Attacking and Defending Deep-Learning-Based Off-Device Wireless Positioning Systems

TL;DR

This work analyzes privacy and security risks of off-device CSI-based deep-learning positioning, showing that attackers can degrade localization accuracy by perturbing transmitted signals while maintaining standard-compliant operation and QoS. It introduces transmit-side perturbations and on-device adversarial attacks (white-box, transfer, pool, random) and evaluates defenses via adversarial training on real outdoor 5G Rel15 and indoor IEEE 802.11ac datasets. The results reveal substantial increases in localization error under attacks, with a nuanced trade-off between robustness and nominal accuracy, and they demonstrate that adversarial training can bolster resilience at the cost of some unperturbed performance. The findings highlight intrinsic privacy challenges in CSI-based localization and underscore the need for privacy-preserving mechanisms in future dense and mmWave wireless systems.

Abstract

Localization services for wireless devices play an increasingly important role in our daily lives and a plethora of emerging services and applications already rely on precise position information. Widely used on-device positioning methods, such as the global positioning system, enable accurate outdoor positioning and provide the users with full control over what services and applications are allowed to access their location information. In order to provide accurate positioning indoors or in cluttered urban scenarios without line-of-sight satellite connectivity, powerful off-device positioning systems, which process channel state information (CSI) measured at the infrastructure base stations or access points with deep neural networks, have emerged recently. Such off-device wireless positioning systems inherently link a user's data transmission with its localization, since accurate CSI measurements are necessary for reliable wireless communication -- this not only prevents the users from controlling who can access this information but also enables virtually everyone in the device's range to estimate its location, resulting in serious privacy and security concerns. We therefore propose on-device attacks against off-device wireless positioning systems in multi-antenna orthogonal frequency-division multiplexing systems while remaining standard compliant and minimizing the impact on quality-of-service, and we demonstrate their efficacy using real-world measured datasets for cellular outdoor and wireless LAN indoor scenarios. We also investigate defenses to counter such attack mechanisms, and we discuss the limitations and implications on protecting location privacy in existing and future wireless communication systems.

Figures (9)

• Figure 1: OFDM communication system. A wireless transmitter (left) generates symbols $\mathbf{s}\xspace$ in the frequency domain that are converted to the time domain followed by prepending a cyclic prefix (CP). The signal is then transmitted over the wireless channel. After removing the CP and conversion into the frequency-domain, the receiver (right) generates an estimate $\hat{\mathbf{h}\xspace}$ of the wireless channel, which is used for data detection as well as wireless positioning. Our attack pre-convolves the time-domain signal with a perturbation sequence $\bar{\mathbf{p}\xspace}$ that is kept constant for the duration of the entire OFDM packet.
• Figure 2: Neural network architecture for the outdoor 5G cellular scenario. The input is a CSI feature $\mathbf{f}\xspace$ and the output is a $30\times 30$ probability map $\mathbf{m}\xspace$.
• Figure 3: Real locations, estimated locations without perturbations, as well as white-box and randomly perturbed locations with $L_p=16$ for the test-set of the outdoor 5G cellular dataset. The x and y axes are in meters and show the relative position to the BS which is located at $(x,y)=(0,0)$. The color gradients help to visualize the position perturbation.
• Figure 4: Outdoor 5G cellular dataset with Feature 1: mean distance error (left) and median distance error (right) on the test-set for different adversarial attacks and with varying perturbation length $L_p$.
• Figure 5: Comparison of the test-set mean and median distance errors after performing the white-box attack on a model trained with the 5G cellular dataset on both feature functions $\mathsf{F_1}$ and $\mathsf{F}_2$ with and without adversarial training (AT).