Pilot-Attacks Can Enable Positive-Rate Covert Communications of Wireless Hardware Trojans

Serhat Bakirtas, Matthieu R. Bloch, Elza Erkip

TL;DR

This work analyzes a wireless covert-communication threat where a hardware Trojan embedded in a transmitter scales the pilot symbols to corrupt the legitimate receiver’s channel estimate. By exploiting the resulting estimation error, the Trojan can covertly communicate with a rogue receiver at a positive rate, operating in the linear regime as long as a nonzero detection budget exists, while preserving the legitimate Alice–Willie communication. The key contributions show that with $\delta_1>0$ the Trojan achieves a positive covert rate $R_T$ (subject to certain $\epsilon$ and $\Lambda_T$ constraints), and Willie's detection becomes a radiometer with a calculable threshold. In the zero-budget case ($\delta_1=0$), the Trojan cannot avoid the square-root law and must transmit at $R_T=O(n^{-1/2})$, highlighting the critical role of the channel-estimation phase in defending against hardware-Trojan threats in wireless systems.

Abstract

Hardware Trojans can inflict harm on wireless networks by exploiting the link margins inherent in communication systems. We investigate a setting in which, alongside a legitimate communication link, a hardware Trojan embedded in the legitimate transmitter attempts to establish communication with its intended rogue receiver. To illustrate the susceptibility of wireless networks to pilot attacks, we examine a two-phased scenario. In the channel estimation phase, the Trojan carries out a covert pilot scaling attack to corrupt the channel estimation of the legitimate receiver. Subsequently, in the communication phase, the Trojan exploits the ensuing imperfect channel estimation to covertly communicate with its receiver. By analyzing the corresponding hypothesis tests conducted by the legitimate receiver in both phases, we establish that the pilot scaling attack allows the Trojan to operate in the so-called "linear regime", i.e., covertly and reliably transmitting at a positive rate to the rogue receiver. Our results highlight the vulnerability of the channel estimation process in wireless communication systems to hardware Trojans.

Paper Structure (15 sections, 7 theorems, 82 equations, 2 figures)

This paper contains 15 sections, 7 theorems, 82 equations, 2 figures.

Key Result

Theorem 1

(Achievable Covert Rate when $\delta_1>0$) Consider a detection budget $(\delta_1,\delta_2)$ with $\delta_1\in(0,1)$ and $\delta_2\in(0,1)$, and Alice's transmit power and rate pair as $(\Lambda_A,R_A)$. Assume Tom's scaling parameter $\epsilon$ and transmit power $\Lambda_T$ satisfy where Then, Tom can communicate with Eve covertly at any rate $R_T$ satisfying Additionally, if then, Tom's rate

Figures (2)

  • Figure 1: Legitimate transmitter, Alice, communicates with her intended (legitimate) receiver, Willie. Simultaneously, hardware Trojan, Tom, embedded in Alice, also communicates with his intended rogue receiver, Eve. Willie's objective is to decode Alice's signal $\bm{x}_A$ and detect the existence of any rogue signal $\bm{x}_T$.
  • Figure 2: A heatmap demonstrating the relationship between Tom's pilot scaling parameter $\epsilon$, his transmit power $\Lambda_T$, and the achievable covert rate $R_T$ given in Theorem \ref{thm: main result 1}, where colors indicate the values of $R_T$ across the range of $\epsilon$ and $\Lambda_T$ when Eve can perform interference cancellation (see Eq. \ref{eq: main result condition 4}). Here, $\alpha_W^2=\alpha_E^2=0.1$, $|h_W|^2=|h_E|^2=1$, $\sigma_W^2=\sigma_E^2=0.1$, $\delta_1=1/\sqrt{10}$, and $\Lambda_A = 20$, where Alice transmits at $80\%$ ($\approx 3.5$ bpcu) of her capacity ($\approx 4.4$ bpcu) to Willie (see Eq. \ref{eq: alice's rate}).

Theorems & Definitions (13)

  • Definition 1
  • Theorem 1
  • Theorem 2
  • Lemma 1
  • proof
  • Proposition 1
  • proof
  • Lemma 2
  • proof
  • Lemma 3
  • ...and 3 more