-
Weak-Jamming Detection in IEEE 802.11 Networks: Techniques, Scenarios and Mobility
Authors:
Martijn Hanegraaf,
Savio Sciancalepore,
Gabriele Oligeri
Abstract:
State-of-the-art solutions detect jamming attacks ex-post, i.e., only when jamming has already disrupted the wireless communication link. In many scenarios, e.g., mobile networks or static deployments distributed over a large geographical area, it is often desired to detect jamming at the early stage, when it affects the communication link enough to be detected but not sufficiently to disrupt it (detection of weak jamming signals). Under such assumptions, devices can enhance situational awareness and promptly apply mitigation, e.g., moving away from the jammed area in mobile scenarios or changing communication frequency in static deployments, before jamming fully disrupts the communication link. Although some contributions recently demonstrated the feasibility of detecting low-power and weak jamming signals, they make simplistic assumptions far from real-world deployments. Given the current state of the art, no evidence exists that detection of weak jamming can be considered with real-world communication technologies. In this paper, we provide and comprehensively analyze new general-purpose strategies for detecting weak jamming signals, compatible by design with one of the most relevant communication technologies used by commercial-off-the-shelf devices, i.e., IEEE 802.11. We describe two operational modes: (i) binary classification via Convolutional Neural Networks and (ii) one-class classification via Sparse Autoencoders. We evaluate and compare the proposed approaches with the current state-of-the-art using data collected through an extensive real-world experimental campaign in three relevant environments. At the same time, we made the dataset available to the public. Our results demonstrate that detecting weak jamming signals is feasible in all considered real-world environments, and we provide an in-depth analysis considering different techniques, scenarios, and mobility patterns.
Submitted 26 May, 2025;
originally announced May 2025.
-
Cyber Spectrum Intelligence: Security Applications, Challenges and Road Ahead
Authors:
Savio Sciancalepore,
Gabriele Oligeri
Abstract:
Cyber Spectrum Intelligence (SpecInt) is emerging as a concept that extends beyond basic spectrum sensing and signal intelligence to encompass a broader set of capabilities and technologies aimed at monitoring the use of the radio spectrum and extracting information. SpecInt merges traditional spectrum sensing techniques with Artificial Intelligence (AI) and parallel processing to enhance the ability to extract and correlate simultaneous events occurring on various frequencies, allowing for a new wave of intelligence applications.
This paper provides an overview of the emerging SpecInt research area, characterizing the system architecture and the most relevant applications for cyber-physical security. We identify five subcategories of spectrum intelligence for cyber-physical security, encompassing Device Intelligence, Channel Intelligence, Location Intelligence, Communication Intelligence, and Ambient Intelligence. We also provide preliminary results based on an experimental testbed showing the viability, feasibility, and potential of this emerging application area. Finally, we point out current research challenges and future directions paving the way for further research in this domain.
Submitted 7 January, 2025;
originally announced January 2025.
-
Detection of Aerial Spoofing Attacks to LEO Satellite Systems via Deep Learning
Authors:
Jos Wigchert,
Savio Sciancalepore,
Gabriele Oligeri
Abstract:
Detecting spoofing attacks against Low-Earth-Orbit (LEO) satellite systems is a cornerstone of assessing the authenticity of the received information and guaranteeing robust service delivery in several application domains. The solutions available today for spoofing detection either rely on additional communication systems, receivers, and antennas, or require mobile deployments. Detection systems working at the Physical (PHY) layer of the satellite communication link also require time-consuming and energy-hungry training processes on all satellites of the constellation, and rely on the availability of spoofed data, which are often challenging to collect. Moreover, none of these contributions investigates the feasibility of aerial spoofing attacks launched via drones operating at various altitudes. In this paper, we propose a new spoofing detection technique for LEO satellite constellation systems, applying anomaly detection on the received PHY signal via autoencoders. We validate our solution through an extensive measurement campaign involving the deployment of an actual spoofer (a Software-Defined Radio) installed on a drone and injecting rogue IRIDIUM messages while flying at different altitudes with various movement patterns. Our results demonstrate that the proposed technique can reliably detect LEO spoofing attacks launched at different altitudes, while state-of-the-art competing approaches simply fail. We also release the collected data as open source, fostering further research on satellite security.
Submitted 22 May, 2025; v1 submitted 20 December, 2024;
originally announced December 2024.
-
HidePrint: Hiding the Radio Fingerprint via Random Noise
Authors:
Gabriele Oligeri,
Savio Sciancalepore
Abstract:
Radio Frequency Fingerprinting (RFF) techniques allow a receiver to authenticate a transmitter by analyzing the physical layer of the radio spectrum. Although the vast majority of scientific contributions focus on improving the performance of RFF considering different parameters and scenarios, in this work, we consider RFF as an attack vector to identify and track a target device.
We propose, implement, and evaluate HidePrint, a solution to prevent tracking through RFF without affecting the quality of the communication link between the transmitter and the receiver. HidePrint hides the transmitter's fingerprint against an illegitimate eavesdropper by injecting controlled noise in the transmitted signal. We evaluate our solution against state-of-the-art image-based RFF techniques considering different adversarial models, different communication links (wired and wireless), and different configurations. Our results show that the injection of a Gaussian noise pattern with a standard deviation of (at least) 0.02 prevents device fingerprinting in all the considered scenarios, thus making the performance of the identification process indistinguishable from the random guess while affecting the Signal-to-Noise Ratio (SNR) of the received signal by only 0.1 dB. Moreover, we introduce selective radio fingerprint disclosure, a new technique that allows the transmitter to disclose the radio fingerprint to only a subset of intended receivers. This technique allows the transmitter to regain anonymity, thus preventing identification and tracking while allowing authorized receivers to authenticate the transmitter without affecting the quality of the transmitted signal.
Submitted 10 November, 2024;
originally announced November 2024.
-
On the Reliability of Radio Frequency Fingerprinting
Authors:
Muhammad Irfan,
Savio Sciancalepore,
Gabriele Oligeri
Abstract:
Radio Frequency Fingerprinting (RFF) offers a unique method for identifying devices at the physical (PHY) layer based on their RF emissions due to intrinsic hardware differences. Nevertheless, RFF techniques depend on the ability to extract information from the PHY layer of the radio spectrum by resorting to Software Defined Radios (SDR). Previous works have highlighted the so-called "Day-After-Tomorrow" effect, i.e., an intrinsic issue of SDRs leading to a fingerprint mutation following a radio power cycle. In this work, we extend such a study by demonstrating that fingerprint mutations appear every time a new FPGA image is reloaded, i.e., when the SDR initiates a new communication. In this context, we provide an in-depth analysis of the reliability of RFF over multiple FPGA image reloading operations, highlighting its ephemeral and mutational nature. We introduce a methodology for abstracting fingerprint mutations into a graph and provide a theoretical framework for assessing fingerprint reliability. Our results show that the common assumption of considering the RF fingerprint as unique and always persistent is incorrect. By combining real-world measurements, high-performance SDRs, and state-of-the-art deep learning techniques, we experimentally demonstrate that radio devices feature multiple fingerprints that can be clustered according to shared features. Moreover, we show that the RF fingerprint is a time-independent probabilistic phenomenon, which requires the collection of multiple samples to achieve the necessary reliability.
Submitted 17 August, 2024;
originally announced August 2024.
-
Obfuscated Location Disclosure for Remote ID Enabled Drones
Authors:
Alessandro Brighente,
Mauro Conti,
Matthijs Schotsman,
Savio Sciancalepore
Abstract:
The Remote ID (RID) regulation recently introduced by several aviation authorities worldwide (including the US and EU) forces commercial drones to regularly (at most every second) broadcast plaintext messages on the wireless channel, providing information about the drone identifier and current location, among others. Although these regulations increase the accountability of drone operations and improve traffic management, they allow malicious users to track drones via the disclosed information, possibly leading to drone capture and severe privacy leaks. In this paper, we propose Obfuscated Location disclOsure for RID-enabled drones (OLO-RID), a solution modifying and extending the RID regulation while preserving drones' location privacy. Rather than disclosing the drone's actual location, drones equipped with OLO-RID disclose a differentially private obfuscated location in a mobile scenario. OLO-RID also extends RID messages with encrypted location information, accessible only by authorized entities and valuable for obtaining the drone's current location in safety-critical use cases. We design, implement, and deploy OLO-RID on a Raspberry Pi 3 and release the code of our implementation as open source. We also perform an extensive performance assessment of the runtime overhead of our solution in terms of processing, communication, memory, and energy consumption. We show that OLO-RID can generate RID messages on a constrained device in less than 0.16 s while also requiring a minimal energy toll on a relevant device (0.0236% of energy for a DJI Mini 2). We also evaluate the utility of the proposed approach in the context of three reference use cases involving the drones' location usage, demonstrating minimal performance degradation when trading off location privacy and utility for next-generation RID-compliant drone ecosystems.
Submitted 19 July, 2024;
originally announced July 2024.
-
Preventing Radio Fingerprinting through Low-Power Jamming
Authors:
Muhammad Irfan,
Savio Sciancalepore,
Gabriele Oligeri
Abstract:
Radio Frequency fingerprinting enables a passive receiver to recognize and authenticate a transmitter without the need for cryptographic tools. Authentication is achieved by isolating specific features of the transmitted signal that are unique to the transmitter's hardware. Much research has focused on improving the effectiveness and efficiency of radio frequency fingerprinting to maximize its performance in various scenarios and conditions, while little research has examined how to protect devices from being subjected to radio fingerprinting in the wild.
In this paper, we explore a novel point of view. We examine the threat posed by radio frequency fingerprinting, which facilitates the unauthorized identification of wireless devices in the field by malicious entities. We also suggest a method to sanitize the transmitted signal of its fingerprint using a low-power jammer, deployed on purpose to improve devices' anonymity on the channel while still guaranteeing the link's quality of service. Our experimental results and subsequent analysis demonstrate that a low-power jammer can effectively block a malicious eavesdropper from identifying a device without affecting the quality of the wireless link, thereby restoring the privacy of the user when accessing the radio spectrum.
Submitted 2 April, 2025; v1 submitted 11 July, 2024;
originally announced July 2024.
-
Radio Frequency Fingerprinting via Deep Learning: Challenges and Opportunities
Authors:
Saeif Al-Hazbi,
Ahmed Hussain,
Savio Sciancalepore,
Gabriele Oligeri,
Panos Papadimitratos
Abstract:
Radio Frequency Fingerprinting (RFF) techniques promise to authenticate wireless devices at the physical layer based on inherent hardware imperfections introduced during manufacturing. Such RF transmitter imperfections are reflected in over-the-air signals, allowing receivers to accurately identify the RF transmitting source. Recent advances in Machine Learning, particularly in Deep Learning (DL), have improved the ability of RFF systems to extract and learn the complex features that make up the device-specific fingerprint. However, integrating DL techniques with RFF and operating the system in real-world scenarios presents numerous challenges, originating from both the embedded systems and the DL research domains. This paper systematically identifies and analyzes the essential considerations and challenges encountered in the creation of DL-based RFF systems across their typical development life-cycle, which includes (i) data collection and preprocessing, (ii) training, and finally, (iii) deployment. Our investigation provides a comprehensive overview of the current open problems that prevent real deployment of DL-based RFF systems, while also discussing promising research opportunities to enhance the overall accuracy, robustness, and privacy of these systems.
Submitted 15 April, 2024; v1 submitted 25 October, 2023;
originally announced October 2023.
-
Watch Nearby! Privacy Analysis of the People Nearby Service of Telegram
Authors:
Maurantonio Caprolu,
Savio Sciancalepore,
Aleksandar Grigorov,
Velyan Kolev,
Gabriele Oligeri
Abstract:
People Nearby is a service offered by Telegram that allows a user to discover other Telegram users, based only on geographical proximity. Nearby users are reported with a rough estimate of their distance from the position of the reference user, allowing Telegram to claim location privacy. In this paper, we systematically analyze the location privacy provided by Telegram to users of the People Nearby service. Through an extensive measurement campaign run by spoofing the user's location all over the world, we reverse-engineer the algorithm adopted by People Nearby to compute distances between users. Although the service protects against precise user localization, we demonstrate that location privacy is always lower than the 500 meters declared by Telegram. Specifically, we discover that location privacy is a function of the geographical position of the user. Indeed, the radius of the location privacy area (localization error) spans between 400 meters (close to the equator) and 128 meters (close to the poles), with a difference of up to 75% (worst case) compared to what Telegram declares. After our responsible disclosure, Telegram updated the FAQ associated with the service. Finally, we provide some solutions and countermeasures that Telegram can implement to improve location privacy. In general, the reported findings highlight the significant privacy risks associated with using the People Nearby service.
Submitted 20 October, 2023;
originally announced October 2023.
-
Jamming Detection in Low-BER Mobile Indoor Scenarios via Deep Learning
Authors:
Savio Sciancalepore,
Fabrice Kusters,
Nada Khaled Abdelhadi,
Gabriele Oligeri
Abstract:
The current state of the art on jamming detection relies on link-layer metrics. A few examples are the bit-error-rate (BER), the packet delivery ratio, the throughput, and the increase in the signal-to-noise ratio (SNR). As a result, these techniques can only detect jamming ex-post, i.e., once the attack has already taken down the communication link. These solutions are unfit for mobile devices, e.g., drones, which might lose the connection to the remote controller, being unable to predict the attack.
Our solution is rooted in the idea that a drone unknowingly flying toward a jammed area experiences an increasing effect of the jamming, e.g., in terms of BER and SNR. Therefore, drones might use the above-mentioned phenomenon to detect jamming before the decrease of the BER and the increase of the SNR completely disrupt the communication link. Such an approach would allow drones and their pilots to make informed decisions and maintain complete control of navigation, enhancing security and safety.
This paper proposes Bloodhound+, a solution for jamming detection on mobile devices in low-BER regimes. Our approach analyzes raw physical-layer information (I-Q samples) acquired from the wireless channel. We assemble this information into grayscale images and use sparse autoencoders to detect image anomalies caused by jamming attacks. To test our solution against a wide set of configurations, we acquired a large dataset of indoor measurements using multiple hardware platforms, jamming strategies, and communication parameters. Our results indicate that Bloodhound+ can detect indoor jamming up to 20 meters from the jamming source at the minimum available relative jamming power, with a minimum accuracy of 99.7%. Our solution is also robust to the various sampling rates adopted by the jammer and to the type of signal used for jamming.
Submitted 12 December, 2023; v1 submitted 19 June, 2023;
originally announced June 2023.
-
The Day-After-Tomorrow: On the Performance of Radio Fingerprinting over Time
Authors:
Saeif Alhazbi,
Savio Sciancalepore,
Gabriele Oligeri
Abstract:
The performance of Radio Frequency (RF) Fingerprinting (RFF) techniques is negatively impacted when the training data is not temporally close to the testing data. This can limit the practical implementation of physical-layer authentication solutions. To circumvent this problem, current solutions involve collecting training and testing datasets at close time intervals -- this being detrimental to the real-life deployment of any physical-layer authentication solution. We refer to this issue as the Day-After-Tomorrow (DAT) effect, being widely attributed to the temporal variability of the wireless channel, which masks the physical-layer features of the transmitter, thus impairing the fingerprinting process.
In this work, we investigate the DAT effect shedding light on its root causes. Our results refute previous knowledge by demonstrating that the DAT effect is not solely caused by the variability of the wireless channel. Instead, we prove that it is also due to the power cycling of the radios, i.e., the turning off and on of the radios between the collection of training and testing data. We show that state-of-the-art RFF solutions double their performance when the devices under test are not power cycled, i.e., the accuracy increases from about 0.5 to about 1 in a controlled scenario. Finally, we show how to mitigate the DAT effect in real-world scenarios, through pre-processing of the I-Q samples. Our experimental results show a significant improvement in accuracy, from approximately 0.45 to 0.85. Additionally, we reduce the variance of the results, making the overall performance more reliable.
Submitted 17 October, 2023; v1 submitted 9 May, 2023;
originally announced May 2023.
-
$A^2RID$ -- Anonymous Direct Authentication and Remote Identification of Commercial Drones
Authors:
Eva Wisse,
Pietro Tedeschi,
Savio Sciancalepore,
Roberto Di Pietro
Abstract:
The recent worldwide introduction of RemoteID (RID) regulations forces all Unmanned Aircraft (UAs), a.k.a. drones, to broadcast their identity and real-time location in plaintext on the wireless channel, for accounting and monitoring purposes. Although improving drones' monitoring and situational awareness, the RID rule also generates significant privacy concerns for UA operators, who are threatened by the ease of tracking UAs and by the confidentiality and privacy issues connected with the broadcasting of plaintext identity information. In this paper, we propose $A^2RID$, a protocol suite for anonymous direct authentication and remote identification of heterogeneous commercial UAs. $A^2RID$ integrates and adapts protocols for anonymous message signing to work in the UA domain, coping with the constraints of commercial drones and the tight real-time requirements imposed by the RID regulation. Overall, the protocols in the $A^2RID$ suite allow a UA manufacturer to pick the configuration that best suits the capabilities and constraints of the drone, i.e., either a processing-intensive but memory-lightweight solution (namely, $CS-A^2RID$) or a computationally-friendly but memory-hungry approach (namely, $DS-A^2RID$). Besides formally defining the protocols and formally proving their security in our setting, we also implement and test them on real heterogeneous hardware platforms, i.e., the Holybro X-500 and the ESPcopter, releasing the produced code as open source. For all the protocols, we demonstrated experimentally the capability of generating anonymous RemoteID messages well below the time bound of $1$ second required by RID, while at the same time having quite a limited impact on the energy budget of the drone.
Submitted 1 February, 2023; v1 submitted 21 October, 2022;
originally announced October 2022.
-
Hide and Seek -- Preserving Location Privacy and Utility in the Remote Identification of Unmanned Aerial Vehicles
Authors:
Alessandro Brighente,
Mauro Conti,
Savio Sciancalepore
Abstract:
Due to the frequent unauthorized access by commercial drones to Critical Infrastructures (CIs) such as airports and oil refineries, the US-based Federal Avionics Administration (FAA) recently published a new specification, namely RemoteID. The aforementioned rule mandates that all Unmanned Aerial Vehicles (UAVs) broadcast information about their identity and location wirelessly to allow for immediate invasion attribution. However, the enforcement of such a rule poses severe concerns for UAV operators, especially in terms of location privacy and tracking threats, to name a few. Indeed, by simply eavesdropping on the wireless channel, an adversary could learn the precise location of the UAV and track it, as well as obtain sensitive information on the path source and destination of the UAV. In this paper, we investigate the trade-off between location privacy and data utility that can be provided to UAVs when obfuscating the broadcasted location through differential privacy techniques. Leveraging the concept of Geo-Indistinguishability (Geo-Ind), already adopted in the context of Location-Based Services (LBS), we show that it is possible to enhance the privacy of the UAVs without preventing CI operators from timely detecting unauthorized invasions. In particular, our experiments showed that when the location of a UAV is obfuscated with an average distance of 1.959 km, a carefully designed UAV detection system can detect 97.9% of invasions, with an average detection delay of 303.97 msec. The UAVs have to trade off such enhanced location privacy against a non-negligible probability of false positives, i.e., being detected as invading while not really invading the no-fly zone. UAVs and CI operators can solve such ambiguous situations later on through the help of the FAA, the latter being the only one that can unveil the actual location of the UAV.
Submitted 27 May, 2022;
originally announced May 2022.
-
Satellite-Based Communications Security: A Survey of Threats, Solutions, and Research Challenges
Authors:
Pietro Tedeschi,
Savio Sciancalepore,
Roberto Di Pietro
Abstract:
Satellite-based Communication systems are gaining renewed momentum in Industry and Academia, thanks to innovative services introduced by leading tech companies and the promising impact they can deliver towards the global connectivity objective tackled by early 6G initiatives. On the one hand, the emergence of new manufacturing processes and radio technologies promises to reduce service costs while guaranteeing outstanding communication latency, available bandwidth, flexibility, and coverage range. On the other hand, the cybersecurity techniques and solutions applied in SATCOM links should be updated to reflect the substantial advancements in attacker capabilities characterizing the last two decades. However, business urgency and opportunities are leading operators towards challenging system trade-offs, resulting in an increased attack surface and a general relaxation of the available security services. In this paper, we tackle the cited problems and present a comprehensive survey on the link-layer security threats, solutions, and challenges faced when deploying and operating SATCOM systems. Specifically, we classify the literature on security for SATCOM systems into two main branches, i.e., physical-layer security and cryptography schemes. Then, we further identify specific research domains for each of the identified branches, focusing on dedicated security issues, including, e.g., physical-layer confidentiality, anti-jamming schemes, anti-spoofing strategies, and quantum-based key distribution schemes. For each of the above domains, we highlight the most essential techniques, peculiarities, advantages, disadvantages, lessons learned, and future directions. Finally, we also identify emerging research topics whose additional investigation by Academia and Industry could further attract researchers and investors, ultimately unleashing the full potential behind ubiquitous satellite communications.
Submitted 29 July, 2022; v1 submitted 21 December, 2021;
originally announced December 2021.
-
PAST-AI: Physical-layer Authentication of Satellite Transmitters via Deep Learning
Authors:
Gabriele Oligeri,
Simone Raponi,
Savio Sciancalepore,
Roberto Di Pietro
Abstract:
Physical-layer security is regaining traction in the research community, due to the performance boost introduced by deep learning classification algorithms. This is particularly true for sender authentication in wireless communications via radio fingerprinting. However, previous research efforts mainly focused on terrestrial wireless devices while, to the best of our knowledge, none of the previous work took into consideration satellite transmitters. The satellite scenario is generally challenging because, among others, satellite radio transducers feature non-standard electronics (usually aged and specifically designed for harsh conditions). Moreover, the fingerprinting task is specifically difficult for Low-Earth Orbit (LEO) satellites (like the ones we focus on in this paper) since they orbit at about 800 km from the Earth, at a speed of around 25,000 km/h, thus making the receiver experience a down-link with unique attenuation and fading characteristics. In this paper, we propose PAST-AI, a methodology tailored to authenticate LEO satellites through fingerprinting of their IQ samples, using advanced AI solutions. Our methodology is tested on real data -- more than 100M I/Q samples -- collected from an extensive measurement campaign on the IRIDIUM LEO satellite constellation, lasting 589 hours. Results are striking: we prove that Convolutional Neural Networks (CNN) and autoencoders (if properly calibrated) can be successfully adopted to authenticate the satellite transducers, with an accuracy spanning between 0.8 and 1, depending on prior assumptions. The proposed methodology, the achieved results, and the provided insights, other than being interesting on their own, when associated with the dataset that we made publicly available, will also pave the way for future research in the area.
Submitted 12 October, 2020;
originally announced October 2020.
-
GNSS Spoofing Detection via Opportunistic IRIDIUM Signals
Authors:
Gabriele Oligeri,
Savio Sciancalepore,
Roberto Di Pietro
Abstract:
In this paper, we study the privately-owned IRIDIUM satellite constellation, to provide a location service that is independent of the GNSS. In particular, we apply our findings to propose a new GNSS spoofing detection solution, exploiting unencrypted IRIDIUM Ring Alert (IRA) messages that are broadcast by IRIDIUM satellites. We first reverse-engineer many parameters of the IRIDIUM satellite constellation, such as the satellites' speed, packet inter-arrival times, maximum satellite coverage, satellite pass duration, and the satellite beam constellation, to name a few. Later, we adopt the aforementioned statistics to create a detailed model of the satellite network. Subsequently, we propose a solution to detect unintended deviations of a target user from his path, due to GNSS spoofing attacks. We show that our solution can be used efficiently and effectively to verify the position estimated from the standard GNSS satellite constellation, and we provide constraints and parameters to fit several application scenarios. All the results reported in this paper, while showing the quality and viability of our proposal, are supported by real data. In particular, we have collected and analyzed hundreds of thousands of IRA messages, thanks to a measurement campaign lasting several days. All the collected data ($1000+$ hours) have been made available to the research community. Our solution is particularly suitable for unattended scenarios such as deserts, rural areas, or open seas, where standard spoofing detection techniques resorting to crowd-sourcing cannot be used due to deployment limitations. Moreover, contrary to competing solutions, our approach does not resort to physical-layer information, dedicated hardware, or multiple receiving stations, while exploiting only a single receiving antenna and publicly-available IRIDIUM transmissions. Finally, novel research directions are also highlighted.
Submitted 18 June, 2020;
originally announced June 2020.
-
Noise2Weight: On Detecting Payload Weight from Drones Acoustic Emissions
Authors:
Omar Adel Ibrahim,
Savio Sciancalepore,
Roberto Di Pietro
Abstract:
The increasing popularity of autonomous and remotely-piloted drones has paved the way for several use-cases, e.g., merchandise delivery and surveillance. In many scenarios, estimating with zero-touch the weight of the payload carried by a drone before its physical approach could be attractive, e.g., to provide an early tampering detection.
In this paper, we investigate the possibility of remotely detecting the weight of the payload carried by a commercial drone by analyzing its acoustic fingerprint. We characterize the difference in the thrust needed by the drone to carry different payloads, resulting in significant variations of the related acoustic fingerprint. We applied the above findings to different use-cases, characterized by different computational capabilities of the detection system. Results are striking: using the Mel-Frequency Cepstral Coefficients (MFCC) components of the audio signal and different Support Vector Machine (SVM) classifiers, we achieved a minimum classification accuracy of 98% in the detection of the specific payload class carried by the drone, using an acquisition time of 0.25 s; performance improves when using longer acquisition times.
All the data used for our analysis have been released as open-source, to enable the community to validate our findings and use such data as a ready-to-use basis for further investigations.
Submitted 4 May, 2020;
originally announced May 2020.
-
Security in Energy Harvesting Networks: A Survey of Current Solutions and Research Challenges
Authors:
Pietro Tedeschi,
Savio Sciancalepore,
Roberto Di Pietro
Abstract:
The recent advancements in hardware miniaturization capabilities have boosted the diffusion of systems based on Energy Harvesting (EH) technologies, as a means to power embedded wireless devices in a sustainable and low-cost fashion. Despite the undeniable management advantages, the intermittent availability of the energy source and the limited power supply have led to challenging system trade-offs, resulting in an increased attack surface and a general relaxation of the available security services.
In this paper, we survey the security issues, applications, techniques, and challenges arising in wireless networks powered via EH technologies. We explore the vulnerabilities of EH networks, and we provide a comprehensive overview of the scientific literature, including attack vectors, cryptography techniques, physical-layer security schemes for data secrecy, and additional physical-layer countermeasures. For each of the identified macro-areas, we compare the scientific contributions across a range of shared features, indicating the pros and cons of the described techniques, the research challenges, and a few future directions. Finally, we also provide an overview of the emerging topics in the area, such as Non-Orthogonal Multiple Access (NOMA) and Rate-Splitting Multiple Access (RSMA) schemes, and Intelligent Reconfigurable Surfaces, that could trigger the interest of industry and academia and unleash the full potential of pervasive EH wireless networks.
Submitted 19 August, 2020; v1 submitted 22 April, 2020;
originally announced April 2020.
-
Vessels Cybersecurity: Issues, Challenges, and the Road Ahead
Authors:
Maurantonio Caprolu,
Roberto Di Pietro,
Simone Raponi,
Savio Sciancalepore,
Pietro Tedeschi
Abstract:
Vessels cybersecurity is recently gaining momentum, as a result of a few recent attacks on vessels at sea. These recent attacks have shaken the maritime domain, which was thought to be relatively immune to cyber threats. The cited belief is now over, as proved by recent mandates issued by the International Maritime Organization (IMO). According to these regulations, all vessels should be the subject of a cybersecurity risk analysis, and technical controls should be adopted to mitigate the resulting risks. This initiative is laudable since, despite the recent incidents, the vulnerabilities and threats affecting modern vessels are still unclear to operating entities, leaving the potential for dreadful consequences of further attacks just a matter of "when", not "if". In this contribution, we investigate and systematize the major security weaknesses affecting systems and communication technologies adopted in modern vessels. Specifically, we describe the architecture and main features of the different systems, pointing out their main security issues, and specifying how they were exploited by attackers to cause service disruption and relevant financial losses. We also identify a few countermeasures to the introduced attacks. Finally, we highlight a few research challenges to be addressed by industry and academia to strengthen vessel security.
Submitted 4 March, 2020;
originally announced March 2020.
-
MAGNETO: Fingerprinting USB Flash Drives via Unintentional Magnetic Emissions
Authors:
Omar Adel Ibrahim,
Savio Sciancalepore,
Gabriele Oligeri,
Roberto Di Pietro
Abstract:
Universal Serial Bus (USB) Flash Drives are nowadays one of the most convenient and diffused means to transfer files, especially when no Internet connection is available. However, USB flash drives are also one of the most common attack vectors used to gain unauthorized access to host devices. For instance, it is possible to replace a USB drive so that, when the USB key is connected, it installs password-stealing tools, root-kit software, and other disrupting malware. In such a way, an attacker can steal sensitive information via the USB-connected devices, as well as inject any kind of malicious software into the host.
To thwart the above-cited rising threats, we propose MAGNETO, an efficient, non-interactive, and privacy-preserving framework to verify the authenticity of a USB flash drive, rooted in the analysis of its unintentional magnetic emissions. We show that the magnetic emissions radiated during boot operations on a specific host are unique for each device, and sufficient to uniquely fingerprint both the brand and the model of the USB flash drive, or the specific USB device, depending on the used equipment. Our investigation of 59 different USB flash drives---belonging to 17 brands, including the top brands purchased on Amazon in mid-2019---reveals a minimum classification accuracy of 98.2% in the identification of both brand and model, accompanied by a negligible time and computational overhead. MAGNETO can also identify the specific USB flash drive, with a minimum classification accuracy of 91.2%. Overall, MAGNETO proves that unintentional magnetic emissions can be considered as a viable and reliable means to fingerprint read-only USB flash drives. Finally, future research directions in this domain are also discussed.
Submitted 12 September, 2020; v1 submitted 14 February, 2020;
originally announced February 2020.
-
Road Traffic Poisoning of Navigation Apps: Threats and Countermeasures
Authors:
Simone Raponi,
Savio Sciancalepore,
Gabriele Oligeri,
Roberto Di Pietro
Abstract:
Assisted-navigation applications have a relevant impact on our daily life. However, technological progress in virtualization technologies and Software-Defined Radios recently enabled new attack vectors, namely, road traffic poisoning. These attacks open up several dreadful scenarios, which are addressed in this contribution by identifying the associated challenges and proposing innovative countermeasures.
Submitted 5 May, 2021; v1 submitted 12 February, 2020;
originally announced February 2020.
-
Short-Range Audio Channels Security: Survey of Mechanisms, Applications, and Research Challenges
Authors:
Maurantonio Caprolu,
Savio Sciancalepore,
Roberto Di Pietro
Abstract:
Short-range audio channels have a few distinguishing characteristics: ease of use, low deployment costs, and easy-to-tune frequencies, to cite a few. Moreover, thanks to their seamless adaptability to the security context, many techniques and tools based on audio signals have been recently proposed. However, while the most promising solutions are turning into valuable commercial products, acoustic channels are increasingly used also to launch attacks against systems and devices, leading to security concerns that could thwart their adoption. To provide a rigorous, scientific, security-oriented review of the field, in this paper we survey and classify methods, applications, and use-cases rooted in short-range audio channels for the provisioning of security services---including Two-Factor Authentication techniques, pairing solutions, device authorization strategies, defense methodologies, and attack schemes. Moreover, we also point out the strengths and weaknesses deriving from the use of short-range audio channels. Finally, we provide open research issues in the context of short-range audio channels security, calling for contributions from both academia and industry.
Submitted 28 January, 2020; v1 submitted 9 January, 2020;
originally announced January 2020.
-
BrokenStrokes: On the (in)Security of Wireless Keyboards
Authors:
Gabriele Oligeri,
Savio Sciancalepore,
Simone Raponi,
Roberto Di Pietro
Abstract:
Wireless devices resorting to event-triggered communications have been proven to suffer from critical privacy issues, due to the intrinsic leakage associated with radio-frequency (RF) emissions. In this paper, we move the attack frontier forward by proposing BrokenStrokes: an inexpensive, easy to implement, efficient, and effective attack able to detect the typing of a pre-defined keyword by only eavesdropping on the communication channel used by the wireless keyboard. BrokenStrokes proves itself to be a particularly dreadful attack: it achieves its goal when the eavesdropping antenna is up to 15 meters from the target keyboard, regardless of the encryption scheme, the communication protocol, the presence of radio noise, and the presence of physical obstacles. While we detail the attack in three current scenarios and discuss its striking performance (its success probability exceeds 90% in normal operating conditions), we also provide some suggestions on how to mitigate it. The data utilized in this paper have been released as open-source to allow practitioners, industries, and academia to verify our claims and use them as a basis for further developments.
Submitted 21 May, 2020; v1 submitted 9 October, 2019;
originally announced October 2019.
-
PiNcH: an Effective, Efficient, and Robust Solution to Drone Detection via Network Traffic Analysis
Authors:
Savio Sciancalepore,
Omar Adel Ibrahim,
Gabriele Oligeri,
Roberto Di Pietro
Abstract:
We propose PiNcH, a methodology to detect the presence of a drone, its current status, and its movements by leveraging just the communication traffic exchanged between the drone and its Remote Controller (RC). PiNcH is built by applying standard classification algorithms to the eavesdropped traffic, analyzing features such as packet inter-arrival time and size. PiNcH is fully passive and it requires just cheap and general-purpose hardware. To evaluate the effectiveness of our solution, we collected real communication traces generated by a drone running the widespread ArduCopter open-source firmware, currently mounted on board a wide range (30+) of commercial amateur drones. We tested our solution against different publicly available wireless traces. The results prove that PiNcH can efficiently and effectively: (i) identify the presence of the drone in several heterogeneous scenarios; (ii) identify the current state of a powered-on drone, i.e., flying or lying on the ground; (iii) discriminate the movements of the drone; and, finally, (iv) enjoy a reduced upper bound on the time required to identify a drone with the requested level of assurance. The effectiveness of PiNcH has also been evaluated in the presence of both heavy packet loss and evasion attacks. In this latter case, the adversary modifies on purpose the profile of the traffic of the drone-RC link to avoid detection. In both the cited cases, PiNcH continues to enjoy a remarkable performance. Further, the comparison against a state-of-the-art solution confirms the superior performance of PiNcH in several scenarios. Note that all the drone-controller generated data traces have been released as open-source, to allow replicability and foster follow-up. Finally, the quality and viability of our solution prove that network traffic analysis can be successfully adopted for drone identification and status discrimination.
Submitted 7 December, 2019; v1 submitted 11 January, 2019;
originally announced January 2019.
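The PiNcH abstract above describes classifying eavesdropped drone-RC traffic from packet inter-arrival times and sizes. The following is an added illustration of that approach, not PiNcH's own code, data or classifier: it reduces windows of (timestamp, size) pairs to four statistics (mean and standard deviation of inter-arrival time and of size) and labels them with a nearest-centroid rule on standardized features. The two synthetic trace generators, the 50-packet window and the choice of nearest-centroid as the "standard classification algorithm" are assumptions made here; the PiNcH paper's traces and feature set are not reproduced.

```python
"""Traffic-profile classification in the spirit of PiNcH.
Added illustration with constructed traces; not PiNcH's code or data."""
import random
from statistics import mean, pstdev

WINDOW = 50  # packets per feature window (assumed value, not from the paper)


def features(packets):
    """packets: list of (timestamp_s, size_bytes) sorted by time.
    Returns (mean IAT, std IAT, mean size, std size)."""
    iats = [b[0] - a[0] for a, b in zip(packets, packets[1:])]
    sizes = [size for _, size in packets]
    return (mean(iats), pstdev(iats), mean(sizes), pstdev(sizes))


def windows(packets, size=WINDOW):
    """Split a trace into consecutive non-overlapping windows."""
    return [packets[i:i + size] for i in range(0, len(packets) - size + 1, size)]


class CentroidClassifier:
    """Nearest-centroid classifier on z-scored features (assumed algorithm)."""

    def __init__(self):
        self.centroids = {}
        self.scale = []

    def fit(self, labelled):
        # labelled: list of (feature_vector, label)
        dims = len(labelled[0][0])
        # per-dimension scale so that byte sizes do not dominate seconds
        self.scale = [pstdev([f[d] for f, _ in labelled]) or 1.0 for d in range(dims)]
        by_label = {}
        for f, lab in labelled:
            by_label.setdefault(lab, []).append(f)
        self.centroids = {lab: [mean([f[d] for f in fs]) for d in range(dims)]
                          for lab, fs in by_label.items()}

    def _dist(self, f, c):
        return sum(((a - b) / s) ** 2 for a, b, s in zip(f, c, self.scale))

    def predict(self, f):
        return min(self.centroids, key=lambda lab: self._dist(f, self.centroids[lab]))


# Constructed traces (not real captures): drone-RC links carry small, nearly
# periodic command/telemetry packets; background Wi-Fi traffic is bursty with
# widely varying frame sizes.
def synth_drone_rc(rng, n):
    t, out = 0.0, []
    for _ in range(n):
        t += rng.uniform(0.018, 0.022)           # ~50 packets/s with jitter
        out.append((t, rng.choice((64, 72, 80))))
    return out


def synth_background(rng, n):
    t, out = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1 / 0.05)           # Poisson-like arrivals
        out.append((t, rng.randint(100, 1500)))
    return out


def train_classifier(rng):
    train = ([(features(w), "drone") for w in windows(synth_drone_rc(rng, 2000))] +
             [(features(w), "other") for w in windows(synth_background(rng, 2000))])
    clf = CentroidClassifier()
    clf.fit(train)
    return clf


def evaluate(seed=1):
    """Train on one set of constructed traces, report accuracy on fresh ones."""
    rng = random.Random(seed)
    clf = train_classifier(rng)
    test = ([(features(w), "drone") for w in windows(synth_drone_rc(rng, 1000))] +
            [(features(w), "other") for w in windows(synth_background(rng, 1000))])
    correct = sum(clf.predict(f) == lab for f, lab in test)
    return correct / len(test)


if __name__ == "__main__":
    print("held-out accuracy on constructed traces:", evaluate())
```

The evasion attack mentioned in the abstract corresponds, in this toy, to an adversary padding packet sizes or jittering the send schedule so that the drone windows drift toward the "other" centroid; the abstract reports that PiNcH tolerates this, which this simple rule would not necessarily do.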
-
SOS - Securing Open Skies
Authors:
Savio Sciancalepore,
Roberto Di Pietro
Abstract:
Automatic Dependent Surveillance - Broadcast (ADS-B) is the next generation communication technology selected for allowing commercial and military aircraft to deliver flight information to both ground base stations and other airplanes. Today, it is already on board 80% of commercial aircraft, and it will become mandatory by 2020 in the US and the EU. ADS-B has been designed without any security consideration --- messages are delivered wirelessly in clear text and they are not authenticated. In this paper we propose Securing Open Skies (SOS), a lightweight and standard-compliant framework for securing ADS-B technology wireless communications. SOS leverages the well-known μTESLA protocol, and includes some modifications necessary to deal with the severe bandwidth constraints of the ADS-B communication technology. In addition, SOS is resilient against message injection attacks, by resorting to majority voting techniques applied on central community servers. Overall, SOS emerges as a lightweight security solution, with a limited bandwidth overhead, that does not require any modification to the hardware already deployed. Further, SOS is standard compliant and able to reject active adversaries aiming at disrupting the correct functioning of the communication system. Finally, comparisons against state-of-the-art solutions show the superior quality and viability of our solution.
Submitted 27 November, 2018; v1 submitted 24 September, 2018;
originally announced September 2018.
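The SOS abstract above builds on μTESLA, whose core is a one-way hash chain of keys released with a delay. The following is an added example of plain μTESLA broadcast authentication, not the SOS implementation: the ADS-B-specific modifications the abstract mentions (bandwidth reduction, majority voting at community servers) are not reproduced, the 8-byte truncated tag and SHA-256 are choices made here, and time intervals are simulated with explicit integers instead of a loosely synchronised clock. It shows the part that matters for security: a receiver must refuse any packet whose key may already be public, and must verify a disclosed key against its commitment before using it.

```python
"""Toy μTESLA: hash-chain keys, MAC now, disclose the key later.
Added illustration; not SOS's code. Interval numbers stand in for clock time."""
import hashlib
import hmac
import secrets
from collections import defaultdict

MAC_LEN = 8  # truncated tag length; an assumption here, not SOS's parameter


def H(key):
    return hashlib.sha256(key).digest()


def make_chain(n, seed=None):
    """keys[n] is random; keys[i] = H(keys[i+1]); keys[0] is the commitment."""
    keys = [b""] * (n + 1)
    keys[n] = seed if seed is not None else secrets.token_bytes(32)
    for i in range(n - 1, -1, -1):
        keys[i] = H(keys[i + 1])
    return keys


def tag(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, chain_len, delay):
        self.keys = make_chain(chain_len)
        self.delay = delay               # intervals between use and disclosure

    @property
    def commitment(self):
        return self.keys[0]              # distributed authentically out of band

    def broadcast(self, interval, payload):
        return (interval, payload, tag(self.keys[interval], payload))

    def disclose(self, interval):
        """In interval i the sender reveals K_{i-delay}."""
        j = interval - self.delay
        return (j, self.keys[j]) if j >= 1 else None


class Receiver:
    def __init__(self, commitment, delay):
        self.delay = delay
        self.verified_index, self.verified_key = 0, commitment
        self.pending = defaultdict(list)   # interval -> [(payload, mac)]
        self.accepted = []

    def on_message(self, pkt, sender_interval_now):
        """Buffer only if K_i cannot have been disclosed yet (security condition)."""
        i, payload, mac = pkt
        if sender_interval_now >= i + self.delay or i <= self.verified_index:
            return False                  # key may be public: anyone could forge the MAC
        self.pending[i].append((payload, mac))
        return True

    def on_key(self, j, key):
        """Verify K_j against the last verified key, then authenticate buffered packets.
        Returns the number of packets newly authenticated."""
        if j <= self.verified_index:
            return 0                      # replay or stale key
        probe = key
        for _ in range(j - self.verified_index):
            probe = H(probe)
        if not hmac.compare_digest(probe, self.verified_key):
            return 0                      # not on the chain: forged key
        derived = {j: key}               # keys of missed disclosures are recoverable
        for m in range(j - 1, self.verified_index, -1):
            derived[m] = H(derived[m + 1])
        newly = 0
        for m in range(self.verified_index + 1, j + 1):
            for payload, mac in self.pending.pop(m, []):
                if hmac.compare_digest(tag(derived[m], payload), mac):
                    self.accepted.append((m, payload))
                    newly += 1
        self.verified_index, self.verified_key = j, key
        return newly


if __name__ == "__main__":
    s = Sender(chain_len=10, delay=2)
    r = Receiver(s.commitment, delay=2)
    r.on_message(s.broadcast(2, b"pos A"), sender_interval_now=2)
    j, k = s.disclose(4)                  # K_2 released in interval 4
    print("authenticated:", r.on_key(j, k), r.accepted)
```

The `sender_interval_now` argument is the receiver's estimate of the sender's current interval; in a deployment it comes from loose time synchronisation plus the maximum clock error, which is exactly the bound an attacker tries to exploit by replaying a freshly disclosed key.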