Connecting to the Physical World: Wireless Communication
Wenyuan Xu, Assistant Professor
University of South Carolina, Department of Computer Science and Engineering
June 4, 2011
Roadmap
• Wireless Sensor Networks
  – Applications
• Wireless Networks 101
• RFID Systems
• Security and Privacy
  – Security and Privacy Analysis of Embedded Systems
Computer Science and Engineering 2
Wireless networks
• "Any type of network whose interconnections between nodes are implemented without the use of wires."
• "Generally implemented with some type of remote information transmission system that uses electromagnetic waves."
Wireless Sensor Networks
Wednesday, June 22, 2011
Wireless Sensor Architecture
• Interface between the physical and digital worlds
• Self-powered devices
  – Battery-powered
  – Solar-powered
• Capabilities
  – Sensing
  – Built-in processing
  – Radio communication
• Mobility and localization (optional)
[Figure: sensor node constraints: limited lifetime; calibration and supervision needed; slow processing and limited memory; radio link of 10 kbps to 1 Mbps over 3 to 100 m with lossy transmission]
Wireless Sensor Networks
http://graphics.stanford.edu
• No network administrators! Cheap!
• Wirelessly networked
• Self-organizing
• Automatic data reporting
Application Areas
• Environment monitoring
• Seismic activity detection; planetary exploration
• Industrial monitoring and control
• Structural health monitoring
• Social studies; healthcare and medical research
• Homeland security and military applications; surveillance
• Detection of chemical/biological agents
• New areas keep emerging
Environment Monitoring: Great Duck Island
• 150 sensing nodes deployed throughout the island relay sensor data (temperature, pressure, humidity, ...) to a central device.
• Data are made available on the Internet through a satellite link.
UC Berkeley / College of the Atlantic
Environment Monitoring: ZebraNet
[Figure: tracking nodes (radio and GPS) on zebras pass data to each other; store-and-forward communication carries the data to a base station (car or plane)]
• Special GPS-equipped collars are attached to zebras
• Data are exchanged through peer-to-peer info swaps
• Coming across a few zebras gives access to the data
Princeton University
Volcano Monitoring in Ecuador
• Motes with seismic sensors deployed on an active volcano in Ecuador
• Science dictates: large spatial separation, time synchronization
• The nature of the application allows triggered data collection rather than continuous collection
Harvard, Univ. of New Hampshire, Univ. of NC
Structure Monitoring Using Sensors
[Figure: static sensors and a moving sensor feed data collection, which outputs processed data]
Juan Caicedo, Civil and Environmental Engineering
Microclimate Monitoring in Mogao Grottoes
• The Mogao Grottoes contain 492 decorated caves with murals and sculptures
• Temperature, humidity, and CO2 may affect the murals and sculptures
• Goal: schedule the visitor paths to control the environment inside the caves
Microclimate Monitoring in Mogao Grottoes
• Requirements:
  – Measurements: temperature, humidity, CO2
  – Wireless networks
  – Real time
  – Long-term: 2 AA batteries for 6 months
  – Cheap
  – Easy to maintain
[Figure: site map, about 1 km by 0.8 km]
Microclimate Monitoring in Mogao Grottoes: Wireless Sensors
• Communication range: 100 m
• Sensor accuracy
  – Temperature: 0.3 °C
  – Humidity: 1.8%
  – CO2 sensors: 3% over 0–2000 ppm, 5% over 0–5000 ppm
[Figure: sensors in caves]
Microclimate Monitoring in Mogao Grottoes: Sensors in Caves
• Data sink communication range:
  1. Short range: > 100 m
  2. Long range: > 1 km
• Data router range: > 1 km
[Figure: visitors vs. humidity and CO2]
Hardware
• Typical characteristics of a WSN device
  – Slow processor (< 10 MHz)
  – Low memory (< 10 KB RAM)
  – Low-bandwidth radio (< 250 kbps)
  – Limited battery capacity (< 4000 mAh)
• WSN operating systems and applications must co-exist within these limited resources
  – Efficiency is critical!
• WSNs are deployed in harsh environments (both physically and security-wise)
  – Must be robust and secure
UC Berkeley Family of Motes
Mica2 and Mica2Dot
• ATmega128 CPU
  – Self-programming
  – 128 KB program flash
  – 4 KB data EEPROM
• Chipcon CC1000 radio
  – Manchester encoding
  – Tunable frequency: 315, 433 or 900 MHz
  – 38.4 or 19.2 kbaud
• Low power consumption
  – 2 AA batteries
• Expansion
  – 51-pin I/O connector
[Figure: Mica2 mote, about 1 inch wide, and Mica2Dot]
MTS300CA Sensor Board
Programming Board (MIB510)
Hardware Setup Overview
Our Sensors
Wireless Sensor Networks
• Research challenges
  – Networking
  – Wireless communication
  – Energy constraints
  – Data processing
  – Scalability
  – Harsh environment
  – Reliability
Wireless Communication 101
[Figure: transmitter and receiver linked by EM waves]
Wireless Communication
[Figure: Bob says "Hello ..." to Alice; Alice answers "Hi ..."]
Interference
[Figure: Mr. X shouting "Hey hey hey hey ..." on top of the Bob/Alice exchange]
Spectrum
• Radio frequency: an EM signal with a frequency between 3 kHz and 300 GHz
• Spectrum: a national resource under government control (usually split between commercial and military use)
[Figure: wavelength λ against frequency]
Spectrum Allocation
• Unlicensed spectrum (US)
  – ISM = Industrial, Scientific and Medical
  – U-NII = Unlicensed National Information Infrastructure
Antennas
• "Interface" between the transmitter (or receiver) and the channel
• Empirical observation: for efficient transmission the antenna needs to be longer than 1/10 of the wavelength.

  System          f              λ (= c/f)      λ/10 (at the shortest λ)
  AM Radio        600–1500 kHz   500–200 m      20 m
  UHF (TV)        0.3–3 GHz      1–0.1 m        0.01 m
  Mobile Phone    824–2000 MHz   0.36–0.15 m    0.015 m
  LEO Satellite   1.6 GHz        0.188 m        0.0188 m
"Naughty" Electromagnetic Waves
• Objects in the environment cause
  – Reflection
  – Diffraction
  – Scattering
• Multipath: multiple copies of the signal add together, each one
  – Attenuated
  – Delayed
  – Phase shifted
• Frequency-selective fading (delay spread longer than a symbol) vs. flat fading (delay spread within a symbol)
• Ultimately causes inter-symbol interference (ISI), which limits performance
• Received signal as the sum of m path copies: $d(t) = h_1 s(t-\tau_1) + h_2 s(t-\tau_2) + \cdots + h_m s(t-\tau_m)$, where $h_i$ is the complex gain (attenuation and phase shift) and $\tau_i$ the delay of path $i$
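The multipath sum above, as an added example that is not part of the original slides: a discrete-time simulation of $d[n] = \sum_i h_i\, s[n-\tau_i]$ applied to a BPSK stream. It shows why an echo delayed by more than a symbol (frequency-selective fading) smears neighbouring symbols into each other and flips bits, while an echo that arrives within the same symbol (flat fading) only scales the signal. The channel taps, sample rate and bit pattern are constructed for illustration; they are not measurements from the slides.

```python
# Added example (not from the slides): discrete-time multipath channel
# d[n] = sum_i h_i * s[n - tau_i] applied to a BPSK stream, to show how the
# delayed, attenuated, phase-shifted copies cause inter-symbol interference.
from typing import List, Tuple

Path = Tuple[complex, int]  # (complex gain h_i, delay tau_i in samples)


def bpsk_waveform(bits: List[int], sps: int) -> List[complex]:
    """Map each bit to a BPSK symbol (+1 for 1, -1 for 0) held for sps samples."""
    return [complex(1 if b else -1, 0) for b in bits for _ in range(sps)]


def apply_multipath(s: List[complex], paths: List[Path]) -> List[complex]:
    """d[n] = sum_i h_i * s[n - tau_i]: every path delivers a copy of s that is
    scaled by h_i (attenuation and phase shift) and delayed by tau_i samples;
    the receiver sees the sum of all copies."""
    max_tau = max(tau for _, tau in paths)
    d = [0j] * (len(s) + max_tau)
    for h, tau in paths:
        for n, x in enumerate(s):
            d[n + tau] += h * x
    return d


def bpsk_decode(d: List[complex], nbits: int, sps: int) -> List[int]:
    """Sample each symbol at its midpoint and decide on the sign of the real part."""
    return [1 if d[k * sps + sps // 2].real > 0 else 0 for k in range(nbits)]


def bit_errors(bits: List[int], paths: List[Path], sps: int = 4) -> int:
    """Bit errors after sending `bits` through `paths` (no noise: ISI only)."""
    received = bpsk_decode(apply_multipath(bpsk_waveform(bits, sps), paths), len(bits), sps)
    return sum(a != b for a, b in zip(bits, received))


# Constructed channels (illustrative, not measured):
LOS_ONLY = [(1.0 + 0j, 0)]
# Flat fading: an inverted echo arriving 1 sample (a quarter symbol) late. Every
# midpoint sample still sees the same symbol on both paths, so the signal is
# only scaled (here by 0.5) and no bit is flipped.
FLAT = [(1.0 + 0j, 0), (-0.5 + 0j, 1)]
# Frequency-selective fading: the direct path is obstructed (gain 0.6) and a
# stronger inverted reflection arrives a full symbol (4 samples) late, so each
# midpoint sample mixes the current symbol with the previous one (ISI).
SELECTIVE = [(0.6 + 0j, 0), (-1.0 + 0j, 4)]

if __name__ == "__main__":
    pattern = [1, 1, 0, 0]
    for name, channel in (("LOS only", LOS_ONLY), ("flat", FLAT), ("selective", SELECTIVE)):
        print(f"{name:10s} bit errors: {bit_errors(pattern, channel)}")
```

With the pattern 1,1,0,0 the selective channel flips the second and fourth bits: each of them is the first symbol after a transition, so the one-symbol-late echo of the previous symbol has the opposite sign and outweighs the attenuated direct path. The flat channel produces no errors at all, which is the distinction the slide draws between the two kinds of fading.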
Wireless communication underwater?
• EM waves have medium-dependent properties
  – Speed (refraction)
  – Resonance (absorption)
  – Reflection
  – Scattering
• Propagation in water at 915 MHz: 1046 dB attenuation per meter
• Measured link quality vs. antenna center position (inches relative to the water surface; + above, - below):

  Sender (inch)     8        3        0        0        -3     3
  Receiver (inch)   8        3        3        0        3      -3
  RSS (dBm)         -73.66   -76.55   -79.82   -82.17   N/A    -90.41
  PDR               100%     100%     99%      98%      0%     85%
RFID
What is Radio Frequency Identification (RFID)?
• An automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags.
[Figure: RFID system]
• Tags (transponders): attached to objects, "call out" identifying data on a special radio frequency (e.g. 02.3DFEX4.78AF51, EasyToll card #816)
• Reader (transceiver): reads data off the tags without direct contact
• Radio signal (contactless): range from 3–5 inches to 3 yards
• Database: matches tag IDs to physical objects
RFID Tags
• A tag is a transponder: it receives a radio signal and in response sends out a radio signal.
  – The tag contains an antenna and a small chip that stores a small amount of data
  – The tag can be programmed at manufacture or on installation
  – The tag is powered by the high-power electromagnetic field generated by the reader antennas, usually in doorways
  – The field allows the chip/antenna to reflect back an extremely weak signal containing the data
  – Collision detection (recognition of multiple tags in the read range) is employed to separately read the individual tags
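Reading several tags that sit in the field at once, as an added example that is not code from the slides: a simulation of binary tree-walking singulation, one common anticollision scheme (an assumption, since the slide does not name the scheme in use). The reader broadcasts an ID prefix, only tags whose ID starts with it answer, and a collision is resolved by extending the prefix with 0 and then 1. The tag IDs are constructed; the second population, with two tags carrying the same ID, shows the failure mode: duplicate IDs can never be singulated.

```python
# Added example (not from the slides): binary tree-walking singulation, one
# common anticollision scheme (an assumption; the slide does not say which is used).
from typing import List, Tuple


def singulate(tags: List[str], width: int, prefix: str = "") -> Tuple[List[str], int, List[str]]:
    """Read every tag in `tags` (fixed-width binary ID strings) one at a time.

    Returns (ids read, number of reader queries, prefixes that could not be
    resolved because several tags carry the identical ID).
    """
    # The reader broadcasts `prefix`; only tags whose ID starts with it respond.
    responders = [t for t in tags if t.startswith(prefix)]
    queries = 1
    if not responders:                 # silence: nothing under this prefix
        return [], queries, []
    if len(responders) == 1:           # a single clean answer: tag read
        return responders, queries, []
    if len(prefix) == width:           # full ID and still colliding: duplicates
        return [], queries, [prefix]
    # Collision: split the ID space and walk each half in turn.
    read0, q0, dup0 = singulate(tags, width, prefix + "0")
    read1, q1, dup1 = singulate(tags, width, prefix + "1")
    return read0 + read1, queries + q0 + q1, dup0 + dup1


# Constructed tag populations for illustration.
FIELD = ["0110", "0111", "1001"]
FIELD_WITH_DUPLICATE = ["0110", "0110", "1001"]

if __name__ == "__main__":
    print(singulate(FIELD, 4))                 # all three tags read in 9 queries
    print(singulate(FIELD_WITH_DUPLICATE, 4))  # only 1001 read; 0110 unresolved
```

Each level of the walk costs one reader query per prefix, so the number of queries grows with how many tags share long common prefixes, not just with how many tags are present; readers that must handle hundreds of tags within a few metres (see the attribute table that follows) are limited by exactly this exchange.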
RFID Tag Attributes

  Attribute                         Active RFID                                                    Passive RFID
  Tag power source                  Internal to tag                                                Energy transferred from the reader via RF
  Tag battery                       Yes                                                            No
  Availability of power             Continuous                                                     Only in the field of the reader
  Required signal strength to tag   Very low                                                       Very high
  Range                             Up to 100 m                                                    Up to 3–5 m, usually less
  Multi-tag reading                 1000s of tags recognized, at up to 100 mph                     A few hundred within 3 m of the reader
  Data storage                      Up to 128 Kb read/write with sophisticated search and access   128 bytes read/write
Readers
• An RFID reader is a device used to interrogate an RFID tag. The reader has an antenna that emits radio waves; the tag responds by sending back its data.
• The reader has two basic components:
  – A scanning antenna
  – A transceiver with a decoder to interpret the data
Applications
• Personal:
  – Automatic toll collection
  – Building access control
  – Exxon/Mobil Speedpass
  – Library check-in/check-out
  – Pet identification
• Business:
  – Asset management
  – Shipping
  – Pallet and container tracking
  – Tracking re-usable containers
  – Document management
  – Inventory management
  – In-transit visibility
  – Warranty and maintenance
  – Retail shelf management and checkout
Sensor/RFID
• Gentag: a cell-phone-based post-operative orthopedic surgery monitoring kit
• Near field communication (NFC) diagnostic platform
  – An ultra-linear NFC-MEMS hybrid chip
  – 1 mmHg pressure precision
  – 0.1 °C temperature accuracy
Wireless Security and Privacy
Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study
"Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study," USENIX Security Symposium, 2010
Wireless in Automobiles
• Wireless is increasingly connected to the CAN bus in automobiles
  – Web-based vehicle-immobilization systems
  – MyRate from insurance companies to collect driving data
  – "iChange" controls the car via an iPhone
  – More in-car wireless sensor networks
Tire Pressure Monitoring System (TPMS)
• What is TPMS?
  – Monitors tire pressure in real time
  – Alerts drivers if a tire is underinflated
  – Purpose: increase safety and fuel economy
  – Indirect TPMS vs. direct TPMS
• The National Highway Traffic Safety Administration (NHTSA) mandates TPMS. Virtually all new cars sold or manufactured in the US after 2007 are equipped with wireless TPMS.
Misuse 1: Car Tracking
Misuse 2: Trick the Driver into Stopping
[Figure: a spoofed low-pressure warning; "$$ Stop?"]
TPMS: To Be Discovered
• What are the communication protocol details?
  – How difficult is it to reverse engineer?
  – Are messages encrypted? Authenticated?
• How easy is it to eavesdrop on TPMS communication?
  – What is the range?
  – Effect of travel speed, the car's metal body, message rate, transmission power
• How easy is it to spoof TPMS communication?
  – What is the range?
  – Does the ECU filter/reject suspicious packets?
  – How much damage can spoofing accomplish?
• What can be done to protect TPMS communication?
TPMS: From the Public Domain
• Communication protocols
  – Sensor IDs are linked (paired) with the TPMS ECU
  – Sensors → ECU at 315/433 MHz
    • The ECU filters packets based on IDs
  – Sensors can be woken up by
    • ECU → sensors at 125 kHz (activation signal)
    • Travel at high speeds (> 40 km/h)
[Figure: tire pressure sensors, receiving antennas, TPMS electronic control unit (ECU)]
Security and Privacy Analysis Step 1: Reverse-engineering
• Proprietary protocols: security through obscurity?
• Goal
  – Modulation schemes
  – Encoding schemes
  – Message formats (encrypted?)
• Equipment
  – Universal Software Radio Peripheral (USRP)
  – Sensors: TPS-A and TPS-B
  – ATEQ VT55 (activator)
  – Agilent Vector Signal Analyzer (VSA)
Reverse-Engineering Walk-Through
• Reverse engineering steps
  – Capture packet transmission
  – Demodulate and decode data
  – Determine packet format
• Observations
  – Reverse engineering possible
  – No encryption
[Figure: workflow: triggered sensors at 125 kHz → sensors responded at 315 MHz → captured RF transmission at 315 MHz → determined modulation: ASK → encoding scheme: Manchester → determined message format: 32-bit or 28-bit sensor ID]
• How likely is it that two cars share the same ID? 1015 cars with P_c = 1%
Security and Privacy Analysis Step 2: Eavesdropping Capability
• How likely is eavesdropping?
  – Cars travel at high speeds
  – Cars' metal bodies shield RF
  – TPMS message rate: 1 per 60–90 s
  – Low transmission power (battery)
• Eavesdropping system
  – Used USRP only, no VSA
  – Used a low noise amplifier (LNA)
  – Reused the decoders from the reverse-engineering step
  – Developed a live decoder/eavesdropper
Demonstration of Live Eavesdropping
[Figure: live decoder output showing sensor ID 884368A2]
Exp. 1: Eavesdropping Distance
• Scenarios
  – USRP + cheap antenna
  – USRP + LNA ($75) + cheap antenna
• Observations
  – Able to decode packets if RSS (received signal strength) > ambient noise floor
  – The LNA boosts the decoding range from 10.7 m to 40 m
Exp. 2: Eavesdropping Distance and Angle
• Setup
  – USRP at the origin
  – Car moved parallel to the x-axis, 1.5 m apart
• Observations
  – The widest range is 9.1 meters
  – Sniffed at over 70 mph
[Figure: detectable region around the USRP location]
Feasibility of Tracking
• Passive tracking
  – Complete location tracking is difficult
  – Given: 1 packet per 60 seconds, eavesdropping range 9 meters
  – A car at 60 km/h travels 1 km between packets, so about 110 sniffers per km of road would be needed
• Active tracking
  – An activation signal makes tracking easier
  – Send the activation signal at 125 kHz
  – Place the sniffer down the road
  – Experiments
    • Obtained timing data: USRP + TVRX (315 MHz) + LFRX (125 kHz) daughterboards
    • Validation: ATEQ VT55 (activator) + USRP (sniffer); the car traveled at 35 km/h
Tracking via TPMS
• Independent of line of sight (LOS); the sniffer can be hidden
• Higher technical requirement to deactivate TPMS
Tracking via License Plate Capture Cameras (LPCC)
• Requires LOS and a visible camera mounting location
• Affected by weather
• Less technical sophistication needed to hide license plates
Security and Privacy Analysis Step 3: Packet Spoofing
• How likely is it to spoof TPMS communication?
  – Is the in-car radio able to pick up spoofed packets from outside the vehicle or from a neighboring vehicle?
  – Security mechanisms in the ECU?
    • Will the ECU filter/reject suspicious packets?
    • How long will the ECU take to recover from the spoofing?
• Spoofing system
  – Frequency mixer
  – Reused the eavesdropper from step 2
  – Developed a packet generator
    • Includes a proper checksum
    • Contains the alarm flag
[Figure: spoofing pipeline: obtain sensor ID, type and tire pressure → encode (Manchester) → modulate (ASK) → transmit at 315 MHz with a frequency mixer]
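The reverse-engineering walk-through (ASK, Manchester, sensor ID, checksum) and the spoofing packet generator above, as one added example that is not code from the paper or the slides: a complete model of the link, from frame to Manchester chips to ASK samples and back, plus a receiver that behaves the way the slides describe the ECU (ID filter and checksum only, no authentication, warning light driven by the alarm flag). The frame layout, the byte-sum checksum, the Manchester chip convention and the pressure units are assumptions made for illustration and are not the real TPMS format; the sensor ID 884368A2 is the one shown on the eavesdropping slide.

```python
# Added example (not from the paper or the slides): end-to-end model of the
# reverse-engineered TPMS link and of the spoofing packet generator. Frame layout,
# checksum and Manchester chip convention are assumptions made for illustration.
from dataclasses import dataclass
from typing import List

ALARM_FLAG = 0x01  # assumed: bit 0 of the flags byte is the low-pressure alarm
PAIR_TO_BIT = {(1, 0): 1, (0, 1): 0}  # assumed Manchester convention, MSB first


@dataclass
class Frame:
    sensor_id: int  # 32-bit sensor ID (the slides also mention 28-bit variants)
    pressure: int   # 0..255, unit left abstract
    flags: int      # bit field; bit 0 = alarm

def checksum(payload: bytes) -> int:
    """Assumed checksum: byte sum modulo 256. It catches corruption, not forgery."""
    return sum(payload) & 0xFF

def build_frame(f: Frame) -> bytes:
    body = f.sensor_id.to_bytes(4, "big") + bytes([f.pressure & 0xFF, f.flags & 0xFF])
    return body + bytes([checksum(body)])

def parse_frame(raw: bytes) -> Frame:
    if len(raw) != 7 or checksum(raw[:6]) != raw[6]:
        raise ValueError("bad length or checksum")
    return Frame(int.from_bytes(raw[:4], "big"), raw[4], raw[5])

def manchester_encode(data: bytes) -> List[int]:
    """Bit 1 -> chips (1, 0), bit 0 -> chips (0, 1)."""
    chips: List[int] = []
    for byte in data:
        for i in range(7, -1, -1):
            chips += [1, 0] if (byte >> i) & 1 else [0, 1]
    return chips

def manchester_decode(chips: List[int]) -> bytes:
    """Inverse of manchester_encode; a chip pair without a transition is an error."""
    if len(chips) % 16:
        raise ValueError("chip stream is not a whole number of bytes")
    bits = []
    for i in range(0, len(chips), 2):
        pair = (chips[i], chips[i + 1])
        if pair not in PAIR_TO_BIT:
            raise ValueError("invalid Manchester pair (no mid-bit transition)")
        bits.append(PAIR_TO_BIT[pair])
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def ask_modulate(chips: List[int], spc: int = 4, high: float = 1.0, low: float = 0.1) -> List[float]:
    """ASK: chip 1 at high carrier amplitude, chip 0 at low; spc samples per chip."""
    return [high if c else low for c in chips for _ in range(spc)]

def ask_demodulate(samples: List[float], spc: int = 4, threshold: float = 0.5) -> List[int]:
    """Envelope slicing: majority vote of each chip's samples against the threshold."""
    chips = []
    for i in range(0, len(samples), spc):
        votes = sum(1 for x in samples[i:i + spc] if x > threshold)
        chips.append(1 if 2 * votes > spc else 0)
    return chips

def transmit(f: Frame) -> List[float]:
    """Packet generator: frame -> Manchester chips -> ASK samples (what goes over the air)."""
    return ask_modulate(manchester_encode(build_frame(f)))


class Ecu:
    """Receiver logic as the slides describe it: packets are filtered on paired sensor
    IDs and a valid checksum, nothing is authenticated, and the warning light follows
    the alarm flag rather than the reported pressure."""

    def __init__(self, paired_ids: List[int]):
        self.paired = set(paired_ids)
        self.warning = False

    def receive(self, samples: List[float]) -> bool:
        """Return True if the packet was accepted (and the warning state updated)."""
        try:
            f = parse_frame(manchester_decode(ask_demodulate(samples)))
        except ValueError:
            return False
        if f.sensor_id not in self.paired:
            return False
        self.warning = bool(f.flags & ALARM_FLAG)
        return True


def spoofing_demo() -> tuple:
    """Genuine packet (normal pressure, no alarm), then a spoof with the same ID and
    pressure but the alarm flag set, then a packet from an unpaired ID.
    Returns (light after genuine, light after spoof, unpaired packet accepted)."""
    sensor_id = 0x884368A2  # the sensor ID shown on the eavesdropping slide
    ecu = Ecu([sensor_id])
    ecu.receive(transmit(Frame(sensor_id, 200, 0)))
    after_genuine = ecu.warning
    ecu.receive(transmit(Frame(sensor_id, 200, ALARM_FLAG)))
    after_spoof = ecu.warning
    stranger = ecu.receive(transmit(Frame(0x12345678, 200, ALARM_FLAG)))
    return after_genuine, after_spoof, stranger

if __name__ == "__main__":
    print(spoofing_demo())  # (False, True, False)
```

The ID filter is the only thing standing between an outsider and the warning light, and the eavesdropper from step 2 hands the attacker exactly that ID; the checksum is recomputed by the spoofer just as the sensor would compute it, so it rejects corruption but not forgery, and the light goes on even though the pressure field still reports a normal value.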
Spoofing Validation
• Tested on two pieces of equipment:
  – ATEQ VT55 validates the packet structure
  – A car (TPS-A) validates the ECU's logic
• 40 packets per minute
• Observations
  – No authentication
  – No input validation
  – Warning lights depend only on the alarm flag, not on the actual pressure value
  – Large range: 38 meters with a cheap antenna and no amplifier
  – Inter-vehicle spoofing is feasible, at travel speeds of 55 km/h and 110 km/h
Disabled TPMS ECU
[Figure: TPMS low-pressure warning (LPW) light and the vehicle's warning light]
• Timer- and window-based filtering opens vulnerabilities
• Broke the TPMS ECU purely by spoofing! The ECU had to be replaced at the dealership.
Conclusions
• Wireless sensor networks are the bridge to the physical world and make remote sensing feasible.
• Designing wireless sensor networks is challenging.
• Designing wireless sensor networks for intertidal zones is even more challenging (and more fun!).
• Security is not a concern yet; what about the future?
Acknowledgements & References
• Brian Helmuth, USC
• Yabo Dong, Zhejiang University
• Xia Ming, Zhejiang University of Technology
• Marco Gruteser, Rutgers University
• Wade Trappe, Rutgers University
• Some of the slides are borrowed from the web.