research-article

Attacks on time-of-flight distance bounding channels

Authors:

Gerhard P. Hancke,

Markus G. KuhnAuthors Info & Claims

WiSec '08: Proceedings of the first ACM conference on Wireless network security

Pages 194 - 202

https://doi.org/10.1145/1352533.1352566

Published: 31 March 2008 Publication History

Abstract

Cryptographic distance-bounding protocols verify the proximity of two parties by timing a challenge-response exchange. Such protocols rely on the underlying communication channel for accurate and fraud-resistant round- trip-time measurements, therefore the channel's exact timing properties and low-level implementation details become security critical. We practically implement 'late-commit' attacks, against two commercial radio receivers used in RFID and sensor networks, that exploit the latency in the modulation and decoding stages. These allow the attacker to extend the distance to the verifier by several kilometers. We also discuss how 'overclocking' a receiver can make a prover respond early. We practically implement this attack against an ISO 14443A RFID token and manage to get a response 10 µs earlier than normal. We conclude that conventional RF channels can be problematic for secure distance-bounding implementations and discuss the merits and weaknesses of special distance-bounding channels that have been proposed for RFID applications.

References

[1]

J. Clulow, G. P. Hancke, M. G. Kuhn, T. Moore. So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks. Proceedings of European Workshop on Security and Privacy in Ad-hoc and Sensor Networks (ESAS), pp 83--97, 2006.

Digital Library

[2]

J. Reid, J. M. G Nieto, T. Tang and B. Senadji. Detecting Relay Attacks with Timing-Based Protocols. Proceeding of the 2nd ACM symposium on Information, Computer and Communications Security, pp 204--213, March 2007.

Digital Library

[3]

S. Brands and D. Chaum. Distance-bounding protocols. Advances in Cryptology EUROCRYPT '93, Springer-Verlag LNCS 765, pp 344--359, May 1993.

Digital Library

[4]

J. Munilla, A. Ortiz and A. Peinado. Distance Bounding Protocols with Void Challenges for RFID. Proceedings of Workshop on RFID Security(RFIDSec), pp 15--26, July, 2006.

[5]

G. P Hancke and M. G. Kuhn. An RFID distance bounding protocol. Proceedings of IEEE SecureComm, pp 67--73, 2005.

Digital Library

[6]

S. Drimer and S. J. Murdoch. Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks. In Proceedings of USENIX Security, September 2007.

Digital Library

[7]

K. B. Rasmussen and S. Čapkun. Implications of Radio Fingerprinting on the Security of Sensor Networks. In Proceedings of IEEE SecureComm, 2007.

[8]

N. Sastry, U. Shankar and D. Wagner. Secure verification of location claims. Proceedings of the 2003 ACM Workshop on Wireless Security, pp 1--10, September 2003.

Digital Library

[9]

Y. C. Hu, A. Perrig and D. B. Johnson. Packet leashes: A defense against wormhole attacks in wireless networks. Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), Vol. 3, pp 1976--1986, April 2003.

[10]

S. Čapkun, L. Buttyán and J. Hubaux. SECTOR: secure tracking of node encounter in multi-hop wireless networks, Proceedings ACM Workshop on Security in Ad Hoc and Sensor Networks (SASN), ACM Press, 2003.

Digital Library

[11]

Mica2 node, 2006. Crossbow Technology, http://www.xbow.com/Products/Product_pdf_files/Wireless_pdf/MICA_Datasheet.pdf

[12]

RF Solutions FM Transmitter and Receiver Modules http://www.rfsolutions.co.uk/acatalog/DS069-7.pdf

[13]

NXP MF RC531 Contactless Reader IC http://www.nxp.com/products/identification/mifare/index.html

[14]

ChipCon CC1000 Single Chip Very Low Power RF Transceiver http://www.chipcon.com/files/CC1000_Data_Sheet_2_2.pdf

[15]

MAXIM-IC 1471 315MHz/434MHz Low-Power, 3V/5V ASK/FSK Superheterodyne Receiver http://www.maxim-ic.com/quick_view2.cfm/qv_pk/4304

[16]

MELEXIS MLX90121 13.56MHz RFID Transceiver http://www.melexis.com/ProdMain.aspx?nID=78

[17]

Microchip 16F87X Datasheet http://ww1.microchip.com/downloads/en/DeviceDoc/30292c.pdf

[18]

Xilinx, Inc. Manchester Encoder-Decoder for Xilinx CPLDs. Application Note XAPP339 (v1.3), October, 2002.

[19]

K. Finkenzeller, RFID Handbook: Radio-frequency identification fundamentals and applications, Wiley, 1999.

[20]

NXP Semiconductors. Contactless Reader Components - Data Sheets and Application Notes. www.nxp.com/products/identification/readers/contactless/

[21]

J. G. Proakis. Digital Communications. 3rd Edition, McGraw-Hill, 1995.

[22]

D. Singelée, B. Preneel. Distance Bounding in Noisy Environments. European Workshop on Security and Privacy in Ad-hoc and Sensor Networks(ESAS), Springer-Verlag LNCS 4572, pp 101--115, 2007.

Digital Library

Cited By

Capkun S(2025)Security of Distance Bounding ProtocolsEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-030-71522-9_62(2320-2321)Online publication date: 8-Jan-2025
https://doi.org/10.1007/978-3-030-71522-9_62
Khalil FFazil AHussain MMasood A(2024)Cross-Layer RF Distance Bounding Scheme for Passive and Semi-passive Ubiquitous Computing SystemsComputers and Security10.1016/j.cose.2023.103633137:COnline publication date: 1-Feb-2024
https://dl.acm.org/doi/10.1016/j.cose.2023.103633
Khalfaoui SLeneutre JVillard AGazeau IMa JUrien P(2021)Security Analysis of Machine Learning-Based PUF Enrollment Protocols: A ReviewSensors10.3390/s2124841521:24(8415)Online publication date: 16-Dec-2021
https://doi.org/10.3390/s21248415
Show More Cited By

Index Terms

Attacks on time-of-flight distance bounding channels

Recommendations

Reid et al.'s distance bounding protocol and mafia fraud attacks over noisy channels

Distance bounding protocols are an effective countermeasure against relay attacks including distance fraud, mafia fraud and terrorist fraud attacks. Reid et al. proposed the first symmetric key distance bounding protocol against mafia and terrorist ...
The Poulidor distance-bounding protocol
RFIDSec'10: Proceedings of the 6th international conference on Radio frequency identification: security and privacy issues

RFID authentication protocols are susceptible to different types of relay attacks such as mafia and distance frauds. A countermeasure against these types of attacks are the well-known distance-bounding protocols. These protocols are usually designed to ...
Security analysis of two distance-bounding protocols
RFIDSec'11: Proceedings of the 7th international conference on RFID Security and Privacy

In this paper, we analyze the security of two recently proposed distance bounding protocols called the "Hitomi" and the "NUS" protocols. Our results show that the claimed security of both protocols has been overestimated. Namely, we show that the Hitomi ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

WiSec '08: Proceedings of the first ACM conference on Wireless network security

March 2008

234 pages

ISBN:9781595938145

DOI:10.1145/1352533

General Chair:
Virgil Gligor
University of Maryland, USA
,
Program Chairs:
Jean-Pierre Hubaux
EPFL, Switzerland
,
Radha Poovendran
University of Washington, USA

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 31 March 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

WISEC '08

Sponsor:

WISEC '08: First ACM Conference on Wireless Network Security

March 31 - April 2, 2008

VA, Alexandria, USA

Acceptance Rates

Overall Acceptance Rate 98 of 338 submissions, 29%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

58
Total Citations
View Citations
485
Total Downloads

Downloads (Last 12 months)19
Downloads (Last 6 weeks)6

Reflects downloads up to 03 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Capkun S(2025)Security of Distance Bounding ProtocolsEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-030-71522-9_62(2320-2321)Online publication date: 8-Jan-2025
https://doi.org/10.1007/978-3-030-71522-9_62
Khalil FFazil AHussain MMasood A(2024)Cross-Layer RF Distance Bounding Scheme for Passive and Semi-passive Ubiquitous Computing SystemsComputers and Security10.1016/j.cose.2023.103633137:COnline publication date: 1-Feb-2024
https://dl.acm.org/doi/10.1016/j.cose.2023.103633
Khalfaoui SLeneutre JVillard AGazeau IMa JUrien P(2021)Security Analysis of Machine Learning-Based PUF Enrollment Protocols: A ReviewSensors10.3390/s2124841521:24(8415)Online publication date: 16-Dec-2021
https://doi.org/10.3390/s21248415
Vo-Huu TVo-Huu TNoubir GPöpper CVanhoef MBatina LMayrhofer R(2021)Spectrum-flexible secure broadcast rangingProceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3448300.3467819(300-310)Online publication date: 28-Jun-2021
https://dl.acm.org/doi/10.1145/3448300.3467819
Abdel-Basset MMoustafa NHawash HDing WAbdel-Basset MMoustafa NHawash HDing W(2021)Internet of Things Security Requirements, Threats, Attacks, and CountermeasuresDeep Learning Techniques for IoT Security and Privacy10.1007/978-3-030-89025-4_3(67-112)Online publication date: 6-Dec-2021
https://doi.org/10.1007/978-3-030-89025-4_3
Avoine GBoureanu IGérault DHancke GLafourcade POnete C(2021)From Relay Attacks to Distance-Bounding ProtocolsSecurity of Ubiquitous Computing Systems10.1007/978-3-030-10591-4_7(113-130)Online publication date: 15-Jan-2021
https://doi.org/10.1007/978-3-030-10591-4_7
Zhang JYang AHu QHancke GCavallaro LKinder JHolz T(2019)Security Implications of Implementing Multistate Distance-Bounding ProtocolsProceedings of the ACM Workshop on Cyber-Physical Systems Security & Privacy10.1145/3338499.3357359(99-108)Online publication date: 11-Nov-2019
https://dl.acm.org/doi/10.1145/3338499.3357359
Liu YZhang JZheng WHancke G(2019)Approaches for Best-Effort Relay-Resistant Channels on Standard Contactless Channels2019 IEEE 17th International Conference on Industrial Informatics (INDIN)10.1109/INDIN41052.2019.8972254(1719-1724)Online publication date: Jul-2019
https://doi.org/10.1109/INDIN41052.2019.8972254
Avoine GBingöl MBoureanu Ičapkun SHancke GKardaş SKim CLauradoux CMartin BMunilla JPeinado ARasmussen KSingelée DTchamkerten ATrujillo-Rasua RVaudenay S(2018)Security of Distance-BoundingACM Computing Surveys10.1145/326462851:5(1-33)Online publication date: 25-Sep-2018
https://dl.acm.org/doi/10.1145/3264628
Pagnin EYang AHu QHancke GMitrokotsa A(2018)HB+DBFuture Generation Computer Systems10.1016/j.future.2016.05.03180:C(627-639)Online publication date: 1-Mar-2018
https://dl.acm.org/doi/10.1016/j.future.2016.05.031
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten