-
Anti-Tamper Radio meets Reconfigurable Intelligent Surface for System-Level Tamper Detection
Authors:
Maryam Shaygan Tabar,
Johannes Kortz,
Paul Staat,
Harald Elders-Boll,
Christof Paar,
Christian Zenger
Abstract:
Many computing systems need to be protected against physical attacks using active tamper detection based on sensors. One technical solution is to employ an ATR (Anti-Tamper Radio) approach, analyzing the radio wave propagation effects within a protected device to detect unauthorized physical alterations. However, ATR systems face key challenges in terms of susceptibility to signal manipulation attacks, limited reliability due to environmental noise, and regulatory constraints from wide bandwidth usage.
In this work, we propose and experimentally evaluate an ATR system complemented by an RIS to dynamically reconfigure the wireless propagation environment. We show that this approach can enhance resistance against signal manipulation attacks, reduce bandwidth requirements from several GHz down to as low as 20 MHz, and improve robustness to environmental disturbances such as internal fan movements.
Our work demonstrates that RIS integration can strengthen the ATR performance to enhance security, sensitivity, and robustness, recognizing the potential of smart radio environments for ATR-based tamper detection.
Submitted 18 March, 2025;
originally announced March 2025.
-
Key Exchange in the Quantum Era: Evaluating a Hybrid System of Public-Key Cryptography and Physical-Layer Security
Authors:
Paul Staat,
Meik Dörpinghaus,
Azadeh Sheikholeslami,
Christof Paar,
Gerhard Fettweis,
Dennis Goeckel
Abstract:
Today's information society relies on cryptography to achieve security goals such as confidentiality, integrity, authentication, and non-repudiation for digital communications. Here, public-key cryptosystems play a pivotal role to share encryption keys and create digital signatures. However, quantum computers threaten the security of traditional public-key cryptosystems as they can tame computational problems underlying the schemes, i.e., discrete logarithm and integer factorization. The prospective arrival of capable-enough quantum computers already threatens today's secret communication in terms of their long-term secrecy when stored to be later decrypted. Therefore, researchers strive to develop and deploy alternative schemes.
In this work, we evaluate a key exchange protocol based on combining public-key schemes with physical-layer security, anticipating the prospect of quantum attacks. If powerful quantum attackers cannot immediately obtain private keys, legitimate parties have a window of short-term secrecy to perform a physical-layer jamming key exchange (JKE) to establish a long-term shared secret. Thereby, the protocol constrains the computation time available to the attacker to break the employed public-key cryptography. In this paper, we outline the protocol, discuss its security, and point out challenges to be resolved.
Submitted 17 December, 2024;
originally announced December 2024.
-
Spatial-Domain Wireless Jamming with Reconfigurable Intelligent Surfaces
Authors:
Philipp Mackensen,
Paul Staat,
Stefan Roth,
Aydin Sezgin,
Christof Paar,
Veelasha Moonsamy
Abstract:
Wireless communication infrastructure is a cornerstone of modern digital society, yet it remains vulnerable to the persistent threat of wireless jamming. Attackers can easily create radio interference to overshadow legitimate signals, leading to denial of service. The broadcast nature of radio signal propagation makes such attacks possible in the first place, but at the same time poses a challenge for the attacker: The jamming signal does not only reach the victim device but also other neighboring devices, preventing precise attack targeting.
In this work, we solve this challenge by leveraging the emerging RIS technology, for the first time, for precise delivery of jamming signals. In particular, we propose a novel approach that allows for environment-adaptive spatial control of wireless jamming signals, granting a new degree of freedom to perform jamming attacks. We explore this novel method with extensive experimentation and demonstrate that our approach can disable the wireless communication of one or multiple victim devices while leaving neighboring devices unaffected. Notably, our method extends to challenging scenarios where wireless devices are very close to each other: We demonstrate complete denial-of-service of a Wi-Fi device while a second device located at a distance as close as 5 mm remains unaffected, sustaining wireless communication at a data rate of 25 Mbit/s. Lastly, we conclude by proposing potential countermeasures to thwart RIS-based spatial domain wireless jamming attacks.
Submitted 17 December, 2024; v1 submitted 21 February, 2024;
originally announced February 2024.
-
Stealing Maggie's Secrets -- On the Challenges of IP Theft Through FPGA Reverse Engineering
Authors:
Simon Klix,
Nils Albartus,
Julian Speith,
Paul Staat,
Alice Verstege,
Annika Wilde,
Daniel Lammers,
Jörn Langheinrich,
Christian Kison,
Sebastian Sester-Wehle,
Daniel Holcomb,
Christof Paar
Abstract:
Intellectual Property (IP) theft is a cause of major financial and reputational damage, reportedly in the range of hundreds of billions of dollars annually in the U.S. alone. Field Programmable Gate Arrays (FPGAs) are particularly exposed to IP theft, because their configuration file contains the IP in a proprietary format that can be mapped to a gate-level netlist with moderate effort. Despite this threat, the scientific understanding of this issue lags behind reality, thereby preventing an in-depth assessment of IP theft from FPGAs in academia. We address this discrepancy through a real-world case study on a Lattice iCE40 FPGA found inside the iPhone 7. Apple refers to this FPGA as Maggie. By reverse engineering the proprietary signal-processing algorithm implemented on Maggie, we generate novel insights into the actual efforts required to commit FPGA IP theft and the challenges an attacker faces on the way. Informed by our case study, we then introduce generalized netlist reverse engineering techniques that drastically reduce the required manual effort and are applicable across a diverse spectrum of FPGA implementations and architectures. We evaluate these techniques on six benchmarks that are representative of different FPGA applications and have been synthesized for Xilinx and Lattice FPGAs, as well as in an end-to-end white-box case study. Finally, we provide a comprehensive open-source tool suite of netlist reverse engineering techniques to foster future research, enable the community to perform realistic threat assessments, and facilitate the evaluation of novel countermeasures.
Submitted 3 September, 2024; v1 submitted 11 December, 2023;
originally announced December 2023.
-
RIS-Jamming: Breaking Key Consistency in Channel Reciprocity-based Key Generation
Authors:
Guyue Li,
Paul Staat,
Haoyu Li,
Markus Heinrichs,
Christian Zenger,
Rainer Kronberger,
Harald Elders-Boll,
Christof Paar,
Aiqun Hu
Abstract:
Channel Reciprocity-based Key Generation (CRKG) exploits reciprocal channel randomness to establish shared secret keys between wireless terminals. This new security technique is expected to complement existing cryptographic techniques for secret key distribution in future wireless networks. In this paper, we present a new attack, reconfigurable intelligent surface (RIS) jamming, and show that an attacker can prevent legitimate users from agreeing on the same key by deploying a malicious RIS to break channel reciprocity. Specifically, we elaborate on three examples to implement the RIS jamming attack: using active nonreciprocal circuits, performing time-varying controls, and reducing the signal-to-noise ratio. The attack effect is then studied by formulating the secret key rate with a relationship to the deployment of RIS. To resist such RIS jamming attacks, we propose a countermeasure that exploits wideband signals for multipath separation. The malicious RIS path is distinguished from all separated channel paths, and thus the countermeasure is referred to as contaminated path removal-based CRKG (CRP-CRKG). We present simulation results, showing that legitimate users under RIS jamming are still able to generate secret keys from the remaining paths. We also experimentally demonstrate the RIS jamming attack by using commodity Wi-Fi devices in conjunction with a fabricated RIS prototype. In our experiments, we were able to increase the average bit disagreement ratio (BDR) of raw secret keys by 20%. Further, we successfully demonstrate the proposed CRP-CRKG countermeasure to tackle RIS jamming in wideband systems as long as the source of randomness and the RIS propagation paths are separable.
Submitted 10 April, 2024; v1 submitted 13 March, 2023;
originally announced March 2023.
-
Analog Physical-Layer Relay Attacks with Application to Bluetooth and Phase-Based Ranging
Authors:
Paul Staat,
Kai Jansen,
Christian Zenger,
Harald Elders-Boll,
Christof Paar
Abstract:
Today, we use smartphones as multi-purpose devices that communicate with their environment to implement context-aware services, including asset tracking, indoor localization, contact tracing, or access control. As a de-facto standard, Bluetooth is available in virtually every smartphone to provide short-range wireless communication. Importantly, many Bluetooth-driven applications such as Phone as a Key (PaaK) for vehicles and buildings require proximity of legitimate devices, which must be protected against unauthorized access. In earlier access control systems, attackers were able to violate proximity verification through relay station attacks. However, the vulnerability of Bluetooth against such attacks was still unclear, as existing relay attack strategies are not applicable or can be defeated through wireless distance measurement. In this paper, we design and implement an analog physical-layer relay attack based on low-cost off-the-shelf radio hardware to simultaneously increase the wireless communication range and manipulate distance measurements. Using our setup, we successfully demonstrate relay attacks against Bluetooth-based access control of a car and a smart lock. Further, we show that our attack can arbitrarily manipulate Multi-Carrier Phase-based Ranging (MCPR) while relaying signals over 90 m.
Submitted 4 April, 2022; v1 submitted 14 February, 2022;
originally announced February 2022.
-
Reconfigurable Intelligent Surface for Physical Layer Key Generation: Constructive or Destructive?
Authors:
Guyue Li,
Lei Hu,
Paul Staat,
Harald Elders-Boll,
Christian Zenger,
Christof Paar,
Aiqun Hu
Abstract:
Physical layer key generation (PKG) is a promising means to provide on-the-fly shared secret keys by exploiting the intrinsic randomness of the radio channel. However, the performance of PKG is highly dependent on the propagation environment. Due to its ability to control the wireless environment, the reconfigurable intelligent surface (RIS) is an appealing addition to PKG. In this paper, in contrast to the existing literature, we investigate both the constructive and destructive effects of RIS on the PKG scheme. For the constructive aspect, we have identified static and wave-blockage environments as two RIS-empowered-PKG applications in future wireless systems. In particular, our experimental results in a static environment showed that RIS can enhance the entropy of the secret key, achieving a key generation rate (KGR) of 97.39 bit/s with a bit disagreement rate (BDR) of 0.083. In multi-user systems where some remote users are in worse channel conditions, the proposed RIS-assisted PKG algorithm improves the sum secret key rate by more than 2 dB, compared to the literature. Furthermore, we point out that RIS could be utilized by an attacker to perform new jamming and leakage attacks and give countermeasures, respectively. Finally, we outline future research directions for PKG systems in light of the RIS.
Submitted 7 April, 2022; v1 submitted 18 December, 2021;
originally announced December 2021.
-
Anti-Tamper Radio: System-Level Tamper Detection for Computing Systems
Authors:
Paul Staat,
Johannes Tobisch,
Christian Zenger,
Christof Paar
Abstract:
A whole range of attacks becomes possible when adversaries gain physical access to computing systems that process or contain sensitive data. Examples include side-channel analysis, bus probing, device cloning, or implanting hardware Trojans. Defending against these kinds of attacks is considered a challenging endeavor, requiring anti-tamper solutions to monitor the physical environment of the system. Current solutions range from simple switches, which detect if a case is opened, to meshes of conducting material that provide more fine-grained detection of integrity violations. However, these solutions suffer from an intricate trade-off between physical security on the one side and reliability, cost, and difficulty to manufacture on the other. In this work, we demonstrate that radio wave propagation in an enclosed system of complex geometry is sensitive to adversarial physical manipulation. We present an anti-tamper radio (ATR) solution as a method for tamper detection, which combines high detection sensitivity and reliability with ease of use. ATR constantly monitors the wireless signal propagation behavior within the boundaries of a metal case. Tamper attempts, such as the insertion of foreign objects, will alter the observed radio signal response, subsequently raising an alarm. The ATR principle is applicable in many computing systems that require physical security such as servers, ATMs, and smart meters. As a case study, we use 19" servers and thoroughly investigate capabilities and limits of the ATR. Using a custom-built automated probing station, we simulate probing attacks by inserting needles with high precision into protected environments. Our experimental results show that our ATR implementation can detect 16 mm insertions of needles of diameter as low as 0.1 mm under ideal conditions. In the more realistic environment of a running 19" server, we demonstrate reliable [...]
Submitted 16 December, 2021;
originally announced December 2021.
-
IRShield: A Countermeasure Against Adversarial Physical-Layer Wireless Sensing
Authors:
Paul Staat,
Simon Mulzer,
Stefan Roth,
Veelasha Moonsamy,
Markus Heinrichs,
Rainer Kronberger,
Aydin Sezgin,
Christof Paar
Abstract:
Wireless radio channels are known to contain information about the surrounding propagation environment, which can be extracted using established wireless sensing methods. Thus, today's ubiquitous wireless devices are attractive targets for passive eavesdroppers to launch reconnaissance attacks. In particular, by overhearing standard communication signals, eavesdroppers obtain estimations of wireless channels which can give away sensitive information about indoor environments. For instance, by applying simple statistical methods, adversaries can infer human motion from wireless channel observations, allowing them to remotely monitor the premises of victims. In this work, building on the advent of intelligent reflecting surfaces (IRSs), we propose IRShield as a novel countermeasure against adversarial wireless sensing. IRShield is designed as a plug-and-play privacy-preserving extension to existing wireless networks. At the core of IRShield, we design an IRS configuration algorithm to obfuscate wireless channels. We validate its effectiveness with extensive experimental evaluations. In a state-of-the-art human motion detection attack using off-the-shelf Wi-Fi devices, IRShield lowered detection rates to 5% or less.
Submitted 7 April, 2022; v1 submitted 3 December, 2021;
originally announced December 2021.
-
Mirror Mirror on the Wall: Wireless Environment Reconfiguration Attacks Based on Fast Software-Controlled Surfaces
Authors:
Paul Staat,
Harald Elders-Boll,
Markus Heinrichs,
Christian Zenger,
Christof Paar
Abstract:
The intelligent reflecting surface (IRS) is a promising new paradigm in wireless communications for meeting the growing connectivity demands in next-generation mobile networks. IRSs, also known as software-controlled metasurfaces, consist of an array of adjustable radio wave reflectors, enabling smart radio environments, e.g., for enhancing the signal-to-noise ratio (SNR) and spatial diversity of wireless channels. Research on IRS to date has been largely focused on constructive applications. In this work, we demonstrate for the first time that the IRS provides a practical low-cost toolkit for attackers to easily perform complex signal manipulation attacks on the physical layer in real time. We introduce the environment reconfiguration attack (ERA) as a novel class of jamming attacks in wireless radio networks. Here, an adversary leverages the IRS to rapidly vary the electromagnetic propagation environment to disturb legitimate receivers. The IRS gives the adversary a key advantage over traditional jamming: it no longer has to actively emit jamming signals; instead, the IRS reflects existing legitimate signals. In addition, the adversary does not need any knowledge about the legitimate channel. We thoroughly investigate the ERA in wireless systems based on the widely employed orthogonal frequency division multiplexing (OFDM) modulation. We present insights into the attack through analytical analysis, simulations, as well as experiments. Our results show that the ERA can severely degrade the available data rates even with reasonably small IRS sizes. Finally, we implement an attacker setup and demonstrate a practical ERA to slow down an entire Wi-Fi network.
Submitted 3 August, 2021; v1 submitted 4 July, 2021;
originally announced July 2021.
-
Full-Duplex meets Reconfigurable Surfaces: RIS-assisted SIC for Full-Duplex Radios
Authors:
Simon Tewes,
Markus Heinrichs,
Paul Staat,
Rainer Kronberger,
Aydin Sezgin
Abstract:
Reconfigurable intelligent surfaces (RIS) are a key enabler of various new applications in 6G smart radio environments. By utilizing an RIS prototype system, this paper aims to enhance self-interference (SI) cancellation for in-band full-duplex (FD) communication systems. SI suppression is a crucial requirement for FD communication as the SI severely limits the performance of a node by shadowing the received signal from a distant node with its own transmit signal. To this end, we propose to assist SI cancellation by exploiting an RIS to form a suitable cancellation signal in the analog domain. Building upon a 256-element RIS prototype, we present results of RIS-assisted SI cancellation from a practical testbed. Given an initial analog isolation of 44 dB provided by the antenna design, we are able to cancel the leaked signal by an additional 59 dB in the narrowband case, resulting in an overall SI suppression of 103 dB without additional digital cancellation. The presented case study shows promising performance to build an FD communication system on this foundation.
Submitted 4 March, 2022; v1 submitted 26 May, 2021;
originally announced May 2021.
-
Intelligent Reflecting Surface-Assisted Wireless Key Generation for Low-Entropy Environments
Authors:
Paul Staat,
Harald Elders-Boll,
Markus Heinrichs,
Rainer Kronberger,
Christian Zenger,
Christof Paar
Abstract:
Physical layer key generation is a promising candidate for cryptographic key establishment between two wireless communication parties. It offers information-theoretic security and is an attractive alternative to public-key techniques. Here, the inherent randomness of wireless radio channels is used as a shared entropy source to generate cryptographic key material. However, practical implementations often suffer from static channel conditions which exhibit a limited amount of randomness. In the past, considerable research efforts have been made to address this fundamental limitation. However, current solutions are either not generic or require dedicated hardware extensions such as reconfigurable antennas. In this paper, we propose a novel wireless key generation architecture based on randomized channel responses from an intelligent reflecting surface (IRS). Due to its passive nature, a cooperative IRS is well-suited to provide randomness for conventional resource-constrained radios. We conduct the first practical studies to successfully demonstrate IRS-based physical-layer key generation with an OFDM system. In a static environment, using a single subcarrier only, our IRS-assisted prototype system achieves a key generation rate (KGR) of 97.39 bps with a 6.5% key disagreement rate (KDR) after quantization, while passing standard randomness tests.
Submitted 6 March, 2021; v1 submitted 13 October, 2020;
originally announced October 2020.