connecting to the physical world ---wireless...
TRANSCRIPT
![Page 1: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/1.jpg)
Connecting to the Physical World---Wireless Communication
Wenyuan XuAssistant professor
University of South CarolinaDepartment of Computer Science and Engineering
June 4, 2011
1
![Page 2: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/2.jpg)
Roadmap
• Wireless Sensor Networks– Applications
• Wireless Networks 101
• RFID System
• Security and privacy:– Security and Privacy Analysis of Embedded Systems
Computer Science and Engineering 2
![Page 3: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/3.jpg)
Wireless networks
• “any type of network whose interconnections between nodes is implemented without the use of wires.”
• “generally implemented with some type of remote information transmission system that uses electromagnetic waves
Computer Science and Engineering
![Page 4: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/4.jpg)
Wireless Sensor Networks
2011年6月22日星期三
Computer Science and Engineering 4
![Page 5: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/5.jpg)
Wireless Sensor Architecture
• Interface between physical and digital worlds
• Self-powered devices– Battery-powered– Solar-powered
• Capabilities– Sensing– Built-in processing– Radio communication
• Mobile, localization (optional)
Computer Science and Engineering 5
LimitedLifetime
Calibration,Supervision…
Slow processingLimited memory
10 kbps –1 Mbps,3 – 100 m, Lossy Transmission
![Page 6: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/6.jpg)
Wireless Sensor Networks
6
http://graphics.stanford.edu
Computer Science and Engineering
• No network administrators! Cheap!• Wirelessly-Networked• self-organizing• Automatic data reporting
![Page 7: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/7.jpg)
Application Areas
• Environment monitoring• Seismic activity detection; planetary exploration• Industrial monitoring and control• Structural health monitoring• Social studies; healthcare and medical research• Homeland security and military applications; surveillance,• Detection of chemical/biological agents• New areas keep emerging.
Computer Science and Engineering 7
![Page 8: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/8.jpg)
Environment Monitoring - Great Duck Islands
• 150 sensing nodes deployed throughout the island relay data temperature, pressure, humidity, …) to a central device.
• Data are made available on the Internet through a satellite link
Computer Science and Engineering 8
UC Berkeley/College of the Atlanta
![Page 9: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/9.jpg)
Environment Monitoring - ZebraNet
Data
Base station (car or plane)
Data
Data
Store-and-forward communications
Data
Tracking node radio and GPS
• Special GPS-equipped collars are attached to zebras
• Data exchanged with peer-to-peer info swaps• Coming across a few zebras gives access to the
dataComputer Science and Engineering
Princeton University
![Page 10: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/10.jpg)
Volcano Monitoring in Ecuador
• Motes with seismic sensors deployed on active volcano in Ecuador• Science dictates: large spatial separation, time synchronization.• Nature of the application allows triggered data collection rather than
continuous.
Computer Science and Engineering 10
Harvard, Univ. of New Hampshire, Univ. of NC
![Page 11: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/11.jpg)
Structure Monitoring Using sensors
Computer Science and Engineering 11
Static sensors
Moving sensorData collection Processed Data
Juan Caicedo, Civil and Environment Engineering
![Page 12: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/12.jpg)
Microclimate Monitoring in MogaoGrottoes
• MoGao Grottoes contains 492 decorated caves with murals and sculptures
• The temperature, humidity, and CO2 may affect the murals and sculptures
• Goal: Schedule the visitor tourist paths to control the environment inside the caves
Computer Science and Engineering
![Page 13: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/13.jpg)
Microclimate Monitoring in MogaoGrottoes,
• Requirements:– Measurements: temperature, humidity, CO2– Wireless networks– Real time– Long-term
• 2 AA battery for 6 months
– Cheap– Easy to Maintain
1Km
0.8Km
Computer Science and Engineering
![Page 14: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/14.jpg)
• Communication range: 100m• Sensor accuracy
• Temperature: 0.3 ,
• Humidity:1.8%• CO2 sensors:
• 0~2000PPM:3%• 0~5000PPM:5%
Microclimate Monitoring in MogaoGrottoes,
Wireless Sensors
Sensors in Caves
Computer Science and Engineering
![Page 15: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/15.jpg)
• Data sink communication range:
1. Short range >100m2. Long range >1km• Data Router range > 1km
Microclimate Monitoring in MogaoGrottoes,Sensors in Caves
![Page 16: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/16.jpg)
Visitors vs. humidity & CO2
Computer Science and Engineering 16
![Page 17: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/17.jpg)
Hardware
• Typical characteristics of a WSN device• slow processor speeds (< 10 MHz) • low memory (< 10KB RAM) • low bandwidth radio (< 250kbps) • limited battery power ( < 4000 mAh)
• WSN operating systems and applications must co-exist within these limited resources– efficiency is critical !
• WSN are deployed in harsh environments (both physical and security)– Robust and secure
Computer Science and Engineering 17
![Page 18: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/18.jpg)
18
UC Berkeley Family of Motes
![Page 19: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/19.jpg)
19
Mica2 and Mica2Dot• ATmega128 CPU
– Self-programming– 128KB Instruction EEPROM– 4KB Data EEPROM
• Chipcon CC1000– Manchester encoding– Tunable frequency
• 315, 433 or 900MHz– 38K or 19K baud
• Lower power consumption– 2 AA batteries
• Expansion– 51 pin I/O Connector
1 inch
![Page 20: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/20.jpg)
20
MTS300CA Sensor Board
![Page 21: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/21.jpg)
21
Programming Board (MIB510)
![Page 22: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/22.jpg)
22
Hardware Setup Overview
![Page 23: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/23.jpg)
Our Sensors
Computer Science and Engineering 23
![Page 24: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/24.jpg)
Wireless Sensor Networks
• Research challenges– Networking– Wireless communication– Energy constraints– Data processing– Scalability– Harsh environment– Reliability
Computer Science and Engineering 24
![Page 25: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/25.jpg)
Wireless Communication 101
Computer Science and Engineering
~
Transmitter Receiver
EM Waves
~
![Page 26: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/26.jpg)
Wireless Communication
26
Bob AliceHello … Hi …
Computer Science and Engineering
![Page 27: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/27.jpg)
Interference
27
Bob AliceHello … Hi …
Hey hey heyhey…
Mr. X
Computer Science and Engineering
![Page 28: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/28.jpg)
Spectrum
• Radio Frequency – a EM signal with frequency between 3 kHz and 300 GHz• Spectrum – national resource under government control (usually split between
commercial and military)
Computer Science and Engineering 28
λ
![Page 29: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/29.jpg)
Spectrum Allocation
![Page 30: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/30.jpg)
Spectrum Allocation
• Unlicensed spectrum (US)
ISM = Industrial, Scientific and MedicalU-NII = Unlicensed National Information Infrastructure
![Page 31: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/31.jpg)
Antennas
• “Interface” between the transmitter (receiver) and channel
EMPIRICAL OBSERVATION:
For efficient transmission antenna needs to be longer than 1/10 of the wavelength.
f λ λ/10
AM Radio 600-1500 KHz 500-200m 20m
UHF(TV) 0.3-3 GHz 1-0.1m 0.01m
Mobile Phone 824-2000 MHz 0.36-0.158m 0.015m
LEO Satellite 1.6 GHz 0.188m 0.0188m
λ
![Page 32: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/32.jpg)
“Naughty” Electromagnetic Waves
• Objects in the environment– Reflection– Diffraction– Scattering
• Multi-path: Multiple signal copies added together– Attenuated– Delayed– Phase shifted
• Frequency selective fading• Flat fading• Ultimately causes ISI which limits
performance
1 1 2 2( ) ( ) ( ) ... ( )m md t h s t h s t h s t
![Page 33: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/33.jpg)
Wireless communication underwater?
• EM waves have medium dependent properties– Speed (refraction)– Resonance (absorption)– Reflection– Scattering
• Propagation in water:– 915 MHz: 1046 dB attenuation per meter
Positions of the center of antennas
+: above the water surface-: below the water surface
Sender (inch) 8 3 0 0 -3 3
Receiver (inch) 8 3 3 0 3 -3
RSS (dBm)-73.66 -76.55 79.82 -82.17
N/A -90.41
PDR100% 100% 99% 98% 0 85%
![Page 34: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/34.jpg)
RFID
Computer Science and Engineering 34
![Page 35: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/35.jpg)
What is Radio Frequency identification (RFID)?
Computer Science and Engineering 35
Tags (transponders)Attached to objects, “call out” identifying dataon a special radio frequency
02.3DFEX4.78AF51
EasyToll card #816
Reader (transceiver)Reads data off the tagswithout direct contact
Radio signal (contactless)Range: from 3-5 inches to 3 yards
DatabaseMatches tag IDs tophysical objects
An automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags.
![Page 36: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/36.jpg)
RFID Tags
• A Tag is a transponder which receives a radio signal and in response to it sends out a radio signal.– Tag contains an antenna, and a small chip that stores a small amount of data– Tag can be programmed at manufacture or on installation– Tag is powered by the high power electromagnetic field generated by the
antennas – usually in doorways– The field allows the chip/antenna to reflect back an extremely weak signal
containing the data– Collision Detection – recognition of multiple tags in the read range –is
employed to separately read the individual tags
Computer Science and Engineering
![Page 37: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/37.jpg)
RFID Tag Attributes
Active RFID Passive RFIDTag Power Source Internal to tag Energy transferred using
RF from reader
Tag Battery Yes No
Availability of power Continuous Only in field of reader
Required signal strength to Tag
Very Low Very High
Range Up to 100m Up to 3-5m, usually less
Multi-tag reading 1000’s of tags recognized – up to 100mph
Few hundred within 3m of reader
Data Storage Up to 128Kb or read/write with sophisticated search and access
128 bytes of read/write
Computer Science and Engineering
![Page 38: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/38.jpg)
Readers
• An RFID reader is a device that is used to interrogate an RFID tag. The reader has an antenna that emits radio waves; the tag responds by sending back its data.
• The reader has two basic components –– A scanning antenna– A transceiver with a decoder to interpret the data
Computer Science and Engineering
![Page 39: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/39.jpg)
Applications
• Personal:– Automatic toll collection– Building access control– Exxon/Mobil Speedpass– Library check– Pet Identification
• Business– Asset management– Shipping– Pallet and container tracking– Tracking re-usable containers– Document management– Inventory management– In-transit visibility– Warranty and maintenance– Retail shelf management and checkout
Computer Science and Engineering
![Page 40: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/40.jpg)
Sensor/RFID
• Gentag: a cell phone based post-operative orthopedic surgery monitoring kit• Near field communication (NFC) diagnostic platform
• an ultra-linear NFC-MEMS hybrid chip– 1mm mercury (Hg) precision– 0.1 C temperature accuracy.
Computer Science and Engineering 40
![Page 41: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/41.jpg)
Wireless Security and Privacy
Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire
Pressure Monitoring System Case Study
"Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study," USENIX Security Symposium,
2010
Computer Science and Engineering 41
![Page 42: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/42.jpg)
Wireless in Automobiles
• Wireless increasingly connected to CAN bus in automobiles– Web-based vehicle-immobilization system – MyRate from insurance companies to collect
data– “iChange” controls the car via an iPhone– More in-car wireless sensor networks
42Computer Science and Engineering
![Page 43: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/43.jpg)
Tire Pressure Monitoring System (TPMS)
• What is TPMS?– Monitors tire-pressure in real time– Alerts drivers if underinflated– To increase safety and fuel economy– Indirect TPMS vs. direct TPMS
• National Highway Transportation Safety Administration (NHTSA) mandates TPMS. Virtually, all new cars sold or manufactured after 2007 in US are equipped with wireless TPMS.
43Computer Science and Engineering
![Page 44: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/44.jpg)
Misuse 1: Car Tracking
Computer Science and Engineering 44
![Page 45: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/45.jpg)
Misuse 2: Trick The Driver To Stop
$$Stop?
Computer Science and Engineering 45
![Page 46: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/46.jpg)
TPMS — To Be Discovered
• What are the communication protocol details? – How difficult to reverse engineer?– Messages encrypted? Authenticated?
• How easy to eavesdrop TPMS communication?– What is the range?– Travel speeds, car’s metal body, message rate,
transmission power
• How easy to spoof TPMS communication?– What is the range? – ECU filters/rejects suspicious packets?– How much damage can spoofing accomplish?
• What can be done to protect TPMS communication?
46Computer Science and Engineering
![Page 47: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/47.jpg)
TPMS — From the Public Domain
• Communication protocols– Link Sensor IDs with TPMS ECU– Sensors ECU 315/433Mhz
• ECU filters packets based on IDs
– Sensors can be waken up by• ECU sensors 125kHz
• Travel at high speeds (>40 km/h)
47
Tire pressure sensors
Receiving antennas
TPMS electric control unit (ECU)
Computer Science and Engineering
![Page 48: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/48.jpg)
Security and Privacy Analysis Step 1: Reverse-engineering
• Proprietary protocols – Security through obscurity?
• Equipment
• Goal– Modulation schemes– Encoding schemes– Message formats (encrypted?)
Universal Software Radio Peripheral (USRP)
Sensors: TPS-A and TPS-B
ATEQ VT55
Agilent Vector Signal Analyzer (VSA)
Computer Science and Engineering
![Page 49: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/49.jpg)
Reverse-Engineering Walk-Through• Reverse engineering steps
– Capture packet transmission– Demodulate and decode data– Determine packet format
• Observations– Reverse engineering possible– No encryption
49
Triggered sensors at 125 kHz
Responded at 315 MHz
Captured RF transmission at
315 MHz
Determined Modulation
ASK
Encoding Scheme
Manchester
Determined Message Format
32-bit or 28-bit
How likely that two cars have the same ID? 1015 cars with Pc = 1%.
Computer Science and Engineering
![Page 50: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/50.jpg)
Security and Privacy Analysis Step 2: Eavesdrop capability
• How likely to eavesdrop?– Cars travel at high speeds– Cars’ metal bodies shield RF– TPMS message rate (1 per 60s-90s)– Low transmission power (battery)
• Eavesdropping System– Used USRP only, no VSA– Used low noise amplifier (LNA)– Reused decoders from RE– Developed a live decoder/eavesdropper
50
Low noise amplifier (LNA)
Computer Science and Engineering
![Page 51: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/51.jpg)
Demonstration of Live Eavesdropping
Computer Science and Engineering 51
Sensor ID 884368A2
![Page 52: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/52.jpg)
Exp. 1: Eavesdropping Distance
• Scenarios– USRP + cheap antenna– USRP + LNA ($75) + cheap antenna
• Observations– Able to decode packets, if RSS (received signal strength) > Ambient noise floor– LNA boosts the decoding range from 10.7m to 40m
52Computer Science and Engineering
![Page 53: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/53.jpg)
Exp. 2: Eavesdropping Distance and Angle
• Setup– USRP at origin – Car moved parallel to the x-axis (1.5m apart)
• Observations– The widest range is 9.1 meters– Sniffed at over 70mph speed
Computer Science and Engineering 53
Detectable region
USRP location
![Page 54: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/54.jpg)
Feasibility of Tracking
• Passive tracking– Complete location tracking is difficult– Given: 1 packet per 60 seconds, eavesdropping range 9 meters– A car at 60km/h 110 sniffers
• Active tracking– Activation signal makes the tracking easier– Send the activation signal at 125kHz– The sniffer places down the road– Experiments
• Obtained timing data: USRP + TVRX (315MHz)+ LFRX (125kHz)
• Validation: ATEQ VT55 (activator) + USRP (sniffer); the car traveled at 35km/h.
54
Tracking via TPMS• Independent of LOS hidden• Higher technical requirement to deactivate TPMS
Tracking via License Plate Capture Cameras (LPCC)• Requires LOS visible camera mounting location• Affected by weather• Less technical sophistication to hide license plates
Computer Science and Engineering
![Page 55: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/55.jpg)
Security and Privacy Analysis Step 3: Packet Spoofing
• How likely to spoof TPMS communication?– Is the in-car radio able to pick up spoofing packets from outside the vehicle or a neighboring vehicle?– Security mechanisms in ECU?
• Will ECU filter/reject suspicious packets?• How long will ECU recover from the spoofing?
• Spoofing System– Frequency mixer– Reused eavesdropper from step 2– Developed a packet generator
• Include a proper checksum• Contain the alarm flag
55
Obtain sensor ID, type, and tire
pressure
Modulate (ASK) Encode (Manchester)
Transmit at 315Mhz with
frequency mixer
Frequency mixer
Computer Science and Engineering
![Page 56: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/56.jpg)
Spoofing Validation
• Tested on two equipment:– ATEQ VT55 validates packet structure– A car (TPS-A) validates ECU’s logic
• 40 packets per minute
Computer Science and Engineering 56
![Page 57: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/57.jpg)
Spoofing Validation
• Tested on two equipment:– ATEQ VT55 validates packet structure– A car (TPS-A) validates ECU’s logic
• 40 packets per minute
• Observations– No authentication– No input validation
– Warning lights only depend on the alarm flag, not the real pressure– Large range: 38 meters with a cheap antenna without any amplifier– Inter-vehicle Spoofing is feasible; travel speed 55 km/h and 110 km/h
Computer Science and Engineering 57
TPMS-LPW light Vehicle's warning light
![Page 58: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/58.jpg)
Disabled TPMS ECU
• Timer and window-based filtering opens vulnerabilities• Broke TPMS ECU purely by spoofing! Replaced the ECU at the dealership.
58Computer Science and Engineering
![Page 59: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/59.jpg)
Conclusions
• Wireless sensor networks are the bridge to the physical world and make the remote sensing feasible.
• Designing wireless sensor networks is challenging
• Designing wireless sensor networks is even more challenging for intertidal zones more fun!
• Security is not a concern yet, how about future?
Computer Science and Engineering 59
![Page 60: Connecting to the Physical World ---Wireless Communicationrs1.sze.hu/.../hallgatoknak/TPMS/wireless_Wenyuantalk.pdf · 2011-08-12 · Connecting to the Physical World---Wireless Communication](https://reader034.vdocuments.net/reader034/viewer/2022042203/5ea3bc0677c965425e275773/html5/thumbnails/60.jpg)
Acknowledge & References
• Brian Helmuth, USC• Yabo Dong, Zhejiang University• Xia Ming, Zhejiang University of Technology• Marco Gruteser, Rutgers University• Wade Trappe, Rutgers University
• Some of the slides are borrowed from web.
Computer Science and Engineering 60