Connecting to the Physical World ---Wireless...

Connecting to the Physical World---Wireless Communication

Wenyuan XuAssistant professor

University of South CarolinaDepartment of Computer Science and Engineering

June 4, 2011

1

Roadmap

• Wireless Sensor Networks– Applications

• Wireless Networks 101

• RFID System

• Security and privacy:– Security and Privacy Analysis of Embedded Systems

Computer Science and Engineering 2

Wireless networks

• “any type of network whose interconnections between nodes is implemented without the use of wires.”

• “generally implemented with some type of remote information transmission system that uses electromagnetic waves

Computer Science and Engineering

Wireless Sensor Networks

2011年6月22日星期三


Wireless Sensor Architecture

• Interface between physical and digital worlds

• Self-powered devices– Battery-powered– Solar-powered

• Capabilities– Sensing– Built-in processing– Radio communication

• Mobile, localization (optional)


LimitedLifetime

Calibration,Supervision…

Slow processingLimited memory

10 kbps –1 Mbps,3 – 100 m, Lossy Transmission


6

http://graphics.stanford.edu


• No network administrators! Cheap!• Wirelessly-Networked• self-organizing• Automatic data reporting

Application Areas

• Environment monitoring• Seismic activity detection; planetary exploration• Industrial monitoring and control• Structural health monitoring• Social studies; healthcare and medical research• Homeland security and military applications; surveillance,• Detection of chemical/biological agents• New areas keep emerging.


Environment Monitoring - Great Duck Islands

• 150 sensing nodes deployed throughout the island relay data temperature, pressure, humidity, …) to a central device.

• Data are made available on the Internet through a satellite link


UC Berkeley/College of the Atlanta

Environment Monitoring - ZebraNet

Data

Base station (car or plane)

Data

Data

Store-and-forward communications

Data

Tracking node radio and GPS

• Special GPS-equipped collars are attached to zebras

• Data exchanged with peer-to-peer info swaps• Coming across a few zebras gives access to the

dataComputer Science and Engineering

Princeton University

Volcano Monitoring in Ecuador

• Motes with seismic sensors deployed on active volcano in Ecuador• Science dictates: large spatial separation, time synchronization.• Nature of the application allows triggered data collection rather than

continuous.


Harvard, Univ. of New Hampshire, Univ. of NC

Structure Monitoring Using sensors


Static sensors

Moving sensorData collection Processed Data

Juan Caicedo, Civil and Environment Engineering

Microclimate Monitoring in MogaoGrottoes

• MoGao Grottoes contains 492 decorated caves with murals and sculptures

• The temperature, humidity, and CO2 may affect the murals and sculptures

• Goal: Schedule the visitor tourist paths to control the environment inside the caves


Microclimate Monitoring in MogaoGrottoes,

• Requirements:– Measurements: temperature, humidity, CO2– Wireless networks– Real time– Long-term

• 2 AA battery for 6 months

– Cheap– Easy to Maintain

1Km

0.8Km


• Communication range: 100m• Sensor accuracy

• Temperature: 0.3 ，

• Humidity:1.8%• CO2 sensors:

• 0~2000PPM:3%• 0~5000PPM:5%

Microclimate Monitoring in MogaoGrottoes,

Wireless Sensors

Sensors in Caves


• Data sink communication range:

1. Short range >100m2. Long range >1km• Data Router range > 1km

Microclimate Monitoring in MogaoGrottoes,Sensors in Caves

Visitors vs. humidity & CO2


Hardware

• Typical characteristics of a WSN device• slow processor speeds (< 10 MHz) • low memory (< 10KB RAM) • low bandwidth radio (< 250kbps) • limited battery power ( < 4000 mAh)

• WSN operating systems and applications must co-exist within these limited resources– efficiency is critical !

• WSN are deployed in harsh environments (both physical and security)– Robust and secure


18

UC Berkeley Family of Motes

19

Mica2 and Mica2Dot• ATmega128 CPU

– Self-programming– 128KB Instruction EEPROM– 4KB Data EEPROM

• Chipcon CC1000– Manchester encoding– Tunable frequency

• 315, 433 or 900MHz– 38K or 19K baud

• Lower power consumption– 2 AA batteries

• Expansion– 51 pin I/O Connector

1 inch

20

MTS300CA Sensor Board

21

Programming Board (MIB510)

22

Hardware Setup Overview

Our Sensors



• Research challenges– Networking– Wireless communication– Energy constraints– Data processing– Scalability– Harsh environment– Reliability


Wireless Communication 101


~

Transmitter Receiver

EM Waves

~

Wireless Communication

26

Bob AliceHello … Hi …


Interference

27

Bob AliceHello … Hi …

Hey hey heyhey…

Mr. X


Spectrum

• Radio Frequency – a EM signal with frequency between 3 kHz and 300 GHz• Spectrum – national resource under government control (usually split between

commercial and military)


λ

Spectrum Allocation

Spectrum Allocation

• Unlicensed spectrum (US)

ISM = Industrial, Scientific and MedicalU-NII = Unlicensed National Information Infrastructure

Antennas

• “Interface” between the transmitter (receiver) and channel

EMPIRICAL OBSERVATION:

For efficient transmission antenna needs to be longer than 1/10 of the wavelength.

f λ λ/10

AM Radio 600-1500 KHz 500-200m 20m

UHF(TV) 0.3-3 GHz 1-0.1m 0.01m

Mobile Phone 824-2000 MHz 0.36-0.158m 0.015m

LEO Satellite 1.6 GHz 0.188m 0.0188m

λ

“Naughty” Electromagnetic Waves

• Objects in the environment– Reflection– Diffraction– Scattering

• Multi-path: Multiple signal copies added together– Attenuated– Delayed– Phase shifted

• Frequency selective fading• Flat fading• Ultimately causes ISI which limits

performance

1 1 2 2( ) ( ) ( ) ... ( )m md t h s t h s t h s t

Wireless communication underwater?

• EM waves have medium dependent properties– Speed (refraction)– Resonance (absorption)– Reflection– Scattering

• Propagation in water:– 915 MHz: 1046 dB attenuation per meter

Positions of the center of antennas

+: above the water surface-: below the water surface

Sender (inch) 8 3 0 0 -3 3

Receiver (inch) 8 3 3 0 3 -3

RSS (dBm)-73.66 -76.55 79.82 -82.17

N/A -90.41

PDR100% 100% 99% 98% 0 85%

RFID


What is Radio Frequency identification (RFID)?


Tags (transponders)Attached to objects, “call out” identifying dataon a special radio frequency

02.3DFEX4.78AF51

EasyToll card #816

Reader (transceiver)Reads data off the tagswithout direct contact

Radio signal (contactless)Range: from 3-5 inches to 3 yards

DatabaseMatches tag IDs tophysical objects

An automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags.

RFID Tags

• A Tag is a transponder which receives a radio signal and in response to it sends out a radio signal.– Tag contains an antenna, and a small chip that stores a small amount of data– Tag can be programmed at manufacture or on installation– Tag is powered by the high power electromagnetic field generated by the

antennas – usually in doorways– The field allows the chip/antenna to reflect back an extremely weak signal

containing the data– Collision Detection – recognition of multiple tags in the read range –is

employed to separately read the individual tags


RFID Tag Attributes

Active RFID Passive RFIDTag Power Source Internal to tag Energy transferred using

RF from reader

Tag Battery Yes No

Availability of power Continuous Only in field of reader

Required signal strength to Tag

Very Low Very High

Range Up to 100m Up to 3-5m, usually less

Multi-tag reading 1000’s of tags recognized – up to 100mph

Few hundred within 3m of reader

Data Storage Up to 128Kb or read/write with sophisticated search and access

128 bytes of read/write


Readers

• An RFID reader is a device that is used to interrogate an RFID tag. The reader has an antenna that emits radio waves; the tag responds by sending back its data.

• The reader has two basic components –– A scanning antenna– A transceiver with a decoder to interpret the data


Applications

• Personal:– Automatic toll collection– Building access control– Exxon/Mobil Speedpass– Library check– Pet Identification

• Business– Asset management– Shipping– Pallet and container tracking– Tracking re-usable containers– Document management– Inventory management– In-transit visibility– Warranty and maintenance– Retail shelf management and checkout


Sensor/RFID

• Gentag: a cell phone based post-operative orthopedic surgery monitoring kit• Near field communication (NFC) diagnostic platform

• an ultra-linear NFC-MEMS hybrid chip– 1mm mercury (Hg) precision– 0.1 C temperature accuracy.


Wireless Security and Privacy

Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire

Pressure Monitoring System Case Study

"Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study," USENIX Security Symposium,

2010


Wireless in Automobiles

• Wireless increasingly connected to CAN bus in automobiles– Web-based vehicle-immobilization system – MyRate from insurance companies to collect

data– “iChange” controls the car via an iPhone– More in-car wireless sensor networks

42Computer Science and Engineering

Tire Pressure Monitoring System (TPMS)

• What is TPMS?– Monitors tire-pressure in real time– Alerts drivers if underinflated– To increase safety and fuel economy– Indirect TPMS vs. direct TPMS

• National Highway Transportation Safety Administration (NHTSA) mandates TPMS. Virtually, all new cars sold or manufactured after 2007 in US are equipped with wireless TPMS.


Misuse 1: Car Tracking


Misuse 2: Trick The Driver To Stop

$$Stop?


TPMS — To Be Discovered

• What are the communication protocol details? – How difficult to reverse engineer?– Messages encrypted? Authenticated?

• How easy to eavesdrop TPMS communication?– What is the range?– Travel speeds, car’s metal body, message rate,

transmission power

• How easy to spoof TPMS communication?– What is the range? – ECU filters/rejects suspicious packets?– How much damage can spoofing accomplish?

• What can be done to protect TPMS communication?


TPMS — From the Public Domain

• Communication protocols– Link Sensor IDs with TPMS ECU– Sensors ECU 315/433Mhz

• ECU filters packets based on IDs

– Sensors can be waken up by• ECU sensors 125kHz

• Travel at high speeds (>40 km/h)

47

Tire pressure sensors

Receiving antennas

TPMS electric control unit (ECU)


Security and Privacy Analysis Step 1: Reverse-engineering

• Proprietary protocols – Security through obscurity?

• Equipment

• Goal– Modulation schemes– Encoding schemes– Message formats (encrypted?)

Universal Software Radio Peripheral (USRP)

Sensors: TPS-A and TPS-B

ATEQ VT55

Agilent Vector Signal Analyzer (VSA)


Reverse-Engineering Walk-Through• Reverse engineering steps

– Capture packet transmission– Demodulate and decode data– Determine packet format

• Observations– Reverse engineering possible– No encryption

49

Triggered sensors at 125 kHz

Responded at 315 MHz

Captured RF transmission at

315 MHz

Determined Modulation

ASK

Encoding Scheme

Manchester

Determined Message Format

32-bit or 28-bit

How likely that two cars have the same ID? 1015 cars with Pc = 1%.


Security and Privacy Analysis Step 2: Eavesdrop capability

• How likely to eavesdrop?– Cars travel at high speeds– Cars’ metal bodies shield RF– TPMS message rate (1 per 60s-90s)– Low transmission power (battery)

• Eavesdropping System– Used USRP only, no VSA– Used low noise amplifier (LNA)– Reused decoders from RE– Developed a live decoder/eavesdropper

50

Low noise amplifier (LNA)


Demonstration of Live Eavesdropping


Sensor ID 884368A2

Exp. 1: Eavesdropping Distance

• Scenarios– USRP + cheap antenna– USRP + LNA ($75) + cheap antenna

• Observations– Able to decode packets, if RSS (received signal strength) > Ambient noise floor– LNA boosts the decoding range from 10.7m to 40m


Exp. 2: Eavesdropping Distance and Angle

• Setup– USRP at origin – Car moved parallel to the x-axis (1.5m apart)

• Observations– The widest range is 9.1 meters– Sniffed at over 70mph speed


Detectable region

USRP location

Feasibility of Tracking

• Passive tracking– Complete location tracking is difficult– Given: 1 packet per 60 seconds, eavesdropping range 9 meters– A car at 60km/h 110 sniffers

• Active tracking– Activation signal makes the tracking easier– Send the activation signal at 125kHz– The sniffer places down the road– Experiments

• Obtained timing data: USRP + TVRX (315MHz)+ LFRX (125kHz)

• Validation: ATEQ VT55 (activator) + USRP (sniffer); the car traveled at 35km/h.

54

Tracking via TPMS• Independent of LOS hidden• Higher technical requirement to deactivate TPMS

Tracking via License Plate Capture Cameras (LPCC)• Requires LOS visible camera mounting location• Affected by weather• Less technical sophistication to hide license plates


Security and Privacy Analysis Step 3: Packet Spoofing

• How likely to spoof TPMS communication?– Is the in-car radio able to pick up spoofing packets from outside the vehicle or a neighboring vehicle?– Security mechanisms in ECU?

• Will ECU filter/reject suspicious packets?• How long will ECU recover from the spoofing?

• Spoofing System– Frequency mixer– Reused eavesdropper from step 2– Developed a packet generator

• Include a proper checksum• Contain the alarm flag

55

Obtain sensor ID, type, and tire

pressure

Modulate (ASK) Encode (Manchester)

Transmit at 315Mhz with

frequency mixer

Frequency mixer


Spoofing Validation

• Tested on two equipment:– ATEQ VT55 validates packet structure– A car (TPS-A) validates ECU’s logic

• 40 packets per minute


Spoofing Validation

• Tested on two equipment:– ATEQ VT55 validates packet structure– A car (TPS-A) validates ECU’s logic

• 40 packets per minute

• Observations– No authentication– No input validation

– Warning lights only depend on the alarm flag, not the real pressure– Large range: 38 meters with a cheap antenna without any amplifier– Inter-vehicle Spoofing is feasible; travel speed 55 km/h and 110 km/h


TPMS-LPW light Vehicle's warning light

Disabled TPMS ECU

• Timer and window-based filtering opens vulnerabilities• Broke TPMS ECU purely by spoofing! Replaced the ECU at the dealership.


Conclusions

• Wireless sensor networks are the bridge to the physical world and make the remote sensing feasible.

• Designing wireless sensor networks is challenging

• Designing wireless sensor networks is even more challenging for intertidal zones more fun!

• Security is not a concern yet, how about future?


Acknowledge & References

• Brian Helmuth, USC• Yabo Dong, Zhejiang University• Xia Ming, Zhejiang University of Technology• Marco Gruteser, Rutgers University• Wade Trappe, Rutgers University

• Some of the slides are borrowed from web.


Date post:	23-Apr-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

Connecting to the Physical World ---Wireless...

Documents