CBL - Campus del Baix Llobregat

Project read (defended)

Title: On the security of the IEEE 802.11 Fine Time Measurement (FTM) protocol

Students who have defended this project:


Department: ENTEL

Title: On the security of the IEEE 802.11 Fine Time Measurement (FTM) protocol

Offer start date: 03-07-2023     Offer end date: 03-03-2024

Degree programme the project is assigned to:
    MU MASTEAM 2015
Type: Individual
Place of completion: EETAC
Second supervisor (UPC): ZOLA, ENRICA VALERIA
Keywords:
Security, IEEE 802.11, FTM
Description of content and activity plan:
The Fine Timing Measurement (FTM) procedure, defined in the IEEE 802.11-2016 standard and extended in the 802.11az amendment, specifies an indoor location mechanism based on Time of Flight (ToF). FTM allows an initiating station to perform ranging exchanges with a responding station (typically an Access Point) and compute its location based on them. However, the standard does not include security techniques to protect the exchange and provide services such as confidentiality, integrity and authentication.
The aim of this thesis is to analyze the security issues of the FTM procedure and to evaluate, by means of simulation, the feasibility of specific attacks against it.
Overview (summary in English):
Wi-Fi has been widely deployed around the world for more than two decades, and over that time the standard has kept improving in bandwidth, security and other areas. In 2016 the 802.11mc standard, also known as Fine Timing Measurement (FTM), was released; it proposes an improved method for indoor positioning over Wi-Fi.

FTM uses RTT (Round-Trip Time) measurements as the basis for calculating the distance between an initiator device and a responder; these measurements can be repeated several times and against different responders, so that multilateration can be applied to determine the initiator's location. FTM was designed so that its frames can be exchanged without associating to the Wi-Fi network; in other words, the frames are sent over the wireless medium without the initiator authenticating to the AP and without any encryption. This is acceptable for FTM's purpose because the protocol only transports timing measurements, not bulk data transfers such as web browsing.
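
As an added illustration (not code from the thesis), the following Python example reproduces the ranging step described above: it constructs error-free FTM timestamps for one exchange with each AP, converts the round-trip time into a distance, and multilaterates the initiator from the resulting ranges using the model 1 corner layout. The responder turnaround delay and the Gauss-Newton least-squares solver are assumptions of the example, not details taken from the thesis.

```python
# Added example, not code from the thesis: ideal FTM round-trip ranging to
# several responders (APs) followed by 2-D multilateration of the initiator.
import math

C = 299_792_458.0  # speed of light, m/s

def ftm_distance(t1, t2, t3, t4):
    """Range from one FTM exchange. t1: responder sends FTM frame, t2: initiator
    receives it, t3: initiator sends ACK, t4: responder receives ACK (seconds).
    The initiator's turnaround time (t3 - t2) is removed from the round trip."""
    rtt = (t4 - t1) - (t3 - t2)
    return C * rtt / 2.0

def simulate_exchange(responder, initiator, turnaround=10e-6):
    """Constructed, error-free timestamps for one exchange (assumed turnaround)."""
    tof = math.dist(responder, initiator) / C
    t1 = 0.0
    t2 = t1 + tof
    t3 = t2 + turnaround
    return t1, t2, t3, t3 + tof

def multilaterate(aps, ranges, iters=100):
    """Gauss-Newton least squares: 2-D position from ranges to >= 3 APs."""
    x = sum(a[0] for a in aps) / len(aps)   # start at the AP centroid
    y = sum(a[1] for a in aps) / len(aps)
    for _ in range(iters):
        a11 = a12 = a22 = b1 = b2 = 0.0     # normal equations (J^T J) d = J^T r
        for (ax, ay), d in zip(aps, ranges):
            est = max(math.hypot(x - ax, y - ay), 1e-12)
            jx, jy = (x - ax) / est, (y - ay) / est   # d(est)/dx, d(est)/dy
            r = d - est                               # range residual
            a11 += jx * jx; a12 += jx * jy; a22 += jy * jy
            b1 += jx * r; b2 += jy * r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break
        dx = (a22 * b1 - a12 * b2) / det
        dy = (a11 * b2 - a12 * b1) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-9:
            break
    return x, y

def locate(aps, sta):
    """One exchange with every AP, then multilaterate the station position."""
    ranges = [ftm_distance(*simulate_exchange(ap, sta)) for ap in aps]
    return multilaterate(aps, ranges)
```

With the model 1 corner geometry the solver converges from the AP centroid in a few iterations; feeding it noisy ranges instead of the ideal ones produces the residual error that the thesis's RMSE and standard deviation metrics quantify.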

To compute the user's position from the captured data, the attacker applies the Passive TDOA technique, which was first proposed as a way for a device to calculate its own location passively, without starting a new FTM session, simply by listening to another user's FTM exchanges.

The purpose of this work is to show how accurately an attacker can estimate the victim's position under different scenarios and conditions while the victim is using the FTM protocol, and to report how long that estimation takes. This master thesis also aims to quantify the impact of an FTM attack and to contribute to improving the security of the FTM protocol.

To accomplish the goals stated in the previous paragraph, this master thesis simulates a Wi-Fi environment in Python. The devices in the simulation are the APs, the attacker device and the victim device. For clarity, the thesis splits the layout into two models. Model 1 is a small 6x6 test area with no measurement error: the APs are fixed at the four corners, the attacker is placed on one of the grid points and the victim sweeps every point of the grid. Model 2 is a 30x30 test area in which the APs are placed randomly on the grid, following recommendations for Wi-Fi deployments; the attacker is placed randomly in the area and the victim again sweeps all the grid points.

Once all calculations are complete, the results of model 1 and model 2 are analyzed using metrics such as RMSE, mean error and standard deviation; timing metrics are included in this analysis as well.

This thesis is structured as follows. Chapter 1, Fundamental Concepts, first covers the basics of the FTM procedure, how it works using RTT and how it has been used to estimate a user device's location. It then describes Time Difference of Arrival (TDOA) principles and the Passive TDOA technique, which offers an interesting way to cope with many devices sending their timing measurements to the AP and consuming the wireless network's bandwidth.

Chapter 2, Methodology, covers the whole simulated work environment, built in Python, and explains which layout models and study cases are carried out.

Chapter 3, Results and Analysis, presents the results of both models and analyzes their behavior under specific circumstances: model 1's results show how the geometry of the test area and the placement of the devices affect the outcome, and model 2 explores how the results change when the devices are placed randomly in a larger test area, under ideal or realistic conditions.

Finally, Chapter 4, Conclusions, lists the conclusions of the analysis and proposes recommendations to guide future work on improving FTM security.

© CBLTIC Campus del Baix Llobregat - UPC