UWB with Pulse Reordering: Securing Ranging against Relay and Physical Layer Attacks

Physical-layer attacks allow attackers to manipulate (spoof) ranging and positioning. These attacks had realworld impact and allowed car thefts, executions of unauthorized payments and manipulation of navigation. UWB impulse radio, standardized within 802.15.4a,f, has emerged as a prominent technique for precise ranging that allows high operating distances despite power constraints by transmitting multi-pulse symbols. Security of UWB ranging (in terms of the attacker’s ability to manipulate the measured distance) has been discussed in the literature and is, since recently also being addressed as a part of the emerging 802.15.4z standard. However, all research so far, as well as security enhancements proposed within this emerging standard face one main limitation: they achieve security through short symbol lengths and sacrifice performance (i.e., limit the maximum distance of measurement), or use longer symbol lengths, therefore sacrificing security. We present UWB with pulse reordering (UWB-PR), the first modulation scheme that secures distance measurement between two mutually trusted devices against all physical-layer distance shortening attacks without sacrificing performance, therefore simultaneously enabling extended range and security. We analyze the security of UWB-PR under the attacker that fully controls the communication channel and show that UWB-PR resists such strong attackers. We evaluate UWB-PR within a UWB system built on top of the IEEE 802.15.4 device and show that it achieves distances of up to 93m with 10cm precision (LoS). UWB-PR is, therefore, a good candidate for the extended mode of the new 802.15.4z Low Rate Pulse standard. Finally, UWB-PR shows that secure distance measurement can be built on top of modulation schemes with longer symbol lengths so far, this was considered insecure.

[1]  David A. Wagner,et al.  Secure verification of location claims , 2003, WiSe '03.

[2]  Srdjan Capkun,et al.  UWB rapid-bit-exchange system for distance bounding , 2015, WISEC.

[3]  Swarun Kumar,et al.  Decimeter-Level Localization with a Single WiFi Access Point , 2016, NSDI.

[4]  Serge Vaudenay,et al.  Towards Secure Distance Bounding , 2013, FSE.

[5]  Marcin Poturalski,et al.  The cicada attack: Degradation and denial of service in IR ranging , 2010, 2010 IEEE International Conference on Ultra-Wideband.

[6]  Gildas Avoine,et al.  The Swiss-Knife RFID Distance Bounding Protocol , 2008, ICISC.

[7]  Pascal Lafourcade,et al.  Survey of Distance Bounding Protocols and Threats , 2015, FPS.

[8]  Markus G. Kuhn,et al.  An RFID Distance Bounding Protocol , 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[9]  Panagiotis Papadimitratos,et al.  Distance Bounding with IEEE 802.15.4a: Attacks and Countermeasures , 2011, IEEE Transactions on Wireless Communications.

[10]  Srdjan Capkun,et al.  On the Security of Carrier Phase-Based Ranging , 2016, CHES.

[11]  Panagiotis Papadimitratos,et al.  GNSS-based Positioning: Attacks and countermeasures , 2008, MILCOM 2008 - 2008 IEEE Military Communications Conference.

[12]  Paramvir Bahl,et al.  RADAR: an in-building RF-based user location and tracking system , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[13]  Yih-Chun Hu,et al.  Packet leashes: a defense against wormhole attacks in wireless networks , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[14]  Srdjan Capkun,et al.  Are We Really Close? Verifying Proximity in Wireless Systems , 2017, IEEE Security & Privacy.

[15]  Srdjan Capkun,et al.  UWB-ED: Distance Enlargement Attack Detection in Ultra-Wideband , 2019, USENIX Security Symposium.

[16]  Peter Kulchyski and , 2015 .

[17]  Srdjan Capkun,et al.  Secure positioning in wireless networks , 2006, IEEE Journal on Selected Areas in Communications.

[18]  Srdjan Capkun,et al.  Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars , 2010, NDSS.

[19]  Srdjan Capkun,et al.  Secure positioning of wireless devices with application to sensor networks , 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies..

[20]  T. Humphreys,et al.  Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer , 2008 .

[21]  Xiang Gao,et al.  Comparing and fusing different sensor modalities for relay attack resistance in Zero-Interaction Authentication , 2014, 2014 IEEE International Conference on Pervasive Computing and Communications (PerCom).

[22]  Srdjan Capkun,et al.  Physical-layer attacks on chirp-based ranging systems , 2012, WISEC '12.

[23]  Srdjan Capkun,et al.  Realization of RF Distance Bounding , 2010, USENIX Security Symposium.

[24]  Juan Manuel González Nieto,et al.  Detecting relay attacks with timing-based protocols , 2007, ASIACCS '07.

[25]  Gerhard P. Hancke,et al.  Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones , 2011, IACR Cryptol. ePrint Arch..

[26]  R.J. Fontana,et al.  Observations on Low Data Rate, Short Pulse UWB Systems , 2007, 2007 IEEE International Conference on Ultra-Wideband.

[27]  Markus G. Kuhn,et al.  So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks , 2006, ESAS.

[28]  Panagiotis Papadimitratos,et al.  Effectiveness of distance-decreasing attacks against impulse radio ranging , 2010, WiSec '10.