Search for: All records

Sensitive numbers play an unparalleled role in identification and authentication. Recent research has revealed plenty of side-channel attacks to infer keystrokes, which require either a training phase or a dictionary to build the relationship between an observed signal disturbance and a keystroke. However, training-based methods are unpractical as the training data about the victim are hard to obtain, while dictionary-based methods cannot infer numbers, which are not combined according to linguistic rules like letters are. We observe that typing a number creates not only a number of observed disturbances in space (each corresponding to a digit), but also a sequence of periods between each disturbance. Based upon existing work that utilizes inter-keystroke timing to infer keystrokes, we build a novel technique called WINK that combines the spatial and time domain information into a spatiotemporal feature of keystroke-disturbed wireless signals. With this spatiotemporal feature, WINK can infer typed numbers without the aid of any training. Experimental results on top of software-defined radio platforms show that WINK can vastly reduce the guesses required for breaking certain 6-digit PINs from 1 million to as low as 16, and can infer over 52% of user-chosen 6-digit PINs with less than 100 attempts. 

Due to the open nature of wireless medium, wireless communications are especially vulnerable to eavesdropping attacks. This paper designs a new wireless communication system to deal with eavesdropping attacks. The proposed system can enable a legitimate receiver to get desired messages and meanwhile an eavesdropper to hear ``fake" but meaningful messages by combining confidentiality and deception, thereby confusing the eavesdropper and achieving additional concealment that further protects exchanged messages. Towards this goal, we propose techniques that can conceal exchanged messages by utilizing wireless channel characteristics between the transmitter and the receiver, as well as techniques that can attract an eavesdropper to gradually approach a trap region, where the eavesdropper can get fake messages. We also provide both theoretical and empirical analysis of the established secure channel between the transmitter and the receiver. We develop a prototype system using Universal Software Defined Radio Peripherals (USRPs)Experimental results show that an eavesdropper at a trap location can receive fake information with a bit error rate (BER) close to 0, and the transmitter with multiple antennas can successfully deploy a trap area. 

Wireless security cameras are integral components of security systems used by military installations, corporations, and, due to their increased affordability, many private homes. These cameras commonly employ motion sensors to identify that something is occurring in their fields of vision before starting to record and notifying the property owner of the activity. In this paper, we discover that the motion sensing action can disclose the location of the camera through a novel wireless camera localization technique we call MotionCompass. In short, a user who aims to avoid surveillance can find a hidden camera by creating motion stimuli and sniffing wireless traffic for a response to that stimuli. With the motion trajectories within the motion detection zone, the exact location of the camera can be then computed. We develop an Android app to implement MotionCompass. Our extensive experiments using the developed app and 18 popular wireless security cameras demonstrate that for cameras with one motion sensor, MotionCompass can attain a mean localization error of around 5 cm with less than 140 seconds. This localization technique builds upon existing work that detects the existence of hidden cameras, to pinpoint their exact location and area of surveillance.