Matthias Schulz scite author profile

Abstract-Wireless covert channels promise to exfiltrate information with high bandwidth by circumventing traditional access control mechanisms. Ideally, they are only accessible by the intended recipient and-for regular system users/operatorsindistinguishable from normal operation. While a number of theoretical and simulation studies exist in literature, the practical aspects of WiFi covert channels are not well understood. Yet, it is particularly the practical design and implementation aspect of wireless systems that provides attackers with the latitude to establish covert channels: the ability to operate under adverse conditions and to tolerate a high amount of signal variations. Moreover, covert physical receivers do not have to be addressed within wireless frames, but can simply eavesdrop on the transmission. In this work, we analyze the possibilities to establish covert channels in WiFi systems with emphasis on exploiting physical layer characteristics. We discuss design alternatives for selected covert channel approaches and study their feasibility in practice. By means of an extensive performance analysis, we compare the covert channel bandwidth. We further evaluate the possibility of revealing the introduced covert channels based on different detection capabilities.

show abstract

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Schulz¹,

Loch²,

Hollick³

2014

View full text Add to dashboard Cite

InternalBlue - Bluetooth Binary Patching and Experimentation Framework

Mantz

Classen

Schulz

et al. 2019

View full text Add to dashboard Cite

Bluetooth is one of the most established technologies for short range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In particular, system aspects and close to hardware protocol layers are mostly uncovered.We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep insights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework-outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and highperformance. Hence, it provides a portable low-cost research platform.InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware. CCS CONCEPTS• Security and privacy → Mobile and wireless security; • Networks → Link-layer protocols.

show abstract

Reliability issues of GaN based high voltage power devices

Wuerfl

Bahat‐Treidel

Brunner

et al. 2011

Microelectronics Reliability

View full text Add to dashboard Cite

Using Channel State Information for Tamper Detection in the Internet of Things

Bağcı

Roedig

Martinovic

et al. 2015

View full text Add to dashboard Cite

The Internet of Things (IoT) is increasingly used for critical applications and securing the IoT has become a major concern. Among other issues it is important to ensure that tampering with IoT devices is detected. Many IoT devices use WiFi for communication and Channel State Information (CSI) based tamper detection is a valid option. Each 802.11n WiFi frame contains a preamble which allows a receiver to estimate the impact of the wireless channel, the transmitter and the receiver on the signal. The estimation result-the CSI-is used by a receiver to extract the transmitted information. However, as the CSI depends on the communication environment and the transmitter hardware, it can be used as well for security purposes. If an attacker tampers with a transmitter it will have an e↵ect on the CSI measured at a receiver. Unfortunately not only tamper events lead to CSI fluctuations; movement of people in the communication environment has an impact too. We propose to analyse CSI values of a transmission simultaneously at multiple receivers to improve distinction of tamper and movement events. A moving person is expected to have an impact on some but not all communication links between transmitter and the receivers. A tamper event impacts on all links between transmitter and the receivers. The paper describes the necessary algorithms for the proposed tamper detection method. In particular we analyse the tamper detection capability in practical deployments with varying intensity of people movement. In our experiments the proposed system deployed in a busy o ce environment was capable to detect 53% of tamper events (T P R = 53%) while creating zero false alarms (F P R = 0%).

show abstract

Massive reactive smartphone-based jamming using arbitrary waveforms and adaptive power control

Schulz

Gringoli

Steinmetzer

et al. 2017

View full text Add to dashboard Cite

It is not commonly known that o-the-shelf smartphones can be converted into versatile jammers. To understand how those jammers work and how well they perform, we implemented a jamming rmware for the Nexus 5 smartphone. e rmware runs on the real-time processor of the Wi-Fi chip and allows to reactively jam Wi-Fi networks in the 2.4 and 5 GHz bands using arbitrary waveforms stored in IQ sample bu ers. is allows us to generate a pilot-tone jammer on o-the-shelf hardware. Besides a simple reactive jammer, we implemented a new acknowledging jammer that selectively jams only targeted data streams of a node while keeping other data streams of the same node owing. To lower the increased power consumption of this jammer, we implemented an adaptive power control algorithm. We evaluated our implementations in friendly jamming scenarios to oppress non-compliant Wi-Fi transmissions and to protect otherwise vulnerable devices in industrial setups. Our results show that we can selectively hinder Wi-Fi transmissions in the vicinity of our jamming smartphone leading to an increased throughput for other nodes or no blockage of non-targeted streams on a jammed node. Consuming less than 300 mW when operating the reactive jammer allows mobile operation for more than 29 hours. Our implementation demonstrates that jamming communications was never that simple and available for every smartphone owner, while still allowing surgical jamming precision and energy e ciency. Nevertheless, it involves the danger of abuse by malicious a ackers that may take over hundreds of devices to massively jam Wi-Fi networks in wide areas.

show abstract

An advanced voltage droop control concept for grid-tied and autonomous DC microgrids

Ott

Han

Wunder

et al. 2015

View full text Add to dashboard Cite

Droop Control has been a well-established control technique both in AC and DC power distribution grids for many years, because it provides a simple way to equally distribute the load current between remote power sources. With the increasing demand for low voltage DC microgrids supplying high-reliability equipment, like servers in data centers, to work both grid-tied and autonomously without a connection to the AC mains and fueled only by local renewable and conventional power sources, voltage droop control is facing new challenges. With power equipment being delivered from several manufacturers the demand for a communication less control scheme that only uses the voltage at the terminal point or the converter output current as an indicator how the control set point should be changed in order to satisfy the energy demand of the loads arises. In consequence, the commissioning time of the DC microgrid is greatly reduced since all components can be simply plugged together without the need for adaptions. An outline for such an inherently autonomous voltage droop control scheme to keep the system voltage within a narrow band of ± 10 % of its 380 VDC nominal value is given in the following paper by describing voltage droop control modelling basics and the selection of characteristic droop curves for different kinds of power sources as well as by giving simulative results from a small-scale DC microgrid

show abstract

12 3 4 5 6

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

334 Leonard St

Brooklyn, NY 11211

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Matthias Schulz

Compressive Millimeter-Wave Sector Selection in Off-the-Shelf IEEE 802.11ad Devices

Practical covert channels for WiFi systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

InternalBlue - Bluetooth Binary Patching and Experimentation Framework

Reliability issues of GaN based high voltage power devices

Using Channel State Information for Tamper Detection in the Internet of Things

Massive reactive smartphone-based jamming using arbitrary waveforms and adaptive power control

An advanced voltage droop control concept for grid-tied and autonomous DC microgrids

Contact Info

Product

Resources

About