## PHY-based Location Distinction

### Overview

We have developed a location distinction technology that allows a single access point to detect with high reliability any change in position of a WiFi device in its network.

This technology is meant to improve both network security and physical security. For network security, location distinction detects an impersonation attack, in which another WiFi device uses a legitimate device's credentials to gain access to its private information: the access point can see that the request is coming from a device at a new location. For physical security, an RTLS system can detect a change in location even when the device cannot be localized (because it is not in range of enough access points), or can detect a change in position before the localization algorithm can say that the device's coordinates have changed.

Location distinction is not localization. Most localization algorithms require at least three access points to estimate location, and even then are only accurate to within 3-5 meters. Our technology does not estimate position; it detects a change in position. A change on the order of a wavelength (about 12 cm at 2.4 GHz) or more is readily detected. Our technology is infrastructure-based and does not require any change in WiFi devices; in particular, no accelerometer needs to be added to the device. Furthermore, it is designed to be robust to spoofing, as discussed under Technology below.

The method requires a minor change in the access point receiver. We call an averaged estimate of the channel impulse response the link signature. In current receivers, the channel estimate needed to form a link signature is already computed (the receiver needs it to equalize the incoming packet), but it is then discarded, because it carries no information about the transmitted data. To perform location distinction, the channel response, i.e., the link signature, must be kept and made accessible to the detection algorithm.

We have developed an implementation of a WiFi access point on a USRP v1 software-defined radio which does not discard this information, and instead saves the calculated link signature and feeds it to the location distinction algorithm. This project is related to our project to build a full-bandwidth 802.11b receiver for GNU Radio.

We have also implemented a receiver on a MIMO National Instruments VSA/VSG measurement device and used it to measure link signatures with multiple antennas at the transmitter and the receiver.

### Motivation

Two examples of the need for location distinction are as follows:

• Active RFID tags are placed on boxes and equipment in warehouses and factories in order to know where they are at all times, an application called real-time location services (RTLS). But localization requires (at least) triple coverage of all parts of a building, and multipath and shadowing increase the location errors of such systems. Further, signal-strength localization methods can be 'faked', which is a security issue for systems that aim to increase physical security. Robust detection of a change in location could provide an additional layer of security, especially if it can be done with less than triple coverage.
• An impersonation attack in a wireless network occurs when an attacker obtains your credentials and uses them to access your private information. Faria and Cheriton (2006) pointed out that MAC-address spoofing is a problem in WLANs. Traditional cryptographic methods are subject to node compromise: once a node's key material is extracted, the attacker's replica presents valid credentials. A secure location distinction method could provide additional security against such replication attacks, because the replica transmits from a different location.

### Technology

The link signature has the following properties, which make it usable for location distinction:

1. Uniqueness: The link signature changes as a function of transmitter and receiver locations
2. Spoof-proof: An attacker is not able to produce an arbitrary link signature simultaneously at multiple access points
3. Efficiency: Detecting a change in location does not require multiple receivers or continuous transmission
4. Infrastructure-based: Does not require any change in the user device

Our research group has been experimentally verifying these properties in real-world WiFi channels, using our testbed implementation.

### Methodology

A detailed description is given in our Mobicom 2007 paper, but the basic approach is to form from the received signal a sampled estimate of the channel impulse response. A multipath channel between transmitter $i$ and receiver $j$ is modeled as,

$$h_{i,j}(\tau) = \sum_{l=1}^L \alpha_l e^{j\phi_l} \delta(\tau-\tau_l),$$

where $\alpha_l$ and $\phi_l$ are the amplitude and phase of the $l$th multipath component, $\tau_l$ is its time delay, $L$ is the total number of multipath components, and $\delta(\tau)$ is the Dirac delta function. Essentially, the channel impulse response is the superposition of many impulses, each one representing a single path among the multiple paths of a link. Each impulse is delayed by the path delay, and multiplied by the amplitude and phase of that path.

We denote $\mathbf{h}^{(n)}_{i,j}$ to be the $n$th sampled estimate of $h_{i,j}(\tau)$. By saving a history of these temporal link signature vectors $\mathbf{h}^{(n)}_{i,j}$ for $n=1, \ldots, N-1$, we store recent values of the channel impulse response with the transmitter at location $i$. Then, when a new signal is measured with temporal link signature $\mathbf{h}^{(N)}_{i,j}$, we can quantitatively compare it with the history. This quantification, discussed in the Mobicom paper, is a distance $d$.

The final step of the algorithm is detection. We compare $d$ to a threshold $\gamma$. When $d > \gamma$, we declare that the new signal came from a different transmitter location; otherwise, when $d \le \gamma$, we declare that the signal came from the same location. The choice of $\gamma$ sets the tradeoff between the probability of detection and the probability of false alarm discussed under Experimental Results.
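The following simulation, added here as an illustration and not code from the SPAN lab or the Mobicom paper, walks through the whole pipeline described above: it samples the multipath model $h_{i,j}(\tau)$ onto a tap grid, builds a history of link signatures $\mathbf{h}^{(1)},\ldots,\mathbf{h}^{(N-1)}$ from a stationary transmitter, computes a distance $d$ for a new signature, and compares it to $\gamma$. Everything numeric is an assumption: the tap spacing and tap count, the two constructed multipath profiles `LOC_A` and `LOC_B`, the per-packet jitter model, the threshold `GAMMA`, and the distance itself (minimum Euclidean distance to the history, scaled by the history's own mean nearest-neighbour spread). The paper defines its own metric; this one only shows the history/threshold structure. The example also assumes the receiver has already aligned the first-arriving path to tap 0 and that the carrier phase and gain of each packet are unknown, so signatures are normalized before comparison. `LOC_B` is constructed with the same total power as `LOC_A`, so the last value returned shows why an RSS-only signalprint cannot separate the two locations while the link signature can.

```python
"""Temporal link-signature location distinction, simulated end to end (added example)."""
import numpy as np

FS = 20e6   # assumed sample rate: 50 ns tap spacing
T = 16      # assumed number of taps kept per link signature


def sample_cir(paths, fs=FS, taps=T):
    """Sample h(tau) = sum_l alpha_l e^{j phi_l} delta(tau - tau_l) onto a tap grid.
    paths: iterable of (alpha, phi, tau); each path lands in the tap nearest its delay."""
    h = np.zeros(taps, dtype=complex)
    for alpha, phi, tau in paths:
        k = int(round(tau * fs))
        if 0 <= k < taps:
            h[k] += alpha * np.exp(1j * phi)
    return h


def normalize(h):
    """Remove per-packet gain and carrier-phase offset (assumption: no absolute phase
    reference at the receiver), so only the shape of the CIR is compared."""
    k = int(np.argmax(np.abs(h)))
    h = h * np.exp(-1j * np.angle(h[k]))
    return h / np.linalg.norm(h)


def link_distance(history, h_new):
    """d = min_n ||h_new - h^(n)|| / sigma_H, where sigma_H is the mean nearest-neighbour
    distance inside the history (assumed metric, not the paper's)."""
    H = [normalize(h) for h in history]
    hn = normalize(h_new)
    d_min = min(np.linalg.norm(hn - h) for h in H)
    nn = [min(np.linalg.norm(H[i] - H[j]) for j in range(len(H)) if j != i)
          for i in range(len(H))]
    return d_min / np.mean(nn)


def location_changed(history, h_new, gamma):
    """Detection step: declare a new transmitter location when d exceeds gamma."""
    return bool(link_distance(history, h_new) > gamma)


def rss_db(h):
    """Received signal strength, the only quantity an RSS-only signalprint sees."""
    return 10 * np.log10(np.sum(np.abs(h) ** 2))


def jitter(paths, rng, amp=0.03, phase=0.05):
    """Constructed model of normal channel drift for a stationary link: small
    per-packet amplitude and phase variation on each path."""
    return [(a * (1 + amp * rng.standard_normal()), p + phase * rng.standard_normal(), t)
            for a, p, t in paths]


# Constructed multipath profiles (alpha, phi, tau). Location B carries the same total
# power as A (1.45), so RSS alone cannot tell the two locations apart.
LOC_A = [(1.0, 0.3, 0.0), (0.6, 2.1, 100e-9), (0.3, -1.0, 250e-9)]
LOC_B = [(0.9, -0.8, 0.0), (0.7, 1.5, 50e-9), (np.sqrt(0.15), 0.4, 400e-9)]
GAMMA = 4.0   # assumed threshold


def run_demo(n_history=40, seed=7):
    """Build a history from location A, then test one packet from A and one from B."""
    rng = np.random.default_rng(seed)
    history = [sample_cir(jitter(LOC_A, rng)) for _ in range(n_history)]
    h_same = sample_cir(jitter(LOC_A, rng))    # stationary transmitter
    h_moved = sample_cir(jitter(LOC_B, rng))   # transmitter moved to B
    return {
        "d_same": float(link_distance(history, h_same)),
        "d_moved": float(link_distance(history, h_moved)),
        "alarm_same": location_changed(history, h_same, GAMMA),
        "alarm_moved": location_changed(history, h_moved, GAMMA),
        "rss_gap_db": float(abs(rss_db(sample_cir(LOC_A)) - rss_db(sample_cir(LOC_B)))),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With a single receiver the decision is a scalar threshold test on $d$. Extending to the 2- or 3-receiver case discussed later on the page amounts to concatenating the normalized signatures measured at each access point into one vector before computing the distance, which is also what denies an attacker the ability to satisfy all receivers at once.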

### Related Research

Other approaches to using physical-layer measurements to identify a transmitter location:

1. D. B. Faria and D. R. Cheriton. Radio-layer security: Detecting identity-based attacks in wireless networks using signalprints. In Proc. 5th ACM Workshop on Wireless Security (WiSe'06), pages 43-52, Sept. 2006.
2. Z. Li, W. Xu, R. Miller, and W. Trappe. Securing wireless systems via lower layer enforcements. In Proc. 5th ACM Workshop on Wireless Security (WiSe'06), pages 33-42, Sept. 2006.

Ref [1] uses received signal strength (RSS) measured at multiple receivers to form a 'signalprint' of a transmitter location. Ref [2] uses multiple frequency tones to measure a channel frequency response.

### Experimental Results

Data is available from a study that appeared in the paper, Experimental performance evaluation of location distinction for MIMO links, by D. Maas, N. Patwari, S.K. Kasera, D. Wasden, and M. Jensen, in Proc. 4th IEEE International Conference on Communication Systems and Networks (COMSNETS) 2012:

In this work, many 2 by 2 MIMO CIRs are measured between each possible pair of transmitter and receiver locations shown in the map.

From this and other data, we can see that a 2 by 2 MIMO channel offers highly reliable location distinction. The figure shows that the metric we compute, E, stays close to zero when the transceiver remains in the same location, but is far from zero at all other locations. We have used the data to evaluate many of the design constraints in a MIMO location distinction system, including the number of antennas at TX and RX, the bandwidth, two different metrics, and the distance between two locations needed to distinguish a change.

We also used an extensive measurement set, which is now publicly available on our Measured CIR Data Set wiki. This campaign measured multiple channel impulse responses (CIR) for every pairwise channel in a 44-node network, a total of more than 9300 CIR measurements.

From the results, we can see how a temporal link signature changes over time for a stationary transmitter, and how it changes when the transmitter location changes. Effectively, we can determine:

1. when a change in position causes a significantly different link signature to be measured (a Detection), and
2. when normal changes in the channel over time cause a link signature from a stationary transmitter to be falsely detected to be from a different location (a False Alarm).

The measurements allow us to quantify the probability of detection vs. the probability of false alarm, the key tradeoff in any detection algorithm. The following figures compare the performance of the temporal link signature method with the performance of the RSS-only signalprint method of Faria and Cheriton (2006). They also compare the results when using 1, 2, or 3 receivers to measure the PHY characteristic.

A video of the change metric GUI during the demonstration.

### Implementation

We demonstrate the real-time performance of the location distinction system prototype at the University of Utah. The video below shows the "change metric" at the location distinction server. Each packet transmitted by the device allows the access points to measure a new link signature. The server calculates the difference between the latest link signature and the previously recorded link signatures. When the change metric jumps above the threshold, the server decides that the WiFi device has changed position. During the demo, our team moves a WiFi device among several different positions. Immediately after each move, the system detects a large change and you see a large jump in the change metric.

This technology can be used for location-based authentication, to detect impersonation attacks. In an impersonation attack, an attacker uses a WiFi device to eavesdrop on a legitimate user's packets, determines the user's identity (for example, the MAC address), and then attempts to appear to the network as the legitimate user in order to gain access to that user's private data. Because the attacker transmits from a different location, its link signature differs from the legitimate user's recorded history, and the change is detected.

A diagram of the demonstration setup.

Linksys router used as transmitter, positions marked in red.