Beacon Stuffing WiFi Without Associations Ranveer Chandra Jitendra
Beacon Stuffing Wi-Fi Without Associations Ranveer Chandra, Jitendra Padhye, Lenin Ravindranath, Alec Wolman
Purpose of Wi-Fi associations Which AP is serving client C? At any given point in time, there should be only one answer Responsibility for relaying downstream traffic Secondary purposes: PSM, capability negotiation “broadcast” applications: certain information is Inherently relevant to a particular location Largely independent of the receiving client ▪ e. g. not confidential
Wi-Fi Scanning Behavior Wi-Fi clients perform scans to discover nearby APs (disconnected and connected) Passive Scans ▪ Stations switch channels, listening for beacons Active Scans ▪ Stations send probe requests, listen for probe responses Networks Found Connected
Beacon Stuffing Low bandwidth communication protocol for IEEE 802. 11 (Wi-Fi) networks Construct a transport protocol by overloading beacons Clients receive information from nearby APs Even when they are disconnected When connected to another AP Primarily for “broadcast” applications Two way communication is also possible
Sample Applications Network Selection Localized Advertisements
Network Selection Beacons overloaded with Pricing Information Number of active users Other network utilization Information (e. g. 802. 11 k ) l Help end users or client software in making connection decisions
Wi-Fi Advertisements Delivery of advertisements over the Internet has become a huge market Ads are targeted – Relevant to the user Location-sensitive advertisements already becoming an important market Handheld devices with Wi-Fi are proliferating Embed advertisements in beacons Clients receive ads regardless of their connection status Implicitly location-sensitive “Push” model of ad delivery – improves privacy model Can include dynamic information e. g. 4 tables free, or 15 minute wait
Scenario Coffee. Day close to me. . Hmm! Wi. Fi Beacon Coffee Day Drink of the day is Hot Chocolate Client running our software I love Hot Choc! Go to Coffee. Day Ad. Center AP at Coffee. Day Within 250 m of Coffee. Day
Beacon-Stuffing Transport AP fragments each message and sends in successive beacons Client application performs reassembly, and presents the information to users Each fragment is of the form: <Unique. ID> - This identifies the specific message <Seq. No> - Fragment number <More Flag> - Boolean indicating whethere are more fragments in this message <Content> - Arbitrary byte stream (usually text)
How to send the fragments Three encoding strategies Overload the SSID Overload the BSSID Create a new Information Element
Use the beacon SSID field SSID is network name with 32 byte limit Pros User level client software is enough, no driver mods Cons Low Bandwidth Spams the user-interface (e. g. zero-config) Networks Found Connected
Use the beacon BSSID field BSSID length: only 6 bytes per beacon All messages can use the same SSID, say “Beacon. Transport” Client assembles message from multiple beacons Pros User level client software Avoids the spam problem Cons Very low bandwidth
Add a new Information. Element Each beacon carries a set of Information Elements Other management frames too (Probe Request, Probe Response) 802. 11 is extensible (sort-of) – Element IDs 32 -255 “reserved” Maximum length of an Information Element: 253 bytes Pros Moderate bandwidth Also avoids spam Feels less like an “ugly hack” Cons Requires driver modifications on most clients (except Vista)
Issues When a fragment is lost, so is entire message FEC, or probes to request retransmissions Throughput 100 ms is typical beacon interval, easy to adjust Airtime utilization Not necessary to send at lowest data rate Power management
Status & Future work We have built access point & client implementations on XP Recently finished version of client for Windows Mobile Future Test deployment (at MS? Or a local mall? ) Implement bi-directional communication (e. g. pub/sub for ads) Questions?
Backup slides
Advantages Clients receive beacons (hence ads) even when they are not connected to any network Clients receive beacons from other networks even when they are connected to a particular network Client need not send any information to the Access Point Can update Ad text to include dynamic information Ø Number of tickets left Ø Daily specials in a restaurant Ø Stock quotes
Distributing Coupons Starbucks: Get 10% off a Hot Chocolate Present coupon Discounted Coffee Step 1: Coupon Distribution Step 2: Coupon Validation User does not have to connect to the Internet!
Preventing forged Coupons Competitor’s AP sends fake coupons e. g. Tully’s AP sends invalid coupons for Starbucks Solution: ASP generates public-private key pair for all registered stores Coupon is encrypted with store’s private key ▪ E[coupon + time of validity]store_private_key ▪ Time of validity prevents replay of outdated coupons Store/ASP sends encrypted coupon to APs broadcasts encrypted coupons Clients validate coupon by decrypting with store’s public key
Models User awareness: Require user input AP tracking: Track which AP distributed the coupon Limited coupons: Limit number of distributed coupons AP not connected to Internet
- Slides: 20
