-
Effect of detachment on Magnum-PSI ELM-like pulses: I. Direct observations and qualitative results
Authors:
Fabio Federici,
Bruce Lipschultz,
Gijs R. A. Akkermans,
Kevin Verhaegh,
Matthew L. Reinke,
Ivo G. J. Classen,
Magnum-PSI Team
Abstract:
Conditions similar to those at the end of the divertor leg in a tokamak were replicated in the linear plasma machine Magnum-PSI. The neutral pressure in the target chamber is then increased to cause the target to transition from an attached to a detached state. Superimposed on this steady-state regime, ELM-like pulses are reproduced, resulting in a sudden increase in plasma temperature and density, such that the heat flux increases transiently by half an order of magnitude. Visible light emission, target thermography, and Thomson scattering are used to demonstrate that the higher the neutral pressure, the more energy is removed from the ELM-like pulse in the volume. If the neutral pressure is sufficiently high, the ELM-like pulse can be prevented from affecting the target and the plasma energy is fully dissipated in the volume instead (ID 4 in Table 1). The visible light images allow the division of the ELM-plasma interaction process of ELM energy dissipation into 3 "stages" ranging from no dissipation to full dissipation (the target plasma is detached). In the second publication related to this study, spectroscopic data is analysed with a Bayesian approach, to acquire insights into the significance of molecular processes in dissipating the plasma energy and particles.
Submitted 30 April, 2024;
originally announced April 2024.
-
Effect of detachment on Magnum-PSI ELM-like pulses: II. Spectroscopic analysis and role of molecular assisted reactions
Authors:
Fabio Federici,
Bruce Lipschultz,
Gijs R. A. Akkermans,
Kevin Verhaegh,
Matthew L. Reinke,
Ray Chandra,
Chris Bowman,
Ivo G. J. Classen,
the Magnum-PSI Team
Abstract:
The linear plasma machine Magnum-PSI can replicate similar conditions to those found in a tokamak at the end of the divertor leg. A dedicated capacitor bank, in parallel to the plasma source, can release a sudden burst of energy, leading to a rapid increase in plasma temperature and density, resulting in a transient heat flux increase of half an order of magnitude, a so-called ELM-like pulse. Throughout both the steady state and the pulse, the neutral pressure in the target chamber is then increased, causing the target to transition from an attached to a detached state. In the first paper related to this study [Federici], direct measurements of the plasma properties are used to qualitatively determine the effect of detachment on the ELM-like pulse. This is used to show the importance of molecular assisted reactions. Molecular processes, and especially molecular activated dissociation, are found to be important in the exchange of potential energy with the plasma, while less so in radiating the energy from the ELM-like pulse. At low target chamber pressure, the plasma generated via ionisation during the part of the ELM-like pulse with the higher temperature is more than that produced by the plasma source, a unique case in linear machines. At high target chamber pressure molecular activated recombination contributes up to a third of the total recombination rate, contributing to the reduction of the target particle flux. Some metrics that estimate the energy lost by the plasma per interaction with neutrals, potentially relevant for the portion of the tokamak divertor leg below $\sim 10\,\mathrm{eV}$, are then tentatively obtained.
Submitted 26 December, 2023;
originally announced December 2023.
-
An Interpretable Machine Learning Model with Deep Learning-based Imaging Biomarkers for Diagnosis of Alzheimer's Disease
Authors:
Wenjie Kang,
Bo Li,
Janne M. Papma,
Lize C. Jiskoot,
Peter Paul De Deyn,
Geert Jan Biessels,
Jurgen A. H. R. Claassen,
Huub A. M. Middelkoop,
Wiesje M. van der Flier,
Inez H. G. B. Ramakers,
Stefan Klein,
Esther E. Bron
Abstract:
Machine learning methods have shown large potential for the automatic early diagnosis of Alzheimer's Disease (AD). However, some machine learning methods based on imaging data have poor interpretability because it is usually unclear how they make their decisions. Explainable Boosting Machines (EBMs) are interpretable machine learning models based on the statistical framework of generalized additive modeling, but have so far only been used for tabular data. Therefore, we propose a framework that combines the strength of EBM with high-dimensional imaging data using deep learning-based feature extraction. The proposed framework is interpretable because it provides the importance of each feature. We validated the proposed framework on the Alzheimer's Disease Neuroimaging Initiative (ADNI) dataset, achieving accuracy of 0.883 and area-under-the-curve (AUC) of 0.970 on AD and control classification. Furthermore, we validated the proposed framework on an external testing set, achieving accuracy of 0.778 and AUC of 0.887 on AD and subjective cognitive decline (SCD) classification. The proposed framework significantly outperformed an EBM model using volume biomarkers instead of deep learning-based features, as well as an end-to-end convolutional neural network (CNN) with optimized architecture.
Submitted 15 August, 2023;
originally announced August 2023.
-
Interpretable Forecasting of Physiology in the ICU Using Constrained Data Assimilation and Electronic Health Record Data
Authors:
David Albers,
Melike Sirlanci,
Matthew Levine,
Jan Claassen,
Caroline Der Nigoghossian,
George Hripcsak
Abstract:
Prediction of physiologic states is important in medical practice because interventions are guided by predicted impacts of interventions. But prediction is difficult in medicine because the generating system is complex and difficult to understand from data alone, and the data are sparse relative to the complexity of the generating processes due to human costs of data collection. Computational machinery can potentially make prediction more accurate, but working within the constraints of realistic clinical data makes robust inference difficult because the data are sparse, noisy and nonstationary. This paper focuses on prediction given sparse, non-stationary, electronic health record data in the intensive care unit (ICU) using data assimilation (DA), a broad collection of methods that pairs mechanistic models with inference machinery such as the Kalman filter. We find that making inference with sparse clinical data accurate and robust requires advancements beyond standard DA methods combined with additional machine learning methods. Specifically, we show that combining the newly developed constrained ensemble Kalman filter with machine learning methods can produce substantial gains in robustness and accuracy while minimizing the data requirements. We also identify limitations of Kalman filtering methods that lead to new problems to be overcome to make inference feasible in clinical settings using realistic clinical data.
Submitted 10 May, 2023;
originally announced May 2023.
-
Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones
Authors:
Jiska Classen,
Alexander Heinrich,
Robert Reith,
Matthias Hollick
Abstract:
When an iPhone is turned off, most wireless chips stay on. For instance, upon user-initiated shutdown, the iPhone remains locatable via the Find My network. If the battery runs low, the iPhone shuts down automatically and enters a power reserve mode. Yet, users can still access credit cards, student passes, and other items in their Wallet. We analyze how Apple implements these standalone wireless features, working while iOS is not running, and determine their security boundaries. On recent iPhones, Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB) keep running after power off, and all three wireless chips have direct access to the secure element. As a practical example of what this means for security, we demonstrate the possibility of loading malware onto a Bluetooth chip that is executed while the iPhone is off.
Submitted 12 May, 2022;
originally announced May 2022.
-
Very Pwnable Network: Cisco AnyConnect Security Analysis
Authors:
Gerbert Roitburd,
Matthias Ortmann,
Matthias Hollick,
Jiska Classen
Abstract:
Corporate Virtual Private Networks (VPNs) enable users to work from home or while traveling. At the same time, VPNs are tied to a company's network infrastructure, forcing users to install proprietary clients for network compatibility reasons. VPN clients run with high privileges to encrypt and reroute network traffic. Thus, bugs in VPN clients pose a substantial risk to their users and in turn the corporate network. Cisco, the dominant vendor of enterprise network hardware, offers VPN connectivity with their AnyConnect client for desktop and mobile devices. While past security research primarily focused on the AnyConnect Windows client, we show that Linux and iOS are based on different architectures and have distinct security issues. Our reverse engineering as well as the follow-up design analysis and fuzzing reveal 13 new vulnerabilities. Seven of these are located in the Linux client. The root cause for privilege escalations on Linux is anchored so deeply in the client's architecture that it only got patched with a partial workaround. A similar analysis on iOS uncovers three AnyConnect-specific bugs as well as three general issues in iOS network extensions, which apply to all kinds of VPNs and are not restricted to AnyConnect.
Submitted 11 February, 2022;
originally announced February 2022.
-
Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation
Authors:
Jiska Classen,
Francesco Gringoli,
Michael Hermann,
Matthias Hollick
Abstract:
Modern mobile devices feature multiple wireless technologies, such as Bluetooth, Wi-Fi, and LTE. Each of them is implemented within a separate wireless chip, sometimes packaged as combo chips. However, these chips share components and resources, such as the same antenna or wireless spectrum. Wireless coexistence interfaces enable them to schedule packets without collisions despite shared resources, essential to maximizing networking performance. Today's hardwired coexistence interfaces hinder clear security boundaries and separation between chips and chip components. This paper shows practical coexistence attacks on Broadcom, Cypress, and Silicon Labs chips deployed in billions of devices. For example, we demonstrate that a Bluetooth chip can directly extract network passwords and manipulate traffic on a Wi-Fi chip. Coexistence attacks enable a novel type of lateral privilege escalation across chip boundaries. We responsibly disclosed the vulnerabilities to the vendors. Yet, only partial fixes were released for existing hardware since wireless chips would need to be redesigned from the ground up to prevent the presented attacks on coexistence.
Submitted 10 December, 2021;
originally announced December 2021.
-
Ghost Peak: Practical Distance Reduction Attacks Against HRP UWB Ranging
Authors:
Patrick Leu,
Giovanni Camurati,
Alexander Heinrich,
Marc Roeschlin,
Claudio Anliker,
Matthias Hollick,
Srdjan Capkun,
Jiska Classen
Abstract:
We present the first over-the-air attack on IEEE 802.15.4z High-Rate Pulse Repetition Frequency (HRP) Ultra-WideBand (UWB) distance measurement systems. Specifically, we demonstrate a practical distance reduction attack against pairs of Apple U1 chips (embedded in iPhones and AirTags), as well as against U1 chips inter-operating with NXP and Qorvo UWB chips. These chips have been deployed in a wide range of phones and cars to secure car entry and start and are projected for secure contactless payments, home locks, and contact tracing systems. Our attack operates without any knowledge of cryptographic material, results in distance reductions from 12m (actual distance) to 0m (spoofed distance) with attack success probabilities of up to 4%, and requires only an inexpensive (USD 65) off-the-shelf device. Access control can only tolerate sub-second latencies to not inconvenience the user, leaving little margin to perform time-consuming verifications. These distance reductions bring into question the use of UWB HRP in security-critical applications.
Submitted 9 November, 2021;
originally announced November 2021.
-
Happy MitM: Fun and Toys in Every Bluetooth Device
Authors:
Jiska Classen,
Matthias Hollick
Abstract:
Bluetooth pairing establishes trust on first use between two devices by creating a shared key. Similar to certificate warnings in TLS, the Bluetooth specification requires warning users upon issues with this key, because this can indicate ongoing Machine-in-the-Middle (MitM) attacks. This paper uncovers that none of the major Bluetooth stacks warns users, which violates the specification. Clear warnings would protect users from recently published and potential future security issues in Bluetooth authentication and encryption.
Submitted 16 August, 2021;
originally announced August 2021.
-
Cross-Cohort Generalizability of Deep and Conventional Machine Learning for MRI-based Diagnosis and Prediction of Alzheimer's Disease
Authors:
Esther E. Bron,
Stefan Klein,
Janne M. Papma,
Lize C. Jiskoot,
Vikram Venkatraghavan,
Jara Linders,
Pauline Aalten,
Peter Paul De Deyn,
Geert Jan Biessels,
Jurgen A. H. R. Claassen,
Huub A. M. Middelkoop,
Marion Smits,
Wiro J. Niessen,
John C. van Swieten,
Wiesje M. van der Flier,
Inez H. G. B. Ramakers,
Aad van der Lugt
Abstract:
This work validates the generalizability of MRI-based classification of Alzheimer's disease (AD) patients and controls (CN) to an external data set and to the task of prediction of conversion to AD in individuals with mild cognitive impairment (MCI). We used a conventional support vector machine (SVM) and a deep convolutional neural network (CNN) approach based on structural MRI scans that underwent either minimal pre-processing or more extensive pre-processing into modulated gray matter (GM) maps. Classifiers were optimized and evaluated using cross-validation in the ADNI (334 AD, 520 CN). Trained classifiers were subsequently applied to predict conversion to AD in ADNI MCI patients (231 converters, 628 non-converters) and in the independent Health-RI Parelsnoer data set. From this multi-center study representing a tertiary memory clinic population, we included 199 AD patients, 139 participants with subjective cognitive decline, 48 MCI patients converting to dementia, and 91 MCI patients who did not convert to dementia. AD-CN classification based on modulated GM maps resulted in a similar AUC for SVM (0.940) and CNN (0.933). Application to conversion prediction in MCI yielded significantly higher performance for SVM (0.756) than for CNN (0.742). In external validation, performance was slightly decreased. For AD-CN, it again gave similar AUCs for SVM (0.896) and CNN (0.876). For prediction in MCI, performances decreased for both SVM (0.665) and CNN (0.702). Both with SVM and CNN, classification based on modulated GM maps significantly outperformed classification based on minimally processed images. Deep and conventional classifiers performed equally well for AD classification and their performance decreased only slightly when applied to the external cohort. We expect that this work on external validation contributes towards translation of machine learning to clinical practice.
Submitted 26 May, 2021; v1 submitted 16 December, 2020;
originally announced December 2020.
-
Tomographic reconstruction of the runaway distribution function in TCV using multispectral synchrotron images
Authors:
T. A. Wijkamp,
A. Perek,
J. Decker,
B. Duval,
M. Hoppe,
G. Papp,
U. A. Sheikh,
I. G. J. Classen,
R. J. E. Jaspers,
the TCV team,
the EUROfusion MST1 team
Abstract:
Synchrotron radiation observed in a quiescent TCV runaway discharge is studied using filtered camera images targeting three distinct wavelength intervals. Through the tomographic SART procedure the high momentum, high pitch angle part of the spatial and momentum distribution of these relativistic particles is reconstructed. Experimental estimates of the distribution are important for verification and refinement of formation, decay and transport models underlying runaway avoidance and mitigation strategy design. Using a test distribution it is demonstrated that the inversion procedure provides estimates accurate to within a few tens of percent in the region of phase-space contributing most to the synchrotron image. We find that combining images filtered around different parts of the emission spectrum widens the probed part of momentum-space and reduces reconstruction errors. Next, the SART algorithm is used to obtain information on the spatiotemporal runaway momentum distribution in a selected TCV discharge. The momentum distribution is found to relax towards an avalanche-like exponentially decaying profile. Anomalously high pitch angles and a radial profile increasing towards the edge are found for the most strongly emitting particles in the distribution. Pitch angle scattering by toroidal magnetic field ripple is consistent with this picture. An alternative explanation is the presence of high frequency instabilities in combination with the formation of a runaway shell at the edge of the plasma.
Submitted 5 February, 2021; v1 submitted 30 October, 2020;
originally announced November 2020.
-
Firmware Insider: Bluetooth Randomness is Mostly Random
Authors:
Jörn Tillmanns,
Jiska Classen,
Felix Rohrbach,
Matthias Hollick
Abstract:
Bluetooth chips must include a Random Number Generator (RNG). This RNG is used internally within cryptographic primitives but also exposed to the operating system for chip-external applications. In general, it is a black box with security-critical authentication and encryption mechanisms depending on it. In this paper, we evaluate the quality of RNGs in various Broadcom and Cypress Bluetooth chips. We find that the RNG implementation significantly changed over the last decade. Moreover, most devices implement an insecure Pseudo-Random Number Generator (PRNG) fallback. Multiple popular devices, such as the Samsung Galaxy S8 and its variants as well as an iPhone, rely on the weak fallback due to missing a Hardware Random Number Generator (HRNG). We statistically evaluate the output of various HRNGs in chips used by hundreds of millions of devices. While the Broadcom and Cypress HRNGs pass advanced tests, it remains indistinguishable for users whether a Bluetooth chip implements a secure RNG without an extensive analysis as in this paper. We describe our measurement methods and publish our tools to enable further public testing.
Submitted 30 June, 2020;
originally announced June 2020.
-
Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets
Authors:
Jan Ruge,
Jiska Classen,
Francesco Gringoli,
Matthias Hollick
Abstract:
Wireless communication standards and implementations have a troubled history regarding security. Since most implementations and firmware are closed-source, fuzzing remains one of the main methods to uncover Remote Code Execution (RCE) vulnerabilities in deployed systems. Generic over-the-air fuzzing suffers from several shortcomings, such as constrained speed, limited repeatability, and restricted ability to debug. In this paper, we present Frankenstein, a fuzzing framework based on advanced firmware emulation, which addresses these shortcomings. Frankenstein brings firmware dumps "back to life", and provides fuzzed input to the chip's virtual modem. The speed-up of our new fuzzing method is sufficient to maintain interoperability with the attached operating system, hence triggering realistic full-stack behavior. We demonstrate the potential of Frankenstein by finding three zero-click vulnerabilities in the Broadcom and Cypress Bluetooth stack, which is used in most Apple devices, many Samsung smartphones, the Raspberry Pis, and many others.
Given RCE on a Bluetooth chip, attackers may escalate their privileges beyond the chip's boundary. We uncover a Wi-Fi/Bluetooth coexistence issue that crashes multiple operating system kernels and a design flaw in the Bluetooth 5.2 specification that allows link key extraction from the host. Turning off Bluetooth will not fully disable the chip, making it hard to defend against RCE attacks. Moreover, when testing our chip-based vulnerabilities on those devices, we find BlueFrag, a chip-independent Android RCE.
Submitted 17 June, 2020;
originally announced June 2020.
-
DEMO: Attaching InternalBlue to the Proprietary macOS IOBluetooth Framework
Authors:
Davide Toldo,
Jiska Classen,
Matthias Hollick
Abstract:
In this demo, we provide an overview of the macOS Bluetooth stack internals and gain access to undocumented low-level interfaces. We leverage this knowledge to add macOS support to the InternalBlue firmware modification and wireless experimentation framework.
Submitted 29 May, 2020;
originally announced May 2020.
-
DEMO: Extracting Physical-Layer BLE Advertisement Information from Broadcom and Cypress Chips
Authors:
Jiska Classen,
Matthias Hollick
Abstract:
Multiple initiatives propose utilizing Bluetooth Low Energy (BLE) advertisements for contact tracing and SARS-CoV-2 exposure notifications. This demo shows a research tool to analyze BLE advertisements; if universally enabled by the vendors, the uncovered features could improve exposure notifications for everyone. We reverse-engineer the firmware-internal implementation of BLE advertisements on Broadcom and Cypress chips and show how to extract further physical-layer information at the receiver. The analyzed firmware works on hundreds of millions of devices, such as all iPhones, the European Samsung Galaxy S series, and Raspberry Pis.
Submitted 29 May, 2020;
originally announced May 2020.
-
Acoustic Integrity Codes: Secure Device Pairing Using Short-Range Acoustic Communication
Authors:
Florentin Putz,
Flor Álvarez,
Jiska Classen
Abstract:
Secure Device Pairing (SDP) relies on an out-of-band channel to authenticate devices. This requires a common hardware interface, which limits the use of existing SDP systems. We propose to use short-range acoustic communication for the initial pairing. Audio hardware is commonly available on existing off-the-shelf devices and can be accessed from user space without requiring firmware or hardware modifications. We improve upon previous approaches by designing Acoustic Integrity Codes (AICs): a modulation scheme that provides message authentication on the acoustic physical layer. We analyze their security and demonstrate that we can defend against signal cancellation attacks by designing signals with low autocorrelation. Our system can detect overshadowing attacks using a ternary decision function with a threshold. In our evaluation of this SDP scheme's security and robustness, we achieve a bit error ratio below 0.1% for a net bit rate of 100 bps with a signal-to-noise ratio (SNR) of 14 dB. Using our open-source proof-of-concept implementation on Android smartphones, we demonstrate pairing between different smartphone models.
Submitted 10 August, 2020; v1 submitted 18 May, 2020;
originally announced May 2020.
-
Lost and Found: Stopping Bluetooth Finders from Leaking Private Information
Authors:
Mira Weller,
Jiska Classen,
Fabian Ullrich,
Denis Waßmann,
Erik Tews
Abstract:
A Bluetooth finder is a small battery-powered device that can be attached to important items such as bags, keychains, or bikes. The finder maintains a Bluetooth connection with the user's phone, and the user is notified immediately on connection loss. We provide the first comprehensive security and privacy analysis of current commercial Bluetooth finders. Our analysis reveals several significant security vulnerabilities in those products concerning mobile applications and the corresponding backend services in the cloud. We also show that all analyzed cloud-based products leak more private data than required for their respective cloud services.
Overall, there is a big market for Bluetooth finders, but none of the existing products is privacy-friendly. We close this gap by designing and implementing PrivateFind, which ensures locations of the user are never leaked to third parties. It is designed to run on similar hardware as existing finders, allowing vendors to update their systems using PrivateFind.
Submitted 17 May, 2020;
originally announced May 2020.
-
MagicPairing: Apple's Take on Securing Bluetooth Peripherals
Authors:
Dennis Heinze,
Jiska Classen,
Felix Rohrbach
Abstract:
Device pairing in large Internet of Things (IoT) deployments is a challenge for device manufacturers and users. Bluetooth offers a comparably smooth trust on first use pairing experience. Bluetooth, though, is well-known for security flaws in the pairing process. In this paper, we analyze how Apple improves the security of Bluetooth pairing while still maintaining its usability and specification c…
▽ More
Device pairing in large Internet of Things (IoT) deployments is a challenge for device manufacturers and users. Bluetooth offers a comparably smooth trust on first use pairing experience. Bluetooth, though, is well-known for security flaws in the pairing process. In this paper, we analyze how Apple improves the security of Bluetooth pairing while still maintaining its usability and specification compliance. The proprietary protocol that resides on top of Bluetooth is called MagicPairing. It enables the user to pair a device once with Apple's ecosystem and then seamlessly use it with all their other Apple devices. We analyze both, the security properties provided by this protocol, as well as its implementations. In general, MagicPairing could be adapted by other IoT vendors to improve Bluetooth security. Even though the overall protocol is well-designed, we identified multiple vulnerabilities within Apple's implementations with over-the-air and in-process fuzzing.
Submitted 14 May, 2020;
originally announced May 2020.
-
Inside Job: Diagnosing Bluetooth Lower Layers Using Off-the-Shelf Devices
Authors:
Jiska Classen,
Matthias Hollick
Abstract:
Bluetooth is among the dominant standards for wireless short-range communication, with multi-billion Bluetooth devices shipped each year. Basic Bluetooth analysis inside consumer hardware such as smartphones can be accomplished by observing the Host Controller Interface (HCI) between the operating system's driver and the Bluetooth chip. However, the HCI does not provide insights into tasks running inside a Bluetooth chip or Link Layer (LL) packets exchanged over the air. As of today, consumer hardware internal behavior can only be observed with external, and often expensive, tools that need to be present during initial device pairing. In this paper, we leverage standard smartphones for on-device Bluetooth analysis and reverse engineer a diagnostic protocol that resides inside Broadcom chips. Diagnostic features include sniffing lower layers such as LL for Classic Bluetooth and Bluetooth Low Energy (BLE), transmission and reception statistics, test mode, and memory peek and poke.
Submitted 2 May, 2019;
originally announced May 2019.
-
InternalBlue - Bluetooth Binary Patching and Experimentation Framework
Authors:
Dennis Mantz,
Jiska Classen,
Matthias Schulz,
Matthias Hollick
Abstract:
Bluetooth is one of the most established technologies for short range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In particular, system aspects and close to hardware protocol layers are mostly uncovered.
We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep insights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework---outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform.
InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware.
Submitted 2 May, 2019;
originally announced May 2019.
-
Breaking Fitness Records without Moving: Reverse Engineering and Spoofing Fitbit
Authors:
Hossein Fereidooni,
Jiska Classen,
Tom Spink,
Paul Patras,
Markus Miettinen,
Ahmad-Reza Sadeghi,
Matthias Hollick,
Mauro Conti
Abstract:
Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors' cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected become imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on the devices we analyze. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.
Submitted 28 June, 2017;
originally announced June 2017.
-
Practical Covert Channels for WiFi Systems
Authors:
Jiska Classen,
Matthias Schulz,
Matthias Hollick
Abstract:
Wireless covert channels promise to exfiltrate information with high bandwidth by circumventing traditional access control mechanisms. Ideally, they are only accessible by the intended recipient and---for regular system users/operators---indistinguishable from normal operation. While a number of theoretical and simulation studies exist in literature, the practical aspects of WiFi covert channels are not well understood. Yet, it is particularly the practical design and implementation aspect of wireless systems that provides attackers with the latitude to establish covert channels: the ability to operate under adverse conditions and to tolerate a high amount of signal variations. Moreover, covert physical receivers do not have to be addressed within wireless frames, but can simply eavesdrop on the transmission. In this work, we analyze the possibilities to establish covert channels in WiFi systems with emphasis on exploiting physical layer characteristics. We discuss design alternatives for selected covert channel approaches and study their feasibility in practice. By means of an extensive performance analysis, we compare the covert channel bandwidth. We further evaluate the possibility of revealing the introduced covert channels based on different detection capabilities.
Submitted 5 May, 2015;
originally announced May 2015.
-
Energetic particle instabilities in fusion plasmas
Authors:
S E Sharapov,
B Alper,
H L Berk,
D N Borba,
B N Breizman,
C D Challis,
I G J Classen,
E M Edlund,
J Eriksson,
A Fasoli,
E D Fredrickson,
G Y Fu,
M Garcia-Munoz,
T Gassner,
K Ghantous,
V Goloborodko,
N N Gorelenkov,
M P Gryaznevich,
S Hacquin,
W W Heidbrink,
C Hellesen,
V G Kiptily,
G J Kramer,
P Lauber,
M K Lilley
, et al. (19 additional authors not shown)
Abstract:
Remarkable progress has been made in diagnosing energetic particle instabilities on present-day machines and in establishing a theoretical framework for describing them. This overview describes the much improved diagnostics of Alfven instabilities and modelling tools developed world-wide, and discusses progress in interpreting the observed phenomena. A multi-machine comparison is presented giving information on the performance of both diagnostics and modelling tools for different plasma conditions outlining expectations for ITER based on our present knowledge.
Submitted 31 October, 2013;
originally announced October 2013.
-
A methodology for detecting and exploring non-convulsive seizures in patients with SAH
Authors:
D J Albers,
J Claassen,
M J Schmidt,
G Hripcsak
Abstract:
A methodology for understanding and detecting nonconvulsive seizures in individuals with subarachnoid hemorrhage is introduced. Specifically, beginning with an EEG signal, the power spectrum is estimated, yielding a multivariate time series which is then analyzed using empirical orthogonal functional analysis. This methodology allows for easy identification and observation of seizures that are otherwise only identifiable through expert analysis of the raw EEG.
Submitted 30 May, 2013;
originally announced May 2013.
-
ac Losses in a Finite Z Stack Using an Anisotropic Homogeneous-Medium Approximation
Authors:
John R Clem,
J. H. Claassen,
Yasunori Mawatari
Abstract:
A finite stack of thin superconducting tapes, all carrying a fixed current I, can be approximated by an anisotropic superconducting bar with critical current density Jc=Ic/2aD, where Ic is the critical current of each tape, 2a is the tape width, and D is the tape-to-tape periodicity. The current density J must obey the constraint \int J dx = I/D, where the tapes lie parallel to the x axis and are stacked along the z axis. We suppose that Jc is independent of field (Bean approximation) and look for a solution to the critical state for arbitrary height 2b of the stack. For c<|x|<a we have J=Jc, and for |x|<c the critical state requires that Bz=0. We show that this implies \partial J/\partial x=0 in the central region. Setting c as a constant (independent of z) results in field profiles remarkably close to the desired one (Bz=0 for |x|<c) as long as the aspect ratio b/a is not too small. We evaluate various criteria for choosing c, and we show that the calculated hysteretic losses depend only weakly on how c is chosen. We argue that for small D/a the anisotropic homogeneous-medium approximation gives a reasonably accurate estimate of the ac losses in a finite Z stack. The results for a Z stack can be used to calculate the transport losses in a pancake coil wound with superconducting tape.
Submitted 29 August, 2007;
originally announced August 2007.
-
Evidence for High-Temperature Superconductivity in Doped Laser-Processed Sr-Ru-O
Authors:
A. M. Gulian,
K. S. Wood,
D. Van Vechten,
J. Claassen,
R. J. Soulen, Jr.,
S. Qadri,
M. Osofsky,
A. Lucarelli,
G. Luepke,
G. R. Badalyan,
V. S. Kuzanyan,
A. S. Kuzanyan,
V. R. Nikoghosyan
Abstract:
We have discovered that samples of a new material produced by special processing of crystals of Sr2RuO4 (which is known to be a triplet superconductor with Tc values ~1.0-1.5K) exhibit signatures of superconductivity (zero DC resistance and expulsion of magnetic flux) at temperatures exceeding 200K. The special processing includes deposition of a silver coating and laser micromachining; Ag doping and enhanced oxygen are observed in the resultant surface layer. The transition, whether measured resistively or by magnetic field expulsion, is broad. When the transition is registered by resistive methods, the critical temperature is markedly reduced when the measuring current is increased. The resistance disappears by about 190K. The highest value of Tc registered by magneto-optical visualization is about 220K and even higher values (up to 250K) are indicated from the SQUID-magnetometer measurements.
Submitted 12 September, 2005;
originally announced September 2005.
-
Effects of the Two- Gap Nature on the Microwave Conductivity of 39 K Polycrystalline MgB2 Films
Authors:
Sang Young Lee,
J. H. Lee,
Jung Hoon Han,
S. H. Moon,
H. N. Lee,
James C. Booth,
J. H. Claassen
Abstract:
The surface resistance (Rs) and the real part (sigma_1) of the microwave complex conductivity of a ~380 nm-thick polycrystalline MgB2 film with the critical temperature (Tc) of 39.3 K were investigated at ~8.5 GHz as a function of temperature. Two coherence peaks were observed in the sigma_1 versus temperature curve at temperatures of ~0.5 Tc and ~0.9 Tc, respectively, providing direct evidence for the two-gap nature of MgB2. The film appeared to have a pi-band gap energy of 1.8 meV. For the MgB2 film ion-milled down to the thickness of ~320 nm, two coherence peaks were still observed, with the first conductivity peak at ~0.6 Tc. Reduction of Tc by 3 K and reduced normal-state conductivity at Tc were observed along with an enhanced pi-band gap energy of 2.1 meV and a reduced Rs at temperatures below 15 K for the ion-milled film.
Calculations based on the gap energies from the weak coupling Bardeen-Cooper-Schrieffer theory and the strong coupling theory suggest that both the sigma-band and the pi-band contribute significantly to sigma_1 of the polycrystalline MgB2 films. Our results are in contrast with the observation of a single coherence peak at ~0.6 Tc and the dominant role of the pi-band in the microwave conductivity of c-axis oriented MgB2 films as reported by ** et al. [Phys. Rev. Lett. 91, 127006 (2003)].
Variations in the inter-band coupling constants with the level of disorder can account for the different Tc and sigma_1 behavior of the as-grown and ion-milled films. Our results suggest that enhanced inter-band scattering can improve the microwave properties of MgB2 films at low temperatures due to the larger pi-band gap, despite the reduction of Tc.
Submitted 27 March, 2004;
originally announced March 2004.