Acoustic Communication: Ubiquitous ad-hoc communication?
I offer challenging topics on all aspects of the acoustic physical layer, which allows smartphones to use their integrated audio hardware for aerial communication, similar to wireless radio communication. The main use case is short-range communication, e.g., for pairing. The advantage: we can implement custom physical layers without expensive SDRs.
Contact me if you have any research ideas on this topic. Experience with signal processing is recommended.
FIDO2 & WebAuthn: Usability, Security, Deployability
The FIDO2 standards for strong authentication on the Internet promise a world without passwords. All modern browsers support them, so you can log in to websites with dedicated hardware tokens (e.g., YubiKeys) or with platform authenticators (e.g., Windows Hello).
I offer topics on the usability, security, and deployability of FIDO2 and its implementations, on all layers of the technology stack. Contact me if you have any specific research ideas.
Limits on Inferring Handwritten Characters using Wearables
Analysis of Keystroke Dynamics Obfuscation Techniques
Evaluation of Acoustic Communication Schemes
Inferring Keystrokes from RGB-D Camera Streams
Investigating the Pitfalls of FIDO2 Usability in Practice
Handwriting Recognition using IMU and EMG Sensor Data
FIDO2 Platform Authenticators
Software Defined Wireless Networks
I work a lot with Software Defined Radio, in particular GNU Radio. Talk to me if you are interested in:
Implementing or testing a standard or proprietary technology.
Real-time signal processing (e.g., scheduling or benchmarking).
Hardware acceleration (SIMD, FPGA, or GPU).
Distributed signal processing.
If you are excited about one of these topics, we can come up with a Bachelor or Master thesis that matches your interest.
3D Positioning and Posture detection using iOS
Modern smartphones contain many sensors and frameworks that can capture the surrounding world. Capable mobile processors, machine learning, and frameworks allow us to capture the pose of a human with very little extra work.
We are looking for a student who wants to work with augmented reality and extend the posture detection system in iOS with a 3D positioning system. The software may combine multiple iPhones at different locations to enhance tracking. In the end, such a system allows one to quickly create the datasets necessary for WiFi sensing, create interactive games, and more.
A small introduction to the available frameworks was given at WWDC 2020. Starting at minute 13, the video shows what is already possible today.
Preserving Privacy against WiFi Sensing
Your WiFi router is constantly monitoring its surroundings. You can analyze the channel state information to detect the location and even the trajectory of people in their homes. There are many other applications, including detecting heartbeat and breathing rate, reading lips, etc. If you are interested in implementing one of these systems using real hardware and finding solutions to fight against it, send me an email. Note that these are rather challenging topics, as they require good knowledge of communication as well as signal processing.
WiFi Sensing countermeasures
Expected gain in knowledge
Wireless communication, Signal processing, Physical layer privacy
SDR-based Beam Exciter for Large-Scale Heavy Ion Accelerator
This thesis is in cooperation with the GSI Helmholtz Centre for Heavy Ion Research in Darmstadt. The GSI operates a unique large-scale accelerator for heavy ions. Researchers from around the world use this facility for experiments that help them make fascinating discoveries in basic research.
The goal of this thesis is to implement and evaluate an SDR-based exciter for the accelerator beam. Please contact me for further information.
Protecting Heartbeat and Respiration Information in WiFi Sensing Applications
Security Analysis of Neighbor Awareness Networking-capable Wi-Fi Firmware using Fuzzing
Protocol Design for Energy-Efficient Broadcast Tree Construction in Wireless Ad-Hoc Networks
iOS CommCenter Protocol Analysis
iOS CommCenter Fuzzing
iOS Bluetooth Security
Very Pwnable Network: Reverse Engineering and Vulnerability Analysis of AnyConnect for Linux
Responsible Disclosure in the IoT Sector
Practical Analysis of Friendly Jamming to Augment the Security of Industrial Remote Control Systems
Improving State Coverage in Bluetooth Fuzzing
Attacks on Wireless Coexistence
AnyConnect and VPN Security on iOS
A Full-Band Bluetooth Sniffer for a Software-Defined Radio
Speeding up and hardening zero-interaction pairing by utilizing off-the-shelf IoT actuators
Analyzing the Deployment of Device-Specific Android Security Features
Delay-Tolerant LoRaWAN with mobile Gateways and SatCom Backhaul
LoRa for Smart Street Lamps
Circumventing ECG Authentication with Deep Generative Models based on PPG Pulse Data
Low-Latency Flooding in IEEE 802.11g Networks through Concurrent Broadcasting with Wireless Synchronization using WARP Software-Defined Radios
Keylogging Side-Channel Attacks on Bluetooth Timestamps: A Timing Analysis of Keystrokes on Apple Magic Keyboards
The Latency–Throughput Tradeoff of GPP-based SDRs
GNU Radio Runtime Performance Evaluation
Analysis of Apple’s crowdsourced location tracking system
Prevalence Analysis of Dark Patterns in Newsletters
Implementation and Analysis of a Keystroke Dynamics Authentication System
Wi-Fi Sharing for All: Reverse Engineering and Breaking the Apple Wi-Fi Password Sharing Protocol
Modern devices provide more and more functionality, simplifying everyday tasks. Hidden from the user are complex, proprietary, and undocumented protocol stacks, most of them always listening in the background. In this thesis, we take a look at one of these features, Apple Wi-Fi Password Sharing, which enables users to share the Wi-Fi password with guests in their home. We publish documentation of the involved frameworks, describe the actual protocol, and search for vulnerabilities. Besides one implementation bug, we find multiple small flaws in the protocol and user interface, which we combine into two attacks: a denial-of-service attack that crashes the iOS Settings app, and a man-in-the-middle attack that lures the victim into an attacker-controlled Wi-Fi network.
Advanced Mitigation and Response Methods in the Context of Automotive Ethernet Security
Spectrum Monitoring with Smart Street Lamps
VPN in a Mobile Environment: Security, Privacy, and Usability
ToothPicker: Enabling Over-the-Air and In-Process Fuzzing Within Apple’s Bluetooth Ecosystem
Remote Code Patching Framework for a TETRA Base Station
Practical Security Analysis of IoT Ecosystems
Practical Bluetooth RNG Analysis
Polypyus: Firmware History Based Binary Diffing
Fuzzing a TETRA Base Station via Binary Patching
Bluetooth Low Energy Sniffing
Applicability of IoT Security Frameworks as Guidelines for Penetration Testing
Analyzing the macOS Bluetooth Stack
Analyzing Apple’s Private Wireless Communication Protocols with a Focus on Security and Privacy
Communicating Privacy and Security issues
Creating an indoor simulation tool with a realistic antenna model for IEEE 802.11ad 60 GHz devices
Detecting Extension Abuse in the Wild
Security Analysis of LoRaWAN: An Experimental Evaluation of Attacks
Security Evaluation of LoRaWAN Network Servers using Fuzzing
Low Power Wide Area Network (LPWAN) technologies like Long Range Wide Area Network (LoRaWAN) are used for creating low-maintenance sensor networks in many scenarios. The central part of a LoRaWAN is the Network Server (NS). While previous security research often focused on conceptual security issues in the protocol, this work evaluates fuzzing, i.e., security testing with semi-valid random messages, as a technique to find vulnerabilities in NSs. We investigate practical network deployments and the software in use. Then we derive an approach for a general fuzzing framework for NSs. We present our fuzzer implementation in detail and describe experiments we conducted with an example network server. The results show that this network server was susceptible to a denial-of-service attack. We therefore conclude that fuzzing is an appropriate tool for making LoRaWANs more secure by uncovering vulnerabilities in NSs.
nextoyou - a zero-interaction co-presence detection scheme based on Channel State Information
Bluetooth Mesh Network Security Analysis: An Experimental Evaluation of Attacks Using Btlejack
GNU Radio on Android
PrivacyMail – Analyzing the Email Tracking Ecosystem
TETRA Base Station Binary Patching
Intercom security analysis
Bluetooth Controller Emulation and Fuzzing
PrivacyGraph – A Holistic View of the Online Tracking Ecosystem
Applicability of Penetration Testing Guides for the Internet of Things
Smart Home Security
Practical Evaluation of LoRa in Multihop Networks
Implementation of a Linux User-space Neighbor Awareness Networking Protocol Stack
Analyzing Email Privacy
Advanced TSCH Scheduling Mechanisms for Wireless Sensor Networks
Practical Performance Analysis of Neighbor Awareness Networking
Inferring Keystrokes from Myo Armband Electromyographic and Inertial Measurement Unit Data
Security Analysis of IoT Ecosystems
Secure Device Pairing Using Short-Range Acoustic Communication
PowerPC Binary Patching and Dissection of a TETRA Base Station
Fuzzing the Linux Bluetooth Stack
Dynamic Bluetooth Firmware Analysis
Analyzing Firmware and Cloud Security of a Premium IoT Ecosystem
A researcher’s guide to the Fitbit Ionic smartwatch
A Study on Proprietary Communication Protocols Used in TETRA Hardware Components
Security Aspects of the Apple Wireless Direct Link Protocol
Separation of Channel Coefficients in Concurrent Wi-Fi Transmissions using Deep Neural Networks
Design of a Secure DIAMETER Edge Agent - study of the capabilities and performances of a DEA, with a PoC implementation
Combining WiFi, Bluetooth and BLE: Limitations and synergy effects of using Google Nearby Connections 2.0
Most smartphones today are equipped with several wireless interfaces, namely Wi-Fi, Bluetooth, Bluetooth Low Energy (BLE), ad-hoc Wi-Fi, and NFC. These interfaces have different strengths and weaknesses. Bluetooth is suited for low-bandwidth, short-range communication. BLE, on the other hand, is aimed at devices that have a limited power supply and need to transfer data in short intervals. Wi-Fi is well suited for high-bandwidth, low-latency communication with increased range. By combining these interfaces, we can enhance the performance of offline peer-to-peer connectivity. The number of devices using the Internet is growing at a rapid rate, creating traffic congestion, especially through multimedia services; we can offload and distribute this traffic using high-performance peer-to-peer connectivity. With the growing need for infrastructure-less networks in remote or disaster-stricken areas, better device-to-device communication could prove to be life-saving. Nearby Connections 2.0 is Google's new offline peer-to-peer, high-bandwidth, low-latency API. It uses a combination of Wi-Fi Direct, BLE, and Bluetooth to create reliable and fast connections. In this thesis, we evaluate Nearby Connections against all three interfaces it uses. We execute four experiments with different network parameters to analyze the limitations and benefits of using Nearby Connections. By varying these parameters, we maximize the performance of each interface and observe whether Nearby Connections adapts accordingly. Our evaluation results indicate that it does not: Nearby Connections does not adjust itself to get the best out of the underlying interfaces. We show the limitations of the Nearby Connections API. It performed better than both Bluetooth and BLE, but far below par compared to Wi-Fi Direct.
Desynchronization Attacks and Mitigations for the Apple Wireless Direct Link Protocol
Learning the Beams: Efficient Millimeter-Wave Beam-Steering Techniques
Beam-steering is the backbone of millimeter-wave (mm-wave) networks and key to achieving data rates of multiple gigabits per second. Nodes must steer their antennas so that they maximize the signal gain towards the intended communication partner. The state of the art for finding the best antenna configuration is to probe all possible configurations. This process causes high overhead, especially in the case of mobility, when parameters must be adjusted continuously.
In this thesis, you apply machine learning techniques to find the antenna parameters most suitable for probing and select the optimal configuration with low overhead.
Implementation and evaluation in this thesis should be performed by means of our mm-wave testbed platform with off-the-shelf IEEE 802.11ad devices. Experience with Linux, wireless network configuration, the relevant tools, and scripting languages is highly recommended.
Draining Mallory and Sybil: DoS-resistant Disruption-Tolerant Networks
Disruption-Tolerant Networks (DTNs) can be used as a means of communication in emergencies when communication infrastructure is unavailable. In DTNs, mobile user devices such as smartphones act as “data mules”: they store, carry, and forward messages. Unfortunately, the “storing” part is especially vulnerable to denial-of-service (DoS) attacks, since an attacker can flood the network with bogus information and thus replace or purge valid messages from a node’s buffer.
In this thesis, you will implement and evaluate a novel, DoS-resistant buffer management scheme in IBR-DTN [1], a DTN implementation written in C++ that also runs on standard Android smartphones.
[1] IBR-DTN. https://github.com/ibrdtn/ibrdtn
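As an added illustration of the buffer-flooding problem described above (a constructed example, not IBR-DTN code and not the scheme this thesis asks for): a drop-oldest FIFO buffer is compared with a per-source fair-share policy under an attacker that sends ten bogus bundles for every legitimate one. The source names, the buffer capacity and the arrival pattern are assumptions. The fair-share policy also assumes that a bundle's source identity cannot be forged (e.g., signed bundles); a Sybil attacker who mints a fresh identity per bundle defeats any per-source quota, so a scheme robust against both Mallory and Sybil needs more than this.

```python
"""Buffer-flooding DoS against a store-carry-forward (DTN) node.

Constructed example, not IBR-DTN code. A node with a 20-bundle buffer
receives bundles from four legitimate sources interleaved with a flood
from one attacker ("mallory"). A drop-oldest FIFO buffer is compared
with a per-source fair-share policy that never lets the source holding
the most buffer space evict anyone else.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Bundle:
    src: str   # originator id; assumed unforgeable (e.g. a signed bundle)
    seq: int


class FifoBuffer:
    """Naive policy: when full, evict the oldest bundle, whoever sent it."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.store = deque()

    def offer(self, bundle):
        if len(self.store) >= self.capacity:
            self.store.popleft()            # victim may be a legitimate bundle
        self.store.append(bundle)
        return True


class FairShareBuffer:
    """Per-source fair share: a full buffer is relieved at the expense of the
    source occupying the most slots. A bundle whose source already holds as
    many slots as that heaviest source is rejected instead of evicting others,
    so a single flooder can claim at most capacity / (number of sources)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.store = []                      # oldest first

    def _occupancy(self):
        counts = {}
        for b in self.store:                 # insertion order => deterministic ties
            counts[b.src] = counts.get(b.src, 0) + 1
        return counts

    def offer(self, bundle):
        if len(self.store) < self.capacity:
            self.store.append(bundle)
            return True
        counts = self._occupancy()
        heaviest = max(counts, key=counts.get)   # first maximum wins ties
        if counts.get(bundle.src, 0) >= counts[heaviest]:
            return False                     # source already at its fair share
        victim = next(b for b in self.store if b.src == heaviest)
        self.store.remove(victim)            # evict heaviest source's oldest bundle
        self.store.append(bundle)
        return True


LEGIT_SOURCES = ("alice", "bob", "carol", "dave")   # constructed


def attack_stream(n_legit=20, flood_ratio=10):
    """Constructed arrival order: every legitimate bundle is followed by
    flood_ratio attacker bundles."""
    seq = 0
    for i in range(n_legit):
        yield Bundle(LEGIT_SOURCES[i % len(LEGIT_SOURCES)], i)
        for _ in range(flood_ratio):
            yield Bundle("mallory", seq)
            seq += 1


def run_scenario(policy_cls, capacity=20):
    """Return (legitimate bundles surviving, attacker bundles surviving)."""
    buf = policy_cls(capacity)
    for bundle in attack_stream():
        buf.offer(bundle)
    legit = sum(1 for b in buf.store if b.src != "mallory")
    return legit, len(buf.store) - legit


if __name__ == "__main__":
    for policy in (FifoBuffer, FairShareBuffer):
        print(policy.__name__, run_scenario(policy))
```

With the constructed stream the FIFO buffer ends up holding 1 legitimate and 19 attacker bundles, the fair-share buffer 16 and 4: once the attacker is the heaviest occupant, each of its further bundles is rejected and each legitimate arrival reclaims one of its slots.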
Evaluation of MAC protocols for wireless sensor networks
Learning the Beams: Applying Evolutionary Algorithms for Optimized IEEE 802.11ad Beam Training
Wifi-based Key Encryption on Android Smartphones
CSMA/CD for Wi-Fi
Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is a technique used in wired networks like Ethernet (IEEE 802.3) to improve network performance by efficient medium access. When a collision is detected, the colliding nodes terminate their transmissions to keep the collision time as short as possible. This effectively improves the utilization of the transmission medium, since less time is spent in collisions and the time between transmission attempts is reduced.
In wireless networks, however, CSMA/CD is generally assumed to be impractical due to the physical characteristics of the wireless channel. In fact, the power of a signal degrades by orders of magnitude on its way from transmitter to receiver due to free-space path loss and propagation effects such as attenuation and reflections. Therefore, even if a transmitter were equipped with a separate receive antenna, its own transmission would typically drown out the weak signals from other transmitters, rendering the detection of those signals impossible. Nevertheless, recent research has demonstrated that self-interference cancellation techniques have become feasible, which allows for the design of full-duplex radios [1]. This might effectively be key to the design of CSMA/CD for IEEE 802.11-based networks, allowing for enhanced network performance under high-load conditions [2].
[1] Mayank Jain, Jung Il Choi, Taemin Kim, Dinesh Bharadia, Siddharth Seth, Kannan Srinivasan, Philip Levis, Sachin Katti, and Prasun Sinha. “Practical, Real-Time, Full Duplex Wireless”, 17th Annual International Conference on Mobile Computing and Networking (ACM MobiCom ’11), Las Vegas, Nevada, USA, 2011, pp. 301-312.
[2] Konstantinos Voulgaris, Athanasios Gkelias, Imran Ashraf, Mischa Dohler, and A. H. Aghvami. “Throughput Analysis of Wireless CSMA/CD for a Finite User Population”, IEEE Vehicular Technology Conference, Montreal, Quebec, Canada, 2006, pp. 1-5.
Literature review: Review different self-interference cancellation techniques and assess their suitability for 802.11-based networks. Also review literature relating to channel access techniques.
CSMA/CD design: Make a conceptual design of a fully-fledged CSMA/CD mechanism, which also takes practical limitations into account, such as settling times of gain controls. Your design may also employ correlation techniques to detect weak signals from far-away nodes.
Implementation: Implement your CSMA/CD design on a software-defined radio. Self-interference cancellation might require a combination of well-considered antenna placement on the device, analog cancellation in the RF band, and digital cancellation in the baseband. Your implementation may be based on GNU Radio and USRP, or on WARP.
Evaluation: Evaluate the performance of individual components of your implementation (e.g., the self-interference cancellation gain), as well as the overall performance of CSMA/CD nodes in a real network, as compared to conventional CSMA/CA.
Practical Low-Layer Attacks on IEEE802.11ad by Modified WiFi Firmware
Millimeter-wave (mm-wave) communication systems such as IEEE 802.11ad use directional beams that need to be trained before a high-throughput connection can be established. Such beam training protocols, the backbone of mm-wave communications, have a high impact on security and performance. Jamming or manipulating the frames associated with beam steering might prevent a connection from being established or steer the beam to an adversary’s benefit. We have already obtained firmware-level access to the WiFi chip of state-of-the-art routers.
A bachelor or master thesis in this area might extend our current framework and integrate, for example, packet injection or jamming to launch and evaluate the aforementioned attacks.
Students should not be afraid of analyzing binary data and assembly instructions. Experience with IDA Pro is recommended.
60 Ghz Channel Models: From Theory to Practice (and Back Again)
The channel characteristics of millimeter-wave communication systems at 60 GHz differ from those in lower frequency bands and require a fundamental rethinking of network design. To investigate such aspects of network performance, we developed a ray-tracing-based simulation framework to predict the signal quality in arbitrary environments. However, the internals of the simulation are based on theoretical considerations and models. So far, simulation results have not been compared to realistic measurements.
In this thesis, your task is to extend our simulation framework [1] in MATLAB and/or Python and compare the results with realistic measurements performed with common IEEE 802.11ad router hardware. We expect that impairments due to cheap antenna and RF circuit design lead to divergences from the simulation. Can you adapt the simulation to provide more realistic outcomes?
[1] mmTrace: ray-tracing based millimeter-wave propagation simulation
Hacking Bluetooth Firmware of WiFi Combo Chips in Mobile Devices
Processing and evaluation of the smarter field test on delay-tolerant networks in the event of a disaster
This thesis is about the processing and evaluation of the data generated by the Smartphone-based Communication Networks for Emergency Response (smarter) project. The smarter project is a research project that investigates the use of Delay-Tolerant Networks (DTNs) as a method of communication for the civil population during a disaster. During this thesis, the recorded data is transferred into a format readable by The Opportunistic Network Environment Simulator (The ONE), so that the field experiment can be repeated as often as required. This makes it possible to easily compare the data with that of other projects or to combine it with data generated by the simulator. The thesis also highlights some difficulties that may occur during the analysis and execution of field experiments.
Performance Comparison of Packet Schemes for Mutually Hidden Messages
Separation of Channel Coefficients with Deep Neural Networks
The separation of channel coefficients is a time-consuming operation. In this thesis project, we are going to explore the suitability of deep neural networks (DNNs) to speed up this specific PHY-related optimization task.
The goal of this project is to explore the suitability of DNNs to separate channel coefficients. The project main goals are:
Research the literature about uses of DNNs in other optimization problems
Explore suitable DNN configurations for the envisioned task
Evaluate the DNN’s performance in terms of accuracy and speed
Analyzing Vulnerability and Privacy Data from the PrivacyScore platform
Every day, new security vulnerabilities are discovered and reported, indicating weak security standards adopted by websites. The main aim of an attacker is to steal sensitive information by exploiting these vulnerabilities. The compromised information and data can be very costly and damaging for an organization. Hence, due to the ever-evolving tactics of attackers and the changing cyber threat landscape, it is very important for an organization to be aware of its security vulnerabilities.
Until now, most existing work aims to discover vulnerabilities in web applications and anticipate their exploitation. Different techniques are used in this regard, including machine learning, evaluating inter-module relationships, and the application of data analytics. All of these approaches have a common goal: to discover existing and new vulnerabilities and to predict future ones. Some solutions evaluate the application code by performing static or dynamic analysis to find vulnerabilities. However, a critical question arises in this whole scenario: what can we do after a vulnerability is discovered? How can we find similar vulnerabilities in the system and share this information with others for proactive resolution? In this regard, data analysis of security vulnerabilities can provide a wealth of information: it can enable efficient vulnerability assessment by analyzing existing vulnerability data.
Privacy als Wettbewerbsfaktor? Analyse der Reaktionen von Unternehmen auf Privacy-Score-Bewertungen
NEAT-TCP: Generation of TCP Congestion Control through Neuroevolution of Augmenting Topologies for Wireless Multi-Hop Networks
TCP performance in wireless multi-hop networks (WMNs) is hard to achieve due to losses on the wireless channel, interference, and limited resources at individual nodes. Recent research has proposed iTCP [1], a simple neural network (NN) structure with one input layer, two hidden layers, and one output layer that efficiently applies congestion control and results in significant performance improvements compared to conventional TCP variants.
Further, NeuroEvolution of Augmenting Topologies (NEAT) [2] is a method based on evolutionary algorithms that can outperform fixed-topology NNs in reinforcement learning tasks. We expect that NEAT may improve the performance of manually crafted NNs like iTCP even further.
The goal of this project is to assess the ability of NEAT to further improve the performance of an iTCP-based congestion control algorithm in the context of WMNs. The project main goals are:
Implement iTCP in a network simulation environment (ns-3)
Use NEAT to generate a modified NN structure for congestion control
Compare the performance of the modified congestion control to the initial iTCP-based version
[1] A. B. M. Alim Al Islam and Vijay Raghunathan, “iTCP: an intelligent TCP with neural network based end-to-end congestion control for ad-hoc multi-hop wireless mesh networks”, Wireless Networks, Volume 21, Issue 2, pp. 581–610, February 2015. doi: 10.1007/s11276-014-0799-6
[2] Kenneth O. Stanley and Risto Miikkulainen, “Evolving Neural Networks through Augmenting Topologies”, Evolutionary Computation 10:2, pp. 99-127, MIT Press, 2002. doi: 10.1162/106365602320169811
Implementing a WiFi Jammer on a Raspberry Pi
Experimental Evaluation on Inband Device-to-Device Communication in LTE
Practical Broadcast Tree Construction with Potential Game for Energy-Efficient Data Dissemination in Ad-Hoc Networks
This project addresses the problem of energy-efficient data dissemination from a source node to all other nodes in a wireless multi-hop network. Mahdi Mousavi et al. from the Communications Engineering Lab at TU Darmstadt have devised a decentralized algorithm towards this goal that is based on game theory [1]. While simulation results have shown that this mechanism significantly outperforms conventional flooding mechanisms, its practical applicability remains unexplored.
The goal of this thesis project is to design a practical protocol that runs the game-theoretic algorithm in [1] and to evaluate its performance in a network simulation environment. The project's main goals are:
Analyze the game-theoretic algorithm [1] for limiting assumptions
Devise a practical protocol for broadcast tree construction that is based on [1]
Implement this protocol in a simulation environment (ns-3)
Evaluate the energy efficiency of the constructed broadcast tree in comparison to conventional flooding techniques while taking the protocol overhead into account
[1] Mahdi Mousavi, Hussein Al-Shatri, Matthias Wichtlhuber, David Hausheer, and Anja Klein, “Energy-Efficient Data Dissemination in Ad Hoc Networks: Mechanism Design with Potential Game”, 2015 International Symposium on Wireless Communication Systems (ISWCS), Brussels, 2015, pp. 616-620. doi: 10.1109/ISWCS.2015.7454421
Using Physical Unclonable Functions (PUFs) for Data-Link Layer Authenticity Verification to Mitigate Attacks on IEEE 802.11ad Beam Training
Practical Defense Against Pollution Attacks in Network Coding-based Systems
Network Coding has many positive properties that make it especially suitable for wireless multi-hop networks. Network Coding can be used to increase the effective capacity of the network by coding together (in the simplest form, bit-wise XOR) packets of different flows and forwarding them in a single broadcast transmission to their intended receivers. It can also be used within a single flow to improve forward error correction (FEC) and thus increase transmission reliability. Unfortunately, systems based on Network Coding are easy targets for a number of attacks and are even easier to disrupt than protocols based on traditional forwarding: a single polluted coded packet corrupts every packet decoded from it.
In this thesis, you will familiarize yourself with the concept of Network Coding and analyze potential threats to both inter- and intra-flow Network Coding. Based on this, you will design and implement practical security measures. The design should then be validated against a number of different attacks.
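As an added example of the inter-flow XOR coding and the pollution threat described above (constructed code, not from this thesis or any Network Coding implementation): Alice and Bob each send one packet through a relay, which broadcasts a single packet P_A xor P_B; each receiver XORs its own packet back out. A malicious relay flips one bit of the coded packet, and both receivers decode garbage. The end-to-end key, payloads and tag length are assumptions; the HMAC tag carried in each native packet is one simple detection measure, chosen here for illustration, and it only detects pollution after decoding, without attributing it to the relay or preventing the wasted transmissions.

```python
"""Inter-flow XOR network coding with a polluting relay.

Constructed example: Alice and Bob exchange one packet each through a relay
that broadcasts a single coded packet P_A xor P_B. A malicious relay flips
one bit in the coded packet; both receivers decode garbage. An end-to-end
MAC that the relay cannot forge detects the pollution after decoding.
"""
import hashlib
import hmac

TAG_LEN = 16                     # truncated HMAC-SHA256 tag, in bytes

# Constructed pre-shared end-to-end key between Alice and Bob. The relay
# does not have it, so it cannot re-tag a modified payload.
E2E_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("XOR coding needs equal-length packets (pad first)")
    return bytes(x ^ y for x, y in zip(a, b))


def native_packet(payload):
    """payload || tag, with tag = HMAC-SHA256(E2E_KEY, payload)[:TAG_LEN]."""
    tag = hmac.new(E2E_KEY, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + tag


def verify_native(packet):
    """True iff the end-to-end tag matches the decoded payload."""
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(E2E_KEY, payload, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def relay_code(pkt_a, pkt_b, pollute=False):
    """Honest relay: broadcast pkt_a xor pkt_b.
    Polluting relay: same, but with the lowest bit of the first byte flipped."""
    coded = xor_bytes(pkt_a, pkt_b)
    if pollute:
        coded = bytes([coded[0] ^ 0x01]) + coded[1:]
    return coded


def exchange(pollute):
    """Run one coded exchange; return per receiver (decoded_ok, mac_ok)."""
    payload_a = b"ALICE->BOB:0123456789abc"    # 24 bytes, constructed
    payload_b = b"BOB->ALICE:zyxwvutsrqpon"    # 24 bytes, constructed
    pkt_a, pkt_b = native_packet(payload_a), native_packet(payload_b)
    coded = relay_code(pkt_a, pkt_b, pollute)
    # Each receiver XORs its own transmitted packet back out of the broadcast.
    bob_gets = xor_bytes(coded, pkt_b)       # should be pkt_a
    alice_gets = xor_bytes(coded, pkt_a)     # should be pkt_b
    return {
        "bob": (bob_gets == pkt_a, verify_native(bob_gets)),
        "alice": (alice_gets == pkt_b, verify_native(alice_gets)),
    }


if __name__ == "__main__":
    print("honest relay:   ", exchange(pollute=False))
    print("polluting relay:", exchange(pollute=True))
```

One flipped bit in the shared coded packet shows up as a corrupted payload at both receivers, since each decodes by XORing against a packet that was never polluted; without the end-to-end tag both would silently accept the garbage.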
Experimental Evaluation of Mobile Attacks on Ad hoc Routing Protocols
Testing the Efficacy of Vulnerability Disclosure over different Channels
Sicherheit funkferngesteuerter Rangierlokomotiven
Security Analysis and Firmware Modification of Fitbit Fitness Trackers
InternalBlue - A Bluetooth Experimentation Framework Based on Mobile Device Reverse Engineering
Angriffsanalyse einer TETRA-Basisstation
Analysing and Evaluating Interface, Communication, and Web Security in Productive IoT Ecosystems
Reverse Engineering the Apple Auto Unlock Protocol
Estimating Global MANET Metrics Based on Locally Observed Information
Knowledge of global network state is crucial for several innovative network optimization techniques. Essentially, incorporating knowledge about the overall network state into locally made decisions at decentralized nodes might improve the overall network performance. A node might for instance perform transitions between network mechanisms that are optimized for certain network conditions. However, an individual node’s scope of the network is limited in practice since it is able to overhear the wireless channel only locally, and explicit notification about global network state would result in large overhead. Therefore, we seek to extend a node’s view into the network by means of machine learning techniques.
The goal of this thesis is to estimate global metrics of a mobile ad-hoc network (MANET) by means of locally overheard information in a network simulation environment.
Literature review: Identify network optimization techniques that rely on global network knowledge and extract their requirements.
Define metrics: Make a list of global network properties that should be classified or estimated.
Identification of features: Identify potential features that can be obtained by traffic monitoring. Features that comprise relevant information about distant nodes might for instance be obtained by inspecting packet headers of the higher layers (e.g., network layer and transport layer).
Feature engineering and machine learning: Select and engineer features that can be obtained by overhearing the wireless channel.
Implementation: Run experiments with the ns-3 network simulator and evaluate the estimator’s performance.
Self-Replicating Malware for Wi-Fi Chips
Understanding the Apple Auto Unlock Protocol
Abstract of final thesis:
The Apple Watch provides the ability to automatically unlock a device running macOS when it is in proximity. The underlying proprietary protocol is called Auto Unlock (AU) and differs from other smart-locking techniques. It uses a combination of two wireless technologies, Bluetooth Low Energy (BLE) and IEEE 802.11, to facilitate secure proximity detection. In this work, we analyze the protocol using reverse engineering and dynamic debugging. We show that AU uses both standardized protocols and proprietary techniques to implement a secure distance-bounding protocol. With this knowledge, we discuss attack vectors and conduct a successful Man-in-the-Middle (MitM) attack on the protocol. Furthermore, we provide a starting point for implementations on other platforms by specifying the protocol, and lay the foundation for further attacks.
Investigating practical man-in-the-middle network attacks on IEEE 802.11ad
Wi-Fi based Covert Channels on Android Smartphones
Evaluation of Latency Reduction Techniques for 5th Generation Mobile Network
Extension of the Open Visible Light Communication Driver for Linux
ACE security profiles for the IoT
Securing SCADA Protocols
OAuth 2.0 for IoT: IPsec channel establishment and authorized resource access in the IoT
To secure the Internet of Things (IoT) while keeping its interoperability with today’s Internet is crucial to unleash the full potential of the IoT. Authentication and Authorization are fundamental guarantees to enable further security and operational challenges. To fulfill these guarantees in complex and diverse scenarios, we propose a solution based on the Authentication and Authorization for Constrained Environments (ACE) Framework, a token-based authorization, and authorization. Our solution, the IPsec profile for ACE, builds on the IPsec protocol suite and the Internet Engineering Task Force (IETF) IoT stack to provide network layer security and IPsec channel establishment based on token provisioning for constrained devices. The Direct Provisioning (DP) of Security Association (SA), symmetric-based authenticated establishment (Internet Key Exchange Protocol version 2 (IKEv2) in Pre-Shared Key (PSK) mode), and asymmetric key-based authenticated establishment (IKEv2 in Certificate-based Public Key (CPK) mode) are specified as ways to establish SAs, i.e., IPsec channels. We provide an implementation for Contiki, an Operating System (OS) for constrained devices such as the Zolertia Firefly. Furthermore, we evaluate our protocol design providing an lower bound for the performance of the profile. The evaluation includes network latency and processing time, energy consumption, memory footprint and packet sizes for the different SA establishment methods. The results provide a benchmark for the different protocol steps as well as aggregated measures for each of the evaluated setups. Our evaluation showed that the DP establishment has the smallest memory footprint and ACE packet size, and at the same time the highest performance. In the other hand, the authenticated establishment featuring IKEv2 in CPK mode, shows the largest memory footprint and packet size, together with the lowest performance of the three SA establishment methods. 
The trade-offs regarding Random Access Memory (RAM) and Read-Only Memory (ROM) footprint, power consumption, network latency and processing time, and security guarantees are also described.
Reverse Engineering the Apple Wireless Direct Link Protocol
Apple Wireless Direct Link (AWDL) is a proprietary and undocumented 802.11-based peer-to-peer protocol. It is implemented in all of Apple's operating systems. In this thesis, a reverse engineering method using binary analysis, complemented by runtime analysis with traces and logs, was applied. We found that each device in AWDL announces its own channel sequence, and an elected master node is used to synchronize these sequences. Outside the time windows defined by its sequence, a device can use its wireless radio for other protocols or save energy by turning it off. Each node adapts its channel sequence, e.g., depending on network load, shifting the ratio between infrastructure and peer-to-peer Wi-Fi. This thesis also provides a first security analysis of AWDL, includes the frame format documentation, and presents a Wireshark dissector and a prototype implementation of AWDL.
Collide, Collate, Collect: Recognizing Senders in Wireless Collisions
With wireless mobile IEEE 802.11a/g networks, collisions are currently inevitable despite effective countermeasures. This work proposes an approach to detect the MAC addresses of transmitting stations in case of a collision, and measures its practical feasibility. Recognizing senders using cross-correlation in the time domain worked surprisingly well in simulations using Additive White Gaussian Noise (AWGN) and standard Matlab channel models.
Real-world experiments using software-defined radios also showed promising results in spite of decreased accuracy due to channel effects. During the experiments, various Modulation and Coding Schemes (MCSs) and scrambler initialization values were compared. Knowledge about which senders were transmitting leading up to a collision could help develop new improvements to the 802.11 MAC coordination function, or serve as a feature for learning-based algorithms.
Collisions on wireless networks most likely lead to packet losses. Current network protocols typically recover from these situations by retransmissions. In doing so, the overall network capacity is reduced and the network delay increases with the amount and duration of collisions. However, collided frames may still reveal valuable information that might be suitable for advanced protocol designs.
Detect frame alignments of collided frames at the PHY.
Devise techniques to detect known data, such as MAC header fields.
Analyze real network scenarios with respect to collisions, classify observed events (e.g., pairs of hidden terminals) and generate statistics.
Decompilation and Automated Analysis of b43 Assembly Code used in Broadcom WiFi Chips
Practical use of network coding to sustain robustness in secure mobile ad hoc communication
Neighbor Discovery and Maintenance under Mobility in mmWave-based Mesh Networks
Secure localization and distance bounding with IEEE 802.11
Modification of LTE firmwares on Smartphones
Implementation of a Contextual Framework for Secure Device Pairing Methods on Android
With the proliferation of personal gadgets and smart devices, device pairing has become prominent in introducing security to such a diverse environment. Clearly, the process of secure device pairing is much more ambiguous than previously thought. This stems from the fact that there is no coherent vision of the pairing problem among the research community. To this end, we see that a plethora of pairing protocols have been proposed, many of which are insecure or fail to work in practice. Clearly, there is no single winner in the device pairing race.
Correspondingly, one solution to this problem is to support several pairing methods. However, from a user perspective this may create an additional burden. On top of that, some pairing protocols may be less appropriate security-wise in certain scenarios. For instance, if a pairing method relies on audio but is used in a noisy environment, this creates an additional attack vector or causes reliability issues. Another example is visual pairing techniques used in a public place, which can be subject to shoulder surfing.
Overall, in this thesis you will research which contextual information gathered by a modern smartphone can support secure device pairing. We already have a working Android implementation which performs different methods of device pairing.
More specifically, your task is to identify which factors can be potentially hazardous or beneficial for a certain pairing method in a particular scenario. The context that we are going to incorporate includes both environmental information and user input (feedback, preferences, etc.). Hence, you will take measurements on the smartphone to rate the environmental information, and perform a small user study (20-30 users) on device pairing usability.
Design, Implementation and Evaluation of a Privacy-preserving Framework for Trust Inference on Android
Nexman-based Wireless Penetration Testing Suite for Android
Design, Implementation and Evaluation of Realistic Scenarios and Movement Models for Natural Disasters Using Simulations for Delay Tolerant Networks
Seeing the continuous increase in natural disasters around the world, many people are contemplating how to contribute to helping those in need. Among them are several computer scientists who fulfil their share by developing technology which enables fast and reliable communication in disaster areas. We were inspired by their work and thus wanted to further improve the state of the art. Delay Tolerant Networking (DTN) is a specific technology which can be used for the creation of alternative networks in disaster areas, where conventional ones are unavailable due to the destruction caused by the disaster. Given that such technology is usually evaluated within network simulators, we exclusively focus on improving the state of the art of movement models and scenarios utilized within such simulators. The largely random-driven, and thus unrealistic, state of the art is improved by our contribution in the form of a fully designed, implemented, and evaluated realistic natural disaster movement model with underlying scenarios. The results of our evaluation indicate that previously published results might be too optimistic. Thus, further approximations to reality are inevitable for more accurate simulation of DTN, with the goal of ultimately obtaining better and more realistic results.
TETRA Security Analysis by Fuzzing
Improving a Linux Device Driver for Visible Light Communication
Implementation of the Lower MAC Layer for the OpenVLC Hardware
Implementation of a Physical Layer for Visible Light Communication using the OpenVLC platform
Detecting WiFi Covert Channels
Design and Evaluation of a Hybrid SDR Testbed For Visible Light Communication and Wi-Fi
Securing SCADA Protocols
A Framework for Adaptive Energy-efficient Neighbour Discovery in Opportunistic Networks
Implementation of infrastructureless BFPSI on Android
60 GHz Millimeter Wave Medium Access Control
The state of the art of channel access sharing in millimeter-wave and non-millimeter-wave communications.
Define the challenges that matter for optimal sharing between medium access techniques.
Development of a simulation tool or a simple test-bed to analyze the result of the proposed technique.
Due to the limited bandwidth in the lower frequency bands and the extreme increase in demand for high-quality multimedia content transmission, 60 GHz serves as a key solution to this problem. Further, 60 GHz is foreseen to be the upcoming frequency band for Wi-Fi networks. However, there are many interesting challenges for medium access due to the unique propagation characteristics at this frequency.
This project aims to find a solution for sharing between the different medium access techniques based on the data traffic.
Concurrent transmission D2D millimeter-wave
Directional transmission used for millimeter wave communication raises many challenges. However, extreme spatial sharing of the millimeter wave spectrum boosts the throughput per area by a significant amount. How to achieve this increase in per-area throughput is nevertheless still an open research question.
Literature review on the existing concurrent wireless transmission in microwave and millimeter wave.
Identify the challenges of concurrent transmission using millimeter wave.
Propose possible ways to solve the problems found.
Evaluation of concurrent transmission using off-the-shelf devices.
Secure Context Migration between IEEE 802.11 Networks
Probe request tracking in WiFi firmware
Reactive, Smartphone-based Jammer for IEEE 802.11 Networks
Secure key exchange protocol for a group communication during emergency responses
Utilizing Secure Elements to Establish Authentication in MANETs on Android
Design and Implementation of a Service-Oriented Architecture for Large-Scale Testbed Management
Wireless multihop network testbeds are often distributed over large physical areas and comprise many devices, which renders management challenging. A multitude of diverse frameworks are available to assist in the management of such testbeds. Properties like scalability, heterogeneous hardware support, and effortless testbed configuration are self-evident goals for these frameworks. However, this combination is hard to achieve, and the exact requirements vary for different testbeds. Instead of providing a completely new and tailored experimentation framework, I propose Panopticon, a service-oriented management framework providing a lower layer to intercept and improve existing functionality. It slices large, distributed testbeds into dynamically sized subunits, offering a granular choice of testbed experimentation frameworks for every slice. Such an experimentation framework can be selected according to the exact experiment's requirements and not as a compromise between all available testbed components. Panopticon's list of services can be extended, offering simple entry points for new, custom implementations. It is a framework federating network-enabled infrastructures.
Energy efficient WiFi analysis framework on smartphones
Unified Multi-modal Secure Device Pairing for Infrastructure and Ad-hoc Networks (Bachelor Thesis)
Today's technologies heavily rely on wireless communications. Our mobile devices connect to infrastructure devices such as wireless routers, perform ad-hoc connections among each other, and connect to peripheral devices such as smart watches, fitness trackers, and headsets. However, since security is essential in most application scenarios, authentication is a big challenge. To join a wireless network, pre-shared credentials are required. Pairing in proximity via Bluetooth requires the same PIN to be entered on both devices. This procedure is inconvenient and differs between kinds of devices. Although user-friendly and secure pairing mechanisms utilizing multi-modal technologies have been proposed, no unified solution exists yet.
In this thesis, you elaborate on different kinds of pairing mechanisms and analyze their security against various attacks. You design a unified multi-modal pairing protocol and implement a prototype on Android.
Your protocol combines pairing strategies over different communication technologies (e.g., WiFi, Bluetooth, NFC, sound, light) and selects a suitable subset matching the devices' capabilities. Since some strategies are easier to intercept than others, your protocol attests the pairing procedure for retrospective trust estimation in the application context. With your proposal, we show that unified multi-modal pairing is feasible for both infrastructure and ad-hoc networks with flexible security requirements.
Unified Multi-Modal Device Pairing in Infrastructure and Ad-hoc networks
A System for Privacy-Preserving Mobile Health and Fitness Data Sharing: Design, Implementation and Evaluation
Reverse Engineering Apple’s Multipeer Connectivity Framework and Implementation on the Android platform
Enabling Seamless Transitions between Cryptographically Secured
Location Privacy of Digital Trunked Radio
Infecting the Wire: Wireless Eavesdropping, Packet Injection and Reactive Jamming on Wired 10Base-T IEEE 802.3 Ethernet Networks
Privacy and anonymity risks on Android
Performance evaluation of an anonymous communication system on a mobile device
Implementation and Evaluation of PUF-based Cryptographic Key Generation Schemes on FPGA
Design and Evaluation of a supervised machine learning based Intrusion Detection System for WSN
Securing Efficient Network Flooding and Time Synchronization for Ultra-Low Latency Communication in Wireless Sensor Networks
Design and Implementation of Lightweight Attestation for Embedded Systems
Intrusion Detection using Data Mining
Audio-based Covert Channels on Smartphones
Wireless Eavesdropping and Packet Injection in Ethernet Networks
Design, Implementation and Evaluation of a System Information Service
Measuring the Impact of Denial of Service Attacks on Wireless Sensor
Protecting User Privacy by Learning from Mobile Communication Data
Design, Integration and Evaluation of Real-time Notifications
Network ID: Self-Provisioning Service Proxy
Let’s go WARP: Integrating the Click Modular Router and the Wireless Open-Access Research Platform
Delay-tolerant routing for emergency networks
Signal Pre-Processing in a Physical Layer Based Key Management System for Wireless Communications
Statistically analysing the Impact of
Security Analysis of Physical Layer Key Exchange Mechanism
Implementation and Detection of Colluding Injection Attacks by Means of Active Probing
Decentralized Privacy-preserving Location Mechanism
Corridor Building in Wireless Multihop Networks
Outlier Detection in Wireless Sensor Networks
Realtime aggregation and spatial visualization of emergency messages
Security Mechanisms for Emergency Response Networks
Design, Implementation and Evaluation of Incentive Schemes for Mobile Sensing Applications
Physical layer path signatures for wireless multihop networks
Improving of the detection mechanism of an open-source intrusion detection system
Practical Physical Layer Security in MIMO Systems using Software Defined Radios
Implementation of a Cross-layer Technique for an OFDM-based Wireless Mesh Network
Geographic Routing Based on Physical Layer Information for Wireless Multihop Networks
Performance-based Intrusion Detection in Wireless Sensor Networks
Mobile Phones as Sensors for Intrusion Detection in Wireless Mesh Networks
Secure Modular Protocols for Wireless Multihop Networks
Implementation and Evaluation of Opportunistic Mobile Ad Hoc Networks
Design, Implementation, and Evaluation of User Interfaces for Decentralized Privacy-Preserving Mechanisms
Towards Strong Anonymity in Delay-Tolerant Networks
Increasing Privacy Awareness through Intuitive Interfaces for Participatory Sensing Applications
Methods for Trust Assessment in Participatory Sensing Scenarios
Secure Monitoring of Wireless Sensor Networks
On the Efficiency of Privacy-preserving Path Hiding for Participatory Sensing Applications
Dynamic Subchannel Allocation in OFDMA-Based Wireless Mesh Networks
Decentralized Trust Models for Participatory Sensing
Privacy-aware Tasking for Participatory Sensing Applications
Machine Learning-based Anomaly Detection in Wireless Sensor Networks
A Framework for Privacy Metrics in Participatory Sensing Scenarios
Improving Link Quality in Wireless Sensor Networks
Generation, Distribution and Verification of Sensor-based Credentials for Participatory Sensing Scenarios
Methods to Identify and Classify Social Links: Design and Implementation
Implementation and Evaluation of a Mechanism to Preserve Location Privacy in Participatory Sensing Scenarios
Anonymity and Reputation in Participatory Sensing
Security Solutions for Geographic Routing in Wireless Multihop Networks
Realization of a Testbed and Analysis of Attacks against Routing Mechanisms in Mobile Ad hoc Networks
Mitigating Attacks on IEEE 802.11s Security Mechanisms
Fine-grained Access Control Enabling Privacy Support in Participatory Sensing