Karim Eldefrawy

Cryptography, Cybersecurity, Privacy

Co-founder and CTO at Confidencial.io
2017-2021: SRI
2011-2016: HRL Laboratories
2006-2010: PhD@UC Irvine

Scientific curiosity

Scientific knowledge map · Paper #12

Attacks on Physical-Layer Identification

Boris Danev, Heinrich Luecken, Srdjan Čapkun, and Karim Eldefrawy

2010 · ACM Conference on Wireless Network Security (WiSec)

  • Applied

What does the paper try to establish?

Can an attacker impersonate an enrolled wireless device by reproducing either the selected radio-frequency features used by a fingerprinter or the target's complete captured waveform?

What is the proposed answer?

In the evaluated laboratory settings, feature manipulation and radio-frequency replay make modulation-based fingerprints highly forgeable, while transient fingerprints can be replayed accurately over a cable but are harder to capture and reproduce over the air because antenna and channel effects alter the signal.

Abstract

Physical-layer identification of wireless devices, commonly referred to as Radio Frequency (RF) fingerprinting, is the process of identifying a device based on transmission imperfections exhibited by its radio transceiver. It can be used to improve access control in wireless networks, prevent device cloning and complement message authentication protocols. This paper studies the feasibility of performing impersonation attacks on the modulation-based and transient-based fingerprinting techniques. Both techniques are vulnerable to impersonation attacks; however, transient-based techniques are more difficult to reproduce due to the effects of the wireless channel and antenna in their recording process. We assess the feasibility of performing impersonation attacks by extensive measurements as well as simulations using collected data from wireless devices. We discuss the implications of our findings and how they affect current device identification techniques and related applications.

Provenance: Transcribed from the checked-in full-text PDF; only typography, discretionary hyphenation, and line-break artifacts were normalized.

Six dimensions, kept separate

The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.

The visual spider chart requires JavaScript. The complete values and rationales follow in text.

LowMediumHighN/A = not assessed

A smaller value means less documented support for that dimension, not that the paper is false or unimportant.

Epistemic evidence Medium

The paper implements two attack classes and reports controlled measurements with documented equipment, samples, metrics, and classifiers. The device sample and deployment conditions are narrow, raw data and code were not located, and no independent reproduction was audited.

Modulation-feature replay design and implementation Whole-signal replay and measurement setup Modulation-fingerprint attack results Transient-fingerprint replay results
Auditability High

A complete author/institutional copy is checked into the site with source route, page count, and SHA-256 identity. Experimental design and reported results are inspectable, although raw measurements and scripts are unavailable.

Institutional metadata and preserved full text Modulation-fingerprint attack results
Production provenance Medium

Named authorship, institutional preservation, and the publication record provide baseline provenance. Contributor roles, data lineage, laboratory logs, and revision history are not documented in the map.

Problem, attack classes, and contribution Institutional metadata and preserved full text Official peer-reviewed publication record
External scrutiny Medium

Publication at ACM WiSec provides venue scrutiny and later citations show continued attention, but this audit did not locate review reports, corrections, or an independent reproduction of the experiments.

Official peer-reviewed publication record Citation-count snapshot
Reception High

ResearchGate displayed 250 citations on 2026-07-11, which exceeds the rubric's 11-citation high threshold. The count is index-specific and citation polarity or use was not audited.

Citation-count snapshot
Contribution significance High

The work supplies an early concrete demonstration that physical-layer fingerprints can be adversarially replayed and has a large citation trail, while still carefully bounding its claims to tested techniques and equipment.

Problem, attack classes, and contribution Application implications, limitations, and open defenses Citation-count snapshot

Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.

Hierarchical knowledge map

Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.

paper

Attacks on physical-layer identification

An experimental security study showing that radio fingerprints treated as device identities can be imitated with feature-level or whole-waveform replay.

Problem, attack classes, and contribution
  1. contribution

    Central answer

    experimentally supported

    The tested modulation features are reproducible with high success, and even transient signals are replayable under controlled acquisition; channel-dependent capture makes the over-air transient attack more demanding, not categorically impossible.

    Modulation-fingerprint attack results Transient-fingerprint replay results
  2. scope System and adversary model explicitly scoped

    A fingerprinter stores reference fingerprints for enrolled devices and returns only accept or reject; the attacker's objective is to transmit frames classified as a target.

    Identification system and attacker knowledge
  3. method Attack implementation implemented

    The study manipulates three modulation features on software-defined radios and separately captures and retransmits complete RF frames with laboratory instrumentation.

    Modulation-feature replay design and implementation Whole-signal replay and measurement setup
  4. empirical evidence

    Modulation-fingerprint results

    measured

    With 80 frames per device, four-fold cross-validation, and threshold plus classifier tests, replaying frequency, I/Q-origin, and phase features achieved near-target distributions; reported 5-NN and SVM classification reached 100% in the tested cases.

    Modulation-fingerprint attack results
  5. empirical evidence

    Whole-signal replay results

    measured

    For modulation fingerprints, RF-replayed frames become nearly indistinguishable from genuine frames under the chosen similarity measure.

    Modulation-fingerprint attack results
  6. empirical evidence

    Transient-fingerprint boundary

    measured with boundary

    Transient waveforms from three Tmote Sky devices were reproduced accurately over a cable; attempts from a changed over-air location failed because the channel and antennas altered the captured signal.

    Transient-fingerprint replay results
  7. limitation group

    Limitations and transfer boundary

    explicitly reported

    The device sample is small, equipment is specialized, and outcomes depend on feature choice, classifier, threshold, antenna, channel, and attacker placement; transfer to commodity Wi-Fi hardware was left for future work.

    Application implications, limitations, and open defenses

Source index

Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.

  1. Problem, attack classes, and contribution Abstract and Section 1, PDF page 1
  2. Identification system and attacker knowledge Section 2, PDF pages 2-3
  3. Modulation-feature replay design and implementation Section 3, PDF pages 3-5
  4. Whole-signal replay and measurement setup Section 4, PDF page 5
  5. Modulation-fingerprint attack results Section 5.1 and Tables 1-4, PDF pages 6 and 8
  6. Transient-fingerprint replay results Section 5.2, PDF page 7
  7. Application implications, limitations, and open defenses Sections 6 and 8, PDF pages 8-9
  8. Official peer-reviewed publication record ACM WiSec 2010, DOI record
  9. Institutional metadata and preserved full text ETH Research Collection, handle 20.500.11850/20502
  10. Citation-count snapshot ResearchGate displayed Citations (250), observed 2026-07-11; coverage and version merging may differ from other indexes.