Physical-layer attacks on chirp-based ranging systems

Chirp signals have been extensively used in radar and sonar systems to determine distance, velocity and angular position of objects and in wireless communications as a spread spectrum technique to provide robustness and high processing gain. Recently, several standards have adopted chirp spread spectrum (CSS) as an underlying physical-layer scheme for precise, low-power and low-complexity real-time localization. While CSS-based ranging and localization solutions have been implemented and deployed, their security has so far not been analyzed. In this work, we analyze CSS-based ranging and localization systems. We focus on distance decreasing relay attacks that have proven detrimental for the security of proximity-based access control systems (e.g., passive vehicle keyless entry and start systems). We describe a set of distance decreasing attacks realizations and verify their feasibility by simulations and experiments on a commercial ranging system. Our results demonstrate that an attacker is able to effectively reduce the distance measured by chirp-based ranging systems from 150 m to 600 m depending on chirp configuration. Finally, we discuss possible countermeasures against these attacks.

[1]  Robert Weigel,et al.  Spread spectrum communications using chirp signals , 2000, IEEE/AFCEA EUROCOMM 2000. Information Systems for Enhanced Public Safety and Security (Cat. No.00EX405).

[2]  Richard W. Hamming,et al.  Error detecting and error correcting codes , 1950 .

[3]  E. L. Harder,et al.  The Institute of Electrical and Electronics Engineers, Inc. , 2019, 2019 IEEE International Conference on Software Architecture Companion (ICSA-C).

[4]  Srdjan Capkun,et al.  Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars , 2010, NDSS.

[5]  Gerhard P. Hancke,et al.  On the security issues of NFC enabled mobile phones , 2010 .

[6]  Hao Wang,et al.  A wireless LAN-based indoor positioning technology , 2004, IBM J. Res. Dev..

[7]  M. Vossiek,et al.  Precise 3-D Object Position Tracking using FMCW Radar , 1999, 1999 29th European Microwave Conference.

[8]  Jing Liu,et al.  Survey of Wireless Indoor Positioning Techniques and Systems , 2007, IEEE Transactions on Systems, Man, and Cybernetics, Part C (Applications and Reviews).

[9]  David S. Dayton FM "Chirp" Communications: Multiple Access to Dispersive Channels , 1968 .

[10]  Panagiotis Papadimitratos,et al.  Distance Bounding with IEEE 802.15.4a: Attacks and Countermeasures , 2011, IEEE Transactions on Wireless Communications.

[11]  Markus G. Kuhn,et al.  So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks , 2006, ESAS.

[12]  Panagiotis Papadimitratos,et al.  Effectiveness of distance-decreasing attacks against impulse radio ranging , 2010, WiSec '10.

[13]  Sandeep K. S. Gupta,et al.  Proximity based access control in smart-emergency departments , 2006, Fourth Annual IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOMW'06).

[14]  Sinan Gezici,et al.  Ultra-wideband Positioning Systems: Theoretical Limits, Ranging Algorithms, and Protocols , 2008 .

[15]  Charles E. Cook,et al.  Radar Signals: An Introduction to Theory and Application , 1967 .

[16]  David L Adamy,et al.  Ew 101: A First Course in Electronic Warfare , 2001 .

[17]  Per K. Enge,et al.  Global positioning system: signals, measurements, and performance [Book Review] , 2002, IEEE Aerospace and Electronic Systems Magazine.

[18]  Srdjan Capkun,et al.  Realization of RF Distance Bounding , 2010, USENIX Security Symposium.

[19]  Daeyoung Kim,et al.  IEEE 802.15.4a CSS-based Localization System for Wireless Sensor Networks , 2007, 2007 IEEE Internatonal Conference on Mobile Adhoc and Sensor Systems.

[20]  K. Laker,et al.  Surface wave filters: Design, construction, and use , 1979, Proceedings of the IEEE.

[21]  Srdjan Capkun,et al.  Proximity-based access control for implantable medical devices , 2009, CCS.

[22]  John Krumm,et al.  Location-aware computing comes of age , 2004, Computer.

[23]  Paramvir Bahl,et al.  RADAR: an in-building RF-based user location and tracking system , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[24]  S. Gezici,et al.  Ranging in the IEEE 802.15.4a Standard , 2006, 2006 IEEE Annual Wireless and Microwave Technology Conference.

[25]  Hwan Hur,et al.  One-way ranging technique for CSS-based indoor localization , 2008, 2008 6th IEEE International Conference on Industrial Informatics.

[26]  W. Gregg,et al.  On the Utility of Chirp Modulation for Digital Signaling , 1973, IEEE Trans. Commun..

[27]  D. Kasilingam,et al.  A novel chirp modulation spread spectrum technique for multiple access , 2002, IEEE Seventh International Symposium on Spread Spectrum Techniques and Applications,.

[28]  G. F. Gott,et al.  Differential phase-shift keying applied to chirp data signals , 1974 .

[29]  Markus G. Kuhn,et al.  Attacks on time-of-flight distance bounding channels , 2008, WiSec '08.

[30]  Robert Weigel,et al.  A wireless spread-spectrum communication system using SAW chirped delay lines , 2001 .

[31]  Young Jin Nam,et al.  Efficient Indoor Localization and Navigation with a Combination of Ultrasonic and CSS-based IEEE 802.15.4a , 2009, Proceedings of the 4th International Conference on Ubiquitous Information Technologies & Applications.

[32]  Srdjan Capkun,et al.  Distance enlargement and reduction attacks on ultrasound ranging , 2005, SenSys '05.

[33]  Srdjan Capkun,et al.  ID-Based Secure Distance Bounding and Localization , 2009, ESORICS.

[34]  Chanmin Yoon,et al.  Experimental analysis of IEEE 802.15.4a CSS ranging and its implications , 2011, Comput. Commun..

[35]  Marcin Poturalski,et al.  The cicada attack: Degradation and denial of service in IR ranging , 2010, 2010 IEEE International Conference on Ultra-Wideband.

[36]  A White Real Time Location Systems White Paper Version 1.02 , 2007 .

[37]  Hans-Werner Gellersen,et al.  Location and Navigation Support for Emergency Responders: A Survey , 2010, IEEE Pervasive Computing.