Sirus Shahini (University of Utah), Robert Ricci (University of Utah)

Many locations, especially in urban areas, are quite noisy with WiFi traffic. In addition to data traffic, WiFi stations send management and control frames that can easily exceed several hundred frames per second just in one small area. These WiFi environments present the opportunity to transmit data through hiding it within the noise components that can be normal parts of benign transmissions.
In this paper, we show how one particular feature of WiFi, the Timing Synchronization Function (TSF), can be exploited to create a fertile and robust channel for embedding secret signals. We take advantage of the fact that there is always some degree of imprecision reflected in time synchronization of WiFi stations.
We present CHAOS, a new covert channel strategy to embed data bits in WiFi beacon frames using unmodified standard WiFi hardware. CHAOS makes use of the noise properties inherent in WiFi in two ways: First, it encodes information in the ordering of beacon frames, taking advantage of the fact that there is no natural or required ordering of beacons. Second, it makes use of a timing channel in the form of the TSF timestamp in management headers, imitating the natural imprecision of timing in real base stations to encode data in a way that is statistically similar to unmodified frames. CHAOS's parameters can be adjusted to configure data rate, the covert channel stability and frame miss rate; using our suggested settings, it is able to robustly broadcast secret data at 520 bits/s. We also show that TSF has substantial potential for further exploitation, sketching a correlation attack that uses it to map clients to base stations.

View More Papers

Vision: Comparison of AI-assisted Policy Development Between Professionals and...

Rishika Thorat (Purdue University), Tatiana Ringenberg (Purdue University)

Read More

Heimdall: Towards Risk-Aware Network Management Outsourcing

Yuejie Wang (Peking University), Qiutong Men (New York University), Yongting Chen (New York University Shanghai), Jiajin Liu (New York University Shanghai), Gengyu Chen (Carnegie Mellon University), Ying Zhang (Meta), Guyue Liu (Peking University), Vyas Sekar (Carnegie Mellon University)

Read More

All your (data)base are belong to us: Characterizing Database...

Kevin van Liebergen (IMDEA Software Institute), Gibran Gomez (IMDEA Software Institute), Srdjan Matic (IMDEA Software Institute), Juan Caballero (IMDEA Software Institute)

Read More

LLMPirate: LLMs for Black-box Hardware IP Piracy

Vasudev Gohil (Texas A&M University), Matthew DeLorenzo (Texas A&M University), Veera Vishwa Achuta Sai Venkat Nallam (Texas A&M University), Joey See (Texas A&M University), Jeyavijayan Rajendran (Texas A&M University)

Read More