Modern society relies upon the safe and secure operation of wireless communication links in several computing systems, from personal devices to public infrastructure. These wireless access links utilize Bluetooth and WiFi radios, and enable users to remotely access and monitor computing systems, conveniently and at a safe distance. For instance, equipment on the grid can be remotely accessed, and COVID exposure information can be obtained at a safe distance using wireless links.
Unfortunately, these wireless access links have also made our computing systems less secure — attackers can gain unauthorized access, or remotely track these systems through these legitimate wireless links. Furthermore, attackers even implant their own illicit wireless links to gain access to personal equipment and critical infrastructure alike, e.g., payment card skimmers at gas stations.
In order to secure these wireless access links, we need to understand whether attackers are gaining unauthorized access by hiding illicit links, and whether attackers are performing targeted attacks on popular wireless access links. Wireless-scanning-based auditing is a potential way to develop insights into the above security and privacy problems. However, there are several challenges to utilizing wireless scan information for this auditing, which call into question the feasibility of wireless scanning as a security approach. In particular, wireless scans provide limited information and the wireless access links are extremely diverse, making targeted auditing of a particular wireless link a needle-in-a-haystack problem. Furthermore, these links are spread across large metropolitan areas, which requires wardriving-based wireless scanning, but existing scanning tools are extremely slow to discover all devices, making it difficult to reliably scan for all wireless access links at their real-world locations.
In this dissertation, I perform several large-scale field measurement studies of real-world wireless access links, by performing wireless-scanning-based auditing across entire metropolitan areas. I study actual security and privacy scenarios to demonstrate the feasibility of wireless-scanning-based targeted auditing as a tool to defend against attacks on wireless access links. I also analyze the practical challenges and limitations of performing such targeted auditing, from the perspectives of both attackers and defenders. In summary, I defend the following thesis statement: To defend wireless access links spread across urban areas, it is feasible to: 1) use link layer scan information to identify illicit wireless links, 2) use physical layer information in wireless signals to attack a target wireless device, and 3) scan reliably for all wireless access links when wardriving using low-cost commodity hardware.