1
00:00:00,000 --> 00:00:02,417
HUNTER: Hey, everyone, thanks for coming.

2
00:00:02,417 --> 00:00:05,876
Today I want to talk about security and cognitive radio networks.

3
00:00:05,876 --> 00:00:07,501
There are a lot of companies now spending a lot

4
00:00:07,501 --> 00:00:09,999
of money on a prediction, and the prediction is that

5
00:00:09,999 --> 00:00:12,751
over the next ten years the number of connected devices and

6
00:00:12,751 --> 00:00:17,250
the amount of data that they're going to use is going to increase very fast.

7
00:00:17,542 --> 00:00:21,000
So new protocols and specifications and hardware are being developed

8
00:00:21,000 --> 00:00:24,501
to deal with this engineering problem of how do we add billions

9
00:00:24,501 --> 00:00:26,999
more devices to networks that are congested,

10
00:00:26,999 --> 00:00:29,626
especially wireless networks.

11
00:00:30,709 --> 00:00:32,999
A lot of times when these new protocols are

12
00:00:32,999 --> 00:00:36,999
designed it's important to think about how we make sure data integrity

13
00:00:36,999 --> 00:00:38,834
is maintained.

14
00:00:38,999 --> 00:00:41,083
In the networks I'm going to talk about today, a lot

15
00:00:41,083 --> 00:00:43,584
of thought has gone into it.

16
00:00:44,334 --> 00:00:48,876
The way research works is we start out with a system that's deployed

17
00:00:48,876 --> 00:00:52,709
and someone discovers a problem with it and we talk about it

18
00:00:52,709 --> 00:00:56,584
and everyone freaks out and it's up to the vendor or whoever

19
00:00:56,584 --> 00:00:59,709
is responsible to repair it and everyone relaxes

20
00:00:59,709 --> 00:01:02,792
until it happens all over again.
21
00:01:02,792 --> 00:01:07,459
So we have this cyclical band-aiding of almost everything that we interact

22
00:01:07,459 --> 00:01:11,250
with, and in cognitive radio networks it's far enough

23
00:01:11,250 --> 00:01:16,999
along to where there are deployments in the field but not so far along where,

24
00:01:16,999 --> 00:01:20,834
if we discover problems with it, we can actually make

25
00:01:20,834 --> 00:01:23,999
suggestions as to how things should be changed

26
00:01:23,999 --> 00:01:28,876
and it's not going to affect billions of people yet.

27
00:01:28,999 --> 00:01:31,999
But to understand how we can make the improvements, first we have

28
00:01:31,999 --> 00:01:35,209
to understand the system we're talking about.

29
00:01:35,667 --> 00:01:38,083
Initially we had radio: you have a transmitter and receiver,

30
00:01:38,083 --> 00:01:40,999
and if you want to change how the radio operates you have

31
00:01:40,999 --> 00:01:43,999
to turn a knob, and you have to be physically standing there, and

32
00:01:43,999 --> 00:01:47,417
the knob turns only so far one way or the other.

33
00:01:49,792 --> 00:01:53,167
Now we can turn those knobs in software and do it remotely,

34
00:01:53,167 --> 00:01:57,626
and we can control how far the knob turns one way or another.

35
00:01:57,751 --> 00:02:00,999
The next logical step is cognitive radio, which

36
00:02:00,999 --> 00:02:05,375
is adding a feedback loop into the radio itself, and it's capable

37
00:02:05,375 --> 00:02:08,999
of observing its surroundings and changing itself,

38
00:02:08,999 --> 00:02:12,459
its own parameters, to optimize whatever it's trying

39
00:02:12,459 --> 00:02:15,292
to do, and we have a bunch of these today,

40
00:02:15,292 --> 00:02:18,918
and we have a cognitive radio network.
41
00:02:18,918 --> 00:02:21,999
So not only are individual radios talking among themselves trying

42
00:02:21,999 --> 00:02:24,999
to understand how they can increase their performance,

43
00:02:24,999 --> 00:02:28,083
but they can talk to each other and they can talk back

44
00:02:28,083 --> 00:02:31,417
to a central base station somewhere and inform each other

45
00:02:31,417 --> 00:02:33,584
about what's going on, so another word

46
00:02:33,584 --> 00:02:38,834
for this might be an adaptive network, where they're teaching each other.

47
00:02:41,876 --> 00:02:44,083
To actually send information in the layer it's important

48
00:02:44,083 --> 00:02:45,959
to understand this.

49
00:02:48,999 --> 00:02:53,292
To actually send information over a wave, we can define it

50
00:02:53,292 --> 00:02:58,542
by three parameters: the frequency, how often a certain point reappears,

51
00:02:58,542 --> 00:03:01,209
amplitude, and its phase.

52
00:03:01,626 --> 00:03:04,792
Fiddling with one or more of these parameters is what we call

53
00:03:04,792 --> 00:03:08,959
modulation, so that's how we represent information in a wave.

54
00:03:09,083 --> 00:03:11,167
There are lots of ways you can do modulation,

55
00:03:11,167 --> 00:03:14,542
of course. If we start out with a wave like this, the top

56
00:03:14,542 --> 00:03:17,999
is the time domain and the bottom is the frequency domain;

57
00:03:17,999 --> 00:03:21,542
if we frequency modulate this, we see the frequency is changing

58
00:03:21,542 --> 00:03:24,292
with time, and in the frequency domain we can see

59
00:03:24,292 --> 00:03:26,209
the frequencies.

60
00:03:26,667 --> 00:03:30,250
There are more complicated ways to do this, too. For instance, this

61
00:03:30,250 --> 00:03:33,501
is amplitude modulation, and it's difficult to see how this

62
00:03:33,501 --> 00:03:36,999
is going on, but there are lots of different ways and each form

63
00:03:36,999 --> 00:03:39,999
of modulation has different trade-offs.
64
00:03:39,999 --> 00:03:41,999
So by changing individual parameters in each form

65
00:03:41,999 --> 00:03:44,918
of modulation we can trade off things like how fast it

66
00:03:44,918 --> 00:03:49,250
will go versus the bandwidth it will take up and stuff like that.

67
00:03:51,584 --> 00:03:54,959
So it's the hyped-up word for what you might describe

68
00:03:54,959 --> 00:03:57,959
as something that controls and commands individual

69
00:03:57,959 --> 00:03:59,876
cognitive nodes.

70
00:04:04,250 --> 00:04:06,375
These are examples of some of these.

71
00:04:06,709 --> 00:04:09,417
You will notice that these are all in different layers

72
00:04:09,417 --> 00:04:12,834
of abstraction, so some of them are in the physical layer and some

73
00:04:12,834 --> 00:04:15,876
of them are higher, and some of them depend on each other, so

74
00:04:15,876 --> 00:04:18,459
the cognitive engine is trying to accomplish a task,

75
00:04:18,459 --> 00:04:22,459
let's say minimizing interference and maximizing data rate.

76
00:04:22,999 --> 00:04:26,501
We would call that its objective function, and these are examples

77
00:04:26,501 --> 00:04:28,999
of inputs it would have.

78
00:04:28,999 --> 00:04:31,292
When I change those inputs it's going to change the output

79
00:04:31,292 --> 00:04:35,999
of this function, and it's going to minimize or maximize this function.
80
00:04:37,375 --> 00:04:41,999
This is a three-dimensional example. Normally you would have way

81
00:04:41,999 --> 00:04:46,375
more than three dimensions, so it would be impossible to view it

82
00:04:46,375 --> 00:04:51,417
like this, but something it might use is gradient descent or other simple

83
00:04:51,417 --> 00:04:55,626
machine learning techniques, and this works relatively well,

84
00:04:55,626 --> 00:04:58,999
but there are dangers of hitting local maxima

85
00:04:58,999 --> 00:05:03,709
and minima instead of global ones, and there are other techniques it can

86
00:05:03,709 --> 00:05:07,167
use. Another one is game theory, and this works well

87
00:05:07,167 --> 00:05:11,792
because spectrum is a resource that is being fought over by lots

88
00:05:11,792 --> 00:05:16,542
of people, and we can model this in game theory easily.

89
00:05:17,876 --> 00:05:23,459
One of the ways we can do this is to try to achieve Pareto optimality,

90
00:05:23,459 --> 00:05:26,667
which means if you've got a single cognitive radio network

91
00:05:26,667 --> 00:05:30,417
in a room by itself and there is no one else there, there

92
00:05:30,417 --> 00:05:33,667
is nothing it can do, no change it can make, that

93
00:05:33,667 --> 00:05:37,959
will increase its performance without decreasing the performance

94
00:05:37,959 --> 00:05:39,999
of another node.

95
00:05:39,999 --> 00:05:43,125
So this is the idealized case where you win every time.

96
00:05:43,125 --> 00:05:45,626
Now in real life, of course, this is never true.

97
00:05:45,626 --> 00:05:49,334
You're always competing with other people, and maybe there are

98
00:05:49,334 --> 00:05:54,083
malicious users on the network; in that case you can attempt

99
00:05:54,083 --> 00:05:58,292
to do a Nash equilibrium, and you're basically trying

100
00:05:58,292 --> 00:06:01,083
to not lose all the time.
101
00:06:01,584 --> 00:06:03,542
As long as everyone is using the same strategy, there

102
00:06:03,542 --> 00:06:06,375
is no change that any player can make to their strategy that

103
00:06:06,375 --> 00:06:09,999
will not increase the strategy of another player.

104
00:06:09,999 --> 00:06:14,209
This gets difficult to achieve in real life, so you can approximate it.

105
00:06:14,375 --> 00:06:16,876
But the point is there are ways that

106
00:06:16,876 --> 00:06:20,542
a cognitive engine can optimize this.

107
00:06:21,999 --> 00:06:25,542
Back in the 1800s, when wireless telegraph

108
00:06:25,542 --> 00:06:27,876
was showing up,

109
00:06:28,375 --> 00:06:31,709
it was really, really spectrally inefficient.

110
00:06:35,125 --> 00:06:38,250
So when operators were trying to talk to each other they would have

111
00:06:38,250 --> 00:06:40,459
to listen to see if there was anyone there, and

112
00:06:40,459 --> 00:06:43,459
if there wasn't then they could start talking.

113
00:06:43,876 --> 00:06:49,125
As you could imagine, this ended up not working very well at all, and

114
00:06:49,125 --> 00:06:54,292
in fact one of the more common messages people sent was

115
00:06:54,292 --> 00:07:01,834
"GTH OM QRT", which stood for "go to heck, old man, I'm trying to transmit."
116
00:07:01,876 --> 00:07:05,501
They would yell at each other until someone gave way

117
00:07:05,501 --> 00:07:09,375
and someone could transmit, and this was a big problem when

118
00:07:09,375 --> 00:07:13,959
the Titanic started sinking, because the shore transmitters were

119
00:07:13,959 --> 00:07:18,918
interfering with the ship rescue efforts, so in 1912 the FCC was created

120
00:07:18,918 --> 00:07:22,292
and this created licensing, and now people realized,

121
00:07:22,292 --> 00:07:26,167
to make sure that no one is interfering with each other,

122
00:07:26,167 --> 00:07:30,999
we need to have licenses: everyone is responsible for their own chunk

123
00:07:30,999 --> 00:07:35,542
of spectrum and you're not allowed to transmit where anyone else

124
00:07:35,542 --> 00:07:40,626
is, and this worked well, especially in the 80s and 90s when cell phone

125
00:07:40,626 --> 00:07:45,417
companies started becoming big and they aggressively started lobbying

126
00:07:45,417 --> 00:07:49,125
Congress to divide up more of the spectrum. It was divided

127
00:07:49,125 --> 00:07:52,584
up and rudimentary sharing began, because as long

128
00:07:52,584 --> 00:07:56,209
as you're not obviously in the same physical location

129
00:07:56,209 --> 00:07:59,918
or operating at the same time then you're not going

130
00:07:59,918 --> 00:08:02,918
to interfere with each other.

131
00:08:03,792 --> 00:08:07,751
Now recently something interesting has happened.
132
00:08:07,999 --> 00:08:13,250
Back in the 90s, when people started seeing this problem of, okay,

133
00:08:13,250 --> 00:08:18,083
maybe we should figure out how to ration the spectrum,

134
00:08:18,083 --> 00:08:22,417
people began setting up spectrum observatories,

135
00:08:22,417 --> 00:08:27,250
and a lot of the spectrum that people are buying

136
00:08:27,250 --> 00:08:31,584
isn't actually used, or at least not efficiently,

137
00:08:31,584 --> 00:08:36,999
so recently, several years ago, the FCC, after being petitioned

138
00:08:36,999 --> 00:08:40,083
by Google, decided to make unlicensed

139
00:08:40,083 --> 00:08:45,375
the old analog TV channels, so this is called TV white space,

140
00:08:45,375 --> 00:08:49,999
and Google was the primary push of that.

141
00:08:50,083 --> 00:08:52,584
So the problem is, because the licenses are not

142
00:08:52,584 --> 00:08:56,918
the same everywhere, stuff like white space isn't available

143
00:08:56,918 --> 00:08:59,083
everywhere, so this is a plot of one channel

144
00:08:59,083 --> 00:09:02,584
across the United States, and all the blue is where it's available

145
00:09:02,584 --> 00:09:05,876
and the green is where it's not available.

146
00:09:05,876 --> 00:09:07,542
So as you change channels the availability

147
00:09:07,542 --> 00:09:10,292
of the frequency changes as well.

148
00:09:10,542 --> 00:09:12,667
So this is the entire United States.

149
00:09:12,667 --> 00:09:13,459
It's a little deceiving on this plot

150
00:09:13,459 --> 00:09:17,083
because it's not plotting density, it's plotting channels and colors,

151
00:09:17,083 --> 00:09:20,083
and you can see it's mostly around big cities, but in the rest

152
00:09:20,083 --> 00:09:22,167
of the United States,

153
00:09:22,167 --> 00:09:24,918
like in the middle of the desert, there are no TV channels

154
00:09:24,918 --> 00:09:27,292
out there, so why not use it?
155
00:09:27,292 --> 00:09:32,999
And there are several companies that have begun taking advantage of this.

156
00:09:32,999 --> 00:09:35,709
The FCC has set up specific databases

157
00:09:35,709 --> 00:09:40,292
with Microsoft and Spectrum Bridge and Google, and you query these

158
00:09:40,292 --> 00:09:45,959
databases, and you tell them where you are and they will return to you a list

159
00:09:45,959 --> 00:09:50,918
of the frequencies you can use without paying for them.

160
00:09:50,918 --> 00:09:53,125
And Microsoft and Google have started using this

161
00:09:53,125 --> 00:09:58,209
in something called "super wifi", which is basically taking 802.11 and shifting it

162
00:09:58,209 --> 00:10:02,999
down to these frequencies; it's in UHF, so it's 500 and 600 megahertz.

163
00:10:02,999 --> 00:10:07,501
And they're doing trials: there are 40 installations in the United States,

164
00:10:07,501 --> 00:10:11,542
and they have trials going all over Africa, Kenya, South Africa,

165
00:10:11,542 --> 00:10:15,042
Tanzania, Singapore, Senegal, everywhere.

166
00:10:17,417 --> 00:10:21,334
This is really interesting, but there are other uses for this as well.

167
00:10:21,334 --> 00:10:23,125
There is a company in France called Sigfox which,

168
00:10:23,125 --> 00:10:26,999
rather than use this as another way to do wifi, is trying to use this

169
00:10:26,999 --> 00:10:31,000
for long-range wireless sensors that are really low power.

170
00:10:31,501 --> 00:10:34,083
So rather than connect people in a traditional network,

171
00:10:34,083 --> 00:10:37,751
they're connecting, for instance, farmers who need to measure

172
00:10:37,751 --> 00:10:41,250
the moisture of their field, and you've got a large area; this

173
00:10:41,250 --> 00:10:44,042
is the stuff they're working on.
174
00:10:44,167 --> 00:10:46,584
So especially for these low-power devices,

175
00:10:46,584 --> 00:10:49,375
we need new protocols and new ways to deal

176
00:10:49,375 --> 00:10:54,209
with these interesting physical and political properties.

177
00:10:54,459 --> 00:10:57,125
So there is another company in England called Neul that

178
00:10:57,125 --> 00:11:00,167
is developing a protocol called "Weightless", and it's

179
00:11:00,167 --> 00:11:03,667
interesting because it's set up as a special interest group,

180
00:11:03,667 --> 00:11:06,999
but as a private special interest group.

181
00:11:06,999 --> 00:11:10,501
Bluetooth did the same thing, so if you want to contribute to the spec,

182
00:11:10,501 --> 00:11:13,501
you have to pay a bunch of money.

183
00:11:13,501 --> 00:11:15,292
And in the case of Bluetooth you paid a bunch

184
00:11:15,292 --> 00:11:17,709
of money to contribute, and once they released

185
00:11:17,709 --> 00:11:20,792
the spec you could download that for free.

186
00:11:20,999 --> 00:11:24,918
Weightless works differently, and if you want to read the spec,

187
00:11:24,918 --> 00:11:28,667
they have now released version 1.0; it costs almost $1,000, and

188
00:11:28,667 --> 00:11:31,999
they claim it's an open spec, so I'm not really sure how

189
00:11:31,999 --> 00:11:34,834
that works, but I hope they perhaps take a turn

190
00:11:34,834 --> 00:11:37,751
because I'm sure there would be people interested

191
00:11:37,751 --> 00:11:41,751
in knowing how this works and poking around at it.

192
00:11:41,792 --> 00:11:43,542
Now I briefly want to talk about the kinds

193
00:11:43,542 --> 00:11:47,999
of attacks that specifically apply to cognitive radio networks.

194
00:11:48,083 --> 00:11:50,501
A lot of traditional network attacks will work

195
00:11:50,501 --> 00:11:55,167
on cognitive radio networks, but they work in different ways.
196
00:11:55,751 --> 00:11:57,999
I'm not going to enumerate every single attack

197
00:11:57,999 --> 00:12:00,626
but give you the kind of things you have to think

198
00:12:00,626 --> 00:12:02,834
about when dealing with networks like this,

199
00:12:02,834 --> 00:12:05,667
because it takes different thinking.

200
00:12:05,999 --> 00:12:09,959
I'm sure one attack everyone in here is familiar with is a replay attack:

201
00:12:09,959 --> 00:12:12,999
you take traffic off the network and store it and play it back

202
00:12:12,999 --> 00:12:14,999
at a later time.

203
00:12:16,083 --> 00:12:22,083
In a regular network that can be bad if you don't handle it right.

204
00:12:22,709 --> 00:12:24,501
But in a cognitive network it can be a good thing

205
00:12:24,501 --> 00:12:26,999
because it's constantly deciding how it can optimize and make better

206
00:12:26,999 --> 00:12:29,709
improvements and not interfere with others.

207
00:12:29,709 --> 00:12:31,999
So if it sees traffic returning to it that it

208
00:12:31,999 --> 00:12:35,542
has already seen, it may assume one of two things: there

209
00:12:35,542 --> 00:12:39,959
is a routing problem, especially if it's an ad hoc network, or there

210
00:12:39,959 --> 00:12:43,999
is a weird RF thing happening, perhaps it's seeing a reflection

211
00:12:43,999 --> 00:12:48,709
off a large surface or something, and it may adjust for it.

212
00:12:48,709 --> 00:12:50,709
So taking advantage of the assumptions that

213
00:12:50,709 --> 00:12:55,250
the cognitive engine makes is a large attack surface.

214
00:12:55,250 --> 00:12:59,918
One of the more obvious methods you may think of is changing

215
00:12:59,918 --> 00:13:04,959
the observations that individual nodes can see.
216
00:13:05,083 --> 00:13:08,751
So a legitimate node can observe an incumbent on some channel, and

217
00:13:08,751 --> 00:13:11,709
the way it would do that, there are several different ways:

218
00:13:11,709 --> 00:13:15,999
it can use something as simple as energy thresholding.

219
00:13:15,999 --> 00:13:18,626
So if there is power above a threshold it decides there

220
00:13:18,626 --> 00:13:21,876
is a person there, or it can use more complicated ways,

221
00:13:21,876 --> 00:13:25,250
for instance, cyclostationary analysis or wavelet analysis,

222
00:13:25,250 --> 00:13:28,667
and it can characterize the signal more.

223
00:13:28,751 --> 00:13:31,250
I'm not going to go into this work because the math

224
00:13:31,250 --> 00:13:35,542
is hairy, but it discovers there is a person there, and it will forward

225
00:13:35,542 --> 00:13:39,250
the message along the network until it hits a compromised node,

226
00:13:39,250 --> 00:13:41,792
in which case the message can be changed,

227
00:13:41,792 --> 00:13:45,876
and once this is forwarded along to the base station this can cause

228
00:13:45,876 --> 00:13:50,999
different decisions to be made, and this can do one of two things.

229
00:13:50,999 --> 00:13:52,834
First of all it means the real incumbent is going

230
00:13:52,834 --> 00:13:56,209
to be ignored and you can turn the network into your own jammer,

231
00:13:56,209 --> 00:13:58,876
and the other advantage is that you don't have

232
00:13:58,876 --> 00:14:01,918
to transmit anything to make it work.

233
00:14:01,918 --> 00:14:04,999
So rather than setting up your own radio and potentially being

234
00:14:04,999 --> 00:14:08,250
triangulated or something, you can simply change traffic

235
00:14:08,250 --> 00:14:11,918
to change what the observations happen to be.
236
00:14:12,209 --> 00:14:16,334
A simpler version would be routing disruption, another attack that

237
00:14:16,334 --> 00:14:18,999
is well documented in traditional networks,

238
00:14:18,999 --> 00:14:23,667
but if a node starts dropping packets or completely drops off the network,

239
00:14:23,667 --> 00:14:26,959
then this can be really bad for the cognitive engine,

240
00:14:26,959 --> 00:14:31,083
because if that particular area physically where the node is located

241
00:14:31,083 --> 00:14:36,959
is collecting valuable data, then it's now blind in that part of the network.

242
00:14:36,959 --> 00:14:42,334
So that can drastically change how the entire network will behave.

243
00:14:42,876 --> 00:14:43,626
By the way, you don't need

244
00:14:43,626 --> 00:14:46,292
a complicated exploit to make a small node, especially

245
00:14:46,292 --> 00:14:49,334
the kinds that are typically used in sensor networks, act

246
00:14:49,334 --> 00:14:52,459
like a black hole; a baseball bat will work to take the node

247
00:14:52,459 --> 00:14:54,250
off the network.

248
00:14:54,999 --> 00:14:58,417
The Sybil attack, another one originally designed for peer-

249
00:14:58,417 --> 00:15:02,792
to-peer networks, the idea being if you have a trust relationship

250
00:15:02,792 --> 00:15:06,626
between individual nodes or the base station, that you can take

251
00:15:06,626 --> 00:15:10,626
advantage of that by taking over additional nodes or adding more

252
00:15:10,626 --> 00:15:12,542
to the network.

253
00:15:12,667 --> 00:15:15,459
So especially in these cases it's really important

254
00:15:15,459 --> 00:15:20,083
to know who you can trust information from and when you can trust that

255
00:15:20,083 --> 00:15:21,834
it's real.

256
00:15:21,999 --> 00:15:23,667
So keeping track of individual nodes and

257
00:15:23,667 --> 00:15:27,459
whether or not they're being suspicious is important.
258
00:15:27,459 --> 00:15:30,417
So if you get enough of your own nodes on the network,

259
00:15:30,417 --> 00:15:34,584
then you now have basically a voting majority, and you can vouch

260
00:15:34,584 --> 00:15:38,709
for compromised nodes on behalf of each other.

261
00:15:38,709 --> 00:15:41,999
In this way you can indirectly control the decisions that the network

262
00:15:41,999 --> 00:15:44,459
is going to make, because you can feed it whatever you

263
00:15:44,459 --> 00:15:47,999
want it to hear, and then you can get a pretty good idea of what it's going

264
00:15:47,999 --> 00:15:50,167
to have to do in response.

265
00:15:50,626 --> 00:15:55,834
A priority attack is another interesting attack

266
00:15:55,834 --> 00:16:03,250
that is perhaps unique to this network.

267
00:16:03,792 --> 00:16:07,083
The idea is that you've got sensors in different places, like, let's say,

268
00:16:07,083 --> 00:16:09,999
you've got a sensor in a laboratory that's measuring,

269
00:16:09,999 --> 00:16:13,542
you know, the moisture of a fern or something, and then you've got

270
00:16:13,542 --> 00:16:15,667
another sensor in the same network that

271
00:16:15,667 --> 00:16:18,999
is measuring toxic fume levels in the lab.

272
00:16:19,083 --> 00:16:22,667
Clearly the one that's measuring fume levels should be much higher priority

273
00:16:22,667 --> 00:16:25,999
than the one measuring moisture in the plant.

274
00:16:25,999 --> 00:16:29,959
So by exploiting that, by telling the cognitive engine that you're

275
00:16:29,959 --> 00:16:34,584
a higher priority than you are, you can drive resources away

276
00:16:34,584 --> 00:16:37,999
from places that really need them.

277
00:16:38,375 --> 00:16:40,626
Especially in these cases where you're sharing

278
00:16:40,626 --> 00:16:43,709
spectrum, there is a finite amount of resources to go

279
00:16:43,709 --> 00:16:46,999
around and it's easy to clamp those off.
280
00:16:48,083 --> 00:16:52,501
Whenever people are designing hardware, especially for these networks,

281
00:16:52,501 --> 00:16:55,999
it's really, really easy when you're designing small

282
00:16:55,999 --> 00:16:59,667
nodes to rationalize weak crypto, and the reason for this

283
00:16:59,667 --> 00:17:03,834
is because if you're working on a microcontroller and writing

284
00:17:03,834 --> 00:17:07,584
in assembly and you're trying to squeeze every cycle out,

285
00:17:07,584 --> 00:17:12,751
it can be easy to say, who is going to try to break into this?

286
00:17:12,751 --> 00:17:16,709
Or, it doesn't really matter if someone is able to read this traffic, and a lot

287
00:17:16,709 --> 00:17:19,083
of it comes down to speed versus security,

288
00:17:19,083 --> 00:17:22,667
because in a network like this you have more overhead, so

289
00:17:22,667 --> 00:17:25,501
understanding what trade-off is to be made is hard,

290
00:17:25,501 --> 00:17:29,250
but it's important and it's easy to screw up.

291
00:17:29,250 --> 00:17:32,125
Data privacy on normal networks is important, but on these networks

292
00:17:32,125 --> 00:17:35,959
it gives you more information about the nodes themselves than

293
00:17:35,959 --> 00:17:38,709
perhaps on a regular network.

294
00:17:38,709 --> 00:17:41,709
For instance, location can be easier to discover

295
00:17:41,709 --> 00:17:45,999
for an individual node, because the spectrum it's observing

296
00:17:45,999 --> 00:17:48,999
is specific to where it is.

297
00:17:49,125 --> 00:17:51,751
Individual trees and buildings and stuff

298
00:17:51,751 --> 00:17:56,250
around specific nodes can drastically affect the spectrum they're observing,

299
00:17:56,250 --> 00:17:59,999
and you can characterize that and you can figure out where

300
00:17:59,999 --> 00:18:04,999
they are, and this can be bad if you're trying to keep that secure.
301
00:18:05,709 --> 00:18:08,292
So this, I think, primary user emulation,

302
00:18:08,292 --> 00:18:12,125
is the most challenging attack we're going to have to deal

303
00:18:12,125 --> 00:18:15,292
with in these kinds of networks.

304
00:18:16,083 --> 00:18:20,751
I should explain what a primary user is in the context of the FCC.

305
00:18:20,751 --> 00:18:23,626
What they talk about is a TV transmitter who owns

306
00:18:23,626 --> 00:18:28,083
the license; they would be the primary user, and everyone sharing

307
00:18:28,083 --> 00:18:31,709
the spectrum is the secondary user.

308
00:18:31,918 --> 00:18:34,792
So normally you look up the database and that tells you

309
00:18:34,792 --> 00:18:38,709
the primary users, and you go, okay, if they're on this list

310
00:18:38,709 --> 00:18:42,459
they may be a primary user, so this is an exploit of technology

311
00:18:42,459 --> 00:18:46,626
and policy, because the problem is, as the law stands, there is no way

312
00:18:46,626 --> 00:18:49,250
to authenticate a primary user, so if you set

313
00:18:49,250 --> 00:18:53,083
up a radio and broadcast episodes of "Happy Days" in the middle

314
00:18:53,083 --> 00:18:56,999
of a network you can DoS the network off the air, and even though

315
00:18:56,999 --> 00:19:01,083
the network may suspect you're doing something bad there is nothing

316
00:19:01,083 --> 00:19:03,959
they can do about it, because they have to get

317
00:19:03,959 --> 00:19:05,918
out of your way.
318
00:19:06,083 --> 00:19:10,999
So figuring out how to deal with this is tricky, and there are papers written

319
00:19:10,999 --> 00:19:14,999
on special cases of this, but no one has figured out how

320
00:19:14,999 --> 00:19:19,083
to deal with it, and I think it's going to require algorithms

321
00:19:19,083 --> 00:19:22,999
for characterizing real primary users and policy change

322
00:19:22,999 --> 00:19:27,626
on how you are able to detect them and what you can do once

323
00:19:27,626 --> 00:19:31,999
you discover they're there, because at this point once you are

324
00:19:31,999 --> 00:19:35,876
DoS'd off, it becomes a jamming problem and you can use

325
00:19:35,876 --> 00:19:40,209
spread spectrum to get around that, but it's not ideal.

326
00:19:41,250 --> 00:19:45,334
Those are not every possible attack, those are general ideas, and similarly

327
00:19:45,334 --> 00:19:48,083
these are general ideas on countermeasures for how

328
00:19:48,083 --> 00:19:51,999
to deal with these things, and not all of this has been enumerated yet,

329
00:19:51,999 --> 00:19:55,667
but there are key important ideas that we're going to have to think

330
00:19:55,667 --> 00:19:58,751
of when trying to solve these issues.

331
00:19:58,999 --> 00:20:01,959
The first is using cooperative intrusion detection.

332
00:20:02,083 --> 00:20:03,999
Traditionally we see a single intrusion detection

333
00:20:03,999 --> 00:20:06,834
system, but in the case where you've got

334
00:20:06,834 --> 00:20:09,751
a bunch of nodes that are all talking to each other,

335
00:20:09,751 --> 00:20:12,834
because they can inform each other, they should be able

336
00:20:12,834 --> 00:20:15,999
to inform each other about each other.

337
00:20:15,999 --> 00:20:17,999
So not only are they observing the spectrum in general,

338
00:20:17,999 --> 00:20:21,334
but they should be observing each other's behavior and keeping each

339
00:20:21,334 --> 00:20:23,250
other accountable.
340
00:20:23,250 --> 00:20:25,626
If they observe strange traffic they need

341
00:20:25,626 --> 00:20:29,167
to adjust their functions accordingly.

342
00:20:29,959 --> 00:20:33,000
Device reputation is another important thing.

343
00:20:33,626 --> 00:20:36,999
By keeping track of the quality of the spectrum that each individual

344
00:20:36,999 --> 00:20:40,959
node is receiving, as well as their traffic, you can build

345
00:20:40,959 --> 00:20:44,667
a trust function and you can sort of weight your decisions based

346
00:20:44,667 --> 00:20:47,417
on that, and this is not only for something malicious:

347
00:20:47,417 --> 00:20:51,542
if there is something physically wrong with a node and it starts reading

348
00:20:51,542 --> 00:20:55,250
a weird spectrum, that's another reason why you need to know, okay,

349
00:20:55,250 --> 00:20:59,792
we should factor these observations less into our decisions.

350
00:21:00,501 --> 00:21:04,999
And device location, again, is another important aspect for this,

351
00:21:04,999 --> 00:21:10,834
because physical security on nodes like this is a big deal.

352
00:21:11,083 --> 00:21:14,584
Having physical access to them, even a single node, can significantly

353
00:21:14,584 --> 00:21:19,167
affect the network and change the decisions that are being made.

354
00:21:20,125 --> 00:21:21,999
So why does this matter?

355
00:21:21,999 --> 00:21:24,709
Why should we work on these problems?

356
00:21:24,751 --> 00:21:28,918
This plot here has probably been seen by, I would guess, every major

357
00:21:28,918 --> 00:21:32,709
networking executive in the entire world, and this is showing,

358
00:21:32,709 --> 00:21:34,999
of course, the mobile data predictions

359
00:21:34,999 --> 00:21:37,999
over the next couple of years.
360
00:21:37,999 --> 00:21:41,709
Cisco is predicting insane numbers; they're saying by 2020 there

361
00:21:41,709 --> 00:21:45,083
will be 50 billion devices connected together on the network,

362
00:21:45,083 --> 00:21:47,417
right now there are 10.

363
00:21:49,083 --> 00:21:52,501
There are a lot of companies that are predicting

364
00:21:52,501 --> 00:21:56,709
and freaking out and preparing for what they think is going

365
00:21:56,709 --> 00:22:00,209
to be a really big deal, so it almost doesn't matter

366
00:22:00,209 --> 00:22:04,334
whether or not this actually happens, because it's sort

367
00:22:04,334 --> 00:22:10,083
of a self-fulfilling prophecy, so I think this is relevant either way.

368
00:22:12,584 --> 00:22:17,083
You can see the fragmentation right now, 3 kilohertz to 300 gigahertz, so this

369
00:22:17,083 --> 00:22:20,375
is the solution, chopping it up into smaller pieces,

370
00:22:20,375 --> 00:22:24,375
and we can't keep doing this, and eventually we're going to have

371
00:22:24,375 --> 00:22:27,083
to figure out how to deal with this, so this

372
00:22:27,083 --> 00:22:30,999
is another application, I think, of cognitive radio specifically,

373
00:22:30,999 --> 00:22:33,375
is cell phone towers.

374
00:22:33,375 --> 00:22:36,751
As the density increases and we see the proliferation

375
00:22:36,751 --> 00:22:41,125
of femtocells, they're getting closer and closer together, and

376
00:22:41,125 --> 00:22:44,542
if you've got one in every house you're going

377
00:22:44,542 --> 00:22:48,250
to have a problem, and manufacturers are beginning

378
00:22:48,250 --> 00:22:52,626
to add simple cognitive aspects to them where they will try

379
00:22:52,626 --> 00:22:57,834
to avoid each other, and I'm only seeing that as continuing to increase

380
00:22:57,834 --> 00:23:02,334
because it's going to let them be more efficient.
381 00:23:02,999 --> 00:23:04,918 So to sort of do experiments with this and play 382 00:23:04,918 --> 00:23:07,083 around with this we need tools. 383 00:23:07,083 --> 00:23:11,250 If you've ever done work in RF before, what comes to mind 384 00:23:11,250 --> 00:23:14,999 is the USRP, which is this neat little radio, and it's 385 00:23:14,999 --> 00:23:18,584 a little expensive, that's the downside. 386 00:23:18,584 --> 00:23:22,083 I've written some experimental cognitive engine code 387 00:23:22,083 --> 00:23:27,083 in GNU Radio and I have a link at the end to it if you want 388 00:23:27,083 --> 00:23:29,417 to play with it. 389 00:23:29,709 --> 00:23:32,999 This is good for acting like sort of the base station that 390 00:23:32,999 --> 00:23:36,792 will make decisions and command smaller nodes. 391 00:23:36,792 --> 00:23:38,792 However, if you're trying to do experiments 392 00:23:38,792 --> 00:23:41,999 with the network then you typically need multiple nodes, and maybe you 393 00:23:41,999 --> 00:23:44,584 can afford one USRP but you probably can't afford five 394 00:23:44,584 --> 00:23:45,999 of them. 395 00:23:45,999 --> 00:23:50,459 So the other end of this is the really, really cheap XBee type thing, which 396 00:23:50,459 --> 00:23:54,584 is a wireless module, you put data in one side and it comes 397 00:23:54,584 --> 00:23:58,417 out the other side, and it's cheap so you can buy a bunch, 398 00:23:58,417 --> 00:24:02,709 but they're not frequency agile and they're not customizable, 399 00:24:02,709 --> 00:24:05,999 you can't control them very well. 400 00:24:06,167 --> 00:24:08,167 So I wanted something in between. 401 00:24:09,083 --> 00:24:12,334 There wasn't really anything at the time so I built something. 
402 00:24:12,876 --> 00:24:18,459 So I built this board that I called "level" and it goes from 30 megahertz 403 00:24:18,459 --> 00:24:23,792 to 400 megahertz and it outputs minimal watts, uses a chip MI, 404 00:24:23,792 --> 00:24:27,125 and it's compatible with TI's really cool 405 00:24:27,125 --> 00:24:33,334 off-the-shelf mesh networking stack called SimpliciTI. 406 00:24:33,542 --> 00:24:37,334 It fits on the shield and they cost about $100. 407 00:24:40,542 --> 00:24:42,250 This is what it looks like. 408 00:24:42,667 --> 00:24:45,709 I will go over the topology here. 409 00:24:46,292 --> 00:24:52,375 This is the CC430, which is a microcontroller 410 00:24:52,375 --> 00:25:01,417 by Texas Instruments, it's got a core in it, a CC1101, and it's good 411 00:25:01,417 --> 00:25:09,209 for doing low power stuff, this is an Analog Devices part, this 412 00:25:09,209 --> 00:25:12,751 is a wideband VCO. 413 00:25:14,250 --> 00:25:18,999 Those are mixed together in this ADEX 10L, a passive mixer, 414 00:25:18,999 --> 00:25:24,999 and because it uses a single antenna, it has two RF switches controlled 415 00:25:24,999 --> 00:25:27,999 by GPIO on the MSP430 so you can switch 416 00:25:27,999 --> 00:25:34,125 from transmit mode, and it runs through filters and amplifiers. 417 00:25:34,125 --> 00:25:40,083 I added these two things that are optionally populated, 418 00:25:40,083 --> 00:25:46,999 these are directional couplers and these basically let you tap 419 00:25:46,999 --> 00:25:51,626 into the signal directly and this ADF4351 420 00:25:51,626 --> 00:25:57,999 without going through the mixer and filters and amplifier, 421 00:25:57,999 --> 00:26:06,792 and I thought it would be cool if you could interact with other devices. 
422 00:26:07,876 --> 00:26:12,209 Your wifi can't do stuff in 500 megahertz and I was working 423 00:26:12,209 --> 00:26:16,459 in TV white space and I wanted to play around with this, 424 00:26:16,459 --> 00:26:19,459 and I realized they have breakout boards 425 00:26:19,459 --> 00:26:22,876 for pretty much everything and it fits right 426 00:26:22,876 --> 00:26:27,542 on there, and once you've depacketized whatever you're receiving 427 00:26:27,542 --> 00:26:30,999 on the top board then you send it over serial 428 00:26:30,999 --> 00:26:36,584 to a shield which would typically do all the hard parts for you and turn it 429 00:26:36,584 --> 00:26:41,626 into 802.11 or whatever you want, so this is on a wifi shield and this 430 00:26:41,626 --> 00:26:44,584 is on an Ethernet shield. 431 00:26:46,292 --> 00:26:50,918 This board, by the way, is still what I would consider a prototype. 432 00:26:51,876 --> 00:26:55,626 I don't have a way to mass manufacture them right now; 433 00:26:55,626 --> 00:27:00,334 however, code and schematics are all on GitHub and I will link that 434 00:27:00,334 --> 00:27:04,751 at the end, and if there is enough interest we can see what we 435 00:27:04,751 --> 00:27:06,125 can do. 436 00:27:10,209 --> 00:27:14,083 The HackRF launched a few days ago, the BladeRF 437 00:27:14,083 --> 00:27:19,375 on Kickstarter earlier this year, and there is another board called 438 00:27:19,375 --> 00:27:23,751 the Myriad RF, which is a neat little board that is not 439 00:27:23,751 --> 00:27:26,999 as frequency agile as the other two boards 440 00:27:26,999 --> 00:27:32,542 but it's really neat, and so all three of these are good tools for playing 441 00:27:32,542 --> 00:27:36,792 with this, and all three of them didn't exist when I was 442 00:27:36,792 --> 00:27:42,083 designing my board, which is why I didn't use any of them. 443 00:27:43,375 --> 00:27:45,709 So what's next? 
444 00:27:47,167 --> 00:27:52,501 The spectrum crunch thing, some people will say it's imminent 445 00:27:52,501 --> 00:27:56,292 and some will say we have more time than we 446 00:27:56,292 --> 00:28:02,709 thought, there are new techniques that people are using that may buy us 447 00:28:02,709 --> 00:28:04,584 more time. 448 00:28:06,083 --> 00:28:09,292 But here is what we know. 449 00:28:09,292 --> 00:28:11,417 We know that a lot of these companies that have 450 00:28:11,417 --> 00:28:14,375 a whole lot of money are investing a lot of money 451 00:28:14,375 --> 00:28:17,083 in cognitive radio networks. 452 00:28:17,083 --> 00:28:21,501 They've been doing experiments in turning cell phone towers 453 00:28:21,501 --> 00:28:27,167 into cognitive nodes and I think that we're at a unique time because, 454 00:28:27,167 --> 00:28:31,959 like I said, these are deployed to the point where there 455 00:28:31,959 --> 00:28:36,999 are actually real networks in the field right now. 456 00:28:37,250 --> 00:28:40,751 In France with Sigfox they have at this point thousands 457 00:28:40,751 --> 00:28:44,209 of devices connected to paying customers and there are 458 00:28:44,209 --> 00:28:48,918 dozens and dozens of installations in the United States right now, 459 00:28:48,918 --> 00:28:53,918 West Virginia University just a couple of weeks ago started serving wifi 460 00:28:53,918 --> 00:28:58,542 to their dorms over TV white space, and we're at this cool time where 461 00:28:58,542 --> 00:29:01,167 the networks exist but they're not used 462 00:29:01,167 --> 00:29:04,542 by so many millions of people that it's too late 463 00:29:04,542 --> 00:29:08,083 to change fundamentally how they work. 
464 00:29:08,083 --> 00:29:12,209 So I think by attacking these problems and 465 00:29:12,209 --> 00:29:17,876 by trying to solve these, I mean nontrivial, issues, 466 00:29:17,876 --> 00:29:25,292 be it either technological or political, we can really be 467 00:29:25,292 --> 00:29:33,083 on our way toward making sort of the next generation network. 468 00:29:33,999 --> 00:29:37,417 Making sure that we are able to deal with whatever the result 469 00:29:37,417 --> 00:29:40,999 of these predictions ends up being, thank you. 470 00:29:40,999 --> 00:29:43,334 (Applause.) If you want code, or schematics or slides, 471 00:29:43,334 --> 00:29:46,083 then that's where you get it.