skip to main content
10.1145/3448300.3467831acmconferencesArticle/Chapter ViewAbstractPublication PageswisecConference Proceedingsconference-collections
research-article

Security analysis of IEEE 802.15.4z/HRP UWB time-of-flight distance measurement

Published: 28 June 2021 Publication History

Abstract

IEEE 802.15.4z, a standard for Ultra-Wide Band (UWB) secure distance measurement, was adopted in 2020 and the chips that implement this standard are already deployed in mobile phones and in the automotive industry (for Passive Keyless Entry and Start). The standard specifies two different modes---LRP and HRP. Whereas the security of LRP mode has been analyzed, there is no publicly available security analysis of the HRP mode, which is used in different chips like NXP Trimension SR150/SR040, Samsung smartphones, and U1 chip deployed in Apple iPhones.
In this work, we perform the first open analysis of the 802.15.4z HRP mode. Our analysis reviews possible attacks on HRP and assesses strategies that an HRP receiver could implement. We show that in realistic deployments, despite countermeasures, HRP is hard to configure to be both performant and secure. If a distance missdetection rate is set to less than 10% (in benign scenarios), the probability of a successful distance shortening attacks ranges from 7% to over 90%.

References

[1]
[n.d.]. Apple U1 UWBChip, howpublished="https://support.apple.com/guide/security/ultra-wideband-security-sec1e6108efd/web". [Online; Accessed 24. March 2021].
[2]
[n.d.]. IEEE Standarads Association Documents. https://https://mentor.ieee.org/802.15/documents/. [online; Accessed 18. March 2021].
[3]
[n.d.]. Introduction to Impulse Radio UWB Seamless Access Systems. https://www.firaconsortium.org/sites/default/files/2020-04/fira-introduction-impulse-radio-uwb-wp-en.pdf. [online; Accessed 22. March 2021].
[4]
[n.d.]. LRP deployment in automotive. https://www.3db-access.com/article/18. [Online; Accessed 25. March 2021].
[5]
[n.d.]. Microchip ATA8532. https://www.microchip.com/wwwproducts/en/ATA8352. [Online; Accessed 25. March 2021].
[6]
[n.d.]. NXP Trimension. https://www.nxp.com/docs/en/fact-sheet/UWB-IOT-FS.pdf. [Online; Accessed 25. March 2021].
[7]
[n.d.]. SamsungUWB. https://news.samsung.com/global/samsung-expects-uwb-to-be-one-of-the-next-big-wireless-technologies/. [Online; Accessed 24. March 2021].
[8]
[n.d.]. UWB Social Distancing. https://www.uwb-social-distancing.com/. [Online; Accessed 22. March 2021].
[9]
[n.d.]. UWB Social Distancing Meeblue. https://www.meeblue.com/blogs/UWB_For_Social_Alert/. [online; Accessed 20. March 2021].
[10]
[n.d.]. Volkswagen UWB PKES. https://www.volkswagen-newsroom.com/en/stories/realtime-safety-with-uwb-5438. [Online; Accessed 20. March 2021].
[11]
2020. IEEE Standard for Low-Rate Wireless Networks-Amendment 1: Enhanced Ultra Wideband (UWB) Physical Layers (PHYs) and Associated Ranging Techniques. IEEE Std 802.15.4z-2020 (Amendment to IEEE Std 802.15.4-2020) (2020), 1--174.
[12]
Gildas Avoine, Muhammed Ali Bingöl, Ioana Boureanu, Srdjan Čapkun, Gerhard Hancke, Süleyman Kardaş, Chong Hee Kim, Cédric Lauradoux, Benjamin Martin, Jorge Munilla, et al. 2018. Security of distance-bounding: A survey. ACM Computing Surveys (CSUR) 51, 5 (2018), 1--33.
[13]
Paramvir Bahl and Venkata N Padmanabhan. 2000. RADAR: An in-building RF-based user location and tracking system. In Proceedings IEEE INFOCOM 2000. Conference on computer communications. Nineteenth annual joint conference of the IEEE computer and communications societies (Cat. No. 00CH37064), Vol. 2. Ieee, 775--784.
[14]
Ioana Boureanu, Aikaterini Mitrokotsa, and Serge Vaudenay. 2013. Towards secure distance bounding. In International Workshop on Fast Software Encryption. Springer, 55--67.
[15]
Alberto Compagno, Mauro Conti, Antonio Alberto D'Amico, Gianluca Dini, Pericle Perazzo, and Lorenzo Taponecco. 2016. Modeling enlargement attacks against UWB distance bounding protocols. IEEE Transactions on Information Forensics and Security 11, 7 (2016), 1565--1577.
[16]
Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, and Jean-Yves Le Boudec. 2010. Effectiveness of distance-decreasing attacks against impulse radio ranging. In Proceedings of the third ACM conference on Wireless network security. 117--128.
[17]
Stuart A Golden and Steve S Bateman. 2007. Sensor measurements for Wi-Fi location with emphasis on time-of-arrival ranging. IEEE Transactions on Mobile Computing 6, 10 (2007), 1185--1198.
[18]
Ismail Guvenc and Zafer Sahinoglu. 2005. Threshold-based TOA estimation for impulse radio UWB systems. In 2005 IEEE International Conference on Ultra-Wideband. IEEE, 420--425.
[19]
I. Guvenc and Z. Sahinoglu. 2005. Threshold-based TOA estimation for impulse radio UWB systems. In 2005 IEEE International Conference on Ultra-Wideband. 420--425.
[20]
Kai Huo, Bin Deng, Yongxiang Liu, Weidong Jiang, and Junjie Mao. 2011. High resolution range profile analysis based on multicarrier phase-coded waveforms of OFDM radar. Journal of Systems Engineering and Electronics 22, 3 (2011), 421--427.
[21]
AJ Hymans and J Lait. 1960. Analysis of a frequency-modulated continuous-wave ranging system. Proceedings of the IEE-Part B: electronic and communication engineering 107, 34 (1960), 365--372.
[22]
Patrick Leu, Mridula Singh, Marc Roeschlin, Kenneth G Paterson, and Srdjan Čapkun. 2020. Message time of arrival codes: A fundamental primitive for secure distance measurement. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 500--516.
[23]
Andreas F Molisch, Kannan Balakrishnan, Chia-Chin Chong, Shahriar Emami, Andrew Fort, Johan Karedal, Juergen Kunisch, Hans Schantz, Ulrich Schuster, and Kai Siwiak. 2004. IEEE 802.15. 4a channel model-final report. IEEE P802 15, 04 (2004), 0662.
[24]
Marcin Poturalski, Manuel Flury, Panos Papadimitratos, Jean-Pierre Hubaux, and Jean-Yves Le Boudec. 2011. Distance bounding with IEEE 802.15. 4a: Attacks and countermeasures. IEEE Transactions on Wireless Communications 10, 4 (2011), 1334--1344.
[25]
Marcin Poturalski, Manuel Flury, Panos Papadimitratos, Jean-Pierre Hubaux, and Jean-Yves Le Boudec. 2012. On secure and precise IR-UWB ranging. IEEE transactions on wireless communications 11, 3 (2012), 1087--1099.
[26]
Ian Sharp, Kegen Yu, and Y Jay Guo. 2009. Peak and leading edge detection for time-of-arrival estimation in band-limited positioning systems. IET communications 3, 10 (2009), 1616--1627.
[27]
Mridula Singh, Patrick Leu, and Srdjan Capkun. 2019. UWB with Pulse Reordering: Securing Ranging against Relay and Physical-Layer Attacks. In NDSS.
[28]
Nils Ole Tippenhauer, Heinrich Luecken, Marc Kuhn, and Srdjan Capkun. 2015. UWB rapid-bit-exchange system for distance bounding. In Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks. 1--12.
[29]
Deepak Vasisht, Swarun Kumar, and Dina Katabi. 2016. Decimeter-level localization with a single WiFi access point. In 13th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 16). 165--178.
[30]
Chian-Son Yu. 2012. Factors affecting individuals to adopt mobile banking: Empirical evidence from the utaut model. Journal of Electronic Commerce Research 13 (01 2012), 104--121.

Cited By

View all
  • (2024)Trustworthiness for an Ultra-Wideband Localization ServiceSensors10.3390/s2416526824:16(5268)Online publication date: 14-Aug-2024
  • (2024)UWBAD: Towards Effective and Imperceptible Jamming Attacks Against UWB Ranging Systems with COTS ChipsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670349(3376-3390)Online publication date: 2-Dec-2024
  • (2024)Secure Ranging with IEEE 802.15.4z HRP UWB2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00238(2794-2811)Online publication date: 19-May-2024
  • Show More Cited By

Index Terms

  1. Security analysis of IEEE 802.15.4z/HRP UWB time-of-flight distance measurement

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    WiSec '21: Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks
    June 2021
    412 pages
    ISBN:9781450383493
    DOI:10.1145/3448300
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 28 June 2021

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. HRP
    2. IEEE 802.15.4z
    3. UWB ranging
    4. distance ranging
    5. physical-layer security
    6. secure distance measurement
    7. time-of-flight measurement
    8. ultra-wide band

    Qualifiers

    • Research-article

    Funding Sources

    • European Research Council (ERC)

    Conference

    WiSec '21
    Sponsor:

    Acceptance Rates

    WiSec '21 Paper Acceptance Rate 34 of 121 submissions, 28%;
    Overall Acceptance Rate 98 of 338 submissions, 29%

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)171
    • Downloads (Last 6 weeks)16
    Reflects downloads up to 17 Feb 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2024)Trustworthiness for an Ultra-Wideband Localization ServiceSensors10.3390/s2416526824:16(5268)Online publication date: 14-Aug-2024
    • (2024)UWBAD: Towards Effective and Imperceptible Jamming Attacks Against UWB Ranging Systems with COTS ChipsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670349(3376-3390)Online publication date: 2-Dec-2024
    • (2024)Secure Ranging with IEEE 802.15.4z HRP UWB2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00238(2794-2811)Online publication date: 19-May-2024
    • (2024)Security Analysis of Wireless Sensor Networks in Prospective Aircraft Industry2024 6th International Youth Conference on Radio Electronics, Electrical and Power Engineering (REEPE)10.1109/REEPE60449.2024.10479684(1-6)Online publication date: 29-Feb-2024
    • (2024)Performance Comparison of UWB IEEE 802.15.4z and IEEE 802.15.4 in Ranging, Energy Efficiency, and PositioningIEEE Sensors Journal10.1109/JSEN.2024.336811324:8(12481-12489)Online publication date: 15-Apr-2024
    • (2024)Enhancing Security of HRP UWB Ranging System Based on Channel Characteristic AnalysisIEEE Internet of Things Journal10.1109/JIOT.2024.345391011:24(39794-39808)Online publication date: 15-Dec-2024
    • (2024)Detecting Ranging Spoofing Attacks on IEEE 802.15.4z2024 IEEE/CIC International Conference on Communications in China (ICCC Workshops)10.1109/ICCCWorkshops62562.2024.10693819(794-799)Online publication date: 7-Aug-2024
    • (2024)Channel Reciprocity Based Attack Detection for Securing UWB Ranging by Autoencoder2024 IEEE/CIC International Conference on Communications in China (ICCC)10.1109/ICCC62479.2024.10681985(509-514)Online publication date: 7-Aug-2024
    • (2023)Time for changeProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620239(19-36)Online publication date: 9-Aug-2023
    • (2023)Test-Time Adversarial Detection and Robustness for Localizing Humans Using Ultra Wide Band Channel Impulse Responses2023 31st European Signal Processing Conference (EUSIPCO)10.23919/EUSIPCO58844.2023.10290092(1365-1369)Online publication date: 4-Sep-2023
    • Show More Cited By

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media