Time for Change: How Clocks Break UWB Secure Ranging

Authors: Claudio Anliker, Giovanni Camurati, and Srdjan Čapkun
Proceedings of the 32nd USENIX Security Symposium
PDF

Abstract

Due to its suitability for wireless ranging, Ultra-Wide Band (UWB) has gained traction over the past years. UWB chips have been integrated into consumer electronics and considered for security-relevant use cases, such as access control or contactless payments. However, several publications in the recent past have shown that it is difficult to protect the integrity of distance measurements on the physical layer. In this paper, we identify transceiver clock imperfections as a new, important parameter that has been widely ignored so far. We present Mix-Down and Stretch-and-Advance, two novel attacks against the current (IEEE 802.15.4z) and the upcoming (IEEE 802.15.4ab) UWB standard, respectively. We demonstrate Mix-Down on commercial chips and achieve distance reductions from 10 m to 0 m. For the Stretch-and-Advance attack, we show analytically that the current proposal of IEEE 802.15.4ab allows reductions of over 90 m. To prevent the attack, we propose and analyze an effective countermeasure.

Research Area: Secure Ranging and Positioning

People

Claudio Anliker
Doctoral Student

BibTex

@INPROCEEDINGS{anliker2023change,
	isbn = {978-1-939133-37-3},
	copyright = {In Copyright - Non-Commercial Use Permitted},
	year = {2023},
	booktitle = {Proceedings of the 32nd USENIX Security Symposium},
	type = {Conference Paper},
	editor = {Calandrino, Joe and Troncoso, Carmela},
	author = {Anliker, Claudio and Camurati, Giovanni and Capkun, Srdjan},
	abstract = {Due to its suitability for wireless ranging, Ultra-Wide Band (UWB) has gained traction over the past years. UWB chips have been integrated into consumer electronics and considered for security-relevant use cases, such as access control or contactless payments. However, several publications in the recent past have shown that it is difficult to protect the integrity of distance measurements on the physical layer. In this paper, we identify transceiver clock imperfections as a new, important parameter that has been widely ignored so far. We present Mix-Down and Stretch-and-Advance, two novel attacks against the current (IEEE 802.15.4z) and the upcoming (IEEE 802.15.4ab) UWB standard, respectively. We demonstrate Mix-Down on commercial chips and achieve distance reductions from 10 m to 0 m. For the Stretch-and-Advance attack, we show analytically that the current proposal of IEEE 802.15.4ab allows reductions of over 90 m. To prevent the attack, we propose and analyze an effective countermeasure.},
	language = {en},
	address = {Berkeley, CA},
	publisher = {USENIX Association},
	DOI = {10.3929/ethz-b-000641831},
	title = {Time for Change: How Clocks Break UWB Secure Ranging},
	PAGES = {19 - 36},
	Note = {32nd USENIX Security Symposium (USENIX Security 2023); Conference Location: Anaheim, CA, USA; Conference Date: August 9-11, 2023}
}

Research Collection: 20.500.11850/641831