<inline-formula> <tex-math notation="LaTeX">$CSIsnoop$ </tex-math> </inline-formula>: Inferring Channel State Information in Multi-User MIMO WLANs

Abstract

Channel state information (CSI) has been proposed to enhance physical layer security by functioning as a shared secret between a transmitter and a receiver, because it decorrelates over half wavelength distances and cannot be predicted based on locations of the transmitter and receiver in rich scattering environments. Consequently, CSI was employed to generate passwords, to authenticate the source of packets, and to inject artificial noise to thwart eavesdroppers. However, in this paper, we present CSIsnoop, and show that an attacker can infer CSI in a multi-user MIMO WLAN, even when both channel sounding sequences from the access point and CSI measurement feedback from the clients are encrypted during downlink (explicit) channel sounding, or when uplink (implicit) channel sounding is employed. The insights of CSIsnoop are that the CSI of clients can be computed based on transmit beamforming weights at the access point, and that the transmit beamforming weights can be estimated from downlink beamforming transmission. In other words, we reveal the fundamental conflict between using CSI to optimize PHY design by beamforming and ensuring the confidentiality of CSI. We implement CSIsnoop on a software defined radio and conduct experiments in various indoor environments. Our results show that on average CSIsnoop can infer CSI of the target client with an absolute normalized correlation of over 0.99, thereby urging reconsideration of the use of CSI as a tool to enhance physical layer security in multi-user MIMO WLANs.