Security analysis of IEEE 802.15.4z/HRP UWB time-of-flight distance measurement
Abstract
IEEE 802.15.4z, a standard for Ultra-Wide Band (UWB) secure distance measurement, was adopted in 2020 and the chips that implement this standard are already deployed in mobile phones and in the automotive industry (for Passive Keyless Entry and Start). The standard specifies two different modes - -LRP and HRP. Whereas the security of LRP mode has been analyzed, there is no publicly available security analysis of the HRP mode, which is used in different chips like NXP Trimension SR150/SR040, Samsung smartphones, and U1 chip deployed in Apple iPhones. In this work, we perform the first open analysis of the 802.15.4z HRP mode. Our analysis reviews possible attacks on HRP and assesses strategies that an HRP receiver could implement. We show that in realistic deployments, despite countermeasures, HRP is hard to configure to be both performant and secure. If a distance missdetection rate is set to less than 10% (in benign scenarios), the probability of a successful distance shortening attacks ranges from 7% to over 90%.
Research Area: Secure Ranging and Positioning
People
BibTex
@INPROCEEDINGS{singh2021security,
isbn = {978-1-4503-8349-3},
doi = {10.1145/3448300.3467831},
year = {2021-06},
booktitle = {Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '21)},
type = {Conference Paper},
institution = {EC},
author = {Singh, Mridula and Roeschlin, Marc and Zalzala, Ezzat and Leu, Patrick and Capkun, Srdjan},
abstract = {IEEE 802.15.4z, a standard for Ultra-Wide Band (UWB) secure distance measurement, was adopted in 2020 and the chips that implement this standard are already deployed in mobile phones and in the automotive industry (for Passive Keyless Entry and Start). The standard specifies two different modes - -LRP and HRP. Whereas the security of LRP mode has been analyzed, there is no publicly available security analysis of the HRP mode, which is used in different chips like NXP Trimension SR150/SR040, Samsung smartphones, and U1 chip deployed in Apple iPhones. In this work, we perform the first open analysis of the 802.15.4z HRP mode. Our analysis reviews possible attacks on HRP and assesses strategies that an HRP receiver could implement. We show that in realistic deployments, despite countermeasures, HRP is hard to configure to be both performant and secure. If a distance missdetection rate is set to less than 10% (in benign scenarios), the probability of a successful distance shortening attacks ranges from 7% to over 90%.},
keywords = {IEEE 802.15.4z; HRP; UWB ranging; Ultra-wide band; Distance ranging; Secure distance measurement; Physical-layer security; Time-of-flight measurement},
language = {en},
address = {New York, NY},
publisher = {Association for Computing Machinery},
title = {Security analysis of IEEE 802.15.4z/HRP UWB time-of-flight distance measurement},
PAGES = {227 - 237},
Note = {14th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021); Conference Location: Online; Conference Date: June 28 - July 2, 2021}
}
Research Collection: 20.500.11850/497943