Injecting Reliable Radio Frequency Fingerprints Using Metasurface for The Internet of Things

The cost constraints on the manufacturing process of IoT transmitters have made the intrinsic variations caused by the components in it, unavoidable. In a typical Direct Conversion transmitter [9], which is commonly used in IoT transmitters, RFFs are produced by most of its functional components.

The digital to analog converters are often affected by integral non-linearity (INL). These nonlinear effects have been used as fingerprints [10]. Several variations can arise from the use of different signal processing techniques [11] in the transmitting hardware. These cannot be eliminated from the manufacturing process as they depend upon variable tolerances of the different device components. In the mixer part, the in-phase and the quadrature components are required to be at a specific phase angle apart (e.g., 90°). This imbalance between the in-phase and quadrature components have also been leveraged for RF fingerprinting [12]. The nonlinear characteristics of a PA often vary widely according to its average output [13], as the heat dissipation would alter the chip temperature and hence there would be device dependent signatures [14] present in the electromagnetic waves emitted by the transmitter. The RF front end that is the drive circuit along with the antenna and its effects on polarization and voltage has also been studied for RFFs [15]. Clock Jitter is another RFF [16], which remains fairly consistent over time, but the clock skews vary significantly across devices. Apart from these, observations have been made on turn-on and turn-off transient of the communication device. The energy envelope of the instantaneous transient signal has been researched as RFFs [16].

These RFFs have known vulnerabilities to two main types of replay attacks [17], the signal replay attack (receive and replay without modification), and feature replay attack (receive, analyze, generate and transmit). When the RF-fingerprinting features, modulation based RFF, and transient-based RFF were tested with feature replay attacks, it was found that modulation based RFFs can be feature replayed with almost 100 percent accuracy. This happens because of the simplicity of the modulation based features. Transient-based features have proven to be more effective. However, commercial wireless devices cannot capture the transient-based features as they do not have the required dynamic operating frequency range (They are generally processed from high frequencies).

This method uses intrinsic defect based properties to generate true random and unique numbers and apply these as a replacement for cryptographic codes. The most popular solution that came using this principle, applies physically unclonable functions (PUFs). PUF maps input challenges to output responses based on a function determined by inherent variations of that circuit. These responses are used in place of digital signature and are included in the communication packet transmitted by IoT devices for securing the communication between them [18]. The PUF based solutions are not really physical layer fingerprinting as they are digitally transmitting the signature with the sent packet and they are prone to machine learning based attacks [19].

RFFs are either too feeble to survive the wireless channel, or the variations are too simple or obvious and can be easily attacked. There exists a trade-off between reliability and security [20], mainly due to the wireless channel. A high spoofing resistance means that the system has a low noise resistance. Conversely, if an RFF is designed to detect even the most feeble variations, its reliability takes a hit, as the channel variations make the legitimate devices unrecognizable.

Typical experimental validations of RF-fingerprinting use either high-end measurement device (like software-defined radio [5]) or network analyzer) or use a line-of-sight (LOS) channel with high SNR [11]. When low-cost off-shelf devices are used (transmitter and receiver) in a noisy multipath channel, the distinguishability of the authenticating devices is greatly reduced [21]. This leads to the reduction of the user capacity of the RFFs.

Limited distinguishability and adverse effect of the channel leads to the usage of complicated data processing [22] or large time series data [21], including complex feature extraction mechanism for mining the RFFs. Noise and multipath components in the real world channel also adds to the complexity of RFF mining. Recently, an attempt to minimize the channel effects was proposed with the use of tunable FIR filter at the transmitter [5]. This FIR tuning required computation of the filter taps at the server, which are then downlinked back to the transmitter to improve the RFF accuracy. Although this improved the reliability, it increased the hardware and power cost of using a continuously tunable FIR filter in the hardware and a 3 step authentication procedure having security flaws.

Let us consider the mathematical model of an RF-Fingerprinting system. For an IoT network with $N$ nodes, let the $i^{th}$ node be transmitting a signal to the server. The received signal $r(t)$ received by the server can be formulated as:

$$r(t)=F_{i}\big{[}x(t)\big{]}\ast h(t)+\eta(t),$$

(1)

where $F_{i}[\cdot]$ is the transceiver effect imposed on user $i$, $x(t)$ is the transmitted signal, $h(t)$ is the wireless channel, and $\eta(t)$ is the noise. These features of each transceiver, i.e., $F_{i}[\cdot]$, are unique RFFs and can be observed from the electromagnetic waves that are emitted by it. However, with developing manufacturing processes, these intrinsic variations are diminishing. The variation caused due to the function $F_{i}[\cdot]$ diminishes and becomes indistinguishable from that of the other node, given practical environmental noise. This greatly reduces the user capacity of the RF-Fingerprinting system. Furthermore, if the threshold conditions are adjusted to accommodate such a minute variation, it would make the system unreliable.

In this paper, we propose to use ‘metasurface’ (A brief introduction about metasurface is given in section IV) to inject a controlled, well-intended RF Fingerprint, which is more prominent and can carry more complex features in the physical layer economically. Using the metasurface (Intelligent reflective surface) we create constructive signal additions at different frequencies within the same band. Our system is very energy efficient as it can work with no power or with few hundred micro-joules depending on the application. Furthermore, It can be built cheaply for $\$0.2$ or less. Our solution also makes the signature injection part of the transmitter non-intrusive, i.e., Our metasurface can be attached to the transmitter (IoT device) and is designed to induce electromagnetic changes in the waves that are emitted by the transmitter (an example application would be cellphone case or additional inexpensive cover for the IoT device). Since this is attached at the transmitter end, the function $F_{i}[\cdot]$ would be a convolution of the designed property induced by our metasurface $s(t)$.

Since our solution is a low cost accessary to the IoT devices aiding in its authentication, it is necessary to analyze the hardware components of the IoT transmitter with the objective to find the answer to two important questions. The primary one is

a) Can a security signature be injected into the wireless physical layer by changing the existing hardware?

To answer this question let us consider the injection of such a signature by making changes specifically in the passband of the transmitted signal. In a typical IoT transmitter such as the direct conversion transmitter [9] shown in figure 2, the digital to analog converter (DAC’s)takes in data bits as in-phase and quadrature components. The output of the DAC is then filtered and sent to a mixer, where the baseband is up-converted to RF frequency. The Mixers are driven I and Q local oscillator inputs. The output is then passed through a power amplifier (PA) and is sent to the antenna drive circuit via a bandpass filter (BPF reduces out of band emissions). All the existing RFFS are created due to the imperfections in the above-mentioned components [23].

To create controlled perturbations of any of these respective components is not easy. Power Amplifiers of IoT transmitters are carefully designed with the tradeoff between nonlinearity and power-efficiency [24]. The power amplifier distortions, even though are hardware signatures, can result in a performance loss; hence, they are carefully designed in a certain operating point [24]. Thus designing a variation in PAs is too complicated, given the constraints of it affecting the performance. Similarly, reconfigurable mixers [25] do exist, but these reconfigurations do not create distortions. Mixer distortions would create synchronization and timing issues, thus affect communication performance. The DAC’s are also very carefully designed with complex constraints to reduce the power for IoT transmitters [26]. Thus introducing configurable distortions to these transmitter entities may prove very costly, which leaves us with the RF filters. Injection of an RFF can be made possible via a digital filtering technique, which would create that feeble variation or make deliberate changes to the hardware that would create uniquely identifiable signatures from device to device. Thus our questions on the feasibility of injecting RFF is narrowed down to the possibility of creating perturbations in the wireless physical layer with the help of carrier shaping digital RF- filter. This brings us to another important question that needs to be answered,

b) Can this signature injecting, RF-filter be cost effective and power efficient to be adopted for IoT authentication?

Let us consider the hardware realization of a passband filter that can generate a fingerprint. We group them as two main methods of realization, which is as described below:

We present two types of metasurfaces that can be employed with the design goals we have set.

1. a)

   Passive metasurface - This metasurface has a well designed, feature rich signature injection capability but is static. Thus making it suitable for very low-cost applications.

2. b)

   Active (programmable) metasurface - This metasurface can change its property based on a control input while maintaining the richness in the feature space. This feature is very suitable for IoT applications, which are not strictly energy constrained but needs a more secure solution as the injected signature can change with respect to control input.

With the capabilities as mentioned above, we designed and implemented the metasurface RF fingerprint injection (MeRFFI) System, which is a programmable metasurface, MeRFFI prototype has the capability to work in both the modes due to its programmability.

We present three different ways in which MeRFFI can be used for IoT authentication.

Metasurfaces [39] are ultra-thin and planar electromagnetic devices, which are made up of several unit elements. These unit elements are sub-wavelength in size compared to traditional microwave patches and printed antenna elements. They have heavily gained popularity because of the tunability of their individual unit elements [40].

The metasurface for RF-fingerprint injection is a prototype that has software programmed tunability. The material design specification and its tuning control are described below.

MeRFFI is a software-controlled metasurface used for injecting the security signature. It is an Intelligent Reflective Surface (IRS), a.k.a Reconfigurable Reflect Array, which has many unit cell structures [7]. The typical IRS’s unit cells can change their resonant frequencies, which can be perceived as a change in its reflectance and phase. Our custom designed metasurface, MeRFFI, creates constructive reflections on the signals transmitted. These small perturbations appears as frequency peaks when observed from the channel state information at the receiver. To design this specific reflective surface, the unit element has two main requirements. Firstly, to bring the entire metasurface’s resonant frequency to the specific frequency channel where the transmission is taking place. Secondly, some finer modifications of resonances within this channel cause different electromagnetic variations in the wireless physical layer.

MeRFFI’s unit cell structure: MeRFFI prototype’s unit cell has three layers: 1) a frequency selective resonant layer; 2) loading plane, which helps in miniaturizing the dimensions of the metamaterial, and; 3) a reflective ground plane. The top layer is a split ring resonator (SRR), which at the designated frequency, reflects an incoming wave. There is a capacitor $C1$ connected between the slit after split-ring resonator in top layer to change the resonant frequency this SRR. The second layer is a complementary split ring resonator (CSRR) used to miniaturize the unit element[41, 42]. Finally, between the there is a variable capacitor $C2$ connected for changing larger values of resonance.
Specifications: The meta-surface unit element design is shown in figure 4. We have used a split ring resonator as the top plane. A complimentary split ring resonator is used as the loading plane [43, 8]. The dimensions of these layers are given in figure 6(a). We have used varactor $smv2023-079LF$ [44] as C1 and C2. This lab prototype is shrunk to a half-wavelength dimension of its original size, but for usage in much smaller devices, this can be miniaturized further [42]. The entire unit element is built using an FR4 substrate, which is a common PCB material.

MeRFFI’s control mechanism : Figures 6(c) and 6(d) shows the voltage inputs given to all the varactors in MeRFFI prototype. By changing the input voltage to the capacitor $C2$, the capacitance between the loading plane and reflecting plane changes. Since this control voltage ($CV$) is connected to all the unit cells, the total resonance of the meta-surface shifts to the desired frequency channel. Hence this voltage $CV$ is the channel select voltage. The change in resonant frequency with variation in capacitance is shown in figure 7 (The graph shown is a Comsol simulation of MeRFFI, where the capacitance is changed by control voltages, the value displayed here is frequency vs. radar cross section [RCS($m^{2}$)])

The other varactors $C1$ on the top layer, however, have independent voltage connections. If MeRFFI has $M$ number of elements, then an $M$ line parallel but independent control voltage line is needed for controlling the varactors ($SV_{1},SV_{2},.....SV_{M})$. This $M$ line control voltage is what can be used to inject RF-fingerprints into the wireless physical layer. The MeRFFI prototype has 4 unit elements as shown in Figure 6 and two such prototypes were used for signature injection. Hence MeRFFI prototype had an 8 line control input vector. The metasurface prototype has eight such elements in which an 8-line control voltage feed can be given for creating many such variations.

For modeling the injection of a physical layer signature, consider the $i^{th}$ transmitting IoT node which has MeRFFI is placed in its proximity, such that any emission from the $TX$ node reflects from the MeRFFI as shown in the figure 5. Let $x(t)$ be the signal transmitted by the $i^{th}$ IoT node ($X$ in the frequency domain) and $s$ is the function of the meta-surface. Any transmission $x$ going out from this $TX$ node would be the convoluted with $s$ as it is emitted [7]. if $h$ represents the multipath channel between node $i$ and the authentication server, the expression for received signal $y$ can be written as,

$$y(t)=x(t)*s(t)*h(t)+\eta,$$

(2)

The function $s$ can be considered as the sum of the reflection from individual unit elements whose magnitude and phase is controlled by the control voltage vector $CV$. The fourier transform of $s$ which has $N$ unit elements can be written as,

$$S=\sum_{n=0}^{N-1}\rho_{n}e^{j\phi_{n}-2\pi f\tau_{n}}$$

(3)

where $\rho_{n}$ and $\phi_{n}$ are the magnitude and phase of the response from the $n^{th}$ unit element, and $\tau_{n}$ is the time delay of the $n^{th}$ impulse in the time domain. The channel response received at the receiver as seen in equation 2 is a convolution of the MeRFFI’s transfer function ($s$) and the channel multipath ($h$) similar to the sum of the product of amplitude and phase responses caused by the individual path in the multipath, the fingerprint is also the sum of the effect caused by the individual unit elements in the reflect array [7]. In the frequency domain this injected channel response $SH$, is given as:

$$SH_{j}=\sum_{m=0}^{M-1}\sum_{n=0}^{N-1}\alpha_{m}\rho_{n}e^{j(\theta_{m}+\phi_{n}-2\pi f[\tau_{m}+\tau_{n}])},$$

(4)

where $SH_{j}$ represents the $j^{th}$ frequency sample of the signature injected channel and it is a complex number that includes the amplitude $|S||H_{j}|$ and the phase $\angle{(\phi_{h_{j}+}\theta_{s})}$ is shown as follows.

$$SH_{i}=|S||H_{j}|\angle{(\phi_{h_{j}+}\theta_{s})},$$

(5)

Thus at the receiver we get the injected channel vector $SH$ for $s$, CSI samples (here, the number of CSI samples $j=s$) , i.e ,

$$SH_{i}=[SH_{1},SH_{2},SH_{3},.SH_{j},...,SH_{s}]^{T},$$

(6)

In general,

$$Y=SHX+\eta,$$

(7)

From the received signal vector $Y$ we extract $SH$. The fingerprint induced CSI of the IoT node to the authentication server has to be extracted.

$$SH=\frac{Y-\eta}{X},$$

(8)

After obtaining $SH$ the injected fingerprint has to be separated from this vector. Thus we can define a feature extraction space $\chi$, where the feature of a single fingerprint is translated to an N-dimensional feature space.

$$\chi:SH\rightarrow F\approx\hat{S},$$

(9)

where $F=\{f_{1},f_{2},f_{3}...f_{N}\}$. After this we find a function $\Omega$, that can project the feature space of $N$ users, $F$, to class space, $C=\{c_{1},c_{2},c_{3}....c_{N}\}$, i.e.,

$$\Omega:F\rightarrow C,$$

(10)

where the function $\Omega$ belongs to a hypothesis space $\omega$. After the projection, the feature of the specific user is classified to the corresponding class.

As mentioned in equation 6, we receive a vector of complex values corresponding to the number of CSI samples in the communication channel. A convolutional neural network (CNN) was used to extract the signature from the computed CSI vector $SH$. Although CNN is more computationally complex, a server in IoT can afford the computational expenditure during user enrollment, the matching (authentication) phase would be just as simple as any other classfier algorithm. In MeRFFI’s implementation, the first three layers of the CNN are used to extract features. In each layer of the CNN, one-dimensional kernels were used as the filters. This was followed by a batch norm layer to normalize the mean and variance of the data at each layer. For the third layer, a rectified linear unit (ReLU) was added to introduce nonlinearity and a max-pooling layer to reduce the size of the representation.If $\chi$ is the set of parameters for feature extraction in the CNN, then we get the feature $F$ as:

$$F=CNN(SH;\chi).$$

(11)

Depending on the outputs of feature extractor (i.e., F), a fully connected layer followed by another ReLU is used to learn the representation $K$of $F$ as follows:

$$Ki=W_{f}f_{i}+b_{f},$$

(12)

where $W_{f}$ and $b_{f}$ are the parameters to be learned and the softplus function is an activation function to introduce nonlinearity, in order to identify the injected signature, the feature representation $K_{i}$ into a new latent space $H_{i}\in{\rm I\!R_{m}}$, where $m$ is the total number of signatures to be classified. Finally, a Softmax layer is used to obtain the probability vector of signatures:

$$C_{i}=\textit{Softmax}(H_{i}),$$

(13)

$$H_{i}=W_{k}K_{i}+b_{k},$$

(14)

where $W_{k}$ and $b_{k}$ are parameters. From this, we obtain classes corresponding to the signatures $C_{i}$. A loss function $L(c,\hat{c})$ can be defined where $\hat{c}$ is the estimated class. The expected loss of $\Omega$ (the entire classification function) can be estimated while training, using an empirical risk function $R$, where

$$R=\frac{1}{N}\sum_{i}(c_{i},\Omega(v_{i})).$$

(15)

This measure helps us in avoiding overfitting and underfitting scenarios while training. After the classifier is trained, the classified features of the enrolled users are then stored in a database. When a new incoming signal is received, its feature is extracted and its score is computed with the features saved in the database, which is then used for authentication.

To design the MeRFFI metasurface to inject a robust RFF into the wireless channel, we need to take in to account the dynamics of the channel. Let’s consider a scenario where node $i$ is at a location $x\in\mathbb{R}^{2}$ and the receiving base station at $x_{b}\in\mathbb{R}^{2}$. The received signal strength $\gamma(x)$ can be represented as a 2D non-stationary field made up of three types of channel dynamics [45]; path loss ($\gamma_{p}(x)$), shadow fading ($\gamma_{s}(x)$) and the multipath fading component ($\gamma_{m}(x)$).

$$\gamma(x)=\gamma_{p}(x)\gamma_{s}(x)\gamma_{m}(x)$$

(16)

Let the injected the injected signature be represented by the random variable $\gamma_{sig}(\vec{SV},CV)$, which is dependent only on the channel select voltage $CV$ and signature inject voltage vector $\vec{SV}$ , the received signal strength becomes,

$$\gamma(x)=\gamma_{p}(x)\gamma_{s}(x)\gamma_{m}(x)\gamma_{sig}(\vec{SV},CV)$$

(17)

In Decibels this equation is,

	$\displaystyle\gamma_{db}(x)=10\log(\gamma_{p}(x))+10log(\gamma_{s}(x))+10log(\gamma_{m}(x)$		(18)
	$\displaystyle+10\log(\gamma_{sig}(CV,\vec{SV}))$

From various indoor channel modeling based on real-world measurements [45] , $\gamma_{p}(x)$ is a distance dependent path loss, and $\log(\gamma_{s}(x))$ follows a zero mean gaussian distribution and the channel multipath $\gamma_{m}(x)$ follows a rician distribution as given by,

$$f_{w}(x)=(1+K_{r})e^{-k_{r}-(1+k_{r})x}I_{0}(2\sqrt{xk_{r}(k_{r}+1)}$$

(19)

Where $K_{r}$ is the Rician K factor, which is the ratio between the power in the direct-path ($p_{d}$) and the diffused power, and $I_{0}(.)$ is the $0^{th}$ order Bessel function. By applying the expectation operator on equation 18 and rearrange it to inequalities we get,

	$\displaystyle\gamma_{db}(x)-10\log(\gamma_{sig}(CV,\vec{SV})>10\log(\gamma_{p}(x))+$		(20)
	$\displaystyle 10log(E(f_{w}(x)))$

Here the path loss has zero mean and we can deduce that the gain of the RF-fingerprint injected should be greater that the multipath power.

Consider a dynamic environment of an area of radius $||x-x_{b}||$ with $N_{obj}$ moving objects each at distances $r_{i}$ of the receiver and having an average width of $\delta w$. These objects absorb some part of the energy, by an absorb factor $\zeta$ and the total path power is $P_{m}$. If the objects are uniformly distributed with in the area has the following $k_{r}$ [46],

$$k_{r}=\frac{p_{d}}{p_{m}}\frac{\pi(r_{max}+r_{min})}{N_{obj}|\zeta|^{2}\delta w}$$

(21)

From this equation, we can infer that the rician factor and hence mean dynamic value of the multipath power is influenced by the number of moving objects per unit area [46] ($K_{r}=0$ means a highly dynamic channel).

For the injected signature to be prominent in this dynamic environment, MeRFFI metasurface’s SNR with in a short delay spread has to be above the threshold level of the maximum variations caused by channel dynamics. Practically this is the metasurface’s expected capability where it provides constructive interference on the channel, which aids the communication by enhancing certain narrow frequency components. This is contrary to the frequency selective fading introduced by the multipath and requires the metasurface to be tuned to the operating frequency. The maximum gain of the metasurface is obtained when the perimeter of the unit cell is of the order of the wavelength used for communication ($\lambda$). The gain reduces when the unit cell’s size is shrunk. The idea is to choose the metasurface’s size to make the constructively added perturbations to withstand channel variations and at the same time conform to the devices form factor. Our prototype is thus built with the perimeter of each unit cell of the order of $\lambda/4$ (65 mm), which is sufficient for a time varying, dynamic, real-world indoor environment.

Remark: Designing the metasurface channel robust also has the advantage that the injected Rf-fingerprint dataset size becomes independent of the channel, robust to time variance and depends only on the injected code.

Two 4-unit cell based structures were used in all the experiments(figure 6). As mentioned in section 5, two types of control (figure 6(c) & (d)) are required. $a)$ control voltage $CV$, which is a single parallel voltage to be supplied to all the individual elements to select the channel of operation, $b)$ control voltage vector $\vec{SV}=\{SV_{1},SV_{2},.....SV_{M}\}$, is used to inject different RF-signatures in the selected channel. We use an Arduino Mega 2560 to drive the DAC circuit to provide $CV$, and two similar sources were used to feed in the control vector $\vec{SV}$.

Different $SV_{i}$ inputs correspond to an individual unit cell control input, and this was made sure with the above mentioned voltage sources and voltage divider circuits.

For computing the performance of the classification system designed, we first compute the following: a) true positive (TP): the digital signatures correctly identified, b) true negative (TN): the fingerprints correctly rejected, c) false positive (FP): the false signature wrongly identified, and d) false negative (FN): a valid signature misclassified as false. These values are used to compute the standard performance measures sensitivity ( recall, hit rate, or true positive rate (TPR), Fall-out or false positive rate (FPR), Precision or positive predictive value (PPV), Accuracy (ACC), F1 Score, area under the ROC (receiver operating characteristic) curve. Since this is a multi-class classification problem. We compute the micro and macro average of all the performance measures shown above. Hence we perform an $M$ number of one vs. all classifications for all the classes and compute this micro and macro averages performance measure, which would give us an overall performance of the signatures classified at the receiver. A sample of how micro and macro averages are computed. An example for computing the micro and macro average of precision ($PPV_{micro}$ and $PPV_{macro}$) is given as

$\displaystyle PPV_{micro}=\frac{TP1+TP2}{TP1+TP2+FP1+FP2}.$

(22)

$\displaystyle PPV_{macro}=\frac{P1+P2}{2}.$

(23)

We use the micro and macro averages to create the average ROC and then compute the $AUC_{micro}$, $AUC_{Macro}$ average, which would give us a good sense of the overall performance of the system.

Objective: To visually observe changes caused in the wireless channel caused by the control voltage input given to MeRFFI and thereby verifying if MeRFFI’s channel select and signature inject control mechanisms are working.

Experimental setup: To test whether the designed meta-surface performs as per the design specification, an Agilent Vector Network Analyzer (model-8753ES) was used. MeRFFI was kept near the TX antenna, and $S21$ (forward gain) was observed from the receiver end, which is kept 2.54 m away. At first control input $CV$ was changed, and changes were observed at the VNA. The experiment was done in a conference room with the setting as seen in figure 10.

Results and inferences: At 16.1 volts a peak was observed within the range 2.420 GHz and 2.425 GHz, which indicates that $CV$ was functioning as the channel selector. Then random voltage vectors $\vec{SV}$ was applied and distinct $S21$(forward gain) patterns corresponding to different $\vec{SV}$ inputs were observed as seen in the figure 8. This pre-test helped us validate the channel select mechanism and different patterns observed at the VNA verify that the signature injection mechanism of MeRFFI is functional.

Objective: In this experiment, 208 codes, which are very close to each other (very minimum voltage change in each input control), are given as input SV. This experiment is to classify these 208 closely-spaced signatures received at the receiver and estimate the signature capacity of MeRFFI.

Experimental setup: This experiment was performed in a conference room $10.16\times 6.35$ m, whose plan is displayed in figure 9 and the position is marked with label A. This room was chosen so that the environment is not controlled, which includes other commercial wireless interferences. The COTS experimental devices used were a Lenovo ThinkPad E570 equipped with an Intel 8265ac NIC card as the transmitter, and a Dell Latitude E6530 fitted with an Intel 5300ac NIC card as the receiver. MeRFFI was placed 2 cm in front of the transmitter’s inbuilt antenna as shown in figure 10. The receiver is placed 2.54 m away from the transmitter. The values of the control voltages $SV_{1}$ for each unit cell are varied from 0 till 10, while the control inputs to other unit cells are kept zero. Twenty six voltage values were given to each capacitor, and the changes were done on all the eight different unit cells. Thus making it 208 different code words triggering that many injected codes, which have very minimum variation from one to the next. The number of voltage values that can be given to each unit element depends on the dynamic range of the varactor chosen. The data set collected 500 CSI vector values received for each signature. The structure of the CNN used for classifying this data is shown in table I.

Result and inference: Table II shows the accuracy and the F1 score (micro and macro averages) for 80:20 and 90:10 test to train percentage split. The values suggest that MeRFFI RF-Fingerprinting has a substantial signature capacity and is very reliable. In the above experiment, each unit cell was triggered by 26 voltage levels one after the other. Based on the technical specification of the varactor [44] used in creating this variation a maximum of 32 different physical signatures.

To generalize, consider a MeRFFI prototype that has $M$ unit elements in the metasurface. Each of these unit elements can create several capacitance variations depending on the dynamic characteristics of the varactor connected to them. If $R_{d}$ is the dynamic range of the varactor and $V_{t}$ is the minimum control voltage needed to create capacitance change of the varactor, the number of signatures that can be injected by MeRFFI can be written as :

$$N=(R_{d}/V_{t})^{M},$$

(24)

From this equation, we can interpret that a high resolution varactor with a higher dynamic range can achieve a large design space for signatures.

In a perfect environment with low noise, the MeRFFI prototype in the lab that has 8 unit cells can create a maximum $48^{8}$ ($2^{45}$) signatures. Thus a more significant number of unit cells in MeRFFI would result in a higher signature capacity.

Objective: This experiment is performed to test the variation in the performance of the MeRFFI system with varying distances.

Experimental setup: This experiment is performed using the same COTS devices mentioned in the previous experiment. Here the distance of the receiver is varied in each experiment (distance). The receiver is kept at three different distances 7 m, 27 m and 53 m from the receiver location and the experiment is done on WiFi’s channel 5. The experimental setup is labeled as ’B’ in the figure 9 and as seen in the figure, is a 53 m long corridor, thus a complex environment from the wireless channel perspective. Twelve different signatures were injected through the MeRFFI device on the transmitted wireless signal. Packets are transmitted for 20 seconds for each signature. The signatures received at the receiver are classified using a CNN whose structure is similar to the one shown in the table I. Here only 20 percent of the data is used for training and the remaining 80 percent is used for testing.

Result and inference: Table III shows the performance of the MeRFFI system with different distances 7m, 27m, and 53m. It can be seen that the system performs well, despite the wireless channel being a complex tunnel-like environment. Hence MeRFFI’s injected signature does not significantly vanish from the wireless physical layer with distance. Since MeRFFI’s application scenario requires it to be kept very close to the transmitter, it can be inferred that the injected signatures exist at very short delay spread compared to other multipath components that come into picture when the communication distance increases.

Objective: This experiment is done to test whether a change in orientation between the transmitter and receiver affects the performance of MeRFFI’s RF-fingerprint injection capability.

Experimental setup: This experiment was performed in the same COTS equipment mentioned in the previous experiment. The transmitting laptop has the Intel 8265ac is attached with the MeRFFI device and is kept at a fixed location. The receiver laptop is at a distance of 2.54 m from the transmitter. The experimental setup is marked ’D’ in the figure 9. The position of the receiver is then varied by 30 degrees with the distance being the same. The same 12 voltage values are injected in four such orientations 0^∘, 30^∘, 60^∘, and 90^∘ respectively. This data is then classified using CNN for each location, and their performance is compared. Same as the previous experiment, 20 percent of the data is used for training, and the remaining 80 percent is used for testing.

Result and inference: Table IV shows the performance of the MeRFFI system with varying orientation. The minimum accuracy obtained was 95.42 percentage. It can be seen that the change of orientation does not affect the performance of this system.

Objective: This experiment is done to test the MeRFFI’s signature injection capability when there is a blockage between the transmitter and the receiver.

Experimental setup: This experimental setup, which is represented as ’C’ in the figure 9 is placed such that the transmitter is in one room, 100 m away from the wall and the receiver is placed 0.3 m away from the wall in the next room. There is no other line of sight available for these COTS devices to communicate. The same 12 codes as in the previous experiment are injected by the transmitter. The received codes are classified using the CNN classifier with the structure as given in table I. Similar to the previous cases, 20 percent of the data was used for training, and the remaining 80 percent was used for testing.

Result and inference: As it can be seen from the table V, MeRFFI performs well through a wall. With 20 percent training and remaining test, MeRFFI has the potential to be applied for real-world scenarios with obstruction.

Objective: To test the hypothesis that the same signature injected by MeRFFI appears as a different one if the devices use a different channel for communication.

Experimental setup: Here we use the test set up ’A’ as shown in figure 9. 24 signatures were injected in 4 different channels. Thus a 96 class recognition system had to be built.

Result and inference The minimum micro averaged AUC for test to train ratio varying from 50$\%$ to 80$\%$ was observed to be 0.95. Table VI shows the averaged F1 scores and accuracy. From the observations, we can validate this hypothesis that MeRFFI’s signature appears different when observed from a different channel number.

All the above experiments were done using the very high throughput mode (VHT) of IEEE 802.11 ac. The data rate is always above 50 Mbps, thus indicating that the injected perturbations do not significantly hinder the datarate. We also did not observe any packet drops while MeRFFI was attached to the transmitting node.

The cost of manufacturing our prototype was less than 10 dollars including the price of commercial varactor chips used. The cost was kept low due to in lab design and fabrication. On mass production these materials would cost less than 20 cents per device.

The entire power including the control mechanism, i.e., channel select and signature inject code was less than 50 millijoules (0.05 Ws), which, when compared to DSP chip is $67\%$ less power consumed. The energy consumption of a programmable MeRFFI module does not vary with packet size. In our COTS testbed, the above results indicate that MeRFFI is very suitable for commercial IoT adoption.

Consider an RF-Fingerprint authentication scenario, as seen in figure 11, where an IoT node ’$i$’, which has the MeRFFI module attached, is trying to access an authentication server ’$s$’. There is a man-in-the-middle scenario where an attacker ’$at$’ is trying to break this authentication mechanism. Here, ’$at$’ can try to impersonate the genuine node ’$i$’.

Objective: To perform a feature replay attack on MeRFFI system.

Experimental Setup: For this experiment there are three entities involved: (a) the legitimate transmitter (Alice), (b) the receiver (Bob) and (c) the attacker (AT). Their specifications are as follows:
(a) Alice : A Lenovo ThinkPad E570 equipped with an Intel 8265ac NIC card with MeRFFI attached as the transmitting node.
(b) Bob: a Dell Latitude E6530 fitted with an Intel 5300ac NIC card as the receiver.
(c) AT : In-order to give the attacker, the best possible capabilities, we equipped it with the best devices we have. We designed the AT with four devices, (i) a Dell Latitude E6530 fitted with an Intel 5300ac NIC card, which acts as evesdropper for snooping the signal transmitted by Alice, (ii) Dell Precision tower server-T5810 with Intel Xeon CPU E5-1630 @ 3.7 GHz and 64 GB ram, for performing the feature learning, similar to equation 28 , (iii) A Lenovo ThinkPad E570 equipped with an Intel 8265ac NIC card for doing the feature replay transmission (iv) MeRFFI for injecting the features that were evesdropped.

The experimental setup can be seen in figure 12, and the distances between the entities are marked in the figure. In our setup, Alice transmits to Bob, AT is trying to perform a feature replay attack. AT has knowledge of the frequency channel used for communication, the channel control voltage $CV$ to select that channel, and several signature control vectors $\vec{SV}$ (secret hardware key) and their responses. AT first receives the packet as an eavesdropper with equipment (i), then uses a deep learning-based supervised function approximator using the setup (ii) to train estimate the value of $\vec{SV}$ at the receiver, let the estimated value be ($\vec{SV_{r}}$). AT then uses equipment (iii) to transmit packets to Bob by using MeRFFI, which is controlled with the estimated $\vec{SV_{r}}$. Bob already has a classifier trained to accept only legitimate devices (here Alice’s RFFs generated with MeRFFI). Bob receives the packets from Alice and the Attacker and checks them for authenticity.

To quantify the attacking scenario. First, Alice transmits 5500 packets of 11 different MeRFFI signatures. The Attacker knows all the 11 signature control vectors $\vec{SV_{i}},i=1,2..11)$, uses these as labels to train its deep learning based function approximator (from the 5500 packets, 4950 packets are used to train the network and 550 are used to validate, this is to avoid overfitting). The function approximator is a modified version of CNN shown in table I, where the output layer is modified to get smooth estimates[48, 49]. With this we perform our evaluation with 2 test procedures.

Test procedure 1: We test the linear separability of the received data of 12 different attacks (transmissions by AT). The separability is measured by Mahalanobis distance between Alice’s data and AT’s data, as seen by Bob. In each scenario AT listens for 5500 packets from 11 $SV$ signals of Alice, and sends 25 attack signatures towards Bob.

Test procedure 2: In this test, we identify the CSI samples with the least distance from test procedure 1 and perform an attack on Bob. Bob has an authentication system built (using CNN shown in table I to accept all 12 signatures from Alice. Then Attacker uses its learned function approximator to generate 500 packets for which the signature control vector is $\vec{SV_{x}}$, where $x$ is a secret between Alice and Bob. This estimated control signal, $\hat{\vec{SV_{x}}}$ is used to send 500 packet burst with MeRFFI to force an authentication with Bob.

Result: From test procedure 1, we identified that test 5 has the least distance between Alice’s signature and AT’s signature, as seen by Bob. The distance, which is equal to 1, is still a good distance, which a strong classifier can classify. But this signature is the weakest among the one we tested. We then perform procedure 2, where we use this scenario to send 500 attack packets to Bob. Here Bob has an authentication system that is tailored to accept 12 different signatures from Alice. In this experiment, all the 500 packets from AT were rejected by Bob. We also checked if time variability affects the attack, hence we performed this attack again after one week, but the results were the same.

Inference: From this experiment, we can infer that even after knowing many of the signature control vectors $\vec{SV_{x}}$, it is extremely difficult to attack the MeRFFI system if the control code is not known. This opens up the avenue for developing a data-dependent device procedure where a digital signature and physical signature are dependent, further improving the security condition. Another inference we can make is from test procedure-1 (figure 13). We can observe that certain attack signatures may have high similarity to the original injected CSI, as is the case with tests 5, 3, and 11. Although they were still rejected authentication by a carefully designed classifier at Bob, this weakness can be reduced using protocol 2 and 3, which uses multiple code injections to authenticate a node. Other than the attack scenario mentioned above, one may argue that the attacker may also have the capability to record the downlink channel without the signature, inverse it, and then compare it with the injected channel to isolate the signature. But reciprocity of the channel is usually an assumption to get approximate CSI, due to the detrimental changes in the transceiver components and the channel [50], thus making this measurement inadequate for the attacker.

The radio frequency fingerprint community has been trying to address the contradicting tradeoff between security and reliability [20]. With MeRFFI we have optimized the dimensions based on our theoretical deductions in section IV-E to maintain an optimum between security and reliability based on the environment.

The metamaterial research community has been actively researching the [42] area of Frequency Selective Surfaces (FSS). The Prototype created in our lab has been miniaturized to half the size of its original dimension. Size reduction up to $1/16$ of the original dimension is common in the metamaterial research community. This miniaturization is also accompanied by narrowed operating bandwidth of the frequency selective surface and reduced gain. The narrow bandwidth is good for RFF injection, a smaller number of perturbations can be made in the operating frequency, but a reduced gain can make the authentication system sensitive to environmental effects. Thus, while designing the size of MeRFFI, we have to take into consideration the application and the frequency of operation.

In MeRFFI’s classifier design, we used a CNN that is robust in a static environment, but if the receiver has a change in orientation or is required to be moved from one place to another, it would have to be retrained in the system. This is because the feature representation may not separate (linear separability) the injected signature from the environmental multipath. This can be solved either by generalization using transfer learning approaches [51, 52], or using 2 step transmission for authentication. To further clarify, if the feature representation of the injected signatures made in one position/orientation is termed source domain data and the representation in another position/orientation is the target domain data, we would want the features learned from the source domain to be valid in the target domain. In statistical terms, we need to generalize the injected features learned by reducing the difference between the distributions of the source and target domain data.

Another way to solve this problem is to use a two code transmission for authentication, where the difference in the injected CSI’s [53] at the receiver yields the actual code. Let the IoT node transmit three security signatures $S1$,$S2$, and $S3$. These signatures are influenced by channel H. At the receiver, let the received signature be $SH_{1}$, $SH_{2}$ and $SH_{3}$. Using $[SH_{1}-SH_{2}]$ and $[SH_{1}-SH_{3}]$ and using this difference to authenticate the TX node can make the system robust to movement. Our future work is focused on realizing this authentication scheme.

Our experimental results suggest that an active Frequency Selective Surface (FSS) offers much more secure physical layer signatures than a passive one. Although the active MeRFFI prototype made in the lab consumes very minimal power, low power IoT applications would need energy harvesting based FSS [54] that does not need an external battery.