Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves.

Presentation transcript:

Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging
Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec
Laboratory for Computer Communications and Applications, EPFL, Switzerland
Third ACM Conference on Wireless Network Security (WiSec '10), March 23, 2010

Secure Ranging aka Distance Bounding
- Wireless device V (Verifier) measures distance d_VP to another device P (Prover)
- Based on message time-of-flight: d_VP = c · t_RTT / 2
- Adversarial setting:
  - External attacks (mafia fraud)
  - Malicious prover (distance and terrorist frauds)
- measured distance d_VP ≥ actual distance d_VP
[Diagram: Verifier V and Prover P exchange N_V and (P ⊕ N_V, N_P), with t_RTT measured over this exchange, followed by (N_V, P, N_P, MAC_PV(N_V, P, N_P))]

Example Application: Tracking
[Figure: jewelry store; labels: store monitoring system, RFID tag, secure ranging]

Example Application: Tracking
[Figure: jewelry store; labels: store monitoring system, RFID tag, "!!!"; thought bubble: "If I could only decrease the measured distance…"]

Other Application Examples
- Tracking:
  - assets in warehouse
  - inmates
  - hospital assets, personnel, patients
  - animals
  - military personnel and equipment
  - …
- RFID access control
- RFID micropayments
- Secure localization
- …

Physical Layer Attacks
- Decrease the measured distance by exploiting physical layer redundancy
  J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006
- Physical layer and receiver specific
  - RFID (ISO 14443A) and WSN PHYs
  G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
- Other physical layers?

Impulse Radio UWB
- IR-UWB ranging capabilities:
  - high precision (sub meter)
  - copes well with multipath propagation
- IEEE a standard
[Figure: transmitted signal, received signal, sampled signal (energy detector receiver)]

Our contribution
- Distance-decreasing relay attack against:
  - IEEE a standard
  - Energy detector receiver
- Distance decrease of up to 140m*
- Attack success rate can be made arbitrarily high
- Components (early detection and late commit) can be used individually by a malicious prover
* IEEE a mandatory modes

Protocol Assumptions
- Rapid bit exchange:
  - Transmission of single bits
  - Instantaneous reply
  - Challenging to implement
  - Not compatible with IEEE a
- We assume no rapid bit exchange
[Diagram: Verifier V and Prover P exchange single-bit challenges and responses c_1, r_1, c_2, r_2, ..., c_n, r_n]

Protocol Assumptions
- Several-bit-long ranging messages
- Sufficient if V and P are honest
- With full duplex transmission can cope with malicious prover*
- Compatible with IEEE a
[Diagram: Verifier V and Prover P exchange N_V and N_P, with t_RTT measured over this exchange, followed by (N_V, P, N_P, MAC_PV(N_V, P, N_P))]
* Kasper Bonne Rasmussen, Srdjan Capkun. Location Privacy of Distance Bounding Protocols. CCS 2008

Setup: Distance decreasing relay attack
[Diagram: Verifier V, Relay M_V, Relay M_P, Prover P; N_V, N_P and (N_V, P, N_P, MAC_PV(N_V, P, N_P)) pass through the relays; t_RTT is measured at V]

Setup
- HTX: Honest Transmitter
- HRX: Honest Receiver
- ARX: Adversarial Receiver
- ATX: Adversarial Transmitter

Overview
- Challenge 1: Transmission time unknown in advance
- Challenge 2: Payload unknown in advance
- Components: early detection, late commit
[Figure: timelines for HTX, HRX, ATX, ARX showing preamble and payload; annotation: 450ns ~ 135m]

Preamble
[Figure sequence: timelines for HTX, HRX, ATX, ARX]
- Preamble symbol S_i, duration 4096ns, repeated: S_i S_i S_i …
- Acquisition on the repeated preamble symbols; annotation: 4096ns – 450ns
- Start Frame Delimiter: a sequence of S_i, 0 and -S_i symbols following the repeated S_i
- Early SFD detection compared with normal SFD detection
- Late SFD commit; time-shift 450ns

Payload
[Figure sequence: timelines for HTX, HRX, ATX, ARX, continuing from the Start Frame Delimiter with early SFD detection and late SFD commit]
- Binary Pulse Position Modulation: 0-symbol and 1-symbol; annotations: 1024ns, 8ns, ~70ns
- Benign receiver: comparison (< >) decides → 0 or → 1
- Early detection receiver and late commit transmitter: each decides → 0 or → 1
- Relay time-shift 450ns = 512ns – 62ns = half symbol duration – early detection time

Attack Performance
- Evaluation with physical layer simulations
- IEEE a, with:
  - 128 bit packets
  - residential NLOS channel model based on IR channel measurement campaigns
  - LPRF mode (mandatory parameters)

Preamble: Early detection
[Plot: Synchronization Error Ratio vs. ARX SNR [dB]; annotation: 4dB]

Preamble: Late commit
[Plot: Synchronization Error Ratio vs. HRX SNR [dB]; annotation: 4dB]

Payload: Early detection
[Plot: Packet Error Ratio vs. ARX SNR [dB]; annotation: 1.7dB]

Payload: Late commit
[Plot: Packet Error Ratio vs. HRX SNR [dB]; annotation: 4dB]

Overall attack success
[Plot: Probability of attack success vs. Early detection SNR (ARX) and Late commit SNR (HRX)]
- >99% attack success probability with SNR 4dB (ARX) and 6dB (HRX) greater than for benign operation
- Easily achievable:
  - High gain antenna
  - Increase transmission power
  - Move adversarial devices closer to victim devices

Application example: Tracking
[Figure: jail; labels: relay, "???"]

Countermeasures
- Decrease payload symbol length
  - Our attack gains half of symbol duration
  - Non-mandatory IEEE a modes with payload symbol length 32ns (11m)
- Disadvantages:
  - Shorter symbols result in worse multi-user interference tolerance
  - With very short symbols, inter-symbol interference becomes an issue
J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006

Countermeasures
- Perform early detection at HRX: in place of
  - Prevents our attack
  - Any attack can decrease the measured distance by at most early detection window duration
  - Example: 62ns or 18m
- Disadvantages:
  - Performance loss
G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
[Figure residue: dB]
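Added example, not part of the original slides: a verifier-side check that turns the two timing figures quoted above (the 450ns relay time-shift against a benign energy-detection receiver, and the 62ns early detection window when HRX itself uses early detection) into a margin on the measured distance. The function names, the 30m radius, the 1000ns reply delay and the sample readings are assumptions constructed for illustration.

```python
# Added illustration: verifier-side safety margin for time-of-flight ranging.
# Timing figures (1024ns symbol, 62ns early detection, 450ns shift) are the
# ones quoted on the slides; everything else is a labelled assumption.

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond


def measured_distance_m(t_rtt_ns, reply_delay_ns=0.0):
    """d_VP = c * t_RTT / 2, after removing the prover's known reply delay."""
    return C_M_PER_NS * (t_rtt_ns - reply_delay_ns) / 2.0


def decrease_margin_m(symbol_ns, early_detect_ns, hrx_early_detection):
    """Distance decrease (metres) the verifier must allow for.

    Benign energy-detection HRX: the relay time-shift from the slides,
    half symbol duration minus early detection time (512ns - 62ns = 450ns).
    HRX using early detection: at most the early detection window (62ns).
    """
    if not 0 < early_detect_ns < symbol_ns / 2.0:
        raise ValueError("early detection time must lie inside half a symbol")
    shift_ns = early_detect_ns if hrx_early_detection else symbol_ns / 2.0 - early_detect_ns
    return C_M_PER_NS * shift_ns


def proximity_verdict(t_rtt_ns, radius_m, margin_m, reply_delay_ns=0.0):
    """Accept 'prover within radius' only if it still holds in the worst case."""
    measured = measured_distance_m(t_rtt_ns, reply_delay_ns)
    if measured < 0:
        raise ValueError("round-trip time shorter than the reply delay")
    worst_case = measured + margin_m
    return {"measured_m": measured, "worst_case_m": worst_case,
            "accept": worst_case <= radius_m}


# Constructed sample input: two round-trip readings (ns), an assumed fixed
# prover reply delay of 1000ns and an assumed 30m proximity radius.
READINGS_NS = [1040.0, 1133.4]
REPLY_DELAY_NS = 1000.0
RADIUS_M = 30.0


def evaluate(hrx_early_detection):
    """Return the accept/reject decision for each constructed reading."""
    margin = decrease_margin_m(1024.0, 62.0, hrx_early_detection)
    return [proximity_verdict(t, RADIUS_M, margin, REPLY_DELAY_NS)["accept"]
            for t in READINGS_NS]


if __name__ == "__main__":
    for mode in (False, True):
        print("HRX early detection:", mode, "->", evaluate(mode))
```

With the benign receiver the 450ns figure is the gain of the attack presented in these slides, not an upper bound; the margin for HRX early detection is the bound the slide states for any attack.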

Countermeasures
- Beyond IEEE a: other modulations
  - BPSK
  - OOK
  - “Security Enhanced Modulation”
    M. Kuhn, H. Luecken, N. O. Tippenhauer. UWB Impulse Radio Based Distance Bounding. WPNC 2010
  - Secret preamble codes
  - Secret payload time-hopping

Conclusion
- IR-UWB standard IEEE a is vulnerable to a distance-decreasing relay attack
  - 140m distance decrease against energy-detection receivers*
  - Attack enabled by BPPM (de)modulation
- Attack performance
  - 99% success rate at minor SNR cost (few dB)
  - Success rate can be made arbitrarily high
* IEEE a mandatory modes

Ongoing work
- Countermeasures
- Attack with a coherent receiver
  - Exploits the specifics of the convolutional code used in IEEE a
  - Additional 75m distance-decrease
- New physical layer attack against ranging
  - Malicious interference disrupting ToA estimation
  - Less effective and precise, but easy to mount
M. Poturalski, M. Flury, P. Papadimitratos, J-P. Hubaux, J-Y. Le Boudec. The Cicada Attack: Degradation and Denial of Service in IR Ranging. (under submission)

To learn more…

Attack overview