Attacks on Public WLAN based Positioning Systems

Attacks on Public WLAN based Positioning Systems

In this work, we study the security of public WLAN-based positioning systems. Specifically, we investigate the Skyhook positioning system, available on PCs and used on a number of mobile platforms, including Apple’s iPod touch and iPhone. By implementing and analyzing several kinds of attacks, we demonstrate that this system is vulnerable to location spoofing and location database manipulation. In both, the attacker can arbitrarily change the result of the localization at the victim device, by either impersonating remote infrastructure or by tampering with the service database. Our attacks can easily be replicated and we conjecture that-without appropriate countermeasures-public WLAN-based positioning should therefore be used with caution in safety-critical contexts. We further discuss several approaches for securing WLAN-based positioning systems. Categories and Subject Descriptors In the last decade, researchers have proposed a number of WLAN positioning techniques for (local area) wireless networks [7,12,23,54]. The applications of these techniques are broad and range from improving networking functions (i.e., position-based routing) to enabling location-related applications (e.g., access control and data harvesting). WLAN positioning systems are now being commercialized and are being used as a substitution and/or complement to the Global Positioning System . One such system is the Wi-Fi positioning system (WPS) from Skyhook , available for PCs (as a plug-in) and on a number of mobile platforms, including the Apple iPod touch and iPhone as well as Nokia mobile phones based on Symbian . The resulting position can also be used by other services, such as the CyberAngel Security and Recovery System . The Skyhook WPS relies on existing WLAN access points for localization of devices that have 802.11a/b/g wireless interfaces. In WPS, a mobile device collects information about all visible WLAN access points in its vicinity, sends this information to the Skyhook location database which replies with a position estimate based on the aggregated information. The position estimate can then be directly used by a mapping application like Google maps or can be combined with other sources of location information, such as those from GSM stations or GPS. Positioning systems by Mexens [31] and the Fraunhofer institute [17] have a similar mode of operation. We call these systems public WLAN-based positioning systems, since they rely on public WLAN access points which are not under control of the service operator that provides the positioning service. In this work, we analyze the security of public WLANbased positioning systems. Using the example of the Skyhook WPS, we demonstrate that such positioning systems are vulnerable to location-spoofing attacks: by jamming and replaying localization signals, an attacker can convince a device that it is at a position which is different from its actual physical position. Public WLAN-based positioning systems also rely on large databases that contain information about the position of the infrastructure. This information is often gathered by using the data reported by the users-either manually or automated during the positioning process. We show that this basic principle makes the Skyhook WPS vulnerable to database manipulation attacks, which can equally be used for location spoofing. We further discuss possible approaches for securing public positioning systems and show their potential advantages and drawbacks, given the constraints of the application scenarios in which they are used. By performing these attacks, we demonstrate the limitations of Skyhook and similar positioning systems, in terms of the guarantees that they provide and the applications that they can be used for. Given the relative simplicity of the attacks and the availability of the equipment used to perform the attacks, we conclude that, without appropriate modifications, these positioning systems cannot be used in security- and safety-critical applications

Free download research paper



free research papers-wlan-11