On the Security of Carrier Phase-Based Ranging

Ólafsdóttir, Hildur; Ranganathan, Aanjhan; Čapkun, Srđjan

doi:10.1007/978-3-319-66787-4_24

Cited by 20 publications

(29 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Accurate distance measurement can also be achieved using Narrow-Band radio technology, such as, Bluetooth Low Energy (BLE) using signals' phase information [ZRG + 19, BRGD20]. However, phasebased ranging solutions are also vulnerable to manipulation, such as, phase slope rollover attacks, as pointed out by Ólafsdóttir, Ranganathan, and Capkun in [ORC17]. It is worth mentioning, though, that phase manipulation attacks are more difficult to execute in practice, due to the typical wide radiation-pattern of antennae and reflections in the propagation path of radio signals (multipath).…”

Section: Introductionmentioning

confidence: 99%

Secure, Accurate, and Practical Narrow-Band Ranging System

Abidin

Soussi

Romme

et al. 2021

TCHES

View full text Add to dashboard Cite

Relay attacks pose a serious security threat to wireless systems, such as, contactless payment systems, keyless entry systems, or smart access control systems. Distance bounding protocols, which allow an entity to not only authenticate another entity but also determine whether it is physically close by, effectively mitigate relay attacks. However, secure implementation of distance bounding protocols, especially of the time critical challenge-response phase, has been a challenging task. In this paper, we design and implement a secure and accurate distance bounding protocol based on Narrow-Band signals, such as Bluetooth Low Energy (BLE), to particularly mitigate relay attacks. Narrow-Band ranging, specifically, phase-based ranging, enables accurate distance measurement, but it is vulnerable to phase rollover attacks. In our solution, we mitigate phase rollover attacks by also measuring time-of-flight (ToF) to detect the delay introduced by such attacks. Therefore, our protocol effectively combines the best of both worlds: phase-based ranging for accuracy and time-of-flight (ToF) measurement for security. To demonstrate the feasibility and practicality of our solution, we prototype it on NXP KW36 BLE chips and evaluate its performance and relay attack resistance. The obtained precision and accuracy of the presented ranging solution are 2.5 cm and 30 cm, respectively, in wireless measurements.

show abstract

Section: Introductionmentioning

confidence: 99%

Secure, Accurate, and Practical Narrow-Band Ranging System

Abidin

Soussi

Romme

et al. 2021

TCHES

View full text Add to dashboard Cite

show abstract

“…Unlike logical-layer attacks that use manipulations of message bits, physical-layer attacks involve the manipulation of signal characteristics with the goal of fooling the receiver into decoding incorrect bits or incorrectly measuring signal phase, amplitude or time of arrival. A number of ranging systems have been shown to be vulnerable to physical-layer attacks: e.g., UWB 802.15.4a to Cicada attack [25], Phase ranging [3] to phase manipulation [23] and early detect / late commit (ED/LC) [12], Chirp Spread Spectrum to ED/LC [28]. These attacks are effective despite authentication and distance-bounding protocols [8], [20], since they target the physical layer and do not change the message content.…”

Section: Introductionmentioning

confidence: 99%

UWB with Pulse Reordering: Securing Ranging against Relay and Physical-Layer Attacks

Singh

Leu

Čapkun

2019

Proceedings 2019 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Physical-layer attacks allow attackers to manipulate (spoof) ranging and positioning. These attacks had realworld impact and allowed car thefts, executions of unauthorized payments and manipulation of navigation. UWB impulse radio, standardized within 802.15.4a,f, has emerged as a prominent technique for precise ranging that allows high operating distances despite power constraints by transmitting multi-pulse symbols. Security of UWB ranging (in terms of the attacker's ability to manipulate the measured distance) has been discussed in the literature and is, since recently also being addressed as a part of the emerging 802.15.4z standard. However, all research so far, as well as security enhancements proposed within this emerging standard face one main limitation: they achieve security through short symbol lengths and sacrifice performance (i.e., limit the maximum distance of measurement), or use longer symbol lengths, therefore sacrificing security. We present UWB with pulse reordering (UWB-PR), the first modulation scheme that secures distance measurement between two mutually trusted devices against all physical-layer distance shortening attacks without sacrificing performance, therefore simultaneously enabling extended range and security. We analyze the security of UWB-PR under the attacker that fully controls the communication channel and show that UWB-PR resists such strong attackers. We evaluate UWB-PR within a UWB system built on top of the IEEE 802.15.4 device and show that it achieves distances of up to 93m with 10cm precision (LoS). UWB-PR is, therefore, a good candidate for the extended mode of the new 802.15.4z Low Rate Pulse standard. Finally, UWB-PR shows that secure distance measurement can be built on top of modulation schemes with longer symbol lengths-so far, this was considered insecure.

show abstract

“…Unlike logical-layer attacks that use manipulations of (bits of) messages, physical-layer attacks involve the manipulation of signal characteristics with a goal of fooling the receiver into decoding incorrect bits or incorrectly measuring signal phase, amplitude, time of arrival, etc. A number of ranging systems have been shown to be vulnerable to physical layer attacks: e.g., UWB 802.15.4a to Cicada attack [7], Phase ranging to phase manipulation [6] and early detect / late commit (ED/LC) [4], Chirp Spread Spectrum to ED/LC [9]. These attacks are effective despite authentication and distance bounding protocols [3], since they target the physical layer and don't change the message content.…”

Section: Introductionmentioning

confidence: 99%

UWB with Pulse Reordering: Securing Ranging against Relay and Physical Layer Attacks

Singh¹,

Leu²,

Čapkun³

2018

EasyChair Preprints

Self Cite

View full text Add to dashboard Cite

Physical layer attacks allow attackers to manipulate (spoof) ranging and positioning. These attacks had real world impact and allowed car thefts, executions of unauthorised payments and manipulation of navigation. UWB impulse radio (UWB-IR) has emerged as a prominent technique for precise ranging that allows high operating distances despite power constraints by transmitting multi-pulse symbols. Unfortunately, longer symbols make UWB-IR vulnerable to physical layer attacks. Currently, none of the existing systems is precise, performant and secure at the same time. We present UWB with Pulse Reordering (UWB-PR), the first modulation scheme that secures distance measurement between two mutually trusted devices against all physical-layer attacks.

show abstract

On the Security of Carrier Phase-Based Ranging

Cited by 20 publications

References 29 publications

Secure, Accurate, and Practical Narrow-Band Ranging System

Secure, Accurate, and Practical Narrow-Band Ranging System

UWB with Pulse Reordering: Securing Ranging against Relay and Physical-Layer Attacks

UWB with Pulse Reordering: Securing Ranging against Relay and Physical Layer Attacks

Contact Info

Product

Resources

About