SECRYPT2011 Presentation

Presentation of our short paper
Günther Lackner

ON THE SECURITY OF LOCATION DETERMINATION AND VERIFICATION METHODS FOR WIRELESS NETWORKS
Günther Lackner
IAIK - TU Graz, Austria
guenther.lackner@iaik.tugraz.at
Introduction
Conclusion
Free-air radio propagation nature of WLANs ...
... make them possible targets from outside secured perimeters.

Protection from physical access might not be possible...
... cryptographic mechanisms are widely deployed.
History has shown...
... that these mechanisms can be broken or bypassed.

e.g. WEP, social engineering...
As a consequence...
... wireless network security should not only rely on them!
Alternatives?
Location Awareness
Enable building/perimeter access restrictions

The network grants/denies access based on the client location

Attackers would need to penetrate the perimeter
Relies on Location Determination
Spatial Precision

Time Resolution (mobile clients)

Reliability / Robustness

Trustworthy
Client Based
Location determination process is carried out by the device being located.

Data collection and position computation is handled by the client.

No support by or burden for the infrastructure
Advantages / Disadvantages
Great scalability
Decent base for many location based services


Energy critical for mobile devices
Security
Location can easily be spoofed by clients

Security has to be implemented at the infrastructure that has to be secured
Infrastructure Based
Location determination process is carried out by the infrastructure.

Data collection and position computation is handled by the infrastructure.

Could be done without any notice by the clients
Advantages / Disadvantages
No burden for the clients (limited energy/computational power)

Reduced scalability
Special Purpose Hardware/Software as part of the infrastructure
Security
Location is hard to spoof for attackers

Security is task of the trusted infrastructure
Hybrid Methods
Location determination process can be divided between clients and the infrastructure

Data collection and position computation tasks can be divided.
Advantages / Disadvantages
Burden for the stakeholders can be divided according to the requirements, and the client properties
Good scalability
Can combine the advantages of client and infrastructure based methods

Special Purpose Hardware/Software as part of the infrastructure might be necessary
Security
Depends on the implementation/design details

From Infrastructure only to Client only
Triangulation
based on the geometric properties of the triangle
by determining the Direction of Arrival of a signal the location is computed
in 3D space at least three different points of view are needed
Advantages/Disadvantages
Can run in real time, needs no a priori measurements

Special purpose hardware is needed
Directional antennas
Problems in non-line-of-sight scenarios, multipath propagation
Security
Hard to spoof if carried out by the infrastructure

High precision and time resolution possible
Trilateration
based on the geometric properties of the triangle
distance of the source from the point of view is determined
in 2D space at least three different points of view are needed
Advantages/Disadvantages
Various signal properties can be used (e.g. Time of Arrival, Received Signal Strength)

Special purpose hardware is needed (if not based on RSS)
Problems in non-line-of-sight scenarios, multipath propagation
Security
Easy to confuse with amplifiers or directional antennas (still hard to spoof if anomaly detection is used)

Additional security techniques are needed
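The anomaly detection mentioned above can take the form of a consistency check on the ranges themselves. The following is an added example, not code from the paper or the slides: it assumes a log-distance path-loss model with constructed parameters, four constructed sensor positions, and a hypothetical residual threshold of 1 m. A client whose signal is amplified by the same gain at every sensor yields ranges that no single position can explain, so the RMS range residual exposes it.

```python
import math

# Assumed log-distance path-loss model: RSS(d) = P0 - 10*n*log10(d), d in metres.
P0_DBM, PATH_LOSS_N = -40.0, 2.5

def rss_to_distance(rss_dbm):
    return 10 ** ((P0_DBM - rss_dbm) / (10 * PATH_LOSS_N))

def distance_to_rss(d_m):
    return P0_DBM - 10 * PATH_LOSS_N * math.log10(d_m)

def trilaterate(anchors, dists):
    """Least-squares 2D position from >= 3 anchor positions and ranges."""
    (xk, yk), dk = anchors[-1], dists[-1]
    rows, rhs = [], []
    for (x, y), d in zip(anchors[:-1], dists[:-1]):
        # Subtracting the last anchor's circle equation removes x^2 + y^2.
        rows.append((2 * (x - xk), 2 * (y - yk)))
        rhs.append(x * x - xk * xk + y * y - yk * yk - d * d + dk * dk)
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * b for r, b in zip(rows, rhs))
    b2 = sum(r[1] * b for r, b in zip(rows, rhs))
    det = a11 * a22 - a12 * a12          # zero only if anchors are collinear
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)

def locate(anchors, rss_dbm, max_residual_m=1.0):
    """Return (position, RMS range residual, plausible?) for one client."""
    dists = [rss_to_distance(r) for r in rss_dbm]
    pos = trilaterate(anchors, dists)
    sq = [(math.dist(a, pos) - d) ** 2 for a, d in zip(anchors, dists)]
    residual = math.sqrt(sum(sq) / len(sq))
    return pos, residual, residual <= max_residual_m

# Constructed sample: four sensors at the corners of a 20 m x 20 m area.
ANCHORS = [(0.0, 0.0), (20.0, 0.0), (0.0, 20.0), (20.0, 20.0)]
TRUE_POS = (5.0, 8.0)
HONEST_RSS = [distance_to_rss(math.dist(a, TRUE_POS)) for a in ANCHORS]
AMPLIFIED_RSS = [r + 10.0 for r in HONEST_RSS]   # same client, +10 dB gain

if __name__ == "__main__":
    for label, rss in (("honest", HONEST_RSS), ("amplified", AMPLIFIED_RSS)):
        (x, y), res, ok = locate(ANCHORS, rss)
        print(f"{label:9s} pos=({x:5.2f},{y:5.2f}) residual={res:5.2f} m ok={ok}")
```

In a real deployment the threshold has to absorb measurement noise and multipath, which is why the slides still call for additional security techniques.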
Scene Analysis
Can be seen as a kind of location fingerprinting
Data needs to be collected a priori and stored in "maps" (e.g. RSS map)
Advantages/Disadvantages
No special purpose hardware is needed

Maps need to be created a priori (for each sensor device)
Maps need to be recalibrated regularly
Security
Robust against directional antennas and signal amplifiers

Anomaly detection needs to be deployed

Maps need to be confidential

Limited precision
Proximity Based
Most basic approach
Proximity to some landmark determines the location (area)
e.g. location of the access point
Advantages/Disadvantages
No special purpose hardware is needed

Low spatial resolution

Many sensors needed if higher spatial resolution is intended (grid)
Security
Generally not suitable for security-relevant systems...

... unless combined with a location verification system.
Location Verification
Location Determination
The major concept is...
... the verification of location claims

Verifier usually part of the infrastructure
According to the "in-region verification problem"
Sastry, N., Shankar, U., and Wagner, D. (2003). Secure Verification of Location Claims. In Proceedings of the Fourth International Conference on Web Information Systems Engineering WiSE’03, pages 1–10.
Distance-Bounding Protocols
First mentioned by Brands and Chaum, to verify the distance of the prover to a verifier (based on challenge-response time), 1993
Extended by Capkun et al. (SECTOR protocol), mutual authentication using DBP, 2003
Vulnerabilities discovered and fixed by Singelee and Preneel, 2005
Parallel solution by Bussard, 2004
Capkun and Hubaux combined DB with multilateration, 2006
Rasmussen and Capkun present a practical implementation, 2010 (precision around 15cm)
Security of Distance Bounding
Measurement of propagation time of radio waves (speed of light)
Attacker is not able to mount a distance reduction attack

Extremely sensitive to processing delays (1 ns ~30cm)
Extremely fast hardware is needed
Not suitable for current WLAN standards: IEEE 802.11 a/b/g have a time resolution of 1 µs ~300m
The Echo Protocol
Published by Sastry, Shankar, and Wagner, 2003
Extremely lightweight
Does not need time synchronization, cryptography, or very precise clocks (mobile devices)

Requires RF and ultrasound transceivers!

Similar to DBP, but ultrasound is used for the transmission between prover and verifier.
Security of the Echo Protocol
Due to the use of Ultrasound, distance reduction attacks are possible (place a microphone and speaker in the controlled area)

Similar to DBPs but much more suitable for low-cost devices
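The clock-resolution argument from the distance-bounding and Echo slides, worked through as an added example (not code from the paper or the slides). It assumes a verifier timer that starts at the challenge and counts whole ticks, a constructed 10 m region, and 343 m/s for ultrasound; the function names are hypothetical. The verifier accepts only if the largest distance consistent with its reading still lies inside the region.

```python
import math

C_RF = 299_792_458.0      # speed of light, m/s
C_SOUND = 343.0           # speed of sound in air at about 20 °C, m/s (assumed)

def count_ticks(distance_m, tick_s, v_out, v_back, proc_delay_s=0.0):
    """Whole timer ticks the verifier counts between challenge and response."""
    elapsed = distance_m / v_out + distance_m / v_back + proc_delay_s
    return math.floor(elapsed / tick_s)

def distance_upper_bound(ticks, tick_s, v_out, v_back):
    """Largest prover distance consistent with a reading of `ticks` ticks.

    The true elapsed time is below (ticks + 1) * tick_s; any processing
    delay at the prover only makes the prover look farther away.
    """
    return (ticks + 1) * tick_s / (1.0 / v_out + 1.0 / v_back)

def verify(distance_m, radius_m, tick_s, v_out, v_back, proc_delay_s=0.0):
    """Simulate one exchange; accept only if the bound fits inside the region."""
    ticks = count_ticks(distance_m, tick_s, v_out, v_back, proc_delay_s)
    bound = distance_upper_bound(ticks, tick_s, v_out, v_back)
    return bound <= radius_m, bound

if __name__ == "__main__":
    radius = 10.0  # constructed region radius in metres
    cases = [      # constructed scenarios, honest prover at 5 m in each
        ("RF round trip, 1 ns clock", 1e-9, C_RF, C_RF, 0.0),
        ("RF round trip, 1 ns clock, 100 ns delay", 1e-9, C_RF, C_RF, 100e-9),
        ("RF round trip, 1 us clock (802.11 a/b/g)", 1e-6, C_RF, C_RF, 0.0),
        ("Echo (RF out, ultrasound back), 1 us clock", 1e-6, C_RF, C_SOUND, 0.0),
        ("Echo (RF out, ultrasound back), 1 ms clock", 1e-3, C_RF, C_SOUND, 0.0),
    ]
    for label, tick, v_out, v_back, delay in cases:
        ok, bound = verify(5.0, radius, tick, v_out, v_back, delay)
        print(f"{label:45s} bound={bound:8.2f} m accept={ok}")
```

With a 1 µs timer the RF round trip reads zero ticks for a prover at 5 m and at 100 m alike, while the ultrasound return path keeps the bound within a few centimetres of the true distance.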
Proximity-Proving Protocol
Published by Waters and Felten, 2003

Based on measuring RF round-trip times

Includes party identification based on X.509 certificates and a PKI

Claimer and verifier are assumed to be tamper-proof
Security of the Proximity-Proving Protocol
Resistant against distance-reduction attacks as it is based on triangulation

Uses the power of PKI systems

Incorporated authentication and identification into DBP


Requires tamper-proof devices

Requires the availability of a PKI
The Secure Location Verification Proof Gathering Protocol (SLVPGP)
Published by Graham and Gray, 2009

Based on the DBP approach by Brands and Chaum

Relies on the aid of neighboring nodes (proof providers)

Verifier limits the possible area of the claimer by choosing neighboring proof providers

Devices are assumed to be tamper-proof
Security of SLVPGP
Does not necessarily need any infrastructure
May be deployed in ad-hoc networks (multiple nodes are needed as proof providers)

Can be seen as a variant of the Proximity-Proving Protocol
Resistant against distance reduction attacks

Needs tamper-proof devices
Location Verification Methods
Current approaches are quite secure if based on a secure location determination mechanism
Most methods are based on signal propagation time, which needs very precise clocks and very fast hardware
Or based on triangulation, which also needs special-purpose hardware
Expensive and Complex
Location Determination Methods
Most approaches are NOT suitable for security related systems
Either spatial precision is unsatisfying
Or they are too easy to trick
Triangulation seems the most suitable approach, but needs special-purpose hardware
Thank you!
