Harald Elders-Boll

CR | 3 papers | 100 citations | Novelty 80% | AI Score 32

3 Papers

CR | Feb 14, 2022
Analog Physical-Layer Relay Attacks with Application to Bluetooth and Phase-Based Ranging

Paul Staat, Kai Jansen, Christian Zenger et al.

Today, we use smartphones as multi-purpose devices that communicate with their environment to implement context-aware services, including asset tracking, indoor localization, contact tracing, or access control. As a de-facto standard, Bluetooth is available in virtually every smartphone to provide short-range wireless communication. Importantly, many Bluetooth-driven applications such as Phone as a Key (PaaK) for vehicles and buildings require proximity of legitimate devices, which must be protected against unauthorized access. In earlier access control systems, attackers were able to violate proximity-verification through relay station attacks. However, the vulnerability of Bluetooth against such attacks was yet unclear as existing relay attack strategies are not applicable or can be defeated through wireless distance measurement. In this paper, we design and implement an analog physical-layer relay attack based on low-cost off-the-shelf radio hardware to simultaneously increase the wireless communication range and manipulate distance measurements. Using our setup, we successfully demonstrate relay attacks against Bluetooth-based access control of a car and a smart lock. Further, we show that our attack can arbitrarily manipulate Multi-Carrier Phase-based Ranging (MCPR) while relaying signals over 90 m.

CR | Jul 4, 2021
Mirror Mirror on the Wall: Wireless Environment Reconfiguration Attacks Based on Fast Software-Controlled Surfaces

Paul Staat, Harald Elders-Boll, Markus Heinrichs et al.

The intelligent reflecting surface (IRS) is a promising new paradigm in wireless communications for meeting the growing connectivity demands in next-generation mobile networks. IRS, also known as software-controlled metasurfaces, consist of an array of adjustable radio wave reflectors, enabling smart radio environments, e.g., for enhancing the signal-to-noise ratio (SNR) and spatial diversity of wireless channels. Research on IRS to date has been largely focused on constructive applications. In this work, we demonstrate for the first time that the IRS provides a practical low-cost toolkit for attackers to easily perform complex signal manipulation attacks on the physical layer in real time. We introduce the environment reconfiguration attack (ERA) as a novel class of jamming attacks in wireless radio networks. Here, an adversary leverages the IRS to rapidly vary the electromagnetic propagation environment to disturb legitimate receivers. The IRS gives the adversary a key advantage over traditional jamming: It no longer has to actively emit jamming signals, instead the IRS reflects existing legitimate signals. In addition, the adversary doesn't need any knowledge about the legitimate channel. We thoroughly investigate the ERA in wireless systems based on the widely employed orthogonal frequency division multiplexing (OFDM) modulation. We present insights into the attack through analytical analysis, simulations, as well as experiments. Our results show that the ERA allows to severely degrade the available data rates even with reasonably small IRS sizes. Finally, we implement an attacker setup and demonstrate a practical ERA to slow down an entire Wi-Fi network.

CR | Oct 13, 2020
Intelligent Reflecting Surface-Assisted Wireless Key Generation for Low-Entropy Environments

Paul Staat, Harald Elders-Boll, Markus Heinrichs et al.

Physical layer key generation is a promising candidate for cryptographic key establishment between two wireless communication parties. It offers information-theoretic security and is an attractive alternative to public-key techniques. Here, the inherent randomness of wireless radio channels is used as a shared entropy source to generate cryptographic key material. However, practical implementations often suffer from static channel conditions which exhibit a limited amount of randomness. In the past, considerable research efforts have been made to address this fundamental limitation. However, current solutions are not generic or require dedicated hardware extensions such as reconfigurable antennas. In this paper, we propose a novel wireless key generation architecture based on randomized channel responses from an intelligent reflecting surface (IRS). Due to its passive nature, a cooperative IRS is well-suited to provide randomness for conventional resource-constrained radios. We conduct the first practical studies to successfully demonstrate IRS-based physical-layer key generation with an OFDM system. In a static environment, using a single subcarrier only, our IRS-assisted prototype system achieves a key generation rate (KGR) of 97.39 bps with 6.5% key disagreement rate (KDR) after quantization, while passing standard randomness tests.