Jakob Link, M.Sc.

Wi-Fi sensing applications have achieved remarkable results over the last decade, offering accurate device-free localization and gesture recognition capabilities. Indeed, Wi-Fi sensing has quickly become a critical field of research for future communication systems under the paradigm known as joint communication and sensing. However, device-free wireless sensing can also be exploited for malign purposes against unaware victims, and the omnipresence of Wi-Fi transceivers poses a significant threat to people’s privacy. Therefore, it is essential to develop functional solutions that can effectively thwart wireless sensing. All the current attempts to hinder illegitimate wireless sensing rely on specialized hardware deployed in the environment, but their cost and complexity can undermine widespread deployment. In this paper, we explore the possibility of using native capabilities of Wi-Fi systems, namely beamforming, to thwart wireless sensing. To this end, we propose for the first time a solution that enables complete control over the beamforming in commercial Wi-Fi devices. On top of that, we build BeamDancer, which randomizes beamforming vectors to inhibit channel fingerprinting. We empirically demonstrate the effectiveness of the proposed solution against three different wireless sensing techniques, both data-driven and model-based, while preserving almost entirely the legitimate Wi-Fi traffic at the same time.

The D11 is Broadcom's proprietary IEEE 802.11 MAC implementation and an essential part of their WiFi chips. It is a microcontroller that orchestrates the Physical Layer and Radio Front-end implementation and is programmable through a custom microcode. We provide a new emulation framework for the D11 microcode and a corresponding firmware patch for the WiFi chip that enables essential debugging methods, including microcode breakpoints and D11 state extraction. This toolset allows researchers to analyze the D11 microcode in a controlled environment dynamically. To facilitate research on the D11, we provide an overview of state-of-the-art knowledge of the chip and publish all presented tools to the open-source community. We encourage everyone interested to enter the game, roll the D11, and provide new insights on Broadcom's MAC implementation.

We present a novel multi-hop data dissemination protocol for wireless networks that minimizes the total energy consumption across an entire network by minimizing the transmission power at each hop. It is based on a game-theoretic model, constructs a spanning tree topology in a decentralized manner, and is usable in practice. We evaluate the protocol via simulation and a pratical implementation on a testbed of 75 Raspberry Pis, demonstrating that a total energy reduction of up to 90% can be achieved compared to a simple broadcast protocol.

Several areas of wireless networking, such as wireless sensor networks or the Internet of Things, require application data to be distributed to multiple receivers in an area beyond the transmission range of a single node. This can be achieved by using the wireless medium’s broadcast property when retransmitting data. Due to the energy constraints of typical wireless devices, a broadcasting scheme that consumes as little energy as possible is highly desirable. In this article, we present a novel multi-hop data dissemination protocol called BTP. It uses a game-theoretical model to construct a spanning tree in a decentralized manner to minimize the total energy consumption of a network by minimizing the transmission power of each node. Although BTP is based on a game-theoretical model, it neither requires information exchange between distant nodes nor time synchronization during its operation, and it inhibits graph cycles effectively. The protocol is evaluated in Matlab and NS-3 simulations and through real-world implementation on a testbed of 75 Raspberry Pis. The evaluation conducted shows that our proposed protocol can achieve a total energy reduction of up to 90% compared to a simple broadcast protocol in real-world experiments.

Context-based copresence detection schemes are a necessary prerequisite to building secure and usable authentication systems in the Internet of Things (IoT). Such schemes allow one device to verify proximity of another device without user assistance utilizing their physical context (e.g., audio). The state-of-the-art copresence detection schemes suffer from two major limitations: (1) they cannot accurately detect copresence in low-entropy context (e.g., empty room with few events occurring) and insufficiently separated environments (e.g., adjacent rooms), (2) they require devices to have common sensors (e.g., microphones) to capture context, making them impractical on devices with heterogeneous sensors. We address these limitations, proposing Next2You, a novel copresence detection scheme utilizing channel state information (CSI). In particular, we leverage magnitude and phase values from a range of subcarriers specifying a Wi-Fi channel to capture a robust wireless context created when devices communicate. We implement Next2You on off-the-shelf smartphones relying only on ubiquitous Wi-Fi chipsets and evaluate it based on over 95 hours of CSI measurements that we collect in five real-world scenarios. Next2You achieves error rates below 4%, maintaining accurate copresence detection both in low-entropy context and insufficiently separated environments. We also demonstrate the capability of Next2You to work reliably in real-time and its robustness to various attacks.

Modern wireless transmission systems heavily benefit from knowing the channel response. The evaluation of Channel State Information (CSI) during the reception of a frame preamble is fundamental to properly equalizing the rest of the transmission at the receiver side. Reporting this state information back to the transmitter facilitates mechanisms such as beamforming and MIMO, thus boosting the network performance. While these features are an integral part of standards such as 802.11ac, accessing CSI data on commercial devices is either not possible, limited to outdated chipsets or very inflexible. This hinders the research and development of innovative CSI-dependent techniques including localization, object tracking, and interference evaluation. To help researchers and practitioners, we introduce the nexmon CSI Extractor Tool. It allows per-frame CSI extraction for up to four spatial streams using up to four receive chains on modern Broadcom and Cypress Wi-Fi chips with up to 80MHz bandwidth in both the 2.4 and 5GHz bands. The tool supports devices ranging from the low-cost Raspberry Pi platform, over mobile platforms such as Nexus smartphones to state-of-the-art Wi-Fi APs. We release all tools and Wi-Fi firmware patches as extensible open source project. It includes our user-friendly smartphone application to demonstrate the CSI extraction capabilities in form of a waterfall diagram.

Wi-Fi chips offer vast capabilities, which are not accessible through the manufacturers' official firmwares. Unleashing those capabilities can enable innovative applications on off-the-shelf devices. In this work, we demonstrate how to transmit raw IQ samples from a large buffer on Wi-Fi chips. We further show how to extract channel state information (CSI) on a per frame basis. As a proof-of-concept application, we build a covert channel on top of Wi-Fi to stealthily exchange information between two devices by prefiltering Wi-Fi frames prior to transmission. On the receiver side, the CSI is used to extract the embedded information. By means of experimentation, we show that regular Wi-Fi clients can still demodulate the underlying Wi-Fi frames. Our results show that covert channels on the physical layer are practical and run on off-the-shelf smartphones. By making available our raw signal transmitter, the CSI extractor, and the covert channel application to the research community, we ensure reproducibility and offer a platform for further innovative applications on Wi-Fi devices.