ACM WiSec 2021. Openwifi CSI fuzzer for authorized sensing and covert channels

CSI (Channel State Information) of WiFi systems is available in some WiFi chips and can be used to sense the environment (keystrokes, people, objects) passively and secretly.

Concept

How could a CSI fuzzer stop unauthorized sensing?

CSI fuzzer implementation principle.

Demo instructions

Thanks to the full-duplex capability and CSI extraction feature of openwifi, you can monitor the artificial channel response via the side channel, through Tx-Rx over-the-air coupling, without affecting the normal operation or traffic of openwifi. Before fuzzing the CSI, follow the "WiFi CSI radar via self CSI capturing" app note to set up normal self CSI monitoring.

Then, start another ssh session to the openwifi board:

ssh [email protected]
(password: openwifi)

cd openwifi

./csi_fuzzer_scan.sh 1
(CSI fuzzer applies possible artificial CSI by scanning all values)
(csi_fuzzer.sh is called. Please read both scripts to understand these commands)

Now you should see the CSI changing continuously, as in this video.

Further explanation on parameters

CSI fuzzer in openwifi system architecture and related commands.

Example fuzzed CSI

CSI self-monitoring before fuzzing.

CSI self-monitoring after fuzzing command: ./csi_fuzzer.sh 1 45 0 13

csi_fuzzer_scan.sh can scan c1 and c2 in different styles/modes by calling csi_fuzzer.sh.