollick

PDF BibTeX

2020 14th USENIX Workshop on Offensive Technologies (WOOT 2020) Conference

Firmware Insider: Bluetooth Randomness is Mostly Random

Jörn Tillmanns Jiska Classen Felix Rohrbach Matthias Hollick

PDF BibTeX

2020 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

Lost and Found: Stopping Bluetooth Finders from Leaking Private Information

Mira Weller Jiska Classen Fabian Ullrich Denis Waßmann Erik Tews

BibTeX DOI: 10.1145/3395351.3399422

2020 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

Attaching InternalBlue to the proprietary macOS IOBluetooth framework

Davide Toldo Jiska Classen Matthias Hollick

BibTeX DOI: 10.1145/3395351.3401697

Abstract

In this demo, we provide an overview of the macOS Bluetooth stack internals and gain access to undocumented low-level interfaces. We leverage this knowledge to add macOS support to the InternalBlue firmware modification and wireless experimentation framework.

2020 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

Acoustic Integrity Codes: Secure Device Pairing Using Short-Range Acoustic Communication

Florentin Putz Flor Álvarez Jiska Classen

PDF BibTeX DOI: 10.1145/3395351.3399420

Abstract

Secure Device Pairing (SDP) relies on an out-of-band channel to authenticate devices. This requires a common hardware interface, which limits the use of existing SDP systems. We propose to use short-range acoustic communication for the initial pairing. Audio hardware is commonly available on existing off-the-shelf devices and can be accessed from user space without requiring firmware or hardware modifications. We improve upon previous approaches by designing Acoustic Integrity Codes (AICs): a modulation scheme that provides message authentication on the acoustic physical layer. We analyze their security and demonstrate that we can defend against signal cancellation attacks by designing signals with low autocorrelation. Our system can detect overshadowing attacks using a ternary decision function with a threshold. In our evaluation of this SDP scheme’s security and robustness, we achieve a bit error ratio below 0.1% for a net bit rate of 100 bps with a signal-to-noise ratio (SNR) of 14 dB. Using our open-source proof-of-concept implementation on Android smartphones, we demonstrate pairing between different smartphone models.

2020 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

MagicPairing: Apple’s Take on Securing Bluetooth Peripherals

Dennis Heinze Jiska Classen Felix Rohrbach

PDF BibTeX DOI: 10.1145/3395351.3399343

2020 Embedded Wireless Systems and Networks (EWSN) Conference

Improving the Reliability of Bluetooth Low Energy Connections

Michael Spörk Jiska Classen Carlo Alberto Boano Matthias Hollick Kay Römer

PDF BibTeX

Abstract

o sustain a reliable data exchange, applications based on Bluetooth Low Energy (BLE) need to effectively blacklist channels and adapt the physical mode of an active connection at runtime. Although the BLE specification foresees the use of these two mechanisms, their implementation is left up to the radio vendors and has not been studied in detail yet. This paper fills this gap: we first investigate experimentally how to assess the quality of a BLE connection at runtime using information gathered from the radio. We then show how this information can be used to promptly blacklist poor channels and select a physical mode that sustains a high link-layer reliability while minimizing power consumption. We implement both mechanisms on two popular platforms and show experimentally that they allow to significantly improve the reliability of BLE connections, with a reduction in packet loss by up to 22 % compared to existing solutions.

2020 International Conference on Embedded Wireless Systems and Networks (EWSN 2020) Conference

Analyzing Bluetooth Low Energy Connections on Off-the-Shelf Devices

Jiska Classen Michael Spörk Carlo Alberto Boano Kay Römer Matthias Hollick

PDF BibTeX

2020 Technische Universität Darmstadt PhD thesis

Security and Privacy for IoT Ecosystems

Jiska Classen

PDF BibTeX DOI: 10.25534/tuprints-00011422

Abstract

Smart devices have become an integral part of our everyday life. In contrast to smartphones and laptops, Internet of Things (IoT) devices are typically managed by the vendor. They allow little or no user-driven customization. Users need to use and trust IoT devices as they are, including the ecosystems involved in the processing and sharing of personal data. Ensuring that an IoT device does not leak private data is imperative. This thesis analyzes security practices in popular IoT ecosystems across several price segments. Our results show a gap between real-world implementations and state-of-the-art security measures. The process of responsible disclosure with the vendors revealed further practical challenges. Do they want to support backward compatibility with the same app and infrastructure over multiple IoT device generations? To which extent can they trust their supply chains in rolling out keys? Mature vendors have a budget for security and are aware of its demands. Despite this goodwill, developers sometimes fail at securing the concrete implementations in those complex ecosystems. Our analysis of real-world products reveals the actual efforts made by vendors to secure their products. Our responsible disclosure processes and publications of design recommendations not only increase security in existing products but also help connected ecosystem manufacturers to develop secure products. Moreover, we enable users to take control of their connected devices with firmware binary patching. If a vendor decides to no longer offer cloud services, bootstrapping a vendor-independent ecosystem is the only way to revive bricked devices. Binary patching is not only useful in the IoT context but also opens up these devices as research platforms. We are the first to publish tools for Bluetooth firmware and lower-layer analysis and uncover a security issue in Broadcom chips affecting hundreds of millions of devices manufactured by Apple, Samsung, Google, and more. Although we informed Broadcom and customers of their technologies of the weaknesses identified, some of these devices no longer receive official updates. For these, our binary patching framework is capable of building vendor-independent patches and retrofit security. Connected device vendors depend on standards; they rarely implement lower-layer communication schemes from scratch. Standards enable communication between devices of different vendors, which is crucial in many IoT setups. Secure standards help making products secure by design and, thus, need to be analyzed as early as possible. One possibility to integrate security into a lower-layer standard is Physical-Layer Security (PLS). PLS establishes security on the Physical Layer (PHY) of wireless transmissions. With new wireless technologies emerging, physical properties change. We analyze how suitable PLS techniques are in the domain of mmWave and Visible Light Communication (VLC). Despite VLC being commonly believed to be very secure due to its limited range, we show that using VLC instead for PLS is less secure than using it with Radio Frequency (RF) communication. The work in this thesis is applied to mature products as well as upcoming standards. We consider security for the whole product life cycle to make connected devices and IoT ecosystems more secure in the long term.

2019 13th USENIX Workshop on Offensive Technologies (WOOT 19) Conference

Vacuums in the Cloud: Analyzing Security in a Hardened IoT Ecosystem

Fabian Ullrich Jiska Classen Johannes Eger Matthias Hollick

PDF BibTeX

2019 Other

Vacuum Cleaning Security—Pinky and the Brain Edition

Fabian Ullrich Jiska Classen

PDF BibTeX

2019 The 17th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys ’19) Conference

InternalBlue - Bluetooth Binary Patching and Experimentation Framework

Dennis Mantz Jiska Classen Matthias Schulz Matthias Hollick

BibTeX DOI: 10.1145/3307334.3326089

Abstract

Bluetooth is one of the most established technologies for short range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In par ticular, system aspects and close to hardware protocol layers are mostly uncovered. We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep in sights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework—outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform. InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware.

2019 REcon 2019 Conference

Reversing and Exploiting Broadcom Bluetooth

Dennis Mantz Jiska Classen

PDF BibTeX

2019 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec'19) Conference

Inside Job: Diagnosing Bluetooth Lower Layers Using Off-the-Shelf Devices

Jiska Classen Matthias Hollick

BibTeX DOI: 10.1145/3317549.3319727

Abstract

Bluetooth is among the dominant standards for wireless short-range communication with multi-billion Bluetooth devices shipped each year. Basic Bluetooth analysis inside consumer hardware such as smartphones can be accomplished observing the Host Controller Interface (HCI) between the operating system’s driver and the Bluetooth chip. However, the HCI does not provide insights to tasks running inside a Bluetooth chip or Link Layer (LL) packets exchanged over the air. As of today, consumer hardware internal behavior can only be observed with external, and often expensive tools, that need to be present during initial device pairing. In this paper, we leverage standard smartphones for on-device Bluetooth analysis and reverse engineer a diagnostic protocol that resides inside Broadcom chips. Diagnostic features include sniffing lower layers such as LL for Classic Bluetooth and Bluetooth Low Energy (BLE), transmission and reception statistics, test mode, and memory peek and poke.

2019 EWSN'19-International Conference on Embedded Wireless Systems and Networks Conference

Practical VLC to WiFi Handover Mechanisms

Richard Meister Jiska Classen Muhammad Saad Saud Marcos Katz Matthias Hollick

PDF BibTeX

Abstract

Visible light communication (VLC) is an emerging communication technology that perfectly integrates into crowded legacy radio frequency (RF) environments to increase bandwidth. Despite the fact that integrating these technologies would be beneficial for both of them, there is only little research on handover mechanisms, and most of it is simulation only. We design a software defined radio (SDR) based VLC+WiFi testbed in which both technologies can coexist, design handover mechanisms between VLC and WiFi, and evaluate them based on user-induced link blockage measurements in our testbed.

2018 Other

Dissecting Broadcom Bluetooth

Jiska Classen Dennis Mantz

PDF BibTeX

2018 Other

Pinky & Brain are taking over the world with vacuum cleaners

Jiska Classen

PDF BibTeX

2018 Other

Fitbit Firmware Hacking

Jiska Classen Daniel Wegemer

BibTeX

2018 PACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) Conference

Anatomy of a Vulnerable Fitness Tracking System: Dissecting the Fitbit Cloud, App, and Firmware

Jiska Classen Daniel Wegemer Paul Patras Tom Spink Matthias Hollick

BibTeX

2017 34th Chaos Communication Congress Conference

Doping your Fitbit

Jiska Classen Daniel Wegemer

PDF BibTeX DOI: 10.5446/34791

2017 IEEE WCNC Conference

Pseudo Lateration: Millimeter-Wave Localization Using a Single RF Chain

Joe Chen Daniel Steinmetzer Jiska Classen Edward Knightly Matthias Hollick

BibTeX

2016 6th Workshop on Security and Privacy in Smartphones and Mobile Devices Conference

Analyzing TETRA Location Privacy and Network Availability

Martin Pfeiffer Jan-Pascal Kwiotek Jiska Classen Robin Klose Matthias Hollick

PDF BibTeX DOI: 10.1145/2994459.2994463

Abstract

TETRA is a digital communication standard taking over from analog communication in various emergency services and governmental agencies in Europe since the late 1990s. TETRA has to meet stringent requirements for a dependable communication infrastructure as it is used in the public safety sector by professional users and first responders. In fact, TETRA is claimed to enhance resilience, security, and availability compared to former analog communication standards. In this paper, we demonstrate that TETRA's location privacy and dependability can easily be undermined and weakened. In particular, TETRA devices can be localized by means of antenna arrays and direction finding techniques on the physical layer. Further, we practically evaluate the impact of various jamming and fuzzing attacks on two commonly used devices. The digital standard even raises new attack vectors, since regular beaconing enables localization of idle devices, and forged frames can provably crash devices.

2016 3rd ACM Workshop on Visible Light Communication Systems Article

Opportunities and Pitfalls in Securing Visible Light Communication on the Physical Layer

Jiska Classen Daniel Steinmetzer Matthias Hollick

BibTeX

2016 Other

Software Defined Radio – Open Source Wireless Hacking

Jiska Classen

BibTeX

2016 IEEE Infocom 2016 Poster Presentation (Infocom'16 Posters) Conference

Exploring Millimeter-Wave Network Scenarios with Ray-tracing based Simulations in mmTrace

Daniel Steinmetzer Jiska Classen Matthias Hollick

BibTeX

2016 Millimeter-wave Networking Workshop (mmNet 2016) Article

mmTrace: Modeling Millimeter-wave Indoor Propagation with Image-based Ray-tracing

Daniel Steinmetzer Jiska Classen Matthias Hollick

BibTeX

2015 Other

Building and Breaking Wireless Security

Jiska Classen

BibTeX

2015 IEEE Conference on Communications and Network Security 2015 (CNS) Conference

Eavesdropping with Periscopes: Experimental Security Analysis of Highly Directional Millimeter Waves

Daniel Steinmetzer Joe Chen Jiska Classen Edward Knightly Matthias Hollick

BibTeX DOI: 10.1109/CNS.2015.7346844

2015 2nd ACM Workshop on Visible Light Communication Systems Conference

The Spy Next Door: Eavesdropping on High Throughput Visible Light Communications

Jiska Classen Joe Chen Daniel Steinmetzer Matthias Hollick Edward Knightly

BibTeX

2015 IEEE Conference on Communications and Network Security (CNS) Conference

Practical Covert Channels for WiFi Systems

Jiska Classen Matthias Schulz Matthias Hollick

BibTeX

2015 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE UbiSafe Symposium) Conference

A Distributed Reputation System for Certification Authority Trust Management

Jiska Classen Johannes Braun Florian Volk Matthias Hollick Johannes Buchmann Max Mühlhäuser

BibTeX

2014 Journal of Computer Security Article

CA Trust Management for the Web PKI

Johannes Braun Florian Volk Jiska Classen Johannes Buchmann Max Mühlhäuser

BibTeX DOI: 10.3233/JCS-140509