Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones
Simon Birnbach, Richard Baker,
Ivan Martinovic
2017 NDSS
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
2/20
Let’s Talk About Drones
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
3/20
Why Should We Care?
n Ignore physical access restrictions n High-quality camera equipment n Spy tools in the hands of everybody n Privacy invasions by drones get more common
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
4/20
How to Detect?
n Various approaches ¨ Optical sensors ¨ Acoustic cameras ¨ High-frequency radar
n Expensive hardware needed n Goal: Design cheap detection system
¨ Radio Frequency
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
5/20
Adversary Model
n Unmodified consumer drone ¨ Controlled over WiFi ¨ Streams live video
n Objective: Capture video through window
¨ Line-of-Sight (LOS) to window needed
n No direct access to premises
dl
ds
OutsideInside
dl: Launch distance ds: Surveillance distance
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
6/20
General Idea
n Off-the-shelf WiFi receiver n Placement in window
¨ Guarantees LOS
n Access restrictions ¨ Drone starts further away ¨ Forces attacker to fly higher
n Challenges ¨ Received signal strength (RSS) à noisy data
¨ Unknown flight behavior ¨ Early detection
dl
ds
OutsideInside
dl: Launch distance ds: Surveillance distance
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
7/20
System Overview
n Pre-processing n Statistical tests
¨ Presence à Drone nearby
n Attack analysis ¨ Attack phases à Approach à Surveillance à Escape
¨ Proximity à Closeness to window
Flow
separation
Throughput/
Packet-rate
filtering
Pre-processing
Movement
test
Free-space
propagation
test
Statistical tests
Attack phase
determination
Proximity
alert
Attack analysis
Presence,
Attack phase,
Proximity
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
8/20
Pre-Processing
Flow
separation
Throughput/
Packet-rate
filtering
Pre-processing
Movement
test
Free-space
propagation
test
Statistical tests
Attack phase
determination
Proximity
alert
Attack analysis
Presence,
Attack phase,
Proximity
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
9/20
Statistical Tests
Flow
separation
Throughput/
Packet-rate
filtering
Pre-processing
Movement
test
Free-space
propagation
test
Statistical tests
Attack phase
determination
Proximity
alert
Attack analysis
Presence,
Attack phase,
Proximity
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
10/20
Statistical Tests
Attacker has to: ¨ …overcome physical access restrictions
à Drone is flying high above ground ¨ …establish LOS to the window
à changes of multipath effects à we expect far less multipath effects due to strong LOS component (compared with ground-based transmitters)
¨ …move towards the window à RSS increases as drone approaches
n Detection method based on statistical tests: ¨ Testing for flying: Closer to free-space propagation than non-flying
transmitters ¨ Testing for approaching & movement: significant RSS changes as
distance to receiver varies
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
11/20
Statistical Tests
n Free-space propagation (FSP) ¨ RSS depends on distance and receiver noise ¨ Only noise varies in short time frame ws (<0.1s)
n Movement ¨ More distance variation than noise in longer interval wl (>1s)
n Compute standard deviation of RSS measurements
n Noise threshold t ¨ Derived from background noise
A drone is detected if: 𝑠(𝑤↓𝑠 )<𝑡 & 𝑡<𝑠(𝑤↓𝑙 )
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
12/20
Statistical Tests
FSP test
Movement test
Noise threshold
A drone is detected if: 𝑠(𝑤↓𝑠 )<𝑡 & 𝑡<𝑠(𝑤↓𝑙 )
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
13/20
Attack Analysis
Flow
separation
Throughput/
Packet-rate
filtering
Pre-processing
Movement
test
Free-space
propagation
test
Statistical tests
Attack phase
determination
Proximity
alert
Attack analysis
Presence,
Attack phase,
Proximity
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
14/20
Attack Analysis
n Approach detection ¨ Increase in RSS difference shows drone is approaching
n Proximity alert ¨ User gets warned if RSS difference exceeds threshold
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
15/20
System Output
Flow
separation
Throughput/
Packet-rate
filtering
Pre-processing
Movement
test
Free-space
propagation
test
Statistical tests
Attack phase
determination
Proximity
alert
Attack analysis
Presence,
Attack phase,
Proximity
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
16/20
Experiment Setup
n Executed in secluded farmhouse n Drones: DJI Phantom 3 Standard, Parrot Bebop n Receiver: Raspberry Pi with WiPi stick mounted in window
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
17/20
System Challenges
Normal behavior
Erratic approach
Not constantly approaching
Establishes LOS very late
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
18/20
Straight Approach
Launch Approach Surveillance
Escape
FSP test
Movement test
Noise threshold
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
19/20
Detection Distances
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
20/20
Conclusion
n Developed method to detect drone privacy invasions n Implemented on cheap hardware n Real-world experiment with variety of approach patterns
shows feasibility n Good performance, minimal detection distance 48m
Thank you for your attention! Questions?
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
21/20
Backup slides
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
22/20
Multipath effects
Drone
Ground-based transmitter
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
23/20
System Parameters
n Surveillance distance n Launch distance n Maximal drone speed
¨ Determines FSP test window size
n Set of drone movement speeds ¨ Determines movement test window sizes
n Noise threshold ¨ Derived from background noise
n Proximity threshold ¨ Derived from surveillance distance
Parameter Example values
ds 1m
dl 50m
ws 0.1s
wl 5s, 10s, 15s, 30s
t √2 ∙1.75dB
𝜎p 10dB
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
24/20
NLOS Approach
Launch Approach Surveillance
Escape
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
25/20
Zig-zag
(1) (2) (3) (4)
0
2
4
6
8
4.0 4.5 5.0 5.5 6.0Time (min)
Stan
dard
dev
iatio
n (d
Bm)
Legend10s5s
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
26/20
Back-and-Forth
(1) (2) (3) (4)
0.0
2.5
5.0
7.5
10.0
1 2 3Time (min)
Stan
dard
dev
iatio
n (d
Bm)
Legend30s5s
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
27/20
Stationary in static environment
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
28/20
Stationary in dynamic environment
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
29/20
Moving indoors
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
30/20
Moving outdoors
Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS
31/20
Ground approach