  2023 Completed (February 2024)

Prototyping Public Warning Displays Based on E-Paper

Within the research center emergenCITY, we are looking for ways to keep people informed during crises which affect the power grid and/or communication networks. Integrating ePaper displays, which require only low power and keep their information during interruptions, seems to be an interesting approach for this use case. This thesis implements a proof of concept for mounting such a display on the facade of a building.

  2024 Available now

Synced Realities: Wifi, Motion and Video

Recent years have seen tremendous progress in the capabilities of WiFi sensing systems. Using commercial off-the-shelf devices, such as routers or phones, WiFi signals can be used to make accurate predictions about their environments. The holy grail among all sensing methods is the 3D reconstruction [1] of people that move between WiFi devices. Powerful new machine learning techniques have renewed hope in making this endeavor possible. However, such approaches need data; lots of it, precisely labeled. At WISE and SEEMOO, we've developed a system for capturing multi-modal data: WiFi sensing, video, and sub-millimeter motion capture. If you're intrigued by the prospect of shaping high-quality datasets, delving into data processing intricacies, and contributing to meaningful research, this thesis opportunity offers a chance to be part of the evolving landscape of wireless sensing. Join us in exploring the potential of multi-modal sensing and redefining the boundaries of what's achievable!

[1] Geng, Jiaqi, Dong Huang, and Fernando De la Torre. "DensePose From WiFi." arXiv preprint arXiv:2301.00250 (2022).

  2024 In progress

Bringing Rust to Broadcom WiFi SoCs

In this thesis, we develop a minimal firmware that initializes vital parts of Broadcom WiFi SoCs and provides a feature-extendable base for future projects. We use the modern programming language Rust, which is as performant as C but more secure by default, and still provides the low-level access required when designing such a system. Broadcom develops complex WiFi single-chip systems that can be found in millions of devices such as recent smartphones and access points. These WiFi SoCs run equally complex firmware. This proprietary firmware is originally written in C and only available as a binary blob. A framework originally developed at SEEMOO by M. Schulz (Nexmon: The C-based Firmware Patching Framework) simplifies the process of modifying the firmware, but doing this correctly is still a heavy and error-prone task, mostly due to interference between the complex firmware and our modifications. In many cases, we don't need most parts of the original firmware, and a minimal running system would benefit us, especially by reducing interference with our additions. Besides coding in Rust, this work includes static and dynamic reverse engineering and analysis of code, drivers, and firmware. You should be confident with reading C code and open to learning new skills. Experience with hardware-near programming / microcontrollers is beneficial.

  2024 In progress

Reversing Broadcom's WiFi CSI Monitor

Channel State Information (CSI) is a metric describing the amplitude and phase changes introduced by the communication channel between two devices. It is estimated for WiFi communication by default to compensate for channel effects. Recent research shows that this metric can be used for sensing, e.g. localization, fingerprinting, or motion detection. However, CSI is typically not available to applications on consumer devices. Broadcom entered the game by providing a CSI monitor with some of its latest WiFi SoCs. These chips can be found in numerous access points. However, there is no public documentation of this feature's implementation or usage. In this thesis, we analyze Broadcom's proprietary CSI monitor feature by dynamically and statically reverse engineering userland, driver, and firmware binaries and compare the results with state-of-the-art CSI extractors. You should be confident with the programming language C and with digging into unknown territory.

  2023 Available now

Software Defined Wireless Networks

I work a lot with Software Defined Radio, in particular FutureSDR (on the software side) and Ettus USRPs, Aaronia Spectran v6, and Xilinx RFSoCs (on the hardware side). Talk to me if you are interested in:
- Implementation and performance evaluation of a wireless standard or technology.
- Real-time signal processing (e.g., scheduling or benchmarking).
- Hardware acceleration (SIMD, FPGA, or GPU).
- Distributed signal processing.
- Open RAN.
If you are excited about one of these topics, we can come up with a Bachelor or Master thesis that matches your interest.

  2023 In progress

App Services in Disrupted Cities

...

  2023 In progress

O-RAN Radio Unit Security

...

  2023 In progress

O-RAN Central Unit Security

...

  2023 In progress

Wireless PBFT-Based Consensus Protocols

...

  2023 Available now

Beam management in mmWave full duplex joint sensing and communication system

Joint Sensing and Communication technology is one of the key 6G technologies. It makes your phone/vehicle/device smarter by providing sensing and communication simultaneously [1]. By transmitting the data in a directed beam, both sensing and communication performance can be improved. If you are interested in beam-related design in joint sensing and communication systems, feel free to contact us.
Research objective:
1. Sensing parameter estimation
2. Beam management (searching/tracking) and beamforming design
3. Full duplex joint sensing and communication system design
Expected gain of knowledge: Wireless communication
[1] Y. Cui, F. Liu, X. Jing and J. Mu, "Integrating Sensing and Communications for Ubiquitous IoT: Applications, Trends, and Challenges," in IEEE Network, vol. 35, no. 5, pp. 158-167, September/October 2021.

  2023 Available now

mmWave full duplex joint sensing and communication design

Joint Sensing and Communication technology is one of the key 6G technologies. It makes your phone/vehicle/device, etc., smarter by providing sensing and communication simultaneously [1]. By configuring this technology for the mmWave band, better performance such as a higher data rate can be realized. If you are interested in joint sensing and communication system design, feel free to contact us.
Research objective:
1. Sensing parameter estimation
2. Full duplex joint sensing and communication system design
Expected gain of knowledge: Wireless communication
[1] Y. Cui, F. Liu, X. Jing and J. Mu, "Integrating Sensing and Communications for Ubiquitous IoT: Applications, Trends, and Challenges," in IEEE Network, vol. 35, no. 5, pp. 158-167, September/October 2021.

  2023 Available now

Privacy and Security Implications of Cross-Modal Transformations on Human-Centric Sensor Data

This topic is about implementing a cross-modal transformation model on a chosen pair of human-centric sensors (sensors which are worn by or close to humans), for recreating one stream of sensor data based on the other one. The ultimate goal of this thesis is to evaluate the performance of such a model with respect to the privacy and/or security implications. Contact me if you are interested and/or have a cool idea for a specific pair of sensors relevant for violating the privacy and/or the security of a human being. Experience with machine learning and/or signal processing is required. A good understanding of sensors and their measured physical quantities is strongly recommended.

  2023 Available now

Going against the tide: Using interpretable machine learning instead of black box DNN for wireless sensing

Your WiFi router is constantly monitoring its surroundings. You can analyze the channel state information to detect the location and even the trajectory of people in their homes. The majority of these works leverage black box machine learning, which calls their reliability into question. While many believe that black box models provide higher performance and are less complex, new studies suggest otherwise [1]. If you are interested in going against the tide and proving that interpretable learning can perform similarly to black box models in wireless sensing, send me an email.
Research objective: Explanation methods for WiFi sensing
Expected gain of knowledge: Wireless communication, interpretable machine learning
[1] C. Rudin, “Stop explaining black box machine learning models for high stakes decisions and use interpretable models instead,” Nat Mach Intell, vol. 1, no. 5, pp. 206–215, 2019, doi: 10.1038/s42256-019-0048-x.

  2023 Available now

FPGA development and experimental analysis of beamforming and beam-tracking in 6G networks

Millimeter-wave frequencies (30-300 GHz) will dominate 6G communications, providing users with data rates of tens of Gbps. However, communication at such high frequencies requires highly directional beams to compensate for the propagation loss. In our group, we have access to unique software-defined radios capable of communication at 70 GHz with 4 GHz of bandwidth. If you are interested in performing experimental studies in this area and contributing to research on the next generation of mobile networks, this could be your topic.
Research objective: Test and development of agile beamforming/tracking for 6G systems
Expected gain of knowledge: Wireless communication, FPGA programming

  2023 Available now

Preserving Privacy against WiFi Sensing

Your WiFi router is constantly monitoring its surroundings. You can analyze the channel state information to detect the location and even the trajectory of people in their homes. There are many other applications, including detecting heartbeat, breathing rate, reading lips, etc. If you are interested in implementing one of these systems using real hardware and finding solutions to fight against it, send me an email. Note that these are rather challenging topics, as they require good knowledge of communication as well as signal processing.
Research objective: WiFi sensing countermeasures
Expected gain of knowledge: Wireless communication, signal processing, physical layer privacy

  2023 Completed (December 2023)

Designing and developing a Bluetooth-based tracking detection for iOS

Development of the iOS version of AirGuard, focusing on a well-designed user interface and tracking detection for Tile and Samsung trackers.

  2023 Available now

Preserving Privacy against WiFi Sensing

Your WiFi router is constantly monitoring its surroundings. You can analyze the channel state information to detect the location and even the trajectory of people in their homes. There are many other applications, including detecting heartbeat, breathing rate, reading lips, etc. If you are interested in implementing one of these systems using real hardware and finding solutions to fight against it, send me an email. Note that these are rather challenging topics, as they require good knowledge of communication as well as signal processing.
Research objective: WiFi sensing countermeasures
Expected gain of knowledge: Wireless communication, signal processing

  2023 Available now

Unsupervised learning from video segmentation to person/object tracking in wireless networks

There is a large body of work on using commercial wireless devices to detect, identify, and localize people as well as their motion, gestures, and even vital signs. The underlying techniques span from machine learning to signal processing and radar. To some extent, the impact of a person's body/motion on the wireless signals can resemble an image/video. While there has been extensive use of advanced machine learning techniques for people/object tracking in videos, there is very little work on using these techniques in the wireless domain, for example, applying the works presented here (https://www.youtube.com/watch?v=tSBWZ6nYld0) to wireless sensing. If you find this interesting, send me an email to discuss further details.

  2023 Available now

CSMA/CD for Wi-Fi

Motivation
Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is a technique used in wired networks like Ethernet (IEEE 802.3) to improve network performance through efficient medium access. When a collision is detected, the colliding nodes terminate their transmissions to keep the collision time as short as possible. This effectively improves the utilization of the transmission medium, since less time is spent in collisions and the time between transmission attempts is reduced. In wireless networks, however, CSMA/CD is generally assumed to be impractical due to the physical characteristics of the wireless channel. In fact, the power of a signal degrades by orders of magnitude on its way from transmitter to receiver due to free space path loss and signal propagation effects, such as attenuation and reflections. Therefore, even if a transmitter were equipped with a separate receive antenna, its own transmission would typically drown out the weak signals from other transmitters, which would render the detection of those weak signals impossible. Nevertheless, recent research has demonstrated that self-interference cancellation techniques are becoming feasible, which allows the design of full-duplex radios [1]. This might effectively be key to the design of CSMA/CD for IEEE 802.11-based networks, allowing for enhanced network performance under high-load conditions [2].
[1] Mayank Jain, Jung Il Choi, Taemin Kim, Dinesh Bharadia, Siddharth Seth, Kannan Srinivasan, Philip Levis, Sachin Katti, and Prasun Sinha. “Practical, Real-Time, Full Duplex Wireless”, 17th Annual International Conference on Mobile Computing and Networking (ACM MobiCom '11). Las Vegas, Nevada, USA, 2011, pp. 301-312.
[2] Konstantinos Voulgaris, Athanasios Gkelias, Imran Ashraf, Mischa Dohler and A. H. Aghvami. “Throughput Analysis of Wireless CSMA/CD for a Finite User Population”, IEEE Vehicular Technology Conference, Montreal, Quebec, CA, 2006, pp. 1-5.

Goal
Literature review: Review different self-interference cancellation techniques and assess their suitability for 802.11-based networks. Also review literature relating to channel access techniques.
CSMA/CD design: Make a conceptual design of a fully-fledged CSMA/CD mechanism which also takes practical limitations into account, such as settling times of gain controls. Your design may also employ correlation techniques to detect weak signals from far-away nodes.
Implementation: Implement your CSMA/CD design on a software-defined radio. Self-interference cancellation might require a combination of well-considered antenna placement on the device, analog cancellation in the RF band, and digital cancellation in the baseband. Your implementation may be based on GNU Radio and USRP, or on WARP.
Evaluation: Evaluate the performance of individual components of your implementation (e.g., the self-interference cancellation gain), as well as the overall performance of CSMA/CD nodes in a real network, as compared to conventional CSMA/CA.

  2023 Completed (December 2023)

Privacy Preserving Data Collection Study

Developing an app that allows privacy preserving data collection. Performing a full data collection study.

  2023 Completed (December 2023)

Implementation of a Pipeline for the Automated Mass Analysis of iOS Apps

Bachelor's thesis that required the development of an automated pipeline that can download and analyze iOS apps.

  2023 Completed (December 2023)

Deobfuscation of novel obfuscation algorithms

This thesis topic has been completed.

  2023 Available from: April 2024

Apple Security and Privacy Aspects

Apple claims to manufacture the most secure smartphone. They implement many unique security and privacy features that cannot be found in other ecosystems. Notable and elaborate features are publicly described in their platform security guide, including high-level goals and underlying cryptographic primitives [1]. However, detailed documentation is missing. Often, iOS and macOS are assumed to be secure by design without questioning the underlying implementation. Within SEEMOO, proprietary features and interfaces have been studied extensively. For example, we reverse-engineered Find My and AirDrop, which uncovered new security and privacy issues, and implemented the open-source clients OpenHaystack and OpenDrop. Moreover, we took a look at wireless interfaces and daemons, more specifically Bluetooth and the Intel cellular baseband, and published tools like the ToothPicker fuzzer and the ARIstoteles dissector. When analyzing a previously unexplored topic within Apple's ecosystem, it is likely to find security issues affecting more than a billion users of the Apple ecosystem. Moreover, the knowledge gained during this process helps to open up proprietary interfaces and enables interaction with third-party devices. There are still a lot of open topics on all layers. The main expertise within SEEMOO is wireless protocols. However, you can also contact us if you want to look into other concepts, such as low-level hardware security (PAC, side channels, ...), biometric security (Face ID, ...), network security (Private Relay, fuzzing the network stack, ...), and more. Usually, picking a single feature and exploring it in depth will be sufficient for a B.Sc. or M.Sc. thesis. We offer experience within the Apple ecosystem and reverse-engineering tips for firmware, kernel, and user-space daemons, including the *OS Internals book series that documents iOS and macOS internals way beyond the official materials by Apple.
Additionally, due to supervising a lot of theses in this area, we have a collection of example theses. We also have jailbroken iPhones and iPads, recent MacBooks, and other Apple devices. For your own safety and security, these are designated research devices and not meant for private usage. Note that we do not participate in the Apple research device program, meaning that you can set your own disclosure timeline when coordinating disclosure with Apple. In some cases, Apple might award you a bug bounty. We also encourage and financially support you in presenting your results at a scientific or security conference. The precise topic will be tailored to your previous experience. It is recommended to have a reverse-engineering background, e.g., previous participation in CTFs. Depending on the topic, either a strong programming background is required (developing an open-source equivalent of one Apple feature) or a good understanding of software/hardware security is mandatory (fuzzing a protocol, implementing a hardware attack, ...). Please contact us for more details. We are currently getting many requests for this topic area. Please only contact us if you have a strong background in the previously mentioned areas.
[1] Apple Platform Security, May 2021, https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf

  2023 In progress

Functional Analysis of Broadcom WiFi SoC Scan Cores

Recent Broadcom WiFi 6E/7 BCM43XX SoCs feature a dedicated Scan Core. It can be found in several modern smartphones, including the Samsung Galaxy S21 Ultra, S22 variants, Google Pixel 7 / 7 Pro, and Google Pixel 8 / 8 Pro. The Scan Core is advertised as a 2.4 GHz, 5 GHz, and 6 GHz channel performance enhancement, but its real technical properties are not publicly available. In this work, we perform an extensive analysis of the Scan Core's functionalities inside and outside of its intended use. To this end, we make use of static and dynamic reverse engineering of the related software and hardware components. A detailed understanding of the Scan Core's internals and peripherals could provide a new platform for research applications on WiFi SoCs that run in parallel to default WiFi operation.

  2023 Completed (September 2023)

Limits of CSI-based keylogging on 10-digit number pads

...

  2023 In progress

Deployable Crisis Communication with Smartphones by Combining Acoustic and Radio Communication

...

  2022 Completed (August 2023)

Machine Learning Aided Penetration Testing: Concept of a Penetration Testing Automation Environment

Network penetration testing involves sophisticated techniques that require consideration of environment-specific parameters and careful planning. Penetration testers should focus on novel vulnerabilities and devote their attention to the interrelations of possible threats and risks rather than losing time on repetitive tasks. Reinforcement Learning (RL) is the key approach to making autonomous penetration testing practically applicable inside real-world computer networks. The literature describes attack path generation with a priori knowledge about the environment, simulation-only approaches without applicability to real-world computer networks, or emulation-only approaches with no RL integration. This thesis optimizes, trains, and evaluates RL agents for four benchmark scenarios with increasing size, complexity, and heterogeneity of hosts, and a Proof of Concept (PoC) demonstrates the transferability of a simulation environment into an emulation environment. Creating a realistic emulation environment in which RL agents can apply the knowledge learned in the fast simulation environment allows the delegation of repeatable tasks to the trained agent and lets penetration testers focus on novel and individual aspects of the target network.

  2022 Completed (August 2023)

SpyFi: Deep Learning for CSI-based Keylogging Side Channel Attacks

Spying on what is typed on a keyboard with Wi-Fi signals sounds scary but might not be as far from reality as suspected. Wi-Fi-enabled devices constantly measure the communication channel conditions, represented as Channel State Information (CSI). Finger and hand movements alter the wireless signal propagation characteristics and cause changes in the CSI over time. Prior work proves it is possible to correlate the patterns in a CSI time series with the motion of keys pressed on a keyboard. This information leaking from Wi-Fi signal distortions can be exploited in a side-channel keylogging attack. Typing is a prevalent activity when it comes to working with computers on a regular basis. Considering that what we type reveals not only private messages like emails or notes but also highly sensitive data such as passwords or banking information, this leaves a frightening prospect. In this thesis, we practically explore the potential threat of side-channel keylogging attacks with CSI by implementing the conventional method found in related work and comparing it to deep learning-based approaches to infer keystrokes. Motivated by the fact that the use of deep learning models promises less effort in pre-processing and feature extraction, we apply deep learning approaches for the first time to CSI-based keylogging and extend the knowledge about the applications of Deep Neural Networks (DNNs). We create a dataset worth more than 24 hours of recording time with a controlled experimental setup to empirically evaluate the performance of the implemented keyloggers. Our results indicate the difficulties and limitations our keylogging models face, which renders keylogging attacks with Wi-Fi signals rather cumbersome for real-world attackers.

  2023 Completed (July 2023)

O-RAN Central Unit Resilience

...

  2023 Available from: April 2024

Protection mechanisms against unwanted tracking/stalking

The release of more Bluetooth item finders and key finders that use a vast finder network has increased the risk of stalking and location tracking of people. Especially the Apple AirTag and Samsung SmartTag are dangerous devices, since the manufacturers updated all their smartphones to find and report these devices. We study the prevalence of this issue and try to create applications, algorithms, and datasets to help users identify trackers and disable them. With AirGuard, we created the first automatic tracking detection against AirTags for Android. Our project is open-source, and we continue to develop it to support other devices. If you are interested in tracking protection mechanisms and innovative ways to identify all kinds of trackers, and want to create software used by thousands of users, please reach out.
Contact: Alexander Heinrich, aheinrich@seemoo.tu-darmstadt.de
Links:
https://github.com/seemoo-lab/AirGuard
https://play.google.com/store/apps/details?id=de.seemoo.at_tracking_detection.release

  2023 In progress

Fingerprinting Environments With Gas Sensors

...

  2023 Available now

Assorted Hardware Security Topics

I offer supervision mostly of hardware-based offensive security topics. Assist me and my team in getting access to the firmware of embedded systems, bypassing security mechanisms, and reverse engineering cutting-edge devices. Topics (can) involve building custom hardware (target boards, tools, experimental setups), reverse engineering firmware, and more. Contact me if this sounds interesting to you. Experience with hardware (electronics, microcontrollers, circuit boards) is recommended.

  2023 Available now

Reverse Engineering Broadcom's Vector Application-Specific Instruction-Set Processor (VASIP)

Selected Broadcom Wi-Fi SoCs feature a Vector Application-Specific Instruction-Set Processor (VASIP). A brief description of one of its application areas can be found in the following patent: Inter-radio communications for scheduling or allocating time-varying frequency resources. The processor might be used to mitigate interference, support MU-MIMO operation, or in general help with computationally complex tasks related to signal processing at the PHY layer. Understanding VASIP's functionalities and capabilities, paired with its positioning near the radio front-end, can open up a new practical platform for researchers with a large area of applications in the wireless field on real end-user devices. To gain more insight into this type of processor, we offer several thesis topics, ranging from analyzing its default functionalities to reverse engineering its instruction set. You should be comfortable with the C language, digging into the unknown, signal processing, and improving your skill set.

  2023 In progress

PicoWSDR: Low-cost Software-Defined Radio Receiver

Raspberry Pi's Pico W microcontroller board comes with a Broadcom / Infineon Wi-Fi SoC (CYW43439). The combination of the two offers the possibility to create a low-budget but powerful software-defined radio receiver. This work involves low-level programming, debugging, and reverse engineering. You should be familiar with, or ready to deep dive into, microcontroller programming, the programming language C, and firmware reverse engineering and patching. An understanding of radio frequency receiver architecture and signal processing is helpful.

  2023 Completed (June 2023)

Routing in Disrupted Cities

...

  2023 In progress

Power Characterization of Acoustic Communication and Other Wireless Ad-Hoc Communication Technologies for Smartphones and the Internet of Things

...

  2023 In progress

Measuring Acoustic Communication Schemes

...

  2022 Completed (April 2023)

Low-Power Network Support for the Recovery of Collapsed 6G Systems

A resilient 6G network will be prepared for different failure scenarios and can absorb incidents to a certain level. However, there may be incidents that cannot be absorbed, e.g., a failure of the entire 6G core network due to a large-scale cyber attack. Further possible consequences of such an incident include a large-scale power outage affecting either parts of or even the entire mobile network. In this type of scenario, the 6G network would collapse and split into smaller networks. Such a small network could, e.g., consist of a single isolated base station running on emergency power, and the users connected to it. From here, isolated base stations have to reconnect with other base stations to recover some functionality of the 6G network. However, the need to conserve energy further complicates the recovery process, because the base stations are running on emergency power. This thesis evaluates how such a recovery process of the 6G network can be supported with ad-hoc low-power networks. In this thesis, the student will explore how isolated base stations can coordinate their reconnection via a low-power network. This includes: discussing and choosing a suitable lower-layer protocol as a basis for the low-power network; implementing a basic consensus protocol to make distributed decisions; and testing the developed protocol in simulation.

  2023 Completed (April 2023)

Machine Learning Based Data Rate Optimization for Mobile LoRaWAN Sensors

Adaptive Data Rate (ADR) is a feature of LoRaWAN that allows the network performance to be optimized by adjusting the data rate of end devices based on their current channel conditions. Current approaches to ADR optimization algorithms focus on static or low-mobility end devices, and the specification recommends disabling ADR for mobile devices, e.g. location trackers. To let these devices also benefit from ADR adjustments, this thesis proposes implementing a predictive ADR algorithm based on deep reinforcement learning. The algorithm is evaluated on a real-world data set captured in the city of Darmstadt.

  2023 In progress

Automated Surveillance Recognition in Smart Environments

This topic is about implementing various models to recognize the presence of as many smart things as possible based on sensor or other time series data. The goal of this topic is to compare and evaluate these models against each other in certain settings like in a smart home environment.

  2023 Completed

Continuous Fuzzing Integration Into State of the Art Development Processes for Improved Software Security

...

  2023 Available now

Acoustic Communication: Ubiquitous ad-hoc communication?

I offer challenging topics on all aspects of the acoustic physical layer, which allows smartphones to use their integrated audio hardware for over-the-air communication, similar to wireless radio communication. The main use case is short-range communication, e.g., for pairing. The advantage: we can implement custom physical layers without expensive SDRs. Contact me if you have any research ideas on this topic. Strong experience with signal processing is required.

  2022 Completed

Security of GPS Trackers (M.Sc.)

Contact: Alexander Heinrich

  2022 In progress

Generalized Network Coded Cooperation in High Density LoRa-Networks

The wireless channel is a non-linear and time-varying system. Thus, it represents a harsh environment to conduct transfers of information. One of the variables that predict the outage performance of transmissions over the wireless channel is the diversity order, where systems with higher diversity order experience a lower outage probability at a specific signal-to-noise ratio (SNR). Diversity can be achieved through several means, with the most simple being repetitions (retransmissions) of the same information over different instances of the wireless medium, i.e. over another time period or frequency. One very relevant means is the use of multiple antennas, which adds diversity by also incorporating a spatial element. However, this element can also be obtained when devices with transmissions to a common destination aid each other with retransmitting their partner's information frames. That is the concept behind cooperative communication: achieving a spatial diversity gain without requiring multiple antennas on each device [1]. Network Coded Cooperation (NCC) is a more complex cooperative technique whereby devices perform linear combinations of the data contained in their own and their partner's information frame, creating a parity frame. This allows for an even higher diversity order gain without requiring any additional transmissions beyond the standard information and cooperative phases seen in cooperative communications [2]. This kind of technique can therefore be especially useful in scenarios where multiple devices share a common base station and require energy-efficient communications, such as in LoRa-based networks. LoRa is a prime modulation technique for enabling Low-Power Wide Area Networks (LPWANs), providing adequate interference prevention, relatively low power consumption, and long range. These benefits, however, do not scale well with increases in the network density [3]. 
Note that, in these high-density scenarios, increasing diversity by simply performing more transmissions results in an increased collision probability, i.e. even higher interference. For LoRa-networks, this also means the network loses maximum range. Given that the number of connected devices is expected to balloon in this decade, LoRa-based protocols must be adapted to mitigate high levels of interference. It has been shown that using NCC can produce positive results in high-density LoRa-based networks when associated with a fast inter-device transmission of information frames using high-rate frequency shift keying (FSK). However, previous analyses were purely theoretical and limited to evaluating a two-way cooperation process [3]. This thesis will tackle the empirical and theoretical challenges of implementing generalized network-coded cooperation on LoRa-based networks. Cooperation will be expanded to include multiple devices within the cooperation range, which will generate a higher diversity order for the uplink transmissions. The student is expected to program LoRa devices based on either the SX1272 or SX1276 transceivers to validate their results. If you have any interest in the described topic, please do not hesitate to get in touch. [1] Cooperative communication in wireless networks [2] Multiuser Cooperative Diversity Through Network Coding Based on Classical Coding Theory [3] Network-Coded Cooperative LoRa Network with D2D Communication

  2022 In progress

Android Wireless Subsystem Security

Earliest start date: February 2023 Wireless interfaces are an attack surface for zero-click remote code execution vulnerabilities. Typically, an attacker would try to find a parsing issue within a wireless chip or in a low-level wireless stack component within the operating system, and then escalate further. Thus, it is important to research these interfaces. Android is available for many platforms with different hardware. Vendors add custom hardware adaptation layers for compatibility with Android. However, these interfacing layers are vendor-specific and proprietary. Detailed knowledge about interfaces between components enables security research [1] and building tooling to customize wireless chips and stacks [2, 3]. Due to the proprietary nature of these interfaces, many of them remain undocumented. We have a couple of yet-to-be-researched wireless interfaces, as well as researched interfaces that would profit from developing better tooling. We offer experience within the Google ecosystem as well as OEMs (Samsung, etc.), including reverse-engineering tips for firmware and user-space daemons. Additionally, due to supervising a lot of theses in this area, we have a collection of example theses about how to reverse engineer and fuzz such interfaces. We also have rooted up-to-date Android smartphones. For your own safety and security, these are designated research devices and not meant for private usage. When researching a new interface, it is common to uncover new vulnerabilities, which you will report within Google's vulnerability reward program or the OEM's program, and you might be rewarded a bug bounty. We also encourage and financially support you presenting your results at a scientific or security conference. Please contact us for more details and for choosing a task that suits a thesis. A B.Sc. thesis would usually advance tooling for something previously reverse engineered (see [1]), and an M.Sc. thesis is about reverse-engineering an interface and developing tools (see [2]). The precise topic will be tailored to your previous experience. It is recommended to have a reverse-engineering background, e.g., previous participation in CTFs. Depending on the topic, either a strong programming background is required (develop an open-source tool for an Android interface) or a good understanding of software/hardware security is mandatory (fuzzing a protocol, implementing a firmware attack, …). We are currently getting many requests for this topic area. Please only contact us if you plan to start your thesis by February 2023 or later, or if you have sufficient background knowledge to work on a topic on your own (e.g., are already familiar with Android hacking and don't need an introduction). [1] ARIstoteles: iOS Baseband Interface Protocol Analysis [2] InternalBlue - A Bluetooth Experimentation Framework Based on Mobile Device Reverse Engineering [3] Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements Through Wi-Fi Firmware Modifications.

  2022 In progress

Bluetooth Security Analysis on Windows

Earliest start date: February 2023 In the past, we looked into multiple Bluetooth stacks: iOS [3], macOS [2], Linux, and Android. However, Windows is still a partial blind spot. What exists so far: a basic understanding of the Windows Bluetooth stack and existing debug tools to look into all packets, and reversing and documentation of the Windows Bluetooth stack. This is a great base to get started with Bluetooth security analysis and reverse engineering on Windows. There are multiple tasks that would be interesting; which ones you choose depends on your skill level and on whether you want to work on a BSc or an MSc thesis: hook the Windows kernel with WinDBG to not only log packets but also inject and modify packets; write a fuzzer for the Windows Bluetooth stack; implement or simulate known attacks on Bluetooth stacks to analyze how they were patched; integrate this knowledge about the Bluetooth stack into InternalBlue [1], a Bluetooth firmware experimentation framework. For further reference, see: [1] InternalBlue Project on GitHub, https://github.com/seemoo-lab/internalblue [2] B.Sc. Thesis about porting InternalBlue to macOS, https://github.com/seemoo-lab/internalblue/blob/master/doc/macos_bluetooth_stack_thesis_davide_toldo.pdf [3] M.Sc. Thesis about fuzzing Bluetooth on iOS, https://github.com/seemoo-lab/toothpicker/blob/master/assets/toothpicker_thesis.pdf

  2022 In progress

Power Usage Advisory System for eHUB Inhabitants

Within the research center emergenCITY, we investigate how ICT can be used to strengthen a city's resilience during crises, e.g. blackouts, instead of being another critical infrastructure which can fail. With our freshly renovated living lab eHUB, we want to learn how self-sustaining buildings, which generate a surplus of electrical energy on their own, can support this approach. The eHUB provides a PV system with a battery, ready for starting experiments with off-grid operation. What it still needs is an integrated Smart Home system which can learn from the inhabitants' behavior and support them in managing their energy budget, and offer the surplus e.g. to neighbors, first responders, or other emergency relief activities. The house is currently equipped with a KNX-based system for controlling consumers and measuring energy production and consumption. Your task is to extend this system so that it considers consumption and production, monitors activities within the house with their energy profile, includes external context information (e.g. to relate weather and expected power production), and interacts with the inhabitants. The interaction could happen for example via a (web) app, using wall-mounted displays, or through a Smart Home Speaker/Hub developed in the project. We plan to use the interface for further experiments in the eHUB. Some of the skills that will be helpful for working on this topic are (you do not need to tick all boxes): UI, app or web design for creating a nice user interface; no fear of working with hardware installations and embedded systems (e.g. Linux on Raspberry Pis; knowledge of KNX, MQTT, … is an advantage); machine learning for creating predictive models; experience with user studies in case you want to use that as a method for evaluation. This thesis will be supervised in cooperation with EINS.

  2022 Completed

ECG-PPG A Comparison of Biometric Identification

With the rise of the IoT and the usage of mobile devices, the need for improved security for those devices becomes more critical. Beyond regular passwords, several other forms of identification, such as biometric identification, have been introduced. They can offer increased convenience and less vulnerability to spoofing attacks. The most common forms of applied biometric identification include iris, face and fingerprint scanners, which see most use in smartphones. But there has been increasing interest in methods that utilize physiological signals of the human body. Electrocardiogram (ECG) and photoplethysmogram (PPG) are among them and are the main point of interest for this work. They come with inherent advantages like being difficult to reproduce, and they cannot be forgotten like a password. Gathering records of the two signal types has become easier over the years and can now be performed with wearables like the Apple Watch. This opens new options for this field of research. My work focuses on analyzing and reimplementing existing approaches for ECG- and PPG-based biometric identification systems and comparing them to deduce similarities, differences, strengths and weaknesses. To achieve this, two convolutional neural network (CNN) based ECG implementations and one PPG implementation that utilizes handcrafted feature extraction were adapted to work on a shared dataset that contains synchronized ECG & PPG data from the private SAPE and the public BIDMC database. This database was then used for evaluation of the systems. In addition, commonly used biometric methods and databases were analyzed to aid in the final evaluation. High rates of accuracy were reached and compared to literature that utilized similar datasets.

  2022 Completed

Repurposing Wi-Fi Chips as Software-defined Radio Receivers

Broadcom FullMAC Wi-Fi chips offer the possibility to configure their internals such that IQ samples can be fetched at several stages in the RX chain. This opens up the opportunity to repurpose those Wi-Fi chips as software-defined receivers. As the firmware is proprietary and the configuration is non-trivial, reverse engineering of the underlying processes is required. In this thesis, we try to better understand the possible configuration options, tackle bottlenecks like memory and bus bandwidth restrictions, and create a tool that abstracts the SDR RX feature for end users. You should have experience with C and reverse engineering and an interest in hardware features of RF receiver chains.

  2022 Completed

Collecting a Real-World Dataset of Private Patterns for Stream Processing Systems

The Internet of Things (IoT) shows a clear shift towards analyzing streaming data (collected by IoT devices) using so-called stream processing systems (SPSs) that infer knowledge from these data in (near) real-time. Such SPSs work on the notion of events detected from sensor data, e.g., a user is standing, jogging, or eating. The SPSs raise serious privacy concerns, as they not only ignore user privacy but also pose new threats to it. For example, a sequence of seemingly nonsensitive events, like "swallow" --> "drink" --> "lay down", can reveal a sensitive private pattern of taking medicine. A few privacy-preserving mechanisms (PPMs) exist to address the threat of private patterns, but they need to be validated on realistic datasets containing a number of private patterns that are captured by various sensor data, e.g., IMU, ECG/EMG, and heart rate. To date, such datasets do not exist. Hence, collecting one would be the main goal of this thesis, which will be a big step towards validating existing and designing new PPMs that tackle the threat of private patterns in SPSs. The precise topic addressing the above research goal would be tailored depending on your skillset. However, hands-on experience with data collection using smart devices (phones, watches, IoT sensors) and/or user studies is a strong plus. [1, 2] are exemplary data collection studies, which can serve as an inspiration for this work. [1] FallAllD: An Open Dataset of Human Falls and Activities of Daily Living for Classical and Deep Learning Applications [2] Case Studies Using Shimmer Sensors

  2022 Completed

LoRaWAN in Disaster Scenarios

LoRa comes with characteristics beneficial in crisis situations, like its long range and low power consumption, which allows devices to run on batteries significantly longer than, e.g., cellular base stations. However, LoRaWAN does not benefit from these characteristics, as it depends on a centralized, cloud-based network server infrastructure. If gateways can no longer access the backing network, forwarding stops and the network fails in the affected region. This thesis investigates collaboration between gateways to transparently forward frames from LoRaWAN devices in regions suffering from an outage of the backing network.

  2022 Completed

Comparison of Side-Channel Touchlogging Attacks using Wearables

Although many research papers about touchlogging attacks, which leverage wearable devices as a side channel to log keys being typed on a smartphone, exist, there is no concise summary of those attacks and their advantages & limitations, and different scenarios and evaluation setups make comparisons difficult or unfair. Therefore, one has to sort through countless articles and papers to see if an approach has already been evaluated in a specific scenario, or one cannot fairly compare two well-performing approaches because the evaluation setup differs drastically between the two. This thesis provides a framework combining five of the most common approaches for touchlogging attacks in four different typing scenarios and eight ways the user is wearing the wearable device. With this framework and its evaluation, a concise overview and quick, fair comparisons between the most common approaches to touchlogging are presented.

  2022 Completed

Enterprise Authentication Systems

  2022 Completed

Smartphone Pairing Schemes

...

  2022 Completed

Evaluation of UWB

We want to evaluate current UWB devices

  2022 Completed (July 2022)

Low-Latency Routing in Wireless Multi-Hop Networks through Concurrent Cooperative Transmission

Concurrent Cooperative Transmission (CCT) allows the dissemination of messages over multiple hops in a wireless network with many devices, while achieving excellent performance in terms of latency, reliability and throughput. With this, CCT can enable unprecedented applications and services that were infeasible in traditional wireless multi-hop networks (WMNs). In this thesis project, a low-latency routing protocol is designed and implemented that leverages CCT-based network flooding within corridors of a WMN for unicast traffic.

  2022 Completed (June 2022)

Updating Heterogeneous LoRaWAN Nodes Using A Modular LoRaWAN-Stack

The LoRaWAN 1.0 has been shown to suffer from security vulnerabilities which require updating the LoRaWAN implementation on respective sensor nodes. However, updating the firmware of LoRaWAN end devices is a demanding task, as data rate and duty cycle limit the throughput to only a few kilobytes per second. Heterogeneity amongst sensors exacerbates the situation by requiring dedicated images for each sensor type. The thesis addresses both problems by improving the updatability of LoRaWAN end devices by allowing to replace single functions of the LoRaWAN stack with architecture-independent drop-ins based on WebAssembly.

  2022 Completed

Practical Evaluation of LoRaWAN in IIoT Environments

  2022 Completed

Reverse Engineering and Emulating Broadcom's WiFi Real-Time Core Peripherals

Broadcom/Cypress WiFi chips commonly hold a microprocessor, also called D11 core, that handles all real-time related 802.11 MAC tasks in the form of a programmable state machine (PSM). It is directly connected to the chip's PHY components as well as its non-real-time related parts. Successful attacks on the D11 core would therefore pose a high risk to the whole device, especially as the chip is constantly exposed over its wireless interface. Although the D11 core's architecture and instruction set are mostly proprietary, disassembling and assembling of microcodes (the D11's firmware) is possible due to previous reverse engineering efforts. This in turn allows analyzing, modifying and on-chip debugging of microcodes. However, the current related processes are error-prone and time consuming. To improve those tasks, a basic emulator that can interpret the proprietary instruction set and perform corresponding calculations and memory/register accesses was designed and implemented in prior work. But, in order to properly run microcodes on the emulator, several peripherals (e.g. timers, crypto engine, tx/rx engines, PHY interface, ...) that directly influence the PSM's flow need to be emulated additionally. In this thesis, we want to analyze peripherals that are directly connected to the D11 core and simulate their behavior in the existing emulator. C and Assembly skills are recommended, as well as experience and/or interest in reverse engineering, IEEE 802.11 MAC, and low-level programming.

  2022 Completed

Implementation and Evaluation of Short-Range Aerial Acoustic Communication Systems for Smartphones

...

  2022 Completed

Emulating Broadcom's D11 Core

Cypress/Broadcom WiFi chips commonly hold a microprocessor, also called D11 core, that handles all real-time related 802.11 MAC tasks in the form of a programmable state machine. The D11 core's architecture and instruction set are proprietary. Reverse engineering efforts already disclosed a sufficient subset of the instruction set to allow disassembling and assembling of microcodes (firmware of the D11 core) for specific core revisions. Still, analyzing, modifying, and debugging microcodes on-chip is error-prone and time consuming. Emulating the D11 core can be used as support for such tasks. In this thesis, we want to gain more knowledge about the D11 core's functionalities by further reverse engineering its internals, and implement an emulator that supports its instruction set and eases debugging of microcodes.

  2022 Completed

Channel Characterization for Aerial Acoustic Communication Systems

...

  2022 Completed

Limits on Inferring Handwritten Characters using Wearables

Recent studies have shown that handwritten characters can be distinguished from each other with high accuracy, leading to security threats such as impersonation and side-channel attacks, or simply to systems that mirror handwritten characters into the digital space. Most of these studies focused on recording characters and building (complex) systems around the classification of these handwritten characters, resulting in sparse data sets recorded only with specialized hardware in restricted settings. With these specialized settings and hardware, it is not clear which limitations might impact the classification accuracy, be it the type of sensor or the general writing style of a person, and whether these findings also apply to consumer hardware or general settings like writing with a simple pen on paper. The results of this work aim to set clear limitations and settings for the recording of handwritten characters while using a simple pen-and-paper setting with multiple consumer devices. A data set of handwritten lower-case characters is sampled using multiple consumer wearables in different positions on the forearm, while limiting the speed and size of a drawn character; the recordings are processed into several time-domain and frequency-domain features and classified by different machine learning methods, resulting in accuracies of 20 % to 22 % for the IMU data, 15 % to 17 % for the EMG data and 16 % to 20 % for a mixed approach. The results are in the range of current state-of-the-art findings adjusted for the size of the classifiers used, so the limitations defined in this work might give a direction as to which limitations are more useful in the scenario of classifying characters based on signal data using consumer devices.

  2022 Available now

Privacy-preserving beamforming using reinforcement learning

In this thesis we consider the downlink of a wireless communication system. In particular, there is a base station transmitting information to multiple legitimate users in the presence of eavesdroppers which may compromise users’ privacy by capturing information sent from the base station. The goal of the thesis is to maximize the privacy degree of all legitimate users while ensuring that the eavesdroppers remain as oblivious as possible. To fulfill this, the base station leverages beamforming and reinforcement learning (RL). A specific objective of this thesis is to develop a practical RL algorithm with low latency and compare its performance against other approaches, e.g., based on convex optimization, which in general can be more time-consuming. Required knowledge: reinforcement learning, wireless communications, signal processing (desirable)

  2022 Completed

Discovering Oversensing Privacy Issues in Smart IoT Environments

The proliferation of the IoT makes numerous smart devices equipped with rich sensing capabilities part of our everyday life. These sensors enable customized services by measuring a user's ambient environment, such as a fitness tracker recording daily activities (e.g., jogging), allowing users who exercise a lot to get an insurance discount. However, the ubiquity of sensing raises the problem of oversensing [1], namely inferring a user's sensitive attributes or behaviors (e.g., health conditions, political orientation) from sensor data that was collected for benign purposes. In this thesis, we will explore the landscape of oversensing, focusing on the following problem: how to discover oversensing issues in various sensor data in a scalable (i.e., automated) way? The precise topic addressing the above research goal would be tailored depending on your skillset. However, a solid background in machine learning and data mining is required in addition to a thorough understanding of privacy issues stemming from sensor data (also known as inference attacks). [1] How to Curtail Oversensing in the Home

  2022 Completed

Hiding User Private Attributes Using Machine Learning

The ubiquity of IoT sensors enables customized user services such as smart health or smart home. Recently, advances in machine learning have been exploited to discover private user attributes (e.g., gender, age) from sensor data collected for different purposes such as activity recognition, violating the user's privacy. Two recent works [1, 2] utilize state-of-the-art machine learning techniques to suppress private user attributes in sensor data while maintaining the utility of the target application (e.g., target activity recognition remains accurate). In this thesis, we will critically evaluate the above proposals with respect to their security (can other private attributes be learned from these data?), generalizability (would they still work on slightly different sensor data?), and deployability (can such approaches run on edge devices?). The precise topic addressing the above research goal would be tailored depending on your skillset. However, a solid background in machine learning and data mining is required in addition to a thorough understanding of privacy issues stemming from sensor data (also known as inference attacks). [1] Protecting Sensory Data against Sensitive Inferences [2] Preventing Sensitive Information Leakage from Mobile Sensor Signals via Integrative Transformation

  2021 In progress

Glitching Wireless Chips

Glitching is a method that allows bypassing security checks in firmware running on chips. Dropping the voltage or inducing an electromagnetic field for a very short moment causes the chip to behave differently. For example, the chip might skip a check in the secure bootloader, allowing an attacker to run arbitrary firmware. This is of special interest for wireless security research. Instead of re-implementing protocols on software-defined radios, we can modify existing firmware to test very specific security assumptions in an otherwise unmodified environment. We have a lab with various equipment suitable for glitching, such as oscilloscopes, the ChipWhisperer and the ChipShouter. Thus, the thesis will require you to do at least some parts of the work onsite. However, we also have some ChipWhisperer Nanos etc., in case you want to do parts of the work from home. Required background knowledge is either electrical engineering or IT security. Can be done as either a B.Sc. thesis or an M.Sc. thesis, depending on the number/complexity of chips.

  2021 Completed

FIDO2 Platform Authenticators

...

  2021 Completed

Evaluation of Acoustic Communication Schemes

...

  2021 Completed

Evaluation of Ultra-Wideband for Secure Device Pairing

  2023 Completed (October 2021)

Finger Detection of Keystrokes from RGB Video Streams

To research the security impact of side-channel keylogging attacks, we need suitable datasets containing the sensor data and the pressed keys. However, when our side channel targets the user through acceleration, EMG, or other wearable sensors, we might want additional ground truth about the user's activity, e.g., a representation of which finger was used to type a certain key. This data makes it possible to directly correlate the sensor readings with the activity that caused them, which could help develop more accurate and robust keylogging models. Previous work in this area focused more on stand-alone virtual input devices that do not reflect real-world keyboards, or required expensive motion tracking hardware to track finger positions. In this thesis, we design, implement and evaluate a system that can infer finger usage from a monocular RGB video of a user typing on an unmodified keyboard. Our evaluation shows that our implementation can accurately label the hand usage for over 96 % of keystrokes and the finger usage for over 97 % of keystrokes. As such, our system can be a helpful aid in the creation of new datasets for research into keylogging side channels.

  2021 Completed (August 2021)

Video Broadcasting in IEEE 802.11 Multi-Hop Networks

Concurrent Cooperative Transmission (CCT) allows the dissemination of messages over multiple hops in a wireless network with many devices, while achieving excellent performance in terms of latency, reliability and throughput. With this, CCT can enable unprecedented applications and services that were infeasible in traditional wireless multi-hop networks (WMNs). In this thesis project, CCT-based network flooding is used to disseminate a video stream from a source node to many other nodes throughout a WMN. To this end, a customized IEEE 802.11 design for the wireless open-access research platform (WARP) v3 software-defined radio (SDR) is used, which was developed at SEEMOO to enable CCT-based network flooding. In this thesis, a server application is implemented that injects the packets of a video stream into a WMN consisting of WARP v3 SDRs. Further, a client application is implemented that re-constructs the video stream at the receiver side from the received packets. With this, mobile devices that are covered by the WMN shall be able to display the received video stream.

  2021 Completed

Analyzing the Deployment of Device-Specific Android Security Features

  2021 Completed (May 2021)

DNN-based Enhancements for Time-Variant Zero-Forcing

Time-Variant Zero-Forcing (TVZF) is an enhanced channel equalization technique that allows for decoding concurrent cooperative transmissions (CCTs) under relaxed time and frequency synchronization requirements. This thesis project explores the design of DNN-based processing components to realize TVZF in an IEEE 802.11 software decoder.

  2021 Completed

Investigating the Pitfalls of FIDO2 Usability in Practice

  2021 Completed

Handwriting Recognition using IMU and EMG Sensor Data

With the rise of wrist-worn devices like smartwatches and fitness trackers and the integration of Inertial Measurement Unit (IMU) sensors, questions about the privacy impact of their recorded data arise, which often get little attention in privacy considerations. With the device worn on the wrist, one possible impact is an eavesdropper inferring the handwriting done by the wearer of the device using the collected IMU data. Another use case is the deliberate digitizing of handwriting by users wearing such devices. In this case it is also feasible for the user to wear an additional device to improve the digitizing. In this thesis we investigate both the possible privacy impact and the possibilities for deliberate digitizing of handwriting done on paper based on IMU sensor data recorded on a smartwatch. Furthermore, we collect Electromyography (EMG) sensor data using an armlet worn on the lower arm to analyze whether the original recognition results can be improved utilizing these data. We design and conduct a data study aimed at mirroring everyday circumstances, using an Apple Watch and a Thalmic Myo armlet to record the necessary data. Additionally, the original handwriting of the study participants is digitized by writing on paper on top of a Wacom Bamboo Slate tablet. We use the recorded continuous streams of IMU and EMG data to classify the written letters using the 1-Nearest Neighbor (1NN) algorithm in combination with the Dynamic Time Warping (DTW) algorithm. Our model achieves widely varying results depending on the writer and an overall accuracy of 0.28. Very low accuracies for the classification based on EMG data prevent us from evaluating possible improvements when combining both data types. Our findings suggest that the recognition depends on the writing style of the individual user and that more research is required to make handwriting recognition based on IMU or EMG data applicable to writing in everyday life.

  2021 Completed (March 2021)

Unlocking Apple's Auto Unlock – Enhancing Off-the-shelf Wi-Fi Firmware to Unlock Apple Devices

This thesis project offers solutions for collecting raw IQ samples on an off-the-shelf device, similar to the capabilities of a software-defined radio. To this end, the firmware of a full-MAC Wi-Fi chip is analyzed and modified to expose low-level functionality to the user space. The devised solutions are further used for an analysis of Apple's Auto Unlock feature.

  2021 Completed

3D Positioning and Posture detection using iOS

Modern smartphones contain many sensors and frameworks that can capture the surrounding world. Capable mobile processors, machine learning and frameworks allow us to capture the pose of a human with very little extra work. We are looking for a student who wants to work with augmented reality and extend the posture detection system in iOS with a 3D positioning system. The software may combine multiple iPhones at different locations to enhance tracking. In the end, such a system allows quickly creating the datasets necessary for WiFi sensing, creating interactive games, and more. A small introduction to the available frameworks has been given at WWDC 2020. Starting at minute 13, the video shows what is already possible today. https://developer.apple.com/videos/play/wwdc2020/10653/

  2021 Completed

Protecting Heartbeat and Respiration Information in WiFi Sensing Applications

  2021 Completed

Security Analysis of Neighbor Awareness Networking-capable Wi-Fi Firmware using Fuzzing

  2021 In progress

iOS CommCenter Protocol Analysis

  2021 In progress

iOS CommCenter Fuzzing

  2021 In progress

iOS Bluetooth Security

  2021 Completed

Very Pwnable Network: Reverse Engineering and Vulnerability Analysis of AnyConnect for Linux

  2021 In progress

Responsible Disclosure in the IoT Sector

  2021 In progress

Practical Analysis of Friendly Jamming to Augment the Security of Industrial Remote Control Systems

  2021 In progress

Improving State Coverage in Bluetooth Fuzzing

  2021 Completed

Attacks on Wireless Coexistence

  2021 In progress

AnyConnect and VPN Security on iOS

  2020 Completed

Speeding up and hardening zero-interaction pairing by utilizing off-the-shelf IoT actuators

  2020 Completed (November 2020)

Protocol Design for Energy-Efficient Broadcast Tree Construction in Wireless Ad-Hoc Networks

This project addresses the problem of energy-efficient data dissemination from a source node to all other nodes in a wireless multi-hop network. Mahdi Mousavi et al. from the Communications Engineering Lab at TU Darmstadt have devised a decentralized algorithm towards this goal that is based on game theory [1]. While simulation results have shown that this mechanism significantly outperforms other conventional flooding mechanisms, its practical applicability still remains unexplored. The goal of this thesis project is to design a protocol that takes the practical limitations of wireless multi-hop networks into account. The protocol shall be evaluated in simulations using the ns-3 network simulator.

[1] Mahdi Mousavi, Hussein Al-Shatri, Matthias Wichtlhuber, David Hausheer and Anja Klein, “Energy-Efficient Data Dissemination in Ad Hoc Networks: Mechanism Design with Potential Game”, 2015 International Symposium on Wireless Communication Systems (ISWCS), Brussels, 2015, pp. 616-620. doi: 10.1109/ISWCS.2015.7454421

  2020 Completed

Delay-Tolerant LoRaWAN with mobile Gateways and SatCom Backhaul

  2020 Completed

LoRa for Smart Street Lamps

  2020 Completed

Circumventing ECG Authentication with Deep Generative Models based on PPG Pulse Data

Electrocardiogram (ECG) biometrics is a steadily growing and increasingly popular field of research. In this work, we propose a novel attack scenario in which we train a generative model to uncover and spoof the ECG of a victim by merely observing another cardiovascular signal of the victim: their photoplethysmogram (PPG). For the model, we propose a conditional generative adversarial network (cGAN) with a U-Net style generator and least-squares loss. Since current training datasets do not fall into the off-the-person category, we additionally collect a custom dataset of synchronized PPG and ECG measurements. It features 33 recordings by 31 participants with a median age of 28. We evaluate the model against a baseline by Zhu et al. Our model has a lead over the baseline with a mean relative root-mean-square error (rRMSE) of 0.47 vs. 0.49 on the TBME-RR dataset but lags behind on our own dataset with a mean rRMSE of 0.61 vs. 0.55. The evaluation demonstrates that the cGAN is able to properly recreate the overall characteristics and noise of the ground truth. In the proposed attack scenario, the model yields an overall success rate of up to 26 % against a neural-network-based authentication system.

  2020 Completed (September 2020)

Low-Latency Flooding in IEEE 802.11g Networks through Concurrent Broadcasting with Wireless Synchronization using WARP Software-Defined Radios

Concurrent cooperative transmission (CCT) is a fundamental technique to enable low-latency network flooding in wireless multi-hop networks (WMNs). In this thesis, a frequency synchronization method is implemented on the Field-Programmable Gate Array (FPGA) of the Wireless Open-Access Research Platform (WARP) v3 Software-Defined Radio (SDR) to facilitate the generation of CCTs with coherent interference in real-time.

  2020 Completed

Keylogging Side-Channel Attacks on Bluetooth Timestamps: A Timing Analysis of Keystrokes on Apple Magic Keyboards

In the past, several timing attacks have been applied to recover sensitive input on keyboards. If these kinds of attacks could be migrated to the wireless communication of keyboards, this would make the use of wireless keyboards less secure. In this thesis we apply a timing attack to the Bluetooth communication of the Apple Magic Keyboard by recording the time between consecutive Bluetooth packets and recover the typing with a Hidden Markov Model (HMM). With this attack we are able to shrink the search space of random passwords by a factor of 5 to 10, which considerably speeds up exhaustive search.

  2020 Completed

The Latency--Throughput Tradeoff of GPP-based SDRs

  2020 Completed

GNU Radio Runtime Performance Evaluation

  2020 Completed

Analysis of Apple's crowdsourced location tracking system

  2020 Completed

Prevalence Analysis of Dark Patterns in Newsletters

The dependence on online shopping makes consumers popular targets of malicious intent. With a deep understanding of the human psyche, dark patterns are capable of leading consumers to perform actions which they would not take under normal circumstances, for example by evoking buying pressure or inducing them to give away sensitive data. In this thesis, we focus on the detection of dark patterns, especially the Social Proof, Misdirection, Scarcity, and Urgency patterns, using multinomial naïve Bayes, support-vector machine, k-nearest neighbor, and random forest, as well as state-of-the-art transfer learning methods like ULMFiT and DistilBERT. For this purpose, we utilize a collection of 1818 classified dark patterns. First, we perform nested cross-validations for all algorithms to gain the insights we need for model selection. Overall we achieve a balanced accuracy of 0.926 on average, whereas all models, except for k-nearest neighbor, perform similarly well. Then, with the gained knowledge, we demonstrate that dark patterns can indeed be detected using machine learning techniques. At last, using our fine-tuned models, we reveal the existence of dark patterns in a collection of newsletter emails, with a performance of 0.436 balanced accuracy. Thus we conclude that this work provides essential insights into the fact that dark patterns exist in hitherto unnoticed fields and into how more sophisticated methods are crucial to combat such patterns.

  2020 Completed

Implementation and Analysis of a Keystroke Dynamics Authentication System

Password-based authentication systems face many problems today. Data breaches and users selecting weak passwords have raised the need for different authentication methods or a second factor. Popular methods include fingerprint or face detection and second factors like access or transaction codes. But there are less explored systems that use keystroke dynamics authentication. In this bachelor thesis we analyze existing keystroke dynamics authentication systems. To get a better understanding, we implement such a system. Using publicly available datasets, our system reaches a false acceptance rate (FAR) of 14 % and a false rejection rate (FRR) of 28 %. Having our own keystroke dynamics authentication system, we can then perform an evaluation in terms of usability in practice. Based on this evaluation we discuss in which cases such a system is a suitable and secure way of authentication. We conclude that in general keystroke dynamics authentication systems are a convenient and secure way to add a security factor. But we also identify existing challenges, such as when users have different computers (with different keyboards) or use auto-fill functions of password managers. And we state ideas on how our system’s performance could be improved and how these challenges could be addressed.

  2020 Completed

Wi-Fi Sharing for All: Reverse Engineering and Breaking the Apple Wi-Fi Password Sharing Protocol

Modern devices provide more and more functionality, simplifying everyday tasks. Obscured from the user are the complex, proprietary, and undocumented protocol stacks, most of them always listening in the background. In this thesis, we take a look at one of these features, Apple Wi-Fi Password Sharing, which enables users to share the Wi-Fi password with guests in their home. We publish documentation of the involved frameworks, describe the actual protocol, and search for vulnerabilities. Besides one implementation bug, we find multiple small flaws in the protocol and user interface, which we combine into two attacks: a denial-of-service attack, which crashes the iOS settings app, and a man-in-the-middle attack, which lures the victim onto an attacker-controlled Wi-Fi network.

  2020 Completed

Advanced Mitigation and Response Methods in the Context of Automotive Ethernet Security

  2020 Completed

VPN in a Mobile Environment: Security, Privacy, and Usability

  2020 Completed

ToothPicker: Enabling Over-the-Air and In-Process Fuzzing Within Apple's Bluetooth Ecosystem

  2020 Completed

Remote Code Patching Framework for a TETRA Base Station

  2020 Completed

Practical Security Analysis of IoT Ecosystems

  2020 Completed

Practical Bluetooth RNG Analysis

  2020 Completed

Polypyus: Firmware History Based Binary Diffing

  2020 Completed

Fuzzing a TETRA Base Station via Binary Patching

  2020 Completed

Applicability of IoT Security Frameworks as Guidelines for Penetration Testing

  2020 Completed

Analyzing the macOS Bluetooth Stack

  2019 Completed

Analyzing Apple’s Private Wireless Communication Protocols with a Focus on Security and Privacy

  2019 Completed

Communicating Privacy and Security issues


  2019 Completed

Creating an indoor simulation tool with a realistic antenna model for IEEE 802.11ad 60 GHz devices

  2019 Completed

Detecting Extension Abuse in the Wild


  2019 Completed (September 2019)

Security Analysis of LoRaWAN: An Experimental Evaluation of Attacks

Low-power wide-area networks (LPWAN) are becoming the wireless backbone for modern business processes and municipal administration. LoRaWAN, which stands for long-range wide-area network, is a recent medium access control (MAC) layer protocol competing for this market. It stands out by its open operator model and a novel modulation technique. As LoRaWAN and other communication technologies become a dependency for more and more aspects of today's society, the question of their security and reliability comes up. Previous research on the topic has already revealed vulnerabilities in the first LoRaWAN specification, which have been partly mitigated in the most recent LoRaWAN 1.1. However, related studies often provide only theoretical results or consider practical scenarios only on a specific, small scale. In this thesis, we present a LoRaWAN security evaluation framework that allows field-testing the security and reliability characteristics of actual LoRaWAN deployments. This provides not only reproducible results but also allows a comparison between defined versions of the specification and LoRaWAN software. Before expounding implementation details, we provide a literature survey on LoRaWAN vulnerabilities and attacks to identify interesting aspects for further evaluation. From our experimental results, we show that jamming is a serious threat to the availability of LoRaWAN networks. Furthermore, we demonstrate the practical applicability of two replay attacks against a selection of LoRaWAN software and illustrate why they will remain relevant for years due to backward compatibility.

  2019 Completed

Security Evaluation of LoRaWAN Network Servers using Fuzzing

Low Power Wide Area Network (LPWAN) technologies like Long Range Wide Area Network (LoRaWAN) are used for creating low-maintenance sensor networks in many scenarios. The central part of a LoRaWAN is the Network Server (NS). Whereas previous security research often focused on conceptual security issues in the protocol, this work evaluates fuzzing, i.e., security testing using semi-valid random messages, as a technique to find vulnerabilities in NSs. We investigate the situation of practical network deployments and the software in use. Then we derive an approach for a general fuzzing framework for NSs. We present our fuzzer implementation in detail and describe experiments we conducted with an example network server. The results show that this network server was susceptible to a denial-of-service attack. We therefore conclude that fuzzing is an appropriate tool for making LoRaWANs more secure by uncovering vulnerabilities in NSs.

  2019 Completed

nextoyou - a zero-interaction co-presence detection scheme based on Channel State Information

  2019 In progress

Communicating Privacy and Security issues

  2019 Completed

PrivacyMail – Analyzing the Email Tracking Ecosystem

  2019 In progress

TETRA Base Station Binary Patching

  2019 In progress

Bluetooth Entropy

  2019 In progress

Bluetooth Controller Emulation and Fuzzing

  2019 Completed

PrivacyGraph – A Holistic View of the Online Tracking Ecosystem


  2019 Completed

Applicability of Penetration Testing Guides for the Internet of Things

  2019 Completed

Smart Home Security

  2019 Completed

Practical Evaluation of LoRa in Multihop Networks

  2019 Completed

Implementation of a Linux User-space Neighbor Awareness Networking Protocol Stack

  2019 Completed

Analyzing Email Privacy

  2019 Completed

Advanced TSCH Scheduling Mechanisms for Wireless Sensor Networks

  2019 Completed

Practical Performance Analysis of Neighbor Awareness Networking

  2019 Completed

Inferring Keystrokes from Myo Armband Electromyographic and Inertial Measurement Unit Data

Mobile devices, such as phones and wearables, include an increasing variety of more and more accurate sensors, only part of which the users can control to a certain extent to protect their privacy. In the meantime, mostly with respect to the accelerometer and gyroscope sensors of smartwatches, various keylogging side-channel attacks have been described in the literature, demonstrating that sensitive information like passwords can be inferred from the data recorded by these sensors. In this thesis, we take a closer look at the Myo armband, a wearable device worn on the upper part of the forearm containing an accelerometer, a gyroscope, a magnetometer and eight electromyographic (EMG) sensors for measuring muscle activity. In particular, we investigate whether the EMG data supports the recognition of finger movements sufficiently to detect new keystrokes of the same person or of previously unseen typists. We create a dataset based on both keystroke and sensor data collected from 27 volunteers wearing two Myo armbands while typing on a physical keyboard. In order to detect keystrokes based on this data, we apply supervised learning approaches utilizing a random forest, a convolutional neural network (CNN) adaptation of WaveNet and a convolutional recurrent neural network (CRNN). We estimate the predictive performance, achieving a mean F1 score of 0.75 for the CRNN in the within-subject scope and an F1 score of about 0.61 for the between-subject scope, independent of the chosen model. These estimates are validated in a proof of concept, achieving a mean F1 score of 0.64 for the CRNN in the within-subject scope and a mean F1 score of 0.65 for the WaveNet adaptation on an unseen person in the between-subject scope.

  2019 Completed

Security Analysis of IoT Ecosystems

  2019 Completed

PowerPC Binary Patching and Dissection of a TETRA Base Station

  2019 Completed

Fuzzing the Linux Bluetooth Stack

  2019 Completed

Dynamic Bluetooth Firmware Analysis

  2019 Completed

A Study on Proprietary Communication Protocols Used in TETRA Hardware Components

  2018 Completed

Security Aspects of the Apple Wireless Direct Link Protocol

  2018 Completed (November 2018)

Separated Channel Estimation in Asynchronous Multi-User Wi-Fi Transmissions via Interpolation with Deep Neural Networks

The separation of channel coefficients in concurrent cooperative transmissions is a time-consuming operation. In this thesis project, we are going to explore the suitability of deep neural networks (DNNs) to speed up a specific PHY-related optimization task.

Goal: The goal of this project is to explore the suitability of DNNs to separate channel coefficients. The project's main goals are:
- Research the literature about the uses of DNNs in other optimization problems
- Explore suitable DNN configurations for the envisioned task
- Evaluate the DNN's performance in terms of accuracy and speed

  2018 Completed

Design of a Secure DIAMETER Edge Agent - study of the capabilities and performances of a DEA, with a PoC implementation

  2018 Completed

Combining WiFi, Bluetooth and BLE: Limitations and synergy effects of using Google Nearby Connections 2.0

Most smartphones today are equipped with different wireless interfaces, namely Wi-Fi, Bluetooth, BLE, ad-hoc Wi-Fi, and NFC. These interfaces have different weaknesses and strengths. Bluetooth is suited for low-bandwidth, short-range communication. Bluetooth Low Energy (BLE), on the other hand, is aimed at devices which have a limited power supply and need to transfer data in short intervals. Wi-Fi is well suited for high-bandwidth, low-latency communication with increased range. By combining these interfaces, we can enhance the performance of offline peer-to-peer connectivity. The number of devices using the Internet is growing at a rapid rate, creating traffic congestion, especially through the use of multimedia services. We can offload and distribute this traffic using high-performance peer-to-peer connectivity. With the growing need for infrastructure-less networks in remote or disaster-stricken areas, better device-to-device communication could prove to be life-saving. Nearby Connections 2.0 is the new offline peer-to-peer, high-bandwidth, low-latency API from Google. It uses a combination of Wi-Fi Direct, BLE and Bluetooth to create reliable and fast connections. In this thesis, we evaluate Nearby Connections against all three interfaces it uses. We execute four experiments with different network parameters to analyze the limitations and benefits of using Nearby Connections. By varying different parameters we maximize the performance of each interface to observe the behavior of Nearby Connections. Our evaluation results indicate that Nearby Connections does not adjust itself to get the best out of the underlying interfaces. We show the limitations of the Nearby Connections API. It performed better than both Bluetooth and BLE, but compared with Wi-Fi Direct it performed far below par.

  2018 Completed

Desynchronization Attacks and Mitigations for the Apple Wireless Direct Link Protocol

  2018 Completed

Learning the Beams: Efficient Millimeter-Wave Beam-Steering Techniques

Motivation: Beam-steering is the backbone of millimeter-wave (mm-wave) networks and key to achieving data rates of multiple gigabits per second. Nodes must steer their antennas so that they maximize the signal gain towards the intended communication partner. The state of the art for finding the best antenna configuration is to probe all possible antenna configurations. This process causes high overhead, especially in case of mobility, when parameters must be adjusted continuously.

Goal: In this thesis, you apply machine learning techniques to find the antenna parameters most suitable for probing and select the optimal configuration with low overhead. Implementation and evaluation in this thesis should be performed by means of our mm-wave testbed platform with off-the-shelf IEEE 802.11ad devices. Experience with Linux, wireless network configuration, proper tools, and scripting languages is highly recommended.

  2018 Completed

Draining Mallory and Sybil: DoS-resistant Disruption-Tolerant Networks

Description: Disruption-Tolerant Networks (DTNs) can be used as a means of communication in the emergency context when communication infrastructure is unavailable. In DTNs, mobile user devices such as smartphones act as “data mules”: they store, carry and forward messages. Unfortunately, the “storing” part is especially vulnerable to denial-of-service (DoS) attacks, since an attacker can flood the network with bogus information and, thus, replace or purge valid messages from a node’s buffer. In this thesis, you will implement and evaluate a novel, DoS-resistant buffer management scheme in IBR-DTN [1], a DTN implementation written in C++ which also runs on standard Android smartphones.

[1] IBR-DTN. https://github.com/ibrdtn/ibrdtn.

  2018 Completed

Evaluation of MAC protocols for wireless sensor networks

  2018 Completed

Learning the Beams: Applying Evolution Algorithms for Optimized IEEE 802.11ad Beamtraining

  2018 Completed

60 Ghz Channel Models: From Theory to Practice (and Back Again)

Motivation: The channel characteristics of millimeter-wave communication systems at 60 GHz differ from those in lower frequency bands and require a fundamental rethinking of network design. To investigate such aspects of network performance, we developed a ray-tracing-based simulation framework to predict the signal quality in arbitrary environments. However, the internals of the simulation are based on theoretical considerations and models. So far, simulation results have not been compared to realistic measurements.

Goal: In this thesis, your task is to extend our simulation framework [1] in MATLAB and/or Python and compare results with realistic measurements performed with common IEEE 802.11ad router hardware. We expect that impairments due to cheap antenna and RF circuit design lead to divergences from simulation. Can you adapt the simulation to provide more realistic outcomes?

[1] mmTrace: ray-tracing based millimeter-wave propagation simulation

  2018 Completed

Practical Low-Layer Attacks on IEEE802.11ad by Modified WiFi Firmware

Motivation: Millimeter-wave (mm-wave) communication systems such as IEEE 802.11ad use directional beams that need to be trained prior to establishing a high-throughput connection. Such beam training protocols, the backbone of mm-wave communications, have a high impact on security and performance. Jamming or manipulating the frames associated with the beam steering might prevent a connection from being established or steer the beam for an adversary's benefit. We have already obtained firmware-level access to the WiFi chip of state-of-the-art routers.

Goal: A bachelor's or master's thesis in this area might extend our current framework and integrate, for example, packet injection or jamming to launch and evaluate the aforementioned attacks. Students should not be afraid of analyzing binary data and assembly instructions. Experience with IDA Pro is recommended.

  2018 Completed

Hacking Bluetooth Firmware of WiFi Combo Chips in Mobile Devices

  2018 Completed

Processing and evaluation of the smarter field test about delay-tolerant networks in the event of a disaster

This thesis is about the processing and evaluation of the data generated by the Smartphone-based Communication Networks for Emergency Response (smarter) project. The smarter project is a research project that investigates the use of Delay Tolerant Networks (DTNs) as a method of communication for the civil population during a disaster situation. During this thesis the recorded data is transferred into a format readable by the simulator The Opportunistic Network Environment Simulator (The ONE), so that the field experiment can be repeated as often as required. This makes it possible to easily compare the data with that of other projects or to combine it with data generated by the simulator. The thesis also highlights some difficulties that may occur during the analysis and execution of field experiments.

  2018 Completed

Performance Comparison of Packet Schemes for Mutually Hidden Messages

  2018 Completed

Analyzing Vulnerability and Privacy Data from the PrivacyScore platform

Motivation: Every day new cyber security vulnerabilities are discovered and reported, which indicates the weak security standards adopted by websites. The main aim of a hacker is to steal sensitive information by exploiting these vulnerabilities. The information and data compromised can be very costly and damaging for an organization. Hence, due to the ever-evolving tactics of hackers and the changing cyber threat landscape, it is very important for an organization to be aware of security vulnerabilities. Until now, most of the work that has been done allows discovering vulnerabilities in web applications and anticipating vulnerability exploits. Different techniques are used in this regard, including machine learning, evaluating inter-module relationships, and the application of data analytics. All of these approaches have a common goal, which is to discover existing and new vulnerabilities and predict them for the future. Some solutions consider evaluating the application code by performing static or dynamic analysis and finding vulnerabilities. However, a very critical question arises in this whole scenario: what can we do after a vulnerability is discovered? How can we find similar vulnerabilities in the system and share this information with others for proactive resolution of the vulnerabilities? In this regard, data analysis of security vulnerabilities can provide a wealth of information. It can provide efficient vulnerability assessment by analyzing the existing vulnerability data

  2018 Completed

Privacy as a Competitive Factor? Analysis of Companies' Reactions to PrivacyScore Ratings

  2018 Completed (March 2018)

NEAT-TCP: Generation of TCP Congestion Control through Neuroevolution of Augmenting Topologies for Wireless Multi-Hop Networks

TCP performance in wireless multi-hop networks (WMNs) is hard to achieve due to losses on the wireless channel, interference and limited resources at individual nodes. Recent research has proposed a simple neural network (NN) structure with one input layer, two hidden layers, and one output layer that efficiently applies congestion control and results in significant performance improvements compared to conventional TCP variants [1]. Further, NeuroEvolution of Augmenting Topologies (NEAT) [2] is a method based on evolutionary algorithms that can outperform fixed-topology NNs in reinforcement learning tasks. We expect that NEAT may improve the performance of manually crafted NNs like iTCP even further.

Goal: The goal of this project is to assess the ability of NEAT to further improve the performance of an iTCP-based congestion control algorithm in the context of WMNs. The project's main goals are:
- Implement iTCP in a network simulation environment (ns-3)
- Use NEAT to generate a modified NN structure for congestion control
- Compare the performance of the modified congestion control to the initial iTCP-based version

[1] A. B. M. Alim Al Islam and Vijay Raghunathan, “iTCP: an intelligent TCP with neural network based end-to-end congestion control for ad-hoc multi-hop wireless mesh networks”, Wireless Networks, Volume 21, Issue 2, pp. 581–610, February 2015. doi: 10.1007/s11276-014-0799-6
[2] Kenneth O. Stanley and Risto Miikkulainen, “Evolving Neural Networks through Augmenting Topologies”, Evolutionary Computation 10:2, pp. 99-127, MIT Press, 2002. doi: 10.1162/106365602320169811

  2017 Completed (March 2018)

Practical Broadcast Tree Construction with Potential Game for Energy-Efficient Data Dissemination in Ad-Hoc Networks

This thesis project addresses the problem of energy-efficient data dissemination from a source node to all other nodes in a wireless multi-hop network. Mahdi Mousavi et al. from the Communications Engineering Lab at TU Darmstadt have devised a decentralized algorithm towards this goal that is based on game theory [1]. While simulation results have shown that this mechanism significantly outperforms other conventional flooding mechanisms, its practical applicability still remains unexplored.

Goal: The goal of this thesis project is to design a practical protocol that runs the game theoretical algorithm in [1] and to evaluate its performance in a network simulation environment. The project's main goals are:
- Analyze the game theoretical algorithm [1] for limiting assumptions
- Devise a practical protocol for broadcast tree construction that is based on [1]
- Implement this protocol in a simulation environment (ns-3)
- Evaluate the energy efficiency of the constructed broadcast tree in comparison to conventional flooding techniques while taking the protocol overhead into account

[1] Mahdi Mousavi, Hussein Al-Shatri, Matthias Wichtlhuber, David Hausheer and Anja Klein, “Energy-Efficient Data Dissemination in Ad Hoc Networks: Mechanism Design with Potential Game”, 2015 International Symposium on Wireless Communication Systems (ISWCS), Brussels, 2015, pp. 616-620. doi: 10.1109/ISWCS.2015.7454421

  2018 Completed

Implementing a WiFi Jammer on a Raspberry Pi

  2018 Completed

Experimental Evaluation on Inband Device-to-Device Communication in LTE

  2018 Completed

Using Physical Unclonable Functions (PUFs) for Data-Link Layer Authenticity Verification to Mitigate Attacks on IEEE 802.11ad Beam Training

  2018 Completed

Practical Defense Against Pollution Attacks in Network Coding-based Systems

Motivation: Network Coding has many positive properties that make it especially suitable for Wireless Multihop Networks [1]. Network Coding can be used to increase the effective capacity of the network by coding together (in the simplest form: bit-wise XOR) packets of different flows and forwarding them in a single broadcast transmission to their intended receivers, e.g., [2]. It can also be used within a single flow to improve forward error correction (FEC) and, thus, increase transmission reliability, e.g., [3]. Unfortunately, systems based on Network Coding are easy targets for a number of attacks, and even easier to disrupt than protocols based on traditional forwarding [4].

Goal: In this thesis, you will familiarize yourself with the concept of Network Coding and analyze potential threats to both inter- and intra-flow Network Coding. Based on this, you will design and implement practical security measures. The design should then be validated against a number of different attacks.

  2018 Completed

Experimental Evaluation of Mobile Attacks on Ad hoc Routing Protocols

  2018 Completed

Testing the Efficacy of Vulnerability Disclosure over different Channels

  2018 Completed

Security of Radio-Remote-Controlled Shunting Locomotives

  2018 Completed

InternalBlue - A Bluetooth Experimentation Framework Based on Mobile Device Reverse Engineering

  2018 Completed

Attack Analysis of a TETRA Base Station

  2018 Completed

Analysing and Evaluating Interface, Communication, and Web Security in Productive IoT Ecosystems

  2018 Completed

Security Analysis and Firmware Modification of Fitbit Fitness Trackers

  2017 Completed

Reverse Engineering the Apple Auto Unlock Protocol

  2017 Completed

Self-Replicating Malware for Wi-Fi Chips

  2017 Completed

Understanding the Apple Auto Unlock Protocol

Description (abstract of the final thesis): The Apple Watch provides the ability to automatically unlock a device running macOS when in proximity. The underlying proprietary protocol is called Auto Unlock (AU) and differs from other smart locking techniques. It uses a combination of two wireless technologies, Bluetooth Low Energy (BLE) and IEEE 802.11, to facilitate secure proximity detection. In this work we analyze the protocol using reverse engineering and dynamic debugging. We show that AU uses both standardized protocols and proprietary techniques to implement a secure distance bounding protocol. With this knowledge, we discuss attack vectors and conduct a successful Man-in-the-Middle (MitM) attack on the protocol. Furthermore, we provide a starting point for implementations on other platforms by specifying the protocol and establish the foundation for further attacks.

  2017 Completed

Investigating practical man-in-the-middle network attacks on IEEE 802.11 ad

  2017 Completed

Wi-Fi based Covert Channels on Android Smartphones

  2017 Completed

Evaluation of Latency Reduction Techniques for 5th Generation Mobile Network

  2017 Completed

Extension of the Open Visible Light Communication Driver for Linux

  2017 Completed

ACE security profiles for the IoT

  2017 Completed

Securing SCADA Protocols

  2017 Completed

OAuth 2.0 for IoT: IPsec channel establishment and authorized resource access in the IoT

Securing the Internet of Things (IoT) while keeping it interoperable with today's Internet is crucial to unleash the full potential of the IoT. Authentication and authorization are fundamental guarantees on which further security and operational challenges build. To provide these guarantees in complex and diverse scenarios, we propose a solution based on the Authentication and Authorization for Constrained Environments (ACE) framework, a token-based authentication and authorization framework. Our solution, the IPsec profile for ACE, builds on the IPsec protocol suite and the Internet Engineering Task Force (IETF) IoT stack to provide network-layer security and IPsec channel establishment based on token provisioning for constrained devices. Three ways to establish Security Associations (SAs), i.e., IPsec channels, are specified: Direct Provisioning (DP) of the SA, symmetric-key authenticated establishment (Internet Key Exchange Protocol version 2 (IKEv2) in Pre-Shared Key (PSK) mode), and asymmetric-key authenticated establishment (IKEv2 in Certificate-based Public Key (CPK) mode). We provide an implementation for Contiki, an Operating System (OS) for constrained devices such as the Zolertia Firefly. Furthermore, we evaluate our protocol design, providing a lower bound for the performance of the profile. The evaluation covers network latency and processing time, energy consumption, memory footprint and packet sizes for the different SA establishment methods. The results provide a benchmark for the individual protocol steps as well as aggregated measures for each evaluated setup. Our evaluation showed that DP establishment has the smallest memory footprint and ACE packet size and, at the same time, the highest performance. On the other hand, the authenticated establishment featuring IKEv2 in CPK mode shows the largest memory footprint and packet size, together with the lowest performance of the three SA establishment methods.
The trade-offs between Random Access Memory (RAM) and Read-Only Memory (ROM) footprint, power consumption, network latency and processing time, and security guarantees are also described.

  2017 Completed (August 2017)

Estimating Global MANET Metrics Based on Locally Observed Information

Knowledge of the global network state is crucial for several innovative network optimization techniques. Essentially, incorporating knowledge about the overall network state into decisions made locally at decentralized nodes can improve the overall network performance. A node might, for instance, perform transitions between network mechanisms that are optimized for certain network conditions. However, an individual node's view of the network is limited in practice, since it can only overhear the wireless channel locally, and explicit notification about the global network state would result in large overhead. Therefore, we seek to extend a node's view into the network by means of machine learning techniques. Goal The goal of this thesis is to estimate global metrics of a mobile ad-hoc network (MANET) from locally overheard information in a network simulation environment. Literature review: identify network optimization techniques that rely on global network knowledge and extract their requirements. Define metrics: make a list of global network properties that should be classified or estimated. Identification of features: identify potential features that can be obtained by traffic monitoring; features that carry relevant information about distant nodes might, for instance, be obtained by inspecting packet headers of the higher layers (e.g., network layer and transport layer). Feature engineering and machine learning: select and engineer features that can be obtained by overhearing the wireless channel. Implementation: run experiments with the ns-3 network simulator and evaluate the estimator's performance.

  2017 Completed

Reverse Engineering the Apple Wireless Direct Link Protocol

Apple Wireless Direct Link (AWDL) is a proprietary and undocumented 802.11-based peer-to-peer protocol. It is implemented in all of Apple's operating systems. In this thesis, a reverse engineering method using binary analysis complemented by runtime analysis with traces and logs was applied. We found that each device in AWDL announces its own channel sequence, i.e., a schedule of time windows during which it is available on a given channel; an elected master node is used to synchronize these sequences. Outside these windows, devices can use their wireless radio for other protocols or save energy by turning it off. Each node adapts its channel sequence, e.g., depending on network load, shifting the ratio between infrastructure and peer-to-peer Wi-Fi. This thesis also provides a first analysis of AWDL, including documentation of the frame format, and presents a Wireshark dissector and a prototype implementation of AWDL.

  2017 Completed (August 2017)

Collide, Collate, Collect: Recognizing Senders in Wireless Collisions

In wireless mobile IEEE 802.11a/g networks, collisions are currently inevitable despite effective countermeasures. This work proposes an approach to detect the MAC addresses of the transmitting stations in case of a collision and measures its practical feasibility. Recognizing senders using cross-correlation in the time domain worked surprisingly well in simulations using Additive White Gaussian Noise (AWGN) and standard Matlab channel models. Real-world experiments using software-defined radios also showed promising results, in spite of decreased accuracy due to channel effects. During the experiments, various Modulation and Coding Schemes (MCSs) and scrambler initialization values were compared. Knowledge about which senders were transmitting leading up to a collision could help develop new improvements to the 802.11 MAC coordination function, or serve as a feature for learning-based algorithms. Motivation Collisions in wireless networks most likely lead to packet losses. Current network protocols typically recover from these situations by retransmissions. In doing so, the overall network capacity is reduced and the network delay increases with the number and duration of collisions. However, collided frames may still reveal valuable information that might be suitable for advanced protocol designs. Goal Detect frame alignments of collided frames at the PHY. Devise techniques to detect known data, such as MAC header fields. Analyze real network scenarios with respect to collisions, classify observed events (e.g., pairs of hidden terminals) and generate statistics.
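The following is an added, self-contained illustration of the two goals above (frame alignment by cross-correlation, then recognition of known header data); it is my own example, not code from the thesis. The PHY model is deliberately simplified: BPSK with one chip per bit, AWGN only, and neither OFDM nor the 802.11 scrambler, so the template is just the modulated bits. `KNOWN_PART` is a constructed 16-byte stand-in for the bits the detector already knows (a sync word plus the header fields common to all candidate frames), followed by the 6-byte transmitter address; the station MAC addresses, offsets and noise level are constructed as well.

```python
import random

# Constructed, simplified model: BPSK, one chip per bit, no OFDM, no scrambling.
# KNOWN_PART stands in for the bits the detector knows in advance (sync word and the
# header fields shared by all candidate frames). The bytes are chosen to look random
# so the autocorrelation has small side lobes.
KNOWN_PART = bytes.fromhex("3c9d5ae1726fb4c8d1a6e97b2c58f3e0")   # 16 bytes = 128 chips
ADDR_LEN = 48                                                    # addr2 = 6 bytes


def bits_of(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bpsk(bits):
    return [1.0 if b else -1.0 for b in bits]


def frame_chips(src_mac):
    """Chips of one frame: the known part followed by the transmitter address."""
    return bpsk(bits_of(KNOWN_PART + src_mac))


def collide(frames, total_len, rng, noise_std):
    """Superpose frames at the given chip offsets and add AWGN (a collision)."""
    rx = [rng.gauss(0.0, noise_std) for _ in range(total_len)]
    for chips, offset in frames:
        for i, c in enumerate(chips):
            rx[offset + i] += c
    return rx


def cross_correlate(rx, template):
    """Normalized sliding dot product; 1.0 is a perfect, noise-free match."""
    n = len(template)
    return [sum(rx[lag + i] * template[i] for i in range(n)) / n
            for lag in range(len(rx) - n + 1)]


def find_alignments(rx, template, threshold=0.6):
    """Local maxima of the correlation above the threshold: one per aligned frame."""
    corr = cross_correlate(rx, template)
    peaks = []
    for lag, value in enumerate(corr):
        left = corr[lag - 1] if lag > 0 else float("-inf")
        right = corr[lag + 1] if lag + 1 < len(corr) else float("-inf")
        if value >= threshold and value > left and value >= right:
            peaks.append(lag)
    return peaks


def identify_senders(rx, candidates, threshold=0.6):
    """For every detected frame start, score each candidate MAC against the chips
    where addr2 must sit and report the best match. candidates: name -> 6-byte MAC."""
    known = bpsk(bits_of(KNOWN_PART))
    results = []
    for start in find_alignments(rx, known, threshold):
        addr_start = start + len(known)
        segment = rx[addr_start:addr_start + ADDR_LEN]
        if len(segment) < ADDR_LEN:
            continue  # frame truncated at the end of the capture
        scores = {name: sum(s * t for s, t in zip(segment, bpsk(bits_of(mac)))) / ADDR_LEN
                  for name, mac in candidates.items()}
        best = max(scores, key=scores.get)
        results.append((start, best, round(scores[best], 2)))
    return results


# Constructed scenario: sta_a and sta_b collide (frames overlap), sta_c stays silent.
STATIONS = {
    "sta_a": bytes.fromhex("0a1b2c3d4e5f"),
    "sta_b": bytes.fromhex("f5e4d3c2b1a0"),
    "sta_c": bytes.fromhex("5a96c3a53c69"),
}


def build_capture(seed=2024, noise_std=0.3):
    rng = random.Random(seed)
    return collide([(frame_chips(STATIONS["sta_a"]), 20),
                    (frame_chips(STATIONS["sta_b"]), 60)], 260, rng, noise_std)


def simulate(seed=2024, noise_std=0.3):
    return identify_senders(build_capture(seed, noise_std), STATIONS)


if __name__ == "__main__":
    print(simulate())
```

The first stage only needs the part of the frame that is identical for every station, so it finds one peak per colliding frame; the second stage then compares the address field at each detected alignment, which is where the two frames actually differ. With a real 802.11 PHY the template would additionally depend on the MCS and on the scrambler seed, which is why the thesis compares those across experiments.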

  2017 Completed

Decompilation and Automated Analysis of b43 Assembly Code used in Broadcom WiFi Chips

  2017 Completed

Practical use of network coding to sustain robustness in secure mobile ad hoc communication

  2017 Completed

Secure localization and distance bounding with IEEE 802.11

  2017 Completed

Modification of LTE firmwares on Smartphones

  2017 Completed

Implementation of a Contextual Framework for Secure Device Pairing Methods on Android

Motivation With the proliferation of personal gadgets and smart devices, device pairing has become prominent as a way to introduce security into such a diverse environment. Clearly, the process of secure device pairing is much more ambiguous than previously thought. This stems from the fact that there is no coherent vision of the pairing problem among the research community. As a result, a plethora of pairing protocols has been proposed, many of which are insecure or fail to work in practice. Clearly, there is no single winner in the device pairing race. Goal Correspondingly, one solution to this problem is to support several pairing methods. However, from a user's perspective this may create an additional burden. On top of that, some pairing protocols may be less appropriate security-wise in certain scenarios. For instance, if a pairing method relies on audio but is used in a noisy environment, this creates an additional attack vector or causes reliability issues. Another example are visual pairing techniques used in a public place, which can be subject to shoulder surfing. Overall, in this thesis you will research which contextual information that can be gathered by a modern smartphone can aid secure device pairing. We already have a working Android implementation which performs different methods of device pairing. More specifically, your task is to identify which factors can be potentially hazardous or beneficial for a certain pairing method in a particular scenario. The context that we are going to incorporate includes both environmental information and user input (feedback, preferences, etc.). Hence, you will take measurements on the smartphone to rate the environmental information, and perform a small user study (20-30 users) on the usability of device pairing.

  2017 Completed

Design, Implementation and Evaluation of a Privacy-preserving Framework for Trust Inference on Android

  2017 Completed

Nexmon-based Wireless Penetration Testing Suite for Android

  2017 Completed

Design, Implementation and Evaluation of Realistic Scenarios and Movement Models for Natural Disasters Using Simulations for Delay Tolerant Networks

Description Seeing the continuous increase in natural disasters around the world, many people are contemplating how to contribute to helping those in need. Among them are several computer scientists who fulfil their share by developing technology which enables fast and reliable communication in disaster areas. We were inspired by their work and thus wanted to further improve the state of the art. Delay-tolerant networking (DTN) is a technology which can be used to create alternative networks in disaster areas, where conventional networks are unavailable because of the destruction caused by the disaster. Given that such technology is usually evaluated in network simulators, we focus exclusively on improving the state of the art of the movement models and scenarios used in such simulators. The very random-driven, and thus unrealistic, state of the art is improved by our contribution in the form of a fully designed, implemented, and evaluated realistic natural disaster movement model with underlying scenarios. The results of our evaluation indicate that previously published results might be too optimistic. Thus, further approximations to reality are necessary for a more accurate simulation of DTNs, with the goal of ultimately obtaining better and more realistic results.

  2017 Completed

TETRA Security Analysis by Fuzzing

  2017 Completed

Improving a Linux Device Driver for Visible Light Communication

  2017 Completed

Implementation of the Lower MAC Layer for the OpenVLC Hardware

  2017 Completed

Implementation of a Physical Layer for Visible Light Communication using the OpenVLC platform

  2017 Completed

Detecting WiFi Covert Channels

  2017 Completed

Design and Evaluation of a Hybrid SDR Testbed For Visible Light Communication and Wi-Fi

  2017 Completed

Securing SCADA Protocols

  2016 Completed

A Framework for Adaptive Energy-efficient Neighbour Discovery in Opportunistic Networks

  2016 Completed

Implementation of infrastructureless BFPSI on Android

  2016 Completed

Secure Context Migration between IEEE 802.11 Networks

  2016 Completed

Probe request tracking in WiFi firmware

  2016 Completed

Reactive, Smartphone-based Jammer for IEEE 802.11 Networks

  2016 Completed

Secure key exchange protocol for a group communication during emergency responses

  2016 Completed

Utilizing Secure Elements to Establish Authentication in MANETs on Android

  2016 Completed

Design and Implementation of a Service-Oriented Architecture for Large-Scale Testbed Management

Description Wireless Multihop Network testbeds are often distributed over large physical areas and have many devices, which renders management challenging. A multitude of diverse frameworks are available to assist in the management of such testbeds. Properties like scalability, heterogeneous hardware support and effortless testbed configuration are a self-evident goal for these frameworks. However, this combination is hard to achieve and the exact requirements vary for different testbeds. Instead of providing a completely new and tailored experimentation framework, I propose Panopticon, a service oriented management framework, providing a lower layer to intercept and improve existing functionality. It slices large, distributed testbeds into dynamically sized subunits, offering a granular choice in testbed experimentation frameworks for every slice. Such an experimentation framework can be selected regarding the exact experiment's requirements and not as a compromise between all available testbed components. Panopticon's list of services can be extended, offering simple entry points for new, custom implementations. It is a framework federating network enabled infrastructures.

  2016 Completed

Energy efficient WiFi analysis framework on smartphones

  2016 Completed

Unified Multi-modal Secure Device Pairing for Infrastructure and Ad-hoc Networks Bachelor Thesis

Motivation Today's technologies heavily rely on wireless communications. Our mobile devices connect to infrastructure devices such as wireless routers, establish ad-hoc connections among each other and connect to peripheral devices such as smart watches, fitness trackers and headsets. However, since security is essential in most application scenarios, authentication is a big challenge. To join a wireless network, pre-shared credentials are required. Pairing in proximity via Bluetooth requires the same PIN to be entered on both devices. This procedure is inconvenient and differs between kinds of devices. Although user-friendly and secure pairing mechanisms utilizing multi-modal technologies have been proposed, no unified solution exists yet. Goal In this thesis you elaborate different kinds of pairing mechanisms and analyze their security against various attacks. You design a unified multi-modal pairing protocol and implement a prototype on Android. Your protocol combines pairing strategies over different communication technologies (e.g. WiFi, Bluetooth, NFC, sound, light) and selects a suitable subset matching the devices' capabilities. Since some strategies are easier to intercept than others, your protocol attests the pairing procedure for retrospective trust estimation in the application context. With your proposal we show that unified multi-modal pairing is feasible for both infrastructure and ad-hoc networks with flexible security requirements.

  2016 Completed

Unified Multi-Modal Device Pairing in Infrastructure and Ad-hoc networks

  2016 Completed

A System for Privacy-Preserving Mobile Health and Fitness Data Sharing: Design, Implementation and Evaluation

  2016 Completed

Reverse Engineering Apple's Multipeer Connectivity Framework and Implementation on the Android platform

  2016 Completed

Enabling Seamless Transitions between Cryptographically Secured

  2015 Completed

Infecting the Wire: Wireless Eavesdropping, Packet Injection and Reactive Jamming on Wired 10Base-T IEEE 802.3 Ethernet Networks

  2015 Completed

Privacy and anonymity risks on Android

  2015 Completed

Performance evaluation of an anonymous communication system on a mobile device

  2015 Completed

Implementation and Evaluation of PUF-based Cryptographic Key Generation Schemes on FPGA

  2015 Completed

Design and Evaluation of a supervised machine learning based Intrusion Detection System for WSN

  2015 Completed

Securing Efficient Network Flooding and Time Synchronization for Ultra-Low Latency Communication in Wireless Sensor Networks

  2015 Completed

Design and Implementation of Lightweight Attestation for Embedded Systems

  2015 Completed

Intrusion Detection using Data Mining

  2015 Completed

Audio-based Covert Channels on Smartphones

  2015 Completed

Wireless Eavesdropping and Packet Injection in Ethernet Networks

  2015 Completed

Secure Transitions

  2015 Completed

Design, Implementation and Evaluation of a System Information Service

  2014 Completed

Measuring the Impact of Denial of Service Attacks on Wireless Sensor

  2014 Completed

Protecting User Privacy by Learning from Mobile Communication Data

  2014 Completed

Design, Integration and Evaluation of Real-time Notifications

  2014 Completed

Network ID: Self-Provisioning Service Proxy

  2014 Completed

Let's go WARP: Integrating the Click Modular Router and the Wireless Open-Access Research Platform

  2014 Completed

Delay-tolerant routing for emergency networks

  2014 Completed

Signal Pre-Processing in a Physical Layer Based Key Management System for Wireless Communications

  2014 Completed

Statistically analysing the Impact of

  2014 Completed

Security Analysis of Physical Layer Key Exchange Mechanisms

  2014 Completed

Implementation and Detection of Colluding Injection Attacks by Means of Active Probing

  2014 Completed

Decentralized Privacy-preserving Location Mechanism

  2014 Completed

Corridor Building in Wireless Multihop Networks

  2014 Completed

Outlier Detection in Wireless Sensor Networks

  2014 Completed

Realtime aggregation and spatial visualization of emergency messages

  2013 Completed

Security Mechanisms for Emergency Response Networks

  2013 Completed

Design, Implementation and Evaluation of Incentive Schemes for Mobile Sensing Applications

  2013 Completed

Physical layer path signatures for wireless multihop networks

  2013 Completed

Improving of the detection mechanism of an open-source intrusion detection system

  2013 Completed

Practical Physical Layer Security in MIMO Systems using Software Defined Radios

  2013 Completed

Implementation of a Cross-layer Technique for an OFDM-based Wireless Mesh Network

  2013 Completed

Geographic Routing Based on Physical Layer Information for Wireless Multihop Networks

  2012 Completed

Performance-based Intrusion Detection in Wireless Sensor Networks

  2012 Completed

Mobile Phones as Sensors for Intrusion Detection in Wireless Mesh Networks

  2012 Completed

Secure Modular Protocols for Wireless Multihop Networks

  2012 Completed

Implementation and Evaluation of Opportunistic Mobile Ad Hoc Networks

  2012 Completed

Design, Implementation, and Evaluation of User Interfaces for Decentralized Privacy-Preserving Mechanisms

  2012 Completed

Towards Strong Anonymity in Delay-Tolerant Networks

  2012 Completed

Increasing Privacy Awareness through Intuitive Interfaces for Participatory Sensing Applications

  2012 Completed

Methods for Trust Assessment in Participatory Sensing Scenarios

  2012 Completed

On the Efficiency of Privacy-preserving Path Hiding for Participatory Sensing Applications

  2012 Completed

Dynamic Subchannel Allocation in OFDMA-Based Wireless Mesh Networks

  2012 Completed

Decentralized Trust Models for Participatory Sensing

  2011 Completed

Privacy-aware Tasking for Participatory Sensing Applications

  2011 Completed

Machine Learning-based Anomaly Detection in Wireless Sensor Networks

  2011 Completed

A Framework for Privacy Metrics in Participatory Sensing Scenarios

  2011 Completed

Improving Link Quality in Wireless Sensor Networks

  2011 Completed

Generation, Distribution and Verification of Sensor-based Credentials for Participatory Sensing Scenarios

  2011 Completed

Methods to Identify and Classify Social Links: Design and Implementation

  2011 Completed

Implementation and Evaluation of a Mechanism to Preserve Location Privacy in Participatory Sensing Scenarios

  2011 Completed

Anonymity and Reputation in Participatory Sensing

  2011 Completed

Security Solutions for Geographic Routing in Wireless Multihop Networks

  2011 Completed

Realization of a Testbed and Analysis of Attacks against Routing Mechanisms in Mobile Ad hoc Networks

  2010 Completed

Mitigating Attacks on IEEE 802.11s Security Mechanisms

  2010 Completed

Fine-grained Access Control Enabling Privacy Support in Participatory Sensing