An Experimental Study of Secret Key Generation For Passive Wi-Fi Wearable Devices

Mohammad Hossein Chinaei, Vijay Sivaraman, Diethelm Ostry
Electrical Engineering and Telecommunications, University of New South Wales, Sydney, Australia
Emails: {m.chinaei, vijay}@unsw.edu.au, diet.ostry@csiro.au

Abstract—Passive Wi-Fi is a technology to generate 802.11b transmissions using backscatter communication, with power consumption 10000x lower than existing Wi-Fi chipsets. Since wearable devices are typically limited in resources such as power and storage, classical cryptographic security schemes are problematic for them. We instead propose to use wireless channel characteristics to secure data transfer. It has been shown that communicating wireless transceivers are able to generate shared secret keys by measuring channel characteristics at a single frequency. These methods are not applicable to passive Wi-Fi, which uses two different frequencies. In this paper, we describe a method to generate a shared secret key based on wireless channel characteristics in the passive Wi-Fi scenario where the two parties are using dual frequencies.

I. INTRODUCTION

A backscatter or passive communication system is defined as a system in which a transceiver (termed the reader) sends out an incident signal to the passive device ("the tag") and receives a modified version reflected back by the tag. In this scenario the tag is a resource-constrained node without the usual active RF transmitter architecture for data transmission. Instead, it imposes data modulation on the RF field it reflects from transmissions by the reader. This revolutionary method, called passive Wi-Fi, was recently proposed in [1], which implements a passive communication network capable of Wi-Fi transmission.
The passive Wi-Fi tag utilises backscatter communication rather than the power-consuming RF transmitter function, and is potentially able to reach an 11 Mbps data bit rate while consuming 10000 times lower power than current active Wi-Fi devices.

Wearable devices are required to be small and light, and therefore can be severely constrained in computation capability, memory, communication, and battery resources. The need for ultra-low power consumption, small size and compatibility with current Wi-Fi devices makes passive Wi-Fi a very attractive and practical option for body-worn sensor networks. However, these wearable IoT devices may be transmitting critical personal and medical information. One of the most important challenges for these devices is to find feasible low-power security schemes to protect them against attack.

Classical cryptographic schemes for establishing a secret key between the two ends consume significant computational resources, making them generally unsuitable for ultra-low power tags. Shared key generation based on channel characteristics is, however, a promising scheme and has been well studied in the literature. Previous work (e.g. our previous paper [2]) shows that this approach has high potential in sensor networks where nodes have severely limited computational and power resources. The information-theoretic aspects of key bit generation based on symmetric channel properties are studied in [3], [4]. The authors show that it is possible to extract identical information from the wireless channel at each end of the link, that this information is unique to the legitimate parties, and that it can be used to generate a secret key. The eavesdropper, however, cannot learn any information about the shared key by listening to the channel.

In this paper we introduce a new scheme to generate a shared secret key in a passive Wi-Fi scenario and use software-defined radios to demonstrate the approach.
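
The single-frequency baseline referred to above can be illustrated with a short simulation; this is an added example, not code from the paper, and it is not the dual-frequency scheme the paper proposes. The guard-band quantizer, the Gaussian fading model, the noise level and the eavesdropper's independently fading channel are assumptions, and all samples are constructed.

```python
import random
import statistics

def quantize(samples, alpha=0.5):
    """Guard-band quantizer: 1 above mean+alpha*std, 0 below mean-alpha*std,
    None (sample dropped) inside the guard band."""
    mu = statistics.fmean(samples)
    sd = statistics.pstdev(samples)
    hi, lo = mu + alpha * sd, mu - alpha * sd
    return [1 if s > hi else 0 if s < lo else None for s in samples]

def simulate(n=2000, noise=0.05, seed=1):
    rng = random.Random(seed)
    # Constructed data: one fading value per probe, seen by both ends
    # because a single-frequency channel is reciprocal.
    channel = [rng.gauss(0.0, 1.0) for _ in range(n)]
    alice = [h + rng.gauss(0.0, noise) for h in channel]
    bob = [h + rng.gauss(0.0, noise) for h in channel]
    # Assumption: the eavesdropper is far enough away that her channel
    # fades independently of the legitimate one.
    eve = [rng.gauss(0.0, 1.0) + rng.gauss(0.0, noise) for _ in range(n)]

    qa, qb = quantize(alice), quantize(bob)
    # Each side announces which probe indices it kept (indices only, never
    # bit values); only indices kept at both ends contribute key bits.
    kept = [i for i in range(n) if qa[i] is not None and qb[i] is not None]
    key_a = [qa[i] for i in kept]
    key_b = [qb[i] for i in kept]
    # Eve hears the kept indices and guesses each bit from her own samples.
    eve_mu = statistics.fmean(eve)
    guess = [1 if eve[i] > eve_mu else 0 for i in kept]
    return key_a, key_b, guess

def agreement(x, y):
    """Fraction of positions at which two bit strings match."""
    return sum(a == b for a, b in zip(x, y)) / len(x)

if __name__ == "__main__":
    key_a, key_b, guess = simulate()
    print("key bits:", len(key_a))
    print("Alice/Bob agreement:", agreement(key_a, key_b))
    print("Eve/Alice agreement:", round(agreement(key_a, guess), 3))
```

The guard band is what absorbs measurement noise: a sample must move across the whole band to flip a bit, so the two legitimate keys match while the eavesdropper's guesses stay near chance.
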
Unlike the conventional secret key generation methods, which measure channel characteristics at a single frequency, our proposed method uses channel measurements at the two different frequencies used in the passive Wi-Fi scenario and utilises them to generate a secret key shared by both legitimate parties. We have implemented our technique on Universal Software Radio Peripheral (USRP) platforms to assess the scheme experimentally.

II. SECRET KEY GENERATION TECHNIQUE

As in [5], the system model consists of a reader and a passive tag. The reader uses the Bluetooth protocol to generate a single-tone continuous wave (CW) at a certain frequency lying outside the desired Wi-Fi channel and radiates it toward the tag. The tag itself performs Wi-Fi modulation to generate a packet at baseband. The tag modulates the reflection cross-section of its antenna with this packet. The received out-of-band CW signal is thus shifted in frequency, modulated, and re-radiated in the desired Wi-Fi channel. The backscattered packet is a standard Wi-Fi packet in a standard Wi-Fi channel, and is fully compatible with commercial Wi-Fi devices. Since the reader utilises Bluetooth technology to transmit the CW signal and Wi-Fi to receive the backscattered packets, the method has been called inter-technology backscatter [5].

In the basic system, information is sent in plaintext from tag to reader. Confidentiality, integrity and authenticity of the message are not provided, and the message could be compromised by any malicious entity in the vicinity of the tag and reader. For new sensor technology to succeed in real-world scenarios such as wearable sensor networks and IoT devices, it must be supported by sufficiently powerful security features to protect against plausible attacks. To avoid high computational power consumption and a trusted third party to set a pair of keys between legitimate