xref: /openwifi/doc/app_notes/csi_fuzzer.md (revision 40bf1ed92901545d7f6c2dea0c915533b9865407)
<!--
Author: Xianjun Jiao
SPDX-FileCopyrightText: 2021 UGent
SPDX-License-Identifier: AGPL-3.0-or-later
-->

- [ACM WiSec 2021. Openwifi CSI fuzzer for authorized sensing and covert channels](https://dl.acm.org/doi/pdf/10.1145/3448300.3468255)
- [Privacy Protection in WiFi Sensing via CSI Fuzzing](https://ieeexplore.ieee.org/abstract/document/10818006)

CSI (Channel State Information) of WiFi systems is available in some WiFi chips and can be used for sensing the environment (keystrokes, people, objects) passively and secretly.

## Concept

How could a CSI fuzzer stop unauthorized sensing?

![](./csi-fuzzer-system-before-vs-now.png)

CSI fuzzer implementation principle.

![](./csi-fuzzer-principle.png)

## Demo instructions

Thanks to the full-duplex capability and CSI extraction feature of openwifi, you can monitor the artificial channel response via the [side channel](./csi.md) through Tx-Rx over-the-air coupling, without affecting the normal operation/traffic of openwifi. Before fuzzing the CSI, please follow the [WiFi CSI radar via self CSI capturing](radar-self-csi.md) app note to set up normal self CSI monitoring.

Then, start another ssh session to the openwifi board:
```
ssh [email protected]
(password: openwifi)

cd openwifi

./csi_fuzzer_scan.sh 1
(CSI fuzzer applies possible artificial CSI by scanning all values)
(csi_fuzzer.sh is called. Please read both scripts to understand these commands)
```

Now you should see that the CSI keeps changing, as in this [video](https://youtu.be/aOPYwT77Qdw).

## Further explanation on parameters

CSI fuzzer in openwifi system architecture and related commands.

![](./csi-fuzzer-implementation.png)

## Example fuzzed CSI

CSI self-monitoring before fuzzing.

![](./csi-fuzzer-beacon-ant-back-0.jpg)

CSI self-monitoring after the fuzzing command: `./csi_fuzzer.sh 1 45 0 13`

![](./csi-fuzzer-beacon-ant-back-1-45-0-13.jpg)

`csi_fuzzer_scan.sh` can scan c1 and c2 in different styles/modes by calling `csi_fuzzer.sh`.