research-article

NICScatter: Backscatter as a Covert Channel in Mobile Devices

Authors:

Qian ZhangAuthors Info & Claims

MobiCom '17: Proceedings of the 23rd Annual International Conference on Mobile Computing and Networking

Pages 356 - 367

https://doi.org/10.1145/3117811.3117814

Published: 04 October 2017 Publication History

Abstract

Today's mobile devices contain sensitive data, which raises concerns about data security. This paper discusses a covert channel threat on existing mobile systems. Through it, malware can wirelessly leak information without making network connections or emitting signals, such as sound, EMR, vibration, etc., that we can feel or are aware of. The covert channel is built on a communication method that we call NICScatter. NICScatter transmitter malware forces mobile devices, such as mobile phones, tablets or laptops, to reflect surrounding RF signals to covertly convey information. The operation is achieved by controlling the impedance of a device's wireless network interface card (NIC). Importantly, the operation requires no special privileges on current mobile OSs, which allows the malware to stealthily pass sensitive data to an attacker's nearby mobile device, which can then decode the signal and thus effectively gather the guarded data. Our experiments with different mobile devices show that the covert channel can achieve 1.6 bps and transmit as far as 2 meters. In a through-the-wall scenario, it can transmit up to 70 cm.

References

[1]

Android permissions. https://developer.android.com/reference/android/Manifest.permission.html.

[2]

D-link 2dbi antenna. https://www.amazon.com/D-Link-2dbi-Antenna-Wireless-Router/dp/B002XENHB0.

[3]

gnome-bluetooth source code. http://sources.debian.net/src/gnome-bluetooth/.

[4]

rfkill. https://www.kernel.org/doc/Documentation/rfkill.txt.

[5]

R&S® ZVB vector network analyzers. https://www.rohde-schwarz.com/us/product/zvb-productstartpage_63493--7990.html.

[6]

Ubuntu mobile. https://www.ubuntu.com/mobile.

[7]

Usrp n210. https://www.ettus.com/product/details/UN210-KIT.

[8]

Vert 2450 3dbi antenna. https://www.ettus.com/product/details/VERT2450.

[9]

Xcvr2450. https://kb.ettus.com/XCVR2450.

[10]

F. Adib, Z. Kabelac, D. Katabi, and R. C. Miller. 3d tracking via body radio reflections. In Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation, pages 317--329. USENIX Association, 2014.

Digital Library

[11]

F. Adib and D. Katabi. See through walls with wifi! SIGCOMM Comput. Commun. Rev., 43(4):75--86, Aug. 2013.

Digital Library

[12]

S. Cabuk, C. E. Brodley, and C. Shields. Ip covert timing channels: design and detection. In Proceedings of the 11th ACM conference on Computer and communications security, pages 178--187. ACM, 2004.

Digital Library

[13]

B. Carrara and C. Adams. On acoustic covert channels between air-gapped systems. In International Symposium on Foundations and Practice of Security, pages 3--16. Springer, 2014.

[14]

L. Deshotels. Inaudible sound as a covert channel in mobile devices. In WOOT, 2014.

Digital Library

[15]

W. Enck, P. Gilbert, S. Han, V. Tendulkar, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems (TOCS), 32(2):5, 2014.

Digital Library

[16]

V. D. Gligor. A guide to understanding covert channel analysis of trusted systems. The Center, 1994.

[17]

M. Guri, A. Kachlon, O. Hasson, G. Kedma, Y. Mirsky, and Y. Elovici. Gsmem: Data exfiltration from air-gapped computers over gsm frequencies. In USENIX Security, pages 849--864, 2015.

Digital Library

[18]

M. Guri, G. Kedma, A. Kachlon, and Y. Elovici. Airhopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies. In MALWARE, pages 58--67. IEEE, 2014.

[19]

M. Guri, M. Monitz, Y. Mirski, and Y. Elovici. Bitwhisper: Covert signaling channel between air-gapped computers using thermal manipulations. In Computer Security Foundations Symposium, pages 276--289. IEEE, 2015.

Digital Library

[20]

D. Halperin, W. Hu, A. Sheth, and D. Wetherall. Predictable 802.11 packet delivery from wireless channel measurements. In ACM SIGCOMM Computer Communication Review, volume 40, pages 159--170. ACM, 2010.

Digital Library

[21]

M. Hanspach and M. Goetz. On covert acoustical mesh networks in air. Journal of Communications, 8(11), 2013.

[22]

M. Hanspach and M. Goetz. Recent developments in covert acoustical communications. In Sicherheit, pages 243--254. Citeseer, 2014.

[23]

Y. Hayashi, N. Homma, M. Miura, T. Aoki, and H. Sone. A threat for tablet pcs in public space: Remote visualization of screen images using em emanation. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 954--965. ACM, 2014.

Digital Library

[24]

P. Hu, P. Zhang, and D. Ganesan. Laissez-faire: Fully asymmetric backscatter communication. acm special interest group on data communication, 45(4):255--267, 2015.

Digital Library

[25]

V. Iyer, V. Talla, B. Kellogg, S. Gollakota, and J. Smith. Inter-technology backscatter: Towards internet connectivity for implanted devices. In SIGCOMM, pages 356--369. ACM, 2016.

Digital Library

[26]

B. Kellogg, A. Parks, S. Gollakota, J. R. Smith, and D. Wetherall. Wi-fi backscatter: Internet connectivity for rf-powered devices. ACM SIGCOMM Computer Communication Review, 44(4):607--618, 2015.

Digital Library

[27]

B. Kellogg, V. Talla, S. Gollakota, and J. R. Smith. Passive wi-fi: Bringing low power to wi-fi transmissions. In 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16), pages 151--164. USENIX Association, 2016.

Digital Library

[28]

M. G. Kuhn and R. J. Anderson. Soft tempest: Hidden data transmission using electromagnetic emanations. In International Workshop on Information Hiding, pages 124--142. Springer, 1998.

[29]

B. W. Lampson. A note on the confinement problem. Communications of the ACM, 16(10):613--615, 1973.

Digital Library

[30]

B. Li, S. Zhang, and S. Shen. Csi-based wifi-inertial state estimation.

[31]

V. Liu, A. Parks, V. Talla, S. Gollakota, D. Wetherall, and J. R. Smith. Ambient backscatter: wireless communication out of thin air. In SIGCOMM, pages 39--50. ACM, 2013.

Digital Library

[32]

R. J. Masti, D. Rai, A. Ranganathan, C. Müller, L. Thiele, and S. Capkun. Thermal covert channels on multi-core platforms. In USENIX Security, pages 865--880, 2015.

Digital Library

[33]

N. Matyunin, J. Szefer, S. Biedermann, and S. Katzenbeisser. Covert channels using mobile device's magnetic field sensors. In Asia and South Pacific Design Automation Conference, pages 525--532. IEEE, 2016.

[34]

P. V. Nikitin and K. V. S. Rao. Antennas and propagation in uhf rfid systems. In 2008 IEEE International Conference on RFID, pages 277--288, April 2008.

[35]

E. Novak, Y. Tang, Z. Hao, Q. Li, and Y. Zhang. Physical media covert channels on smart mobile devices. In Proceedings of the 2015 ACM International Joint Conference on Pervasive and Ubiquitous Computing, pages 367--378. ACM, 2015.

Digital Library

[36]

R. Schlegel, K. Zhang, X.-y. Zhou, M. Intwala, A. Kapadia, and X. Wang. Soundcomber: a stealthy and context-aware sound trojan for smartphones. In NDSS, volume 11, pages 17--33, 2011.

[37]

W. Van Eck. Electromagnetic radiation from video display units: An eavesdropping risk? Computers & Security, 4(4):269--286, 1985.

Digital Library

[38]

J. Wang and D. Katabi. Dude, where's my card?: Rfid positioning that works with multipath and non-line of sight. acm special interest group on data communication, 43(4):51--62, 2013.

Digital Library

[39]

R. Want. An introduction to rfid technology. IEEE pervasive computing, 5(1):25--33, 2006.

Digital Library

[40]

P. Zhang, M. Rostami, P. Hu, and D. Ganesan. Enabling practical backscatter communication for on-body sensors. pages 370--383, 2016.

Digital Library

[41]

M. Zhao, F. Adib, and D. Katabi. Emotion recognition using wireless signals. In Proceedings of the 22nd Annual International Conference on Mobile Computing and Networking, pages 95--108. ACM, 2016.

Digital Library

Cited By

Qin QChen KXie YLuo HFang DChen XGanesan DLane NShi W(2024)Pushing the Throughput Limit of OFDM-based Wi-Fi Backscatter CommunicationProceedings of the 30th Annual International Conference on Mobile Computing and Networking10.1145/3636534.3690672(968-983)Online publication date: 4-Dec-2024
https://dl.acm.org/doi/10.1145/3636534.3690672
Liu BGu CHe SChen J(2024)LoPhy: A Resilient and Fast Covert Channel Over LoRa PHYIEEE/ACM Transactions on Networking10.1109/TNET.2024.339881432:5(3792-3807)Online publication date: Oct-2024
https://doi.org/10.1109/TNET.2024.3398814
Yang YGong W(2024)Universal WiFi Backscatter With Ambient Space-Time StreamsIEEE/ACM Transactions on Networking10.1109/TNET.2023.333692232:3(2042-2052)Online publication date: Jun-2024
https://doi.org/10.1109/TNET.2023.3336922
Show More Cited By

Index Terms

NICScatter: Backscatter as a Covert Channel in Mobile Devices
1. Networks
  1. Network types
    1. Cyber-physical networks
2. Security and privacy
  1. Network security
    1. Mobile and wireless security

Recommendations

Inter-Technology Backscatter: Towards Internet Connectivity for Implanted Devices
SIGCOMM '16: Proceedings of the 2016 ACM SIGCOMM Conference

We introduce inter-technology backscatter, a novel approach that transforms wireless transmissions from one technology to another, on the air. Specifically, we show for the first time that Bluetooth transmissions can be used to create Wi-Fi and ZigBee-...
Sensing-enabled channels for hard-to-detect command and control of mobile devices
ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security

The proliferation of mobile computing devices has enabled immense opportunities for everyday users. At the same time, however, this has opened up new, and perhaps more severe, possibilities for attacks. In this paper, we explore a novel generation of ...
Wi-fi backscatter: internet connectivity for RF-powered devices
SIGCOMM '14: Proceedings of the 2014 ACM conference on SIGCOMM

RF-powered computers are small devices that compute and communicate using only the power that they harvest from RF signals. While existing technologies have harvested power from ambient RF sources (e.g., TV broadcasts), they require a dedicated gateway (...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

MobiCom '17: Proceedings of the 23rd Annual International Conference on Mobile Computing and Networking

October 2017

628 pages

ISBN:9781450349161

DOI:10.1145/3117811

General Chair:
Kobus Van der Merwe
University of Utah
,
Program Chairs:
Ben Greenstein
Google, USA
,
Kannan Srinivasan
Ohio State University, USA

Copyright © 2017 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGMOBILE: ACM Special Interest Group on Mobility of Systems, Users, Data and Computing

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 October 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Huawei-HKUST Joint Laboratory
973 Project
RGC
ShanghaiTech University

Conference

MobiCom '17

Sponsor:

SIGMOBILE

MobiCom '17: The 23rd Annual International Conference on Mobile Computing and Networking

October 16 - 20, 2017

Utah, Snowbird, USA

Acceptance Rates

MobiCom '17 Paper Acceptance Rate 35 of 186 submissions, 19%;

Overall Acceptance Rate 440 of 2,972 submissions, 15%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

36
Total Citations
View Citations
903
Total Downloads

Downloads (Last 12 months)57
Downloads (Last 6 weeks)8

Reflects downloads up to 15 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Qin QChen KXie YLuo HFang DChen XGanesan DLane NShi W(2024)Pushing the Throughput Limit of OFDM-based Wi-Fi Backscatter CommunicationProceedings of the 30th Annual International Conference on Mobile Computing and Networking10.1145/3636534.3690672(968-983)Online publication date: 4-Dec-2024
https://dl.acm.org/doi/10.1145/3636534.3690672
Liu BGu CHe SChen J(2024)LoPhy: A Resilient and Fast Covert Channel Over LoRa PHYIEEE/ACM Transactions on Networking10.1109/TNET.2024.339881432:5(3792-3807)Online publication date: Oct-2024
https://doi.org/10.1109/TNET.2024.3398814
Yang YGong W(2024)Universal WiFi Backscatter With Ambient Space-Time StreamsIEEE/ACM Transactions on Networking10.1109/TNET.2023.333692232:3(2042-2052)Online publication date: Jun-2024
https://doi.org/10.1109/TNET.2023.3336922
Jin MHe YLiu YWang X(2024)Covert Communication With Acoustic NoiseIEEE/ACM Transactions on Networking10.1109/TNET.2023.328669232:1(207-221)Online publication date: Feb-2024
https://doi.org/10.1109/TNET.2023.3286692
Li SLi SLiu QSong YZhang CLu L(2024)Watch Out Your Thumb Drive: Covert Data Theft From Portable Data Storage via BackscatterIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.330560721:4(2434-2447)Online publication date: Jul-2024
https://doi.org/10.1109/TDSC.2023.3305607
Guri M(2024)Air-Gap Electromagnetic Covert ChannelIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.330003521:4(2127-2144)Online publication date: Jul-2024
https://doi.org/10.1109/TDSC.2023.3300035
Liu JYu JZhang RWang SYang KAn J(2024)Intelligent Reflecting Surface-Aided Covert Ambient Backscatter CommunicationIEEE Transactions on Communications10.1109/TCOMM.2024.335644172:6(3558-3571)Online publication date: Jun-2024
https://doi.org/10.1109/TCOMM.2024.3356441
Niu JZhang LWang YZhou XChen J(2024)Toward Zero Blind-Zone Backscatter Communications: Real-Time System Design, Implementation, and Experimental EvaluationIEEE Wireless Communications10.1109/MWC.016.220056031:3(406-413)Online publication date: Jun-2024
https://doi.org/10.1109/MWC.016.2200560
Jiang MLiu XLi DGong W(2024)Efficient Two-Way Edge Backscatter with Commodity BluetoothIEEE INFOCOM 2024 - IEEE Conference on Computer Communications10.1109/INFOCOM52122.2024.10621373(1791-1800)Online publication date: 20-May-2024
https://doi.org/10.1109/INFOCOM52122.2024.10621373
Jiang MGong W(2023)Dances with Blues: Harnessing Multi-Frequency Carriers for Commodity Bluetooth BackscatterProceedings of the ACM on Networking10.1145/36291331:CoNEXT3(1-20)Online publication date: 28-Nov-2023
https://dl.acm.org/doi/10.1145/3629133
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

EPUB

View this article in ePub.

Media

Figures

Other

Tables

View Table of Contents