Distance Bounding with IEEE 802.15.4a: Attacks and Countermeasures

Impulse Radio Ultra-Wideband, in particular the recent standard IEEE 802.15.4a, is a primary candidate for implementing distance bounding protocols, thanks to its ability to perform accurate indoor ranging. Distance bounding protocols allow two wireless devices to securely estimate the distance between themselves, with the guarantee that the estimate is an upper bound on the actual distance. These protocols serve as building blocks in security-sensitive applications such as tracking, physical access control, or localization. We investigate the resilience of IEEE 802.15.4a to physical-communication-layer attacks that decrease the distance measured by distance bounding protocols, thus violating their security. We consider two attack types: malicious prover (internal) and distance-decreasing relay (external). We show that if the honest devices use energy-detection receivers (popular due to their low cost and complexity), then an adversary can perform highly effective internal and external attacks, decreasing the distance by hundreds of meters. However, by using more sophisticated rake receivers, or by implementing small modifications to IEEE 802.15.4a and employing energy-detection receivers with a simple countermeasure, honest devices can reduce the effectiveness of external distance-decreasing relay attacks to the order of 10 m. The same is true for malicious prover attacks, provided that an additional modification to IEEE 802.15.4a is implemented.
