When examining the eavesdropping vulnerability of massive MIMO systems, Rayleigh fading channels are usually assumed. While Rayleigh fading channels represent the extreme multi-path scenario, real-world channels depend on fewer paths between the transmitter and the receiver. As a result, analysis based on Rayleigh fading channels does not reveal the potential eavesdropping vulnerabilities in the real world. Indeed, we observed a performance gap between the Rayleigh fading model prediction and the measured channels in our earlier results. To better understand the eavesdropping in real-world massive MIMO systems, analysis based on major paths is required. The key activity over the past year was to study the massive MIMO eavesdropping scenario considering the paths from the BS to the intended user and the eavesdropper both analytically and experimentally.
This project targeted to study the potential passive eavesdropping vulnerabilities of massive MIMO systems in the line-of-sight (LoS) scenario. Specifically, we examine how the BS array geometry and Bob and Eve geometry affect eavesdropping resilience.
We consider a downlink scenario in which the BS (Alice) transmits to a user (Bob) with a rectangular array with nR rows and nC columns. Specifically, we consider Bob has a direct LoS path from the BS. In addition, an eavesdropper (Eve), whose goal is to intercept the Alice-Bob link, also has a direct LoS path from the BS. Given the array geometry (number of rows and columns, antenna spacing) and Bob and Eve geometry (Bob and Eve’s azimuth elevation angles), the LoS channel from the BS to Bob and to Eve can be determined.
In the extreme case in which Bob and Eve share the same path (the same angle-of-departure from Alice) in a strong LoS environment, Bob’s channel and Eve’s channel is highly correlated, resulting a huge eavesdropping advantage for Eve. Indeed, prior works have shown that Bob’s channel and Eve’s channel remain correlated when they share a same path, and the average secrecy capacity does not increase with BS antenna size when Bob and Eve locate at the same angle.
While prior works demonstrated Eve’s advantage when she shares the same paths with Bob, we consider a more general strategy set that Eve only shares the elevation angle or azimuth angle with Bob. Since 2D antenna array at the BS enhances link directionality in azimuth and elevation angles respectively, we hypothesized that Eve could also benefit from sharing only azimuth or elevation angle, not only when she shares the exact same path with Bob. If such vulnerability can be demonstrated, it reveals an escalating eavesdropping threat in the massive MIMO system as Eve can purposely position herself in a much larger predictable location set than constraining herself to the exact same angle as Bob as prior works suggested.
Our goal is to investigate whether sharing only the elevation angle or azimuth angle is a beneficial strategy for Eve in the LoS scenario. Also, we study the subsequent questions such as how the effectiveness of this relaxed location strategy compared to the stricter exact angle sharing strategy, and how the threat scales with the strength of the LoS path.
To study the potential eavesdropping vulnerability when Bob and Eve share the elevation angle or azimuth angle in the LoS scenario, we employ a mixed approach of mathematical formulation, numerical analysis, and experimental study.
First, we formulate the LoS eavesdropping scenario mathematically and examine how the channel correlation changes as BS antenna array increases number of columns or rows. Our first key finding is that when Eve shares the same elevation angle with Bob, the LoS channel correlation between Bob and Eve remains fixed despite increasing rows of antennas. In a strong LoS scenario, the LoS channel correlation largely represents the actual channel correlation, suggesting that Eve’s SNR grows with Bob’s SNR when they share the same elevation angle. The intuitive reason of this weakness is that when more rows of antennas are added to the BS, although the beam directionality increases in the elevation angle, the directionality is predictable in the LoS scenario so that Eve also receives a boost in signal strength by simply position herself at the same elevation angle as Bob. In comparison, for the well-studied Rayleigh fading channels (no LoS scenario), the channel correlation between Bob and Eve decreases with increasing BS array size, implying Eve enjoys less beamforming gain as BS employs a larger antenna array.
While we demonstrate Eve’s advantage when sharing only the elevation angle in the LoS scenario, this advantage, however, is not at the same level as the advantage Eve would get if she shares the exactly same LoS angle as Bob. In prior work, the average secrecy capacity does not increase with BS antenna size when Bob and Eve locate at the same angle. In contrast, when Bob and Eve share the same elevation angle, the secrecy capacity still scales with the BS antenna size, only slower due to the persistent channel correlation.
Next, with the same mathematical formulation, we find that sharing azimuth angle does not result in the same eavesdropping benefit for Eve as sharing the elevation angle. Specifically, the LoS channel correlation between Bob and Eve does not remain fixed for Bob and Eve at the same azimuth angle as the BS increases more columns of antennas, implying that Eve does not have a predictable gain by staying at the same azimuth angle as Bob. While sharing the elevation angle and sharing the azimuth angle seem to be similar at the first sight, they actually represent different eavesdropping strategies. We can easily see the difference of the two strategies when visualize a specific azimuth angle or elevation angle. The locations with the same elevation angle form a cone shape, whereas the locations with the same azimuth angle form a plane. Once we realize that sharing the azimuth angle is a strategy different from sharing the elevation angle, it is not surprising that sharing the azimuth angle does not result in the same eavesdropping advantage when sharing the elevation angle.
To further study the eavesdropping advantage in the LoS scenario due to the elevation angle sharing strategy, we simulate the massive MIMO LoS eavesdropping with Rician fading channels, which capture a LoS path along with other scattered paths. Specifically, Monte Carlo simulation is used to explore Bob SNR and Eve SNR ranges for various Bob-Eve pairs at the same elevation angle. From the simulation, we find that given the total BS transmit power is fixed, Eve’s SNR decreases with more columns of antennas, but increases when the BS adds more rows of antennas, as predicted by the mathematical model. When the BS adds more rows of antennas, the directionality of the beam increases in the azimuth domain. As a result, for Eve sharing only the elevation angle, her SNR is suppressed with increasing directionality in the azimuth domain. In contrast, sharing the elevation angle allows Eve to enjoy the beamforming gain in the elevation domain as the BS increases more rows of antennas.
We also validate the elevation angle sharing threat using over-the-air channel measurements. Specifically, the channels between a BS with a rectangular antenna array of 96 elements and 8 users at the same elevation angle were measured in both indoor LoS and outdoor LoS scenario. The BS antenna array has 8 elements in a row with total 12 rows. From the measured channel, we find that Eve’s SNR increases as the BS adds new rows of antennas. Furthermore, the Eve SNR growth becomes faster in the outdoor LoS scenario in which a stronger LoS is present, validating our earlier analysis.
In this project, we demonstrate an eavesdropping strategy in the LoS scenario unknown before. The elevation angle sharing strategy is a rather flexible requirement for the eavesdropper, and yet has shown to be effective in a LoS scenario. Due to the low requirement of the strategy, the threat is hard to detect or prevent. While limiting the row size of the antenna array at the BS can be a solution, it sacrifices the spatial resolution in the elevation domain at the same time. As a result, LoS, or more generally path sharing, adds to the imperfections in the practical world, resulting in eavesdropping vulnerabilities that cannot be ignored.
Publication:
C.-Yi Yeh, Y. Ghasempour, D. Mittleman, and E. Knightly, “Security in Terahertz WLANs with Leaky Wave Antennas,” in Proceedings of ACM WiSec 2020, July 2020.