Abstract

We discuss the threat that malicious circuitry (a.k.a. hardware Trojan) poses in wireless communications and propose a remedy for mitigating the risk. First, we present and theoretically analyze a stealthy hardware Trojan embedded in the forward error correction (FEC) block of an 802.11a/g transceiver. FEC seeks to shield the transmitted signal against noise and other imperfections. This capability, however, may be exploited by a hardware Trojan to establish a covert communication channel with a knowledgeable rogue receiver. At the same time, the unsuspecting legitimate receiver continues to correctly recover the original message, despite experiencing a slight reduction in signal-to-noise ratio (SNR) and, therefore, remains oblivious to the attack. Next, we implement this hardware Trojan on an experimental setup based on the Wireless Open Access Research Platform (WARP) and we demonstrate (i) attack robustness, i.e., the ability of the rogue receiver to correctly receive the leaked information and (ii) attack inconspicuousness, i.e., imperceptible impact on the legitimate transmission. Lastly, we theoretically analyze and experimentally evaluate a Trojan-agnostic detection mechanism, namely, channel noise profiling, which monitors the noise distribution to identify inconsistencies caused by hardware Trojans, regardless of their implementation details. The effectiveness of channel noise profiling is experimentally assessed using the proposed hardware Trojan under various channel conditions and a different covert Wi-Fi attack previously proposed in the literature.
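Channel noise profiling as described in the abstract, as an added example that is not part of the paper or its code: a BPSK link over AWGN, with the Trojan's effect modelled only as an assumed +/- offset perturbation of the error vectors (not the paper's FEC-based mechanism), and a detector that compares the empirical error-vector variance and kurtosis against a baseline profile taken from a known-clean transmitter.

```python
import math
import random
import statistics

# Added example (not from the paper): toy channel noise profiling for a BPSK
# link over AWGN. The covert perturbation is an assumption standing in for a
# Trojan's effect on the error distribution; it does not reproduce the paper's
# FEC-based mechanism.

def error_vectors(received):
    """Error vector per sample: received value minus nearest BPSK point (+1/-1)."""
    return [r - (1.0 if r >= 0 else -1.0) for r in received]

def noise_profile(received):
    """Empirical noise statistics: mean, variance and kurtosis of the error vectors."""
    e = error_vectors(received)
    mean = statistics.fmean(e)
    var = statistics.pvariance(e, mean)
    sd = math.sqrt(var)
    kurt = sum(((x - mean) / sd) ** 4 for x in e) / len(e) if sd > 0 else 3.0
    return {"mean": mean, "var": var, "kurtosis": kurt}

def simulate_rx(n, sigma, covert_offset=0.0, seed=0):
    """Constructed received samples: random BPSK bits plus Gaussian noise, plus an
    optional +/-covert_offset term modelling a covert modulation (assumption)."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        bit = rng.choice((-1.0, 1.0))
        covert = covert_offset * rng.choice((-1.0, 1.0))
        samples.append(bit + rng.gauss(0.0, sigma) + covert)
    return samples

def detect_anomaly(received, baseline_var, var_tol=0.25, kurt_tol=0.5):
    """Flag a capture whose noise variance or kurtosis departs from the baseline
    profile (baseline_var: variance measured on a known-clean transmitter)."""
    p = noise_profile(received)
    var_dev = abs(p["var"] - baseline_var) / baseline_var
    return var_dev > var_tol or abs(p["kurtosis"] - 3.0) > kurt_tol

if __name__ == "__main__":
    baseline = noise_profile(simulate_rx(20000, 0.15, seed=1))["var"]
    clean = simulate_rx(20000, 0.15, seed=2)
    trojan = simulate_rx(20000, 0.15, covert_offset=0.15, seed=3)
    print("clean flagged:", detect_anomaly(clean, baseline))    # False
    print("trojan flagged:", detect_anomaly(trojan, baseline))  # True
```

The thresholds are illustrative; a subtler perturbation than the one constructed here would need a finer shape test (for example a goodness-of-fit test against the expected Gaussian) rather than the two-moment check shown.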
