Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec

Laboratory for Computer Communications and Applications, EPFL, Switzerland

Third ACM Conference on Wireless Network Security (WiSec '10), March 23, 2010


Page 1: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec

Laboratory for Computer Communications and Applications, EPFL, Switzerland

Third ACM Conference on Wireless Network Security (WiSec '10), March 23, 2010

Page 2: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Secure Ranging aka Distance Bounding

• Wireless device V (Verifier) measures distance dVP to another device P (Prover)
• Based on message time-of-flight
• Adversarial setting:
  – External attacks (mafia fraud)
  – Malicious prover (distance and terrorist frauds)

$d_{VP} = c \cdot t_{RTT} / 2$

[Figure: protocol diagram between Verifier V and Prover P. Messages shown: NV; (P ⊕ NV, NP); (NV, P, NP, MACPV(NV, P, NP)). tRTT is marked on the exchange. Labels: measured distance dVP, actual distance dVP.]

Page 3: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Example Application: Tracking

[Figure labels: JEWELRY STORE; store monitoring system; RFID tag; RFID tag; secure ranging.]

Page 4: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Example Application: Tracking

[Figure labels: JEWELRY STORE; store monitoring system; RFID tag; RFID tag. Speech bubble: "#@%#& !!! If I could only decrease the measured distance…"]

Page 5: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Other Application Examples

• Tracking:
  – assets in warehouse
  – inmates
  – hospital assets, personnel, patients
  – animals
  – military personnel and equipment
  – …
• RFID access control
• RFID micropayments
• Secure localization
• …

Page 6: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Physical Layer Attacks

• Decrease the measured distance by exploiting physical layer redundancy
  J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006
• Physical layer and receiver specific
  – RFID (ISO 14443A) and WSN PHYs
  G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
• Other physical layers?

Page 7: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Impulse Radio UWB

• IR-UWB ranging capabilities:
  – high precision (sub meter)
  – copes well with multipath propagation
• IEEE 802.15.4a standard

[Figure panels: transmitted signal; received signal; sampled signal (energy detector receiver).]

Page 8: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Our contribution

• Distance-decreasing relay attack against:
  – IEEE 802.15.4a standard
  – Energy detector receiver
• Distance decrease of up to 140m*
• Attack success rate can be made arbitrarily high
• Components (early detection and late commit) can be used individually by a malicious prover

* IEEE 802.15.4a mandatory modes

Page 9: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Protocol Assumptions

• Rapid bit exchange:
  – Transmission of single bits
  – Instantaneous reply
  – Challenging to implement
  – Not compatible with IEEE 802.15.4a

[Figure: rapid bit exchange between Verifier V and Prover P with challenges c1, c2, ..., cn and responses r1, r2, ..., rn.]

We assume no rapid bit exchange

Page 10: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Protocol Assumptions

• Several-bit-long ranging messages
• Sufficient if V and P are honest
• With full duplex transmission can cope with malicious prover*
• Compatible with IEEE 802.15.4a

[Figure: exchange between Verifier V and Prover P with messages NV, NP and (NV, P, NP, MACPV(NV, P, NP)); tRTT is marked.]

* Kasper Bonne Rasmussen, Srdjan Capkun. Location Privacy of Distance Bounding Protocols. CCS 2008

Page 11: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Setup

Distance decreasing relay attack

[Figure: Verifier V, Relay MV, Relay MP and Prover P. Messages shown: NV (three times), NP (three times), (NV, P, NP, MACPV(NV, P, NP)) and (NV, P, NP, ...) (twice); tRTT is marked.]

Page 12: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Setup

• HTX: Honest Transmitter
• HRX: Honest Receiver
• ATX: Adversarial Transmitter
• ARX: Adversarial Receiver

Page 13: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Overview

• Challenge 1: Transmission time unknown in advance
• Challenge 2: Payload unknown in advance

[Figure: timelines for HTX, HRX, ATX and ARX, each showing a frame made of preamble and payload. Labels: early detection; late commit; 450ns ~ 135m.]

Page 14: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Preamble

[Figure: timelines for HTX, HRX, ATX and ARX. Labels: preamble symbol Si; 4096ns.]

Page 15: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Preamble

[Figure: timelines for HTX, HRX, ATX and ARX; the preamble is shown as a sequence of repeated symbols Si.]

Page 16: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Preamble

[Figure: timelines for HTX, HRX, ATX and ARX with sequences of repeated preamble symbols Si. Labels: acquisition; 4096ns – 450ns.]

Page 17: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Preamble

[Figure: timelines for HTX, HRX, ATX and ARX with sequences of preamble symbols Si followed by Si and 0 symbols. Labels: acquisition; 4096ns – 450ns.]

Page 18: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Preamble

[Figure: timelines for HTX, HRX, ATX and ARX with sequences of Si, 0 and -Si symbols. Labels: Start Frame Delimiter; early SFD detection; normal SFD detection.]

Page 19: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Preamble

[Figure: timelines for HTX, HRX, ATX and ARX with sequences of Si, 0 and -Si symbols. Labels: Start Frame Delimiter; early SFD detection; late SFD commit; time-shift 450ns.]

Page 20: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Payload

[Figure: timelines for HTX, HRX, ATX and ARX with sequences of Si, 0 and -Si symbols. Labels: Start Frame Delimiter; early SFD detection; late SFD commit.]

Page 21: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Payload

Binary Pulse Position Modulation

[Figure: timelines for HTX, HRX, ATX and ARX showing a 0-symbol and a 1-symbol. Durations marked: 1024ns; 8ns; ~70ns.]

Page 22: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

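Payload

Binary Pulse Position Modulation

[Figure: timelines for HTX, HRX, ATX and ARX showing a 0-symbol and a 1-symbol (durations marked: 1024ns; 8ns). The benign receiver applies a comparison ("<>") to each symbol and outputs → 0 and → 1.]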

Page 23: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

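Payload

Binary Pulse Position Modulation

[Figure: timelines for HTX, HRX, ATX and ARX showing a 0-symbol and a 1-symbol (durations marked: 1024ns; 8ns). Labels: early detection receiver (→ 0, → 1); late commit transmitter …; comparison ("<>") with outputs → 0 and → 1.]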

Page 24: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Payload

Binary Pulse Position Modulation

[Figure: timelines for HTX, HRX, ATX and ARX showing a 0-symbol and a 1-symbol (durations marked: 1024ns; 8ns). Labels: early detection receiver; late commit transmitter …; comparison ("<>").]

relay time-shift 450ns = 512ns – 62ns = half symbol duration – early detection time

Page 25: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Attack Performance

• Evaluation with physical layer simulations
• IEEE 802.15.4a, with:
  – 128 bit packets
  – residential NLOS channel model
    • based on IR channel measurement campaigns
  – LPRF mode (mandatory parameters)

Page 26: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Preamble: Early detection

[Plot: Synchronization Error Ratio versus ARX SNR [dB]; annotation: 4dB.]

Page 27: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Preamble: Late commit

[Plot: Synchronization Error Ratio versus HRX SNR [dB]; annotation: 4dB.]

Page 28: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Payload: Early detection

[Plot: Packet Error Ratio versus ARX SNR [dB]; annotation: 1.7dB.]

Page 29: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Payload: Late commit

[Plot: Packet Error Ratio versus HRX SNR [dB]; annotation: 4dB.]

Page 30: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Overall attack success

[Plot: Probability of attack success as a function of Early detection SNR(ARX) and Late commit SNR(HRX).]

>99% attack success probability with SNR 4dB (ARX) and 6dB (HRX) greater than for benign operation

Easily achievable:
• High gain antenna
• Increase transmission power
• Move adversarial devices closer to victim devices

Page 31: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Application example: Tracking

[Figure labels: jail; relay; ???]

Page 32: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Countermeasures

• Decrease payload symbol length
  – Our attack gains half of symbol duration
  – Non-mandatory IEEE 802.15.4a modes with payload symbol length 32ns (11m)
• Disadvantages:
  – Shorter symbols result in worse multi-user interference tolerance
  – With very short symbols, inter-symbol interference becomes an issue

J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006

Page 33: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Countermeasures

• Perform early detection at HRX: [receiver figure] in place of [receiver figure]
  – Prevents our attack
  – Any attack can decrease the measured distance by at most early detection window duration
    • Example: 62ns or 18m
• Disadvantages:
  – Performance loss

[Figure annotation: 1.7dB]

G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
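The receiver-side difference behind this countermeasure, as an added Python sketch that is not part of the original presentation: it contrasts standard energy-comparison BPPM detection with an early-detection decision, and converts the two time windows quoted on the slides (450ns and 62ns) into distances. The 2ns sampling period, the decaying-burst signal model, the threshold and all function names are assumptions made for illustration.

```python
import math

C = 299_792_458.0          # speed of light, m/s
TS_NS = 2                  # assumed energy-detector sampling period (ns)
SYMBOL_NS = 1024           # payload symbol duration (from the slides)
EARLY_NS = 62              # early detection window (from the slides)
N, HALF = SYMBOL_NS // TS_NS, SYMBOL_NS // TS_NS // 2

def make_symbol(bit, noise=0.01, spread_ns=20.0):
    """Constructed energy samples of one BPPM symbol: a decaying burst at
    the start of the first half (bit 0) or of the second half (bit 1)."""
    start = 0 if bit == 0 else HALF
    return [noise + (math.exp(-(i - start) * TS_NS / spread_ns) if i >= start else 0.0)
            for i in range(N)]

def demod_standard(samples):
    """Standard detection: compare the energy of the two symbol halves.
    The decision depends on samples up to the end of the symbol."""
    return 0 if sum(samples[:HALF]) >= sum(samples[HALF:]) else 1

def demod_early(samples, threshold=2.0):
    """Early detection: on/off-keying decision on the first EARLY_NS only.
    The threshold is an assumed value between noise and burst energy."""
    return 0 if sum(samples[:EARLY_NS // TS_NS]) > threshold else 1

def add_late_energy(samples, extra=1.0):
    """Return a copy with extra energy in every sample of the second half,
    i.e. energy that arrives after the early detection window."""
    return samples[:HALF] + [s + extra for s in samples[HALF:]]

def window_to_metres(window_ns):
    """Distance that a signal travels during window_ns."""
    return window_ns * 1e-9 * C

if __name__ == "__main__":
    for bit in (0, 1):
        s = make_symbol(bit)
        print("bit", bit, "standard:", demod_standard(s), "early:", demod_early(s))
    tampered = add_late_energy(make_symbol(0))
    print("late energy, standard:", demod_standard(tampered), "early:", demod_early(tampered))
    print("half symbol - early window:", round(window_to_metres(SYMBOL_NS // 2 - EARLY_NS)), "m")
    print("early window only:", round(window_to_metres(EARLY_NS), 1), "m")
```

Energy that arrives after the first 62ns changes the standard receiver's decision but not the early-detection receiver's, which is why the slide bounds any decrease by the early detection window.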

Page 34: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Countermeasures

• Beyond IEEE 802.15.4a: other modulations
  – BPSK
  – OOK
  – "Security Enhanced Modulation"
    M. Kuhn, H. Luecken, N. O. Tippenhauer. UWB Impulse Radio Based Distance Bounding. WPNC 2010
  – Secret preamble codes
  – Secret payload time-hopping

Page 35: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Conclusion

• IR-UWB standard IEEE 802.15.4a is vulnerable to a distance-decreasing relay attack
  – 140m distance decrease against energy-detection receivers*
  – Attack enabled by BPPM (de)modulation
• Attack performance
  – 99% success rate at minor SNR cost (few dB)
  – Success rate can be made arbitrarily high

* IEEE 802.15.4a mandatory modes

Page 36: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Ongoing work

• Countermeasures
• Attack with a coherent receiver
  – Exploits the specifics of the convolutional code used in IEEE 802.15.4a
  – Additional 75m distance-decrease
• New physical layer attack against ranging
  – Malicious interference disrupting ToA estimation
  – Less effective and precise, but easy to mount

M. Poturalski, M. Flury, P. Papadimitratos, J-P. Hubaux, J-Y. Le Boudec. The Cicada Attack: Degradation and Denial of Service in IR Ranging. (under submission)

Page 37: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

To learn more…

http://lca.epfl.ch/projects/[email protected]


Page 38: Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging

Attack overview

[Figure: summary timelines for Honest Transmitter (HTX), Honest Receiver (HRX), Adversarial Transmitter (ATX) and Adversarial Receiver (ARX), each showing PREAMBLE and PAYLOAD, with sequences of Si, 0 and -Si symbols. Durations marked: 4096ns; 1024ns; 8ns; 4096ns – 444ns. Labels: acquisition; Start Frame Delimiter; early SFD detection; late SFD commit; "0 Si 0 -Si Si 0 0 -Si"; "match with:"; 0-symbol*; 1-symbol*; comparison ("<>") with outputs → 0 and → 1.]

• preamble is shortened, but still long enough for HRX to acquire
• close enough for HRX to detect the SFD
• standard detection: energy comparison
• early detection: on/off-keying demodulation
• late commit: first half of symbols is identical

relay time-shift: 444ns = 512ns – 68ns = late commit time – early detection time = half symbol duration – channel spread

* Binary Pulse Position Modulation (BPPM)