On the Security of Carrier Phase-based Ranging

Multicarrier phase-based ranging is fast emerging as a cost-optimized solution for a wide variety of proximity-based applications due to its low power requirement, low hardware complexity and compatibility with existing standards such as ZigBee and 6LoWPAN. Given potentially critical nature of the applications in which phase-based ranging can be deployed (e.g., access control, asset tracking), it is important to evaluate its security guarantees. Therefore, in this work, we investigate the security of multicarrier phase-based ranging systems and specifically focus on distance decreasing relay attacks that have proven detrimental to the security of proximity-based access control systems (e.g., vehicular passive keyless entry and start systems). We show that phase-based ranging, as well as its implementations, are vulnerable to a variety of distance reduction attacks. We describe different attack realizations and verify their feasibility by simulations and experiments on a commercial ranging system. Specifically, we successfully reduced the estimated range to less than 3 m even though the devices were more than 50 m apart. We discuss possible countermeasures against such attacks and illustrate their limitations, therefore demonstrating that phase-based ranging cannot be fully secured against distance decreasing attacks

On Secure and Precise IR-UWB Ranging

To provide high ranging precision in multipath environments, a ranging protocol should find the first arriving path, rather than the strongest path. We demonstrate a new attack vector that disrupts such precise Time-of-Arrival (ToA) estimation, and allows an adversary to decrease the measured distance by a value in the order of the channel spread (10-20 meters). This attack vector can be used in previously reported physical-communication-layer (PHY) attacks against secure ranging (or distance bounding). Furthermore, it creates a new type of attack based on malicious interference: This attack is much easier to mount than the previously known external PHY attack (distance-decreasing relay) and it can work even if secret preamble codes are used. We evaluate the effectiveness of this attack for a PHY that is particularly well suited for precise ranging in multipath environments: Impulse Radio Ultra-Wideband (IR-UWB). We show, with PHY simulations and experiments, that the attack is effective against a variety of receivers and modulation schemes. Furthermore, we identify and evaluate three types of countermeasures that allow for precise and secure ranging

Security of distance-bounding: A survey

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI linkDistance-bounding protocols allow a verifier to both authenticate a prover and evaluate whether the latter is located in his vicinity. These protocols are of particular interest in contactless systems, e.g., electronic payment or access control systems, which are vulnerable to distance-based frauds. This survey analyzes and compares in a unified manner many existing distance-bounding protocols with respect to several key security and complexity features