Aanjhan Ranganathan

CR
10 papers
426 citations
Novelty 60%
AI Score 47

10 Papers

40.8 | NI | May 27
Dyna-5G: Dynamic Role Switching for Self-Organizing 5G M2M Networks

Evangelos Bitsikas, Adam Belfki, Aanjhan Ranganathan

M2M deployments such as drone swarms demand mission-critical communication: km-scale range, strong per-device identity and mutual authentication, and deterministic QoS for bandwidth-intensive payloads. Cellular 5G uniquely satisfies all of these, yet it has seen limited adoption in autonomous fleets. The barrier is not capability but resilience: today's 5G networks assume fixed infrastructure, and when the base station fails, recovery is uniquely complex. Unlike simpler wireless protocols where devices can transparently switch nodes, 5G failure requires reconstructing distributed state such as authentication contexts, QoS bindings, tunnels, and RRC state machines across the fleet, a process that no existing system automates. We present Dyna-5G, which makes this happen. Dyna-5G is the first 5G Standalone-compliant framework for dynamic role switching in M2M fleets, where any device can assume the role of 5G Core, RAN, or UE at runtime. It orchestrates failure detection, leader selection, and coordinated state teardown and re-establishment, all without modifying 3GPP protocols. We evaluate Dyna-5G on a high-fidelity software emulation testbed, with Open5GS and srsRAN, across hundreds of trials with up to 10 drones. Control-plane overhead averages 0.47 Mb/s (approximately 0.47% of a 100 Mb/s bearer), while failure recovery completes in about 2.5 s, of which approximately 86% is due to stack-dependent cellular procedures. Dyna-5G's orchestration logic itself adds only about 175 ms per reconfiguring role. All tested missions complete successfully, even under injected leader crashes.

CR | May 5, 2021 | Code
SemperFi: A Spoofer Eliminating GPS Receiver for UAVs

Harshad Sathaye, Gerald LaMountain, Pau Closas et al.

It is well-known that GPS is vulnerable to signal spoofing attacks. Although several spoofing detection techniques exist, they are incapable of mitigation and recovery from stealthy attackers. In this work, we present SemperFi, a single antenna GPS receiver capable of tracking legitimate GPS satellite signals and estimating the true location even during a spoofing attack. The main challenge in building SemperFi is, unlike most wireless systems where the data contained in the wireless signals is important, GPS relies on the time of arrival (ToA) of satellite signals. SemperFi is capable of distinguishing spoofing signals and recovering legitimate GPS signals that are even completely overshadowed by a strong adversary. We exploit the short-term stability of inertial sensors to identify the spoofing signal and extend the successive interference cancellation algorithm to preserve the legitimate signal's ToA. We implement SemperFi in GNSS-SDR, an open-source software-defined GNSS receiver, and evaluate its performance using UAV simulators, real drones, a variety of real-world GPS datasets, and various embedded platforms. Our evaluation results indicate that in many scenarios, SemperFi can identify adversarial peaks by executing flight patterns that are less than 50 m long and recover the true location within 10 seconds (Jetson Xavier). We show that our receiver is secure against stealthy attackers who exploit inertial sensor errors and execute seamless takeover attacks. We design SemperFi as a pluggable module capable of generating a spoofer-free GPS signal for processing on any commercial-off-the-shelf GPS receiver available today. Finally, we release our implementation to the community for usage and further research.

CR | Jul 22, 2021
ZLeaks: Passive Inference Attacks on Zigbee based Smart Homes

Narmeen Shafqat, Daniel J. Dubois, David Choffnes et al.

Zigbee is an energy-efficient wireless IoT protocol that is increasingly being deployed in smart home settings. In this work, we analyze the privacy guarantees of the Zigbee protocol. Specifically, we present ZLeaks, a tool that passively identifies in-home devices or events from the encrypted Zigbee traffic by 1) inferring a single application layer (APL) command in the event's traffic, and 2) exploiting the device's periodic reporting pattern and interval. This enables an attacker to infer a user's habits or determine if the smart home is vulnerable to unauthorized entry. We evaluated ZLeaks' efficacy on 19 unique Zigbee devices across several categories and 5 popular smart hubs in three different scenarios: controlled RF shield, living smart-home IoT lab, and third-party Zigbee captures. We were able to i) identify unknown events and devices (without a-priori device signatures) using the command inference approach with 83.6% accuracy, ii) automatically extract the device's reporting signatures, iii) determine known devices using the reporting signatures with 99.8% accuracy, and iv) identify APL commands in a public capture with 91.2% accuracy. In short, we highlight the trade-off between designing a low-power, low-cost wireless network and achieving privacy guarantees. We have also released the ZLeaks tool for the benefit of the research community.

CR | Nov 24, 2019
I Send, Therefore I Leak: Information Leakage in Low-Power Wide Area Networks

Patrick Leu, Ivan Puddu, Aanjhan Ranganathan et al.

Low-power wide area networks (LPWANs), such as LoRa, are fast emerging as the preferred networking technology for large-scale Internet of Things deployments (e.g., smart cities). Due to long communication range and ultra low power consumption, LPWAN-enabled sensors are today being deployed in a variety of application scenarios where sensitive information is wirelessly transmitted. In this work, we study the privacy guarantees of LPWANs, in particular LoRa. We show that, although the event-based duty cycling of radio communication, i.e., transmission of radio signals only when an event occurs, saves power, it inherently leaks information. This information leakage is independent of the implemented crypto primitives. We identify two types of information leakage and show that it is hard to completely prevent leakage without incurring significant additional communication and computation costs.

CR | Aug 10, 2018
Security of GPS/INS based On-road Location Tracking Systems

Sashank Narain, Aanjhan Ranganathan, Guevara Noubir

Location information is critical to a wide variety of navigation and tracking applications. Today, GPS is the de-facto outdoor localization system but has been shown to be vulnerable to signal spoofing attacks. Inertial Navigation Systems (INS) are emerging as a popular complementary system, especially in road transportation systems as they enable improved navigation and tracking as well as offer resilience to wireless signals spoofing, and jamming attacks. In this paper, we evaluate the security guarantees of INS-aided GPS tracking and navigation for road transportation systems. We consider an adversary required to travel from a source location to a destination, and monitored by an INS-aided GPS system. The goal of the adversary is to travel to alternate locations without being detected. We developed and evaluated algorithms that achieve such a goal, providing the adversary significant latitude. Our algorithms build a graph model for a given road network and enable us to derive potential destinations an attacker can reach without raising alarms even with the INS-aided GPS tracking and navigation system. The algorithms render the gyroscope and accelerometer sensors useless as they generate road trajectories indistinguishable from plausible paths (both in terms of turn angles and roads curvature). We also designed, built, and demonstrated that the magnetometer can be actively spoofed using a combination of carefully controlled coils. We implemented and evaluated the impact of the attack using both real-world and simulated driving traces in more than 10 cities located around the world. Our evaluations show that it is possible for an attacker to reach destinations that are as far as 30 km away from the true destination without being detected. We also show that it is possible for the adversary to reach almost 60-80% of possible points within the target region in some cities.

CR | Oct 19, 2016
On the Security of Carrier Phase-based Ranging

Hildur Ólafsdóttir, Aanjhan Ranganathan, Srdjan Capkun

Multicarrier phase-based ranging is fast emerging as a cost-optimized solution for a wide variety of proximity-based applications due to its low power requirement, low hardware complexity and compatibility with existing standards such as ZigBee and 6LoWPAN. Given the potentially critical nature of the applications in which phase-based ranging can be deployed (e.g., access control, asset tracking), it is important to evaluate its security guarantees. Therefore, in this work, we investigate the security of multicarrier phase-based ranging systems and specifically focus on distance decreasing relay attacks that have proven detrimental to the security of proximity-based access control systems (e.g., vehicular passive keyless entry and start systems). We show that phase-based ranging, as well as its implementations, are vulnerable to a variety of distance reduction attacks. We describe different attack realizations and verify their feasibility by simulations and experiments on a commercial ranging system. Specifically, we successfully reduced the estimated range to less than 3 m even though the devices were more than 50 m apart. We discuss possible countermeasures against such attacks and illustrate their limitations, therefore demonstrating that phase-based ranging cannot be fully secured against distance decreasing attacks.

CR | Aug 16, 2016
SALVE: Server Authentication with Location VErification

Der-Yeuan Yu, Aanjhan Ranganathan, Ramya Jayaram Masti et al.

The Location Service (LCS) proposed by the telecommunication industry is an architecture that allows the location of mobile devices to be accessed in various applications. We explore the use of LCS in location-enhanced server authentication, which traditionally relies on certificates. Given recent incidents involving certificate authorities, various techniques to strengthen server authentication were proposed. They focus on improving the certificate validation process, such as pinning, revocation, or multi-path probing. In this paper, we propose using the server's geographic location as a second factor of its authenticity. Our solution, SALVE, achieves location-based server authentication by using secure DNS resolution and by leveraging LCS for location measurements. We develop a TLS extension that enables the client to verify the server's location in addition to its certificate. Successful server authentication therefore requires a valid certificate and the server's presence at a legitimate geographic location, e.g., on the premises of a data center. SALVE prevents server impersonation by remote adversaries with mis-issued certificates or stolen private keys of the legitimate server. We develop a prototype implementation and our evaluation in real-world settings shows that it incurs minimal impact to the average server throughput. Our solution is backward compatible and can be integrated with existing approaches for improving server authentication in TLS.

CR | Mar 17, 2016
SPREE: Spoofing Resistant GPS Receiver

Aanjhan Ranganathan, Hildur Ólafsdóttir, Srdjan Capkun

Global Positioning System (GPS) is used ubiquitously in a wide variety of applications ranging from navigation and tracking to modern smart grids and communication networks. However, it has been demonstrated that modern GPS receivers are vulnerable to signal spoofing attacks. For example, today it is possible to change the course of a ship or force a drone to land in a hostile area by simply spoofing GPS signals. Several countermeasures have been proposed in the past to detect GPS spoofing attacks. These countermeasures offer protection only against naive attackers. They are incapable of detecting strong attackers such as those capable of seamlessly taking over a GPS receiver, which is currently receiving legitimate satellite signals, and spoofing them to an arbitrary location. Also, there is no hardware platform that can be used to compare and evaluate the effectiveness of existing countermeasures in real-world scenarios. In this work, we present SPREE, which is, to the best of our knowledge, the first GPS receiver capable of detecting all spoofing attacks described in literature. Our novel spoofing detection technique called auxiliary peak tracking enables detection of even a strong attacker capable of executing the seamless takeover attack. We implement and evaluate our receiver against three different sets of GPS signal traces and show that SPREE constrains even a strong attacker (capable of seamless takeover attack) from spoofing the receiver to a location not more than 1 km away from its true location. This is a significant improvement over modern GPS receivers that can be spoofed to any arbitrary location. Finally, we release our implementation and datasets to the community for further research and development.

CR | Mar 24, 2015
Thermal Covert Channels on Multi-core Platforms

Ramya Jayaram Masti, Devendra Rai, Aanjhan Ranganathan et al.

Side channels remain a challenge to information flow control and security in modern computing platforms. Resource partitioning techniques that minimise the number of shared resources among processes are often used to address this challenge. In this work, we focus on multi-core platforms and we demonstrate that even seemingly strong isolation techniques based on dedicated cores and memory can be circumvented through the use of thermal side channels. Specifically, we show that the processor core temperature can be used both as a side channel as well as a covert communication channel even when the system implements strong spatial and temporal partitioning. Our experiments on an x86-based platform demonstrate covert thermal channels that achieve up to 12.5 bps and a weak side channel that can detect processes executed on neighbouring cores. This work therefore shows a limitation in the isolation that can be achieved on existing multi-core systems.

CR | Apr 17, 2014
Low-power Distance Bounding

Aanjhan Ranganathan, Boris Danev, Srdjan Capkun

A distance bounding system guarantees an upper bound on the physical distance between a verifier and a prover. However, in contrast to a conventional wireless communication system, distance bounding systems introduce tight requirements on the processing delay at the prover and require high distance measurement precision making their practical realization challenging. Prior proposals of distance bounding systems focused primarily on building provers with minimal processing delays but did not consider the power limitations of provers and verifiers. However, in a wide range of applications (e.g., physical access control), provers are expected to be fully or semi-passive introducing additional constraints on the design and implementation of distance bounding systems. In this work, we propose a new physical layer scheme for distance bounding and leverage this scheme to implement a distance bounding system with a low-power prover. Our physical layer combines frequency modulated continuous wave (FMCW) and backscatter communication. The use of backscatter communication enables low power consumption at the prover which is critical for a number of distance bounding applications. By using the FMCW-based physical layer, we further decouple the physical distance estimation from the processing delay at the prover, thereby enabling the realization of the majority of distance bounding protocols developed in prior art. We evaluate our system under various attack scenarios and show that it offers strong security guarantees against distance, mafia and terrorist frauds. Additionally, we validate the communication and distance measurement characteristics of our system through simulations and experiments and show that it is well suited for short-range physical access control and payment applications.