So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks

Distance-bounding protocols aim to prevent an adversary from pretending that two parties are physically closer than they really are. We show that proposed distance-bounding protocols of Hu, Perrig and Johnson (2003), Sastry, Shankar and Wagner (2003), and Capkun and Hubaux (2005, 2006) are vulnerable to a guessing attack where the malicious prover preemptively transmits guessed values for a number of response bits. We also show that communication channels not optimized for minimal latency imperil the security of distance-bounding protocols. The attacker can exploit this to appear closer himself or to perform a relaying attack against other nodes. We describe attack strategies to achieve this, including optimizing the communication protocol stack, taking early decisions as to the value of received bits and modifying the waveform of transmitted bits. We consider applying distance-bounding protocols to constrained devices and evaluate existing proposals for distance bounding in ad hoc networks.

[1]  Brad Karp,et al.  GPSR: greedy perimeter stateless routing for wireless networks , 2000, MobiCom '00.

[2]  David A. Wagner,et al.  Secure verification of location claims , 2003, WiSe '03.

[3]  Tor Helleseth,et al.  Advances in Cryptology — EUROCRYPT ’93 , 2001, Lecture Notes in Computer Science.

[4]  Vivien Chu,et al.  Ultra Wideband Signals and Systems in Communication Engineering , 2007 .

[5]  Markus G. Kuhn,et al.  An RFID Distance Bounding Protocol , 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[6]  Srdjan Capkun,et al.  Secure positioning of wireless devices with application to sensor networks , 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies..

[7]  J. Sachs,et al.  UWB localization - active and passive approach [ultra wideband radar] , 2004, Proceedings of the 21st IEEE Instrumentation and Measurement Technology Conference (IEEE Cat. No.04CH37510).

[8]  Paramvir Bahl,et al.  RADAR: an in-building RF-based user location and tracking system , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[9]  J. Werb,et al.  Designing a positioning system for finding things and people indoors , 1998 .

[10]  Yih-Chun Hu,et al.  Rushing attacks and defense in wireless ad hoc network routing protocols , 2003, WiSe '03.

[11]  Yih-Chun Hu,et al.  Packet leashes: a defense against wormhole attacks in wireless networks , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[12]  Eric Horvitz,et al.  LOCADIO: inferring motion and location from Wi-Fi signal strengths , 2004, The First Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services, 2004. MOBIQUITOUS 2004..

[13]  Reiner S. Thoma,et al.  UWB Localization - Active and Passive Approach , 2004 .

[14]  Adrian Perrig,et al.  Proceedings of the 2nd ACM workshop on Wireless security , 2003 .

[15]  Srdjan Capkun,et al.  Secure Localization with Hidden and Mobile Base Stations , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[16]  David Chaum,et al.  Distance-Bounding Protocols (Extended Abstract) , 1994, EUROCRYPT.

[17]  Donggang Liu,et al.  Attack-resistant location estimation in sensor networks , 2005, IPSN 2005. Fourth International Symposium on Information Processing in Sensor Networks, 2005..

[18]  Srdjan Capkun,et al.  Secure positioning in wireless networks , 2006, IEEE Journal on Selected Areas in Communications.

[19]  Srdjan Capkun,et al.  SECTOR: secure tracking of node encounters in multi-hop wireless networks , 2003, SASN '03.

[20]  J. Barney,et al.  Commercialization of an ultra wideband precision asset location system , 2003, IEEE Conference on Ultra Wideband Systems and Technologies, 2003.

[21]  Andreas Willig,et al.  Protocols and Architectures for Wireless Sensor Networks , 2005 .

[22]  Donggang Liu,et al.  Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks , 2005, 25th IEEE International Conference on Distributed Computing Systems (ICDCS'05).

[23]  Ryuji Kohno,et al.  Ultra Wideband Signals and Systems in Communication Engineering: Ghavami/Ultra Wideband Signals and Systems in Communication Engineering , 2004 .

[24]  C. Karlof,et al.  Secure routing in wireless sensor networks: attacks and countermeasures , 2003, Proceedings of the First IEEE International Workshop on Sensor Network Protocols and Applications, 2003..

[25]  Adrian Perrig,et al.  Proceedings of the 2003 ACM Workshop on Wireless Security, San Diego, CA, USA, September 19, 2003 , 2003, Workshop on Wireless Security.