Spectrum-flexible secure broadcast ranging

Secure ranging is poised to play a critical role in several emerging applications such as self-driving cars, unmanned aerial systems, wireless IoT devices, and augmented reality. In this paper, we propose a design of a secure broadcast ranging system with unique features and techniques. Its spectral flexibility and low-power, short ranging bursts enable coexistence with existing systems, such as those in the 2.4GHz ISM band. We exploit a set of RF techniques such as upsampling and successive interference cancellation to achieve high accuracy and scalability to tens of reflectors even when operating over narrow bands of spectrum. We demonstrate that it can be implemented on the FPGA and/or hosts of popular SDR platforms (with minimal FPGA modifications). The protocol design, cryptographically generated/detected signals, and randomized timing of transmissions provide stealth and security against denial of service, sniffing, and distance manipulation attacks. Through extensive experimental evaluations (and simulations for scalability to over 100 reflectors) we demonstrate an accuracy below 20cm over a wide range of SNR (as low as 0dB), across 25MHz-100MHz of spectrum, with bursts as short as 5us.
