Robust PHY-layer Signaling and Enhanced Security for Wi-Fi Systems
Publisher
The University of Arizona.
Rights
Copyright © is held by the author. Digital access to this material is made possible by the University Libraries, University of Arizona. Further transmission, reproduction, presentation (such as public display or performance) of protected items is prohibited except with permission of the author.
Abstract
Wi-Fi is a key component of the wireless ecosystem. It is the predominant technology for indoor wireless access and increasingly for outdoor use, with ubiquitous deployment in enterprise, healthcare, public safety, residential, smart-factory, office, and restaurant networks, among many others. Its prevalence relies on continuous advances in efficiency, capacity, coverage, and security. To improve these aspects, Wi-Fi protocols have evolved rapidly over the past two decades, incorporating more advanced features specified by a series of IEEE 802.11 standards. Seamless support of these features while maintaining compatibility and interoperability with earlier Wi-Fi generations requires robust Physical (PHY)-layer signaling. Such signaling plays a crucial role in frame processing and channel access by conveying essential parameters such as frame length, transmission rate, channel bandwidth, and beamforming capabilities. Moreover, PHY-layer signaling has the potential to support PHY-layer authentication and encryption. Despite its clear benefits, existing Wi-Fi PHY-layer signaling introduces high overhead because of the ever-longer Signaling (SIG) fields of the frame header. Moreover, legacy devices cannot decode newly added SIG fields tailored to advanced features, which limits their functionality. Furthermore, existing Wi-Fi PHY-layer signaling lacks adequate protection of confidentiality, authenticity, and integrity. These vulnerabilities, along with other inherent weaknesses in the PHY-layer implementations of the Wi-Fi standards, have exposed Wi-Fi systems to various attacks. This dissertation focuses on developing novel, robust PHY-layer signaling for Wi-Fi and on exploring security threats that target PHY-layer signaling, together with their countermeasures.
We first propose a novel and robust PHY-layer signaling mechanism for recent generations of Wi-Fi, which are built on Orthogonal Frequency Division Multiplexing (OFDM) and Multiple-Input Multiple-Output (MIMO). Specifically, we develop a scheme called Extensible Preamble Modulation (eP-Mod), which lets Wi-Fi devices embed user-defined signaling bits within the Short Training Fields (STFs) of the preamble. To balance capacity against reliability, we explore multiple eP-Mod variants that adapt to channel conditions and exploit MIMO diversity and multiplexing gains. We then extend eP-Mod to different MIMO schemes, channel widths, and OFDM-based IEEE 802.11 standards while keeping the design complexity low. Most importantly, our redesigned STFs satisfy the stringent requirements that the IEEE standards place on the preamble's functions, including frame detection and synchronization. STFs with eP-Mod therefore offer robust PHY-layer signaling without compromising the primary functions of the standardized preamble. Furthermore, the scheme is backward-compatible with legacy (eP-Mod-unaware) devices. Through numerical analysis, extensive simulations, and hardware experiments, we demonstrate the practicality and reliability of eP-Mod. Next, we study adversarial attacks on existing PHY-layer signaling mechanisms. We uncover vulnerabilities in standardized Wi-Fi preambles, including predictability, weak integrity, and the lack of authenticity and confidentiality guarantees. We craft three Preamble Injection and Spoofing (PrInS) attacks that exploit these vulnerabilities together with the PHY-layer receive state machine and the capture effect. In a PrInS attack, an adversary injects forged preambles that carry no payload, aiming to disrupt legitimate receptions or force legitimate transmitters to defer. As a countermeasure, we propose to customize and randomize the STFs of the preamble using eP-Mod so that a Wi-Fi device can authenticate a received preamble.
Accordingly, we enhance the receive state machine to incorporate preamble authentication and the subsequent mitigation steps. We then introduce a novel SIG tampering (SIGTAM) attack against the crucial SIG fields of the preamble. In SIGTAM, an adversary transmits a carefully crafted adversarial signal on selected subcarriers of the targeted SIG fields while remaining resilient to integrity validation, channel impairments, and synchronization errors. We also introduce a selective jamming attack on the SIG fields, called SIGJAM, to demonstrate the superiority of SIGTAM in power efficiency and efficacy. To defend against SIGTAM, we propose a scheme that detects the attack, identifies the affected subcarriers, and recovers the legitimate SIG fields. In our experiments and simulations, the PrInS and SIGTAM attacks lead to high frame discard and error rates, low channel utilization, poor throughput, and high latency. Moreover, these attacks are stealthy and energy-efficient, since the adversarial signal lasts only a few microseconds and may occupy narrow, time-varying bands, which makes them hard to detect. Nevertheless, our proposed approaches detect these attacks with nearly 100% probability in most scenarios. Furthermore, the SIG fields can be successfully recovered from a SIGTAM attack except when the attack has marginal normalized energy. Our defense mechanisms are shown to have no impact on the performance of the Wi-Fi system.

Finally, we use machine learning (ML) techniques to detect and classify smart jamming of Wi-Fi systems. While our initial focus is on preamble jamming, pilot jamming, and interleaving jamming, the approach generalizes to selective attacks such as SIGTAM and SIGJAM. To cope with the time-frequency selectivity of smart jamming, we apply the continuous wavelet transform (CWT) to partially overlapping segments of the received in-phase and quadrature (I/Q) samples for feature extraction.
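To make the preamble behaviour that PrInS and SIGTAM rely on concrete, here is an added worked example, written for this page rather than taken from the dissertation, of the legacy OFDM L-SIG field as specified in IEEE 802.11-2016 (Clause 17.3.4). It encodes and decodes the 24-bit field, computes the frame duration a receiver infers from RATE and LENGTH (the TXTIME formula of Clause 17.4.3 for a 20 MHz channel), and shows that the single even-parity bit accepts any even number of flipped bits. The forged LENGTH value, the rates and the tampered bit positions are constructed for illustration; how the dissertation's attacks choose subcarriers, and how its modified receive state machine authenticates preambles, is not reproduced here.

```python
"""Added worked example (not from the dissertation): the legacy OFDM L-SIG
field of IEEE 802.11-2016, Clause 17.3.4, and what a receiver derives from it."""
from math import ceil

# RATE field encoding R1..R4 (R1 transmitted first), IEEE 802.11-2016 Table 17-6.
RATE_BITS = {
    6: (1, 1, 0, 1), 9: (1, 1, 1, 1), 12: (0, 1, 0, 1), 18: (0, 1, 1, 1),
    24: (1, 0, 0, 1), 36: (1, 0, 1, 1), 48: (0, 0, 0, 1), 54: (0, 0, 1, 1),
}
# Data bits per OFDM symbol at each rate for a 20 MHz channel, Table 17-4.
N_DBPS = {6: 24, 9: 36, 12: 48, 18: 72, 24: 96, 36: 144, 48: 192, 54: 216}
T_PREAMBLE_US, T_SIGNAL_US, T_SYM_US = 16, 4, 4   # L-STF+L-LTF, L-SIG, data symbol


def encode_lsig(rate_mbps, length):
    """Return the 24 L-SIG bits announcing a PSDU of `length` octets at `rate_mbps`."""
    if not 0 <= length < 4096:
        raise ValueError("LENGTH is a 12-bit field")
    bits = list(RATE_BITS[rate_mbps])               # bits 0-3: RATE
    bits.append(0)                                   # bit 4: reserved, always 0
    bits += [(length >> i) & 1 for i in range(12)]   # bits 5-16: LENGTH, LSB first
    bits.append(sum(bits) % 2)                       # bit 17: even parity over bits 0-16
    bits += [0] * 6                                  # bits 18-23: tail bits
    return bits


def decode_lsig(bits):
    """Apply the checks a receiver makes (length, reserved bit, parity, valid RATE).

    Returns (rate_mbps, length) when the field is accepted, else None."""
    if len(bits) != 24 or bits[4] != 0 or sum(bits[:17]) % 2 != bits[17]:
        return None
    rate = next((r for r, code in RATE_BITS.items() if tuple(bits[:4]) == code), None)
    if rate is None:
        return None
    length = sum(bit << i for i, bit in enumerate(bits[5:17]))
    return rate, length


def txtime_us(rate_mbps, length):
    """Frame duration implied by RATE/LENGTH (TXTIME, Clause 17.4.3, 20 MHz).

    SERVICE (16 bits) + PSDU + tail (6 bits) is padded up to whole OFDM symbols."""
    n_sym = ceil((16 + 8 * length + 6) / N_DBPS[rate_mbps])
    return T_PREAMBLE_US + T_SIGNAL_US + T_SYM_US * n_sym


def flip_bits(bits, positions):
    """Model bit errors or tampering at the given L-SIG bit positions."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]


if __name__ == "__main__":
    # Constructed forged preamble: slowest rate, maximum LENGTH, no payload behind it.
    forged = encode_lsig(6, 4095)
    print("forged L-SIG decodes to", decode_lsig(forged))
    print("on air for %d us, announces %d us"
          % (T_PREAMBLE_US + T_SIGNAL_US, txtime_us(6, 4095)))

    # Constructed legitimate field: 1500-octet PSDU at 24 Mb/s.
    sig = encode_lsig(24, 1500)
    print("one flipped LENGTH bit  ->", decode_lsig(flip_bits(sig, {5})))     # rejected by parity
    print("two flipped LENGTH bits ->", decode_lsig(flip_bits(sig, {5, 6})))  # accepted, wrong LENGTH
```

A payload-free preamble carrying RATE = 6 Mb/s and LENGTH = 4095 occupies the channel for the 20 µs of L-STF, L-LTF and L-SIG, yet by the standard's own formula announces a 5484 µs frame, which is the duration a receiver that accepted the field treats the medium as busy; this is the deferral lever the PrInS paragraph describes, obtained at microsecond cost to the attacker. The second part shows why the abstract calls the legacy SIG integrity weak: a single parity bit catches one flipped bit but passes two, so a tamperer who changes bits in pairs never trips the receiver's check.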
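The feature-extraction step of the jamming classifier, as an added example written for this page and not the dissertation's own code: a complex Morlet continuous wavelet transform computed over partially overlapping I/Q segments, and a simple scalogram check that localises a short jamming burst in both time and scale. The baseband waveform, burst timing, noise level, scales and detection threshold are constructed assumptions chosen for illustration; the DCNN that the dissertation trains on the scalogram is not reproduced.

```python
"""Added example (not from the dissertation): continuous wavelet transform of
overlapping I/Q segments and a scalogram-based check that localises a short
jamming burst.  Waveform, burst timing and thresholds are constructed."""
import cmath
import math
import random

W0 = 6.0   # Morlet centre frequency in rad/sample at scale 1


def overlapped_segments(iq, size, hop):
    """Split a capture into partially overlapping segments (hop < size)."""
    return [iq[i:i + size] for i in range(0, len(iq) - size + 1, hop)]


def morlet(scale):
    """Sampled complex Morlet wavelet at `scale`, truncated at +-4*scale samples."""
    half = int(4 * scale)
    gain = math.pi ** -0.25 / math.sqrt(scale)
    return [gain * cmath.exp(1j * W0 * t / scale) * math.exp(-t * t / (2.0 * scale * scale))
            for t in range(-half, half + 1)]


def cwt_scalogram(iq, scales):
    """Return |W(scale, b)|^2 for every scale and sample position b (the scalogram)."""
    n = len(iq)
    rows = []
    for s in scales:
        psi = morlet(s)
        half = len(psi) // 2
        row = []
        for b in range(n):
            acc = 0j
            for k, p in enumerate(psi):          # direct convolution, edges truncated
                t = b + k - half
                if 0 <= t < n:
                    acc += iq[t] * p.conjugate()
            row.append(abs(acc) ** 2)
        rows.append(row)
    return rows


def detect_burst(scalogram, scales, ratio=20.0):
    """Locate a time-localised energy burst.

    Picks the scale holding the strongest coefficient and returns
    (scale, start, end) for the span where that row exceeds `ratio` times its
    median energy, or None when nothing stands out of the background."""
    best = max(range(len(scales)), key=lambda i: max(scalogram[i]))
    row = scalogram[best]
    median = sorted(row)[len(row) // 2]
    hot = [b for b, e in enumerate(row) if e > ratio * median]
    if not hot:
        return None
    return scales[best], hot[0], hot[-1] + 1


def constructed_iq(n=512, burst=(200, 232), seed=7):
    """Constructed baseband capture: a legitimate tone at 0.05 cycles/sample,
    complex Gaussian noise, and a 32-sample jamming tone at 0.25 cycles/sample
    at three times the legitimate amplitude during `burst`."""
    rng = random.Random(seed)
    iq = []
    for t in range(n):
        x = cmath.exp(2j * math.pi * 0.05 * t)
        x += complex(rng.gauss(0, 0.1), rng.gauss(0, 0.1))
        if burst[0] <= t < burst[1]:
            x += 3 * cmath.exp(2j * math.pi * 0.25 * t)
        iq.append(x)
    return iq


if __name__ == "__main__":
    scales = (2, 4, 8, 16, 32)
    iq = constructed_iq()
    print("whole capture:", detect_burst(cwt_scalogram(iq, scales), scales))
    for i, seg in enumerate(overlapped_segments(iq, 256, 128)):
        print("segment", i, detect_burst(cwt_scalogram(seg, scales), scales))
```

The burst shows up as a compact energy blob at the small scale whose centre frequency matches the jammer, with time edges within a few samples of the true burst, while the continuous legitimate tone sits at a larger scale with nearly flat energy and is never flagged. This is the property behind the abstract's scalogram-versus-spectrogram comparison: a CWT's time resolution tightens as the scale shrinks, so a burst only a few symbols long is resolved, whereas a fixed-window spectrogram must trade time resolution against frequency resolution for the whole record.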
The scalogram of the CWT is used as input to a deep convolutional neural network (DCNN) classifier that determines the type of smart jamming attack. Our solution achieves high accuracy in detecting and classifying these jamming attacks even at a high signal-to-jamming power ratio (SJR), i.e., against weak jammers, and is robust to variants of preamble jamming and pilot jamming. Notably, the proposed scalogram-based classifier outperforms a spectrogram-based classifier, especially in the high-SJR regime.
Type
Electronic Dissertation
Degree Name
Ph.D.
Degree Level
doctoral
Degree Program
Graduate College
Electrical & Computer Engineering