Absolute Security with Diverse Radiation Minima
In an eavesdropping scenario, it has been shown that the transmitter Alice can zero-force (steer her radiation null) toward an eavesdropper Eve to secure the transmission, but only when Alice knows Eve's channel. We propose the Absolute Security approach, which achieves security without the stringent requirement of knowledge about Eve. Our Absolute Security approach relies on (i) diverse radiation minima over different frequency channels and (ii) a linear secure coding across all frequency channels. The radiation minima create what we call "blind regions," within which Eve cannot even detect the transmitted signal. The secure coding ensures that, whenever Eve fails to detect one frequency channel, she cannot obtain any information about the individual message Alice sends to the receiver Bob. Together, the blind region of the total transmission expands with more frequency channels. With enough frequency channels, we show that the blind region can expand to almost all locations except the spatial regions near Bob, allowing secure transmission without specific knowledge about Eve's location, as long as she is within the blind region.
A. Cohen, R. G. L. D’Oliveira, C.-Y. Yeh, H. Guerboukha, R. Shrestha, Z. Fang, E. W. Knightly, M. Médard, and D. M. Mittleman, “Absolute Security in High-Frequency Wireless Links,” in Proceedings of IEEE Conference on Communications and Network Security (CNS), Austin, TX, October 2022. (paper, slides)
Security of THz Angularly Dispersive Links
Future 6G networks promise hundred-GHz scale bandwidths thanks to the large spectrum availability above 100 GHz. Unlike current communication systems, large-bandwidth directional transmissions are subject to angular dispersion, in which different carrier frequencies emit towards different angles. Unfortunately, this property can potentially yield advantages to Eve as it creates a widening spatial footprint. In my thesis, I perform the first security analysis for angularly dispersive directional links. Using a combination of theoretical, analytical, and experimental approaches, my work provides a deep understanding of angularly dispersive links under eavesdropping. To this end, I employ a leaky-wave antenna (LWA), an antenna with the angular dispersion property shown in the figure, in our study.
Achieving Security for Angularly Dispersive Links
Fast or Secure, Not Both?
We first show that, contrary to lower-band non-angularly dispersive links, THz-scale links with angular dispersion exhibit an unprecedented security conundrum: namely, with angular dispersion, a larger bandwidth creates a wider beamwidth, suggesting a higher data rate is only achieved at the price of degraded security. Moreover, when Eve is angularly away from Bob, she will receive some frequencies even stronger than Bob will. Our approach, surprisingly, nearly eliminates this security penalty.
SCADL: Proposed Cross-Channel Coding Strategy
Our key observation is that since different frequencies emit towards slightly different directions for angularly dispersive links, Eve cannot receive all frequency channels simultaneously, and thus Alice and Bob can always use a subset of frequency channels to enable secure transmissions.
Our approach, termed SCADL (Secure Coding for Angularly Dispersive Links), is a cross-channel coding strategy that exploits the fact that Eve cannot intercept all frequency channels simultaneously. As a baseline, we specify ICB (Independently Coded Baseline), which requires Alice to code independently per frequency channel.
We evaluate the secrecy performance of a secure coding strategy by the resulting insecure region, defined as the spatial region within which the message is leaked, at least partially, to Eve, and is shown as the enclosed region in the figure below.
We demonstrate, both in model-driven results and experiments, that when Alice employs a cross-frequency coding strategy (SCADL), it provides a surprisingly consistent insecure region despite the widening signal footprint when the bandwidth increases. Thus, a higher data rate with little security penalty can be realized. In comparison, independent coding per channel (termed ICB) results in leakage in the subset of frequency channels that Eve can better intercept, causing an undesirable expansion of the insecure area with higher data rate.
Our results reveal security properties not observed in conventional directional links for future wideband transmissions and emphasize the importance of a co-design of counter-measure strategy and physical layer properties.
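The difference between independent and cross-channel coding, and the "Eve misses one channel" guarantee from the Absolute Security section, can be checked exhaustively on a toy code. This is an added example, not the authors' SCADL construction: the Cauchy-matrix code over GF(7), the three-channel setup, and the model of Eve as hearing a subset of channels perfectly are all illustrative assumptions.

```python
from collections import defaultdict
from itertools import product

P = 7  # small prime field so every message vector can be enumerated
N = 3  # frequency channels, one message symbol per channel

def independent_code(n=N):
    # ICB-style stand-in: channel i carries message i unchanged
    return [[int(i == j) for j in range(n)] for i in range(n)]

def cross_channel_code(n=N, p=P):
    # Illustrative Cauchy matrix 1/(x_i - y_j) mod p with x_i = i, y_j = n + j;
    # every square submatrix of a Cauchy matrix is invertible (needs 2n <= p).
    return [[pow((i - n - j) % p, -1, p) for j in range(n)] for i in range(n)]

def encode(G, msg, p=P):
    return tuple(sum(g * m for g, m in zip(row, msg)) % p for row in G)

def leaked_messages(G, eve_channels, p=P):
    """Indices of messages whose posterior given Eve's channels is not uniform."""
    n = len(G)
    hist = defaultdict(lambda: [[0] * p for _ in range(n)])
    for msg in product(range(p), repeat=n):      # uniform prior over messages
        coded = encode(G, msg, p)
        seen = tuple(coded[c] for c in sorted(eve_channels))
        for j, value in enumerate(msg):
            hist[seen][j][value] += 1
    return {j for per_msg in hist.values()
            for j, counts in enumerate(per_msg) if len(set(counts)) > 1}

def bob_can_decode(G, p=P):
    # Bob hears every channel: decoding works iff encoding is one-to-one
    n = len(G)
    return len({encode(G, m, p) for m in product(range(p), repeat=n)}) == p ** n

if __name__ == "__main__":
    for name, G in (("independent", independent_code()),
                    ("cross-channel", cross_channel_code())):
        for eve in ({0}, {0, 1}, {0, 1, 2}):
            print(name, sorted(eve), "leaks", sorted(leaked_messages(G, eve)))
```

With independent coding, every channel Eve hears leaks its message; with the cross-channel code, no individual message leaks until she hears all three channels, while the rate stays at one message symbol per channel.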
C.-Y. Yeh, A. Cohen, R. G. L. D’Oliveira, M. Medard, D. M. Mittleman, and E. W. Knightly, “Secure Coding for Angularly Dispersive Terahertz Links: from Theoretical Foundations to Experiments,” in Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022), San Antonio, TX, May 2022. (paper, slides, teaser video, presentation)
C.-Y. Yeh, Y. Ghasempour, Y. Amarasinghe, D. M. Mittleman, and E. W. Knightly, “Security in Terahertz WLANs with Leaky Wave Antennas,” in Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2020), Linz (Virtual), Austria, July 2020. (paper, slides, teaser video, presentation)
Sensing Enhanced Security
Object Scattering Attack Detection
A sophisticated adversary could exploit the quasi-optical nature of THz beams and employ an object scattering attack in which Eve carefully places an object to reflect signals from Alice to Bob to her location. We showed how Bob can detect even small-scale objects in the middle and estimate their angular location by analyzing the THz-scale spectral fingerprint. The idea is that each location in the spatial domain has a unique frequency signature that can be known a priori based on the antenna’s physics. When Eve places an object that blocks part of the beam, it results in a frequency-selective attenuation at Bob depending on the object’s angular location. By comparing the received spectrum to the known frequency signature without blockage, we demonstrate experimentally that Bob can estimate both the center and the size of the object. Our results show that sensing offers Alice and Bob necessary information for link security.
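A simplified version of the spectrum comparison described above, as an added example rather than code from the LeakyTrack work. It assumes the parallel-plate LWA relation sin θ = c / (2·b·f), a plate separation of 1 mm, a 3 dB detection threshold, and constructed spectra; all function names are hypothetical.

```python
import math

C = 299_792_458.0   # speed of light, m/s
PLATE_SEP = 1e-3    # assumed LWA plate separation b, metres

def emission_angle_deg(freq_hz, b=PLATE_SEP):
    # Assumed frequency-to-angle signature of the antenna: sin(theta) = c / (2 b f)
    return math.degrees(math.asin(C / (2 * b * freq_hz)))

def detect_blockage(freqs_hz, baseline_db, received_db, threshold_db=3.0, min_bins=2):
    """Return (center_deg, width_deg) of the widest attenuated band, or None."""
    best, run = [], []
    for f, ref, rx in zip(freqs_hz, baseline_db, received_db):
        if ref - rx >= threshold_db:     # bin attenuated relative to known signature
            run.append(f)
            continue
        if len(run) > len(best):
            best = run
        run = []
    if len(run) > len(best):
        best = run
    if len(best) < min_bins:             # ignore isolated dips (noise, narrow fades)
        return None
    lo, hi = sorted((emission_angle_deg(best[0]), emission_angle_deg(best[-1])))
    return ((lo + hi) / 2, hi - lo)

# Constructed sample data: 200-400 GHz in 10 GHz bins, flat unblocked signature,
# and a received spectrum with a 10 dB notch over 260-300 GHz plus 0.5 dB ripple.
FREQS = [200e9 + 10e9 * i for i in range(21)]
BASELINE = [-40.0] * len(FREQS)
BLOCKED = [ref - (10.0 if 260e9 <= f <= 300e9 else 0.5)
           for f, ref in zip(FREQS, BASELINE)]

if __name__ == "__main__":
    result = detect_blockage(FREQS, BASELINE, BLOCKED)
    if result is None:
        print("no blockage detected")
    else:
        print("object center %.1f deg, angular width %.1f deg" % result)
```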
Y. Ghasempour, C.-Y. Yeh, R. Shrestha, Y. Amarasinghe, D. M. Mittleman, and E. W. Knightly, “LeakyTrack: Non-Coherent Single-Antenna Nodal and Environmental Mobility Tracking with a Leaky-Wave Antenna,” in Proceedings of ACM SenSys 2020, Yokohama (Virtual), Japan, November 2020. (paper, presentation)
Experimental Security Study for Highly Directional Links
Highly directional links are often cited as inherently resilient to passive eavesdropping, despite a lack of empirical evidence. In our work, we experimentally study eavesdropping of highly directional links generated by large antenna arrays and THz antennas and demonstrate practical eavesdropping threats despite the highly focused transmissions.
Massive MIMO
Massive MIMO (large antenna array) base stations (BSs) are a key feature of emerging 5G and 6G networks. They are believed to have the potential to thwart passive eavesdropping as they create highly focused transmissions. Indeed, the threat of passive eavesdropping has been shown to be negligible when the transmit antenna size approaches infinity for idealized independent Rayleigh channels. We perform the world’s first experimental study of Massive MIMO eavesdropping.
Using a 96-element ArgosV2 BS shown above, we identify new vulnerabilities to the eavesdropper (Eve):
First, we demonstrate that not only does the intended receiver Bob’s SNR increase with array size, but unfortunately, contrary to the idealized channel model, Eve’s SNR also increases with array size due to channel correlation in her measurements.
We further demonstrate how Eve can gain by optimizing her position, not only by being nomadic and searching for the most favorable position, but also by exploiting predictable line-of-sight (LoS) positional vulnerabilities. Specifically, we discovered that Eve gains an advantage simply by sharing the elevation angle with Bob in the LoS scenario.
Finally, we demonstrate that Eve’s advantage due to channel correlation can increase with more eavesdropping antennas in the worst case when she knows the beamforming vector and her channel from Alice.
Our experiments demonstrate multiple eavesdropping threats in practical massive MIMO networks, contrary to the widely adopted belief of large antenna arrays being resistant to passive eavesdropping.
C.-Y. Yeh and E. W. Knightly. “Eavesdropping in Massive MIMO: New Vulnerabilities and Countermeasures,” IEEE Transactions on Wireless Communications, 20(10):6536-6550, October 2021. (paper)
C.-Y. Yeh and E. W. Knightly. “Feasibility of Passive Eavesdropping in Massive MIMO: An Experimental Approach,” in Proceedings of IEEE Conference on Communications and Network Security (CNS), Beijing, China, May 2018. (paper, slides)
THz Pencil Beam
Millimeter-wave to THz bands spanning from 100 GHz to 1 THz are a key spectrum frontier for 6G networking and sensing. Highly directional “pencil beams” in such bands are expected to yield Tb/sec data rates and security. Prior works generally consider that Eve’s antenna must be located within the broadcast sector of the transmitting antenna, leading to the conclusion that eavesdropping becomes essentially impossible when the transmitted signal has sufficiently high directionality. We perform the world’s first experimental demonstration of THz eavesdropping and show that the conventional wisdom is unfortunately not true.
Our experiments consider a strong adversary that places an object within the pencil beam to scatter or reflect radiation towards Eve, who is located outside of the beam’s footprint as shown in the figure above. We realize narrow beams with horn antennas having beamwidths from 1.6° to 7.8° for frequencies from 100 GHz to 400 GHz. We find that eavesdropping becomes increasingly difficult with a narrower beam, as the object inevitably blocks a significant portion of radiation to Bob, which raises an alarm for Alice and Bob. Yet, we demonstrate that eavesdropping is still possible without significantly disturbing the main link using a combination of a specular reflector, precise off-axis object placement, and receiver alignment as shown in the figure below. Our results demonstrate that a narrow pencil-like beam does not guarantee immunity from eavesdropping when facing an agile eavesdropper.