<!--
Author: Xianjun jiao
SPDX-FileCopyrightText: 2021 UGent
SPDX-License-Identifier: AGPL-3.0-or-later
-->

[ACM WiSec 2021. Openwifi CSI fuzzer for authorized sensing and covert channels](https://dl.acm.org/doi/pdf/10.1145/3448300.3468255)

CSI (Channel State Information) of WiFi systems is available in some WiFi chips and can be used for sensing the environment (keystrokes, people, objects) passively and secretly.

## Concept

How could a CSI fuzzer stop unauthorized sensing?

CSI fuzzer implementation principle.

## Demo instructions

Thanks to the full-duplex capability and CSI extraction feature of openwifi, you can monitor the artificial channel response via the [side channel](./csi.md) through Tx-Rx over-the-air coupling, without affecting the normal operation/traffic of openwifi. Before self-monitoring, the auto-mute during Tx needs to be disabled.

The full demo steps are:

```
ssh [email protected]
# password: openwifi

cd openwifi

# Set up the openwifi AP
./fosdem-11ag.sh

# Disable auto-muting so the board can listen to its own Tx
./sdrctl dev sdr0 set reg xpu 1 1

insmod side_ch.ko num_eq_init=0

# Only monitor the over-the-air loopback CSI of the board's own beacon Tx
./side_ch_ctl wh1h2001
./side_ch_ctl wh6hffffffff

./side_ch_ctl g1
```

Go to openwifi/user_space/side_ch_ctl_src, and run `python3 side_info_display.py 0`. You should see the over-the-air loopback CSI while the CSI fuzzer is not enabled. Then stop the `side_info_display.py` script to ease the next step.

Start another ssh session to the openwifi board:

```
ssh [email protected]
# password: openwifi

cd openwifi

# The CSI fuzzer applies possible artificial CSI by scanning all values.
# csi_fuzzer.sh is called. Please read both scripts to understand these commands.
./csi_fuzzer_scan.sh 1
```

Go to openwifi/user_space/side_ch_ctl_src, and run `python3 side_info_display.py 0`. Now you should see that the CSI keeps changing, as in this [video](https://youtu.be/aOPYwT77Qdw).

# Further explanation on parameters

CSI fuzzer in openwifi system architecture and related commands.

# Example fuzzed CSI

CSI self-monitoring before fuzzing.

CSI self-monitoring after fuzzing command: `csi_fuzzer.sh 1 45 0 13`

`csi_fuzzer_scan.sh` can scan the c1 and c2 in different styles/modes by calling `csi_fuzzer.sh`.
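
The following added illustration (not code from openwifi or the paper) models why a receiver's estimated CSI changes under a command like `csi_fuzzer.sh 1 45 0 13`. It assumes the fuzzer behaves as a 3-tap transmit filter with taps [1, c1, c2], that the four arguments are (c1 rot90 flag, c1 raw, c2 rot90 flag, c2 raw), and a hypothetical 1/64 scale for the raw values; read `csi_fuzzer.sh` for the actual register encoding.

```python
import cmath

N_FFT = 64     # FFT size of 20 MHz 802.11a/g OFDM
SCALE = 64.0   # ASSUMPTION: fixed-point scale of the raw tap values (hypothetical)


def tap(rot90_en, raw):
    """Map (rot90_en, raw) to a complex tap.

    ASSUMPTION: the rot90 flag rotates the tap by 90 degrees (multiply by j).
    """
    value = complex(raw / SCALE, 0.0)
    return value * 1j if rot90_en else value


def fuzzed_csi(true_csi, c1, c2):
    """CSI a receiver estimates when the Tx pre-filters with taps [1, c1, c2].

    The receiver cannot separate the filter from the physical channel, so it
    sees the product of the two on every subcarrier.
    """
    out = {}
    for k, h in true_csi.items():
        w = cmath.exp(-2j * cmath.pi * k / N_FFT)  # one-sample delay at subcarrier k
        out[k] = h * (1 + c1 * w + c2 * w * w)
    return out


def amplitude_spread(csi):
    """Max minus min CSI magnitude across subcarriers (0 for a flat channel)."""
    mags = [abs(h) for h in csi.values()]
    return max(mags) - min(mags)


# Constructed input: an ideal flat channel on the 52 used subcarriers.
SUBCARRIERS = [k for k in range(-26, 27) if k != 0]
FLAT = {k: 1 + 0j for k in SUBCARRIERS}


def demo():
    """Return the amplitude spread before and after fuzzing with 1 45 0 13."""
    c1, c2 = tap(1, 45), tap(0, 13)
    return amplitude_spread(FLAT), amplitude_spread(fuzzed_csi(FLAT, c1, c2))


if __name__ == "__main__":
    before, after = demo()
    print(f"spread before fuzzing: {before:.3f}, after: {after:.3f}")
```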