0
00:00:00,000 --> 00:00:30,000
Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/561 Thanks!

1
00:00:09,040 --> 00:00:31,059
The next talk is going to be by Jiska, who's working at the university in Darmstadt as a PhD student and mainly working on physical layer security, and you might also know her from embroidery, embroidery machines, difficult work and past C.C.C. game shows.

11
00:00:31,060 --> 00:00:36,009
But today she's talking about building and breaking wireless security.

13
00:00:36,010 --> 00:00:37,229
Give her a warm welcome.

14
00:00:45,960 --> 00:00:52,619
Welcome to my talk about building and breaking wireless security, so I have five sections.

17
00:00:52,620 --> 00:01:06,899
First, I will show you some hardware, and then I will talk about wireless channels, because this is a very physical focused talk and we will need to speak around them to understand how to break and build wireless security.

24
00:01:06,900 --> 00:01:11,950
And in the end, I will give you some hints on how to get started during the Congress.

27
00:01:12,980 --> 00:01:15,769
So first, the hardware.

28
00:01:15,770 --> 00:01:27,559
So for a long time, the only way to do such things that I'm going to show you today was very expensive hardware like spectrum analyzers or oscilloscopes.

33
00:01:27,560 --> 00:01:35,479
And the problem is that private people cannot afford this and you have to go to university or big labs.

36
00:01:35,480 --> 00:01:39,649
But many of you got the rad1o badge during the camp.

38
00:01:39,650 --> 00:01:58,249
And there's also another thing that you can buy called HackRF. And they go up to six gigahertz, or four gigahertz for the rad1o badge, and it has a sample rate of 20 megasamples per second, which means you can even transmit and receive Wi-Fi with it.

46
00:01:58,250 --> 00:02:03,539
So very cool hardware, and you can also buy it if you don't have one, the HackRF.

49
00:02:03,540 --> 00:02:10,879
But some of you might say, well, 200 euros, it's still too much because I'm just a student.

53
00:02:10,880 --> 00:02:15,889
And there's another option, which is DVB-T sticks, and you can still do great things with them.

56
00:02:15,890 --> 00:02:25,990
So they are in a range where you can do things like decoding car keys, decoding bus transmissions, decoding GSM, for example.

61
00:02:27,080 --> 00:02:44,149
And then there is a cheap option for transmissions, the Raspberry Pi, where you can just connect one of the GPIO pins to a long antenna wire, and then you just modulate a signal on the GPIO pin and you get a low frequency signal.

69
00:02:44,150 --> 00:02:51,919
However, it's not the nicest signal. So if you want to have something cheap, yeah, OK. But it's not the best option to do this.

73
00:02:53,670 --> 00:03:00,719
So just to get a short impression, how many of you have any of this hardware I just mentioned to you? Wow, great.

77
00:03:04,430 --> 00:03:14,499
So now I'm going to talk about the concept of wireless channels. So a wireless channel can be imagined as follows.

81
00:03:14,500 --> 00:03:28,609
So you have Alice and she is transmitting a sine wave towards the receiver, Bob or Charlie or whoever; this amplitude first gets lower. So the signal power is not that much anymore.

88
00:03:28,610 --> 00:03:40,590
And over distance, you also get within the sine wave a phase shift. So the channel between Alice and Bob basically is the amplitude and phase change.

94
00:03:42,660 --> 00:03:48,989
And now the next thing is that there is even more than just a line of sight.

97
00:03:48,990 --> 00:04:04,379
So there is, for example, on walls, you have absorption, but also you might get a reflection on a wall. And at this point in time, you have two paths which might hit a receiver.

104
00:04:04,380 --> 00:04:22,018
And at a receiver, this happens with a time offset, and this looks like a very strong signal first in the time domain, and then you might get a lower copy of the signal from the second path and so on. So you get the impulse response in the time domain.

112
00:04:22,019 --> 00:04:32,879
And the next part is that you also get a frequency response, which means these path effects are different per frequency.

117
00:04:32,880 --> 00:04:44,529
So, for example, if you have a prism, then, you know, light has different frequency components which break in a prism, and you get the same effect for different frequencies and objects.

123
00:04:44,530 --> 00:04:56,759
So you also get a frequency response because you have different paths per frequency, and even worse, transmitters and receivers and objects in between, they all might move.

129
00:04:56,760 --> 00:05:10,109
And you can think of a moving transmitter as shrinking, like a shrinking sine wave in one direction and in the other direction. So you have a frequency offset just from moving objects in between.

135
00:05:10,110 --> 00:05:13,240
And all these things are path effects, which you can measure.

137
00:05:14,370 --> 00:05:21,119
And now the question is, OK, we have all these measurements, but how can we use this to break wireless security?

140
00:05:21,120 --> 00:05:28,199
So typically network security is done as follows. So you have an upper layer and you have some cryptography there.

144
00:05:28,200 --> 00:05:49,499
And on the upper layer, the problem is, well, you have, for example, TLS or WPA2, and whatever you do there, you always get some bits as output, and these bits then are just transferred into a waveform. And the waveform in the end is the thing that leaves the antenna, and nobody really cares about this.

154
00:05:50,880 --> 00:05:55,799
So first of all, cryptography has a big problem, which is eavesdropping.

157
00:05:55,800 --> 00:06:17,160
And you can assume if you eavesdrop something today, you can decrypt it in 20 years for very, very sure, just because of computation power. And if there is some other flaw in the implementation, maybe even earlier, and everybody in wireless transmission range can just eavesdrop without being noticed and decode the signal later.

167
00:06:18,180 --> 00:06:25,679
The next problem is that if you have multiple eavesdroppers, they can locate the signal source.

170
00:06:25,680 --> 00:06:36,059
And the problem there is that the signal source then is no more. And it's just, you know, the position and privacy is gone.

174
00:06:36,060 --> 00:06:42,180
And also multiple or better antennas can enhance the reception range for the eavesdropper.

177
00:06:44,010 --> 00:07:02,389
And you can also inject signals, which means normally at a receiver all signals just add up. And if there is a low and a high signal, that just adds up, and the receiver just has an automatic gain control, takes the strongest signal and is happy.

185
00:07:02,390 --> 00:07:08,980
So whatever you have, the one who is sending, let's say, the loudest is the one who will be interpreted.

189
00:07:10,950 --> 00:07:24,779
And maybe many, many people, you thought this is the main topic of this talk, which is protocol reverse engineering, but it is not. However, I'm just shortly telling you about it because this might be your expectation.

196
00:07:24,780 --> 00:07:29,609
So normally you just see some wireless transmissions going on.

199
00:07:29,610 --> 00:07:50,079
You are eavesdropping, and then you try to find out the bits in the signal, which is most of the time not that complicated because there are so many popular modulation schemes, and you just try some popular things, and then you try to map some bits to the actual content that you are expecting.

208
00:07:50,080 --> 00:08:07,460
So, for example, you say this thing might be a bus stop display, and you know names of bus stops, and then you try to map it and just see what I did two years ago. And she did it with a simple device, a DVB-T stick, nothing else, and she decoded the bus stop display.

216
00:08:09,300 --> 00:08:14,489
So another thing is what I'm holding, which is also still a little bit upper layer.

219
00:08:14,490 --> 00:08:33,928
So you might have an electronic passport, and you might have a server in between and then a reader. And even if they have some signatures, you can still forward everything and it's working, and you can eavesdrop on the transmission between the passport and the reader.

228
00:08:33,929 --> 00:08:52,150
However, this takes some milliseconds, and some milliseconds with speed of light, with just the speed of wireless waves, transmissions would be thousands of kilometers, so you might want to measure the time, and now the idea of measuring the time becomes more physical.

237
00:08:53,010 --> 00:08:58,609
But there have been some cryptographic protocols and people say, wow, it's so secure, we proved it.

240
00:08:58,610 --> 00:09:10,789
For example, you just have bit challenges, and you say a receiver has to first read a bit before you can spoof the bit again.

245
00:09:10,790 --> 00:09:28,979
And what you can also do on wireless: the bit actually is a waveform. And you might just read the first few percent of the waveform, let's say the first 20 percent of the waveform. And then you can say for pretty sure it might be a one or a zero.

254
00:09:28,980 --> 00:09:43,559
And this means you can shorten the time of interpreting a bit and spoofing it again, which means you can shorten the distance, or actually travel in time and predict something before you actually should be able to predict it.

261
00:09:43,560 --> 00:09:53,050
And this is a very big problem. For example, if you have a car key and you can shorten the distance and the distance measurement, it's a big issue.

266
00:09:54,900 --> 00:10:08,319
And another thing that I wanted to show you is reactive jamming. Reactive jamming means you have multiple participants in the network and you want to jam certain things in this network.

272
00:10:08,320 --> 00:10:18,239
For example, you might only want to jam Alice. And whenever you see Alice's MAC address, you jam into her frame and break it.

277
00:10:18,240 --> 00:10:34,109
And the nice thing about Wi-Fi is that Wi-Fi actually tries to avoid collisions. And the more collisions happen and the more packets don't get through the network, the worse the situation gets, because it just thinks, well, there's much contention.

285
00:10:34,110 --> 00:10:49,529
And then she has a backoff time and increases the time slots in which she tries to send again. And she's even sending less often and less often because all her transmissions fail, and you just test them less often and get all the bandwidth.

293
00:10:49,530 --> 00:10:58,750
And you can do this, for example, also if you just break some Wi-Fi firmware, and you can get all the bandwidth for just fifteen dollars. Great.

298
00:11:00,870 --> 00:11:08,249
And you might also build some security by jamming. And there is the idea of just jamming everything around you.

301
00:11:08,250 --> 00:11:39,340
So you just have a communication, and then you can say, if this jam signal is pseudorandom, generated by a key, then everybody who has the key can subtract the pseudorandom signal again, because he or she can calculate it and then subtract it, and it just becomes zero. And you have no more noise in the transmission from the data source, which is overlapped by the jamming signal.

315
00:11:40,470 --> 00:11:49,199
However, there's an attack for this. So actually this was used to build authorization and confidentiality.

319
00:11:49,200 --> 00:12:02,579
But there is an attack, because if you have two eavesdropping channels towards the jammer, then you get two times the same jamming signal on both antennas. We have the same phase and amplitude in the signal.

325
00:12:02,580 --> 00:12:10,019
However, the data source, which you can see there, has two different distances, which means two different channels.

328
00:12:10,020 --> 00:12:36,280
So you have a slight phase offset in this. And when you now subtract the two received eavesdropping signals from each other, then the jamming signal just gets zero again. But the data signal adds up because of the phase shift, so you can reconstruct everything even though there was a jamming signal.

340
00:12:39,030 --> 00:12:53,549
And another scary thing is actually seeing through walls with Wi-Fi. So normally you would build a radar system which scans through different positions, and then you get reflections.

347
00:12:53,550 --> 00:13:12,539
However, you can also do this with a single antenna, like on your rad1o badge. And from then on you get reflections from objects, and objects are moving. The rest is stable, everything else is not moving. Only people are moving in the building, and they have reflections.

356
00:13:12,540 --> 00:13:22,739
And you can think of this the same way as of a radar system because of the symmetric channel, because the channel is valid in both directions.

361
00:13:22,740 --> 00:13:33,329
And by this you can actually identify and track movements, and you can even do something like gesture communication through walls. So, you know, that's a person and the person is sitting on a couch.

367
00:13:36,330 --> 00:13:58,379
And it gets even more scary, because something that you can do with more antennas is even detect live lip movements of people or loudspeaker movements, because the membrane is vibrating. And even more scary: on your phone, the audio chip and the Wi-Fi chip are located very close to each other.

377
00:13:58,380 --> 00:14:11,259
And when you have Wi-Fi transmissions while you have a phone call, then the audio of the phone call causes the Wi-Fi chip to vibrate. And these vibrations can be measured to reconstruct your audio.

383
00:14:11,260 --> 00:14:19,060
And it's all working through walls. You don't see the attacker, OK?

386
00:14:25,750 --> 00:14:45,680
And because this might have been a bit scary, I'm also going now to my second part of the talk, which is how we can build security with waves. So we might have cryptography or not. We might have some bits in the end, and we will try to do the magic on the waveform.

396
00:14:46,750 --> 00:15:00,489
So what can we do? Something that you might know from cryptography is the one-time pad, which basically means that you have a key which is as long as your plaintext, and the key is only used once.

403
00:15:00,490 --> 00:15:13,629
And for example, Alice has a key and Bob has a key, which is one terabyte large, and they exchange information until they reach the one terabyte limit, and then they need to exchange another key before they can exchange more data.

410
00:15:13,630 --> 00:15:26,199
The good thing about this is that an eavesdropper cannot do any calculation on this. So if you have an NSA attacker, for example, with unlimited calculation resources, the attacker will not be successful.

416
00:15:26,200 --> 00:15:38,180
However, in practice, you would need to share your key with all servers that you have contact with. So it's very impractical, and it's symmetric, so another key for each server.

422
00:15:39,850 --> 00:16:01,869
In the wireless domain there is something similar, the wiretap channel, where you have the assumption that each channel is different. And this means that the channel between Alice and Bob and Alice and the eavesdropper might be different, in the way that Eve has, for example, 10 percent less information than Bob would get.

433
00:16:01,870 --> 00:16:08,049
And this 10 percent information advantage can be used for confidential data transmission.

436
00:16:08,050 --> 00:16:24,360
However, in practice, the problem is that we don't know the position of the eavesdropper, and they might have multiple antennas or a very good antenna and might not have a disadvantage. So it's hard to estimate your advantage over the eavesdropper.

444
00:16:26,590 --> 00:16:40,479
But this doesn't matter if you do key extraction with the same thing. So you say channels are symmetric or reciprocal, and this means that you can generate symmetric keys out of a channel.

450
00:16:40,480 --> 00:16:50,849
So you have the phase and amplitude information and all the other responses that I told you about. And you can really build keys from that and use them in upper layer protocols.

455
00:16:50,850 --> 00:17:05,440
The only problem is, if you implement this, for example, with the received signal strength indicator, which is propagated by Wi-Fi chips to upper layers, this is just an added value, and it can even be predictable depending on your distance.

462
00:17:06,550 --> 00:17:12,349
So you shouldn't use the received signal strength, for example. But there are good metrics that you can use for this.

466
00:17:14,020 --> 00:17:24,219
And to build confidentiality, you can also use covert channels, which means you are not doing something like encryption, but you just try to hide information.

471
00:17:24,220 --> 00:17:39,069
And normally, when you have a transmission, then you have, for example, different phases, and then two or three representing bits. So let's say the yellow cloud is the thing which actually was one point at the transmission, representing the bits 00.

479
00:17:39,070 --> 00:17:52,959
And then at reception you will get another thing, which means a cloud, because of the channel; the channel modified slightly the transmission at the receiver.

485
00:17:52,960 --> 00:18:09,669
And you can introduce some more artificial noise to actually encode some data in this and hide it. And as long as you keep within these squares, this is not propagated to any upper layer. No transmission errors occur.

493
00:18:09,670 --> 00:18:26,799
And if you do this in a good way, so that the statistics are still OK of this error, then you might even not be detected by a software defined radio. And something else is just happening, I already told it for short.

501
00:18:26,800 --> 00:18:40,520
In the time traveling scenario, you can use this for authentication and authorization, but I would only use it as a second factor, because you never know if someone is there who can slightly shorten the time for some reason.

508
00:18:41,470 --> 00:19:00,039
And another thing you can use is device fingerprinting, because each device, when it's manufactured, has some differences. And these differences also will change the transmission behavior. Everything is still within the standard.

516
00:19:00,040 --> 00:19:02,259
But you can first of all identify

517
00:19:02,260 --> 00:19:04,929
devices so you can track a device

518
00:19:04,930 --> 00:19:07,029
and you can also classify

519
00:19:07,030 --> 00:19:09,219
devices, which means you can say this

520
00:19:09,220 --> 00:19:11,349
device is from this vendor, this device

521
00:19:11,350 --> 00:19:13,119
is from the other vendor, and maybe you

522
00:19:13,120 --> 00:19:15,309
just exclude

523
00:19:15,310 --> 00:19:17,229
some vendors from your network if you

524
00:19:17,230 --> 00:19:18,639
want this.

525
00:19:18,640 --> 00:19:20,769
The only problem here is

526
00:19:20,770 --> 00:19:22,479
that you really need a very good

527
00:19:22,480 --> 00:19:24,889
measurement of this

528
00:19:24,890 --> 00:19:27,499
fingerprint, because otherwise

529
00:19:27,500 --> 00:19:30,209
some properties might be easily spoofed,

530
00:19:30,210 --> 00:19:32,060
so you really need a good measurement.

531
00:19:34,310 --> 00:19:36,529
So and there's even more, which I

532
00:19:36,530 --> 00:19:38,869
only will tell in very short,

533
00:19:38,870 --> 00:19:41,000
for example, you can build and

534
00:19:43,040 --> 00:19:45,829
it for pacemakers

535
00:19:45,830 --> 00:19:48,140
and other implantable devices,

536
00:19:50,000 --> 00:19:52,099
which protects you from

537
00:19:52,100 --> 00:19:54,299
terrorists. So it just varied in addition

538
00:19:54,300 --> 00:19:56,569
to sending a signal or you can

539
00:19:56,570 --> 00:19:58,639
build integrity with an of coding

540
00:19:58,640 --> 00:20:00,709
or you can implement

541
00:20:00,710 --> 00:20:02,269
oblivious transfer protocols on the

542
00:20:02,270 --> 00:20:04,279
physical layer. And you can also do

543
00:20:04,280 --> 00:20:06,589
location fingerprinting because of

544
00:20:06,590 --> 00:20:08,049
all these different channels.

545
00:20:09,770 --> 00:20:11,839
And now the question is where to start?

546
00:20:11,840 --> 00:20:14,209
There are people here who are thinking

547
00:20:14,210 --> 00:20:16,279
about these things, at least to some

548
00:20:16,280 --> 00:20:18,589
extent. So there is

549
00:20:18,590 --> 00:20:21,409
one assembling the data, 23

550
00:20:21,410 --> 00:20:23,539
Connellsville, which

551
00:20:23,540 --> 00:20:25,489
is located close to the food.

552
00:20:25,490 --> 00:20:27,379
Then there's the radio assembly from the

553
00:20:27,380 --> 00:20:29,509
radio, which they are in

554
00:20:29,510 --> 00:20:31,079
all three.

555
00:20:31,080 --> 00:20:33,379
And if you are just listening

556
00:20:33,380 --> 00:20:35,509
right now, you can also just get a ham

557
00:20:35,510 --> 00:20:37,429
radio license. And it's not too hard.

558
00:20:37,430 --> 00:20:39,679
It's just a multiple choice test

559
00:20:39,680 --> 00:20:41,119
and it's not expensive.

560
00:20:41,120 --> 00:20:42,769
So you should do it.

561
00:20:42,770 --> 00:20:44,839
And then you are allowed to transmit on

562
00:20:44,840 --> 00:20:47,959
frequencies, on lots of frequencies,

563
00:20:47,960 --> 00:20:50,029
and maybe you just want

564
00:20:50,030 --> 00:20:52,279
to record something like all your car keys

565
00:20:52,280 --> 00:20:54,379
and then share it to experts and ask

566
00:20:54,380 --> 00:20:56,839
them about these things.

567
00:20:56,840 --> 00:20:58,969
Or maybe you are

568
00:20:58,970 --> 00:21:01,009
still a student and then maybe your

569
00:21:01,010 --> 00:21:02,579
university is offering something.

570
00:21:02,580 --> 00:21:04,519
So at least in Darmstadt we're offering

571
00:21:04,520 --> 00:21:06,649
lectures. And there's also a mailing

572
00:21:06,650 --> 00:21:08,779
list on this topic that I could offer

573
00:21:08,780 --> 00:21:11,149
people.
And they are also talking

574
00:21:11,150 --> 00:21:13,429
about which university

575
00:21:13,430 --> 00:21:15,529
is doing ham radio or software defined

576
00:21:15,530 --> 00:21:16,530
radio things.

577
00:21:18,110 --> 00:21:19,589
So thank you for listening.

578
00:21:19,590 --> 00:21:21,500
And now I will take questions.

579
00:21:35,680 --> 00:21:37,779
I see no one running to

580
00:21:37,780 --> 00:21:38,860
the microphones.

581
00:21:40,630 --> 00:21:42,819
Well, maybe I have just been talking

582
00:21:42,820 --> 00:21:43,869
too fast.

583
00:21:46,030 --> 00:21:48,639
The Internet has any questions?

584
00:21:48,640 --> 00:21:49,599
Yeah, sort of.

585
00:21:49,600 --> 00:21:51,789
So does

586
00:21:51,790 --> 00:21:54,159
802.1X,

587
00:21:54,160 --> 00:21:56,499
so EAP-TLS, help against

588
00:21:56,500 --> 00:21:57,500
eavesdropping?

589
00:21:58,400 --> 00:22:00,759
Well, not really, because on the physical

590
00:22:00,760 --> 00:22:03,319
layer, you can always eavesdrop,

591
00:22:03,320 --> 00:22:05,599
it's I mean, the question

592
00:22:05,600 --> 00:22:08,059
actually is if there is

593
00:22:08,060 --> 00:22:08,989
encryption or not.

594
00:22:08,990 --> 00:22:10,879
And I mean, of course, encryption helps

595
00:22:10,880 --> 00:22:12,859
you against eavesdropping, but it does

596
00:22:12,860 --> 00:22:15,109
not help you from actually recording

597
00:22:15,110 --> 00:22:17,329
the bits. And you might decode them,

598
00:22:17,330 --> 00:22:19,319
as I said, in 20 years.

599
00:22:19,320 --> 00:22:21,589
So whenever you see a standard which is

600
00:22:21,590 --> 00:22:23,749
older than 20 years, I assume

601
00:22:23,750 --> 00:22:25,519
it is broken and maybe it's just not

602
00:22:25,520 --> 00:22:28,009
published because of some legal reasons.

603
00:22:30,620 --> 00:22:33,559
Now, there's someone on microphone one.

604
00:22:33,560 --> 00:22:35,539
Uh, have you ever played around with the

605
00:22:35,540 --> 00:22:36,540
USRP?

606
00:22:37,790 --> 00:22:38,779
A little bit.

607
00:22:38,780 --> 00:22:41,179
Normally, I'm using another platform,

608
00:22:41,180 --> 00:22:43,789
which is called WARP, and,

609
00:22:43,790 --> 00:22:45,949
um, but it's about the same

610
00:22:45,950 --> 00:22:46,950
thing.

611
00:22:47,420 --> 00:22:49,379
But is it cheaper?

612
00:22:49,380 --> 00:22:51,529
No, it's seven thousand instead of seven

613
00:22:51,530 --> 00:22:52,530
hundred.

614
00:22:54,740 --> 00:22:57,169
And microphone

615
00:22:57,170 --> 00:22:58,170
four, please.

616
00:22:59,810 --> 00:23:02,959
I was wondering if any of these attacks

617
00:23:02,960 --> 00:23:03,859
do you know if they were already

618
00:23:03,860 --> 00:23:06,019
implemented on open

619
00:23:06,020 --> 00:23:08,120
source firmware or drivers

620
00:23:09,170 --> 00:23:10,309
on 802.11?

621
00:23:11,360 --> 00:23:13,849
Yes. So there is,

622
00:23:13,850 --> 00:23:16,099
for example, an implementation for

623
00:23:17,240 --> 00:23:19,909
just the Wi-Fi protocol for

624
00:23:19,910 --> 00:23:21,979
USRP and HackRF

625
00:23:21,980 --> 00:23:23,659
and it's working on the radio, which I

626
00:23:23,660 --> 00:23:24,679
already tried it.

627
00:23:24,680 --> 00:23:27,169
You can find it on GitHub

628
00:23:27,170 --> 00:23:28,219
for the attacks.

629
00:23:28,220 --> 00:23:29,220
I mean,

630
00:23:31,160 --> 00:23:33,049
all the things I should have at least

631
00:23:33,050 --> 00:23:35,059
some implementation papers.

632
00:23:35,060 --> 00:23:37,189
So there are some sources on the bottom,

633
00:23:37,190 --> 00:23:39,349
but I don't know which of

634
00:23:39,350 --> 00:23:40,339
them are open source.

635
00:23:40,340 --> 00:23:42,439
So some of them are, but I don't know if

636
00:23:42,440 --> 00:23:43,440
all of them are.

637
00:23:45,650 --> 00:23:47,930
And microphone number three, please.

638
00:23:49,100 --> 00:23:50,119
Thanks.

639
00:23:50,120 --> 00:23:52,279
First, thanks for the talk.

640
00:23:52,280 --> 00:23:54,139
If you have a repeater in your network,

641
00:23:54,140 --> 00:23:55,609
shouldn't you be able

642
00:23:55,610 --> 00:23:57,709
to locate yourself

643
00:23:57,710 --> 00:23:59,659
better than any other so that you can

644
00:23:59,660 --> 00:24:00,710
exclude any structure?

645
00:24:02,090 --> 00:24:04,219
Why should I be able to exclude

646
00:24:04,220 --> 00:24:06,859
an eavesdropper if I can locate myself?

647
00:24:06,860 --> 00:24:08,969
If it's possible to

648
00:24:08,970 --> 00:24:11,089
calculate where you are, you

649
00:24:11,090 --> 00:24:12,769
should be able to just give yourself the

650
00:24:12,770 --> 00:24:13,069
signal.

651
00:24:13,070 --> 00:24:14,070
Right.

652
00:24:14,300 --> 00:24:17,269
Yes, but the eavesdropper is passive.

653
00:24:17,270 --> 00:24:19,309
I mean, this is not sending anything,

654
00:24:19,310 --> 00:24:20,749
it's just a receiver.

655
00:24:20,750 --> 00:24:22,819
How should you know if the receiver.

656
00:24:24,970 --> 00:24:27,819
OK, one

657
00:24:27,820 --> 00:24:29,770
microphone, one, please.

658
00:24:31,060 --> 00:24:32,079
Thanks for the talk

659
00:24:33,160 --> 00:24:35,409
as part of an authentication

660
00:24:35,410 --> 00:24:37,029
protocol.

661
00:24:37,030 --> 00:24:39,489
Couldn't we use hardware that implements

662
00:24:39,490 --> 00:24:41,319
directed antennas to provide extra

663
00:24:41,320 --> 00:24:43,929
security by locking out eavesdroppers,

664
00:24:43,930 --> 00:24:45,429
by not providing them with the signal in

665
00:24:45,430 --> 00:24:46,789
the first place?

666
00:24:46,790 --> 00:24:49,029
Yes. So there

667
00:24:49,030 --> 00:24:50,859
has been, for example, the new 60

668
00:24:50,860 --> 00:24:51,969
gigahertz standard.

669
00:24:51,970 --> 00:24:54,489
It has these very narrow

670
00:24:54,490 --> 00:24:55,490
antenna beams,

671
00:24:56,620 --> 00:24:59,079
but you still get reflections.

672
00:24:59,080 --> 00:25:01,149
So, um,

673
00:25:01,150 --> 00:25:03,669
we really did it in experiments

674
00:25:03,670 --> 00:25:05,289
and we measured that.

675
00:25:05,290 --> 00:25:07,419
You get, for example, if you have a cup

676
00:25:07,420 --> 00:25:09,599
in the middle of a transmission, then it

677
00:25:09,600 --> 00:25:12,579
has a surface which is also

678
00:25:12,580 --> 00:25:14,919
bent, some of the rest

679
00:25:14,920 --> 00:25:16,119
like round.

680
00:25:16,120 --> 00:25:18,309
And so you can just put simple

681
00:25:18,310 --> 00:25:20,439
objects in the room, which cause

682
00:25:20,440 --> 00:25:22,660
reflections that you still can eavesdrop

683
00:25:25,090 --> 00:25:26,739
and the Internet again.

684
00:25:28,210 --> 00:25:30,249
So you said something about a receiver

685
00:25:30,250 --> 00:25:32,349
fingerprint. Can you give an example for

686
00:25:32,350 --> 00:25:34,689
that receiver?

687
00:25:34,690 --> 00:25:36,909
I said transmitter fingerprint.

688
00:25:36,910 --> 00:25:39,039
OK, so

689
00:25:39,040 --> 00:25:41,109
they are asking for an example apart from

690
00:25:41,110 --> 00:25:42,110
the MAC address.

691
00:25:44,310 --> 00:25:46,379
But the MAC address, I mean, the

692
00:25:46,380 --> 00:25:48,719
MAC address is still above

693
00:25:48,720 --> 00:25:50,459
the physical layer.

694
00:25:50,460 --> 00:25:52,919
So a fingerprint would be,

695
00:25:52,920 --> 00:25:55,049
for example, when you switch

696
00:25:56,280 --> 00:25:58,529
your device on when

697
00:25:58,530 --> 00:26:00,659
sending, then you have a certain

698
00:26:00,660 --> 00:26:03,179
characteristic how the signal starts

699
00:26:03,180 --> 00:26:05,789
when turning on the device.

700
00:26:05,790 --> 00:26:07,349
This might be a characteristic.

701
00:26:10,030 --> 00:26:12,429
And microphone one,

702
00:26:12,430 --> 00:26:14,959
I think, have you already tested

703
00:26:14,960 --> 00:26:17,169
the voice eavesdropping and

704
00:26:17,170 --> 00:26:19,359
how complicated it is.

705
00:26:19,360 --> 00:26:21,489
I didn't test it, but

706
00:26:21,490 --> 00:26:23,289
there is a video on YouTube.

707
00:26:23,290 --> 00:26:25,569
So this has been published at MobiCom

708
00:26:25,570 --> 00:26:28,209
this year during September,

709
00:26:28,210 --> 00:26:30,369
I think MobiCom has been, and

710
00:26:30,370 --> 00:26:32,470
just Google the

711
00:26:33,640 --> 00:26:36,729
Viper Matri and MobiCom

712
00:26:36,730 --> 00:26:38,080
and there's the video.

713
00:26:39,100 --> 00:26:40,439
Thank you.

714
00:26:40,440 --> 00:26:42,879
And microphone four.

715
00:26:42,880 --> 00:26:45,279
It's naturally trivial to locate

716
00:26:45,280 --> 00:26:48,279
a single omnidirectional source

717
00:26:48,280 --> 00:26:49,279
for an article.

718
00:26:49,280 --> 00:26:51,489
All the fancy things I can do to consume

719
00:26:51,490 --> 00:26:54,359
up and put my position was

720
00:26:54,360 --> 00:26:57,039
directed or multiple

721
00:26:57,040 --> 00:26:58,269
Sondos.

722
00:26:58,270 --> 00:27:00,339
You mean you want to obfuscate your own

723
00:27:00,340 --> 00:27:01,569
location? Yes.

724
00:27:01,570 --> 00:27:03,739
Where I'm standing from because I was

725
00:27:03,740 --> 00:27:04,749
single.

726
00:27:04,750 --> 00:27:07,389
So yes,

727
00:27:07,390 --> 00:27:09,429
let's say it's possible you can craft

728
00:27:09,430 --> 00:27:11,709
another signal, other locations, but

729
00:27:11,710 --> 00:27:14,199
I would really call it a kind of antenna.

730
00:27:14,200 --> 00:27:16,149
So if you have an eavesdropper having

731
00:27:16,150 --> 00:27:17,709
more antennas, then you can still be

732
00:27:17,710 --> 00:27:18,729
localized and so on.

733
00:27:18,730 --> 00:27:21,009
So it's a question of costs.

734
00:27:21,010 --> 00:27:22,429
Not really.

735
00:27:22,430 --> 00:27:24,219
So maybe you have more antennas than the

736
00:27:24,220 --> 00:27:25,809
eavesdropper. OK, then you are safe

737
00:27:25,810 --> 00:27:27,699
again, then the eavesdropper has more antennas and so

738
00:27:27,700 --> 00:27:28,809
on.

739
00:27:28,810 --> 00:27:29,810
Thank you.

740
00:27:31,510 --> 00:27:34,159
Um, I see no more questions.

741
00:27:34,160 --> 00:27:36,279
One more question on microphone number

742
00:27:36,280 --> 00:27:37,280
four.

743
00:27:38,980 --> 00:27:41,139
And you briefly mentioned something about

744
00:27:41,140 --> 00:27:43,329
a wormhole, probably use

745
00:27:43,330 --> 00:27:46,119
some kind of bridging to connect

746
00:27:46,120 --> 00:27:48,219
devices that aren't supposed

747
00:27:48,220 --> 00:27:50,049
to be connected because they're too far

748
00:27:50,050 --> 00:27:51,050
away.

749
00:27:51,670 --> 00:27:54,339
Do any real world systems actually detect

750
00:27:54,340 --> 00:27:56,559
this kind of attack or can

751
00:27:56,560 --> 00:27:58,929
you just basically use it to

752
00:27:58,930 --> 00:28:00,879
fake your password?

753
00:28:00,880 --> 00:28:03,009
And someone

754
00:28:03,010 --> 00:28:04,899
who actually has the password is somebody

755
00:28:04,900 --> 00:28:07,069
completely different for

756
00:28:07,070 --> 00:28:08,829
that scenario that I showed with the

757
00:28:08,830 --> 00:28:11,139
passport. It's working and

758
00:28:11,140 --> 00:28:13,479
it's also working for our Mensa

759
00:28:13,480 --> 00:28:15,579
cards at my university.

760
00:28:15,580 --> 00:28:17,719
So there's lots of things which are

761
00:28:17,720 --> 00:28:19,809
working. There's maybe

762
00:28:19,810 --> 00:28:21,519
also things that do distance bounding and

763
00:28:21,520 --> 00:28:22,899
then it's not working, of course.

764
00:28:22,900 --> 00:28:24,969
And students in our group implemented

765
00:28:24,970 --> 00:28:26,379
this. So you can really download the

766
00:28:26,380 --> 00:28:28,329
source, install the app on your phone and

767
00:28:28,330 --> 00:28:29,330
do this.

768
00:28:30,010 --> 00:28:31,010
Thank you.

769
00:28:32,410 --> 00:28:34,659
So no,

770
00:28:34,660 --> 00:28:36,939
actually. And does the Internet

771
00:28:36,940 --> 00:28:39,249
have any questions anymore?

772
00:28:39,250 --> 00:28:41,709
No questions in the room anymore.

773
00:28:41,710 --> 00:28:44,229
So why would you want a

774
00:28:44,230 --> 00:28:47,649
finished before the time is over?

775
00:28:47,650 --> 00:28:48,549
Thank you very much.

776
00:28:48,550 --> 00:28:50,290
And give a warm hand to discuss.