OFDM-based JCAS under Attack: The Dual Threat of Spoofing and Jamming in WLAN Sensing

Hasan Can Yildirim, Musa Furkan Keskin, Henk Wymeersch, Francois Horlin

TL;DR

The paper analyzes vulnerabilities in OFDM-based WLAN sensing within joint communication and sensing (JCAS), exposing dual threats: target spoofing and deceptive jamming. It develops a mathematical framework that leverages known OFDM symbols, time-frequency synchronization, and channel estimation to manipulate the surveillance range-Doppler map (RDM) through artificial targets and inter-carrier interference (ICI) via forced synchronization and carrier frequency offset (CFO). Numerical and experimental results (using software-defined radio (SDR) platforms) demonstrate the feasibility of sophisticated attacks, including overcrowding, selective target injection, and covert preceding/forced synchronization, and identify critical thresholds in jammer power and CFO differences for effective disruption. The work highlights the need for secure WLAN sensing designs, robust synchronization, and adaptive defenses to mitigate these perceptual attacks in OFDM-based JCAS systems, with practical implications for indoor localization and transportation security.

Abstract

This study reveals the vulnerabilities of Wireless Local Area Networks (WLAN) sensing, under the scope of joint communication and sensing (JCAS), focusing on target spoofing and deceptive jamming techniques. We use orthogonal frequency-division multiplexing (OFDM) to explore how adversaries can exploit WLAN's sensing capabilities to inject false targets and disrupt normal operations. Unlike traditional methods that require sophisticated digital radio-frequency memory hardware, we demonstrate that much simpler software-defined radios can effectively serve as deceptive jammers in WLAN settings. Through comprehensive modeling and practical experiments, we show how deceptive jammers can manipulate the range-Doppler map (RDM) by altering signal integrity, thereby posing significant security threats to OFDM-based JCAS systems. Our findings comprehensively evaluate jammer impact on RDMs and propose several jamming strategies that vary in complexity and detectability.

Paper Structure (52 sections, 22 equations, 15 figures, 5 tables)


Figures (15)

  • Figure 1: Jammer scenario topology with relevant line-of-sight (LOS) distances $d_{ab}$, $d_{ea}$, and $d_{eb}$, and LOS angles $\theta_0^{(a)}$, $\theta_0^{b}$, and $\theta_0$. Alice operates as a pulsed radar by continuously transmitting the same OFDM symbol of duration $T_o$, with a PRI of $T_s\gg T_o$.
  • Figure 2: During a sensing measurement instance, Alice transmits an NDPA and an NDP, separated by SIFS seconds. Only the last field of the NDP, VHT-LTF, is used in channel estimation for sensing.
  • Figure 3: Different signal alignment cases during jamming. Green and red boxes correspond to Alice and Eve signals, respectively, while $\Delta_\tau$ and $T_o$ are the delay spread and OFDM symbol duration, respectively.
  • Figure 4: Different jamming strategies to achieve Eve's goals.
  • Figure 5: Six RDMs are provided. The first column shows the surveillance and artificial RDMs in isolation. The second column corresponds to jammed RDMs with A1 and A2 strategies. The third column corresponds to the methods in zhang21b, adapted and implemented for sensing. As a comparison, surveillance RDM and artificial RDM correspond to case 3 and case 1 types of time alignments, respectively.
  • ...and 10 more figures