Security of Multicarrier Time-of-Flight Ranging
Abstract
OFDM is a widely used modulation scheme. It transmits data over multiple subcarriers in parallel, which provides high resilience against frequency-dependent channel drops (fading) and achieves high throughput. Due to the proliferation of OFDM-enabled devices and the increasing need for location information, the research community has suggested using OFDM symbols for secure (time-of-flight) distance measurements. However, a consequence of relying on multiple subcarriers is long symbols (time-wise). This makes OFDM systems not a natural fit for secure ranging, as long symbols allow an attacker longer observation and reaction times to mount a so-called early-detect/late-commit attack. Despite these concerns, a recent standardization effort (IEEE 802.11az) envisions the use of OFDM-based signals for secure ranging. This paper lays the groundwork for analyzing OFDM time-of-flight measurements and studies the security guarantees of OFDM-based ranging against a physical-layer attacker. We use BPSK and 4-QAM, the most robust configurations, as examples to present a strategy that increases the chances for early-detecting the transmitted symbols. Our theoretical analysis and simulations show that such OFDM systems are vulnerable to early-detection/late-commit attacks, irrespective of frame length and number of subcarriers. We identify the underlying causes and explore a possible countermeasure, consisting of orthogonal noise and randomized phase.
BibTeX
@INPROCEEDINGS{leu2021security,
isbn = {978-1-4503-8579-4},
doi = {10.1145/3485832.3485898},
year = {2021-12},
booktitle = {Annual Computer Security Applications Conference (ACSAC ’21)},
type = {Conference Paper},
institution = {EC},
author = {Leu, Patrick and Kotuliak, Martin and Roeschlin, Marc and Capkun, Srdjan},
abstract = {OFDM is a widely used modulation scheme. It transmits data over multiple subcarriers in parallel, which provides high resilience against frequency-dependent channel drops (fading) and achieves high throughput. Due to the proliferation of OFDM-enabled devices and the increasing need for location information, the research community has suggested using OFDM symbols for secure (time-of-flight) distance measurements. However, a consequence of relying on multiple subcarriers is long symbols (time-wise). This makes OFDM systems not a natural fit for secure ranging, as long symbols allow an attacker longer observation and reaction times to mount a so-called early-detect/late-commit attack. Despite these concerns, a recent standardization effort (IEEE 802.11az) envisions the use of OFDM-based signals for secure ranging. This paper lays the groundwork for analyzing OFDM time-of-flight measurements and studies the security guarantees of OFDM-based ranging against a physical-layer attacker. We use BPSK and 4-QAM, the most robust configurations, as examples to present a strategy that increases the chances for early-detecting the transmitted symbols. Our theoretical analysis and simulations show that such OFDM systems are vulnerable to early-detection/late-commit attacks, irrespective of frame length and number of subcarriers. We identify the underlying causes and explore a possible countermeasure, consisting of orthogonal noise and randomized phase.},
keywords = {IEEE 802.11az; Secure ranging; OFDM},
language = {en},
address = {New York, NY},
publisher = {Association for Computing Machinery},
title = {Security of Multicarrier Time-of-Flight Ranging},
PAGES = {887 - 899},
Note = {37th Annual Computer Security Applications Conference (ACSAC 2021); Conference Location: Online; Conference Date: December 6-10, 2021; Conference lecture on December 10, 2021.}
}
Research Collection: 20.500.11850/517818