Practical Covert Channels for WiFi Systems

TL;DR

This paper investigates practical WiFi covert channels by analyzing physical layer exploitation, assessing their feasibility, bandwidth, and detectability through extensive performance evaluations.

Contribution

It provides the first practical analysis of WiFi covert channels focusing on physical layer techniques, including design options, feasibility, and detection methods.

Findings

Covert channels can achieve significant bandwidth in WiFi systems.

Certain physical layer features can be exploited for covert communication.

Detection of covert channels varies with the adversary's capabilities.

Abstract

Wireless covert channels promise to exfiltrate information with high bandwidth by circumventing traditional access control mechanisms. Ideally, they are only accessible by the intended recipient and---for regular system users/operators---indistinguishable from normal operation. While a number of theoretical and simulation studies exist in literature, the practical aspects of WiFi covert channels are not well understood. Yet, it is particularly the practical design and implementation aspect of wireless systems that provides attackers with the latitude to establish covert channels: the ability to operate under adverse conditions and to tolerate a high amount of signal variations. Moreover, covert physical receivers do not have to be addressed within wireless frames, but can simply eavesdrop on the transmission. In this work, we analyze the possibilities to establish covert channels in WiFi systems with emphasis on exploiting physical layer characteristics. We discuss design alternatives for selected covert channel approaches and study their feasibility in practice. By means of an extensive performance analysis, we compare the covert channel bandwidth. We further evaluate the possibility of revealing the introduced covert channels based on different detection capabilities.