Theses

  2022 Completed

SpyFi: Deep Learning for CSI-based Keylogging Side Channel Attacks

Supervisor: Matthias Gazzari Jakob Link

Spying on what is typed on a keyboard with Wi-Fi signals sounds scary but might not be as far from reality as suspected. Wi-Fi-enabled devices constantly measure the communication channel conditions represented with Channel State Information (CSI). Finger and hand movements alter the wireless signal propagation characteristic and cause changes in the CSI over time. Prior work proves it is possible to correlate the patterns in a CSI time series to the motion of keys pressed on a keyboard. This leaking information from Wi-Fi signal distortions can be exploited in a side-channel keylogging attack. Typing is a prevalent activity when it comes to working with computers on a regular basis. Considering that what we type reveals not only private messages like emails or notes but also highly sensitive data such as passwords or banking information, this leaves a frightening prospect. In this thesis, we practically explore the potential threat of side-channel keylogging attacks with CSI by implementing and comparing the conventional method found in related work to deep learning-based approaches to infer keystrokes. Motivated by the fact that the use of deep learning models promises less effort in pre-processing and feature extraction, we apply deep learning approaches for the first time for CSI-based keylogging and extend the knowledge about the applications of Deep Neural Networks (DNNs). We create a dataset worth more than 24 hours of recording time with a controlled experimental setup to empirically evaluate the performance of the implemented keyloggers. Our results indicate the difficulties and limitations our keylogging models face, which renders keylogging attacks with Wi-Fi signals rather cumbersome for real-world attackers.

  2022 Completed

Machine Learning Aided Penetration Testing: Concept of a Penetration Testing Automation Environment

Supervisor: Matthias Gazzari

Network penetration testing involves experienced techniques that require consideration of environment specific parameters and planning of conduct. Penetration testers should focus on novel vulnerabilities and spend their attention to interrelations regarding possible threats and risks to not lose time on repeating tasks. Reinforcement Learning (RL) is the key approach to make autonomous penetration testing practically applicable inside real-world computer networks. The literature describes attack path generation with a priori knowledge about the environment, simulation-only approaches without applicability to real-world computer networks or emulation-only approaches with no RL integration. This thesis optimizes, trains and evaluates RL agents for four benchmark scenarios with increasing size, complexity and heterogeneity of hosts, and a Proof of Concept (PoC) demonstrates the transferability of a simulation environment into an emulation environment. Creating a realistic emulation environment in which RL agents can apply their learned knowledge from the fast simulation environment allows delegation of repeatable tasks to the learned agent and let penetration testers focus on novel and individual aspects of the target network.

  2023 In progress

Limits of Thermal Camera Keylogging Side-Channel Attacks

Supervisor: Matthias Gazzari

...

  2023 Available from: April 2024

Protection mechanisms against unwanted tracking/stalking

Supervisor: Alexander Heinrich

The release of more Bluetooth item finders and key finders that use a vast finder network increased the risk for stalking and location tracking on people increases. Especially the Apple AirTag and Samsung SmartTag are dangerous devices since the manufacturers updated all their Smartphones to find and report these devices. We study the prevalence of this issue and try to create applications, algorithms, and datasets to help users identify trackers and disable them. With AirGuard, we created the first automatic tracking detection against AirTags for Android. Our project is open-source, and we continue to develop it to support other devices. If you are interested in tracking protection mechanisms innovative ways to identify all kinds of trackers and want to create software used by thousands of users, please reach out. Contact: Alexander Heinrich aheinrich@seemoo.tu-darmstadt.de Links: https://github.com/seemoo-lab/AirGuard https://play.google.com/store/apps/details?id=de.seemoo.at_tracking_detection.release

  2023 In progress

Detect Sensitive Activity to Protect Users of Wearables

Supervisor: Matthias Gazzari

...

  2023 In progress

Fingerprinting Environments With Gas Sensors

Supervisor: Matthias Gazzari

...

  2023

Assorted Hardware Security Topics

Supervisor: Davide Toldo

I offer supervision mostly of hardware-based offensive security topics. Assist me and my team in getting access to the firmware of embedded systems, bypass security mechanisms and reverse engineer cutting-edge devices. Topics (can) involve building custom hardware (target boards, tools, experimental setups), reverse engineering firmware and more. Contact me if this sounds interesting to you. Experience with hardware (electronics, microcontrollers, circuit boards) is recommended.

  2023 Available now

Reverse Engineering Broadcom's Vector Application Specific Processor (VASIP)

Supervisor: Jakob Link

Selected Broadcom Wi-Fi SoCs feature a Vector Application Specific Processor (VASIP). A brief description of its application areas can be found in the following patent: Inter-radio communications for scheduling or allocating time-varying frequency resources. The processor might be used to mitigate interference, support MU-MIMO operation, or in general help with computational complex tasks correlated to signal processing. Understanding VASIPs functionalities and capabilities, paired with its positioning near the radio front-end, can open up a new practical platform for researchers with a large area of applications in the wireless field on real end-user devices. To gain more insight into this type of processor we offer several thesis topics, ranging from analyzing its default functionalities up to reverse engineering its instruction set. You should be comfortable with the C-language, digging in the unknown, signal processing, and improving your skill-set. Be aware that depending on the sub-topic this might be a heavy task.

  2023 In progress

Power Characterization of Acoustic Communication and Other Wireless Ad-Hoc Communication Technologies for Smartphones and the Internet of Things

Supervisor: Florentin Putz

...

  2023 In progress

Measuring Acoustic Communication Schemes

Supervisor: Florentin Putz

...

  2023 Completed

Machine Learning Based Data Rate Optimization for Mobile LoRaWAN Sensors

Supervisor: Luis Alves Frank Hessel

Adaptive Data Rate is a feature of LoRaWAN that allows to optimize the network performance by adjusting the data rate of end devices based on their current channel conditions. Current approaches to ADR optimization algorithms focus on static or low-mobile end devices, and the specification recommends to disable ADR for mobile devices, e.g. location trackers. To let these devices also benefit from ADR adjustments, this thesis suggests to implement a predictive ADR algorithm based on deep reinforcement learning. The algorithm is evaluated on a real-world data set captured in the city of Darmstadt.

  2023 In progress

Automated Surveillance Recognition in Smart Environments

Supervisor: Matthias Gazzari Frank Hessel

This topic is about implementing various models to recognize the presence of as many smart things as possible based on sensor or other time series data. The goal of this topic is to compare and evaluate these models against each other in certain settings like in a smart home environment.

  2023 Completed

Continuous Fuzzing Integration Into State of the Art Development Processes for Improved Software Security

Supervisor: David Noel Breuer

...

  2023 Available now

Acoustic Communication: Ubiquitous ad-hoc communication?

Supervisor: Florentin Putz

I offer challenging topics on all aspects of the acoustic physical layer, which allows smartphones to use their integrated audio hardware for aerial communication, similar to wireless radio communication. The main use case is short-range communication, e.g., for pairing.The advantage: We can implement custom physical layers without expensive SDRs. Contact me if you have any research ideas on this topic. Strong experience with signal processing is required.

  2023 Available now

Security and Resilience of 6G/Open RAN

Supervisor: Leon Würsching

A resilient 6G system must be prepared for different failure scenarios to absorb incidents up to a certain level. The Open RAN standard [1] proposes to split the RAN into multiple units, exposing new potential points of failure and increasing the overall attack surface of the RAN. I offer Bachelor's and Master's theses exploring a given part of the 6G/Open RAN system and investigating aspects related to its security and resilience. For example, I am looking for students interested in one of the following: penetration-testing a component security analysis of a network protocol resilience analysis of infrastructure in a disaster scenario mathematically modeling requirements for a system to survive specific scenarios ... Don't worry if your favorite method is not mentioned here. There is an indefinite number of aspects to investigate in the 6G system. Let me know what you would like to do (reverse engineering, fuzzing, stochastics, conducting a user study?), and we will see if there is a way. While it can be a bonus, knowing how mobile networks work is optional. You can still learn everything relevant as a part of your thesis. Don't hesitate to contact me if you are interested in a security/resilience-related thesis in the 6G/Open RAN field! [1] https://www.o-ran.org

  2023 In progress

Limits of CSI-based keylogging on 10-digit number pads

Supervisor: Matthias Gazzari Jakob Link

...

  2022 In progress

Android Wireless Subsystem Security

Supervisor: Jiska Classen

Earliest start date: February 2023 Wireless interfaces are an attack surface for zero-click remote code execution vulnerabilities. Typically, an attacker would try to find a parsing issue within a wireless chip or in a low-level wireless stack component within the operating system, and then escalate further. Thus, it is of importance to research these interfaces. Android is available for many platforms with different hardware. Vendors add custom hardware adaption layers for compatibility with Android. However, these interfacing layers are vendor-specific and proprietary. Detailed knowledge about interfaces between components enables security research [1] and building tooling to customize wireless chips and stacks [2, 3]. Due to the proprietary nature of these interfaces, many of them remain undocumented. We have a couple of yet to be researched wireless interfaces, as well as researched interfaces that would profit from developing better tooling. We offer experience within the Google ecosystem as well as OEMs (Samsung, etc.), including reverse-engineering tips for firmware and user-space daemons. Additionally, due to supervising a lot of theses in this area, we have a collection of example thesis about how to reverse engineer and fuzz such interfaces. We also have rooted up-to-date Android smartphones. For your own safety and security, these are designated research devices and not meant for private usage. When researching a new interface, it is common to uncover new vulnerabilities, which you will report within Google's vulnerability reward program or the OEM's program, and you might be rewarded a bug bounty. We also encourage and financially support you presenting your results at a scientific or security conference. Please contact us for more details and choosing a task that suits a thesis. A B.Sc. thesis would usually advance tooling for something previously reverse engineered (see [1]), and a M.Sc. thesis is about reverse-engineering an interface and developing tools (see [2]). The precise topic will be tailored to your previous experience. It is recommended to have a reverse-engineering background, e.g., previous participation in CTFs. Depending on the topic, either a strong programming background is required (develop an open-source tool for an Android interface) or a good understanding of software/hardware security is mandatory (fuzzing a protocol, implementing a firmware attack, …). We are currently getting many requests for this topic area. Please only contact us if you plan to start your thesis by February 2023 or later, or if you have sufficient background knowledge to work on a topic on your own (e.g., are already familiar with Android hacking and don't need an introduction). [1] ARIstoteles: iOS Baseband Interface Protocol Analysis [2] InternalBlue - A Bluetooth Experimentation Framework Based on Mobile Device Reverse Engineering [3] Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements Through Wi-Fi Firmware Modifications.

  2022 In progress

Exploring a Digital Intermediary for Smart Home Privacy Communications

Supervisor: Matthias Gazzari

...

  2022 Completed

ECG-PPG A Comparison of Biometric Identification

Supervisor: Matthias Gazzari

With the rise of the IoT and the usage of mobile devices, the need for improved security for those devices becomes more critical. Beyond regular passwords several other forms of identification such as biometric identification, have been introduced. They can offer increased convenience and less vulnerability to spoofing attacks. Most common forms of applied biometric identification include iris, face and fingerprint scanners that see most use in smartphones. But there has been an increasing interested in methods that utilize physiological signals of the human body. electrocardiogram (ECG) and photoplethysmogram (PPG) are among them and are the main point of interest for this work. They come with inherent advantages like being difficult to reproduce and can not be forgotten like a password. Gathering records of the two signal types has become easier over the years and can now be performed with wearables like the Apple Watch. This opens new options for this field of research. My work focuses on analyzing and reimplementing existing approaches for ECG and PPG based biometric identification systems and comparing them to deduct similarities, differences, strengths and weaknesses. To achieve this two convolutional neural network (CNN) based ECG implementations and one PPG implementation that utilizes handcrafted feature extraction were adapted to work on a shared dataset that contain synchronized ECG & PPG data from the private SAPE and the public BIDMC database. This database was then used for evaluation of the systems. In addition commonly used biometric methods and databases were analyzed to aid in the final evaluation. High rates of accuracy were reached and compared to literature that utilized similar datasets.

  2022 Completed

Repurposing Wi-Fi Chips as Software-defined Radio Receivers

Supervisor: Jakob Link

Broadcom FullMac Wi-Fi Chips offer the possibility to configure its internals such that IQ samples can be fetched at several stages in the RX chain. This opens up the opportunity to repurpose those Wi-Fi Chips as Software-defined Receivers. As the firmare is proprietary and the configuration is non-trivial, reverse engineering of the underlying processes are required. In this thesis, we try to better understand the possible configuration options, tackle bottlenecks like memory and bus bandwidth restrictions, and create a tool that abstracts the SDR RX feature to end-users. You should have experience with C, Reverse Egineering and interest in hardware features of RF receiver chains.

  2022 In progress

Collecting a Real-World Dataset of Private Patterns for Stream Processing Systems

Supervisor: Mikhail Fomichev

The Internet of Things (IoT) shows a clear shift towards analyzing streaming data (collected by IoT devices) using so-called stream processing systems (SPSs) that infer knowledge from these data in (near) real-time. Such SPSs work on the notion of events detected from sensor data, e.g., a user is standing, jogging, or eating. The SPSs raise serious privacy concerns, as they not only ignore user privacy but also pose new threats to it. For example, a sequence of seemingly nonsensitive events, like "swallow" --> "drink" --> "lay down", can reveal a sensitive private pattern of taking medicine. A few privacy-preserving mechanisms (PPMs) exist to address the private patterns' threat, but they need to be validated on realistic datasets containing a number of private patterns that are captured by various sensor data, e.g., IMU, ECG/EMG, and heart rate. To date such datasets do not exist. Hence, collecting one would the main goal of this thesis, which will be a big step towards validating existing and designing new PPMs that tackle the threat of private patterns in SPSs. The precise topic addressing the above research goal would be tailored depending on your skillset. However, a hands-on experience with data collection using smart devices (phones, watches, IoT sensors) and/or user studies is a strong plus. [1, 2] are exemplary data collection studies, which can serve as an inspiration for this work. [1] FallAllD: An Open Dataset of Human Falls and Activities of Daily Living for Classical and Deep Learning Applications [2] Case Studies Using Shimmer Sensors

  2022 Completed

LoRaWAN in Disaster Scenarios

Supervisor: Frank Hessel

LoRa comes with characteristics beneficial in crisis situations, like its long range and the low power consumption, which allows to run running devices on batteries significantly longer than, e.g., cellular base stations. However, LoRaWAN does not benefit from these characteristics, as it depends on a centralized, cloud-based network server infrastructure. If gateways can no longer access the backing network, forwarding stops and the network fails in the affected region. This thesis investigates collaboration between gateways to transparently forward frames from LoRaWAN devices in regions suffering from an outage of the backing network.

  2022 Completed

Comparison of Side-Channel Touchlogging Attacks using Wearables

Supervisor: Matthias Gazzari

Although many research papers about touchlogging attacks, which are leveraging wearable devices as a side-channel to log keys being typed on a smartphone, exist, there is no concise summary of those attacks, their advantages & limitations, and different scenarios and evaluation setups make comparisons difficult or unfair. Therefore, one has to sort through countless articles and papers to see if an approach has already been evaluated in a specific scenario or can not fairly compare two good performing approaches because the evaluation setup differs drastically between the two. This thesis provides a framework combining five of the most common approaches for touchlogging attacks in four different typing scenarios and eight ways the user is wearing the wearable device. With this framework and its evaluation, a concise overview and quick, fair comparisons between the most common approaches to touchlogging are presented.

  2022 In progress

Low-Power Network Support for the Recovery of Collapsed 6G Systems

Supervisor: Leon Würsching Frank Hessel

A resilient 6G network will be prepared for different failure scenarios and can absorb incidents to a certain level. However, there may be incidents that cannot be absorbed, e.g., a failure of the entire 6G core network due to a large-scale cyber attack. Further possible consequences of such an incident include a large-scale power outage affecting either parts or even the entire mobile network. In this type of scenario, the 6G network would collapse and split into smaller networks. Such a small network could, e.g., consist of a single isolated base station running on emergency power, and the users connected to it. From here, isolated basestations have to reconnect with other base stations to recover some functionality of the 6G network. However, the need to conserve energy further complicates the recovery process because base stations are running on emergency power. This thesis evaluates how such a recovery process of the 6G network can be supported with ad-hoc low-power networks. In this thesis, the student will explore how isolated base stations can coordinate the reconnection of isolated base stations via a low-power network. This includes discussing and choosing a suitable lower-layer protocol as a basis for the low-power network implementing a basic consensus protocol to make distributed decisions testing the developed protocol in simulation.

  2022 Completed

Enterprise Authentication Systems

Supervisor: Florentin Putz

Enterprise Authentication Systems

  2022 Completed

Smartphone Pairing Schemes

Supervisor: Florentin Putz

...

  2022 Completed

Evaluation of UWB

Supervisor: Heinrich

We want to evaluate current UWB devices

  2022 Completed

Impact of Multi-Path Effects on Acoustic Keylogging Systems

Supervisor: Matthias Gazzari Florentin Putz

...

  2022 Completed

Updating Heterogeneous LoRaWAN Nodes Using A Modular LoRaWAN-Stack

Supervisor: Frank Hessel

The LoRaWAN 1.0 has been shown to suffer from security vulnerabilities which require updating the LoRaWAN implementation on respective sensor nodes. However, updating the firmware of LoRaWAN end devices is a demanding task, as data rate and duty cycle limit the throughput to only a few kilobytes per second. Heterogeneity amongst sensors exacerbates the situation by requiring dedicated images for each sensor type. The thesis addresses both problems by improving the updatability of LoRaWAN end devices by allowing to replace single functions of the LoRaWAN stack with architecture-independent drop-ins based on WebAssembly.

  2022 Completed

Practical Evaluation of LoRaWAN in IIoT Environments

Supervisor: Frank Hessel

  2022 Completed

Reverse Engineering and Emulating Broadcom's WiFi Real-Time Core Peripherals

Supervisor: Jakob Link David Noel Breuer

Broadcom/Cypress WiFi chips commonly hold a microprocessor, also called D11 core, that handles all real-time related 802.11 MAC tasks in form of a programmable state machine (PSM). It is directly connected to the chip's PHY components as well as its non-real-time related parts. Successful attacks on the D11 core would therefore pose a high risk on the whole device. Especially, as the chip is constantly exposed over its wireless interface. Although the D11 core's architecture and instruction set are mostly proprietary, disassembling and assembling of microcodes (D11's firmware) is possible due to previous reverse engineering efforts. This in turn allows analyzing, modifying and on-chip debugging of microcodes. However, the current related processes are error-prone and time consuming. To improve those tasks, a basic emulator that can interpret the proprietary instruction set and perform corresponding calculations and memory/register accesses was designed and implemented in prior work. But, in order to properly run microcodes on the emulator, several peripherals (e.g. timers, crypto engine, tx/rx engines, PHY interface, ...) that directly influence the PSM's flow need to be emulated additionally. In this thesis, we want to analyze peripherals that are directly connected to the D11 core and simulate their behavior to the existing emulator. C and Assembly skills are recommended, as well as experience and/or interest on reverse engineering, IEEE 802.11 MAC, and low-level programming.

  2022 Completed

Implementation and Evaluation of Short-Range Aerial Acoustic Communication Systems for Smartphones

Supervisor: Florentin Putz

...

  2022 Completed

Emulating Broadcom's D11 Core

Supervisor: Jakob Link

Cypress/Broadcom WiFi chips commonly hold a microprocessor, also called D11 core, that handles all real-time related 802.11 MAC tasks in form of a programmable state machine. The D11 core's architecture and instruction set are proprietary. Reverse engineering efforts already disclosed a sufficient subset of the instruction set to allow disassembling and assembling of microcodes(firmware of the D11 core) for specific core revisions. Still, analyzing, modifying, and debugging microcodes on-chip is error-prone and time consuming. Emulating the D11 core can be used as support for such tasks. In this thesis, we want to gain more knowledge about the D11 core's functionalities by further reverse engineering its internals, and implement an emulator that supports its instruction set and eases debugging of microcodes.

  2022 Completed

Channel Characterization for Aerial Acoustic Communication Systems

Supervisor: Florentin Putz

...

  2022 Completed

Limits on Inferring Handwritten Characters using Wearables

Supervisor: Matthias Gazzari

Recent studies have shown that handwritten characters can be distinguished from each other with a high accuracy leading to security threats such as impersonation, side-channel attacks or just building systems to mirror handwritten characters to digital space. Most of these studies just focused on the character recording and building (complex) systems around the classification of these handwritten characters, resulting in sparse data sets with only specialized hardware in restricted settings. With these specialized settings and hardware, it’s not clear what limitations might impact the accuracy of classification, let it be the type of sensor of the general writing style of a person and if these researches also apply to consumer hardware or general settings like writing with a simple pen on paper. The results of this work aim to set clear limitations and settings for the recording of handwritten characters while using a simple pen and paper setting with multiple consumer devices. Sampling a data set full of handwritten lower-case characters with the usage of multiple consumer wearables in different positions on the forearm, while limiting the speed and size of a character drawn, are processed and calculated into several time-domain and frequency-domain features to be classified by different machine learning methods resulting in accuracies of 20 % to 22 % for the IMU data, 15 % to 17 % for the EMG data and 16 % to 20 % for a mixed approach. The results are in the range of current state-of-the-art findings adjusted for the size of classifiers used, so the defined limitations in this work might give a direction to which limitations are more useful in the scenario of classifying characters based on signal data using consumer devices.

  2022 Available now

Generalized Network Coded Cooperation in High Density LoRa-Networks

Supervisor: Luis Alves Frank Hessel

The wireless channel is a non-linear and time-varying system. Thus, it represents a harsh environment to conduct transfers of information. One of the variables that predict the outage performance of transmissions over the wireless channel is the diversity order, where systems with higher diversity order experience a lower outage probability at a specific signal-to-noise ratio (SNR). Diversity can be achieved through several means, with the most simple being repetitions (retransmissions) of the same information over different instances of the wireless medium, i.e. over another time period or frequency. One very relevant means is the use of multiple antennas, which adds diversity by also incorporating a spatial element. However, this element can also be obtained when devices with transmissions to a common destination aid each other with retransmitting their partner's information frames. That is the concept behind cooperative communication: achieving a spatial diversity gain without requiring multiple antennas on each device [1]. Network Coded Cooperation (NCC) is a more complex cooperative technique whereby devices perform linear combinations of the data contained in their own and their partner's information frame, creating a parity frame. This allows for an even higher diversity order gain without requiring any additional transmissions beyond the standard information and cooperative phases seen in cooperative communications [2]. This kind of technique can therefore be especially useful in scenarios where multiple devices share a common base station and require energy-efficient communications, such as in LoRa-based networks. LoRa is a prime modulation technique for enabling Low-Power Wide Area Networks (LPWANs), providing adequate interference prevention, relatively low power consumption, and long range. These benefits, however, do not scale well with increases in the network density [3]. Note that, in these high-density scenarios, increasing diversity by simply realizing more transmissions results in an increased collision probability, i.e. even higher interference. For LoRa-networks, this also means the network loses maximum range. Given that the number of connected devices is expected to balloon in this decade, LoRa-based protocols must be adapted to mitigate high levels of interference. It has been shown that using NCC can produce positive results in the high-density scenario LoRa-based network when associated with a fast inter-device transmission of information frames using high rate frequency shift-keying (FSK). However, previous analyses were purely theoretical and limited to evaluating a two-way cooperation process [3]. This thesis will tackle the empirical and theoretical challenges of implementing generalized network-coded cooperation on LoRa-based networks. Cooperation will be expanded to include multiple devices within the cooperation range, which will generate a higher diversity order for the uplink transmissions. The student is expected to be programing LoRa devices based on either the SX1272 or SX1276 transceivers to validate their results. If you have any interest in the described topic, please do not hesitate to get in touch. [1] Cooperative communication in wireless networks [2] Multiuser Cooperative Diversity Through Network Coding Based on Classical Coding Theory [3] Network-Coded Cooperative LoRa Network with D2D Communication

  2022 In progress

Reconfigurable Intelligent Surfaces in LoRa-based Networks for Large-scale IoT

Supervisor: Luis Alves Allyson Sim

LoRa is a prime modulation technique to enable Low-Power Wide Area Networks (LPWANs), providing adequate interference prevention, relatively low power consumption, and long range. These benefits, however, do not scale well with increases in the network density [1]. This represents an obstacle to achieving massive connectivity, seen as an important part of the future of wireless communications. A surging technology that could mitigate the impacts of interference in LoRa-based networks is the so-called Reconfigurable Intelligent Surface (RIS). A passive element composed of meta-surfaces that can change characteristics of an impinging electromagnetic wave [2], the RIS concept allows the power of a received signal to be boosted through matching waveforms (i.e. phase delays) of otherwise destructive multi-path reflections. This thesis will focus on the possible application of RIS in a LoRa-based network and will study the theoretical modeling of its impacts on the network performance, measured through energy efficiency and network range. If you are interested in this work, please do not hesitate to get in contact. [1] Scalability Analysis of a LoRa Network Under Co-SF and Inter-SF Interference in Large-scale IoT Applications [2] Reconfigurable Intelligent Surfaces for 6G Systems: Principles, Applications, and Research Directions

  2022 Available now

Privacy-preserving beamforming using reinforcement learning

Supervisor: Luis Fernando Abanto

In this thesis we consider the downlink of a wireless communication system. In particular, there is a base station transmitting information to multiple legitimate users in the presence of eavesdroppers which may compromise users’ privacy by capturing information sent from the base station. The goal of the thesis is to maximize the privacy degree of all legitimate users while ensuring that the eavesdroppers remain as oblivious as possible. To fulfill this, the base station leverages beamforming and reinforcement learning (RL). A specific objective of this thesis is to develop a practical RL algorithm with low latency and compare its performance against other approaches, e.g., based on convex optimization, which in general can be more time-consuming. Required knowledge: reinforcement learning, wireless communications, signal processing (desirable)

  2022 In progress

Hiding User Private Attributes Using Machine Learning

Supervisor: Mikhail Fomichev

The ubiquity of IoT sensors enables customized user services such as smart health or smart home. Recently, the advances in machine learning have been exploited to discover private user attributes (e.g., gender, age) from sensor data collected for different purposes such as activity recognition, violating user’s privacy. Two recent works [1, 2] utilize state-of-the-art machine learning techniques to suppress private user attributes in sensor data while maintaining the utility of the target application (e.g., target activity recognition remains accurate). In this thesis, we will critically evaluate the above proposals, with respect to their security (can other private attributes be learned on these data), generalizability (would they still work on a slightly different sensor data?), and deployability (can such approaches run on edge devices?). The precise topic addressing the above research goal would be tailored depending on your skillset. However, a solid background in machine learning and data mining is required in addition to a thorough understanding of privacy issues stemming from sensor data (also known as inference attacks). [1] Protecting Sensory Data against Sensitive Inferences [2] Preventing Sensitive Information Leakage from Mobile Sensor Signals via Integrative Transformation

  2022 In progress

Discovering Oversensing Privacy Issues in Smart IoT Environments

Supervisor: Mikhail Fomichev

The proliferation of the IoT makes numerous smart devices equipped with rich sensing capabilities part of our everyday life. These sensors enable customized services by measuring a user’s ambient environment such as a fitness tracker recording daily activities (e.g., jogging), allowing users who exercise a lot to get an insurance discount. However, the ubiquity of sensing raises the problem of oversensing [1], namely inferring user’s sensitive attributes or behaviors (e.g., health conditions, political orientation) from the sensor data that was collected for benign purposes. In this thesis, we will explore the landscape of oversensing, focusing on the following problem: how to discover the oversensing issues in various sensor data in a scalable (i.e., automated) way? The precise topic addressing the above research goal would be tailored depending on your skillset. However, a solid background in machine learning and data mining is required in addition to a thorough understanding of privacy issues stemming from sensor data (also known as inference attacks). [1] How to Curtail Oversensing in the Home

  2022 Available now

Beam management in mmWave full duplex joint sensing and communication system

Supervisor: Lu Wang Arash Asadi

Joint Sensing and Communication technology is one of the key 6G technologies. It makes your phone/vehicle/device smarter with the function of sensing and communication simultaneously [1]. By beaming the transmitted data in a direct way, both sensing and communication performance can be improved. If you are interested in the beam-related design in the joint sensing and communication system, feel free to contact us. Research objective: 1. Sensing parameters estimation 2. Beam management(searching/tracking) and beamforming design 3. full duplex joint sensing and communication system design Expected gain of knowledge: Wireless communication [1] Y. Cui, F. Liu, X. Jing and J. Mu, "Integrating Sensing and Communications for Ubiquitous IoT: Applications, Trends, and Challenges," in IEEE Network, vol. 35, no. 5, pp. 158-167, September/October 2021.

  2022 Available now

mmWave full duplex joint sensing and communication design

Supervisor: Lu Wang Arash Asadi

Joint Sensing and Communication technology is one of the key 6G technologies. It makes your phone/vehicle/device, etc., smarter with the function of sensing and communication simultaneously [1]. Configuring this technology in mmWave band, better performance such as higher date rate can be realized. If you are interested in the joint sensing and communication system design, feel free to contact us. Research objective: 1. Sensing parameters estimation 2. full duplex joint sensing and communication system design Expected gain of knowledge: Wireless communication [1] Y. Cui, F. Liu, X. Jing and J. Mu, "Integrating Sensing and Communications for Ubiquitous IoT: Applications, Trends, and Challenges," in IEEE Network, vol. 35, no. 5, pp. 158-167, September/October 2021.

  2022 Available now

Privacy and Security Implications of Cross-Modal Transformations on Human-Centric Sensor Data

Supervisor: Matthias Gazzari

This topic is about implementing a cross-modal transformation model on a chosen pair of human-centric sensors (sensors which are worn by or close to humans), for recreating one stream of sensor data based on the other one. The ultimate goal of this thesis is to evaluate the performance of such a model with respect to the privacy and/or security implications. Contact me if you are interested and/or have a cool idea for a specific pair of sensors relevant for violating the privacy and/or the security of a human being. Experience with machine learning and/or signal processing is required. A good understanding of sensors and their measured physical quantities is strongly recommended.

  2022 Available now

CSMA/CD for Wi-Fi

Supervisor: Robin Klose

Motivation Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is a technique used in wired networks like Ethernet (IEEE 802.3) to improve network performance by efficient medium access. When a collision is detected, the colliding nodes terminate their transmissions to keep the collision time as short as possible. This effectively improves the utilization of the transmission medium, since less time is spent in collisions and the time between transmission attempts is reduced. In wireless networks, however, CSMA/CD is generally assumed to be impractical due to the physical characteristics of the wireless channel. In fact, the power of a signal degrades by orders of magnitudes on its way from transmitter to receiver due to free space path loss and signal propagation effects, such as attenuation and reflections. Therefore, even if a transmitter was equipped with a separate receive antenna, its own transmission would typically drown out the weak signals from other transmitters, which would render the detection of weak signals impossible. Nevertheless, recent research has demonstrated that self-interference cancellation techniques become feasible, which allows to design full-duplex radios [1]. This might effectively be key to the design of CSMA/CD for IEEE 802.11-based networks, allowing for enhanced network performance under high load conditions [2]. [1] Mayank Jain, Jung Il Choi, Taemin Kim, Dinesh Bharadia, Siddharth Seth, Kannan Srinivasan, Philip Levis, Sachin Katti, and Prasun Sinha. “Practical, Real-Time, Full Duplex Wireless”, 17th annual international conference on Mobile computing and networking (ACM MobiCom '11). Las Vegas, Nevada, USA, 2011, pp. 301-312. [2] Konstantinos Voulgaris, Athanasios Gkelias, Imran Ashraf, Mischa Dohler and A. H. Aghvami. “Throughput Analysis of Wireless CSMA/CD for a Finite User Population”, IEEE Vehicular Technology Conference, Montreal, Quebec, CA, 2006, pp. 1-5. Goal Literature review: Review different self-interference cancellation techniques and assess their suitability for 802.11-based networks. Also review literature relating to channel access techniques. CSMA/CD design: Make a conceptual design of a fully-fledged CSMA/CD mechanism, which also takes practical limitations into account, such as settling times of gain controls. Your design may also employ correlation techniques to detect weak signals from far-away nodes. Implementation: Implement your CSMA/CD design on a software-defined radio. Self-interference cancellation might require a combination of well-considered antenna placement on the device, analog cancellation in the RF band, and digital cancellation in the baseband. Your implementation may be based on GNU Radio and USRP, or on WARP. Evaluation: Evaluate the performance of individual components of your implementation (e.g., the self-interference cancellation gain), as well as the overall performance of CSMA/CD nodes in a real network, as compared to conventional CSMA/CA.

  2022 Available now

Unsupervised learning from video segmentation to person/object tracking in wireless networks

Supervisor: Arash Asadi

There is a large body of work on using commercial wireless devices to detect, identify and localize people as well as their motion, gestures, and even vital signs. The underlying techniques span from machine learning techniques to signal processing and Radar. To some extent, the impact of a person's body/motion on the wireless signals can resemble an image/video. While there has been extensive use of advanced Machine learning techniques for people/object tracking in videos, there is very little work on using these techniques in the wireless domain. For example, applying the works presented here (https://www.youtube.com/watch?v=tSBWZ6nYld0) to wireless sensing. If you find this interesting, send me an email to discuss further details.

  2022 Available now

Preserving Privacy against WiFi Sensing

Supervisor: Arash Asadi

Your WiFi router is constantly monitoring the surrounding. You can analyze the channel state information to detect the location and even trajectory of people in their homes. There are many other applications including detecting heartbeat, breathing rate, reading lips, etc. If you are interested in implementing one of these systems using real hardware and finding solutions to fight against it, send me an email. Note that these are rather challenging topics as they require good knowledge of communication as well as signal processing. Research objective WiFi Sensing countermeasures Expected gain of knowledge Wireless communication, Signal processing

  2022 Available now

Going against the tide: Using interpretable machine learning instead of black box DNN for wireless sensing

Supervisor: Arash Asadi

Your WiFi router is constantly monitoring the surrounding. You can analyze the channel state information to detect the location and even trajectory of people in their homes. The majority of these works leverage black box machine learning, which questions their reliability. While many believe that the black box models provide higher performance and are less complex, new studies suggest otherwise [1]. If you are interesting to go against the tide and prove interpretable learning can perform similar to black box model in wireless sensing, send me an email. Research objective: Explanation methods for WiFi Sensing Expected gain of knowledge: Wireless communication, Interpretable machine learning [1] C. Rudin, “Stop explaining black box machine learning models for high stakes decisions and use interpretable models instead,” Nat Mach Intell, vol. 1, no. 5, pp. 206–215, 2019, doi: 10.1038/s42256-019-0048-x.

  2022 Available now

FPGA development and experimental analysis of beamforming and beam-tracking in 6G networks

Supervisor: Arash Asadi Waqar Ahmed

Millimeter-wave frequencies (30-300 GHz) will be dominating 6G communications, providing users with tens of Gbps data rates. However, communication at such high frequencies requires using highly directional beams to compensate for the propagation loss. In our group, we have access to unique software-defined radios capable of communication at 70 GHz with 4GHz of bandwidth. If you are interested in performing experimental studies in this area and contributing to the research in the next generation of mobile networks, this could be your topic. Research objective: Test and development of agile beamforming/tracking for 6G systems Expected gain of knowledge: Wireless communication, FPGA programming

  2021 In progress

Glitching Wireless Chips

Supervisor: Jiska Classen

Glitching is a method that allows bypassing security checks in firmware running on chips. Dropping voltage or inducing an electromagnetic field for a very short moment causes the chip to behave differently. For example, the chip might skip a check in the secure bootloader, allowing an attacker to run arbitrary firmware. This is of special interest for wireless security research. Instead of re-implementing protocols on software-defined radios, we can modify existing firmware to test very specific security assumptions in an otherwise unmodified environment. We have a lab with various equipment suitable for glitching, such as oscilloscopes, the ChipWhisperer and the ChipShouter. Thus, the thesis will require you to do at least some parts of the work onsite. However, we also have some ChipWhisperer Nanos etc., in case you want to do parts of the work from home. Required background knowledge is either electrical engineering or IT security. Can be done as both, either B.Sc. thesis or M.Sc. thesis, depending on the amount/complexity of chips.

  2021 Completed

FIDO2 Platform Authenticators

Supervisor: Florentin Putz

...

  2021 Completed

Evaluation of Acoustic Communication Schemes

Supervisor: Florentin Putz

...

  2021 Completed

Evaluation of Ultra-Wideband for Secure Device Pairing

Supervisor: Alexander Heinrich Florentin Putz

Evaluation of Ultra-Wideband for Secure Device Pairing

  2023 Completed

Finger Detection of Keystrokes from RGB Video Streams

Supervisor: Matthias Gazzari

To research the security impact of side-channel keylogging attacks, we need suitable datasets containing the sensor data and the pressed keys. However, when our side-channel targets the user through acceleration, EMG, or other wearable sensors, we might want additional ground truth about the users’ activity, e.g., a representation of which finger was used to type a certain key. This data makes it possible to directly correlate the sensor readings with the activity that caused them, which could help develop more accurate and robust keylogging models. Previous work in this area focused more on stand-alone virtual input devices that do not reflect real-world keyboards or require expensive motion tracking hardware to track finger positions. In this thesis, we design, implement and evaluate a system that can infer finger usage from a monocular RGB video of a user typing on an unmodified keyboard. Our evaluation shows that our implementation can accurately label the hand usage for over 96 % of keystrokes and the finger usage for over 97 % of keystrokes. As such, our system can be a helpful aid in the creation of new datasets for research into keylogging side-channels.

  2021 Completed

Analyzing the Deployment of Device-Specific Android Security Features

Supervisor: Florentin Putz

Analyzing the Deployment of Device-Specific Android Security Features

  2021 Completed

Investigating the Pitfalls of FIDO2 Usability in Practice

Supervisor: Florentin Putz

  2021 Completed

Handwriting Recognition using IMU and EMG Sensor Data

Supervisor: Matthias Gazzari

With the rise of wrist-worn devices like smartwatches and fitness trackers and the integration of Inertial Measurement Unit (IMU) sensors questions about the privacy impact of their recorded data arise which often gets little attention in privacy considerations. Worn on the wrist one possible impact is a possible eavesdropper inferring the handwriting done by the wearer of the device using the collected IMU data. Another use case is the deliberate digitizing of handwriting by users wearing such devices. In this case it is also feasible for the user to wear an additional device to improve the digitizing. In this thesis we investigate both the possible privacy impact and the possibilities for a deliberate digitizing of handwriting done on paper based on IMU sensor data recorded on a smartwatch. Furthermore, we collect Electromyography (EMG) sensor data using an armlet worn on the lower arm to analyze if the original recognition results can be improved utilizing these data. We design and conduct a data study aimed at mirroring everyday circumstances using an Apple Watch and a Thalmic Myo armlet to record the necessary data. Additionally, the original handwriting of the study participants is digitized by writing on paper on top of a Wacom Bamboo Slate tablet. We use the recorded continuous streams of IMU and EMG data to classify the written letters using the 1-Nearest Neighbor (1NN) algorithm in combination with the Dynamic Time Warping (DTW) algorithm. Our model achieves widely varying results depending on the writer and an overall accuracy of 0.28. Very low accuracies for the classification based on EMG data prevent us from evaluating possible improvements when combining both data types. Our findings suggest that the recognition depends on the writing style of the individual user and more research is required to make the handwriting recognition based on IMU or EMG data applicable to writing in everyday life.

  2021 Available now

Software Defined Wireless Networks

Supervisor: Bastian Bloessl

I work a lot with Software Defined Radio, in particular GNU Radio. Talk to me, if you are interested in: Implementing or testing a standard or proprietary technology. Real-time signal processing (e.g., scheduling or benchmarking). Hardware acceleration (SIMD, FPGA, or GPU). Distributed signal processing. If you are excited about one of these topics, we can come up with a Bachelor or Master thesis that matches your interest.

  2021 Completed

3D Positioning and Posture detection using iOS

Supervisor: Arash Asadi

Modern smartphones contain many sensors and frameworks that can capture the surrounding world.Capable mobile processors, machine learning and frameworks allow us to capture the pose of a human with very little extra work. We are looking for a student that wants to work with augmented reality and extend the posture detection system in iOS with a 3D positioning system. The software may combine multiple iPhones at different locations to enhance tracking. In the end, such a system allows to quickly create dataset necessary for WiFi sensing, create interactive games and more. A small introduction to the available frameworks has been given on WWDC 2020. Starting at minute 13 the video shows what is already possible today. https://developer.apple.com/videos/play/wwdc2020/10653/

  2021 Available now

Preserving Privacy against WiFi Sensing

Supervisor: Arash Asadi

Your WiFi router is constantly monitoring the surrounding. You can analyze the channel state information to detect location and even trajectory of people in their homes. There are many other applications including detecting heartbeat, breathing rate, reading lips, etc. If you interested in implementing one of these systems using real hardware and finding solutions to fight against it, send me an email. Note that these are rather challenging topics as they require good knowledge of communication as well as signal processing. Research objective WiFi Sensing countermeasures Expected gain of knowledge Wireless communication, Signal processing, Physical layer privacy

  2021 Completed

Protecting Heartbeat and Respiration Information in WiFi Sensing Applications

Supervisor: Arash Asadi

  2021 Completed

Security Analysis of Neighbor Awareness Networking-capable Wi-Fi Firmware using Fuzzing

Supervisor: Lars Almon

  2021 Completed

Protocol Design for Energy-Efficient Broadcast Tree Contruction in Wireless Ad-Hoc Networks

Supervisor: Robin Klose

  2021 In progress

iPhone Baseband

Supervisor: Jiska Classen

  2021 In progress

iOS CommCenter Protocol Analysis

Supervisor: Jiska Classen

  2021 In progress

iOS CommCenter Fuzzing

Supervisor: Jiska Classen

  2021 In progress

iOS Bluetooth Security

Supervisor: Jiska Classen

  2021 Completed

Very Pwnable Network: Reverse Engineering and Vulnerability Analysis of AnyConnect for Linux

Supervisor: Jiska Classen

  2021 In progress

Responsible Disclosure im IoT-Sektor

Supervisor: Jiska Classen

  2021 In progress

Practical Analysis of Friendly Jamming to Augment the Security of Industrial Remote Control Systems

Supervisor: Jiska Classen

  2021 In progress

Improving State Coverage in Bluetooth Fuzzing

Supervisor: Jiska Classen

  2021 Completed

Attacks on Wireless Coexistence

Supervisor: Jiska Classen

  2021 In progress

AnyConnect and VPN Security on iOS

Supervisor: Jiska Classen

  2021 Completed

A Full-Band Bluetooth Sniffer for a Software-Defined Radio

Supervisor: Bastian Bloessl Jiska Classen

  2020 Completed

Speeding up and hardening zero-interaction pairing by utilizing off-the-shelf IoT actuators

Supervisor: Mikhail Fomichev

  2020 Completed

Delay-Tolerant LoRaWAN with mobile Gateways and SatCom Backhaul

Supervisor: Lars Almon

  2020 Completed

LoRa for Smart Street Lamps

Supervisor: Lars Almon

  2020 Completed

Circumventing ECG Authentication with Deep Generative Models based on PPG Pulse Data

Supervisor: Matthias Gazzari

Electrocardiogram (ECG) biometrics is a steadily growing and increasingly popular field of research. In this work, we propose a novel attack scenario in which we train a generative model to uncover and spoof the ECG of a victim by merely observing another cardiovascular signal of the victim: their photoplethysmogram (PPG). For the model, we propose a conditional generative adversarial network (cGAN) with a U-Net style generator and least-squares loss. Since current training datasets do not fall into the off-the-person category, we additionally collect a custom dataset of synchronized PPG and ECG measurements. It features 33 recordings by 31 participants with a median age of 28. We evaluate the model against a baseline by Zhu et al. Our model has a lead over the baseline with a mean relative root-mean-square error (rRMSE) of 0.47 vs. 0.49 on the TBME-RR dataset but lacks behind on our own dataset with a mean rRMSE of 0.61 vs. 0.55. The evaluation demonstrates that the cGAN is able to properly recreate the overall characteristics and noise of the ground truth. In the proposed attack scenario, the model yields an overall success rate of up to 26 % against a neural-network-based authentication system.

  2020 Completed

Low-Latency Flooding in IEEE 802.11g Networks through Concurrent Broadcasting with Wireless Synchronization using WARP Software-Defined Radios

Supervisor: Robin Klose

  2020 Completed

Keylogging Side-Channel Attacks on Bluetooth Timestamps: A Timing Analysis of Keystrokes on Apple Magic Keyboards

Supervisor: Matthias Gazzari Jiska Classen

In the past several timing attacks have been applied to recover sensitive input on keyboards. If these kind of attacks could be migrated to the wireless communication of keyboards, this would make the use of wireless keyboards less secure. In this thesis we apply a timing attack on the Bluetooth communication of the Apple Magic Keyboard by recording the time between consecutive Bluetooth packets and recover the typing with a Hidden Markov Model (HMM). With this attack we are able to shrink the search space of random passwords by a factor of 5 to 10, which considerably speeds up exhaustive search.

  2020 Completed

The Latency--Throughput Tradeoff of GPP-based SDRs

Supervisor: Bastian Bloessl

  2020 Completed

GNU Radio Runtime Performance Evaluation

Supervisor: Bastian Bloessl

  2020 Completed

Analysis of Apple's crowdsourced location tracking system

Supervisor: Milan Stute

  2020 Completed

Prevalence Analysis of Dark Patterns in Newsletters

Supervisor: Matthias Gazzari

The dependence on online shopping makes consumers to popular targets of malicious intents. With a vast understanding of the human psyche, dark patterns are capable of leading consumers to perform actions which they would not do under normal circumstances, such as evoking buying pressure or giving away sensitive data. In this thesis, we focus on the detection of dark patterns, especially the Social Proof, Misdirection, Scarcity, and Urgency patterns using multinomial naïve Bayes, support-vector machine, k-nearest neighbor, and random forest, as well as state-of-the-art transfer learning methods like ULMFiT and DistilBERT. For this purpose, we utilize a collection of 1818 classified dark patterns. First, we perform nested cross-validations for all algorithms for valuable insights that we need for the model selection. Overall we achieve a balanced accuracy of 0.926 on average, whereas all models, except for k-nearest neighbor, perform similarly well. Then, with the gained knowledge, we demonstrate that dark patterns can indeed be detected using machine learning techniques. At last, using our fine-tuned models, we reveal the existence of dark patterns in a collection of newsletter emails, with a performance of 0.436 balanced accuracy. Thus we conclude, that this work provides essential insights into the fact that dark patterns exist in hitherto unnoticed fields and how more sophisticated methods are crucial to combat such patterns.

  2020 Completed

Implementation and Analysis of a Keystroke Dynamics Authentication System

Supervisor: Matthias Gazzari

Password based authentication systems face many problems in today’s time. Data breaches and users selecting weak passwords raised the need for different authentication methods or a second factor. Popular methods include fingerprint or face detection and second factors like access or transaction codes. But there are less explored systems that use keystroke dynamics authentication. In this bachelor thesis we analyze existing keystroke dynamics authentication systems. To get a better understanding we implement such a system. Using datasets that are publicly available our system reaches a false acceptance rate (FAR) of 14 % and a false rejection rate (FRR) of 28 %. Having an own keystroke dynamics authentication systems we can then perform an evaluation in terms of usability in practice. Based on this evaluation we discuss in which cases such a system is a suitable and secure way for authentication. We conclude that in general keystroke dynamics authentication systems are a convenient and secure way for an additional security factor. But we also distinguish existing challenges like when users have different computers (with different keyboards) or use auto-fill functions of password managers. And we state ideas on how our system’s performance could be improved and challenges could be faced.

  2020 Completed

Wi-Fi Sharing for All: Reverse Engineering and Breaking the Apple Wi-Fi Password Sharing Protocol

Supervisor: Milan Stute

Modern devices provide more and more functionality, simplifying everyday tasks. Obscured from the user are the complex, proprietary, and undocumented protocol stacks, most of them always listening in the background. In this thesis, we take a look at one of these features, Apple Wi-Fi Password Sharing, which enables users to share the Wi-Fi password to guests in their home. We publish documentation of involved frameworks, describe the actual protocol, and search for vulnerabilities. Besides one implementation bug, we find multiple small flaws in the protocol and user interface, which we combine into two attacks, a denial-of-service attack, which crashes the iOS settings app, and a man-in-the-middle attack, which spoofs the victim into an attacker-controlled Wi-Fi network.

  2020 Completed

Advanced Mitigation and Response Methods in the Context of Automotive Ethernet Security

  2020 Completed

VPN in a Mobile Environment: Security, Privacy, and Usability

Supervisor: Jiska Classen

  2020 Completed

ToothPicker: Enabling Over-the-Air and In-Process Fuzzing Within Apple's Bluetooth Ecosystem

Supervisor: Jiska Classen

  2020 Completed

Remote Code Patching Framework for a TETRA Base Station

Supervisor: Jiska Classen

  2020 Completed

Practical Security Analysis of IoT Ecosystems

Supervisor: Jiska Classen

  2020 Completed

Practical Bluetooth RNG Analysis

Supervisor: Jiska Classen

  2020 Completed

Polypyus: Firmware History Based Binary Diffing

Supervisor: Jiska Classen

  2020 Completed

Fuzzing a TETRA Base Station via Binary Patching

Supervisor: Jiska Classen

  2020 Completed

Bluetooth Low Energy Sniffing

Supervisor: Bastian Bloessl Jiska Classen

  2020 Completed

Applicability of IoT Security Frameworks as Guidelines for Penetration Testing

Supervisor: Jiska Classen Max Maass

  2020 Completed

Analyzing the macOS Bluetooth Stack

Supervisor: Jiska Classen

  2019 Completed

Analyzing Apple’s Private Wireless Communication Protocols with a Focus on Security and Privacy

Supervisor: Milan Stute

  2019 Completed

Communicating Privacy and Security issues

Supervisor: Max Maass

.

  2019 Completed

Creating an indoor simulation tool witha realistic antenna model for an IEEE 802.11ad 60 GHz devices

Supervisor: Allyson Sim Lars Almon

  2019 Completed

Detecting Extension Abuse in the Wild

Supervisor: Max Maass

.

  2019 Completed

Security Analysis of LoRaWAN: An Experimental Evaluation of Attacks

Supervisor: Lars Almon Flor Maria Alvarez Zurita

Low-power wide-area networks (LPWAN) are becoming the wireless backbone for modern business processes and municipal administration. LoRaWAN, which stands for long-range wide-area network, is a recent medium access control (MAC) layer protocol competing for this market. It stands out by its open operator model and a novel modulation technique. With LoRaWAN and other communication technologies are becoming a dependency for more and more aspects of today's society, the question for their security and reliability comes up. Previous researches on the topic have already revealed vulnerabilities in the first LoRaWAN specification, which have been partly mitigated in the most recent LoRaWAN 1.1. However, related studies often provide only theoretical results or consider practical scenarios only on a specific, small scale. In this thesis, we present a LoRaWAN security evaluation framework that allows field-testing the security and reliability characteristics of actual LoRaWAN deployments. This provides not only reproducible results but also allows making a comparison between defined versions of the specification and LoRaWAN software. Before expounding implementation details, we provide a literature survey on LoRaWAN vulnerabilities and attacks to identify interesting aspects for further evaluation. From our experimental results, we show that jamming is a serious threat to the availability of LoRaWAN networks. Furthermore, we demonstrate the practical applicability of two replay attacks against a selection of LoRaWAN software and illustrate why they will remain relevant for years due to backward compatibility.

  2019 Completed

Security Evaluation of LoRaWAN Network Servers using Fuzzing

Supervisor: Lars Almon

Low Power Wide Area Network (LPWAN) technologies like Long Range Wide Area Network (LoRaWAN) are used for creating low maintenance sensor networks in many scenarios. The central part of a LoRaWAN is the Network Server (NS). Previous security research often focused on conceptual security issues in the protocol, this work evaluates fuzzing, the security testing using semi-valid random messages, as a technique to find vulnerabilities in NSs. We investigate the situation of practical network deployments and software in use. Then we derive an approach for a general fuzzing framework for NSs. We present our fuzzer implementation in detail and describe experiments we conducted with an example network server. The results show that this network server was susceptible to a denial of service attack. We therefore conclude that fuzzing is an appropriate tool for making LoRaWANs more secure by uncovering vulnerabilities in NSs.

  2019 Completed

nextoyou - a zero-interactiion co-presence detection scheme based on Channel State Information

Supervisor: Mikhail Fomichev

  2019 In progress

Communicating Privacy and Security issues

Supervisor: Jiska Classen

  2019 Completed

Bluetooth Mesh Network Security Analysis: An Experimental Evaluation of Attacks Using Btlejack

Supervisor: Flor Maria Alvarez Zurita Lars Almon

  2019 Completed

PrivacyMail – Analyzing the Email Tracking Ecosystem

Supervisor: Max Maass

  2019 In progress

TETRA Base Station Binary Patching

Supervisor: Jiska Classen

  2019 Completed

Intercom Security

Supervisor: Lars Almon Jiska Classen

Intercom security analysis.

  2019 In progress

Bluetooth Entropy

Supervisor: Jiska Classen

  2019 In progress

Bluetooth Controller Emulation and Fuzzing

Supervisor: Jiska Classen

  2019 Completed

PrivacyGraph – A Holistic View of the Online Tracking Ecosystem

Supervisor: Max Maass

.

  2019 Completed

Applicability of Penetration Testing Guides for the Internet of Things

Supervisor: Max Maass

  2019 Completed

Smart Home Security

Supervisor: Max Maass

  2019 Completed

Practical Evaluation of LoRa in Multihop Networks

Supervisor: Lars Almon

Practical Evaluation of LoRa in Multihop Networks

  2019 Completed

Implementation of a Linux User-space Neighbor Awareness Networking Protocol Stack

Supervisor: Lars Almon

Implementation of a Linux User-space Neighbor Awareness Networking Protocol Stack

  2019 Completed

Analyzing Email Privacy

Supervisor: Max Maass

  2019 Completed

Advanced TSCH Scheduling Mechanisms for Wireless Sensor Networks

Supervisor: Dingwen Yuan

  2019 Completed

Practical Performance Analysis of Neighbor Awareness Networking

Supervisor: Lars Almon Milan Stute

  2019 Completed

Inferring Keystrokes from Myo Armband Electromyographic and Inertial Measurement Unit Data

Supervisor: Max Maass

Mobile devices, such as phones and wearables, include an increasing variety of more and more accurate sensors, only part of which the users can control to a certain extent to protect their privacy. In the meantime, mostly with respect to the accelerometer and gyroscope sensors of smartwatches, various keylogging side-channel attacks have been described in literature, demonstrating that sensitive information like passwords can be inferred from the data recorded by these sensors. In this thesis, we take a closer look at the Myo armband, a wearable device worn on the upper part of the forearm containing an accelerometer, a gyroscope, a magnetometer and eight electromyographic (EMG) sensors for measuring muscle activity. In particular, we investigate whether the EMG data supports the recognition of finger movements sufficiently to detect new keystrokes of the same person or of previously unseen typists. We create a dataset based on both keystroke and sensor data collected from 27 volunteers wearing two Myo armbands while typing on a physical keyboard. In order to detect keystrokes based on this data, we apply supervised learning approaches utilizing a random forest, a convolutional neural network (CNN) adaptation of WaveNet and a convolutional recurrent neural network (CRNN). We estimate the predictive performance, achieving a mean f1 score of 0.75 for the CRNN in the within-subject scope and an f1 score of about 0.61 for the between-subject scope, independent of the chosen model. These estimates are validated in a proof of concept, achieving a mean f1 score of 0.64 for the CRNN in the within-subject scope and a mean f1 score of 0.65 for the WaveNet adaptation on an unseen person in the between-subject scope.

  2019 Completed

Security Analysis of IoT Ecosystems

  2019 Completed

Secure Device Pairing Using Short-Range Acoustic Communication

Supervisor: Flor Maria Alvarez Zurita Jiska Classen

  2019 Completed

PowerPC Binary Patching and dissecting of TETRA Base Station

Supervisor: Jiska Classen

  2019 Completed

Fuzzing the Linux Bluetooth Stack

Supervisor: Jiska Classen

  2019 Completed

Dynamic Bluetooth Firmware Analysis

Supervisor: Jiska Classen

  2019 Completed

Analyzing Firmware and Cloud Security of a Premium IoT Ecosystem

Supervisor: Fabian Ullrich Jiska Classen

  2019 Completed

A researcher’s guide to the Fitbit Ionic smartwatch

Supervisor: Jiska Classen Daniel Wegemer

  2019 Completed

A Study on Proprietary Communication Protocols Used in TETRA Hardware Components

Supervisor: Jiska Classen

  2018 Completed

Security Aspects of the Apple Wireless Direct Link Protocol

Supervisor: Milan Stute

  2018 Completed

Separation of Channel Coefficients in Concurrent Wi-Fi Transmissions using Deep Neural Networks

Supervisor: Robin Klose

  2018 Completed

Design of a Secure DIAMETER Edge Agent - study of the capabilities and performances of a DEA, with a PoC implementation

  2018 Completed

Combining WiFi, Bluetooth and BLE: Limitations and synergy effects of using Google Nearby Connections 2.0

Supervisor: Lars Almon

Now most of the smartphones are equipped with different wireless interfaces namely Wi-Fi, Bluetooth, BLE, Ad-hoc Wi-Fi, and NFC. These different interfaces have different weaknesses and strengths. Bluetooth is suited for low bandwidth and short-range communication. Bluetooth Low Energy(BLE) on the other hand is aimed at devices which have limited power supply and need to transfer data in short intervals. Wi-Fi is well suited for high bandwidth, low-latency communication with increased ranges. By utilizing the combination of these interfaces, we can enhance the performance of offline peer-to-peer connectivity. The number of devices using the Internet is growing at a rapid rate, creating traffic congestion especially by using multimedia services. we can offload and distribute this traffic using high performance peer-to-peer connectivity. With the growing need of Infrastructureless network in the remote or disaster-stricken area, better device-to-device communication could prove to be life-saving. Nearby Connections 2.0 is the new offline peer-to-peer, high bandwidth low latency API from Google. It uses a combination of Wi-Fi Direct, BLE and Bluetooth to create reliable and fast connections. In this thesis, we evaluate Nearby Connections against all three interfaces it uses. We execute 4 experiments with different network parameters to analyze the limitations and benefits of using Nearby Connections. By varying different parameters we maximize the performance of each interface to observe the behavior of Nearby Connections. Our evaluation results indicate that this is in fact not the case with Nearby Connections. It does not adjust itself to get the best out of underlying interfaces. We show the limitations of Nearby Connections API. However, it performed better than both Bluetooth and BLE but against Wi-Fi Direct it performed way below the par.

  2018 Completed

Desynchronization Attacks and Mitigations for the Apple Wireless Direct Link Protocol

Supervisor: Milan Stute

  2018 Completed

Learning the Beams: Efficient Millimeter-Wave Beam-Steering Techniques

Supervisor: Daniel Steinmetzer

Motivation Beam-steering is the backbone of millimeter-wave (mm-wave) networks and key to achieve data-rates of multiple gigabit per second. Nodes must steer their antennas so that they maximize the signal gain towards the intended communication partner. The state-of-the-art to find the best antenna configuration is to probe all possible antenna configurations. This process caused high overhead, especially in case of mobility when parameters must be adjusted continuously. Goal In this thesis, you apply machine learning techniques to find the antenna parameters most suitable for probing and select the optimal configuration with low overhead. Implementation and evaluation in this thesis, should be performed by means of our mm-wave testbed platform with off-the-shelf IEEE 802.11ad devices. Experience with Linux, wireless network configuration, proper tools, and scripting languages is highly recommended.

  2018 Completed

Draining Mallory and Sybil: DoS-resistant Disruption-Tolerant Networks

Supervisor: Milan Stute

Description Disruption-Tolerant Networks (DTNs) can be used as a communication means in the emergency context when communication infrastructure is unavailable. In DTNs, mobile user devices such as smartphones act as “data mules”: they store, carry and forward messages. Unfortunately, the “storing” part is especially vulnerable to denial-of-service (DoS) attacks since an attacker can flood the network with bogus information and, thus, replace or purge valid messages from a node’s buffer. In this thesis, you will implement and evaluate a novel, DoS-resistant buffer management scheme in IBR-DTN [1], DTN implementation written in C++, which also runs on standard Android smartphones. [1] IBR-DTN. https://github.com/ibrdtn/ibrdtn.

  2018 Completed

Evaluation of MAC protocols for wireless sensor networks

Supervisor: Dingwen Yuan

  2018 Completed

Learning the Beams: Applying Evolution Algorithms for Optimized IEEE 802.11 ad Beamtraining

Supervisor: Daniel Steinmetzer

  2018 Completed

Wifi-based Key Encryption on Android Smartphones

Supervisor: Matthias Schulz Daniel Steinmetzer

  2018 Completed

Practical Low-Layer Attacks on IEEE802.11ad by Modified WiFi Firmware

Supervisor: Daniel Steinmetzer

Motivation Millimeter-Wave (mm-wave) communication systems such as IEEE 802.11ad use directional beams that need to be trained prior to establishing a high-throughput connection. Such beam training protocols--the backbone of mm-wave communications--have a high impacts of the security of performance. Jamming or manipulating the frames associated with the beam steering might prevent a connection from being established or steer the beam for an adversary's benefit. We already obtained access to a WiFi chip of state-of-the-art routers at firmware level. Goal A bachelor or master thesis is this area might extend our current framework and integrate, for example, packet injection or jamming to launch and evaluate the aforementioned attacks. Students should not be afraid of analyzing binary data and assembly instructions. Experience with IDA Pro is recommended.

  2018 Completed

60 Ghz Channel Models: From Theory to Practice (and Back Again)

Supervisor: Daniel Steinmetzer

Motivation The channel characteristics of millimeter-wave communication systems at 60 GHz differ those in lower frequency bands and require a fundamental rethinking of network design. To investigate such aspects of network performance, we developed a raytracing based simulation framework to predict the signal quality in arbitrary environments. However, the internals in the simulation are based on theoretical considerations and models. So far, simulation results have not been compared to realistic measurements. Goal In this thesis, your task is to extend our simulation framework [1] in MATLAB and/or Python and compare results with realistic measurements performed with common IEEE 802.11ad router hardware. We expect that impairments due to cheap antenna and RF circuit design lead to divergences from simulation. Can you adapt the simulation to provide more realistic outcomes? [1] mmTrace: ray-tracing based millimeter-wave propagation simulation

  2018 Completed

Hacking Bluetooth Firmware of WiFi Combo Chips in Mobile Devices

Supervisor: Matthias Schulz

  2018 Completed

Processing and evaluation of the smarter field test about delay-tolerant networks in the event of an disaster

Supervisor: Lars Almon

This thesis is about the processing and evaluation of the data generated by the Smartphone-based Communication Networks for Emergency Response (smarter) project. The smarter project is a research project that investigates the use of Delay Tolerant Networks (DTNs) as a method of communication for the civil population during a disaster situation. During this thesis the recorded data is transferred into a format readable by the simulator The Opportunistic Network Environment Simulator (The ONE), so that the field experiment can be repeated as often as required. This makes it possible to easily compare the data with that of other projects or to combine it with data genera ted by the simulator. The thesis also highlights some difficulties that may occure during the analysis and execution of field experiments.

  2018 Completed

Performance Comparision of Packet Schemes for Mutually Hidden Messages

Supervisor: Max Maass

  2018

Separation of Channel Coefficients with Deep Neural Networks

Supervisor: Robin Klose

Motivation The separation of channel coefficients is a time-consuming operation. In this thesis project, we are going to explore the suitability of deep neural networks (DNNs) to speed up a specific PHY-related optimization task Goal The goal of this project is to explore the suitability of DNNs to separate channel coefficients. The project main goals are: Research the literature about uses of DNNs in other optimization problems Explore suitable DNN configurations for the envisioned task Evaluate the DNN's performance in terms of accuracy and speed

  2018 Completed

Analyzing Vulnerability and Privacy Data from the PrivacyScore platform

Supervisor: Max Maass

Motivation Every day new cyber security vulnerabilities are discovered and reported, which indicate weak security standards adapted by websites. The main aim of a hacker is to steal sensitive information by exploiting these vulnerabilities. The information and data compromised can be very costly and damaging for an organization. Hence, due to ever evolving tactics of the hackers and the changing cyber threat landscape, it is very important for an organization to be aware of the security vulnerabilities. Until now, most of the work which is done allows to discover the vulnerabilities in web applications and anticipate the vulnerabilities exploits. Different techniques are used in this regard, including machine learning, evaluating inter-module relationships, and application of data analytics. All of these approaches have a common goal, which is to discover existing and new vulnerabilities and predict them for future. Some solutions consider evaluating the application code by performing static or dynamic analysis and finding vulnerabilities. However, a very critical question in this whole scenario arises, as to what we can do after a vulnerability is discovered? How to find similar vulnerabilities in the system and share this information with others for proactive resolution of the vulnerabilities? In this regard, data analysis of security vulnerabilities can provide a wealth of information. It can provide efficient vulnerability assessment by analyzing the existing vulnerability data

  2018 Completed

Privacy als Wettbewerbsfaktor? Analyse der Reaktionen von Unternehmen auf Privacy-Score-Bewertungen

Supervisor: Max Maass

  2018 Completed

NEAT-TCP: Generation of TCP Congestion Control through Neuroevolution of Augmenting Topologies for Wireless Multi-Hop Networks

Supervisor: Robin Klose

Motivation TCP performance in wireless multi-hop networks (WMNs) is hard to achieve due to losses on the wireless channel, interferences and limited resources at individual nodes. Recent research has proposed a simple neural network (NN) structure with one input layer, two hidden layers, and one output layer that efficiently applies congestion control and that results in significant performance improvements compared to conventional TCP variants [1]. Further, NeuroEvolution of Augmenting Topologies (NEAT) is a method based on evolutionary algorithms that can outperform fixed-topology NNs in reinforcement learning tasks. We expect that NEAT may improve the performance of manually crafted NNs like iTCP even further. Goal The goal of this project is to assess the ability of NEAT to further improve the performance of an iTCP-based congestion control algorithm in the context of WMNs. The project main goals are: Implement iTCP in a network simulation environment (ns-3) Use NEAT to generate a modified NN structure for congestion control Compare the performance of the modified congestion control to the initial iTCP-based version [1] A. B. M. Alim Al Islam and Vijay Raghunathan, “iTCP: an intelligent TCP with neural network based end-to-end congestion control for ad-hoc multi-hop wireless mesh networks”, Wireless Networks, Volume 21, Issue 2, pp. 581–610, February 2015. doi: 10.1007/s11276-014-0799-6 [2] Kenneth O. Stanley and Risto Miikkulainen, “Evolving Neural Networks through Augmenting Topologies”, Evolutionary Computation 10:2, pp. 99-127, MIT Press, 2002. doi: 10.1162/106365602320169811

  2018 Completed

Implementing a WiFi Jammer on a Raspberry Pi

Supervisor: Matthias Schulz

  2018 Completed

Experimental Evaluation on Inband Device-to-Device Communication in LTE

Supervisor: Arash Asadi

  2018 Completed

Practical Broadcast Tree Construction with Potential Game for Energy-Efficient Data Dissemination in Ad-Hoc Networks

Supervisor: Robin Klose

Motivation This project addresses the problem of energy-efficient data dissemination from a source node to all other nodes in a wireless multi-hop network. Mahdi Mousavi et al. from the Communications Engineering Lab at TU Darmstadt have devised a decentralized algorithm towards this goal that is based on game theory [1]. While simulation results have shown that this mechanism significantly outperforms other conventional flooding mechanisms, its practical applicability still remains unexplored. Goal The goal of this thesis project is to design a practical protocol that runs the game theoretical algorithm in [1] and to evaluate its performance in a network simulation environment. The project main goals are: Analyze the game theoretical algorithm [1] for limiting assumptions Devise a practical protocol for broadcast tree construction that is based on [1] Implement this protocol in a simulation environment (ns-3) Evaluate the energy efficiency of the constructed broadcast tree in comparison to conventional flooding techniques while taking the protocol overhead into account [1] Mahdi Mousavi, Hussein Al-Shatri, Matthias Wichtlhuber, David Hausheer and Anja Klein, “Energy-Efficient Data Dissemination in Ad Hoc Networks: Mechanism Design with Potential Game”, 2015 International Symposium on Wireless Communication Systems (ISWCS), Brussels, 2015, pp. 616-620. doi: 10.1109/ISWCS.2015.7454421

  2018 Completed

Using Physical Unclonable Functions (PUFs) for Data-Link Layer Authenticity Verification to Mitigate Attacks on IEEE 802.11ad Beam Training

Supervisor: Daniel Steinmetzer

  2018 Completed

Practical Defense Against Pollution Attacks in Network Coding-based Systems

Supervisor: Milan Stute

Motivation Network Coding has many positives properties that make it especially suitable for Wireless Multihop Networks [1]. Network Coding can be used to increase the effective capacity of the network, by coding (simplest form: bit-wise XOR) together packets of different flows and forwarding them in a single broadcast transmission to their intended receivers, e.g., [2]. It can also be used within a single flow to improve forward error correction (FEC) and, thus, increase transmission reliability, e.g., [3]. Unfortunately, systems based on Network Coding are easy targets for a number of attacks, and even easier to disrupt than protocols based on traditional forwarding [4]. Goal In this thesis, you will familiarize yourself with the concept of Network Coding and analyize potential threats to both inter- and intra-flow Network Coding. Based on this, you will design and implement practical security measures. The design should then be validated against a number of different attacks.

  2018 Completed

Experimental Evaluation of Mobile Attacks on Ad hoc Routing Protocols

Supervisor: Milan Stute

  2018 Completed

Testing the Efficacy of Vulnerability Disclosure over different Channels

Supervisor: Max Maass

  2018 Completed

Sicherheit funkferngesteuerter Rangierlokomotiven

Supervisor: Jiska Classen

  2018 Completed

Security Analysis and Firmware Modification of Fitbit Fitness Trackers

Supervisor: Jiska Classen

  2018 Completed

InternalBlue - A Bluetooth Experimentation Framework Based on Mobile Device Reverse Engineering

Supervisor: Matthias Schulz Jiska Classen

  2018 Completed

Angriffsanalyse einer TETRA-Basisstation

Supervisor: Jiska Classen

  2018 Completed

Analysing and Evaluating Interface, Communication, and Web Security in Productive IoT Ecosystems

Supervisor: Jiska Classen Max Maass

  2017 Completed

Reverse Engineering the Apple Auto Unlock Protocol

Supervisor: Matthias Schulz

  2017 Completed

Estimating Global MANET Metrics Based on Locally Observed Information

Supervisor: Robin Klose

Motivation Knowledge of global network state is crucial for several innovative network optimization techniques. Essentially, incorporating knowledge about the overall network state into locally made decisions at decentralized nodes might improve the overall network performance. A node might for instance perform transitions between network mechanisms that are optimized for certain network conditions. However, an individual node's scope of the network is limited in practice since it is able to overhear the wireless channel only locally, and explicit notification about global network state would result in large overhead. Therefore, we seek to extend a node's view into the network by means of machine learning techniques. Goal The goal of this thesis is to estimate global metrics of a mobile ad-hoc network (MANET) by means of locally overheard information in a network simulation environment. Literature review: Identify network optimization techniques that rely on global network knowledge and extract their requirements. Define metrics: Make a list of global network properties that should be classified or estimated. Identification of features: Identify potential features that can be obtained by traffic monitoring. Features that comprise relevant information about distant nodes might for instance be obtained by inspecting packet headers of the higher layers (e.g., network layer and transport layer). Feature engineering and machine learning: Select and engineer features that can be obtained by overhearing the wireless channel. Implementation: Run experiments with the ns-3 network simulator and evaluate the estimator's performance.

  2017 Completed

Self-Replicating Malware for Wi-Fi Chips

Supervisor: Matthias Schulz

  2017 Completed

Understanding the Apple Auto Unlock Protocol

Supervisor: Milan Stute

Description Abstract of final thesis: The Apple Watch provides the ability to automatically unlock a device running macOS when in proximity. The underlying proprietary protocol is called Auto Unlock (AU) and differs from other smart locking techniques. It uses a combination of two wireless technologies: Bluetooth Low Energy (BLE) and IEEE 802.11, to facilitate secure proximity detection. In this work we analyze the protocol by using reverse engineering and dynamic debugging. We show that AU uses both standardized protocols as well as proprietary techniques to implement a secure distance bounding protocol. With this knowledge, we discuss attack vectors and conduct a successful Man-in-the-Middle (MitM) attack on the protocol. Furthermore, we provide a starting point to allow implementations on other platforms by specifying the protocol and establish the foundation for further attacks.

  2017 Completed

Investigating practical man-in-the-middle network attacks on IEEE 802.11 ad

Supervisor: Daniel Steinmetzer

  2017 Completed

Wi-Fi based Covert Channels on Android Smartphones

Supervisor: Matthias Schulz

  2017 Completed

Evaluation of Latency Reduction Techniques for 5th Generation Mobile Network

Supervisor: Arash Asadi

  2017 Completed

Extension of the Open Visible Light Communication Driver for Linux

  2017 Completed

ACE security profiles for the IoT

  2017 Completed

Securing SCADA Protocols

  2017 Completed

OAuth 2.0 for IoT: IPsec channel establishment and authorized resource access in the IoT

Supervisor: Max Maass

To secure the Internet of Things (IoT) while keeping its interoperability with today’s Internet is crucial to unleash the full potential of the IoT. Authentication and Authorization are fundamental guarantees to enable further security and operational challenges. To fulfill these guarantees in complex and diverse scenarios, we propose a solution based on the Authentication and Authorization for Constrained Environments (ACE) Framework, a token-based authorization, and authorization. Our solution, the IPsec profile for ACE, builds on the IPsec protocol suite and the Internet Engineering Task Force (IETF) IoT stack to provide network layer security and IPsec channel establishment based on token provisioning for constrained devices. The Direct Provisioning (DP) of Security Association (SA), symmetric-based authenticated establishment (Internet Key Exchange Protocol version 2 (IKEv2) in Pre-Shared Key (PSK) mode), and asymmetric key-based authenticated establishment (IKEv2 in Certificate-based Public Key (CPK) mode) are specified as ways to establish SAs, i.e., IPsec channels. We provide an implementation for Contiki, an Operating System (OS) for constrained devices such as the Zolertia Firefly. Furthermore, we evaluate our protocol design providing an lower bound for the performance of the profile. The evaluation includes network latency and processing time, energy consumption, memory footprint and packet sizes for the different SA establishment methods. The results provide a benchmark for the different protocol steps as well as aggregated measures for each of the evaluated setups. Our evaluation showed that the DP establishment has the smallest memory footprint and ACE packet size, and at the same time the highest performance. In the other hand, the authenticated establishment featuring IKEv2 in CPK mode, shows the largest memory footprint and packet size, together with the lowest performance of the three SA establishment methods. The trade-off regarding Random Access Memory (RAM) and Read-Only Memory (ROM) footprint, power consumption and network latency and processing time and security guarantees are also described.

  2017 Completed

Reverse Engineering the Apple Wireless Direct Link Protocol

Supervisor: Milan Stute Flor Maria Alvarez Zurita

Apple Wireless Direct Link (AWDL) is a proprietary and undocumented 802.11 based peer-to-peer protocol. It is implemented in all of Apple's operating systems. In this thesis a reverse engineering method using binary analysis complemented by runtime analysis with traces and logs was applied. We found that each device in AWDL provides its own channel sequence. An elected master node is used to synchronize these sequences. Outside these windows of time, devices can use their wireless radio for other protocols or save energy by turning it off. Each node adapts its channel sequence, e.g. depending on network load, shifting the ratio between infrastructure and peer-to-peer Wi-Fi. This thesis also provides a first analysis of AWDL, includes the frame format documentation and presents a Wireshark dissector and a prototype implementation for AWDL.

  2017 Completed

Collide, Collate, Collect: Recognizing Senders in Wireless Collisions

Supervisor: Robin Klose

Description With wireless mobile IEEE 802.11a/g networks, collisions are currently inevitable despite effective counter measures. This work proposes an approach to detect the MAC addresses of transmitting stations in case of a collision, and measures its practical feasibility. Recognizing senders using cross-correlation in the time domain worked surprisingly well in simulations using Additive White Gaussian Noise (AWGN) and standard Matlab channel models. Real-world experiments using software-defined radios also showed promising results in spite of decreased accuracy due to channel effects. During the experiments, various Modulation and Coding Schemes (MCSs) and scrambler initialization values were compared. Knowledge about which senders were transmitting leading up to a collision could help develop new improvements to the 802.11 MAC coordination function, or serve as a feature for learning-based algorithms. Motivation Collisions on wireless networks most likely lead to packet losses. Current network protocols typically recover from these situations by retransmissions. In doing so, the overall network capacity is reduced and the network delay increases with the amount and duration of collisions. However, collided frames may still reveal valuable information that might be suitable for advanced protocol designs. Goal Detect frame alignments of collided frames at the PHY. Devise techniques to detect known data, such as MAC header fields. Analyze real network scenarios with respect to collisions, classify observed events (e.g., pairs of hidden terminals) and generate statistics.

  2017 Completed

Decompilation and Automated Analysis of b43 Assembly Code used in Broadcom WiFi Chips

  2017 Completed

Practical use of network coding to sustain robustness in secure mobile ad hoc communication

  2017 Completed

Neighbor Discovery and Maintenance under Mobility in mmWave-based Mesh Networks

Supervisor: Daniel Steinmetzer Milan Stute

  2017 Completed

Secure localization and distance bounding with IEEE 802.11

Supervisor: Matthias Schulz

  2017 Completed

Modification of LTE firmwares on Smartphones

  2017 Completed

Implementation of a Contextual Framework for Secure Device Pairing Methods on Android

Supervisor: Mikhail Fomichev

Motivation With the proliferation of numerous personal gadgets and smart devices, device pairing has become prominent in introducing security to such a diverse environment. Clearly, the process of secure device pairing is much more ambiguous than previously thought. This stems from the fact that there is no coherent vision of the pairing problem among the research community. To this end, we see that there is a plethora of various pairing protocols that have been proposed many of which are insecure or fail to work in practice. Clearly, there is no single winner in a device pairing race. Goal Correspondingly, one solution to such a problem is to support several pairing methods. However, from a user prospective this may create an additional burden. On top of that, some pairing protocols may be less appropriate security‐wise in certain scenarios. For instance, if a paring method relies on audio but is used in a noisy environment, this creates an additional attack vector or causes reliability issues. Another example are visual paring techniques used in a public place, which can be subject to shoulder surfing. Overall, in this thesis you will research which contextual information that can be gathered by a modern smartphone can augment in secure device pairing. We already have a working Android implementation which performs different methods of device pairing. More specifically, your task is to identify which factors can be potentially hazardous or beneficial for a certain pairing method in a particular scenario. The context that we are going to incorporate includes both the environmental information as well as the user input (feedback, preferences, etc.). Hence, you'll take measurements on the smartphone to rate the environmental information, and perform a small user study (20-30 users) on the device pairing usability.

  2017 Completed

Design, Implementation and Evaluation of a Privacy-preserving Framework for Trust Inference on Android

Supervisor: Mikhail Fomichev

  2017 Completed

Nexman-based Wireless Penetration Testing Suite for Android

Supervisor: Matthias Schulz

  2017 Completed

Design, Implementation and Evaluation of Realistic Scenarios and Movement Models for Natural Disasters Using Simulations for Delay Tolerant Networks

Supervisor: Milan Stute Max Maass

Description Seeing the continuous increase in natural disasters around the world, many people are contemplating how to contribute helping those in need. Among them are several computer scientists who fulfil their share by developing technology which enables fast and reliable communication in disaster areas. We were inspired by their work and thus wanted to further improve the state-of-the-art. DTN is a specific technology which can be used for the creation of alternative networks in disaster areas, where conventional ones are unavailable due to the inevitable destructions implied by the disaster. Given that such technology is usually evaluated within network simulators we exclusively focus on improving the state-of-the-art of movement models and scenarios utilized within such simulators. The very random driven, and thus not realistic, state-of-the-art is improved by our contribution in the form of a fully designed, implemented, and evaluated realistic natural disaster movement model with underlying scenarios. The results of our evaluation indicate that previously published results might be too optimistic. Thus, further approximations to reality are inevitable for more accurate simulation of DTN, in the goal to ultimately obtain better and more realistic results.

  2017 Completed

TETRA Security Analysis by Fuzzing

Supervisor: Jiska Classen

  2017 Completed

Improving a Linux Device Driver for Visible Light Communication

Supervisor: Jiska Classen

  2017 Completed

Implementierung des unteren MAC-Layers für die OpenVLC Hardware

Supervisor: Jiska Classen

  2017 Completed

Implementation of a Physical Layer for Visible Light Communication using the OpenVLC platform

Supervisor: Jiska Classen

  2017 Completed

Detecting WiFi Covert Channels

Supervisor: Jiska Classen

  2017 Completed

Design and Evaluation of a Hybrid SDR Testbed For Visible Light Communication and Wi-Fi

Supervisor: Jiska Classen

  2017 Completed

Absicherung von SCADA-Protokollen

Supervisor: Jiska Classen

  2016 Completed

A Framework for Adaptive Energy-efficient Neighbour Discovery in Oppertunistic Networks

Supervisor: Flor Maria Alvarez Zurita

  2016 Completed

Implementation of infrastructureless BFPSI on Android

  2016 In progress

60 GHz Millimeter Wave Medium Access Control

Supervisor: Allyson Sim

Description The state-of-the art of the channel access sharing in millimeter-wave and non-millimeter wave communications. Define the challenges that are important to have an optimal sharing between medium access. Development of a simulation tool or a simple test-bed to analyze the result of the proposed technique. Motivation Due to the limitation of bandwidth at the lower frequency band and extreme increase in the demand for high quality multimedia content transmission, 60 GHz serves a key solution to this problem. Further, 60 GHz is foreseen to be the upcoming frequency for Wifi networks. However, there are many interesting challenges for medium access due to the unique propagation at this frequency. Vision This project is aimed to find out the solution to the sharing the different medium accesses techniques based on the data traffic.

  2016 In progress

Concurrent transmission D2D millimeter-wave

Supervisor: Allyson Sim

Motivation Directional transmission used for millimeter wave communication arises many challenges. However, extreme spatial sharing of the millimeter wave spectrum boost the throughput per area by a significant amount. The increase in per area throughput is nevertheless still an open research! Goal Literature review on the existing concurrent wireless transmission in microwave and millimeter wave. Identify the challenges of concurrent transmission using millimeter wave. New contribution Propose possible ways to solve the problem found OR Evaluation of concurrent transmission using off-the-shelf devices.

  2016 Completed

Secure Context Migration between IEEE 802.11 Networks

Supervisor: Marc Werner

  2016 Completed

Probe request tracking in WiFi firmware

Supervisor: Matthias Schulz

  2016 Completed

Reactive, Smaratphone-based Jammer for IEEE 802.11 Networks

  2016 Completed

Secure key exchange protocol for a group communication during emergency responses

Supervisor: Flor Maria Alvarez Zurita

  2016 Completed

Utilizing Secure Elements to Establish Authentication in MANETs on Android

  2016 Completed

Design and Implementation of a Service-Oriented Architecture for Large-Scale Testbed Management

Supervisor: Marc Werner

Description Wireless Multihop Network testbeds are often distributed over large physical areas and have many devices which renders management challenging. A multitude of diverse frameworks are available to assist in the management of such testbeds. Properties like scalability, heterogeneous hardware support and effortless testbed configuration are a self-evident goal for these frameworks. However, this combination is hard to achieve and the exact requirements vary for different testbeds. Instead of providing a completely new and tailored experimentation framework, I propose Panopticon, a service oriented management framework, providing a lower layer to intercept and improve existing functionality. It slices large, distributed testbeds into dynamically sized subunits, offering a granular choice in testbed experimentation frameworks for every slice. Such an exper- imentation framework can be selected regarding the exact experiment’s requirements and not as a compromise between all available testbed components. Panopticon’s list of services can be extended, offering simple entry points for new, custom implementations. It is a framework federating network enabled infrastructures.

  2016 Completed

Energy efficient WiFi analysis framework on smartphones

Supervisor: Milan Stute

  2016 Completed

Unified Multi-modal Secure Device Pairing for Infrastructure and Ad-hoc Networks Bachelor Thesis

Supervisor: Daniel Steinmetzer

Motivation Todays technologies heavily rely on wireless communications. Our mobile devices connect to infrastructure devices such as wireless routers, perform ad-hoc connections among each other and connect to peripheral devices such as smart watches, fitness tracker and headsets. However, since security is essential in most application scenarios, authentication is a big challenge. To join a wireless network pre-shared credentials are required. Pairing in proximity via bluetooth requires the same pin to be entered on both devices. This proceeding is inconvenient and differs for different kinds of devices. Although, user-friendly and secure pairing mechanisms utilizing multi-modal technologies are proposed, no unified solution exists, yet. Goal In this thesis you elaborate different kind of pairing mechanism and analyze their security regarding various attacks. You design a unified multi-modal pairing protocol and implement a prototype on Android. Your protocol combines pairing strategies over different communication technologies (e.g. WiFi, Bluetooth, NFC, sound, light) and selects a suitable subset matching the devices capabilities. Since some strategies are easier to intercept than others, your protocol attests the paring procedure for retrospective trust estimation in application context. With your proposal we show that a unified multi-modal paring is feasible for both infrastructure and ad-hoc networks with flexible security requirements.

  2016 Completed

Unified Multi-Modal Device Pairing in Infrastructure and Ad-hoc networks

Supervisor: Daniel Steinmetzer

  2016 Completed

A Systemfor Privacy-Preserving Mobile Health and Fitness Data Sharing: Design, Implementation and Evaluation

  2016 Completed

Reverse Engineering Apple's Multipeer Connectivity Framework and Implementation on the Android platform

Supervisor: Matthias Schulz

  2016 Completed

Enabling Seamless Transitions betweegn Cyrptographically Secured

Supervisor: Marc Werner

  2016 Completed

TETRA Fuzzing

Supervisor: Jiska Classen

  2016 Completed

Location Privacy of Digital Trunked Radio

Supervisor: Jiska Classen Robin Klose

  2015 Completed

Infecting the Wire: Wireless Eavesdropping, Packet Injection and Reactive Jamming on Wired 10Base-T IEEE 802.3 Ehternet Networks

  2015 Completed

Privacy and anonymity risks on Android

  2015 Completed

Performance evaluation of an anonymous communication system on a mobile device

  2015 Completed

Implementation and Evaluation of PUF-based Cryptographic Kex Generation Schemes on FPGA

  2015 Completed

Design and Evaluation of a supervised machine learning based Intrusion Detection System for WSN

Supervisor: Michael Riecker

  2015 Completed

Securing Efficient Network Flooding and Time Synchronization for Ultra-Low Latency Communication in Wireless Sensor Networks

  2015 Completed

Design and Implementation of lichtweight attestation for embedded systems

  2015 Completed

Intrusion Detection using Data Mining

  2015 Completed

Audio-based Covert Channels on Smartphones

  2015 Completed

Wireless Eavesdropping and Pocket Injection in Ethernet Networks

Supervisor: Matthias Schulz

  2015 Completed

Secure Transitions

Supervisor: Marc Werner

  2015 Completed

Design, Implementation and Evaluation of a System Information Service

  2014 Completed

Measuring the Impact of Denial of Service Attacks on Wireless Sensor

  2014 Completed

Protecting User Privacy by Learning from Mobile Communication Data

  2014 Completed

Design, Integration and Evaluation of Real-time Notifications

  2014 Completed

Network ID: Self-Provisioning Service Proxy

Supervisor: Marc Werner

  2014 Completed

Let's go WARP: Integrating the Click Modular Router and the Wireless Open-Access Research Platform

Supervisor: Matthias Schulz

  2014 Completed

Delay-tolerant routing for emergency networks

Supervisor: Michael Noisternig

  2014 Completed

Signal Pre-Processing in a Physical Layer Based Key Management System for Wireless Communications

  2014 Completed

Statistically analysing the Impact of

Supervisor: Michael Riecker

  2014 Completed

Security Analysis of Physical Layor Key Exchange Mechanism

  2014 Completed

Implementation and Detection of culluding injection attacks by means of active probing

  2014 Completed

Decentralized Privacy-preserving Location Mechanism

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2014 Completed

Corridor Building in Wireless Multihop Networks

  2014 Completed

Outlier Detection in Wireless Sensor Networks

Supervisor: Michael Riecker

  2014 Completed

Realtime aggregation and spatial visualization of emergency messages

  2013 Completed

Security Mechanisms for Emergency Response Networks

  2013 Completed

Design, Implementation and Evaluation of Incentive Schemes for Mobile Sensing Applications

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2013 Completed

Physical layer path signatures for wireless multihop networks

  2013 Completed

Improving of the detection mechanism of an open-source intrusion detection system

Supervisor: Rodrigo do Carmo

  2013 Completed

Practical Physical Layer Security in MIMO Systems using Software Defined Radios

  2013 Completed

Implementation of a cross-layer technique for an OFDM-based Wiresell Mesh Network

  2013 Completed

Geographic Routing Based on Physical Layer Information for Wireless Multihop Networks

  2012 Completed

Performance-based Intrusion Detection in Wireless Sensor Networks

Supervisor: Michael Riecker

  2012 Completed

Mobile Phones as Sensors for Intrusion Detection in Wireless Mesh Networks

  2012 Completed

Secure Modular Protokolls for Wireless Multihop Networks

  2012 Completed

Implementation and Evaluation of Opportunistic Mobile Ad Hoc Networks

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2012 Completed

Design, Implementation, and Evaluation of User Interfaces for Decentralized Privacy-Preserving Mechanisms

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2012 Completed

Towards Strong Anonymity in Delay-Tolerant Networks

  2012 Completed

Increasing Privacy Awareness through Intuitive Interfaces for Participatory Sensing Applications

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2012 Completed

Methods for Trust Assessment in Participatory Sensing Scenarios

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2012 Completed

Secure Monitoring of Wireless Sensor Networks

Supervisor: Michael Riecker Dingwen Yuan

  2012 Completed

On the Efficiency of Privacy-preserving Path Hiding for Participatory Sensing Applications

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2012 Completed

Dynamic Subchannel Allocation in OFDMA-Based Wireless Mesh Networks

  2012 Completed

Decentralized Trust Models for Participatory Sensing

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2011 Completed

Privacy-aware Tasking for Participatory Sensing Applications

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing. Dr. N. Repp

  2011 Completed

Machine Learning-based Anomaly Detection in Wireless Sensor Networks

Supervisor: Michael Riecker

  2011 Completed

A Framework for Privacy Metrics in Participatory Sensing Scenarios

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2011 Completed

Improving Link Quality in Wireless Sensor Networks

  2011 Completed

Generation, Distribution and Verification of Sensor-based Credentials for Participatory Sensing Scenarios

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2011 Completed

Methods to Identify and Classify Social Links: Design and Implementation

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2011 Completed

Implementation and Evaluation of a Mechanism to Preserve Location Privacy in Participatory Sensing Scenarios

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2011 Completed

Anonymity and Reputation in Participatory Sensing

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.

  2011 Completed

Security Solutions for Geographic Routing in Wireless Multihop Networks

  2011 Completed

Realization of a Testbed and Analysis of Attacks against Routing Mechanisms in Mobile Ad hoc Networks

  2010 Completed

Mitigating Attacks on IEEE 802.11s Security Mechanisms

  2010 Completed

Fine-gained Access Control Enabling Privacy Support in Participatory Sensing

Supervisor: Delphine Christin, Jun.-Prof. Dr-Ing.