
1 Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging
Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec
Laboratory for Computer Communications and Applications, EPFL, Switzerland
Third ACM Conference on Wireless Network Security (WiSec '10), March 23, 2010

2 Secure Ranging aka Distance Bounding
Wireless device V (Verifier) measures distance $d_{VP}$ to another device P (Prover)
Based on message time-of-flight: $d_{VP} = c \cdot t_{RTT} / 2$
Adversarial setting:
– External attacks (mafia fraud)
– Malicious prover (distance and terrorist frauds)
[Diagram: Verifier V and Prover P exchange $N_V$ and $(P \oplus N_V, N_P)$, timed as $t_{RTT}$, followed by $(N_V, P, N_P, MAC_{PV}(N_V, P, N_P))$; labels: measured distance and actual distance $d_{VP}$]

3 Example Application: Tracking
[Figure: jewelry store; labels: store monitoring system, RFID tag, secure ranging]

4 Example Application: Tracking
[Figure: jewelry store; labels: store monitoring system, RFID tag; speech bubble: "#@%#& !!! If I could only decrease the measured distance…"]

5 Other Application Examples
Tracking:
– assets in warehouse
– inmates
– hospital assets, personnel, patients
– animals
– military personnel and equipment
– …
RFID access control
RFID micropayments
Secure localization
…

6 Physical Layer Attacks
Decrease the measured distance by exploiting physical layer redundancy
J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006
Physical layer and receiver specific
– RFID (ISO 14443A) and WSN PHYs
G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
Other physical layers?

7 Impulse Radio UWB
IR-UWB ranging capabilities:
– high precision (sub meter)
– copes well with multipath propagation
IEEE 802.15.4a standard
[Figure: transmitted signal, received signal, sampled signal (energy detector receiver)]

8 Our contribution
Distance-decreasing relay attack against:
– IEEE 802.15.4a standard
– Energy detector receiver
Distance decrease of up to 140m*
Attack success rate can be made arbitrarily high
Components (early detection and late commit) can be used individually by a malicious prover
* IEEE 802.15.4a mandatory modes

9 Protocol Assumptions
Rapid bit exchange:
– Transmission of single bits
– Instantaneous reply
– Challenging to implement
– Not compatible with IEEE 802.15.4a
[Diagram: Verifier V and Prover P exchange single-bit challenges and responses $c_1, r_1, c_2, r_2, \ldots, c_n, r_n$]
We assume no rapid bit exchange

10 Protocol Assumptions
Several-bit-long ranging messages
Sufficient if V and P are honest
With full duplex transmission can cope with malicious prover*
Compatible with IEEE 802.15.4a
[Diagram: Verifier V and Prover P exchange $N_V$ and $N_P$, timed as $t_{RTT}$, followed by $(N_V, P, N_P, MAC_{PV}(N_V, P, N_P))$]
* Kasper Bonne Rasmussen, Srdjan Capkun. Location Privacy of Distance Bounding Protocols. CCS 2008

11 Setup
Distance decreasing relay attack
[Diagram: Verifier V, Relay $M_V$, Relay $M_P$, Prover P; $N_V$ and $N_P$ pass through the relays, timed as $t_{RTT}$, followed by $(N_V, P, N_P, MAC_{PV}(N_V, P, N_P))$; a further message is shown as $(N_V, P, N_P, ...)$]

12 Setup
HTX: Honest Transmitter
HRX: Honest Receiver
ARX: Adversarial Receiver
ATX: Adversarial Transmitter

13 Overview
Challenge 1: Transmission time unknown in advance
Challenge 2: Payload unknown in advance
[Figure: HTX, HRX, ATX, ARX timelines showing preamble and payload; labels: early detection, late commit, 450ns ~ 135m]

14 Preamble
[Figure: HTX, HRX, ATX, ARX timelines; preamble symbol $S_i$, 4096ns]

15 Preamble
[Figure: HTX, HRX, ATX, ARX timelines; preamble as a sequence of repeated $S_i$ symbols]

16 Preamble
[Figure: HTX, HRX, ATX, ARX timelines of repeated $S_i$ symbols; labels: 4096ns – 450ns, acquisition]

17 Preamble
[Figure: HTX, HRX, ATX, ARX timelines; repeated $S_i$ symbols followed by a pattern of $S_i$, 0 and $-S_i$ symbols; labels: 4096ns – 450ns, acquisition]

18 Preamble
[Figure: HTX, HRX, ATX, ARX timelines; pattern of $S_i$, 0 and $-S_i$ symbols; labels: Start Frame Delimiter, early SFD detection, normal SFD detection]

19 Preamble
[Figure: HTX, HRX, ATX, ARX timelines; pattern of $S_i$, 0 and $-S_i$ symbols; labels: Start Frame Delimiter, early SFD detection, late SFD commit, time-shift 450ns]

20 Payload
[Figure: HTX, HRX, ATX, ARX timelines; pattern of $S_i$, 0 and $-S_i$ symbols; labels: Start Frame Delimiter, early SFD detection, late SFD commit]

21 Payload
Binary Pulse Position Modulation
[Figure: HTX, HRX, ATX, ARX timelines; 0-symbol and 1-symbol; labels: 1024ns, 8ns, ~70ns]

22 Payload
Binary Pulse Position Modulation
[Figure: 0-symbol and 1-symbol, 1024ns, 8ns; benign receiver comparison (< >) decoding → 0 and → 1]

23 Payload
Binary Pulse Position Modulation
[Figure: 0-symbol and 1-symbol, 1024ns, 8ns; early detection receiver and late commit transmitter, each with comparison (< >) decoding → 0 and → 1]

24 Payload
Binary Pulse Position Modulation
[Figure: 0-symbol and 1-symbol, 1024ns, 8ns; early detection receiver, late commit transmitter]
relay time-shift 450ns = 512ns – 62ns = half symbol duration – early detection time

25 Attack Performance
Evaluation with physical layer simulations
IEEE 802.15.4a, with:
– 128 bit packets
– residential NLOS channel model based on IR channel measurement campaigns
– LPRF mode (mandatory parameters)

26 Preamble: Early detection
[Plot: Synchronization Error Ratio vs. ARX SNR [dB]; annotation: 4dB]

27 Preamble: Late commit
[Plot: Synchronization Error Ratio vs. HRX SNR [dB]; annotation: 4dB]

28 Payload: Early detection
[Plot: Packet Error Ratio vs. ARX SNR [dB]; annotation: 1.7dB]

29 Payload: Late commit
[Plot: Packet Error Ratio vs. HRX SNR [dB]; annotation: 4dB]

30 Overall attack success
[Plot: Probability of attack success vs. Early detection SNR (ARX) and Late commit SNR (HRX)]
>99% attack success probability with SNR 4dB (ARX) and 6dB (HRX) greater than for benign operation
Easily achievable:
– High gain antenna
– Increase transmission power
– Move adversarial devices closer to victim devices

31 Application example: Tracking
[Figure: jail, relay, "???"]

32 Countermeasures
Decrease payload symbol length
– Our attack gains half of symbol duration
– Non-mandatory IEEE 802.15.4a modes with payload symbol length 32ns (11m)
Disadvantages:
– Shorter symbols result in worse multi-user interference tolerance
– With very short symbols, inter-symbol interference becomes an issue
J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006

33 Countermeasures
Perform early detection at HRX: in place of
– Prevents our attack
– Any attack can decrease the measured distance by at most early detection window duration
Example: 62ns or 18m
Disadvantages:
– Performance loss
[Annotation: 1.7dB]
G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
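A verifier-side acceptance check that combines the ranging exchange with the physical-layer bounds quoted on these slides (450ns ~ 135m for the benign receiver, 62ns or 18m with early detection at HRX), added here as an example and not taken from the presentation. It assumes HMAC-SHA256 for $MAC_{PV}$, a length-prefixed field encoding, and that the time gain applies in both directions; all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import struct

C = 299_792_458.0  # speed of light in m/s

def encode(*fields):
    # Length-prefix each field so (N_V, P, N_P) is unambiguous under the MAC.
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def mac_pv(key, n_v, prover_id, n_p):
    # Assumption: HMAC-SHA256 stands in for the slides' MAC_PV.
    return hmac.new(key, encode(n_v, prover_id, n_p), hashlib.sha256).digest()

def distance_from_rtt(t_rtt_s, t_proc_s=0.0):
    # d_VP = c * t_RTT / 2, after removing the prover's known reply delay.
    return C * (t_rtt_s - t_proc_s) / 2

def max_decrease_m(time_gain_s):
    # Assumption: both directions are advanced by time_gain_s, so t_RTT
    # shrinks by 2 * gain and the distance by c * gain (450 ns ~ 135 m).
    return C * time_gain_s

def verify_ranging(key, n_v, prover_id, n_p, tag, t_rtt_s, limit_m, phy_gain_s):
    """Return (accepted, measured_m, worst_case_m) for one ranging exchange."""
    if not hmac.compare_digest(mac_pv(key, n_v, prover_id, n_p), tag):
        return (False, None, None)
    measured = distance_from_rtt(t_rtt_s)
    # The prover may be this much farther away than the measurement says.
    worst_case = measured + max_decrease_m(phy_gain_s)
    return (worst_case <= limit_m, measured, worst_case)

if __name__ == "__main__":
    # Constructed sample values, not taken from the presentation.
    key, n_v, p, n_p = b"k" * 32, b"\x01" * 16, b"tag-17", b"\x02" * 16
    tag = mac_pv(key, n_v, p, n_p)
    t_rtt = 2 * 10.0 / C  # round trip for a prover measured at 10 m
    for name, gain in [("benign HRX", 450e-9), ("early-detection HRX", 62e-9)]:
        ok, d, worst = verify_ranging(key, n_v, p, n_p, tag, t_rtt, 30.0, gain)
        print(f"{name}: measured {d:.1f} m, worst case {worst:.1f} m, accept={ok}")
```

With a 30 m limit, the same authenticated 10 m measurement is rejected under the 450 ns margin and accepted under the 62 ns margin, which is the practical effect of shrinking the receiver's detection window.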

34 Countermeasures
Beyond IEEE 802.15.4a: other modulations
– BPSK
– OOK
– “Security Enhanced Modulation”
M. Kuhn, H. Luecken, N. O. Tippenhauer. UWB Impulse Radio Based Distance Bounding. WPNC 2010
– Secret preamble codes
– Secret payload time-hopping

35 Conclusion
IR-UWB standard IEEE 802.15.4a is vulnerable to a distance-decreasing relay attack
– 140m distance decrease against energy-detection receivers*
– Attack enabled by BPPM (de)modulation
Attack performance
– 99% success rate at minor SNR cost (few dB)
– Success rate can be made arbitrarily high
* IEEE 802.15.4a mandatory modes

36 Ongoing work
Countermeasures
Attack with a coherent receiver
– Exploits the specifics of the convolutional code used in IEEE 802.15.4a
– Additional 75m distance-decrease
New physical layer attack against ranging
– Malicious interference disrupting ToA estimation
– Less effective and precise, but easy to mount
M. Poturalski, M. Flury, P. Papadimitratos, J-P. Hubaux, J-Y. Le Boudec. The Cicada Attack: Degradation and Denial of Service in IR Ranging. (under submission)

37 To learn more…
http://lca.epfl.ch/projects/snd
marcin.poturalski@epfl.ch

38 Attack overview

