The Insecurity of Time-of-Arrival Distance-Ranging in IEEE 802.11 Wireless Networks

Two-way Time-of-Arrival (TOA) distance-ranging is well-suited for use in IEEE 802.11 MANETs and wireless mesh networks because it is simple, efficient and does not require precise time synchronization between network stations. Despite its utility, we show that this distance-ranging procedure is completely insecure and demonstrate how it can be subverted by a simple but highly effective attack. This attack allows the adversary comprehensive and fine-grained control over the distance reported by the procedure. Such adversaries can appear to be either much further away or much closer than they are in reality. We demonstrate the attack experimentally and also show how it can be implemented using ordinary wireless network interfaces. Finally, the necessary and sufficient conditions for the secure use of the two-way TOA distance-ranging procedure in IEEE 802.11 wireless networks are identified.
