Practical Covert Channels for WiFi Systems

Wireless covert channels promise to exfiltrate information with high bandwidth by circumventing traditional access control mechanisms. Ideally, they are only accessible by the intended recipient and---for regular system users/operators---indistinguishable from normal operation. While a number of theoretical and simulation studies exist in literature, the practical aspects of WiFi covert channels are not well understood. Yet, it is particularly the practical design and implementation aspect of wireless systems that provides attackers with the latitude to establish covert channels: the ability to operate under adverse conditions and to tolerate a high amount of signal variations. Moreover, covert physical receivers do not have to be addressed within wireless frames, but can simply eavesdrop on the transmission. In this work, we analyze the possibilities to establish covert channels in WiFi systems with emphasis on exploiting physical layer characteristics. We discuss design alternatives for selected covert channel approaches and study their feasibility in practice. By means of an extensive performance analysis, we compare the covert channel bandwidth. We further evaluate the possibility of revealing the introduced covert channels based on different detection capabilities.