IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 14, NO. 10, OCTOBER 2019 (p. 2720)

Demonstrating and Mitigating the Risk of an FEC-Based Hardware Trojan in Wireless Networks

Kiruba Sankaran Subramani, Student Member, IEEE, Angelos Antonopoulos, Member, IEEE, Ahmed Attia Abotabl, Member, IEEE, Aria Nosratinia, Fellow, IEEE, and Yiorgos Makris, Senior Member, IEEE

Manuscript received June 14, 2018; revised November 4, 2018; accepted February 1, 2019. Date of publication February 22, 2019; date of current version June 14, 2019. This work was supported by the National Science Foundation (NSF) under Grant 1514050. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Jean-Luc Danger. (Corresponding author: Yiorgos Makris.)
K. S. Subramani, A. Nosratinia and Y. Makris are with the Department of Electrical and Computer Engineering, The University of Texas at Dallas, Richardson, TX 75080 USA (e-mail: [email protected]; [email protected]; [email protected]).
A. Antonopoulos is with u-blox Athens S.A., Maroussi, 15125 Athens, Greece (e-mail: [email protected]).
A. A. Abotabl is with the Samsung SOC Research and Development Laboratory, San Diego, CA 92121 USA (e-mail: [email protected]).
Digital Object Identifier 10.1109/TIFS.2019.2900906
1556-6013 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Abstract— We discuss the threat that malicious circuitry (a.k.a. hardware Trojan) poses in wireless communications and propose a remedy for mitigating the risk. First, we present and theoretically analyze a stealthy hardware Trojan embedded in the forward error correction (FEC) block of an 802.11a/g transceiver. FEC seeks to shield the transmitted signal against noise and other imperfections. This capability, however, may be exploited by a hardware Trojan to establish a covert communication channel with a knowledgeable rogue receiver. At the same time, the unsuspecting legitimate receiver continues to correctly recover the original message, despite experiencing a slight reduction in signal-to-noise ratio (SNR), and therefore remains oblivious to the attack. Next, we implement this hardware Trojan on an experimental setup based on the Wireless Open Access Research Platform (WARP) and demonstrate (i) attack robustness, i.e., the ability of the rogue receiver to correctly receive the leaked information, and (ii) attack inconspicuousness, i.e., imperceptible impact on the legitimate transmission. Lastly, we theoretically analyze and experimentally evaluate a Trojan-agnostic detection mechanism, namely channel noise profiling, which monitors the noise distribution to identify inconsistencies caused by hardware Trojans, regardless of their implementation details. The effectiveness of channel noise profiling is experimentally assessed using the proposed hardware Trojan under various channel conditions and a different covert Wi-Fi attack previously proposed in the literature.

Index Terms— Channel noise profiling, forward error correction encoder, hardware Trojans, wireless networks.

I. INTRODUCTION

Wireless networks have become an inseparable part of everyday life and are now prevalent in most electronic systems. With over 6.8 billion mobile phone subscribers worldwide [1] and over 30 billion Internet of Things (IoT) devices expected by 2020 [2], security and privacy concerns have, inevitably, become paramount. Such concerns are accentuated by the fact that wireless networks exchange sensitive information over public channels and are, therefore, an appealing target. Indeed, staging such attacks is far more plausible since an attacker does not need to obtain physical access to their nodes.

To mitigate security and privacy concerns, most wireless communication networks employ some form of encryption to protect the confidentiality of the information communicated over a public channel [1]. Interestingly, while this provides the user with an (often misleading) sense of security, it also entices attackers, who know that valuable secret information is stored and exchanged between communicating nodes. Hence, wireless networks have been the target of intense attacks [3]–[9], the majority of which are staged via software or firmware modifications that leverage communication protocol vulnerabilities, all the way down to the physical (PHY) layer.

Beyond the attacks exploiting legitimate capabilities of software and firmware, however, hardware-induced vulnerabilities introduce a dangerous new dimension for compromising the security and privacy of wireless networks. Such vulnerabilities, wherein the hardware itself serves as the attack surface through malicious integrated circuit (IC) modifications known as hardware Trojans, have recently emerged due to the globalization of the electronics supply chain [10]–[15]. Accordingly, hardware Trojans have become a topic of intense investigation by academic researchers, industry, and governmental entities alike [16], who are realizing the repercussions of deploying Trojan-infested ICs in sensitive applications (e.g., military, financial, infrastructure) and are developing appropriate remedies.

Motivated to address the serious threat that hardware Trojans pose to wireless networks, in [17] we presented a preliminary study of (i) an FEC-based Trojan, which stages an attack in an 802.11a/g network and leaks sensitive information to a rogue receiver, and (ii) a Trojan-agnostic detection method, which leverages the noise characteristics to detect malicious hardware. Herein, we extend this study by theoretically analyzing the operation and impact of the FEC-based Trojan on the legitimate communication link and experimentally validating the effectiveness of the proposed detection mechanism over various channel conditions, as well as for an additional hardware Trojan implementation. Specifically, compared with [17], in this paper we make the following additional contributions:
• Analytically describe the Trojan operation and its impact on the legitimate transmission.
• Investigate the effect of rogue data on Quadrature Amplitude Modulation (QAM) with respect to its position in the transmitted symbol.
• Experimentally demonstrate the trade-off between Trojan inconspicuousness and attack robustness.
• Analytically describe and experimentally verify the effectiveness of channel noise profiling under various channel conditions using over-the-air experiments.
• Validate the Trojan-agnostic characteristic of channel noise profiling by demonstrating its ability to detect a different, previously published hardware Trojan attack on wireless networks.

Overall, the proposed FEC-based attack exposes the ability of hardware Trojans to establish high-throughput, rogue communication channels in complex, standards-compliant wireless links, while remaining covert and undetectable by commonly employed test methods. Similarly, the proposed channel noise profiling method provides a general and effective defense mechanism which does not assume knowledge of the hardware Trojan specifics and which cannot be tampered with by the attacker, as it is implemented on the receiver side.

The remainder of this paper is structured as follows. The threat model is discussed in Section II. The FEC-based Trojan attack, along with a theoretical analysis and simulation-based characterization of its operation, is presented in Section III. The proposed defense mechanism is introduced and its theoretical analysis is provided in Section IV. An experimental setup for evaluating the effectiveness of both the proposed attack and defense is described

II. THREAT MODEL

Fig. 1. Threat model.
Fig. 2. FEC operation.

... significantly affecting its quality. In other words, legitimate and rogue data must be transmitted at the same time, thereby increasing the net data transmitted by the Trojan-infested transmitter, compared with the Trojan-free version. In essence, this requires an increase in the outgoing data rate of the Trojan-infested transmitter, while it continues to operate within its circuit and wireless standard specifications. Interestingly, practical wireless devices facilitate such malicious activity because they rarely operate at their specification boundaries. Rather, due to a number of reasons outlined below, there typically exists a margin between the device operating point and the above-mentioned boundaries, wherein the hardware Trojan finds room to hide. Such reasons include:
• Optimal transmission may not be pursued due to Intellectual Property (IP) considerations, standards compliance, or other such reasons.
• Optimal reception requires maximum likelihood decoders, which have very high computational complexity. Many systems choose simpler decoding instead.
• The optimal transmission parameters are tied to channel conditions which are imperfectly known to transmitter and receiver.
• Circuits are designed conservatively to reduce cost and increase yield in the presence of process variations.

III. FEC-BASED HARDWARE TROJAN ATTACK

We now proceed to describe the FEC-based hardware Trojan attack in the context of an IEEE 802.11a/g network [18]. First, the general concept of the FEC-based hardware Trojan is
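The following is an added illustration of the general concept stated in the abstract and in Section II; it is not the paper's implementation, whose actual embedding scheme is described in Section III and is not reproduced here. It implements the IEEE 802.11a/g convolutional code (K = 7, rate 1/2, generator polynomials 133 and 171 octal) with a hard-decision Viterbi decoder, then models a hypothetical transmitter-side Trojan that overwrites one coded bit in every 16 with rogue data (the positions and rate are assumptions chosen so that the legitimate decoder's error-correcting margin absorbs them). The legitimate receiver still recovers the message, a rogue receiver that knows the positions reads the rogue bits back, and a receiver-side count of corrected errors, a toy stand-in for the paper's channel noise profiling, shows a systematic excess on an otherwise error-free channel. The message and rogue payload are constructed from a fixed seed.

```python
"""Toy model of an FEC-based covert channel and of receiver-side noise profiling.

Added illustration, not the paper's implementation: the 802.11a/g convolutional
code (K = 7, rate 1/2, generators 133 and 171 octal) is implemented, a hypothetical
Trojan overwrites a sparse, fixed subset of coded bits with rogue data, the
legitimate hard-decision Viterbi decoder still recovers the message, and a
receiver-side error count exposes the extra "noise" the Trojan injects.
"""
import random

K = 7                    # constraint length of the 802.11a/g code
G = (0o133, 0o171)       # generator polynomials; MSB is the current input bit
NSTATES = 1 << (K - 1)   # 64 encoder states
PERIOD = 16              # assumption: one rogue bit per 16 coded bits (every 8th symbol)


def _parity(x):
    return bin(x).count("1") & 1


def _step(state, bit):
    """Shift `bit` into the 6-bit state; return (next_state, (A, B) outputs)."""
    window = (bit << (K - 1)) | state            # 7-bit window, newest bit on top
    return window >> 1, tuple(_parity(window & g) for g in G)


def conv_encode(bits):
    """Rate-1/2 encoder. Callers append K-1 zero tail bits to flush the state."""
    state, out = 0, []
    for b in bits:
        state, sym = _step(state, b)
        out.extend(sym)
    return out


def viterbi_decode(coded):
    """Hard-decision Viterbi decoder; assumes the frame was flushed to state 0."""
    inf = float("inf")
    metric = [inf] * NSTATES
    metric[0] = 0
    history = []                                 # per symbol: best (prev_state, bit) per state
    for i in range(0, len(coded), 2):
        r0, r1 = coded[i], coded[i + 1]
        nxt, back = [inf] * NSTATES, [None] * NSTATES
        for s in range(NSTATES):
            if metric[s] == inf:
                continue
            for b in (0, 1):
                ns, (a0, a1) = _step(s, b)
                m = metric[s] + (a0 != r0) + (a1 != r1)
                if m < nxt[ns]:
                    nxt[ns], back[ns] = m, (s, b)
        metric = nxt
        history.append(back)
    s, bits = 0, []                              # trace back from the flushed state
    for back in reversed(history):
        s, b = back[s]
        bits.append(b)
    bits.reverse()
    return bits[: len(bits) - (K - 1)]           # drop the tail bits


def trojan_embed(coded, rogue_bits):
    """Hypothetical Trojan in the transmitter: overwrite every PERIOD-th coded bit
    with a rogue bit. The legitimate receiver sees the overwrites as channel errors."""
    out = list(coded)
    for k, rb in enumerate(rogue_bits):
        out[k * PERIOD] = rb
    return out


def rogue_extract(received, count):
    """Knowledgeable rogue receiver: read the rogue bits back from the same positions."""
    return [received[k * PERIOD] for k in range(count)]


def noise_profile(received, decoded):
    """Receiver-side error estimate: Hamming distance between the received coded
    bits and the re-encoded decoded message, i.e. what the decoder had to correct."""
    reference = conv_encode(decoded + [0] * (K - 1))
    return sum(a != b for a, b in zip(received, reference))


def run_demo(n_bits=256, seed=1):
    """Constructed frame: seeded random message and rogue payload, error-free channel."""
    rng = random.Random(seed)
    message = [rng.randint(0, 1) for _ in range(n_bits)]
    coded = conv_encode(message + [0] * (K - 1))            # 2 * (256 + 6) = 524 coded bits
    capacity = len(coded) // PERIOD                          # 32 rogue bits per frame
    rogue = [rng.randint(0, 1) for _ in range(capacity)]
    infested = trojan_embed(coded, rogue)
    injected = sum(a != b for a, b in zip(coded, infested))  # rogue bits that differ from the original
    return {
        "clean_ok": viterbi_decode(coded) == message,
        "trojan_ok": viterbi_decode(infested) == message,    # legitimate link still recovers the message
        "leak_ok": rogue_extract(infested, capacity) == rogue,
        "clean_errors": noise_profile(coded, viterbi_decode(coded)),
        "trojan_errors": noise_profile(infested, viterbi_decode(infested)),
        "injected": injected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The rogue rate here (1 coded bit in 16) is deliberately far below what the code's free distance of 10 can tolerate, which is why the legitimate decoder never fails; the paper's inconspicuousness-versus-robustness trade-off is exactly the question of how far that rate can be raised before the legitimate link degrades noticeably. The detection idea is the last two fields: on a clean channel a Trojan-free link corrects zero bits, whereas the infested link shows a stable, periodic excess that a receiver profiling its error statistics over many frames can flag without knowing anything about the Trojan's design.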