Research

Security of THz Angularly Dispersive Links

Future 6G networks promise hundred-GHz scale bandwidths thanks to the large spectrum availability above 100 GHz. Unlike current communication systems, large-bandwidth directional transmissions are subject to angular dispersion, in which different carrier frequencies emit towards different angles. Unfortunately, this property can potentially give an eavesdropper (Eve) an advantage, because it creates a widening spatial footprint. In my thesis, I perform the first security analysis for angularly dispersive directional links. Using a combination of theoretical, analytical, and experimental approaches, my work provides a deep understanding of angularly dispersive links under eavesdropping. To this end, the study employs a leaky-wave antenna (LWA), an antenna that exhibits the angular dispersion property, as shown in the figure.

Achieving Security for Angularly Dispersive Links

We first show that, contrary to lower-band links without angular dispersion, THz-scale links with angular dispersion exhibit an unprecedented security conundrum: with angular dispersion, a larger bandwidth creates a wider beamwidth, suggesting that a higher data rate is achieved only at the price of degraded security. Moreover, when Eve is angularly away from Bob, she will receive some frequencies even more strongly than Bob does. Our approach, surprisingly, nearly eliminates this security penalty. Our key observation is that, since different frequencies emit towards slightly different directions in angularly dispersive links, Eve cannot receive all frequency channels simultaneously, and thus Alice and Bob can always use a subset of frequency channels to enable secure transmissions. To exploit the a priori known heterogeneous frequency channels, we further demonstrate that joint coding across frequency channels is required.

We evaluate the secrecy performance of a secure coding strategy by the resulting insecure region, defined as the spatial region within which the message is leaked, at least partially, to Eve; it is shown as the enclosed region in the figure below. We demonstrate that when Alice employs a cross-frequency coding strategy (termed J-SCADL), she exploits the fact that Eve cannot intercept all frequency channels simultaneously, which provides a surprisingly consistent insecure region despite the widening signal footprint as the bandwidth increases. Thus, a higher data rate can be realized with little security penalty. In comparison, independent coding per channel (termed I-SCADL) results in leakage in the subset of frequency channels that Eve can better intercept, causing an undesirable expansion of the insecure area at higher data rates. In experiments, we further demonstrate cross-channel coding’s advantage in addressing practical beam irregularities and asymmetry.

Our results reveal security properties not observed in conventional directional links for future wideband transmissions and emphasize the importance of co-designing the countermeasure strategy and the physical-layer properties.

    • C.-Y. Yeh, Y. Ghasempour, Y. Amarasinghe, D. M. Mittleman, and E. W. Knightly, “Security in Terahertz WLANs with Leaky Wave Antennas,” in Proceedings of ACM WiSec 2020, Linz (Virtual Event), Austria, July 2020.

Sensing Enhanced Security

A sophisticated adversary could exploit the quasi-optical nature of THz beams and employ an object scattering attack in which Eve carefully places an object to reflect signals from Alice to Bob to her location. We showed how Bob can detect even small-scale objects in the middle and estimate their angular location by analyzing the THz-scale spectral fingerprint. The idea is that each location in the spatial domain has a unique frequency signature that can be known a priori based on the antenna’s physics. When Eve places an object that blocks part of the beam, it results in a frequency-selective attenuation at Bob depending on the object’s angular location. By comparing the received spectrum to the known frequency signature without blockage, we demonstrate experimentally that Bob can estimate both the center and the size of the object. Our results show that sensing offers Alice and Bob necessary information for link security.

    • Y. Ghasempour, C.-Y. Yeh, R. Shrestha, Y. Amarasinghe, D. M. Mittleman, and E. W. Knightly, “LeakyTrack: Non-Coherent Single-Antenna Nodal and Environmental Mobility Tracking with a Leaky-Wave Antenna,” in Proceedings of ACM SenSys 2020, Yokohama (Virtual), Japan, November 2020.
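
The spectrum comparison described in this section, sketched as an added example (not code from the cited work): it flags the attenuated frequency band at Bob and maps its edges to angles. The LWA relation sin(theta) = c / (2 b f), the plate separation, the 3 dB threshold, the function names and the sample spectra are all assumptions or constructed values.

```python
import math

C = 299_792_458.0        # speed of light, m/s
PLATE_SEP_M = 1.0e-3     # assumed LWA plate separation b (constructed value)

def emission_angle_deg(freq_hz, b=PLATE_SEP_M):
    """Assumed TE1 parallel-plate LWA model: sin(theta) = c / (2 * b * f)."""
    return math.degrees(math.asin(C / (2 * b * freq_hz)))

def detect_blockage(freqs_hz, baseline_db, received_db, thresh_db=3.0, min_bins=3):
    """Return (center_deg, width_deg) of the longest attenuated run, or None."""
    best, start = None, None
    for i in range(len(freqs_hz) + 1):          # extra pass closes a trailing run
        hit = (i < len(freqs_hz)
               and baseline_db[i] - received_db[i] >= thresh_db)
        if hit and start is None:
            start = i
        elif not hit and start is not None:
            long_enough = i - start >= min_bins  # ignore isolated glitches
            if long_enough and (best is None or i - start > best[1] - best[0]):
                best = (start, i)
            start = None
    if best is None:
        return None
    lo = emission_angle_deg(freqs_hz[best[1] - 1])  # higher frequency, smaller angle
    hi = emission_angle_deg(freqs_hz[best[0]])
    return ((lo + hi) / 2, hi - lo)

def sample_spectra():
    """Constructed data: 200-400 GHz in 5 GHz bins, object shadowing 250-270 GHz."""
    freqs = [(200 + 5 * i) * 1e9 for i in range(41)]
    baseline = [-40.0 - 0.02 * i for i in range(41)]       # known clean signature
    received = []
    for i, f in enumerate(freqs):
        loss = 0.4 * (i % 2)                               # measurement ripple
        if 250e9 <= f <= 270e9:
            loss += 8.0                                    # frequency-selective blockage
        if i == 30:
            loss += 5.0                                    # single-bin glitch at 350 GHz
        received.append(baseline[i] - loss)
    return freqs, baseline, received

if __name__ == "__main__":
    print(detect_blockage(*sample_spectra()))
```

On the constructed spectra the detector reports an object centered near 35.3° spanning about 3.1°, and the single-bin dip at 350 GHz is rejected by the minimum run length.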

Experimental Study of Passive Eavesdropping in Massive MIMO

Massive MIMO (large antenna array) base stations (BSs) are a key feature of emerging 5G and 6G networks. They are believed to have the potential to thwart passive eavesdropping as they create highly focused transmissions. Indeed, the threat of passive eavesdropping has been shown to be negligible when the transmit antenna size approaches infinity for idealized independent Rayleigh channels. We perform the world’s first experimental study of Massive MIMO eavesdropping. Using a 96-element ArgosV2 BS, shown on the right, we identify new vulnerabilities to the eavesdropper (Eve). First, we demonstrate that not only does the intended receiver Bob’s SNR increase with array size but, unfortunately, contrary to the idealized channel model, Eve’s SNR also increases with array size due to channel correlation in her measurements. We further demonstrate how Eve can gain by optimizing her position, not only by being nomadic and searching for the most favorable position, but also by exploiting predictable line-of-sight (LoS) positional vulnerabilities. Specifically, we discovered that Eve gains an advantage simply by sharing the elevation angle with Bob in the LoS scenario. Finally, we demonstrate that Eve’s advantage due to channel correlation can increase with more eavesdropping antennas in the worst case, when she knows the beamforming vector and her channel from Alice. Thus, our experiments demonstrate multiple eavesdropping threats in practical massive MIMO networks, contrary to the widely adopted belief that large antenna arrays are resistant to passive eavesdropping.

    • C.-Y. Yeh and E. W. Knightly. “Eavesdropping in Massive MIMO: New Vulnerabilities and Countermeasures,” IEEE Transactions on Wireless Communications, 20(10):6536-6550, October 2021.
    • C.-Y. Yeh and E. W. Knightly. “Feasibility of Passive Eavesdropping in Massive MIMO: An Experimental Approach,” in Proceedings of IEEE CNS 2018, Beijing, China, May 2018.


Security of Highly-Directional THz Link

Millimeter-wave to THz bands spanning from 100 GHz to 1 THz are a key spectrum frontier for 6G networking and sensing. Highly directional “pencil beams” in such bands are expected to yield Tb/sec data rates and security. Prior works generally consider that Eve’s antenna must be located within the broadcast sector of the transmitting antenna, leading to the conclusion that eavesdropping becomes essentially impossible when the transmitted signal has sufficiently high directionality. We perform the world’s first experimental demonstration of THz eavesdropping and show that the conventional wisdom is unfortunately not true. Our experiments consider a strong adversary that places an object within the pencil beam to scatter or reflect radiation towards Eve, who is located outside of the beam’s footprint, as shown in the right figure. We realize narrow beams with horn antennas having beamwidths from 1.6° to 7.8° for frequencies from 100 GHz to 400 GHz. We find that eavesdropping becomes increasingly difficult with a narrower beam, as the object inevitably blocks a significant portion of the radiation to Bob, which raises an alarm for Alice and Bob. Yet, we demonstrate that eavesdropping is still possible without significantly disturbing the main link using a combination of a specular reflector, precise off-axis object placement, and receiver alignment, as shown in the left figure. Our results demonstrate that a narrow pencil-like beam does not guarantee immunity from eavesdropping when facing an agile eavesdropper.

    • Ma, Jianjun, Rabi Shrestha, Jacob Adelberg, Chia-Yi Yeh, Zahed Hossain, Edward Knightly, Josep Miquel Jornet, and Daniel M. Mittleman. “Security and eavesdropping in terahertz wireless links.” Nature 563, 89-93, October 2018.


Energy-Efficient Cross-Layer Jamming Attack against TCP in 802.11 WLAN (Slides)