Realizing an 802.11-based covert timing channel using off-the-shelf wireless cards

By using covert channels, a malicious entity can hide messages within regular traffic and can thereby circumvent security mechanisms. This same method of obfuscation can be used by legitimate users to transmit messages over hostile networks. A promising area for covert channels is wireless networks employing carrier sense multiple access with collision avoidance (CSMA/CA) (e.g., 802.11 networks). These schemes introduce randomness in the network that provides good cover for a covert timing channel. Hence, by exploiting the random back-off in distributed coordination function (DCF) of 802.11, we realize a relatively high bandwidth covert timing channel for 802.11 networks, called Covert-DCF. As opposed to many works in the literature focusing on theory and simulations, Covert-DCF is the first fully implemented covert timing channel for 802.11 MAC using off-the-self wireless cards. In this paper, we introduce the design and implementation of Covert-DCF that is transparent to the users of the shared medium. We also evaluate the performance of Covert-DCF and provide discussions on the feasibility of this technique in a real world scenario.