Practical Covert Channels for WiFi Systems

Jiska Classen, Matthias Schulz, and Matthias Hollick (these authors contributed equally to this work)
Secure Mobile Networking Lab, Technische Universität Darmstadt
{jclassen, mschulz, mhollick}

Wireless covert channels promise to exfiltrate information with high bandwidth by circumventing traditional access control mechanisms. Ideally, they are only accessible by the intended recipient and—for regular system users/operators—indistinguishable from normal operation. While a number of theoretical and simulation studies exist in literature, the practical aspects of WiFi covert channels are not well understood. Yet, it is particularly the practical design and implementation aspect of wireless systems that provides attackers with the latitude to establish covert channels: the ability to operate under adverse conditions and to tolerate a high amount of signal variations. Moreover, covert physical receivers do not have to be addressed within wireless frames, but can simply eavesdrop on the transmission. In this work, we analyze the possibilities to establish covert channels in WiFi systems with emphasis on exploiting physical layer characteristics. We discuss design alternatives for selected covert channel approaches and study their feasibility in practice. By means of an extensive performance analysis, we compare the covert channel bandwidth. We further evaluate the possibility of revealing the introduced covert channels based on different detection capabilities.


I Introduction

Wireless transmissions are broadly used, although properly securing them remains an issue. Typically, communicating applications are protected by restricting information flow to authorized channels, such as data transmission to permitted applications. Communication is often controlled by firewalls. However, potential adversaries might outsmart this protection and nevertheless leak information by setting up a covert channel hidden within inconspicuous actions. For example, they could modify the application layer, camouflaging text within an image on a shared storage, or they could alter the lower layers, e.g., within network protocols and timing.

When hiding information on upper layers, only a few variations such as using reserved bits or changing transmission timings are possible, since a firewall would easily detect any other type of modification [23]. In contrast, physical wireless transmissions are not plain bits but symbols containing a high amount of noise and random signal variations. Capturing raw data off the air results in a very large amount of data compared to upper layer capturing, and still does not reveal whether the recording contains hidden information. Regular WiFi receivers are designed to reconstruct the signal despite variations, hence their performance does not significantly decrease when additional information is embedded. Due to the broadcast nature of wireless transmissions, frames can carry innocuous sender and receiver addresses so as not to appear suspicious to other network participants, and still be received by attackers. For instance, an online banking application could establish a secure connection to a server but maliciously publish login data over a covert wireless physical channel.

WiFi covert channels have been mostly studied in theory and simulation [10]. Practical evaluations are scarce due to the complexity of modifying existing network interface cards (NICs), the work of Dutta et al. [6] being an exception. We close this gap: in our work, we evaluate practical covert channels on the Wireless Open-Access Research Platform (WARP) [2] as well as off-the-shelf wireless NICs as legitimate receivers. Using WARP, we are able to utilize the same orthogonal frequency-division multiplexing (OFDM) modulation schemes as in 802.11a/g. Our covert channels can be easily adapted to other OFDM-based wireless communication systems such as LTE, DVB-T, and upcoming standards like LTE Advanced. We aim at remaining compatible with the 802.11a/g standard and having little to no performance decrease on off-the-shelf receivers. Our contributions are as follows:

  1. We analyze the IEEE 802.11a/g physical layer with respect to promising anchors for covert channels on frame level and symbol level.

  2. We propose, analyze, and practically implement two novel covert channels. We study the performance in simulation and practice.

  3. We analyze and improve two known covert channels; we practically implement them for the first time and study the performance in simulation and practice.

  4. We compare the performance of all four covert channels and discuss practical limitations.

This paper is structured as follows: We introduce concepts behind WiFi covert channels in Section II. System and security assumptions are defined in Section III. In Section IV, covert channels and their performance in practice are analyzed. Section V evaluates and discusses results. In Section VI we survey related work. Finally, we conclude our results in Section VII.

II Background

In the following, we introduce the concept of covert channels and basic 802.11a/g physical layer operation.

II-A Covert Channels

Fig. 1: 802.11a/g modulation and demodulation

A first definition of covert channels is given in [15] with a focus on information exchange between programs. Channels are categorized as:
  • legitimate: information required to manage the program,

  • storage: information provided to the program, however, attackers might have access to it, and

  • covert: never intended for information exchange.

The idea of covert channels is similar to that of steganography, where messages are hidden within ordinary objects. In case cryptography is forbidden within a network, covert channels can be used to hide encrypted communication.

A covert channel consists of Alice, the sending attacker, who wants to communicate with Bob, the receiving attacker, while being observed by Wendy, a warden. Wendy’s legitimate goal is to detect if Alice and Bob exchanged information. In a wireless channel, positions of Alice, Bob, and Wendy are arbitrary—Wendy might be closer to Alice than Bob. Alice and Bob try to obscure the transmitted information to hinder Wendy from detection. Alice will typically send legitimate traffic to other stations and embed the covert channel. In contrast, communication between Alice and Bob is obvious in a cryptographic system and does not constitute an attack, but Eve wants to illegitimately decipher their communication.

Covert channels are implementable with and without keys. Kerckhoff’s law from cryptography is applicable to information hiding: the system has to be secure when everything except the key is public. Given this criterion, hiding information by relying on an unknown embedding algorithm is insecure. A wireless covert channel based on a public algorithm but a private key should be indistinguishable from noise. Covert channels are often combined with cryptography to make information look like noise or to add a further security measure.

II-B OFDM

Physical layers of modern communication standards are based on orthogonal frequency-division multiplexing (OFDM). To efficiently use the available transmission bandwidth while still being able to correct channel distortions, the transmission band is divided into subcarriers (SCs). On each subcarrier, symbols are transmitted by defining the amplitude and phase of the subcarrier frequency for the duration of each symbol. Limiting the length of each symbol leads to additional frequency components in the form of sinc functions around each subcarrier. To avoid inter-carrier interference (ICI), the subcarrier spacing ensures that each subcarrier is placed on the zero-crossings of the sinc functions of all others, which makes them orthogonal. During transmission, the signal suffers from frequency-selective phase and amplitude changes (fading), which can be corrected at the receiver. However, fading also implies a delay spread, leading to the reception of multiple time-delayed copies of the transmitted signal. To avoid inter-symbol interference (ISI), a guard interval is inserted between two symbols, normally filled with a copy of the end of the symbol, called the cyclic prefix (CP).

Fig. 2: BER baseline for WiFi frames before and after coding on an AWGN channel with varying SNR

II-C IEEE 802.11a/g physical layer

In the following, we take a closer look at the frame structure as well as at the OFDM-based transceiver blocks of 802.11a/g systems as illustrated in Fig. 1. The presented components are also required for more advanced standards.

For transmission, media access control (MAC) layer data bits are scrambled to avoid consecutive ones or zeros, encoded for bit error correction, and interleaved for distribution over multiple subcarriers. This bit stream is mapped to symbols describing amplitude and phase of their subcarrier. Depending on the modulation order (bits per symbol) and the coding rate, eight gross transfer rates between 6 and 54 Mbps are defined in the WiFi standard [20]. In Fig. 2, we illustrate the achievable bit error rates (BERs) on a plain AWGN channel before and after coding. The used modulation scheme is documented in the signal field (SIG), which is always encoded at 6 Mbps.

Using the Inverse Fast Fourier Transform (IFFT), subcarriers are modulated according to the symbol definitions, resulting in a time-domain signal in the baseband. Before upconversion to the transmission frequency, a preamble consisting of a short training field (STF) and a long training field (LTF) is prepended to every OFDM frame. A receiver needs the STF to adjust the gain of its low-noise amplifier (LNA), and the LTF to estimate and correct channel effects on each subcarrier. Due to differences between the transmitter and receiver carrier frequencies as well as frequency shifts due to the Doppler effect, carrier frequency offset (CFO) occurs, which breaks the orthogonality between subcarriers and hence requires correction. Coarse CFO correction makes use of the repetitive structure of either STF or LTF, while fine CFO correction uses pilot symbols that are transmitted on four subcarriers of the OFDM data symbols.

III System Overview

In this section, we introduce a security model for wireless covert channels and describe our measurement setup.

III-A Security Model

To secure a system against covert channels, there are two main procedures: either detecting or blocking them. Blocking can be implemented by a wireless jammer [3, 21], though jamming all wireless transmissions including legitimate ones is not an option. Since there are no further processing steps between sending and receiving a signal, there is no possibility to filter signal variations for covert channel blocking. Detecting covert channels to take further actions such as jamming or sender identification does not prevent legitimate wireless transmissions. Sending attackers could be identified using localization methods or device fingerprinting; however, fingerprints can be modified [17], and localization requires multiple antennas.

A covert channel should be secure against detection, even if the information hiding mechanism is known. Detection security limits the capacity of covert channels. Legitimate wireless transmissions containing covert data have to be indistinguishable from regular transmissions. Yet, the overall wireless capacity is limited, and a high capacity covert channel might noticeably reduce legitimate throughput.

Layer 1 detection. On the physical layer, detection requires software defined radios (SDRs) or signal analyzers to capture the raw waveforms and measure error vector magnitudes (EVMs), CFOs, and SNRs. A detector could compare these measurements to a benchmark set of typical values in wireless transmissions and check which of them deviate beyond a certain margin of statistical tolerance. Hence, an attacker should aim at keeping the variations of the signal relatively low, and make them noticeable only when a secret key is known, thus following Kerckhoff’s principle; this reduces the achievable covert channel throughput.

In this paper, we aim at showing the potential of practical and 802.11a/g compliant covert channels. To provide an upper bound on performance, we do not implement statistical detection countermeasures; however, we give some intuition into how they work in each covert channel description.

Layer 2 detection. An upper layer detector uses off-the-shelf wireless NICs. Even though this equipment is not sufficient to record ongoing transmissions on the physical layer, information passed to upper layers might indicate whether a covert channel is present.

Frames are validated on reception using the frame check sequence (FCS) [20]. If it fails, the frame is dropped by default. Higher layers can then only rely on irregularities in timing or throughput to detect covert channels. In our evaluation, we enable the capture of frames that have failed the FCS check using radiotap headers [1] to calculate actual BERs. Radiotap headers are supported by various chipsets and forward additional information, such as the transmission’s center frequency, the RF signal and noise power at the antenna, and the FCS status. Detectors can correlate all this information, for instance, an increase of packet loss despite a constant RF signal power. Still, radiotap headers do not provide the raw signal. Applying Kerckhoff’s law, the information passed to upper layers is often insufficient for detecting high throughput covert channels.
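As an added illustration of the Layer 2 heuristic just described (example code, not from the paper), the following Python sketch slides over a constructed per-frame record of the two quantities a monitor-mode capture with radiotap headers exposes, RF signal power and FCS outcome, and flags windows whose FCS failure rate rises while the signal power stays constant. The window size, the thresholds and all sample values are assumptions.

```python
from statistics import mean

# Constructed sample capture (not real data): one (signal_dbm, fcs_ok) pair per received frame,
# the two radiotap-derived fields the heuristic needs. Three phases of 200 frames each:
#   1. baseline: stable power, about 5 % FCS failures
#   2. same power, FCS failures jump to 30 %  -> unexplained loss, should be flagged
#   3. power drops by about 23 dB, 50 % failures -> loss explained by the weak signal, not flagged
CAPTURE = (
    [(-52, True)] * 190 + [(-53, False)] * 10
    + [(-52, True)] * 140 + [(-52, False)] * 60
    + [(-75, True)] * 100 + [(-76, False)] * 100
)


def fcs_failure_rate(frames):
    """Fraction of frames in the window whose FCS check failed."""
    return sum(1 for _, ok in frames if not ok) / len(frames)


def mean_signal(frames):
    """Mean RF signal power (dBm) over the window."""
    return mean(s for s, _ in frames)


def detect_unexplained_loss(frames, window=200, loss_increase=0.15, signal_tolerance_db=3.0):
    """Layer 2 check: compare every window with the first (baseline) window and report those
    where the FCS failure rate grew by more than loss_increase although the mean signal power
    stayed within signal_tolerance_db of the baseline. Returns (start_index, loss, signal) tuples."""
    baseline = frames[:window]
    base_loss, base_sig = fcs_failure_rate(baseline), mean_signal(baseline)
    flagged = []
    for start in range(window, len(frames) - window + 1, window):
        current = frames[start:start + window]
        loss, sig = fcs_failure_rate(current), mean_signal(current)
        if loss - base_loss > loss_increase and abs(sig - base_sig) <= signal_tolerance_db:
            flagged.append((start, round(loss, 3), round(sig, 1)))
    return flagged


if __name__ == "__main__":
    for start, loss, sig in detect_unexplained_loss(CAPTURE):
        print(f"frames {start}-{start + 199}: FCS failure rate {loss:.0%} at {sig} dBm, "
              "not explained by signal power")
```

The third phase shows the limit the paper points out: a Layer 2 detector sees only frame loss and signal power, so loss that coincides with a weaker signal cannot be attributed to a covert channel.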

Fig. 3: Antenna setup for practical measurements. (a) Transmitter (WARP Transmitter). (b) Receivers (WARP Receiver, Laptop Receiver; distance label 5 m). (c) Panorama of the lab setup.

III-B Setup

We analyze the performance of covert channels in simulation and practice using the following setups.

III-B1 Simulation

We evaluate whether the proposed covert channels are feasible using diverse channel models: A (no fading), B (residential), D (typical office), and E (large office), defined in [7] and commonly used for WiFi simulations. To each model, we add white Gaussian noise (AWGN) and base our results on 1000 Monte Carlo simulations.

III-B2 Practical Setup

Since simulations might disregard the behavior of real hardware, we evaluate all covert channels in our lab environment (see Fig. 3). This evaluation is twofold. We use WARPs to transmit and receive 802.11g frames with covert channels between Alice and Bob. On the receiver we can extract and analyze both the WiFi frame content and the covert channel. Hence, the WARP receiver serves both as detector (Wendy) on Layer 1 and as the covert channel receiver (Bob). The signal processing on both nodes is implemented in MATLAB, which connects to the WARPs using WARPLab 7.5.0.

To analyze the effect on off-the-shelf WiFi devices, we use a laptop as detector (Wendy) on Layer 2 with a Qualcomm Atheros AR9285 Wireless Network Adapter (revision 01) that we run in monitor mode with radiotap headers.

IV Covert Channels

In what follows, we present four practical covert channels for the physical layer of 802.11a/g.

  1. A covert channel utilizing the Short Training Field in combination with Phase Shift Keying (STF PSK).

  2. A covert channel utilizing the Carrier Frequency Offset with Frequency Shift Keying (CFO FSK).

  3. A covert channel using 802.11a/g with additional subcarriers conforming to the 802.11n spectrum mask (Camouflage Subcarriers).

  4. A covert channel replacing parts of the OFDM Cyclic Prefix (Cyclic Prefix Replacement).

The schemes “STF PSK” and “CFO FSK” are new, “Camouflage Subcarriers” and “Cyclic Prefix Replacement” are extensions and improvements to [11] and [10], respectively. To the best of our knowledge, none of the approaches were put into practice before.

Iv-a Short Training Field with Phase Shift Keying (STF PSK)

Each 802.11a/g frame starts with the same STF in the preamble, which is used for frame detection, automatic gain control (AGC), and coarse CFO estimation. STF manipulations must preserve these capabilities at the receiver, otherwise the signal cannot be demodulated. Implementing a covert channel in the STF allows inserting one symbol per WiFi frame that is impossible to block even after detection.

IV-A1 Implementation

The STF contains binary phase-shift keying (BPSK) symbols that are shifted by 45° as illustrated in Fig. 4(a). We insert our covert channel by introducing an additional phase shift into all STF symbols. As phase shifts do not change the power and correlation properties of the STF, it can still be used for AGC and packet detection. Additionally, the periodicity required for CFO correction is preserved.

Per WiFi frame, we insert one phase shift. Depending on the number of bits we intend to encode, we vary the number of possible phase shift values, mapped to bits using Gray coding. To extract the covert channel information, the receiver needs to compensate the channel effects in the STF using the LTF channel estimation.

Then, the phase shift can be extracted and demapped to bits. In Fig. 4(b), we illustrate this process with 32 possible phase shifts (32-PSK, illustrated by black dots). The red circles mark the original STF symbol positions, and the cloud of blue dots are the received STF symbols from which we extract the phase difference to the original symbol positions.

IV-A2 Performance

Assuming we transmit WiFi frames with STF phase shift keying (PSK) covert data over AWGN channels without fading, we can reach the BERs illustrated in Fig. 5. The more bits we encode in the STF, the smaller the distance between the phase steps. This results in an increased BER. For a typical 25 dB SNR, 6 covert bits per STF can be hidden with less than 0.1% covert channel BER.

To evaluate the STF PSK performance in fading channels, we perform simulations with channel models B, D, and E with a fixed SNR of 25 dB introduced by AWGN. In Fig. 6(a), we illustrate the results from 32-PSK (5 bits/symbol) to 256-PSK (8 bits/symbol). We observe that transmissions up to 64-PSK modulation are always error free, while higher modulation orders result in more bit errors, especially when the effects of fading increase. In our lab, we measure that all modulation orders up to 128-PSK have low median error rates, as illustrated in Fig. 6(b). We conclude that one can transfer roughly 6 to 7 bits per frame with very low BER.

The achievable throughput of the covert channel strongly depends on the number of WiFi frames transmitted per second. For this scheme, short frames such as ACK and CTS (both 14 bytes long and sent at 36 Mbit/s or higher) are ideal, since one 4 µs long OFDM symbol holds the complete MAC layer payload. Note that increasing frame rates without a plausible reason might help Wendy to detect information exchanges. Combined with STF (4 µs), LTF (8 µs) and signal field (4 µs), the complete frame is 16 µs long, resulting in a gross frame rate of 62,500 frames/s. Using 64-PSK, the STF PSK covert channel achieves a gross bitrate of 375 kbit/s.

(a) Theoretical
(b) Measurement
Fig. 4: STF PSK symbols are shifted by an additional phase offset to encode bits.
Fig. 5: Raw BER of the covert channel implemented as STF PSK scheme over an AWGN channel for different amounts of bits per frame.
(a) Simulation with 24 Mbps WiFi frames (SNR = 25 dB).
(b) WARP-to-WARP measurement with 54 Mbps WiFi frames.
Fig. 6: BER of the STF PSK covert channel.
Fig. 7: We introduce artificial CFO into each OFDM symbol in the baseband.
Fig. 8: Frequency offset measurement of each received OFDM symbol showing the binary shift keying modulation.
Fig. 9: Raw BER of the CFO FSK covert channel over AWGN channels with different frequency offsets.

IV-A3 Detection

Layer 1. A physical layer detector needs to perform the same steps as the covert channel receiver mentioned above. These steps are not performed in regular WiFi receivers and require a custom SDR-based implementation or a spectrum/signal analyzer. To lower the detection probability, a transmitter can map bits only to small phase changes, which results in reduced covert channel throughput. As the secret information is already transmitted before it can be detected, a wireless jammer cannot block the covert channel transmission without destroying every WiFi frame.

Layer 2. As mentioned above, a phase shift in the STF does not influence the functionality of the STF at the receiver. To verify this, we compared the BERs of received WiFi frames with and without covert channel and were not able to distinguish between them, neither in simulation nor in practice when receiving with a WARP or an off-the-shelf WiFi card.

IV-B Carrier Frequency Offset with Frequency Shift Keying (CFO FSK)

A WiFi baseband signal is upconverted to the carrier frequency at the transmitter and downconverted at the receiver (see Fig. 7). The difference between the two carrier frequencies results in CFO, which needs to be corrected, together with additional CFO due to the Doppler effect. WiFi receivers are capable of correcting CFOs by tracking the pilots that are inserted into each OFDM symbol. We introduce an artificial frequency offset at the transmitter as covert channel. Regular WiFi receivers silently correct it, while covert channel receivers can extract the hidden information.

IV-B1 Implementation

To encode bits, the transmitter maps them to two frequency offsets, each with a symbol length of one OFDM symbol (4 µs). The resulting complex waveform is multiplied with the time-domain signal of the WiFi frames in the baseband. This shifts each OFDM symbol by the selected offset in the frequency domain, depending on the encoded bit.

A covert channel receiver estimates the phase shifts of the pilot symbols for each OFDM symbol, as illustrated in Fig. 8. The covert CFO changes are superimposed on an additional, slowly varying CFO. To extract bits despite further CFO components, the receiver first lowpass filters the CFO estimate and uses it as a threshold for a hard decision decoder. The six outer bits on both sides are discarded, as they contain many bit errors. The lowpass filter is implemented as a 20-tap finite impulse response (FIR) filter, which requires at least 60 OFDM symbols to work correctly.

IV-B2 Performance

In the simulations we add a fixed 50 kHz CFO for both AWGN and fading channels as well as a 15 Hz maximum Doppler spread for the fading channels B, D, and E, representing environmental movement. The resulting AWGN covert error rates for different frequency offsets in Fig. 9 show that stronger CFO changes enhance the covert channel. As illustrated in Fig. 10, stronger multipath effects lead to higher covert BERs. Especially in model E, a frequency offset of more than 10 kHz is required to keep the BERs low. In WARP-to-WARP measurements with 54 Mbps WiFi frames, the average covert BER is 15% for a 1 kHz offset; for 5 kHz no errors occur, which is comparable to the AWGN simulation results.

The BERs of the WiFi frames in both simulation (Fig. 11(a)) and practice (Fig. 11(b)) show that, up to a 10 kHz offset, there is almost no increase in the BERs at the detector. To avoid detection, the lowest working offset should be chosen, which is 5 kHz in our lab. By encoding 1 bit per 4 µs OFDM symbol, the covert throughput is 250 kbit/s.

Fig. 10: CFO FSK covert channel simulation with 24 Mbps WiFi frames (SNR = 25 dB).
(a) Simulation with 24 Mbps WiFi frames (SNR = 25 dB).
(b) WARP-to-WARP/Laptop 54 Mbps legitimate receiver.
Fig. 11: CFO FSK BER at the legitimate receiver.

IV-B3 Detection

Layer 1. Every WiFi receiver estimates and corrects CFOs. However, those measurements are normally discarded directly during signal processing. As shown in Fig. 8, receivers capable of analyzing CFO changes over time can directly detect the binary pattern. Using lower frequency offsets hardens detection but increases error probabilities on the covert channel.

Layer 2. Our simulated and practical results in Fig. 11 show that large CFO changes drastically increase BERs in all channel models. However, in our setup 5 kHz is sufficient for covert transmissions without increasing errors in the WiFi frame reception. Furthermore, the offset could be increased slowly to stealthily reach a working point and prevent detectable sudden BER changes. Hence, CFO frequency shift keying (FSK) can be undetectable on Layer 2, if configured carefully.

IV-C Camouflage Subcarriers

The camouflage subcarrier covert channel hides information in subcarriers used in other protocol variants. In 802.11a/g, 52 subcarriers are used for 48 data and 4 pilot transmissions, while 802.11n utilizes 56 subcarriers in the same band. The additional 4 subcarriers can be utilized in 802.11a/g transmissions as covert channel. To an observer, the spectra look like valid 802.11n frames (as depicted in Fig. 12). A regular 802.11a/g/n WiFi receiver does not sense the number of used subcarriers, but only checks the signal field at the beginning of the frame and continues decoding according to the 802.11a/g standard, simply ignoring camouflage subcarriers. Using additional subcarriers was proposed in [11], yet without the constraint to mimic another protocol version.

IV-C1 Implementation

We replace the 802.11a/g LTF with the 802.11n HT-LTF, which still correlates with the LTF, thus allowing proper timing synchronization at the receiver. Additionally, the covert receiver can estimate the channel effects on the camouflage subcarriers.

IV-C2 Performance

When comparing Fig. 13 to Fig. 2, it is obvious that the covert subcarriers perform very similarly to the normal subcarriers. Depending on channel effects and output filters, the outer subcarriers might have a slightly different performance, though. Covert subcarrier performance for different channel models is depicted in Fig. 14. Assuming camouflage and normal subcarrier performance are similar, the covert channel performance is 8.3 % of the normal channel throughput.

In our experiments, we vary the rate of the camouflage subcarriers, while keeping the rate of the regular WiFi data fixed. Fig. 14 compares simulation results of camouflage subcarriers. Experimental results are not illustrated, since the WARP-to-WARP channel in our lab is quite good and no errors occur in the camouflage subcarriers for all modulation orders.

IV-C3 Detection

Layer 1. A Layer 1 detector that can decode the signal field is able to determine whether the number of subcarriers within the signal is correct. However, only checking the spectrum will not reveal the covert channel, as it is still valid and conforms to the 802.11n standard.

Layer 2. A Layer 2 detector has insufficient information, since neither normal subcarrier performance decreases nor interference with neighboring channels occurs. Even more subcarriers could be used to increase covert channel throughput as long as the neighboring channels do not overlap, but this could be easily detected on Layer 1. Our results show that adding camouflage subcarriers increases BERs neither in simulation nor in practice.

IV-D Cyclic Prefix Replacement

Multipath effects and timing offsets during demodulation cause overlapping OFDM symbol parts, called inter-symbol interference (ISI). In 802.11a/g, a cyclic prefix (CP) is prepended to symbols in order to reduce ISI. At reception, this CP is not decoded. Nevertheless, the CP might still be larger than the actual ISI and, hence, can be used as a covert channel.

Fig. 12: Spectra of both regular 802.11g frames and camouflage subcarrier frames fit into 20 MHz WiFi channels.
Fig. 13: Raw BER of the camouflage subcarriers over AWGN.
Fig. 14: BER of covert camouflage subcarriers in simulation with 24 Mbps WiFi frames (SNR = 25 dB).
Fig. 15: CP replacement methods compared.
Fig. 16: Raw BER of the Cyclic Prefix Replacement covert channel over AWGN channels.

A simulation in [10] replaces the complete CP with covert symbols. This results in a normal channel with up to 54 Mbit/s according to 802.11a/g and an additional covert channel achieving 13.5 Mbit/s, since the CP length is one quarter of the normal symbol length. The channel performs well because the simulations are limited to AWGN channels with neither fading nor ISI; hence, the CP is not required at all. In practice, we could not reproduce such optimistic results.

IV-D1 Implementation

There are basically two ways of embedding data in the CP. In the first approach, four CPs are combined to obtain a symbol of regular length. In a practical channel, instead of the AWGN channel proposed in [10], fading effects disturb samples near the concatenation points. A solution is shown in Fig. 15, where the covert symbols are distributed over multiple CPs with some overlapping samples. First simulation results, however, show that more concatenations lead to more disturbances (e.g., due to the Doppler effect), making this approach impractical.

The second approach decreases the Fast Fourier Transform (FFT) size to at most the actual CP length, automatically leading to fewer subcarriers, as depicted in Fig. 15. Even though only 12 of the 16 subcarriers are used in a 16-point FFT, compared to the normal symbol’s 64-point FFT, 12 symbols are usable by replacing the full CP. Using four CPs, 48 symbols can be used for data transmission, analogous to the first approach. To reduce the ISI with regular OFDM symbols, the covert channel FFT size can be reduced to 8, 4, or 2 at the cost of covert throughput. Prepending a CP to the covert channel in the CP (called CPCP) even removes ISI inside the covert channel. In our experiments, we add a CPCP of 2 samples to the CP replacement scheme.

IV-D2 Performance

The performance of the CP replacement covert channel is very high. Fig. 16 compares BERs for different CP replacement strategies in an AWGN channel. Replacing shorter parts of the CP results in more errors. Adding a CPCP does not help in an AWGN channel because the channel does not introduce ISI. In contrast, in the multipath channel simulations illustrated in Fig. 17(a), the CPCP significantly decreases the covert channel BERs. In our lab environment, the CPCP is required and very effective: it reduces the BER to 0% as shown in Fig. 17(b). Depending on the actual amount of multipath effects, a higher CPCP length is reasonable.

The throughput of full CP replacement is 25 % of the corresponding WiFi frame throughput, if multipath effects are neglected. For half CP replacement, the maximum throughput is reduced to 12.5% of the WiFi frame throughput. Hence, even with the CPCP improvement for fewer transmission errors, this covert channel has good performance.

(a) Simulation with 24 Mbps WiFi frames (SNR = 25 dB).
(b) WARP-to-WARP measurement with 54 Mbps WiFi frames.
Fig. 17: BER of covert CP replacement.
(a) Simulation with 24 Mbps WiFi frames (SNR = 25 dB).
(b) WARP-to-WARP/Laptop measurement with 54 Mbps WiFi frames.
Fig. 18: BER of WiFi frames with CP replacement at legitimate receivers.
Fig. 19: The spectrum of CP Replacement frames has higher out-of-band transmissions than regular frames.

Covert Channel | Section | Conclusion
STF PSK | Sec. IV-A | Introduces phase shift to STF; immune to reactive jamming; no influence on WiFi BER; 1 PSK symbol per frame; max. covert rate 375 kbit/s for 64-PSK
CFO FSK | Sec. IV-B | Introduces artificial CFO; tunable for no influence on WiFi BER; 1 bit per OFDM symbol; max. covert rate 250 kbit/s for 5 kHz FSK
Subcarriers | Sec. IV-C | Uses four additional subcarriers from 802.11n; no influence on WiFi BER; 4 QAM symbols per OFDM symbol; max. covert rate 4.5 Mbit/s for 54 Mbit/s WiFi frames
Cyclic Prefix Replacement | Sec. IV-D | (Partial) replacement of the cyclic prefix; no influence on WiFi BER in line-of-sight channels, but affected by multipath effects; 12 (full CP rep.)/6 (half CP rep.) QAM symbols per OFDM symbol; max. covert rate 6.75 Mbit/s for half CP with CPCP
TABLE I: Summary of the analyzed covert channels. The exemplary performance values use our lab setup. Covert and legitimate channel have a median raw BER of below 0.1% and use optimal settings for the covert channel.

IV-D3 Detection

Layer 1. A physical layer detector can compare the last 16 samples of an OFDM symbol with its cyclic prefix; in a legitimate transmission both are identical except for ISI damage from the preceding symbol.

Replacing parts of the original CP slightly increases out-of-band emissions, which might be visible on a spectrum analyzer, but they remain within the spectral mask (see Fig. 19).
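The sample-by-sample comparison described above, as an added example that is not part of the paper or its WARP implementation: it builds 802.11a/g-style OFDM symbols in pure Python, overwrites the CP the way a covert sender would, and runs the Layer 1 check on noisy symbols. The QPSK payload, the 25 dB AWGN, the covert payload layout (an IDFT of 12 QPSK symbols plus a 4-sample CPCP, or 6 + 2 for half replacement), the power matching of the covert samples, and the detector's tolerance `alpha` and mismatch count are all assumptions made here; the paper gives the symbol counts but not the exact sample layout.

```python
"""
Layer-1 check for cyclic-prefix (CP) replacement in 802.11a/g OFDM symbols.

Added example, not code from the paper. An 802.11a/g OFDM symbol is 80 time
samples: a 16-sample CP that is a copy of the last 16 samples of the 64-point
IDFT output. A legitimate receiver discards the CP, so a covert sender can
overwrite it; a Layer-1 detector catches this by comparing CP and symbol tail
sample by sample. Everything here is a constructed assumption: QPSK payload,
pilots fixed to +1, 25 dB AWGN, the covert layout as a small IDFT of QPSK
symbols plus its own cyclic prefix (CPCP), power matching of the covert
samples, and the detector parameters alpha / min_mismatch.
"""
import cmath
import random

N_FFT, CP_LEN = 64, 16
PILOTS = {-21, -7, 7, 21}
DATA_SC = [k for k in range(-26, 27) if k != 0 and k not in PILOTS]  # 48 subcarriers
QPSK = [complex(i, q) / 2 ** 0.5 for i in (1, -1) for q in (1, -1)]


def idft(freq):
    """Inverse DFT; O(N^2) is fine for the 64- and 12-point transforms used here."""
    n = len(freq)
    return [sum(freq[k] * cmath.exp(2j * cmath.pi * k * t / n) for k in range(n)) / n
            for t in range(n)]


def legit_symbol(rng):
    """Random QPSK on the 48 data subcarriers, pilots +1, CP prepended: 80 samples."""
    freq = [0j] * N_FFT
    for k in DATA_SC:
        freq[k % N_FFT] = rng.choice(QPSK)
    for k in PILOTS:
        freq[k % N_FFT] = 1 + 0j
    body = idft(freq)
    return body[-CP_LEN:] + body


def covert_payload(rng, n_qam):
    """Assumed covert layout: n_qam QPSK symbols through an n_qam-point IDFT with a
    CPCP of n_qam // 3 samples, i.e. 12 + 4 = 16 (full) or 6 + 2 = 8 (half CP)."""
    mini = idft([rng.choice(QPSK) for _ in range(n_qam)])
    return mini[-(n_qam // 3):] + mini


def replace_cp(symbol, rng, fraction):
    """Overwrite the first `fraction` of the CP (the part farthest from the FFT window,
    which a legitimate receiver never uses) with a covert mini-symbol scaled to the
    power of the samples it replaces, so the spectrum stays inconspicuous."""
    n = int(CP_LEN * fraction)
    payload = covert_payload(rng, n * 3 // 4)   # 12 QAM symbols for full, 6 for half
    assert len(payload) == n
    p_legit = sum(abs(s) ** 2 for s in symbol[:n]) / n
    p_cov = sum(abs(s) ** 2 for s in payload) / n
    scale = (p_legit / p_cov) ** 0.5
    return [s * scale for s in payload] + symbol[n:]


def add_awgn(symbol, rng, snr_db):
    """Circular complex Gaussian noise at `snr_db` relative to the symbol's mean power."""
    p_sig = sum(abs(s) ** 2 for s in symbol) / len(symbol)
    sigma = (p_sig / 10 ** (snr_db / 10) / 2) ** 0.5
    return [s + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for s in symbol]


def cp_mismatches(symbol, alpha=0.1):
    """Number of CP samples whose difference to the matching tail sample carries more
    than `alpha` times the mean tail power. Receiver noise at 25 dB SNR stays far
    below that margin, so an untouched CP yields 0, while a rewritten sample almost
    always exceeds it. Real multipath also damages the first few CP samples (ISI),
    which is exactly where a covert sender hides: a field detector has to trade a
    larger margin there against missing short replacements."""
    cp, tail = symbol[:CP_LEN], symbol[-CP_LEN:]
    p_tail = sum(abs(t) ** 2 for t in tail) / CP_LEN
    return sum(1 for c, t in zip(cp, tail) if abs(c - t) ** 2 > alpha * p_tail)


def is_cp_replaced(symbol, min_mismatch=2):
    return cp_mismatches(symbol) >= min_mismatch


def run_trial(fraction, seed=1, snr_db=25.0, n_symbols=20):
    """Share of symbols flagged for a given replaced CP fraction (0.0 = legitimate)."""
    rng = random.Random(seed)
    flagged = 0
    for _ in range(n_symbols):
        sym = legit_symbol(rng)
        if fraction > 0:
            sym = replace_cp(sym, rng, fraction)
        flagged += is_cp_replaced(add_awgn(sym, rng, snr_db))
    return flagged / n_symbols


if __name__ == "__main__":
    for frac in (0.0, 0.5, 1.0):
        print(f"CP replaced: {frac:>4.0%}   symbols flagged: {run_trial(frac):.0%}")
```

With the assumed parameters, legitimate symbols produce no mismatches while half and full replacement are flagged on every symbol. Against a real channel the detector must be calibrated on known-clean traffic: `alpha` has to exceed the ISI energy leaking into the first CP samples, and that is also the bound on how short a replacement the check can still see.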

Layer 2. Since the CP is removed before further processing on Layer 2, the only visible effect is an increased BER in rich multipath environments. A Layer 2 detector cannot measure the actual channel coefficients and thus cannot distinguish whether a high BER is caused by a covert channel or by the channel itself.

As expected, in the multipath channels the legitimate BER increases significantly at complete CP replacement. However, we could not measure negative effects of partial CP replacement for channel models B and D, as our results in Fig. 18a show. In the practical measurements in Fig. 18b, only a full CP replacement has a negative effect on bit errors, especially when using off-the-shelf NICs. Hence, attackers should leave part of the CP intact in typical environments to avoid detection.

V Evaluation and Discussion

Next, we compare results and discuss the pros and cons of the investigated covert channels, summarized in Table I.

All covert channels introduced in this paper can be combined. Since they modify different parts of the OFDM symbol, the overall performance when enabling all covert channels at once is the sum of their individual performances. This comes at the cost of increased detectability; see Sec. V-B on how to lower it. Once a channel is detected, Wendy either tries to decode the covert channel or to block it, for example using a wireless firewall such as WiFire [21]. The STF PSK covert channel is special: even when detected it cannot be blocked, because the STF at the very beginning of the frame has already been transmitted before a reactive jammer can act on it.

V-A Covert Channel Performance

A fair comparison of the covert channels is demanding, since they behave differently depending on the channel model, the legitimate traffic, etc. The simulated AWGN channel is overly optimistic compared to our lab setup, while channel model B is rather similar to our lab setup and yields comparable performance for the covert channels. Hence, we present empirical results for our lab measurements at a raw BER of 0.1%, which can easily be corrected with basic coding schemes. Simulated channels D and E include effects not observable in our lab and hence yield significantly harsher conditions for both the covert and the legitimate channel.

Detector | STF PSK | CFO FSK | Subcarriers | CP replacement
Layer 1 spectrum | n | n | y/n | y (p)
Layer 1 constellations | y (p) | y (p) | n | y
Layer 1 decoding | n | n | y | y
Layer 2 BER | n | y (p) | n | y (p)
TABLE II: Detectability comparison: detectable (y), not detectable (n), detectability/performance trade-off (p).

Some covert channel rates are frame-based while others are symbol-based; accordingly, either the minimum or the maximum frame size maximizes performance. The minimum frame size is 14 bytes for clear to send (CTS) and ACK frames. Data frames can have a maximum frame size of up to 2338 bytes, assuming an unencrypted 802.11a/g data frame consisting of a MAC header (typically 30 bytes), a MAC service data unit (MSDU) of 0-2304 bytes, and an FCS (4 bytes) [20]. Delays between frames depend on contention in the MAC layer and on frame types, hence we omit them in our exemplary calculation in Table I, just as they are omitted when claiming an 802.11a/g maximum gross data rate of 54 Mbit/s. Always choosing the minimum or maximum frame size on Layer 2 might itself look suspicious to an observer, so these values are only a reference for the optimal case. For a low detection probability, the covert channel should be embedded in everyday network traffic.

V-B Detection Probability

Table II summarizes the detectability of all proposed covert channels. Detectability depends on the choice of the covert channel parameters; configuring the covert channel for lower throughput can help to evade detection.

Layer 1. A Layer 1 detector might inspect the spectrum and the IQ constellation diagrams with a spectrum/signal analyzer. If the detector must compare properties in the time domain, an SDR-supported analysis is optimal.

In the spectrum, CP replacement is visible since it introduces distortions into the CP that violate the smooth signal continuation there. Camouflage subcarriers can be detected, but since their spectrum is valid for 802.11n, the signal field has to be decoded to identify the frame type.

When analyzing IQ constellations per symbol, all covert channels can be detected. However, camouflage subcarriers can only be identified as such if the signal field is decoded and checked. CP replacement is visible in the symbols after cutting off the CP when Wendy is in a multipath-rich environment. The detection probability of STF PSK and CFO FSK can be lowered by reducing the STF phase shift and the artificial CFO, respectively.

Layer 2. A Layer 2 detector can only see an increasing BER: if the covert channel is switched on and off abruptly, the BER changes are visible on Layer 2. Hence, STF PSK and camouflage subcarriers, which do not increase the normal channel BER, are not detectable on Layer 2. To reduce the detection probability of CFO FSK, reducing the CFO helps. Replacing shorter parts of the CP diminishes the distortions in multipath-rich environments, leading to lower overall BERs.
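The on/off behaviour a Layer 2 warden can exploit, as an added example that is not from the paper: a two-sided CUSUM over per-frame bit-error counts that reports the frames at which the error level steps up and back down. The error series is constructed here (Poisson error counts at 0.1% baseline BER versus 0.5% while the covert channel is on, 1500-byte frames, covert channel active for frames 200 to 399), and the detector's alert level and threshold are design choices of this example rather than values from the paper.

```python
"""
Layer-2 detector for a covert channel that raises the legitimate BER.

Added example, not code from the paper. A Layer-2 warden cannot see channel
coefficients, only per-frame bit-error counts (e.g. from a known test pattern
or FCS failures). What it can see is the step in BER when a covert channel
such as CFO FSK with a large CFO, or full CP replacement under multipath, is
switched on and off. The error series is constructed (Poisson counts at 0.1 %
baseline BER vs 0.5 % while the covert channel is on, 1500-byte frames, covert
channel active for frames 200..399); the CUSUM alert level (2x baseline) and
threshold h are design choices of this example.
"""
import math
import random

FRAME_BITS = 1500 * 8
BASE_BER, COVERT_BER = 0.001, 0.005
ON_AT, OFF_AT, N_FRAMES = 200, 400, 600


def poisson(rng, mean):
    """Knuth's Poisson sampler; adequate for the small means used here."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def constructed_error_counts(seed=7):
    """Bit errors per frame; the covert channel is on for frames [ON_AT, OFF_AT)."""
    rng = random.Random(seed)
    return [poisson(rng, FRAME_BITS * (COVERT_BER if ON_AT <= i < OFF_AT else BASE_BER))
            for i in range(N_FRAMES)]


def poisson_llr(x, mu_from, mu_to):
    """Per-frame log-likelihood ratio for a Poisson mean shift mu_from -> mu_to."""
    return x * math.log(mu_to / mu_from) - (mu_to - mu_from)


def detect_transitions(errors, mu_base, alert_factor=2.0, h=25.0):
    """Two-sided CUSUM. While the channel is assumed clean, an upward test
    (baseline -> at least alert_factor * baseline) raises an 'on' event; afterwards a
    downward test (alert level -> baseline) raises the matching 'off' event.
    Returns [(frame index, 'on' | 'off'), ...]."""
    mu_alert = alert_factor * mu_base
    events, s, covert_on = [], 0.0, False
    for i, x in enumerate(errors):
        if not covert_on:
            s = max(0.0, s + poisson_llr(x, mu_base, mu_alert))
        else:
            s = max(0.0, s + poisson_llr(x, mu_alert, mu_base))
        if s > h:
            covert_on = not covert_on
            events.append((i, "on" if covert_on else "off"))
            s = 0.0
    return events


def analyse(seed=7):
    """Run the detector on the constructed series; baseline mean is 12 errors/frame."""
    errors = constructed_error_counts(seed)
    return detect_transitions(errors, mu_base=FRAME_BITS * BASE_BER)


if __name__ == "__main__":
    for frame, kind in analyse():
        print(f"frame {frame:4d}: covert channel switched {kind}")
```

The step up is caught on the first or second covert frame; the step down takes a handful of frames because a drop from 60 to 12 errors per frame carries less evidence per frame against the chosen alert level. This is also why the paper's mitigation works: a sender who keeps the BER increase small (lower CFO, shorter CP replacement) or ramps it gradually denies the warden the step that CUSUM is built to find, and the warden is then left with the baseline ambiguity described above.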

VI Related Work

The idea of hiding information in wireless network traffic is not new. Most schemes are designed for the data link layer or higher, using reserved fields, time delays, or packet corruptions. An approach for transmitting data in corrupted frames was first proposed in [18]; cryptographic information identifying corrupted frames is exchanged in advance using Wired Equivalent Privacy (WEP) cipher initialization vectors (IVs) and MAC addresses. WEP IVs are used as the carrier in [8], but without making the covert data match the probability distribution of real IVs. In [16], reserved fields are proposed for 802.15.4 covert channels. An 802.11 MAC layer analysis of campus traffic in [12] evaluated usable fields based on their randomness and frequency of occurrence, proposing the Frame Control Field (FCF) bits More Frag, Retry, PwrMgt and More Data as well as the 802.11 header fields Duration/ID and FCS. In [13], the timing of Retry bits indicating retransmissions is used to encode information. Hiding wireless access points by swapping fields with an Atheros card and madwifi-ng is realized in [5].

Wireless physical layer covert channels are rare, but they are more generic. Hence, related work in this area covers not only 802.11g but OFDM-based systems in general. In [11], the usage of additional subcarriers in LTE and WiMAX is evaluated in simulation. The model assumes that the covert sender and the normal sender are different entities; therefore their timing offset impacts subcarrier orthogonality. 802.11n physical layer steganography using the CP is proposed in [10]. In a simple AWGN-based simulation, they achieve a data rate as high as of the normal channel without degradation.

To the best of our knowledge, there is only one wireless physical layer covert channel that was put into practice: dirty IQ constellations for 802.11a/g [6]. The authors define four additional IQ constellation points next to the four raw QPSK points. This way, the covert throughput can be as high as the normal throughput. To evade detection, they shaped the constellations with a Gaussian distribution and compared them to regular noisy signals. However, when we tried to reproduce their results including the obfuscation mechanism, we had to cope with a high number of bit errors, especially in more complex channel models.

A topic related to covert channels is the watermarking of signals, which allows for identification and authorization on the physical layer by embedding an authentication tag. In [19], cognitive radio primary users add phase noise to QPSK symbols to authenticate themselves while maintaining backward compatibility with secondary users that are not aware of the scheme. A similar scheme for non-return-to-zero encoding is proposed in [14], embedding authentication tags in the redundant information that reduces ISI. A fingerprint can also be added to the channel state before sending; assuming only small channel changes between transmissions, users knowing the previous channel state can extract the fingerprint [9]. The QPSK scheme is secured against primary user emulation attacks in [4] by adapting the phase distortion to the current SNR. However, all these schemes were only verified in simulations. A practical implementation adding further IQ constellations as in [6], but without the Gaussian distribution, is shown in [22].

VII Conclusion

In this paper, we show that physical layer WiFi covert channels are feasible in practice. We design novel covert channels and improve known ones. Our work is, to the best of our knowledge, the first to characterize various OFDM-based covert channels in practical settings. Based on our results, we discuss the pros and cons of the covert channels with respect to their performance as well as their detectability. With this, we provide a first compendium of practical physical layer WiFi covert channels, which facilitates the understanding of this potential attack vector.


This work has been funded by the German Research Foundation (DFG) in the Collaborative Research Center (SFB) 1053 “MAKI – Multi-Mechanism-Adaptation for the Future Internet” and by LOEWE CASED. We thank Halis Altug, Athiona Xhoga and Stephan Pfistner for the implementation of the first prototypes.


  • [1] Radiotap.
  • [2] WARP project.
  • [3] E. Bayraktaroglu, C. King, X. Liu, G. Noubir, R. Rajaraman, and B. Thapa. Performance of IEEE 802.11 under jamming. Mobile Networks and Applications, 18(5):678–696, 2013.
  • [4] K. M. Borle, B. Chen, and W. Du. A physical layer authentication scheme for countering primary user emulation attack. In International Conference on Acoustics, Speech and Signal Processing (ICASSP), pages 2935–2939. IEEE, 2013.
  • [5] L. Butti and F. Veysset. Wi-Fi Advanced Stealth. Proceedings Black Hat US, Aug 2006.
  • [6] A. Dutta, D. Saha, D. Grunwald, and D. Sicker. Secret agent radio: Covert communication through dirty constellations. In M. Kirchner and D. Ghosal, editors, Information Hiding, volume 7692 of Lecture Notes in Computer Science, pages 160–175. Springer, 2013.
  • [7] V. Erceg et al. TGn channel models. IEEE 802.11-03/940r4, 2004.
  • [8] L. Frikha and Z. Trabelsi. A new covert channel in WiFi networks. In Third International Conference on Risks and Security of Internet and Systems (CRiSIS), pages 255–260, Oct 2008.
  • [9] N. Goergen, W. S. Lin, K. R. Liu, and T. C. Clancy. Authenticating MIMO transmissions using channel-like fingerprinting. In Global Telecommunications Conference (GLOBECOM), pages 1–6. IEEE, 2010.
  • [10] S. Grabski and K. Szczypiorski. Steganography in OFDM symbols of fast IEEE 802.11n networks. In Security and Privacy Workshops (SPW), pages 158–164. IEEE, 2013.
  • [11] Z. Hijaz and V. Frost. Exploiting OFDM systems for covert communication. In Military Communications Conference (MILCOM), pages 2149–2155, Oct 2010.
  • [12] C. Krätzer, J. Dittmann, A. Lang, and T. Kühne. WLAN steganography: a first practical review. In Proceedings of the 8th workshop on Multimedia and security, pages 17–22. ACM, 2006.
  • [13] C. Krätzer, J. Dittmann, and R. Merkel. WLAN steganography revisited. In Electronic Imaging, pages 681903–681903. International Society for Optics and Photonics, 2008.
  • [14] V. Kumar, J.-M. Park, T. C. Clancy, and K. Bian. PHY-layer authentication using hierarchical modulation and duobinary signaling. In International Conference on Computing, Networking and Communications (ICNC), pages 782–786. IEEE, 2014.
  • [15] B. W. Lampson. A note on the confinement problem. Commun. ACM, 16(10):613–615, Oct 1973.
  • [16] D. Martins and H. Guyennet. Attacks with steganography in PHY and MAC layers of 802.15.4 protocol. In Fifth International Conference on Systems and Networks Communications (ICSNC), pages 31–36, Aug 2010.
  • [17] S. U. Rehman, K. W. Sowerby, and C. Coghill. Analysis of impersonation attacks on systems using RF fingerprinting and low-end receivers. Journal of Computer and System Sciences, 80(3):591–601, 2014. Special Issue on Wireless Network Intrusion.
  • [18] K. Szczypiorski. HICCUPS: hidden communication system for corrupted networks. In International Multi-Conference on Advanced Computer Systems, pages 31–40, 2003.
  • [19] X. Tan, K. Borle, W. Du, and B. Chen. Cryptographic link signatures for spectrum usage authentication in cognitive radio. In Proceedings of the fourth ACM conference on Wireless network security, pages 79–90. ACM, 2011.
  • [20] The Institute of Electrical and Electronic Engineers, Inc. IEEE standard 802.11-2012. IEEE Standard for Information technology, 2012.
  • [21] M. Wilhelm, I. Martinovic, J. B. Schmitt, and V. Lenders. WiFire: a firewall for wireless networks. In Proc. SIGCOMM, 2011.
  • [22] P. L. Yu, J. S. Baras, and B. M. Sadler. Physical-layer authentication. Transactions on Information Forensics and Security, 3(1):38–51, 2008.
  • [23] S. Zander, G. Armitage, and P. Branch. A survey of covert channels and countermeasures in computer network protocols. IEEE Communications Surveys Tutorials, 9(3):44–57, Third 2007.