The Cicada Attack: Degradation and Denial of Service Attacks in IR Ranging
Marcin Poturalski, Manuel Flury, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec

Outline
Context: ranging and secure ranging
The Cicada attack
Attack performance evaluation
Countermeasures
Conclusion

Ranging
Ranging can be applied in a number of applications:
Localization and navigation of robot fleets
Tracking of goods
Physical access control
Many are security sensitive! An attacker who can manipulate the ranging measurement can, for example, impersonate an authorized device in physical access control or falsify the position of tracked goods.

Securing Ranging
How to make ranging secure?

Securing Ranging: distance bounding protocols
S. Brands and D. Chaum. "Distance Bounding Protocols." EUROCRYPT'93
S. Capkun, L. Buttyan and J. Hubaux. "SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks." SASN'03
L. Bussard and W. Bagga. "Distance-Bounding Proof of Knowledge to Avoid Real-Time Attacks." SEC'05
G.P. Hancke and M.G. Kuhn. "An RFID Distance Bounding Protocol." SecureComm'05
C. Meadows, P. Syverson and L. Chang. "Towards More Efficient Distance Bounding Protocols for Use in Sensor Networks." SecureComm'06
J. Reid, J.M.G. Nieto, T. Tang and B. Senadji. "Detecting Relay Attacks with Timing-Based Protocols." ASIACCS'07
D. Singelee and B. Preneel. "Distance Bounding in Noisy Environments." ESAS'07
...

Securing Ranging: distance bounding protocol example
A sends a nonce NV to B. B replies immediately with (P ⊕ NV, NP); A measures the round-trip time tRTT of this exchange. B then sends (NV, P, NP, MAC_PV(NV, P, NP)) so that A can authenticate the fast reply.
Provides an upper bound on the computed distance:
Not possible to decrease the measured distance, because messages travel at the speed of light
Possible to increase the distance, by relaying or delaying messages

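The exchange above, simulated end to end as an added example (not code from the authors): the fast reply is timed, the slow message carries the MAC, and the verifier turns tRTT into a distance bound. The HMAC-SHA256 instantiation of MAC_PV, the 32-bit nonce size and the shared key are assumptions; propagation is simulated from a chosen distance rather than measured.

```python
import hmac
import hashlib
import secrets

C = 299_792_458.0  # speed of light in m/s

def rtt_to_distance_bound(t_rtt_s):
    """The signal covers the distance twice in tRTT, so d <= c * tRTT / 2."""
    return C * t_rtt_s / 2.0

class Prover:
    """Prover B: picks P and NP, answers the timed challenge, then authenticates it."""
    def __init__(self, key, n_bits=32):
        self.key, self.n_bits = key, n_bits
        self.p = secrets.randbits(n_bits)    # P
        self.n_p = secrets.randbits(n_bits)  # NP

    def fast_reply(self, n_v):
        # Timed phase: (P xor NV, NP) needs no cryptography, so B can answer at once.
        return self.p ^ n_v, self.n_p

    def auth_message(self, n_v):
        # Slow phase: (NV, P, NP, MAC_PV(NV, P, NP)); HMAC-SHA256 stands in for MAC_PV.
        body = b"".join(x.to_bytes(self.n_bits // 8, "big") for x in (n_v, self.p, self.n_p))
        return n_v, self.p, self.n_p, hmac.new(self.key, body, hashlib.sha256).digest()

def verifier_run(prover, key, distance_m, relay_delay_s=0.0, n_bits=32):
    """Verifier A. Returns (accepted, distance_bound_m). The one-way flight time is
    distance_m / C plus any delay a relay inserts (assumed, constructed scenario)."""
    n_v = secrets.randbits(n_bits)                   # NV
    reply, n_p = prover.fast_reply(n_v)
    t_rtt = 2 * (distance_m / C + relay_delay_s)     # tRTT as A would measure it
    n_v2, p, n_p2, mac = prover.auth_message(n_v)
    body = b"".join(x.to_bytes(n_bits // 8, "big") for x in (n_v2, p, n_p2))
    expected = hmac.new(key, body, hashlib.sha256).digest()
    accepted = (hmac.compare_digest(mac, expected) and n_v2 == n_v
                and reply == (p ^ n_v) and n_p2 == n_p)
    return accepted, rtt_to_distance_bound(t_rtt)
```

A relay can only add delay, so the bound grows (100 ns one way is about 30 m); a prover without the key fails the slow phase.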
Securing Ranging
Do distance bounding protocols solve the problem? Not quite.
Physical layer attacks against distance bounding:
J. Clulow, G.P. Hancke, M.G. Kuhn, T. Moore. "So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks." ESAS'06
M. Flury, M. Poturalski, P. Papadimitratos, J.-P. Hubaux, J.-Y. Le Boudec. "Effectiveness of Distance-Decreasing Attacks Against Impulse Radio Ranging." WiSec'10
This paper: a new kind of physical layer attack against (IR) ranging.

Impulse Radio Ranging
Precise ranging in dense multipath environments.
The first path is not necessarily the strongest path.

The Ranging Process
Transmitter T sends a preamble: a frame sequence modulated by a ternary preamble code.
Receiver R:
1. Coarse synchronization: lock on the strongest path
2. Fine synchronization: back-search for the first path

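The two synchronization steps on a constructed NLOS energy profile, as an added example (not the authors' receiver code): coarse synchronization picks the strongest sample, the back-search then walks back over a 64 ns window (the deck's window size, about 20 m) and takes the earliest sample above a noise-relative threshold as the first path. The 2 ns sample period, the threshold rule and the profile values are assumptions; the model is deliberately simplified.

```python
C_M_PER_NS = 0.299792458  # speed of light in m/ns
SAMPLE_NS = 2.0           # assumed: one energy sample every 2 ns
WINDOW_NS = 64.0          # back-search window size from the deck (about 20 m)

def coarse_sync(energy):
    """Coarse synchronization: lock on the strongest path (largest energy sample)."""
    return max(range(len(energy)), key=energy.__getitem__)

def back_search(energy, strongest, window_samples, noise_floor, factor=3.0):
    """Fine synchronization (simplified model): walk back from the strongest path,
    at most `window_samples` samples, and take the earliest sample that still
    exceeds `factor` times the noise floor as the first path."""
    threshold = factor * noise_floor
    first = strongest
    for k in range(strongest - 1, max(strongest - window_samples, 0) - 1, -1):
        if energy[k] > threshold:
            first = k
    return first

def estimate_distance_m(energy, noise_floor=1.0):
    """Run both steps and convert the first-path index to a distance
    (time of arrival times the speed of light)."""
    strongest = coarse_sync(energy)
    first = back_search(energy, strongest, int(WINDOW_NS / SAMPLE_NS), noise_floor)
    return first * SAMPLE_NS * C_M_PER_NS

def multipath_profile(extra_pulses=()):
    """Constructed NLOS energy profile: noise floor 1, a weak first path at
    sample 40 and the strongest path (a later reflection) at sample 52.
    `extra_pulses` is a list of (sample, energy) pairs added to the profile,
    modelling any other pulse the receiver cannot tell from a genuine path."""
    energy = [1.0] * 100
    energy[40] += 4.0    # first path, weaker than the reflection
    energy[52] += 10.0   # strongest path
    energy[56] += 3.0    # trailing reflection
    for k, e in extra_pulses:
        energy[k] += e
    return energy
```

Anything above threshold inside the window is accepted as the first path, and anything earlier than the window is ignored, which is why the deck bounds the possible distance decrease by the window size.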
The Cicada Attack
A malicious transmitter M emits pulses while transmitter T sends its preamble (a frame sequence modulated by a ternary preamble code) to receiver R.
Denial of Service: ranging not possible.
Degradation of Service: the back-search finds a bogus first path, so the measured range is decreased.

Denial vs Degradation
Degradation is more stealthy than denial, and potentially more severe.
We focus on an adversary aiming at degradation.

The Cicada Attack
Very simple to mount: requires only an IR transmitter and is oblivious to the preamble code.
Limited effectiveness: the distance decrease is mild (bounded by the back-search window size, e.g., 20 m) and random.

Example Attack
Simulation Setup
Transmitter T, receiver R and malicious transmitter M, with signal-to-noise ratios SNRT (T at R) and SNRM (M at R).
IEEE 802.15.4a PHY, mandatory LPRF mode, indoor NLOS channel model.
Attack performance for 3 energy detection receivers:
Vanilla: basic energy detection receiver
MINF, PICNIC: receivers robust to multi-user interference
We simulate the entire packet reception process.

Vanilla Receiver (SNRT = 20 dB)
Outcomes classified as: packet not received (failure of synchronization); packet not received (failure of SFD detection or data decoding); packet received; packet received with ToA decreased by more than 4 ns.
The cicada signal sometimes misses the back-search window.
Increasing the cicada signal rate makes this less likely.
Degradation takes place if the cicada signal is not lost in noise and if the cicada signal is lower than the signal of T.

MINF Receiver
Designed to cope with benign multi-user interference during fine synchronization.
Z. Sahinoglu and I. Guvenc. "Multiuser Interference Mitigation in Noncoherent UWB Ranging via Nonlinear Filtering." EURASIP Journal on Wireless Communications and Networking, 2006
D. Dardari, A. Giorgetti, and M.Z. Win. "Time-of-Arrival Estimation of UWB Signals in the Presence of Narrowband and Wideband Interference." ICUWB, 2007

MINF Receiver
Assume coarse synchronization is achieved. Frames are selected according to the code i of the user of interest (a benign interferer uses a different code j), and a moving minimum filter is applied across the selected frames.
The cicada signal is present in every frame, so the min filter will not remove it.

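The frame selection and minimum filtering described above on constructed frames, as an added example (not the MINF authors' code): a benign interferer with code j only lands in some of user i's frames and is wiped out by the per-sample minimum, whereas a pulse present in every frame survives. The codes, frame length, pulse energies and the sliding-window-then-sum form of the filter are assumptions.

```python
CODE_I = [1, 0, -1, 1, 0, 1, -1, 1]   # constructed ternary preamble code of user i
CODE_J = [0, 1, 1, 0, 1, 0, 1, 0]     # constructed code of a benign interferer j

def select_user_frames(frames, code):
    """Keep only the frames in which the user of interest transmits,
    i.e. the frames whose ternary code symbol is non-zero."""
    return [f for f, c in zip(frames, code) if c != 0]

def moving_min_filter(frames, width=3):
    """Simplified MINF model: for each sample position take the minimum over a
    sliding window of `width` consecutive frames, then sum those minima over all
    window positions to obtain a single energy profile."""
    n = len(frames[0])
    profile = [0] * n
    for start in range(len(frames) - width + 1):
        window = frames[start:start + width]
        for k in range(n):
            profile[k] += min(f[k] for f in window)
    return profile

def constructed_frames(every_frame_pulse=True):
    """Eight frames of 32 energy samples with noise floor 1 (energy detection
    ignores pulse polarity, so -1 and +1 code symbols look alike). User i pulses
    at sample 20 when its code is non-zero, interferer j at sample 12 when its
    code is non-zero, and an optional pulse lands at sample 5 in every frame."""
    frames = []
    for ci, cj in zip(CODE_I, CODE_J):
        f = [1] * 32
        if ci:
            f[20] += 9
        if cj:
            f[12] += 6
        if every_frame_pulse:
            f[5] += 4
        frames.append(f)
    return frames

def minf_profile(every_frame_pulse=True):
    """Select user i's frames and apply the minimum filter."""
    return moving_min_filter(select_user_frames(constructed_frames(every_frame_pulse), CODE_I))
```

With six selected frames and four window positions, the noise level of the profile is 4: the interferer at sample 12 drops to that level, the pulse at sample 5 does not.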
Attack Performance against MINF (SNRT = 20 dB, compared with Vanilla)
The attack performs slightly worse than against Vanilla.

PICNIC Receiver
Designed to cope with benign multi-user interference during synchronization.
M. Flury, R. Merz, and J.-Y. Le Boudec. "Robust Non-coherent Timing Acquisition in IEEE 802.15.4a IR-UWB Networks." PIMRC, 2009
The adversary exploits the interference robustness of the PICNIC receiver to improve attack performance (SNRT = 20 dB, compared with Vanilla).

Countermeasures to Degradation
Do not perform back-search: loses ranging performance in the benign case.
Perform multiple range measurements: the cicada attack increases the variance of the measurements.
Modify the modulation scheme: time-hopping in the preamble?
Secure synchronization algorithms: complexity and energy consumption are an issue.

Conclusion
The cicada attack is a simple attack able to decrease the distance measured by IR ranging protocols.
It exploits the fundamental difficulty of distinguishing legitimate and interfering signals.
Security must be addressed at all layers.

To learn more...
http://lca.epfl.ch/projects/snd
marcin.poturalski@epfl.ch

Extra slides
PICNIC Receiver
Designed to cope with benign multi-user interference during synchronization.
M. Flury, R. Merz, and J.-Y. Le Boudec. "Robust Non-coherent Timing Acquisition in IEEE 802.15.4a IR-UWB Networks." PIMRC, 2009
Component 1: Power Independent Detection (PID). The correlator output x is thresholded (0 if x < t, 1 if x ≥ t) and the binary values are accumulated.
Component 2: Interference Cancellation. Detect the presence of an alternative preamble code; if detected, estimate and remove the interference.

Attack Performance against PICNIC (SNRT = 20 dB, compared with Vanilla)
The attack performs slightly worse than against Vanilla; denial sets in at low SNRM.
Because of the thresholding, the correlator output is maximized for all cicada peaks. Make the cicada signal more sparse?
The adversary exploits the interference robustness of the PICNIC receiver to improve attack performance.
Attack with a high-rate cicada signal.

Distance decrease
Back-search window size: 64 ns