On the Security of Carrier Phase-Based Ranging

Multicarrier phase-based ranging is fast emerging as a cost-optimized solution for a wide variety of proximity-based applications due to its low power requirement, low hardware complexity and compatibility with existing standards such as ZigBee and 6LoWPAN. Given the potentially critical nature of the applications in which phase-based ranging can be deployed (e.g., access control, asset tracking), it is important to evaluate its security guarantees. Therefore, in this work, we investigate the security of multicarrier phase-based ranging systems and specifically focus on distance decreasing relay attacks that have proven detrimental to the security of proximity-based access control systems (e.g., vehicular passive keyless entry and start systems). We show that phase-based ranging and its implementations are vulnerable to a variety of distance reduction attacks. We describe different attack realizations and verify their feasibility by simulations and experiments on a commercial ranging system. Specifically, we successfully reduced the estimated range to less than 3 m even though the devices were more than 50 m apart. We discuss possible countermeasures against such attacks and illustrate their limitations, thereby demonstrating that phase-based ranging cannot be fully secured against distance decreasing attacks.
