Practical Covert Channels For WiFi Systems


Jiska Classen*, Matthias Schulz*, and Matthias Hollick


Secure Mobile Networking Lab
Technische Universität Darmstadt
{jclassen, mschulz, mhollick}@seemoo.tu-darmstadt.de

Abstract—Wireless covert channels promise to exfiltrate information with high bandwidth by circumventing traditional access control mechanisms. Ideally, they are only accessible by the intended recipient and—for regular system users/operators—indistinguishable from normal operation. While a number of theoretical and simulation studies exist in the literature, the practical aspects of WiFi covert channels are not well understood. Yet, it is particularly the practical design and implementation aspect of wireless systems that provides attackers with the latitude to establish covert channels: the ability to operate under adverse conditions and to tolerate a high amount of signal variations. Moreover, covert physical receivers do not have to be addressed within wireless frames, but can simply eavesdrop on the transmission. In this work, we analyze the possibilities to establish covert channels in WiFi systems with emphasis on exploiting physical layer characteristics. We discuss design alternatives for selected covert channel approaches and study their feasibility in practice. By means of an extensive performance analysis, we compare the covert channel bandwidth. We further evaluate the possibility of revealing the introduced covert channels based on different detection capabilities.

arXiv:1505.01081v1 [cs.NI] 5 May 2015

I. INTRODUCTION

Wireless transmissions are broadly used, although properly securing them remains an issue. Typically, applications resorting to communications are protected by allowing information leakage only to authorized channels such as data transmission to permitted applications. Communication is often controlled by firewalls. However, potential adversaries might outsmart this protection and nevertheless leak information by setting up a covert channel hidden within inconspicuous actions. For example, they could modify the application layer, camouflaging text within an image on a shared storage, or they could alter the lower layers, e.g., within network protocols and timing.

When hiding information on upper layers, only a few variations such as using reserved bits or changing transmission timings are possible, since a firewall would easily detect any other type of modification [23]. In contrast, physical wireless transmissions are not plain bits but symbols containing a high amount of noise and random signal variations. Snatching raw data out of the air results in a very large amount of data compared to upper layer capturing, still not revealing whether the recording contained hidden information or not. Regular WiFi receivers are designed to reconstruct the signal despite variations, hence their performance does not significantly decrease when additional information is embedded. Due to the wireless broadcast nature, frames can contain oblivious sender and receiver addresses so as not to be suspicious to other network participants—and still be received by attackers. For instance, an online banking application could establish a secure connection to a server but maliciously publish login data over a covert wireless physical channel.

WiFi covert channels have been mostly studied in theory and simulation [10]. Practical evaluations are scarce due to the complexity of modifying existing network interface cards (NICs), the work of Dutta et al. [6] being an exception. We close this gap: in our work, we evaluate practical covert channels on the Wireless Open-Access Research Platform (WARP) [2] as well as off-the-shelf wireless NICs as legitimate receivers. Using WARP, we are able to utilize the same orthogonal frequency-division multiplexing (OFDM) modulation schemes as in 802.11a/g. Our covert channels can be easily adapted to OFDM-based wireless communication systems such as LTE, DVB-T, and upcoming standards like LTE Advanced. We aim at remaining compatible with the 802.11a/g standard and having little to no performance decrease on off-the-shelf receivers. Our contributions are as follows:
1) We analyze the IEEE 802.11a/g physical layer with respect to promising anchors for covert channels on frame level and symbol level.
2) We propose, analyze, and practically implement two novel covert channels. We study the performance in simulation and practice.
3) We analyze and improve two known covert channels; we practically implement them for the first time and study the performance in simulation and practice.
4) We compare the performance of all four covert channels and discuss practical limitations.

This paper is structured as follows: We introduce concepts behind WiFi covert channels in Section II. System and security assumptions are defined in Section III. In Section IV, covert channels and their performance in practice are analyzed. Section V evaluates and discusses results. In Section VI we survey related work. Finally, we conclude our results in Section VII.

* These authors contributed equally to this work.

II. BACKGROUND

In the following, we introduce the concept of covert channels and basic 802.11a/g physical layer operation.

A. Covert Channels

A first definition of covert channels is given in [15] with a focus on information exchange between programs. Channels are categorized as:
• legitimate: information required to manage the program,
• storage: information provided to the program; however, attackers might have access to it, and
• covert: never intended for information exchange.
The idea of covert channels is similar to that of steganography, where messages are hidden within ordinary objects. In case cryptography is forbidden within a network, covert channels can be used to hide encrypted communication.

A covert channel consists of Alice, the sending attacker, who wants to communicate with Bob, the receiving attacker, while being observed by Wendy, a warden. Wendy's legitimate goal is to detect if Alice and Bob exchanged information. In a wireless channel, the positions of Alice, Bob, and Wendy are arbitrary—Wendy might be closer to Alice than Bob. Alice and Bob try to obscure the transmitted information to hinder Wendy from detecting it. Alice will typically send legitimate traffic to other stations and embed the covert channel in it. In contrast, communication between Alice and Bob is obvious in a cryptographic system and does not constitute an attack, but Eve wants to illegitimately decipher their communication.

Covert channels are implementable with and without keys. Kerckhoff's law from cryptography is applicable to information hiding: the system has to be secure when everything except the key is public. Given this criterion, hiding information by relying on an unknown embedding algorithm is insecure. A wireless covert channel based on a public algorithm but a private key should be indistinguishable from noise. Covert channels are often combined with cryptography to make information look like noise or to add a further security measure.

B. OFDM

Physical layers of modern communication standards are based on orthogonal frequency-division multiplexing (OFDM). To efficiently use the available transmission bandwidth while still being able to correct channel distortions, the transmission band is divided into subcarriers (SCs). On each of these subcarriers, symbols are transmitted by defining amplitude and phase of the subcarrier frequency for the duration of each symbol T_sym. Limiting the length of each symbol leads to additional frequency components in the form of sinc functions around each subcarrier. To avoid inter-carrier interference (ICI), the spacing ∆f = 1/T_sym ensures that each subcarrier is placed on the zero-crossings of the sinc functions of all others, leading to orthogonality. During transmission, the signal suffers from frequency-selective phase and amplitude changes (fading) that can be corrected at the receiver. However, fading also implies a delay spread leading to the reception of multiple time-delayed copies of the transmitted signal. To avoid inter-symbol interference (ISI), a guard interval is inserted between two symbols, normally containing a continuation of the symbol called cyclic prefix (CP).

C. IEEE 802.11a/g physical layer

In the following, we take a closer look at the frame structure as well as at the OFDM-based transceiver blocks of 802.11a/g systems as illustrated in Figure 1. The presented components are also required for more advanced standards.

For transmission, media access control (MAC) layer data bits are scrambled to avoid consecutive ones or zeros, encoded for bit error correction, and interleaved for distribution over multiple subcarriers. This bit stream is mapped to symbols describing amplitude and phase of their subcarrier. Depending on the modulation order (bits per symbol) and the coding rate, eight gross transfer rates between 6 and 54 Mbps are defined in the WiFi standard [20]. In Figure 2, we illustrate the achievable bit error rates (BERs) on a plain AWGN channel before and after coding. The used modulation scheme is documented in the signal field (SIG), which is always encoded at 6 Mbps.

Using the Inverse Fast Fourier Transform (IFFT), subcarriers are modulated according to the symbol definitions, resulting in a time-domain signal in the baseband. Before upconversion to the transmission frequency, a preamble consisting of a short training field (STF) and a long training field (LTF) is prepended to every OFDM frame. A receiver needs the STF to adjust the gain of its low-noise amplifier (LNA), and the LTF to estimate and correct channel effects on each subcarrier. Due to frequency differences between f_c,tx and f_c,rx as well as frequency shifts due to the Doppler effect, carrier frequency offset (CFO) occurs, which breaks the orthogonality between subcarriers and hence requires correction. Coarse CFO correction makes use of the repetitive structure of either STF or LTF, while fine CFO correction uses pilot symbols that are transmitted on four subcarriers of the OFDM data symbols.

[Figure 1: block diagram of the 802.11a/g transmitter (bit stream construction, symbol mapper, pilot insertion, IFFT, CP insertion, STF/LTF insertion, DAC, PA, upconversion with exp(2πf_c,tx t)) and receiver (LNA/AGC, ADC, downconversion with exp(2πf_c,rx t), coarse CFO, symbol timing, CP deletion, FFT, channel estimation and fine CFO, symbol demapping, bit stream reconstruction). The diagram also marks the STF level, raw BER and effective BER measurement points.]
Fig. 1: 802.11a/g modulation and demodulation

[Figure 2: BER versus SNR (dB) from 5 to 40 dB for BPSK, QPSK, 16-QAM, and 64-QAM without FEC and with 1/2, 2/3, and 3/4 rate FEC.]
Fig. 2: BER baseline for WiFi frames before and after coding on an AWGN channel with varying SNR
III. SYSTEM OVERVIEW

In this section, we introduce a security model for wireless covert channels and describe our measurement setup.

A. Security Model

To secure a system against covert channels, there are two main procedures: either detecting or blocking them. Blocking can be implemented by a wireless jammer [3], [21], though jamming all wireless transmissions including legitimate ones is not an option. Since there are no further processing steps between sending and receiving a signal, there is no possibility to filter signal variations for covert channel blocking. Detecting covert channels to take further actions such as jamming or sender identification does not prevent legitimate wireless transmissions. Sending attackers could be identified using localization methods or device fingerprinting; however, fingerprints can be modified [17], and localization requires multiple antennas.

A covert channel should be secure against detection, even if the information hiding mechanism is known. Detection security limits the capacity of covert channels. Legitimate wireless transmissions containing covert data have to be indistinguishable from regular transmissions. Yet, the overall wireless capacity is limited and a high capacity covert channel might noticeably reduce legitimate throughput.

Layer 1 detection. On the physical layer, detection requires software defined radios (SDRs) or signal analyzers to capture the raw waveforms and measure error vector magnitudes (EVMs), CFOs, and SNRs. A detector could compare these measurements to a benchmark set of typical values in wireless transmissions, and check which of them deviate significantly beyond a certain margin of statistical tolerance. Hence, an attacker should aim at keeping variations of the signal relatively low, and let them only be remarkable in case a secret key is known, thus following Kerckhoff's principle; this reduces the actually achievable covert channel throughput.

In this paper, we aim at showing the potential of practical and 802.11a/g compliant covert channels. Providing an upper bound of performance, we do not implement statistical detection countermeasures; however, we give some intuition into how they work in each covert channel description.

Layer 2 detection. An upper layer detector uses off-the-shelf wireless NICs. Even though this equipment is not sufficient to record ongoing transmissions on the physical layer, information passed to upper layers might indicate whether a covert channel is present.

Frames are validated on reception using the frame check sequence (FCS) [20]. If it fails, the frame is dropped by default. Higher layers can only rely on irregularities in timing or throughput to detect covert channels. In our evaluation, we enable the capture of those frames having failed FCS checks using radiotap headers [1] to calculate actual BERs. Radiotap headers are supported by various chipsets and forward additional information, such as the transmission's center frequency, RF signal and noise power at the antenna, and the FCS. Detectors can correlate all this information, for instance, an increase of packet loss despite a constant RF signal power. Still, radiotap headers do not provide the raw signal. Applying Kerckhoff's law, information passed to upper layers is often insufficient for detecting high throughput covert channels.

[Figure 3: photographs of (a) the WARP transmitter, (b) the WARP receiver and the laptop receiver, and (c) a panorama of the lab setup with 5 m marked between transmitter and receivers.]
Fig. 3: Antenna setup for practical measurements.

B. Setup

We analyze the performance of covert channels in simulation and practice using the following setups.

1) Simulation: We evaluate if the proposed covert channels are feasible utilizing diverse channel models: A (no fading), B (residential), D (typical office), and E (large office) defined in [7] and commonly used for WiFi simulations. To each model, we add white Gaussian noise (AWGN) and base our results on 1000 Monte-Carlo simulations.

2) Practical Setup: Since simulations might disregard the behavior of real hardware, we evaluate all covert channels in our lab environment (see Figure 3). This evaluation is twofold. We use WARPs to transmit and receive 802.11g frames between Alice and Bob with covert channels. On the receiver, we can extract and analyze both the WiFi frame content and the covert channel. Hence, the WARP receiver can be considered as detector (Wendy) on Layer 1 as well as covert channel receiver (Bob). The signal processing on both nodes is implemented in MATLAB, which connects to the WARPs using WARPLab 7.5.0.

To analyze the effect on off-the-shelf WiFi devices, we use a laptop as detector (Wendy) on Layer 2 with a Qualcomm Atheros AR9285 Wireless Network Adapter (revision 01) that we run in monitor mode with radiotap headers.

IV. COVERT CHANNELS

In what follows, we present four practical covert channels for the physical layer of 802.11a/g.
1) A covert channel utilizing the Short Training Field in combination with Phase Shift Keying (STF PSK).
2) A covert channel utilizing the Carrier Frequency Offset with Frequency Shift Keying (CFO FSK).
3) A covert channel using 802.11a/g with additional subcarriers conforming to the 802.11n spectrum mask (Camouflage Subcarriers).
4) A covert channel replacing parts of the OFDM Cyclic Prefix (Cyclic Prefix Replacement).

The schemes "STF PSK" and "CFO FSK" are new; "Camouflage Subcarriers" and "Cyclic Prefix Replacement" are extensions and improvements to [11] and [10], respectively. To the best of our knowledge, none of the approaches were put into practice before.
A. Short Training Field with Phase Shift Keying (STF PSK)

Each 802.11a/g frame starts with the same STF in the preamble, which is used for frame detection, automatic gain control (AGC), and coarse CFO estimation. STF manipulations must preserve these capabilities at the receiver, otherwise the signal cannot be demodulated. Implementing a covert channel in the STF allows inserting one symbol per WiFi frame that is impossible to block even after detection.

1) Implementation: The STF contains binary phase-shift keying (BPSK) symbols that are shifted by 45° as illustrated in Figure 4a. We insert our covert channel by introducing an additional phase shift ∆φ into all STF symbols. As phase shifts do not change the power and correlation properties of the STF, it can still be used for AGC and packet detection. Additionally, the periodicity required for CFO correction is preserved.

Per WiFi frame, we insert one phase shift. Depending on the number of bits we intend to encode, we vary the number of possible phase shift values, which are mapped to bits using Gray coding. To extract the covert channel information, the receiver needs to compensate the channel effects in the STF using the LTF channel estimation. Then, ∆φ can be extracted and demapped to bits. In Figure 4b, we illustrate this process with 32 possible phase shifts (32-PSK, illustrated by black dots). The red circles mark the original STF symbol positions, and the cloud of blue dots are the received STF symbols from which we extract the phase difference to the original symbol positions.

[Figure 4: I/Q constellation of the STF symbols, (a) theoretical and (b) measured, with the covert rotation ∆φ marked.]
Fig. 4: STF PSK symbols are shifted by ∆φ to encode bits.

2) Performance: Assuming we transmit WiFi frames with STF phase shift keying (PSK) covert data over AWGN channels without fading, we can reach the BERs illustrated in Figure 5. The more bits we encode in the STF, the smaller the distance between the phase steps. This results in an increased BER. For a typical 25 dB SNR, 6 covert bits per STF can be hidden with less than 0.1% covert channel BER.

[Figure 5: raw BER versus SNR (dB) from 5 to 40 dB for BPSK, QPSK, 8-PSK, 16-PSK, 32-PSK, 64-PSK, 128-PSK, 256-PSK, 512-PSK, and 1024-PSK in the STF.]
Fig. 5: Raw BER of the covert channel implemented as STF PSK scheme over an AWGN channel for different amounts of bits per frame.

To evaluate the STF PSK performance in fading channels, we perform simulations with channel models B, D, and E with a fixed SNR of 25 dB introduced by AWGN. In Figure 6a, we illustrate the results from 32-PSK (5 bits/symbol) to 256-PSK (8 bits/symbol). We observe that transmissions up to 64-PSK modulation are always error free, while higher modulation orders result in more bit errors, especially when the effects of fading increase. In our lab, we measure that all modulation orders up to 128-PSK have low median error rates as illustrated in Figure 6b. We conclude that one can transfer roughly 6 to 7 bits per frame with very low BER.

[Figure 6: covert channel BER (0 to 60 %) (a) over the channel models AWGN, B, D, and E for 32-PSK, 64-PSK, 128-PSK, and 256-PSK, and (b) over the PSK modulation order from 2 to 1024.]
(a) Simulation with 24 Mbps WiFi frames (SNR = 25 dB).
(b) WARP-to-WARP measurement with 54 Mbps WiFi frames.
Fig. 6: BER of the STF PSK covert channel.

The achievable throughput of the covert channel strongly depends on the number of WiFi frames transmitted per second. For this scheme, short frames such as ACK and CTS (both 14 bytes long and sent at least at 36 Mbit/s) are ideal, since one 4 µs long OFDM-symbol sequence holds the complete MAC layer payload. Note that increasing frame rates without a plausible reason might help Wendy to detect information exchanges. Combined with STF (4 µs), LTF (8 µs) and signal field (4 µs), the complete frame is 16 µs long, resulting in a gross frame rate of 62,500 frames/s. Using 64-PSK, the STF PSK covert channel achieves a gross bitrate of 375 kbit/s.

3) Detection: Layer 1. A physical layer detector needs to perform the same steps as the covert channel receiver mentioned above. Those steps are not accomplished in regular WiFi receivers and require a custom SDR-based implementation or a spectrum/signal analyzer. To lower the detection probability, a transmitter can map bits only to small phase changes, which results in reduced covert channel throughput. As the secret information is already transmitted before it can be detected, a wireless jammer cannot be used to block the covert channel transmission without destroying every WiFi frame.

Layer 2. As mentioned above, a phase shift in the STF does not influence the functionality of the STF at the receiver. To verify this, we compared BERs of received WiFi frames with and without covert channel and were not able to distinguish between them, neither in simulation nor in practice when receiving with a WARP or an off-the-shelf WiFi card.
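As an added example (not code from the paper), the Layer 1 check described above: a detector that knows the nominal STF symbols equalizes the STF with the LTF estimate, measures the common rotation ∆φ, and compares it with a tolerance learned from covert-free frames. The sign pattern of the 12 active STF subcarriers, perfect LTF equalization, and the noise model are assumptions of this example.

```python
"""Layer 1 check for STF phase anomalies (constructed example).

Models the equalized STF subcarrier symbols of an 802.11a/g frame as noisy
observations of the nominal 45-degree BPSK points and measures the common
phase rotation delta_phi that an STF PSK covert channel would introduce.
"""
import cmath
import math
import random

# Nominal STF symbol on each of the 12 active subcarriers: (+/-)(1+j)/sqrt(2),
# i.e. BPSK rotated by 45 degrees. The sign pattern below is constructed for
# this example and is not the exact sequence of the 802.11 standard.
_SIGNS = [1, -1, 1, -1, -1, 1, -1, -1, 1, 1, 1, 1]
STF_REF = [s * complex(1, 1) / math.sqrt(2) for s in _SIGNS]


def simulate_equalized_stf(delta_phi_deg, snr_db, n_rep=10, rng=None):
    """Return n_rep noisy observations of the 12 STF subcarrier symbols.

    Assumes the receiver already equalized the channel with the LTF estimate
    (as the paper's covert receiver and Layer 1 detector both do), so only
    the covert rotation delta_phi and AWGN remain. The n_rep observations
    stand in for the repetitions of the short training symbol.
    """
    if rng is None:
        rng = random.Random(1)
    rot = cmath.exp(1j * math.radians(delta_phi_deg))
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)  # per real dimension, unit symbol power
    frames = []
    for _ in range(n_rep):
        frames.append([ref * rot + complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
                       for ref in STF_REF])
    return frames


def estimate_stf_phase_shift(observations):
    """Estimate the common rotation of the STF symbols in degrees.

    Each received symbol is multiplied with the conjugate of its known
    reference; the products are summed as vectors so noise averages out and
    angles never wrap. A regular receiver never computes this value, which
    is why the check needs SDR-level access to the raw STF.
    """
    acc = 0j
    for obs in observations:
        for rx, ref in zip(obs, STF_REF):
            acc += rx * ref.conjugate()
    return math.degrees(cmath.phase(acc))


def calibrate_tolerance(benchmark_frames, margin=4.0):
    """Statistical tolerance (degrees) from a benchmark set of covert-free frames."""
    devs = [abs(estimate_stf_phase_shift(f)) for f in benchmark_frames]
    mean = sum(devs) / len(devs)
    var = sum((d - mean) ** 2 for d in devs) / len(devs)
    return mean + margin * math.sqrt(var)


def benchmark_tolerance(n_frames=200, snr_db=25.0, margin=4.0, seed=42):
    """Tolerance learned from n_frames constructed covert-free frames."""
    rng = random.Random(seed)
    frames = [simulate_equalized_stf(0.0, snr_db, rng=rng) for _ in range(n_frames)]
    return calibrate_tolerance(frames, margin)


def is_anomalous(frame, tolerance_deg):
    """True if the measured STF rotation exceeds the benchmark tolerance."""
    return abs(estimate_stf_phase_shift(frame)) > tolerance_deg


if __name__ == "__main__":
    tol = benchmark_tolerance()
    print(f"tolerance learned from covert-free frames: {tol:.2f} deg")
    rng = random.Random(7)
    for order in (32, 64, 128, 256, 1024):
        step = 360.0 / order  # smallest phase step of that PSK order
        frame = simulate_equalized_stf(step, 25, rng=rng)
        est = estimate_stf_phase_shift(frame)
        print(f"{order:5d}-PSK step {step:6.2f} deg -> measured {est:6.2f} deg, "
              f"flagged={is_anomalous(frame, tol)}")
```

At 25 dB the smallest step of 1024-PSK lies close to the learned tolerance, which is the trade-off the text describes: smaller phase changes lower the detection probability and the covert throughput together.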
B. Carrier Frequency Offset with Frequency Shift Keying (CFO FSK)

A WiFi baseband signal is upconverted to the carrier frequency f_c with f_c,tx ≈ f_c and downconverted using f_c,rx ≈ f_c (see Figure 7). Their difference results in a CFO, which needs to be corrected, together with the additional CFO due to the Doppler effect. WiFi receivers are capable of correcting CFOs by tracking the pilots that are inserted into each OFDM symbol. We introduce an artificial f_CFO at the transmitter as covert channel. Regular WiFi receivers silently correct f_CFO, while covert channel receivers can extract the hidden information.

1) Implementation: To encode bits, the transmitter maps them to the two frequencies ±∆CFO, each with a symbol length of an OFDM symbol (4 µs). The resulting complex waveform is multiplied with the time-domain signal of the WiFi frames in the baseband. This shifts each OFDM symbol by ±∆CFO in the frequency domain, depending on the encoded bit.

A covert channel receiver estimates the phase shifts of the pilot symbols for each OFDM symbol, as illustrated in Figure 8. The covert CFO changes are superimposed on an additional slowly varying CFO. To extract bits despite further CFO components, the receiver first lowpass filters the CFO estimate and uses it as a threshold for a hard decision decoder. The six outer bits on both sides are discarded as they contain many bit errors. The lowpass filter is implemented as a 20-tap finite impulse response (FIR) filter, which requires at least 60 OFDM symbols to work correctly.

2) Performance: In the simulations we add a fixed 50 kHz CFO for both AWGN and fading channels as well as a 15 Hz maximum Doppler spread for the fading channels B, D, and E, representing environmental movement. The resulting AWGN covert rates for different ∆CFO values in Figure 9 show that stronger CFO changes enhance the covert channel. As illustrated in Figure 10, stronger multipath effects lead to higher covert BERs. Especially in model E, a ∆CFO of more than 10 kHz is required to keep the BERs low. In WARP-to-WARP measurements with 54 Mbps WiFi frames, for ∆CFO = 1 kHz the average covert BER is 15%—for ∆CFO ≥ 5 kHz no errors occur, which is comparable to the AWGN simulation results.

The BERs of the WiFi frames in both simulation (Figure 11a) and practice (Figure 11b) show that—up to 10 kHz ∆CFO—there is almost no increase in the BERs at the detector. To avoid detection, the lowest working ∆CFO should be chosen, which is 5 kHz in our lab. By encoding 1 bit per 4 µs OFDM symbol, the covert throughput is 250 kbit/s.

[Figure 7: baseband diagram of the transmitter (TX) applying f_CFO before upconversion with f_c,tx and the receiver (RX) downconverting with f_c,rx.]
Fig. 7: We introduce artificial CFO f_CFO into each OFDM symbol in the baseband.

[Figure 8: frequency offset (normalized, −2 to 0) of the raw and filtered CFO estimate over OFDM symbols 20 to 100, showing the two-level pattern of the binary shift keying.]
Fig. 8: Frequency offset measurement of each received OFDM symbol showing the binary shift keying modulation.

[Figure 9: raw BER versus SNR (dB) from 5 to 40 dB for ∆CFO of 1000 Hz, 5000 Hz, 10000 Hz, and 20000 Hz.]
Fig. 9: Raw BER of the CFO FSK covert channel over AWGN channels with different ∆CFO.

[Figure 10: covert channel BER (0 to 60 %) over the channel models AWGN, B, D, and E for ∆CFO of 1 kHz, 5 kHz, 10 kHz, and 20 kHz.]
Fig. 10: CFO FSK covert channel simulation with 24 Mbps WiFi frames (SNR = 25 dB).

[Figure 11: frame BER (0 to 35 %) without covert channel and with ∆CFO of 1 kHz, 5 kHz, 10 kHz, and 20 kHz, (a) over the channel models AWGN, B, D, and E, and (b) as WARP raw BER, WARP effective BER, and WiFi effective BER.]
(a) Simulation with 24 Mbps WiFi frames (SNR = 25 dB).
(b) WARP-to-WARP/Laptop 54 Mbps legitimate receiver.
Fig. 11: CFO FSK BER at the legitimate receiver.

3) Detection: Layer 1. Every WiFi receiver estimates and corrects CFOs. However, those measurements are normally directly discarded during signal processing. As shown in Figure 8, receivers capable of analyzing CFO changes over time can directly detect the binary pattern. Using lower ∆CFO values hardens detection but increases error probabilities on the covert channel.

Layer 2. Our simulated and practical results in Figure 11 show that large CFO changes drastically increase BERs in all channel models. However, in our setup a ∆CFO of 5 kHz is sufficient for covert transmissions without increasing errors in the WiFi frame reception. Furthermore, ∆CFO could slowly be increased to stealthily reach a working point, preventing detectable sudden BER changes. Hence, CFO frequency shift keying (FSK) can be undetectable on Layer 2 if configured carefully.
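An added example, not the paper's MATLAB code, of the per-symbol CFO analysis that the Layer 1 detection paragraph above describes: it applies the 20-tap lowpass filter and hard decision of the covert receiver to a recorded CFO series and adds a kurtosis test on the residual that separates a ±∆CFO two-level pattern from plain estimation noise. The drift model, the noise level, and the kurtosis limit are assumptions of this example.

```python
"""Layer 1 check for CFO FSK: inspect the per-symbol CFO estimate over time.

A regular receiver estimates the CFO of every OFDM symbol from the pilots,
corrects it and throws the value away. This constructed example keeps the
series, removes the slowly varying part with a 20-tap lowpass filter, and
then (a) demodulates the residual with a hard decision and (b) tests the
residual for the two-level structure a binary FSK pattern leaves behind.
"""
import math
import random

FIR_TAPS = 20     # lowpass length used in the paper
MIN_SYMBOLS = 60  # the paper reports the filter needs at least 60 symbols
GUARD_BITS = 6    # outer symbols on each side are discarded (filter transient)


def simulate_cfo_series(bits, delta_cfo_hz, noise_hz, base_cfo_hz=50e3, seed=3):
    """Constructed per-symbol CFO estimates (Hz) for one frame.

    base_cfo_hz plus a slow sinusoidal drift models the oscillator and
    Doppler offset that every receiver tracks anyway; the covert transmitter
    adds +delta for a 1 and -delta for a 0 to each OFDM symbol; noise_hz
    models the pilot-based estimation error.
    """
    rng = random.Random(seed)
    series = []
    for i, b in enumerate(bits):
        drift = 200.0 * math.sin(2 * math.pi * i / 150.0)  # slowly varying CFO
        covert = delta_cfo_hz if b else -delta_cfo_hz
        series.append(base_cfo_hz + drift + covert + rng.gauss(0, noise_hz))
    return series


def lowpass_fir(series, taps=FIR_TAPS):
    """Centred moving-average FIR filter over `taps` symbols (shorter at the edges)."""
    half = taps // 2
    out = []
    for i in range(len(series)):
        lo, hi = max(0, i - half), min(len(series), i + half)
        window = series[lo:hi]
        out.append(sum(window) / len(window))
    return out


def residual_cfo(series):
    """CFO estimate minus its lowpass version; the covert pattern lives here."""
    if len(series) < MIN_SYMBOLS:
        raise ValueError("need at least %d OFDM symbols" % MIN_SYMBOLS)
    filtered = lowpass_fir(series)
    return [s - f for s, f in zip(series, filtered)]


def hard_decision_bits(series):
    """Same demodulator as the covert receiver: above the filtered CFO means 1,
    below means 0; the six guard symbols on each side are dropped."""
    res = residual_cfo(series)
    return [1 if r > 0 else 0 for r in res[GUARD_BITS:-GUARD_BITS]]


def residual_kurtosis(series):
    """Kurtosis of the residual: about 3 for plain estimation noise, close
    to 1 when a +/-delta two-level pattern dominates."""
    res = residual_cfo(series)[GUARD_BITS:-GUARD_BITS]
    mean = sum(res) / len(res)
    m2 = sum((r - mean) ** 2 for r in res) / len(res)
    m4 = sum((r - mean) ** 4 for r in res) / len(res)
    return m4 / (m2 * m2)


def looks_like_cfo_fsk(series, kurtosis_limit=2.0):
    """Flag a frame whose CFO residual is two-level rather than Gaussian."""
    return residual_kurtosis(series) < kurtosis_limit


if __name__ == "__main__":
    rng = random.Random(5)
    bits = [rng.randint(0, 1) for _ in range(200)]  # constructed covert payload
    for delta in (0.0, 1e3, 5e3, 10e3):
        s = simulate_cfo_series(bits, delta, noise_hz=300.0)
        rx = hard_decision_bits(s)
        errors = sum(a != b for a, b in zip(rx, bits[GUARD_BITS:-GUARD_BITS]))
        print(f"delta={delta / 1e3:5.1f} kHz  kurtosis={residual_kurtosis(s):.2f}  "
              f"flagged={looks_like_cfo_fsk(s)}  covert bit errors={errors}/{len(rx)}")
```

The kurtosis score degrades gracefully as ∆CFO approaches the estimation noise, which mirrors the trade-off in the text: lower ∆CFO hardens detection and raises the covert error rate at the same time.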
C. Camouflage Subcarriers

The camouflage subcarrier covert channel hides information in subcarriers used in other protocol variants. In 802.11a/g, 52 subcarriers are used for 48 data and 4 pilot transmissions, while 802.11n utilizes 56 subcarriers in the same band. The additional 4 subcarriers can be utilized in 802.11a/g transmissions as covert channel. At plain sight, the spectra look like valid 802.11n frames (as depicted in Figure 12). A regular 802.11a/g/n WiFi receiver does not sense the number of used subcarriers, but only checks the signal field at the beginning of the frame and continues decoding according to the 802.11a/g standard, simply ignoring camouflage subcarriers. Using additional subcarriers was proposed in [11], yet without the constraint to mimic another protocol version.

[Figure 12: spectrum (dBr, 0 to −40) over frequency (−30 to 30 MHz) of frames with and without camouflage subcarriers (CS) against the 20 MHz spectral mask.]
Fig. 12: Spectra of both regular 802.11g frames and camouflage subcarrier frames fit into 20 MHz WiFi channels.

1) Implementation: We replace the 802.11a/g LTF with the 802.11n HT-LTF, which still correlates with the LTF, thus allowing a proper timing synchronization at the receiver. Additionally, the covert receiver can estimate the channel effects of the camouflage subcarriers.

2) Performance: When comparing Figure 13 to Figure 2, it is obvious that the covert subcarriers perform very similarly to the normal subcarriers. Depending on channel effects and output filters, it might happen that the outer subcarriers have a slightly different performance, though. Covert subcarrier performance for different channel models is depicted in Figure 14. Assuming camouflage and normal subcarrier performance are similar, the covert channel performance is 8.3 % of the normal channel throughput.

[Figure 13: raw BER versus SNR (dB) from 5 to 40 dB for BPSK, QPSK, 16-QAM, and 64-QAM on the camouflage subcarriers.]
Fig. 13: Raw BER of the camouflage subcarriers over AWGN.

In our experiments, we vary the rate of the camouflage subcarriers, while keeping the rate of the regular WiFi data fixed. Figure 14 compares simulation results of camouflage subcarriers. Experimental results are not illustrated—the WARP-to-WARP channel in our lab is quite good and no errors occur in the camouflage subcarriers for all modulation orders.

[Figure 14: covert channel BER (0 to 35 %) over the channel models AWGN, B, D, and E for BPSK, QPSK, 16-QAM, and 64-QAM.]
Fig. 14: BER of covert camouflage subcarriers in simulation with 24 Mbps WiFi frames (SNR = 25 dB).

3) Detection: Layer 1. A Layer 1 detector that can decode the signal field is able to determine if the number of subcarriers within the signal is correct. However, only checking the spectrum will not reveal the covert channel, as it is still valid and conforms to the 802.11n standard.

Layer 2. A Layer 2 detector has insufficient information since neither normal subcarrier performance decreases nor interference with neighboring channels occurs. Even further subcarriers can be used to increase covert channel throughput as long as the neighboring channels do not overlap, but this could be easily detected on Layer 1. Our results show that adding camouflage subcarriers increases BERs neither in simulation nor in practice.

[Figure 15: (a) covert symbols (TX) cut into CP-sized pieces and embedded in the time domain, added to the normal symbols, and reassembled at the covert receiver (RX); (b) a smaller FFT size for the covert symbols so that one covert symbol fits within one CP.]
(a) CP cutting and embedding within one subcarrier in the time domain.
(b) Effect of a smaller FFT size for covert symbols within one CP.
Fig. 15: CP replacement methods compared.
D. Cyclic Prefix Replacement

Multipath effects and timing offsets during demodulation cause overlapping OFDM symbol parts, called inter-symbol interference (ISI). In 802.11a/g, a cyclic prefix (CP) is prepended to symbols in order to reduce ISI. At reception, this CP is not decoded. Nevertheless, the CP might still be larger than the actual ISI and, hence, can be used as a covert channel.

A simulation in [10] replaces the complete CP with covert symbols. This results in a normal channel with up to 54 Mbit/s according to 802.11a/g and an additional covert channel achieving 13.5 Mbit/s, since the CP length is 1/4 of the normal symbol. The channel performs well as the simulations are limited to AWGN channels with neither fading nor ISI; hence, the CP is not required at all there. In practice, we could not reproduce such optimistic results.

1) Implementation: There are basically two ways of embedding data in the CP. In the first approach, four CPs are combined to obtain a symbol of regular length. In a practical channel instead of the AWGN channel proposed in [10], fading effects disturb samples near the concatenation points. A solution is shown in Figure 15a, where the covert symbols are distributed over multiple CPs with some overlapping samples. First simulation results, however, show that more concatenations lead to more disturbances (e.g. due to the Doppler effect), making this approach impractical.

The second approach decreases the Fast Fourier Transform (FFT) size to a maximum of the actual CP length, automatically leading to fewer subcarriers as depicted in Figure 15b. Even though only 1/4 of the subcarriers are used in a 16-point FFT compared to the normal symbol's 64-point FFT, 12 symbols are usable by replacing the full CP. Using four CPs, 48 symbols can be used for data transmission—analogous to the first approach. To reduce the ISI with regular OFDM symbols, the covert channel FFT size can be reduced to 8, 4, or 2 at the cost of covert throughput. Prepending a CP to the covert channel in the CP (called CPCP) even removes ISI inside the covert channel. In our experiments, we add a CPCP of 2 samples to the 1/2 CP replacement scheme.

2) Performance: The performance of the CP replacement covert channel is very high. Figure 16 compares BERs for different CP replacement strategies in an AWGN channel. Replacing shorter parts of the CP results in more errors. Adding a CPCP does not help in an AWGN channel because the channel does not introduce ISI. In contrast, in the multipath channel simulations illustrated in Figure 17a, the CPCP significantly decreases the covert channel BERs. In our lab environment, the CPCP is required and very effective: it reduces the BER to 0% as shown in Figure 17b. Depending on the actual amount of multipath effects, a higher CPCP length is reasonable.

[Figure 16: raw BER versus SNR (dB) from 5 to 40 dB for BPSK, QPSK, 16-QAM, and 64-QAM with full, 1/2, and 1/4 CP replacement.]
Fig. 16: Raw BER of the Cyclic Prefix Replacement covert channel over AWGN channels.

[Figure 17: covert channel BER (0 to 40 %) for full CP, 1/2 CP without CPCP, and 1/2 CP with CPCP, (a) over the channel models AWGN, B, D, and E, and (b) per CP replacement scheme.]
(a) Simulation with 24 Mbps WiFi frames (SNR = 25 dB).
(b) WARP-to-WARP measurement with 54 Mbps WiFi frames.
Fig. 17: BER of covert CP replacement.

Throughput of full CP replacement is 25 % of the corresponding WiFi frame throughput, if multipath effects are neglected. For 1/2 CP replacement, the maximum throughput is reduced to 12.5% of the WiFi frame throughput. Hence, even with the CPCP improvement for fewer transmission errors, this covert channel has good performance.

[Figure 18: frame BER (0 to 35 %) without covert channel and with full CP, 1/2 CP without CPCP, and 1/2 CP with CPCP replacement, (a) over the channel models AWGN, B, D, and E, and (b) as WARP raw BER, WARP effective BER, and WiFi effective BER.]
(a) Simulation with 24 Mbps WiFi frames (SNR = 25 dB).
(b) WARP-to-WARP/Laptop measurement with 54 Mbps WiFi frames.
Fig. 18: BER of WiFi frames with CP replacement at legitimate receivers.

3) Detection: Layer 1. A physical layer detector can compare the last 16 samples of an OFDM symbol with its cyclic prefix, which should be similar except for ISI damage. Replacing parts of the original CP slightly increases out-of-band emissions that might be visible in a spectrum analyzer—but they are still within the spectral mask (see Figure 19).

Layer 2. Since the CP is removed before further processing

[Figure 19: spectrum (dBr) over frequency (−30 to 30 MHz) of frames with and without CP replacement against the 20 MHz spectral mask; caption not included in this excerpt.]
on Layer 2, the only visible effect is an increased BER in rich Fig. 19: The spectrum of CP Replacement frames has higher
multipath environments. A Layer 2 detector cannot measure out-of-band transmissions than regular frames.
the actual channel coefficients and thus, cannot distinguish
whether a high BER is caused by a covert channel or not.
As expected, in the multipath channels the legitimate BER show. In the practical measurements in Figure 18b, only a full
significantly increases at complete CP replacement. However, CP replacement has a negative effect on bit errors, especially
we could not measure negative effects of 1/2 CP replacement when using off-the-shelf NICs. Hence, attackers should replace
for channel models B, and D, as our results in Figure 18a less than 1/2 CP in typical environments to avoid detection.
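The following Python script is an added illustration of the second embedding approach and of the Layer 1 check described above; it is not the authors' WARP implementation. It builds an 802.11a/g-style OFDM symbol (64-point FFT, 16-sample CP, 48 data subcarriers), overwrites part of the CP with a small covert OFDM symbol (8-point FFT, 6 data subcarriers) preceded by a 2-sample CPCP, and then runs the detector's comparison of the CP against the last 16 samples of the symbol. The covert subcarrier layout, the QPSK mapping, and the choice to overwrite the first 10 CP samples are assumptions made for this example; all payload bits are constructed at random.

```python
"""Cyclic-prefix (CP) replacement covert symbol and a Layer-1 CP-consistency check.

Added example (not the paper's code). Models an 802.11a/g-style OFDM symbol
(64-point FFT, 16-sample CP, 48 data subcarriers) and the "1/2 CP with CPCP"
scheme: an 8-point covert OFDM symbol with a 2-sample CPCP replaces 10 of the
16 CP samples. Which CP samples are overwritten, the QPSK mapping and the
covert subcarrier layout are assumptions of this example.
"""
import cmath
import math
import random

N_FFT, N_CP = 64, 16                       # 802.11a/g symbol and its cyclic prefix
DATA_BINS = [k for k in range(-26, 27) if k not in (0, -21, -7, 7, 21)]  # 48 data bins
COVERT_FFT, COVERT_CP = 8, 2               # covert symbol: 8-point FFT, 2-sample CPCP
COVERT_BINS = [-3, -2, -1, 1, 2, 3]        # 6 data bins, DC left empty (assumption)

# Gray-coded QPSK: first bit from the sign of I, second bit from the sign of Q.
QPSK = {(0, 0): 1 + 1j, (1, 0): -1 + 1j, (0, 1): 1 - 1j, (1, 1): -1 - 1j}


def idft(freq):
    """Inverse DFT with 1/N scaling (direct sum; sizes here are tiny)."""
    n = len(freq)
    return [sum(freq[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)) / n
            for t in range(n)]


def dft(samples):
    """Forward DFT without scaling, the inverse of idft() above."""
    n = len(samples)
    return [sum(samples[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def qpsk_map(bits):
    return [QPSK[(bits[i], bits[i + 1])] for i in range(0, len(bits), 2)]


def qpsk_demap(points):
    bits = []
    for p in points:
        bits += [int(p.real < 0), int(p.imag < 0)]
    return bits


def ofdm_symbol(points, n_fft, n_cp, bins):
    """Place QAM points on subcarriers, IDFT, and prepend the CP (copy of the tail)."""
    freq = [0j] * n_fft
    for k, p in zip(bins, points):
        freq[k % n_fft] = p
    body = idft(freq)
    return body[-n_cp:] + body


def embed_covert(symbol, covert_bits):
    """Overwrite the first COVERT_CP + COVERT_FFT CP samples with a covert symbol.

    Assumption: the CP samples farthest from the legitimate symbol body are
    replaced, so the last 6 CP samples stay intact.
    """
    covert = ofdm_symbol(qpsk_map(covert_bits), COVERT_FFT, COVERT_CP, COVERT_BINS)
    assert len(covert) <= N_CP
    return covert + symbol[len(covert):]


def extract_covert(symbol):
    """Covert receiver: drop the CPCP, DFT the 8-sample covert body, demap."""
    region = symbol[:COVERT_CP + COVERT_FFT]
    freq = dft(region[COVERT_CP:])
    return qpsk_demap([freq[k % COVERT_FFT] for k in COVERT_BINS])


def cp_mismatches(symbol, tol=1e-9):
    """Layer-1 check: how many CP samples differ from the symbol's last 16 samples."""
    cp, tail = symbol[:N_CP], symbol[-N_CP:]
    return sum(1 for a, b in zip(cp, tail) if abs(a - b) > tol)


def cp_correlation(symbol):
    """Normalised correlation between CP and symbol tail; 1.0 for an untouched symbol."""
    cp, tail = symbol[:N_CP], symbol[-N_CP:]
    num = abs(sum(a * b.conjugate() for a, b in zip(cp, tail)))
    den = math.sqrt(sum(abs(a) ** 2 for a in cp) * sum(abs(b) ** 2 for b in tail))
    return num / den


def demo(seed=1):
    """Build one clean and one covert symbol from constructed random bits."""
    rng = random.Random(seed)
    wifi_bits = [rng.randrange(2) for _ in range(2 * len(DATA_BINS))]      # constructed
    covert_bits = [rng.randrange(2) for _ in range(2 * len(COVERT_BINS))]  # constructed
    clean = ofdm_symbol(qpsk_map(wifi_bits), N_FFT, N_CP, DATA_BINS)
    covert = embed_covert(clean, covert_bits)
    return {
        "covert_bits_ok": extract_covert(covert) == covert_bits,  # covert round trip
        "body_intact": covert[N_CP:] == clean[N_CP:],             # legitimate body untouched
        "clean_mismatches": cp_mismatches(clean),
        "covert_mismatches": cp_mismatches(covert),
        "clean_corr": cp_correlation(clean),
        "covert_corr": cp_correlation(covert),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the noise-free model the CP equals the symbol tail exactly, so every overwritten sample is counted and the correlation drops well below 1, while the legitimate symbol body is untouched, which is why a Layer 2 receiver sees nothing in a line-of-sight channel. A real receiver has to tolerate ISI and noise in this comparison, which is what turns the exact count into the per-channel-model BER and detectability trade-off the text measures.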
V. EVALUATION AND DISCUSSION

Next, we compare results and discuss the pros and cons of the investigated covert channels, summarized in Table I.

All covert channels introduced in this paper can be combined. Since they modify different parts of OFDM symbols, the overall performance when enabling all covert channels at once is their cumulative performance. This comes at the cost of an increased detectability; see subsection V-B on how to lower detectability. If detected, Wendy either tries to decode the covert channel or to block it, for example, using a wireless firewall such as WiFire [21]. The STF PSK covert channel is special, because even in case of detection it cannot be blocked.

A. Covert Channel Performance

A fair comparison of the covert channels is demanding, since they behave differently depending on the channel models, legitimate traffic, etc. The simulated AWGN channel is overly optimistic compared to our lab setup, while channel model B is rather similar to our lab setup and yields comparable performance for the covert channels. Hence, we present empirical results for our lab measurements with a raw BER of 0.1 %, which can easily be corrected with basic coding schemes. Simulated channels D and E include effects not observable in our lab, hence yielding significantly harsher conditions for both covert and legitimate channel.

Some covert channel rates are frame-based while others are symbol-based. Depending on this, either the maximum or the minimum frame size is optimal to increase performance. The minimum frame size is 14 bytes for clear to send (CTS) and ACK frames. Data frames can have a maximum frame size of up to 2338 bytes, assuming an unencrypted 802.11a/g data frame consisting of a MAC header (typically 30 bytes), a MAC service data unit (MSDU) (0-2304 bytes), and a FCS (4 bytes) [20]. Delays between frames depend on contention in the MAC layer and on frame types, hence we omit them in our exemplary calculation in Table I—as they are omitted when claiming an 802.11a/g maximum gross data rate of 54 Mbit/s. Choosing minimum or maximum frame size on Layer 2 might be suspicious to attackers, thus this is only a reference for the optimal case. For low detection probability, the covert channel should be embedded in everyday network traffic.

B. Detection Probability

Table II summarizes a comparison of the detectability of all the proposed covert channels. Detectability is subject to the choice of the covert channel parameters; configuring the covert channel for lower throughput can help to evade detection.

Layer 1. A Layer 1 detector might take a look at the spectrum and IQ constellation diagrams with a spectrum/signal analyzer. In case the Layer 1 detector must compare properties in the time domain, an SDR-supported analysis is optimal. In the spectrum, CP replacement is visible since it introduces distortions into the CP, which violate a smooth signal continuation in it. Camouflage subcarriers can be detected, but since their spectrum is valid for 802.11n, the signal field has to be decoded to identify the frame type.

When analyzing IQ constellations per symbol, all covert channels can be detected. However, camouflage subcarriers can only be identified as such if the signal field is decoded and checked. CP replacement is visible in the symbols after cutting off the CP, when Wendy is in a multipath-rich environment. Detection probability for STF PSK and CFO FSK can be lowered by reducing ∆Φ, respectively ∆CFO.

Layer 2. A Layer 2 detector can only see an increasing BER: if the covert channel is switched on and off immediately, BER changes are visible on Layer 2. Hence, STF PSK and camouflage subcarriers, which do not increase the normal channel BER, are not detectable on Layer 2. To reduce the detection probability of CFO FSK, reducing ∆CFO helps. Replacing shorter parts of the CP helps to diminish distortions in multipath-rich environments, leading to lower overall BERs.

TABLE I: Summary of the analyzed covert channels. The exemplary performance values use our lab setup. Covert and legitimate channel have a median raw BER of below 0.1 % and use optimal settings for the covert channel.

| Covert Channel | Section | Conclusion |
|---|---|---|
| STF PSK | Sec. IV-A | Introduces phase shift to STF; immune to reactive jamming; no influence on WiFi BER; 1 PSK symbol per frame; max. covert rate 375 kbit/s for 64-PSK |
| CFO FSK | Sec. IV-B | Introduces artificial CFO; tunable for no influence on WiFi BER; 1 bit per OFDM symbol; max. covert rate 250 kbit/s for 5 kHz FSK |
| Camouflage Subcarriers | Sec. IV-C | Uses four additional subcarriers from 802.11n; no influence on WiFi BER; 4 QAM symbols per OFDM symbol; max. covert rate 4.5 Mbit/s for 54 Mbit/s WiFi frames |
| Cyclic Prefix Replacement | Sec. IV-D | (Partial) replacement of the cyclic prefix; no influence on WiFi BER in line-of-sight channels, but affected by multipath effects; 12 (full CP rep.) / 6 (half CP rep.) QAM symbols per OFDM symbol; max. covert rate 6.75 Mbit/s for 1/2 CP with CPCP |

TABLE II: Detectability comparison: detectable (y), not detectable (n), detectability/performance trade-off (p).

| | STF | CFO | CS | CP |
|---|---|---|---|---|
| Layer 1 spectrum | n | n | y/n | y (p) |
| Layer 1 constellations | y (p) | y (p) | n | y |
| Layer 1 decoding | n | n | y | y |
| Layer 2 BER | n | y (p) | n | y (p) |

VI. RELATED WORK

The idea of hiding information in wireless network traffic is not new. Most schemes are designed for the data link layer or higher, using reserved fields, time delays, or packet corruptions. An approach for transmitting data in corrupted frames was first proposed in [18]; cryptographic information identifying corrupted frames is exchanged in advance using Wired Equivalent Privacy (WEP) cipher initialization vectors (IVs) and MAC addresses. WEP IVs are implemented in [8], but without making covert data match the same probability distribution as IVs. In [16], reserved fields are proposed for 802.15.4 covert channels. An 802.11 MAC layer analysis on campus traffic in [12] evaluated utilizable fields due to randomness and high occurrence, proposing the Frame Control
Field (FCF) More Frag, Retry, PwrMgt, More Data as well as the 802.11 header fields Duration/ID and FCS. In [13], timings of Retry bits indicating retransmissions are used to encode information. Hiding wireless access points by swapping fields with an Atheros and madwifi-ng is realized in [5].

Wireless physical layer covert channels are rare, but they are more generic. Hence, related work in this area is not only on 802.11g but on OFDM based systems in general. In [11], the usage of additional subcarriers in LTE and WiMAX is evaluated in simulation. The model assumes that covert sender and normal sender are different identities, therefore their timing offset impacts subcarrier orthogonality. 802.11n physical layer steganography using the CP is proposed in [10]. In a simple AWGN based simulation, they achieve a data rate as high as 1/4 of the normal channel without degradation.

To the best of our knowledge, there is only one wireless physical layer covert channel that was put into practice: dirty IQ constellations for 802.11a/g [6]. The authors define four IQ constellations in addition to the four raw QPSK points. This way, they can reach up to the same covert throughput as normal throughput. To circumvent detection, they modified constellations to use a Gaussian distribution, and compared them to regular noisy signals. However, when we tried to reproduce their results including the obfuscation mechanism, we had to cope with a high amount of bit errors, especially in more complex channel models.

A related topic to covert channels is watermarking of signals, allowing for identification and authorization on a physical layer basis. For this, an authentication tag is embedded. In [19], cognitive radio primary users add phase noise to QPSK symbols to authenticate themselves while maintaining backward compatibility to secondary users who are not aware of this scheme. A similar scheme for a non-return-to-zero encoding is proposed in [14] by embedding authentication tags in redundant information reducing ISI. A fingerprint can also be added to the channel state before sending; assuming only small channel changes between transmissions, users knowing the previous channel state can extract the fingerprint [9]. The QPSK scheme is secured against user emulation attacks in [4] by adapting the phase distortion to the current SNR. However, all these schemes were only verified in simulations. A practical implementation adding further IQ constellations as in [6] without Gaussian distribution is shown in [22].

VII. CONCLUSION

In this paper, we show that physical layer WiFi covert channels are feasible in practice. We design novel covert channels and improve known ones. Our work is—to the best of our knowledge—the first one to characterize various OFDM-based covert channels in practical settings. Based on our results, we discuss pros and cons of the covert channels with respect to their performance as well as their detectability. With this, we provide a first compendium for practical physical layer WiFi covert channels, which facilitates the understanding of this potential attack vector.

ACKNOWLEDGMENTS

This work has been funded by the German Research Foundation (DFG) in the Collaborative Research Center (SFB) 1053 "MAKI – Multi-Mechanism-Adaptation for the Future Internet" and by LOEWE CASED. We thank Halis Altug, Athiona Xhoga and Stephan Pfistner for the implementation of the first prototypes.

REFERENCES

[1] Radiotap. radiotap.org.
[2] WARP project. warpproject.org.
[3] E. Bayraktaroglu, C. King, X. Liu, G. Noubir, R. Rajaraman, and B. Thapa. Performance of IEEE 802.11 under jamming. Mobile Networks and Applications, 18(5):678–696, 2013.
[4] K. M. Borle, B. Chen, and W. Du. A physical layer authentication scheme for countering primary user emulation attack. In International Conference on Acoustics, Speech and Signal Processing (ICASSP), pages 2935–2939. IEEE, 2013.
[5] L. Butti and F. Veysset. Wi-Fi Advanced Stealth. Proceedings Black Hat US, Aug 2006.
[6] A. Dutta, D. Saha, D. Grunwald, and D. Sicker. Secret agent radio: Covert communication through dirty constellations. In M. Kirchner and D. Ghosal, editors, Information Hiding, volume 7692 of Lecture Notes in Computer Science, pages 160–175. Springer, 2013.
[7] V. Erceg et al. TGn channel models. IEEE 802.11-03/940r4, 2004.
[8] L. Frikha and Z. Trabelsi. A new covert channel in WiFi networks. In Third International Conference on Risks and Security of Internet and Systems (CRiSIS), pages 255–260, Oct 2008.
[9] N. Goergen, W. S. Lin, K. R. Liu, and T. C. Clancy. Authenticating MIMO transmissions using channel-like fingerprinting. In Global Telecommunications Conference (GLOBECOM), pages 1–6. IEEE, 2010.
[10] S. Grabski and K. Szczypiorski. Steganography in OFDM symbols of fast IEEE 802.11n networks. In Security and Privacy Workshops (SPW), pages 158–164. IEEE, 2013.
[11] Z. Hijaz and V. Frost. Exploiting OFDM systems for covert communication. In Military Communications Conference (MILCOM), pages 2149–2155, Oct 2010.
[12] C. Krätzer, J. Dittmann, A. Lang, and T. Kühne. WLAN steganography: a first practical review. In Proceedings of the 8th workshop on Multimedia and security, pages 17–22. ACM, 2006.
[13] C. Krätzer, J. Dittmann, and R. Merkel. WLAN steganography revisited. In Electronic Imaging, pages 681903–681903. International Society for Optics and Photonics, 2008.
[14] V. Kumar, J.-M. Park, T. C. Clancy, and K. Bian. PHY-layer authentication using hierarchical modulation and duobinary signaling. In International Conference on Computing, Networking and Communications (ICNC), pages 782–786. IEEE, 2014.
[15] B. W. Lampson. A note on the confinement problem. Commun. ACM, 16(10):613–615, Oct 1973.
[16] D. Martins and H. Guyennet. Attacks with steganography in PHY and MAC layers of 802.15.4 protocol. In Fifth International Conference on Systems and Networks Communications (ICSNC), pages 31–36, Aug 2010.
[17] S. U. Rehman, K. W. Sowerby, and C. Coghill. Analysis of impersonation attacks on systems using RF fingerprinting and low-end receivers. Journal of Computer and System Sciences, 80(3):591–601, 2014. Special Issue on Wireless Network Intrusion.
[18] K. Szczypiorski. HICCUPS: hidden communication system for corrupted networks. In International Multi-Conference on Advanced Computer Systems, pages 31–40, 2003.
[19] X. Tan, K. Borle, W. Du, and B. Chen. Cryptographic link signatures for spectrum usage authentication in cognitive radio. In Proceedings of the fourth ACM conference on Wireless network security, pages 79–90. ACM, 2011.
[20] The Institute of Electrical and Electronic Engineers, Inc. IEEE standard 802.11-2012. IEEE Standard for Information technology, 2012.
[21] M. Wilhelm, I. Martinovic, J. B. Schmitt, and V. Lenders. WiFire: a firewall for wireless networks. In Proc. SIGCOMM, 2011.
[22] P. L. Yu, J. S. Baras, and B. M. Sadler. Physical-layer authentication. Transactions on Information Forensics and Security, 3(1):38–51, 2008.
[23] S. Zander, G. Armitage, and P. Branch. A survey of covert channels and countermeasures in computer network protocols. IEEE Communications Surveys & Tutorials, 9(3):44–57, Third 2007.
