wi-fly?: detecting privacy invasion attacks by consumer drones · 2019-01-22 · simon birnbach,...

Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones

Simon Birnbach, Richard Baker,

Ivan Martinovic

2017 NDSS

Simon Birnbach, Wi-Fly?: Detecting Privacy Invasion Attacks by Consumer Drones, 2017 NDSS

2/20

Let’s Talk About Drones


3/20

Why Should We Care?

n  Ignore physical access restrictions n  High-quality camera equipment n  Spy tools in the hands of everybody n  Privacy invasions by drones get more common


4/20

How to Detect?

n  Various approaches ¨ Optical sensors ¨ Acoustic cameras ¨ High-frequency radar

n  Expensive hardware needed n  Goal: Design cheap detection system

¨ Radio Frequency


5/20

Adversary Model

n  Unmodified consumer drone ¨ Controlled over WiFi ¨ Streams live video

n  Objective: Capture video through window

¨ Line-of-Sight (LOS) to window needed

n  No direct access to premises

dl

ds

OutsideInside

dl: Launch distance ds: Surveillance distance


6/20

General Idea

n  Off-the-shelf WiFi receiver n  Placement in window

¨ Guarantees LOS

n  Access restrictions ¨ Drone starts further away ¨ Forces attacker to fly higher

n  Challenges ¨ Received signal strength (RSS) à noisy data

¨ Unknown flight behavior ¨ Early detection

dl

ds

OutsideInside

dl: Launch distance ds: Surveillance distance


7/20

System Overview

n  Pre-processing n  Statistical tests

¨ Presence à Drone nearby

n  Attack analysis ¨ Attack phases à Approach à Surveillance à Escape

¨ Proximity à Closeness to window

Flow

separation

Throughput/

Packet-rate

filtering

Pre-processing

Movement

test

Free-space

propagation

test

Statistical tests

Attack phase

determination

Proximity

alert

Attack analysis

Presence,

Attack phase,

Proximity


8/20

Pre-Processing

Flow

separation

Throughput/

Packet-rate

filtering

Pre-processing

Movement

test

Free-space

propagation

test

Statistical tests

Attack phase

determination

Proximity

alert

Attack analysis

Presence,

Attack phase,

Proximity


9/20

Statistical Tests

Flow

separation

Throughput/

Packet-rate

filtering

Pre-processing

Movement

test

Free-space

propagation

test

Statistical tests

Attack phase

determination

Proximity

alert

Attack analysis

Presence,

Attack phase,

Proximity


10/20

Statistical Tests

Attacker has to: ¨ …overcome physical access restrictions

à Drone is flying high above ground ¨ …establish LOS to the window

à changes of multipath effects à we expect far less multipath effects due to strong LOS component (compared with ground-based transmitters)

¨ …move towards the window à RSS increases as drone approaches

n  Detection method based on statistical tests: ¨ Testing for flying: Closer to free-space propagation than non-flying

transmitters ¨ Testing for approaching & movement: significant RSS changes as

distance to receiver varies


11/20

Statistical Tests

n  Free-space propagation (FSP) ¨ RSS depends on distance and receiver noise ¨ Only noise varies in short time frame ws (<0.1s)

n  Movement ¨ More distance variation than noise in longer interval wl (>1s)

n  Compute standard deviation of RSS measurements

n  Noise threshold t ¨ Derived from background noise

A drone is detected if: 𝑠(𝑤↓𝑠 )<𝑡 & 𝑡<𝑠(𝑤↓𝑙 )


12/20

Statistical Tests

FSP test

Movement test

Noise threshold

A drone is detected if: 𝑠(𝑤↓𝑠 )<𝑡 & 𝑡<𝑠(𝑤↓𝑙 )


13/20

Attack Analysis

Flow

separation

Throughput/

Packet-rate

filtering

Pre-processing

Movement

test

Free-space

propagation

test

Statistical tests

Attack phase

determination

Proximity

alert

Attack analysis

Presence,

Attack phase,

Proximity


14/20

Attack Analysis

n  Approach detection ¨ Increase in RSS difference shows drone is approaching

n  Proximity alert ¨ User gets warned if RSS difference exceeds threshold


15/20

System Output

Flow

separation

Throughput/

Packet-rate

filtering

Pre-processing

Movement

test

Free-space

propagation

test

Statistical tests

Attack phase

determination

Proximity

alert

Attack analysis

Presence,

Attack phase,

Proximity


16/20

Experiment Setup

n  Executed in secluded farmhouse n  Drones: DJI Phantom 3 Standard, Parrot Bebop n  Receiver: Raspberry Pi with WiPi stick mounted in window


17/20

System Challenges

Normal behavior

Erratic approach

Not constantly approaching

Establishes LOS very late


18/20

Straight Approach

Launch Approach Surveillance

Escape

FSP test

Movement test

Noise threshold


19/20

Detection Distances


20/20

Conclusion

n  Developed method to detect drone privacy invasions n  Implemented on cheap hardware n  Real-world experiment with variety of approach patterns

shows feasibility n  Good performance, minimal detection distance 48m

Thank you for your attention! Questions?

[email protected]


21/20

Backup slides


22/20

Multipath effects

Drone

Ground-based transmitter


23/20

System Parameters

n  Surveillance distance n  Launch distance n  Maximal drone speed

¨ Determines FSP test window size

n  Set of drone movement speeds ¨ Determines movement test window sizes

n  Noise threshold ¨ Derived from background noise

n  Proximity threshold ¨ Derived from surveillance distance

Parameter Example values

ds 1m

dl 50m

ws 0.1s

wl 5s, 10s, 15s, 30s

t √2 ∙1.75dB

𝜎p 10dB


24/20

NLOS Approach

Launch Approach Surveillance

Escape


25/20

Zig-zag

(1) (2) (3) (4)

0

2

4

6

8

4.0 4.5 5.0 5.5 6.0Time (min)

Stan

dard

dev

iatio

n (d

Bm)

Legend10s5s


26/20

Back-and-Forth

(1) (2) (3) (4)

0.0

2.5

5.0

7.5

10.0

1 2 3Time (min)

Stan

dard

dev

iatio

n (d

Bm)

Legend30s5s


27/20

Stationary in static environment


28/20

Stationary in dynamic environment


29/20

Moving indoors


30/20

Moving outdoors


31/20

Ground approach

wi-fly?: detecting privacy invasion attacks by consumer drones · 2019-01-22 · simon birnbach,...

Documents