Mridula Singh
ABSTRACT
IEEE 802.15.4z, a standard for Ultra-Wide Band (UWB) secure distance measurement, was adopted in 2020 and the chips that implement this standard are already deployed in mobile phones and in the automotive industry (for Passive Keyless Entry and Start). The standard specifies two different modes---LRP and HRP. Whereas the security of LRP mode has been analyzed, there is no publicly available security analysis of the HRP mode, which is used in different chips like NXP Trimension SR150/SR040, Samsung smartphones, and U1 chip deployed in Apple iPhones.
In this work, we perform the first open analysis of the 802.15.4z HRP mode. Our analysis reviews possible attacks on HRP and assesses strategies that an HRP receiver could implement. We show that in realistic deployments, despite countermeasures, HRP is hard to configure to be both performant and secure. If a distance missdetection rate is set to less than 10% (in benign scenarios), the probability of a successful distance shortening attacks ranges from 7% to over 90%.
- [n.d.]. Apple U1 UWBChip, howpublished="https://support.apple.com/guide/security/ultra-wideband-security-sec1e6108efd/web". [Online; Accessed 24. March 2021].Google Scholar
- [n.d.]. IEEE Standarads Association Documents. https://https://mentor.ieee.org/802.15/documents/. [online; Accessed 18. March 2021].Google Scholar
- [n.d.]. Introduction to Impulse Radio UWB Seamless Access Systems. https://www.firaconsortium.org/sites/default/files/2020-04/fira-introduction-impulse-radio-uwb-wp-en.pdf. [online; Accessed 22. March 2021].Google Scholar
- [n.d.]. LRP deployment in automotive. https://www.3db-access.com/article/18. [Online; Accessed 25. March 2021].Google Scholar
- [n.d.]. Microchip ATA8532. https://www.microchip.com/wwwproducts/en/ATA8352. [Online; Accessed 25. March 2021].Google Scholar
- [n.d.]. NXP Trimension. https://www.nxp.com/docs/en/fact-sheet/UWB-IOT-FS.pdf. [Online; Accessed 25. March 2021].Google Scholar
- [n.d.]. SamsungUWB. https://news.samsung.com/global/samsung-expects-uwb-to-be-one-of-the-next-big-wireless-technologies/. [Online; Accessed 24. March 2021].Google Scholar
- [n.d.]. UWB Social Distancing. https://www.uwb-social-distancing.com/. [Online; Accessed 22. March 2021].Google Scholar
- [n.d.]. UWB Social Distancing Meeblue. https://www.meeblue.com/blogs/UWB_For_Social_Alert/. [online; Accessed 20. March 2021].Google Scholar
- [n.d.]. Volkswagen UWB PKES. https://www.volkswagen-newsroom.com/en/stories/realtime-safety-with-uwb-5438. [Online; Accessed 20. March 2021].Google Scholar
- 2020. IEEE Standard for Low-Rate Wireless Networks-Amendment 1: Enhanced Ultra Wideband (UWB) Physical Layers (PHYs) and Associated Ranging Techniques. IEEE Std 802.15.4z-2020 (Amendment to IEEE Std 802.15.4-2020) (2020), 1--174. Google ScholarCross Ref
- Gildas Avoine, Muhammed Ali Bingöl, Ioana Boureanu, Srdjan Čapkun, Gerhard Hancke, Süleyman Kardaş, Chong Hee Kim, Cédric Lauradoux, Benjamin Martin, Jorge Munilla, et al. 2018. Security of distance-bounding: A survey. ACM Computing Surveys (CSUR) 51, 5 (2018), 1--33.Google ScholarDigital Library
- Paramvir Bahl and Venkata N Padmanabhan. 2000. RADAR: An in-building RF-based user location and tracking system. In Proceedings IEEE INFOCOM 2000. Conference on computer communications. Nineteenth annual joint conference of the IEEE computer and communications societies (Cat. No. 00CH37064), Vol. 2. Ieee, 775--784.Google ScholarCross Ref
- Ioana Boureanu, Aikaterini Mitrokotsa, and Serge Vaudenay. 2013. Towards secure distance bounding. In International Workshop on Fast Software Encryption. Springer, 55--67.Google Scholar
- Alberto Compagno, Mauro Conti, Antonio Alberto D'Amico, Gianluca Dini, Pericle Perazzo, and Lorenzo Taponecco. 2016. Modeling enlargement attacks against UWB distance bounding protocols. IEEE Transactions on Information Forensics and Security 11, 7 (2016), 1565--1577.Google ScholarDigital Library
- Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, and Jean-Yves Le Boudec. 2010. Effectiveness of distance-decreasing attacks against impulse radio ranging. In Proceedings of the third ACM conference on Wireless network security. 117--128.Google ScholarDigital Library
- Stuart A Golden and Steve S Bateman. 2007. Sensor measurements for Wi-Fi location with emphasis on time-of-arrival ranging. IEEE Transactions on Mobile Computing 6, 10 (2007), 1185--1198.Google ScholarDigital Library
- Ismail Guvenc and Zafer Sahinoglu. 2005. Threshold-based TOA estimation for impulse radio UWB systems. In 2005 IEEE International Conference on Ultra-Wideband. IEEE, 420--425.Google Scholar
- I. Guvenc and Z. Sahinoglu. 2005. Threshold-based TOA estimation for impulse radio UWB systems. In 2005 IEEE International Conference on Ultra-Wideband. 420--425. Google ScholarCross Ref
- Kai Huo, Bin Deng, Yongxiang Liu, Weidong Jiang, and Junjie Mao. 2011. High resolution range profile analysis based on multicarrier phase-coded waveforms of OFDM radar. Journal of Systems Engineering and Electronics 22, 3 (2011), 421--427.Google ScholarCross Ref
- AJ Hymans and J Lait. 1960. Analysis of a frequency-modulated continuous-wave ranging system. Proceedings of the IEE-Part B: electronic and communication engineering 107, 34 (1960), 365--372.Google ScholarCross Ref
- Patrick Leu, Mridula Singh, Marc Roeschlin, Kenneth G Paterson, and Srdjan Čapkun. 2020. Message time of arrival codes: A fundamental primitive for secure distance measurement. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 500--516.Google ScholarCross Ref
- Andreas F Molisch, Kannan Balakrishnan, Chia-Chin Chong, Shahriar Emami, Andrew Fort, Johan Karedal, Juergen Kunisch, Hans Schantz, Ulrich Schuster, and Kai Siwiak. 2004. IEEE 802.15. 4a channel model-final report. IEEE P802 15, 04 (2004), 0662.Google Scholar
- Marcin Poturalski, Manuel Flury, Panos Papadimitratos, Jean-Pierre Hubaux, and Jean-Yves Le Boudec. 2011. Distance bounding with IEEE 802.15. 4a: Attacks and countermeasures. IEEE Transactions on Wireless Communications 10, 4 (2011), 1334--1344.Google ScholarCross Ref
- Marcin Poturalski, Manuel Flury, Panos Papadimitratos, Jean-Pierre Hubaux, and Jean-Yves Le Boudec. 2012. On secure and precise IR-UWB ranging. IEEE transactions on wireless communications 11, 3 (2012), 1087--1099.Google ScholarCross Ref
- Ian Sharp, Kegen Yu, and Y Jay Guo. 2009. Peak and leading edge detection for time-of-arrival estimation in band-limited positioning systems. IET communications 3, 10 (2009), 1616--1627.Google Scholar
- Mridula Singh, Patrick Leu, and Srdjan Capkun. 2019. UWB with Pulse Reordering: Securing Ranging against Relay and Physical-Layer Attacks.. In NDSS.Google Scholar
- Nils Ole Tippenhauer, Heinrich Luecken, Marc Kuhn, and Srdjan Capkun. 2015. UWB rapid-bit-exchange system for distance bounding. In Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks. 1--12.Google ScholarDigital Library
- Deepak Vasisht, Swarun Kumar, and Dina Katabi. 2016. Decimeter-level localization with a single WiFi access point. In 13th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 16). 165--178.Google Scholar
- Chian-Son Yu. 2012. Factors affecting individuals to adopt mobile banking: Empirical evidence from the utaut model. Journal of Electronic Commerce Research 13 (01 2012), 104--121.Google Scholar
Index Terms
- Security analysis of IEEE 802.15.4z/HRP UWB time-of-flight distance measurement
Recommendations
Investigation and Development of 3D Printed Conventional Shape Compact UWB-DRAs for Societal Applications
AbstractThe potential of polylactic acid (PLA) material as an ultra-wide band (UWB)-dielectric resonator antenna (DRA) created by 3D-printing technique are described in this scientific paper. PLA is an exceptional sort of biodegradable thermoplastic ...
Protecting HRP UWB Ranging System Against Distance Reduction Attacks
CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications SecurityUltra-wideband (UWB) communication is an emerging technology that enables secure ranging and localization. Since UWB communication enables measuring an exact distance, enhanced security would be expected based on it. Recently, however, it has been ...
Narrow focus ultra-wideband antenna for breast cancer detection
RWS'09: Proceedings of the 4th international conference on Radio and wireless symposiumA narrow focus ultra-wideband dielectric-filled antenna has been designed for the purpose of near-field breast cancer detection without the use of coupling media. Instead of immersing the antenna in a lossy liquid coupling medium, direct matching of the ...
Comments