Defending Against Vehicular Rogue APs

Transcription

1 This paper was presente as part of the main technical program at IEEE INFOCOM 2011 Defening Against Vehicular Rogue APs Hao Han, Fengyuan Xu, Chiu C. Tan, Yifan Zhang, Qun Li College of William an Mary, Williamsburg, VA, USA {hhan, fxu, cct, yzhang, Abstract This paper consiers vehicular rogue access points (APs) that rogue APs are set up in moving vehicles to mimic legitimate roasie APs to lure users to associate to them. Due to its mobility, a vehicular rogue AP is able to maintain a long connection with users. Thus, the aversary has more time to launch various attacks to steal users private information. We propose a practical etection scheme base on the comparison of Receive Signal Strength (RSS) to prevent users from connecting to rogue APs. The basic iea of our solution is to force APs (both legitimate an fake) to report their GPS locations an transmission powers in beacons. Base on such information, users can valiate whether the measure RSS matches the value estimate from the AP s location, transmission power, an its own GPS location. Furthermore, we consier the impact of path loss an shaowing an propose a metho base on rate aaption to eal with avance rogue APs. We implemente our etection technique on commercial off-the-shelf evices incluing wireless cars, antennas, an GPS moules to evaluate the efficacy of our scheme. I. INTRODUCTION The proliferation of IEEE access points (APs) in public spaces has provie users easy access to the Internet anytime an anywhere. Many city-wie wifi networks have alreay been eploye in the real worl. For instance, Google provies a free wireless Internet service to the city of Mountain View [1]. APs are also propose for eployment along the roa for vehicular networks. We believe future vehicles will be equippe with wireless capabilities that enable a car to communicate over the Internet through roasie APs (also known as Drive-thru Internet [2], [3]), an this will become a reality in the next few years. Due to the ubiquitous eployment of APs, the problem of rogue access points (also known as rogue APs) has emerge as a well recognize security issue. A rogue AP is a malicious AP that pretens to be a legitimate AP to inuce users to connect. Once an innocent user has associate to a rogue AP, the aversary can then launch various attacks by manipulating users packets. For example, the aversary can launch phishing attacks to reirect a user s web page request to a fake location, seeking to steal the user s private information such as bank account numbers an passwors. In a vehicular network, rogue APs can be classifie into two categories: static an mobile. In the first category, a rogue AP is set up at a fixe place, for example in public hotspots such as a builing facing a busy roa. Since this type of rogue AP usually keeps active for a long time an uses the same infrastructure to access Internet, it is relatively not ifficult for aministrators to etect such a rogue AP. Previous work [4] [14] has alreay propose several methos to etect static rogue APs. However, there is little work on how to efen against a mobile rogue AP where the rogue AP is set up in a moving vehicle to attract users on the roa. Due to its mobility, such a rogue AP is able to maintain a long connection with users. Thus, the aversary has more time to launch various attacks to steal users private information. Detecting a vehicular rogue AP is challenging because the uration for a vehicle connecte to any single AP is short. When the signal strength of a connecte AP is less than a threshol, the client has to take a hanoff [15] an re-associate to another AP with the strongest signal strength. Hence, the time left for the rogue AP etection is restricte. We nee a more efficient etecting scheme, since it is meaningless for a client to ientify a legitimate AP while such an AP is out of the communication range. In aition, it is more ifficult to prevent the installation of a vehicular rogue AP, since this type of rogue AP is always moving. Even if extensive sniffers are eploye along the roa, the vehicular rogue will have move to a ifferent location before the authority can etect it. Furthermore, we consier a sophisticate vehicular rogue AP, which can mimic the roasie AP to avoi simple etection. For example, we cannot simply use the uration of the association time to inicate whether a connecte AP is a rogue AP, since the aversary can control the rogue AP to reply fake messages irectly. Consiering the above challenges, we propose a practical etection scheme that prevents user from connecting to a vehicular rogue AP. Our solution imposes minimal moification to existing wireless stanar. The whole etection process relies on the knowlege of the transmission powers an the locations of APs in the vicinity. The clients leverage the receive signal strength (RSS) of beacons which are broacaste by the APs perioically, an tune the transmission rate of probe requests to etect rogue APs. To the best of our knowlege, we are the first to consier the vehicular rogue AP problem an propose a practical etection solution. Our main contributions are liste as follows: 1) We are the first to consier the vehicular rogue AP problem an emonstrate the feasibility of this type of rogue AP. 2) We propose a practical metho to efen against vehicular rogue APs incluing basic attacks an sophisticate attacks. Our solution is user-centric an can apply to base vehicular networks. Our metho can be implemente with little moification to current stanar. U.S. Government work not protecte by U.S. copyright 1665

2 x 3) We implement our schemes using commercial off-theshelf evices incluing wireless cars, antennas, an GPS moules. Also, we perform extensive experiments on realistic roa conitions to evaluate our schemes. The rest of the paper is organize as follows. Section II iscusses the relate work. Section III escribes some backgroun incluing motivation, problem formulation, an aversary moel respectively. Our etection algorithm is etaile in Section IV. Our implementation an evaluation results are presente in Section V. We iscuss the limitation of our solution in Section VI an conclue in Section VII. II. RELATED WORK The threat of rogue APs has attracte the attention of both inustrial an acaemic researchers. Previous research has been mainly focuse on etecting static rogue APs in an enterprise or a hotspot scenario. Typically, existing schemes can be classifie into to three categories. The first category relies on sniffers to monitor wireless traffic. These sniffers usually scan spectrum to examine the 2.4 an 5GHz frequencies. Once etecting any traffic from unauthorize APs, they will alert the aministrator. This approach usually emans well controlle infrastructure such as enterprise networks, where the aministrator can easily eploy sniffers an cut off the access of rogue APs to Internet. Some commercial proucts [16] [18] have been evelope following this technique. In acaemic community, an architecture for iagnosing various faults in WLAN incluing rogue APs, is presente in [10], where multiple APs an mobile clients installing a special iagnostic software cooperate to perform RF monitoring. In [13], another monitoring infrastructure calle DAIR is propose, where USB wireless aapters are attache to esktop machines for capturing more comprehensive traffic to reuce false etection rate. Different from this type of solution, our efening scheme oes not reply on sniffers. That is because a small amount of sniffers may not catch vehicular rogue APs well, but extensive eployment of sniffers is impractical. The technique use in the secon category is leveraging fingerprints to ientify rogue APs. Since an avance aversary can easily spoof a rogue AP s MAC aress, SSID, venor name, an configuration to escape from the etection, the previous work often aopte the fingerprints that cannot be easily forge. For example, the work by [19] calculate every AP s clock skew by collecting their beacons an probe responses. Since clock skew is ifficult to forge, any AP with unknown clock skew is ientifie as a rogue AP. In aition to clock skew, RSS values [20], raio frequency variations [21] are also use. However, a major rawback of this type of schemes is that the AP valiation requires to access a atabase containing the fingerprints of all legitimate APs. This atabase may not be available for en users before they connect to the AP. Our solution iffers from such schemes in that we o not assume the clients know the fingerprints of legitimate APs in avance. Therefore, our etection scheme can apply to not only network aministrators but also en users who use the wireless network for the first time. The last category exploits the features of wireless traffic to etect the presence of rogue APs [4] [6], [9]. In [4], a practical timing base scheme is propose. The metho employs the roun trip time between user an local DNS server to etect rogue APs without assistance from network aministrators. [11] utilizes the immeiate switch connecting rogue APs to measure roun trip time of TCP traffic. Other work by [12], [14] uses the spacing between packets to istinguish wireless networks from wire networks. In [6], inter-arrival time of ACK-pair is use to etect rogue APs. In [9], wire verifier an wireless sniffers are eploye at the same time to etect layer-3 rogue APs. Since we consier a new type of rogue AP, it is unclear whether previous solutions coul work in vehicular networks. Although some schemes might work, it may spen much time on analyzing the network traffic. Our solution is more efficient an en-user centric. III. BACKGROUND In this section, we iscuss some backgroun to our vehicular rogue AP problem, incluing problem formulation, motivation an aversary moel. A. Problem formulation When a vehicular client tries to access Internet through roasie APs, the client will first scan all wireless channels. After scanning, the client coul iscover multiple APs within its communication range, where some APs are legitimate an some are rogue. Accoring to current stanar, a client will pick the AP with strongest signal strength to associate. To inuce clients, the aversary will choose to rive a car along the roa with a rogue AP insie. Since the rogue AP is closer to vehicular clients, the rogue AP s signal strength is very likely to be greater than a roasie AP. In aition, a sophisticate aversary coul control the rogue AP elicately to avoi etection. For example, the aversary can forge a vali SSID an MAC aress, or irectly reply fake messages without accessing Internet first to avoi some timing-base etections. The objective of this paper is to help clients to avoi associating to such a smart vehicular rogue AP. Our solution can be viewe as a complementary part to existing AP selection policies. Fig. 1. Rogue AP (a) Rogue AP (b) x Roasie AP Cell tower Illustration of two typical setups for vehicular rogue APs 1666

3 Vehicular rogue AP is assume to be launche in a car with two wireless interfaces. The first interface pretens to be a vali AP, an the other interface is use to connect to Internet. Fig. 1 illustrates two typical setups for a vehicular rogue AP. In the first setting (a), the rogue AP is equippe with two wireless aapters: the first aapter is configure to AP moe, whereas the secon aapter is set to station moe for connection to a real roasie AP. Nevertheless, the rogue AP oes not reply on roasie APs. In the alternative setting (b), the first interface still pretens to be an AP, but the secon interface connects to a cellular tower. For both settings, a brige is set between two interfaces. Once a packet is receive by the first interface, it will be forware to the secon interface, an vice versa. The aversary may choose either setting to launch attacks. We seek to etect rogue APs uner both settings. In this paper, we o not consier AP is capable of using RADIUS-base 802.1X authentication of users, since it requires each vehicle to have the correct key to access the network. While this may be possible, for example, every car when registere with the DMV is issue the appropriate creentials, it is unclear how well this will work in practice. Thus, we only consier the open network where any car can connect. B. Practicality of vehicular rogue APs Fig. 2. Demonstration of the feasibility of vehicular rogue APs To emonstrate vehicular rogue AP is a feasible threat, we set up a testbe shown in Fig. 2, where three laptops an two vehicles are use. The first laptop configure as a roasie AP is place at location C. An external antenna connecte to such a laptop is mounte on the top of a laer in the height of 2 meters. A vehicular rogue AP an a vehicular client rive from location A to B, each with a laptop insie an an external antenna mounte on the roof. They maintaine the istance of 10 meters away from each other. The length between A an B is approximately 500 meters. From the vehicular client s view, we measure the RSS of beacons broacaste by both roasie AP an the vehicular rogue AP. Fig. 3 shows the results, where the x-axis enotes the elapse time an the y-axis presents the RSS values. As we see, the vehicular rogue AP is easy to maintain relatively larger RSS values than the roasie AP. It is true that a client will be attracte by the vehicular rogue, since the client will always pick the AP with the strongest signal strength to associate. Note that both the roasie AP an the vehicular rogue use the same maximum transmission power Roasie AP Vehicular AP Elapse time (sec) Fig. 3. Measure RSS of the roasie AP an the vehicular rogue from location A to B C. Aversary moel Recall that the goal of vehicular rogues is to inuce clients to connect. If any client associates to a vehicular rogue, the aversary succees. Next are several assumptions of vehicular rogue APs. First, we assume that the aversary uses offthe-shelf harware to set up a vehicular rogue. The rogue AP is able to transmit a packet with arbitrary transmission (TX) power, an inject any packet with any content (incluing changing the MAC heaer). For example, the aversary is able to forge fake re-associate frames to force clients to re-select APs immeiately. Secon, we assume the aversary cannot moify the firmware of harware evices. In other wors, the rogue AP cannot control ACK frames. Although any frame incluing the ACK can be generate, the ACK cannot be sent back to the client within an ACK timeout. It is reporte that the time interval between ata an ACK is a SIFS (10 µs in g [22]). Software (not firmware) ACK cannot be prepare within such a interval [23]. Last, the aversary is able to provie whatever fake information to clients. For example, the aversary can monitor the wireless channels to learn the SSID an MAC aress of a legitimate AP, an then set up its rogue AP with the same information. Base on the assumptions escribe above, the aversary has two types of attacks. Basic attack In the basic attack, the vehicular rogue always broacasts beacons with the maximum TX power. That is because the maximum power will lea to the strongest signal strength with which the vehicular rogue has most probability to attract users to connect. The avantage of the basic attack is its easy setup. Without any complicate configuration, the basic attack can be launche anytime an anywhere. Avance attack The avance attack iffers from the basic attack in two aspects. First, the avance aversary 1667

4 is able to perform backgroun preparation before creating a vehicular rogue AP. The backgroun preparation inclues profiling the RSS values of roasie APs, investigating the roa conitions (e.g. the roa irection, lanes, intersection an so on) an traffic conitions. Secon, the avance aversary targets a specific area of the roa. By tuning the TX power carefully, the aversary forges the signal strength receive in the target area, so that it appears to be real. Compare with the basic attack, the avance attack is more time-consuming, but is more ifficult to be etecte. IV. OUR SOLUTION Our vehicular rogue AP etection scheme emans slight moification to APs that each AP embes its GPS location an TX power in every beacon. The GPS location inicates the AP s coorinates in the form of a latitue-longitue pair. The TX power presents the effective isotropic-raiate power (EIRP) which equals to the power level plus antenna gain an minus cable loss. This two pieces of information can be obtaine by the aministrator in avance, or obtaine from wireless river automatically. A user will then use them to etect vehicular rogues. Note that the stanar allows us to a variable-length information elements at the en of each beacon frame. The form of information elements is shown in Fig. 4. Furthermore, if an AP uses static TX power, this two pieces of information can be manually set in the SSID fiel without any moification to APs. For example, a vali SSID is like W-M_Wireless, ( , ), 20Bm. bytes 1 Element ID Fig Length length (in bytes) Content Format of information elements A. Defening against the basic attacks Since a roasie AP has to report its TX power an GPS location. The aversary will have to ecie what values shoul be appene in beacons. In the basic attack, the aversary is assume to inuce users in an opportunistic manner. Hence, choosing the maximum power is the best strategy for them. However, the aversary shoul not report its actual GPS location, since this location inicates that the AP is in the mile of the roa. A user can easily etect it. Therefore, the aversary must report a fake AP location. Fig. 5 shows three possibilities. Upon receiving a beacon, the client then obtains AP s reporte location, TX power, an a measure RSS. After knowing the reporte GPS location as well as its own GPS location, the client can then calculate the istance between the AP an itself. Base on that istance, TX power, an RSS, our algorithm is use to etermine whether the teste AP is a rogue AP. The main iea is as follows. Let an enote the actual an reporte istance between the rogue AP an the client separately. Suppose the aversary picke a location reporte location (1) < reporte location (2) = reporte location (3) > Fig. 5. Illustration of basic attacks, where triangle, circle, an cross enote vehicular rogue AP, vehicular client, an reporte location respectively such that < (see Fig. 5 (1)). The client is expecte to receive beacons with abnormally large RSS values. On the other han, if > (see Fig. 5 (3)), the RSS values are abnormally less than the expectation. Here, the abnormality is efine as exceeing (i.e. less than the lower boun or greater than the upper boun) a vali range of RSS values erive from the path loss moel. We aopt a common path loss moel [24] consiering two factors that may incur signal attenuation: path loss an shaowing. The path loss is the attenuation of electromagnetic signal propagating through space. The moel assumes the path loss (PL) is exponentially proportional to the transmit-receive istance, PL() γ. The shaowing that is cause by obstacles between the transmitter an receiver that attenuate signal power through absorption, reflection, scattering, an iffraction. The receive signal strength P r in Bm is then given by P r = P t (10γlog 10 ()+c+x δ ) (Bm), (1) where P t is the transmission power in Bm. Variable γ, the path loss exponent, etermines the rate of attenuation when the signal propagating through the space. Variablec is a correction constant which escribes the aitional loss or gain in the moel. VariableX δ is a ranom variable escribing the shaow faing which makes the receive signal strength ifferent from the mean preicte path loss. Fiel measurements have verifie this variation to be environment epenable an follows lognormal istribution [24]. Algorithm 1 presents our solution to efen against basic attacks. We use clt to enote a client an ap to enote a teste AP with the strongest signal strength iscovere by the client. If ap passe the algorithm, the client will terminate the test an connect to that AP. Otherwise, the client will continue the algorithm on next AP until all the APs are teste. Eventually if no AP can pass the algorithm, the client will keep un-associate until a new AP is scanne. In Algorithm 1, the client first collects n beacons from ap an measure RSS values. Meanwhile, AP s TX powers an GPS locations, as well as client s GPS locations, are recore (in line 1). Then, the client calculates the istance from the AP (in line 2). It is notice that the upate of GPS usually is slower than the 1668

5 Algorithm 1 Detecting Basic Rogue APs 1: Listen n beacons from the teste ap an recor {rss i }, {power i }, {gps ap i }, an {gps clt i } for each beacon 2: istance i = gps ap i gps clt i 3: for k = 1 to n 2 o 4: if rss k rss k+1 an rss k+1 rss k+2 > τ then 5: rss k+1 (rss k +rss k+2 )/2 6: en if 7: en for 8: Use maximum likelihoo estimation to calculate ˆγ by Eq. 2 an Eq. 3 9: if (ˆγ < lower boun ) or (ˆγ > upper boun) then 10: ap is a rogue AP 11: en if beacon interval. Thus, multiple beacons may have the same coorinates. To improve accuracy, we apply interpolation to consecutive GPS ata. For example, consier the following segment of GPS coorinates inclue in consecutive beacons: (x 1,y 1 ), (x 2,y 2 ), (x 3,y 3 ), (x 4,y 4 ), (x 5,y 5 ) Suppose the meian three coorinates have the same value (i.e. x 2 = x 3 = x 4 an y 2 = y 3 = y 4 ), since GPS was not upate at that time. After applying the interpolation, we obtain where an (x 1,y 1 ), (x 2,y 2 ), (x 3,y 3 ), (x 4,y 4 ), (x 5,y 5 ) (x 3,y 3) = (x 2 + x 5 x 2 3,y 2 + y 5 y 2 ) 3 (x 4,y 4 ) = (x (x 5 x 2 ),y (y 5 y 2 ) ). 3 3 The etaile coe of interpolation is ignore. Next, the loop from line 3 to 7 is use to filter out the extreme RSS values cause by environment interference. The client checks consecutive three RSS values. If the ifference between the meian value an the first/last value excees a threshol τ, the meian value is replace by the average of its previous an next values. After smoothing, we fit RSS values, istances, an TX powers into our path loss moel (i.e. Eq. 1), an use maximum likelihoo estimation (MLE) to estimate the parameter γ of the moel. Without fitting, the variations of measure GPS an RSS ata may lea to etection errors in practice. To minimize the square error, the estimation of γ can be obtaine by n f(ˆγ,ĉ) = (RSS i Pt i +10ˆγlog 10 ( i )+ĉ) 2. i=1 Differentiating f(ˆγ,ĉ) an setting it to be zero, the value of ˆγ an ĉ can be erive as follows, ˆγ = n i=1 (RSS i Pt i +ĉ)log 10 ( i ) n i=1 10(log 10 ( i)) 2 (2) ĉ = n i=1 (RSS i Pt i +10ˆγlog 10 ( i )) n (3) If ˆγ excees an empirical boun, we suspect the teste ap to be rogue. Previous work has pointe out that the path loss exponent normally ranges from 2 to 6 [25], where 2 is for propagation in free space, an 6 is for relatively lossy environment. Therefore, we heuristically set the lower boun of γ to 2 an the upper boun to 6. Last, in the case that =, our algorithm cannot istinguish the rogue AP. However, we argue that the cars are continuously moving, the aversary cannot maintain this conition. Therefore, this conition is safe to be ignore. B. Defening against avance attacks A more sophisticate aversary can launch avance attacks which require more preparations than basic attacks. For example, the aversary can set up a stationary AP at a specific location an rive along the roa to profile RSS values from that AP. The aversary ynamically tweaks the TX power to make the RSS receive at a esire target area similar to the profile values. Then, the rogue AP reports such a location. Within the targete area, the client cannot use RSS to etect the rogue AP, since the RSS values appear to come from the reporte location. To efen against the avance attacks, our algorithm requires the client to actively sen probe request frames to the AP with the TX power inclue in beacons but ifferent bitrates. In stanar, ifferent moulation schemes support the packet transmission with multi-rates. IEEE a uses a multi-carrier moulation scheme (OFDM), where ifferent ata rates will use ifferent moulation formats (BPSK, QPSK, QAM) accoringly. IEEE b uses irect sequence sprea spectrum (DSSS) moulation. For the 1Mbps an 2Mbps ata rates, the moulation format is set to DBPSK an DQPSK respectively. For 5.5Mbps an 11 Mbps, there are two coing schemes: CCK an PBCC, where CCK is manatory an PBCC is optional. The etails are escribe in Table I [26]. TABLE I MODULATIONS FOR A/G Rates (Mbps) stanar Moulation RX sensitivity (Bm) a/g BPSK/OFDM a/g BPSK/OFDM a/g QPSK/OFDM a/g QPSK/OFDM a/g QAM-16/OFDM a/g QAM-16/OFDM a/g QAM-64/OFDM a/g QAM-64/OFDM -65 As we see, ifferent transmission rate requires ifferent receiver (RX) sensitivity. Accoring to stanar, a receiver cannot emoulate the packet with RSS less than the RX sensitivity. Thus, we can sen packets with varying transmission rates to test if the AP is within a certain istance at which a corresponing rate can be emoulate with an acceptable bit error rate (BER). If the AP is out of the range of such a bit rate, the client cannot receive any ACK frame. 1669

6 Otherwise, the client can receive the ACK frame. Base on that, we can verify if the AP reporte its location honestly. client (1) < Fig. 6. range of a bit rate targete area reporte loation range of a bit rate targete area reporte location (2) > Illustration of avance attacks Next, we consier two situations of avance attacks (shown in Fig. 6): (1) the reporte location is far away from the targete area, whereas the istance between AP s actual location an the targete area is closer (i.e. < ); (2) opposite to the first situation (i.e. > ). In the first conition, the aversary shoul use a relatively small TX power, since the actual istance is closer than the reporte. In other wors, the reporte TX power is greater than the actual TX power. Suppose there is a client within the targete area. If such a client starts a transmission with RX sensitivity greater than the receive RSS, it is expecte that the packet will not be emoulate at the reporte location. As illustrate in Fig. 6 (1), the big circle epicts the range of the transmission rate. Within the circle, the packet can be emoulate. Out of the circle, the packet cannot be emoulate. Here, the client can receive ACKs. That implies the teste AP shoul not be locate at the reporte location. Hence, the teste AP is suspecte to be a rogue AP. In the secon situation that >, the client will transmit a probe request with a transmission rate whose RX sensitivity is less than the receive RSS. It is expecte the teste AP will reply ACKs. However, the client oes not receive the ACK. Thus, the teste AP is also suspecte to be a rogue AP. At last, ue to the similar reason mentione in previous subsection, we o not consier the situation that =. Algorithm 2 escribes our scheme to efen against avance attacks, where some functions are escribe in Table II. function name sen(x) pre(x) next(x) ratio(x) rateset[i] TABLE II FUNCTION DESCRIPTION notation return the RX sensitivity (Bm) of a bit-rate x return the bit-rate slightly slower than the bit-rate x return the bit-rate slightly faster than the bit-rate x return the ratio of the number of ACKs replie to the number of probe requests transmitte with bit-rate x return the ith rate in rateset In the algorithm, the client tries multiple bit-rates (smaller an larger rates) to verify both cases that > an <. Since the ACK may be corrupte by noisy environment, the client oes not receive the ACK not only because of the e emoulation of probe requests, but also ue to the lost ACKs. Therefore, multiple rouns are use to reuce the errors. Algorithm 2 Detecting Avance Rogue APs proceure 1: ajust tx power (rss, pt) if rss > sen(48mbps) then return pt (rss sen(36mbps)+sen(48mbps) 2 ) else return pt en if proceure 2: return bitrate set (rss, pt) if rss > sen(48mbps) then return {24Mbps, 36Mbps, 48Mbps, 54Mbps} else rate s.t. sen(pre(rate)) rss i an sen(rate) > rss i return {pre(pre(rate)), pre(rate), rate, next(rate)} en if 1: Initialize pass k to false where k [1,4] 2: for i = 1 to n o 3: Receive a beacon an recor rss i an pt i 4: txpower ajust tx power (rss i, pt i ) 5: rateset return bitrate set (rss i, pt i ) 6: for j = 1 to m o 7: Ranomly pick a rate x from rateset 8: Transmit a probe request with rate x an txpower 9: en for 10: en for 11: for k = 1 to 4 o 12: pass k trueif ratio(rateset[k]) > θ 13: en for 14: if pass 1 = true an pass 2 = true an pass 3 = false an pass 4 = false then 15: The teste AP is a legitimate AP 16: else 17: The teste AP is a rogue AP 18: en if During the test, a client receives n beacons from an AP, an sensmprobe requests to that AP right after each beacon. After that, the client will make a ecision whether to associate to that AP. The ecision is base on the ACK reply ratio (which is referre to the ratio of the number of receive ACKs to the number of transmitte probe requests). Particularly, once a client receives a beacon from an AP, the client will measure the RSS an extract the TX power. Then, the client etermines a set of bit-rates consisting of four bit-rates. Two rates have greater RX sensitivity than the measure RSS, whereas the other two rates have the less RX sensitivity. Note that if the RSS is greater than 48Mbps, the client cannot fin two higher rates since the maximum rate is 54Mbps. In that case, the client must reuces the TX power (see proceure 1). This is verifie in practice that 10Bm reuction in TX power will lea to 10Bm ecrease in RSS if the istance between sener an receiver is not far away. 1670

7 Next, the client ranomly picks a rate from the rate set to transmit a probe request frame. It is expecte that the AP can emoulate two lower bit-rates but on two higher bit-rates. For each rate in the set, the client will compute an ACK reply ratio. If the ratio is greater than a threshol θ, it is eeme that the AP can emoulate packets with such a rate. If two lower bit-rates excee θ but two higher bit-rates are less than θ, the client will associate to that AP. Otherwise, the AP is suspecte to be rogue. Variables n, m, an θ are three ajustable parameters in our algorithm. Accoring to our experimental results, we heuristically set that m = n = 10 an θ = 50%. Lastly, our avance etection algorithm relies on a relatively symmetric wireless channel. This is a reasonable assumption also mentione in [27]. The symmetric channel means that the path loss between a transmitter an a receiver is similar. With the same transmission power, both the sener an receiver are suppose to receive packets with similar RSS values. To verify if this assumption is vali in outoor vehicular networks, we conucte the experiment by recoring the RSS values at both sener an receiver sies in moving vehicles. The results are shown in 7. As we see, the majority of the RSS pairs are within 3 Bm. Besies that, experimental results presente in evaluation section also show our schemes work in practice. Fig Receiver sie Sener sie Timestamp Illustration of symmetric channel in outoor vehicular scenario V. EVALUATION In this section, we escribe the setup of our experiments, followe by the experimental results. A. Experimental setup The experiments have three components: a roasie AP, a vehicular rogue AP, an a client. Roasie AP A laptop connecte with an external omniantenna an a GPS receiver (see Fig. 8-left) mounte on the top of a laer (in height of 2m) is configure as a roasie AP. The laptop was running a generic Linux kernel with the latest mawifi river (svn r4128). The wireless car is set to monitor moe which is easier for us to inject beacons with aitional information such as GPS location an TX power. In our implementation, the fiel of GPS location has 18 bytes incluing 1 byte element ID, 1 byte length, 8 bytes latitue, an 8 bytes longitue. The fiel of TX power contains 1 byte element ID, 1 byte length, an 1 byte power value. The whole beacon packet is irectly elivere to the wireless river through libpcap [28]. Fig. 8. Illustration of experimental equipment Vehicular rogue AP For ease of setup, we i not set up the Internet access for the vehicular rogue AP, since it oes not affect the experiments. The configuration of our vehicular rogue AP is similar to the roasie AP except that the external antenna an the GPS receiver are mounte on the roof of the car (see Fig. 8-right). For basic attacks, the TX power is fixe by executing comman iwconfig txpower [value] with the maximum power value. For avance attacks, tuning TX power per packet is achieve through raiotap heaer. In Linux, MAC layer allows arbitrary injecte packet compose in the following format: [raiotap heaer] + [ieee80211 heaer] + [payloa]. In the raiotap heaer, two types of argument are use by injection packet, namelyieee80211_radiotap_rate an IEEE80211_RADIOTAP_DMB_TX_POWER. By filling the ifferent value, the packet can be transmitte with the esire power level. Note that to control per-packet TX power, hal_tpc must be enable while loaing the mawifi moule. Another laptop with GPS moule an external antenna is configure as a client. Similar to the APs, the client also sets the wireless interface to monitor moe. Sening an receiving packets are achieve by libpcap. Per-packet bit-rate control is one by raiotap heaer. Table III presents all the equipment use in our experiments. Name Laptop GPS Wireless car Antenna TABLE III EQUIPMENT DESCRIPTION Notation Lenovo T61 with 2.0GHz processor an 1G RAM GlobalSat BU-353 USB GPS receiver CB9-GP Carbus a/b/g using Atheros chipset 7 Bi MA24-7N magnetic-mount omniirectional The experiments are conucte in an outoor parking lot, where we can freely rive along the roa or stop to collect measurements. We took two sets of experiment to evaluate our vehicular rogue AP etection schemes. The first set of experiments is for the basic attack. We set up a roasie AP near the roa, an a vehicular rogue AP riving in front of a client. Both the roasie AP an the vehicular rogue AP use the same maximum TX power to transmit beacons. In the secon set of experiments, we seek to test our solution to 1671

8 avance attacks, but the ifference is that the roasie AP, the vehicular rogue AP, an the client are all eploye stationary. Here, we o not conuct the experiment in moving vehicles. The reason is that we optimistically assume the vehicular rogue AP always tunes the TX power to make the RSS to look like real. However, it is ifficult for the aversary to o that in practice. Therefore, for simplicity, we just investigate our scheme in several snapshots. Note that all the experiments were conucte extensively. We achieve similar results. The following section presents the etail. B. Evaluation results 1) Basic attack evaluation: In this experiment, the roasie AP is static, whereas the vehicular rogue AP an the client are moving. We first test if the legitimate roasie AP can pass our algorithms. The left figure of Fig. 9 shows the RSS values of the roasie AP measure by the client an the istance between the AP an the client. Note that, the whole test was performe over 30 secons. We ignore the perios from the starting point to 15 secons an from 25 secons to 30 secons. That is because the RSS values measure in these perios are too weak for a client to connect. The right figure shows the fitting results of our algorithms for the perio from 15 secons to 20 secons. As we see, ˆγ = 3.06 that is within the vali range. Therefore, the AP is not a rogue. Distance (m) Elapse time (secon) Elapse time (secon) Fig Fitting RSS measure from 15s to 20s γ=3.06, c= Elapse time (sec) Results of our algorithms in the case of the legitimate AP To perform meaningful comparison, we assume the aversary reporte the same location as the roasie AP. In that case, the istance between the client an the reporte location (i.e. ) varies as shown in the left of Fig. 10, but the actual istance (i.e. ) keeps about 3 4 meters. Thus, fitting incorrect istance into the pass loss moel will lea to the large eparture from the vali range of moel parameters. The right figure in Fig. 10 presents the incorrect fitting results. It is seen that the calculate ˆγ equals to Therefore, such an AP is a rogue AP. Distance (m) Distance bewteen reporte location an client Elapse time (secon) Elapse time (secon) Fig Fitting RSS measure from 0s to 30s γ= , c= Elapse time (sec) Results of our algorithm in case of the basic attack 2) Avance attack evaluation: Since the avance attacks are more complicate, we separate our evaluation into two cases. In the first case that <, the sophisticate aversary will ecrease its TX power to make the RSS smaller, so that it appears to come from the reporte location rather than the actual location. To verify if the probe requests can be emoulate at the reporte location, we physically set an AP there. Thus, we have two APs at both reporte location an actual location. It is expecte that only the legitimate AP cannot emoulate packets with two low rates but can emoulate packets with the other two high rates. The opposite is true of rogue APs. Fig. 11 shows the results, where = 42.67m an is set to three values of 7.4m, 22.3m, an 37.5m respectively. As we see, all s e in passing our algorithms, even the aversary tunes the TX power carefully. Percentage of ACK receive (%) The case of < pass AP Bit rate (Mbps) Fig. 11. Case 1: < where the istance between the reporte location (we physically set an AP there) an the client is that = 42.67m. The istance between the vehicular rogue AP i an the client is 1 = 7.4m, 2 = 22.3m, an 3 = 37.5m respectively. The reporte TX power is 20Bm. The aversary will tune its TX power to make the mean RSS at client sie to be 68 Bm. Percentage of ACK receive (%) AP 1 2 The case of > pass Bit rate (Mbps) Fig. 12. Case 2: > where the istance between the reporte location (we physically set an AP there) an the client is that = 6.32m. The istance between two locations of the rogue an the client are 1 = 17.7m an 2 = 30.3m respectively. In the secon case that >, the aversary must increase the TX power to make the RSS larger. Again, an AP was set up in the reporte location ( = 6.32m). Such an AP use 14Bm as the reporte TX power to broacast beacons. The mean RSS value receive by the client was -60Bm, which 1672

9 was greater than the RX sensitivity of 48Mbps (say -66Bm). Following our secon algorithm, the client then reuce TX power (6Bm) to transmit probe requests. Next, the vehicular rogue was place at two further locations with istance that 1 = 17.7m an 2 = 30.3m. The client use the same power 6Bm to test the vehicular rogue. The results are shown in Fig. 12. As we see, only the legitimate AP can emoulate the two high rates but on the other two low rates. Hence, the rogues are successfully etermine. VI. DISCUSSION Our solution makes use of physical characteristic such as path loss an RX sensitivity to etermine the iscrepancy between the rogue AP s actual location an its reporte location. This makes our solution vulnerable to the following factors. One factor is when the aversary picks its fake location that is very close to its current location. In other wors, is some very small value. From our experience, this is approximate 5 meters. When this happens, our scheme is unable to etect the rogue AP. However, in practice, this attack is not easily launche. The reason is that the vehicular rogue has to be continuously moving, an will quickly exten the istance between an. For example, a vehicular rogue traveling with 60 miles per hour will have travele approximately 27 meters in one secon. Thus, the winow of opportunity for the aversary to launch this attack is very small. The other factor is that outoor wireless channel conition is unpreictable. While our solution relies on the well-known signal propagation moels. It is inevitable that there will be instances where the actual conitions eviate from the moels. When this happens, our solution will not be able to etermine the rogue AP as well. We can mitigate by aopting a more accurate moel in our solution (Algorithm 1 line 8). In aition, it is unclear how well the aversary can take avantage of this limitation since the aversary is unable to preict the channel conitions as well. Finally, base on our eployment experiences, we observe that our scheme o not work as well in locations where there are a lot of builings. This suggests that our vehicular rogue AP etection will be more suitable for interstate highways which have less physical obstacles, an less so for ense urban areas. unfortunately, ue to safety concerns, we were unable to conuct experiments in highway environments. VII. CONCLUSION The ease of setting up a successful rogue AP in vehicular makes this form of wireless attack a particularly serious security problem in vehicular networks. In this paper, we are the first to emonstrate the feasibility of this type of rogue APs, an present a practical efening schemes to prevent the users to connect to vehicular rogues. We implement our approach on commercially available harware, an perform extensive real worl experiments to evaluate our solutions. ACKNOWLEDGMENT The authors woul like to thank all the reviewers for their helpful comments. This project was supporte in part by US National Science Founation grants CNS , an CAREER Awar CNS REFERENCES [1] Google Mountain View. [Online]. Available: [2] V. Bychkovsky, B. Hull, A. K. Miu, H. Balakrishnan, an S. Maen, A Measurement Stuy of Vehicular Internet Access Using In Situ Wi-Fi Networks, in 12th ACM MOBICOM Conf., Los Angeles, CA, September [3] J. Ott an D. Kutscher, Drive-thru internet: Ieee b for automobile users, in INFOCOM, [4] H. Han, B. Sheng, C. Tan, Q. Li, an S. Lu, A measurement base rogue AP etection scheme, in The 28th IEEE International Conference on Computer Communications, Rio e Janeiro, Brazil, [5] L. Ma, A. Y. Teymorian, an X. Cheng, A hybri rogue access point protection framework for commoity Wi-Fi networks, in Infocom [6] W. Wei, K. Suh, B. Wang, Y. Gu, J. Kurose, an D. Towsley, Passive online rogue access point etection using sequential hypothesis testing with TCP ACK-pairs, in IMC [7] W. Wei, S. Jaiswal, J. F. Kurose, an D. F. Towsley, Ientifying traffic from passive measurements using iterative bayesian inference, in INFOCOM, [8] A. Venkataraman an R. Beyah, Rogue access point etection using innate characteristics of the mac, in SecureComm [9] H. Yin, G. Chen, an J. Wang, Detecting protecte layer-3 rogue APs, in Broanets [10] A. Aya, P. Bahl, R. Chanra, an L. Qiu, Architecture an techniques for iagnosing faults in IEEE infrastructure networks, in Mobicom [11] L. Watkins, R. Beyah, an C. Corbett, A passive approach to rogue access point etection, in Globecom [12] R. Beyah, S. Kangue, G. Yu, B. Stricklan, an J. Copelan, Rogue access point etection using temporal traffic characteristics, in Globecom [13] P. Bahl, R. Chanra, J. Pahye, L. Ravinranath, M. Singh, A. Wolman, an B. Zill, Enhancing the security of corporate Wi-Fi networks using DAIR, in MobiSys [14] S. Shetty, M. Song, an L. Ma, Rogue access point etection by analyzing network traffic characteristics, in Milcom [15] A. Giannoulis, M. Fiore, an E. W. Knightly, Supporting vehicular mobility in urban multi-hop wireless networks, in MobiSys, [16] Air efence. [Online]. Available: [17] Air magnet. [Online]. Available: [18] Air wave. [Online]. Available: [19] S. Jana an S. Kasera, On fast an accurate etection of unauthorize wireless access points using clock skews, in Mobicom [20] Y. Sheng, K. Tan, G. Chen, D. Kotz, an A. Campbell., Detecting MAC layer spoofing using receive signal strength, in Infocom [21] V. Brik, S. Banerjee, M. Gruteser, an S. Oh, Wireless evice ientification with raiometric signatures, in Mobicom [22] D. Vassis, G. Kormentzas, A. N. Rouskas, an I. Maglogiannis, The ieee g stanar fo high ata rate wlans, IEEE Network, vol. 19, no. 3, pp , [23] M. Neufel, J. Fifiel, C. Doerr, an A. S. andirk Grunwal, Softmac - flexible wireless research platform, in HotNets-IV, [24] A. Golsmith, Wireless Communications. Cambrige University Press, [25] J. Turkka an M. Renfors, Path loss measurements for a non-line-ofsight mobile-to-mobile environment, in ITST, [26] J. Yee an H. Pezeshki-Esfahani, Unerstaning wireless lan performance trae-offs, Communication Systems esign, pp , [27] G. Ju, X. Wang, an P. Steenkiste, Efficient channel-aware rate aaptation in ynamic environments, in MobiSys, [28] Libpcap. [Online]. Available: