<!--
Author: Xianjun Jiao
SPDX-FileCopyrightText: 2021 UGent
SPDX-License-Identifier: AGPL-3.0-or-later
-->

[Openwifi CSI fuzzer for authorized sensing and covert channels](https://arxiv.org/pdf/2105.07428.pdf) (accepted by ACM WiSec 2021)

CSI (Channel State Information) of WiFi systems is available in some WiFi chips and can be used to sense the environment (keystrokes, people, objects) passively and secretly.

## Concept

How could a CSI fuzzer stop unauthorized sensing?

![](./csi-fuzzer-system-before-vs-now.png)

CSI fuzzer implementation principle.

![](./csi-fuzzer-principle.png)

## Demo instructions

Thanks to the full-duplex capability and CSI extraction feature of openwifi, you can monitor the artificial channel response through the [side channel](./csi.md), using Tx-Rx over-the-air coupling, without affecting the normal operation or traffic of openwifi. Before self-monitoring, the auto-mute during Tx needs to be disabled.

The full demo steps are:

```
ssh [email protected]
# password: openwifi

cd openwifi

# Set up the openwifi AP
./fosdem-11ag.sh

# Disable auto-muting so the board can listen to its own Tx
./sdrctl dev sdr0 set reg xpu 1 1

insmod side_ch.ko num_eq_init=0

# Monitor only the self-beacon-Tx CSI over-the-air loopback
./side_ch_ctl wh1h2001
./side_ch_ctl wh6hffffffff

./side_ch_ctl g1
```
Go to openwifi/user_space/side_ch_ctl_src and run `python3 side_info_display.py 0`. You should see the over-the-air loopback CSI while the CSI fuzzer is not enabled. Then stop the `side_info_display.py` script to ease the next step.

Start another ssh session to the openwifi board:
```
ssh [email protected]
# password: openwifi

cd openwifi

# The CSI fuzzer applies possible artificial CSI by scanning all values.
# csi_fuzzer.sh is called by this script. Please read both scripts to understand these commands.
./csi_fuzzer_scan.sh 1
```

Go to openwifi/user_space/side_ch_ctl_src and run `python3 side_info_display.py 0`. Now you should see that the CSI keeps changing, as in this [video](https://youtu.be/aOPYwT77Qdw).

## Further explanation on parameters

CSI fuzzer in openwifi system architecture and related commands.

![](./csi-fuzzer-implementation.png)

## Example fuzzed CSI

CSI self-monitoring before fuzzing.

![](./csi-fuzzer-beacon-ant-back-0.jpg)

CSI self-monitoring after the fuzzing command `csi_fuzzer.sh 1 45 0 13`:

![](./csi-fuzzer-beacon-ant-back-1-45-0-13.jpg)

`csi_fuzzer_scan.sh` can scan c1 and c2 in different styles/modes by calling `csi_fuzzer.sh`.

80