Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging
Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec
Laboratory for Computer Communications and Applications, EPFL, Switzerland
Third ACM Conference on Wireless Network Security (WiSec '10), March 23, 2010

Secure Ranging aka Distance Bounding
• Wireless device V (Verifier) measures distance dVP to another device P (Prover)
• Based on message time-of-flight
• Adversarial setting:
– External attacks (mafia fraud)
– Malicious prover (distance and terrorist frauds)
dVP = c · tRTT / 2
[Figure: exchange between Verifier V and Prover P; messages NV, (P ⊕ NV, NP), (NV,P,NP,MACPV(NV,P,NP)); tRTT; measured distance vs. actual distance]

Example Application: Tracking
[Figure labels: jewelry store, store monitoring system, RFID tags, secure ranging]

Example Application: Tracking
[Figure labels: jewelry store, store monitoring system, RFID tags; speech bubble: "#@%#& !!! If I could only decrease the measured distance…"]

Other Application Examples
• Tracking:
– assets in warehouse
– inmates
– hospital assets, personnel, patients
– animals
– military personnel and equipment
– …
• RFID access control
• RFID micropayments
• Secure localization
• …

Physical Layer Attacks
• Decrease the measured distance by exploiting physical layer redundancy
  J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006
• Physical layer and receiver specific
– RFID (ISO 14443A) and WSN PHYs
  G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
• Other physical layers?

Impulse Radio UWB
• IR-UWB ranging capabilities:
– high precision (sub meter)
– copes well with multipath propagation
• IEEE 802.15.4a standard
[Figure panels: transmitted signal, received signal, sampled signal (energy detector receiver)]

Our contribution
• Distance-decreasing relay attack against:
– IEEE 802.15.4a standard
– Energy detector receiver
• Distance decrease of up to 140m*
• Attack success rate can be made arbitrarily high
• Components (early detection and late commit) can be used individually by a malicious prover
* IEEE 802.15.4a mandatory modes

Protocol Assumptions
• Rapid bit exchange:
– Transmission of single bits
– Instantaneous reply
– Challenging to implement
– Not compatible with IEEE 802.15.4a
[Figure: Verifier V and Prover P exchange c1, r1, c2, r2, ..., cn, rn]
We assume no rapid bit exchange

Protocol Assumptions
• Several-bit-long ranging messages
• Sufficient if V and P are honest
• With full duplex transmission can cope with malicious prover*
• Compatible with IEEE 802.15.4a
[Figure: Verifier V and Prover P exchange NV, NP, (NV,P,NP,MACPV(NV,P,NP)); tRTT]
* Kasper Bonne Rasmussen, Srdjan Capkun. Location Privacy of Distance Bounding Protocols. CCS 2008

Setup
[Figure: Distance decreasing relay attack. Verifier V, Relay MV, Relay MP, Prover P; messages NV, NP, (NV,P,NP,MACPV(NV,P,NP)) relayed between them; tRTT]

Setup
• HTX: Honest Transmitter
• HRX: Honest Receiver
• ATX: Adversarial Transmitter
• ARX: Adversarial Receiver

Overview
• Challenge 1: Transmission time unknown in advance
• Challenge 2: Payload unknown in advance
[Figure: preamble and payload timelines for HTX, HRX, ATX, ARX; 450ns ~ 135m; labels: early detection, late commit]

Preamble
[Figure: timelines for HTX, HRX, ATX, ARX; preamble symbol Si, 4096ns]

Preamble
[Figure: timelines for HTX, HRX, ATX, ARX; preamble symbol Si repeated]

Preamble
[Figure: timelines for HTX, HRX, ATX, ARX; repeated preamble symbols Si; 4096ns – 450ns; acquisition]

Preamble
[Figure: timelines for HTX, HRX, ATX, ARX; repeated preamble symbols Si followed by Si and 0 symbols; 4096ns – 450ns; acquisition]

Preamble
[Figure: timelines for HTX, HRX, ATX, ARX; Start Frame Delimiter built from Si, 0 and -Si symbols; early SFD detection; normal SFD detection]

Preamble
[Figure: timelines for HTX, HRX, ATX, ARX; Start Frame Delimiter built from Si, 0 and -Si symbols; early SFD detection; late SFD commit; time-shift 450ns]

Payload
[Figure: timelines for HTX, HRX, ATX, ARX; Start Frame Delimiter built from Si, 0 and -Si symbols; early SFD detection; late SFD commit]

Payload
[Figure: timelines for HTX, HRX, ATX, ARX; Binary Pulse Position Modulation; 0-symbol and 1-symbol; 1024ns; 8ns; ~70ns]

Payload
[Figure: timelines for HTX, HRX, ATX, ARX; Binary Pulse Position Modulation, 1024ns, 8ns; 0-symbol and 1-symbol; benign receiver: → 0, → 1]

Payload
[Figure: timelines for HTX, HRX, ATX, ARX; Binary Pulse Position Modulation, 1024ns, 8ns; 0-symbol and 1-symbol; early detection receiver: → 0, → 1; late commit transmitter: → 0, → 1]

Payload
[Figure: timelines for HTX, HRX, ATX, ARX; Binary Pulse Position Modulation, 1024ns, 8ns; 0-symbol and 1-symbol; early detection receiver; late commit transmitter]
relay time-shift 450ns = 512ns – 62ns = half symbol duration – early detection time

Attack Performance
• Evaluation with physical layer simulations
• IEEE 802.15.4a, with:
– 128 bit packets
– residential NLOS channel model
  • based on IR channel measurement campaigns
– LPRF mode (mandatory parameters)

Preamble: Early detection
[Plot: Synchronization Error Ratio vs. ARX SNR [dB]; annotation: 4dB]

Preamble: Late commit
[Plot: Synchronization Error Ratio vs. HRX SNR [dB]; annotation: 4dB]

Payload: Early detection
[Plot: Packet Error Ratio vs. ARX SNR [dB]; annotation: 1.7dB]

Payload: Late commit
[Plot: Packet Error Ratio vs. HRX SNR [dB]; annotation: 4dB]

Overall attack success
[Plot: Probability of attack success vs. Early detection SNR(ARX) and Late commit SNR(HRX)]
>99% attack success probability with SNR 4dB (ARX) and 6dB (HRX) greater than for benign operation
Easily achievable:
• High gain antenna
• Increase transmission power
• Move adversarial devices closer to victim devices

Application example: Tracking
[Figure labels: jail, relay, ???]

Countermeasures
• Decrease payload symbol length
– Our attack gains half of symbol duration
– Non-mandatory IEEE 802.15.4a modes with payload symbol length 32ns (11m)
• Disadvantages:
– Shorter symbols result in worse multi-user interference tolerance
– With very short symbols, inter-symbol interference becomes an issue
J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006

Countermeasures
• Perform early detection at HRX: in place of
– Prevents our attack
– Any attack can decrease the measured distance by at most early detection window duration
  • Example: 62ns or 18m
• Disadvantages:
– Performance loss
[Figure annotation: 1.7dB]
G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
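
The two honest-receiver decisions contrasted on the payload and countermeasure slides, as an added Python sketch that is not part of the presentation: it decodes constructed BPPM energy samples with the standard energy comparison and with early detection, then derives the time-shift bound each receiver leaves. The 2ns sample bin, noise ceiling, burst amplitude, threshold and all function names are assumptions of this toy model; the 1024ns, 512ns and 62ns figures are the slides' own.

```python
import random

C_M_PER_NS = 0.299792458   # speed of light in metres per nanosecond
SYMBOL_NS = 1024           # payload symbol duration (from the slides)
HALF_NS = SYMBOL_NS // 2   # BPPM: burst in first half = 0, second half = 1
EARLY_NS = 62              # early detection window (from the slides)
BIN_NS = 2                 # assumption: sample resolution of this toy model
NOISE_MAX = 0.05           # assumption: per-bin noise energy ceiling

def bppm_symbol(bit, rng):
    """Constructed energy samples for one symbol: a burst spread over
    EARLY_NS at the start of the half selected by `bit`, plus noise."""
    samples = [rng.uniform(0.0, NOISE_MAX) for _ in range(SYMBOL_NS // BIN_NS)]
    start = (HALF_NS // BIN_NS) * bit
    for i in range(start, start + EARLY_NS // BIN_NS):
        samples[i] += 1.0
    return samples

def standard_detect(samples):
    """Energy comparison between the two halves; needs the whole symbol."""
    half = len(samples) // 2
    bit = 0 if sum(samples[:half]) > sum(samples[half:]) else 1
    return bit, SYMBOL_NS

def early_detect(samples):
    """On/off-keying decision on the first EARLY_NS of the symbol only."""
    window = samples[:EARLY_NS // BIN_NS]
    threshold = 0.5 * len(window)   # halfway between noise-only and burst
    bit = 0 if sum(window) > threshold else 1
    return bit, EARLY_NS

def decrease_bound_ns(hrx_uses_early_detection):
    """Worst-case time-shift per the slides: half symbol minus early
    detection time for the standard receiver, else the window itself."""
    return EARLY_NS if hrx_uses_early_detection else HALF_NS - EARLY_NS

def metres(ns):
    return ns * C_M_PER_NS

def compare(bits, seed=1):
    """Decode each bit with both receivers: (bit, (bit, ns), (bit, ns))."""
    rng = random.Random(seed)
    symbols = [(b, bppm_symbol(b, rng)) for b in bits]
    return [(b, standard_detect(s), early_detect(s)) for b, s in symbols]

if __name__ == "__main__":
    for row in compare([0, 1, 1, 0]):
        print(row)
    for early in (False, True):
        ns = decrease_bound_ns(early)
        print(f"HRX early detection={early}: <= {ns} ns = {metres(ns):.1f} m")
```
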

Countermeasures
• Beyond IEEE 802.15.4a: other modulations
– BPSK
– OOK
– “Security Enhanced Modulation”
  M. Kuhn, H. Luecken, N. O. Tippenhauer. UWB Impulse Radio Based Distance Bounding. WPNC 2010
– Secret preamble codes
– Secret payload time-hopping

Conclusion
• IR-UWB standard IEEE 802.15.4a is vulnerable to a distance-decreasing relay attack
– 140m distance decrease against energy-detection receivers*
– Attack enabled by BPPM (de)modulation
• Attack performance
– 99% success rate at minor SNR cost (few dB)
– Success rate can be made arbitrarily high
* IEEE 802.15.4a mandatory modes

Ongoing work
• Countermeasures
• Attack with a coherent receiver
– Exploits the specifics of the convolutional code used in IEEE 802.15.4a
– Additional 75m distance-decrease
• New physical layer attack against ranging
– Malicious interference disrupting ToA estimation
– Less effective and precise, but easy to mount
M. Poturalski, M. Flury, P. Papadimitratos, J-P. Hubaux, J-Y. Le Boudec. The Cicada Attack: Degradation and Denial of Service in IR Ranging. (under submission)

Attack overview
[Figure: PREAMBLE and PAYLOAD timelines for Honest Transmitter (HTX), Honest Receiver (HRX), Adversarial Transmitter (ATX), Adversarial Receiver (ARX); 4096ns, 1024ns, 8ns]
• Preamble: repeated symbols Si; acquisition; 4096ns – 444ns
– preamble is shortened, but still long enough for HRX to acquire
• Start Frame Delimiter: 0 Si 0 -Si Si 0 0 -Si
– early SFD detection; match with:
– late SFD commit: close enough for HRX to detect the SFD
• Payload: 0-symbol*, 1-symbol*
– standard detection: energy comparison
– early detection: on/off-keying demodulation
– late commit: first half of symbols is identical
relay time-shift: 444ns = 512ns – 68ns = late commit time – early detection time = half symbol duration – channel spread
* Binary Pulse Position Modulation (BPPM)