Security Issues in UWB Ranging

Transcript

Effectiveness of Distance Decreasing Attacks
Against Impulse Radio Ranging
Manuel Flury, Marcin Poturalski,
Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec
Laboratory for Computer Communications and Applications, EPFL, Switzerland
Third ACM Conference on Wireless Network Security (WiSec '10)
March 23, 2010
Secure Ranging aka Distance Bounding
• Wireless device V (Verifier) measures distance dVP to another device P (Prover)
• Based on message time-of-flight
• Adversarial setting:
– External attacks (mafia fraud)
– Malicious prover (distance and terrorist frauds)
[Figure: V sends NV to P; P replies (P ⊕ NV, NP) and then (NV, P, NP, MACPV(NV, P, NP)); V measures the round-trip time tRTT and compares the measured dVP with the actual distance]
dVP = c · tRTT / 2
2
Example Application: Tracking
[Figure: a jewelry store monitoring system performing secure ranging to RFID tags]
3
Example Application: Tracking
[Figure: the same jewelry store; a thief's thought bubble reads "#@%#& !!! If I could only decrease the measured distance…"]
4
Other Application Examples
• Tracking:
– assets in warehouse
– inmates
– hospital assets, personnel, patients
– animals
– military personnel and equipment
– …
• RFID access control
• RFID micropayments
• Secure localization
• …
5
Physical Layer Attacks
• Decrease the measured distance by
exploiting physical layer redundancy
J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore.
So near and yet so far: Distance-bounding attacks in
wireless networks. ESAS 2006
• Physical layer and receiver specific
– RFID (ISO 14443A) and WSN PHYs
G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight
distance bounding channels. WiSec 2008
• Other physical layers?
6
Impulse Radio UWB
• IR-UWB ranging capabilities:
– high precision (sub-meter)
– copes well with multipath propagation
[Figure: transmitted signal, received signal, and sampled signal at an energy detector receiver]
• IEEE 802.15.4a standard
7
Our contribution
• Distance-decreasing relay attack against:
– IEEE 802.15.4a standard
– Energy detector receiver
• Distance decrease of up to 140m*
• Attack success rate can be made arbitrarily high
• Components (early detection and late commit)
can be used individually by a malicious prover
8
* IEEE 802.15.4a mandatory modes
Protocol Assumptions
• Rapid bit exchange:
– Transmission of single bits
– Instantaneous reply
• We assume no rapid bit exchange
– Challenging to implement
– Not compatible with IEEE 802.15.4a
[Figure: Verifier V sends single-bit challenges c1, c2, …, cn; Prover P returns single-bit responses r1, r2, …, rn]
9
Protocol Assumptions
• Several-bit-long ranging messages
• Sufficient if V and P are honest
• With full duplex transmission can cope with malicious prover*
• Compatible with IEEE 802.15.4a
[Figure: Verifier V sends NV; Prover P replies NP and then (NV, P, NP, MACPV(NV, P, NP)); V measures tRTT]
* Kasper Bonne Rasmussen, Srdjan Capkun. Location Privacy of Distance Bounding Protocols. CCS 2008
10
Setup
[Figure: distance-decreasing relay attack. Chain Verifier V – Relay MV – Relay MP – Prover P. NV is relayed V → MV → MP → P; NP is relayed back P → MP → MV → V; V measures tRTT; the authenticated (NV, P, NP, MACPV(NV, P, NP)) is relayed the same way, shown as (NV, P, NP, ...) on the relay links]
11
Setup
[Figure: relay chain Honest Transmitter (HTX) → Adversarial Receiver (ARX) → Adversarial Transmitter (ATX) → Honest Receiver (HRX)]
12
Overview
[Figure: the HTX frame (preamble, payload) is received by ARX, which applies early detection; ATX applies late commit when forwarding to HRX; the relayed frame is time-shifted by 450ns ~ 135m]
Challenge 1: Transmission time unknown in advance
Challenge 2: Payload unknown in advance
13
Preamble
[Figure: HTX sends a sequence of preamble symbols Si, each 4096ns long; ARX, ATX and HRX timelines are still empty]
14
Preamble
[Figure: HTX continues transmitting the repeated preamble symbols Si; nothing yet on the ARX, ATX and HRX timelines]
15
Preamble
[Figure: ARX acquires the preamble after several symbols Si; ATX then starts sending preamble symbols Si, marked "4096ns – 450ns" relative to the HTX symbols; HRX receives a shortened preamble]
16
Preamble
[Figure: same timelines continued; at the end of the HTX preamble the symbol pattern changes from repeated Si to the 0 / Si start of the Start Frame Delimiter, while ATX and HRX still carry the relayed Si symbols ("4096ns – 450ns")]
17
Preamble
Start Frame Delimiter
[Figure: HTX sends the SFD sequence … Si, 0, Si, 0, −Si, Si, 0, 0, −Si; ARX performs early SFD detection instead of normal SFD detection at the end of the sequence; ATX and HRX timelines still show repeated Si preamble symbols]
18
Preamble
Start Frame Delimiter
[Figure: HTX sends the SFD sequence … Si, 0, Si, 0, −Si, Si, 0, 0, −Si; ARX detects the SFD early; ATX commits the SFD late; HRX receives the SFD sequence on a timeline time-shifted by 450ns]
19
Payload
Start Frame Delimiter
[Figure: same early SFD detection / late SFD commit timelines as the previous slide, leading into the payload]
20
Payload
[Figure: Binary Pulse Position Modulation: a 1024ns symbol with 8ns bins; the 0-symbol carries its burst in the first half, the 1-symbol in the second half (marker "~70ns"); HTX, ARX, ATX, HRX timelines]
21
Payload
[Figure: same BPPM symbols (1024ns, 8ns bins); a benign receiver compares the energy of the two halves: first half larger → 0, second half larger → 1]
22
Payload
[Figure: same BPPM symbols; ARX is an early detection receiver deciding →0 / →1 from the start of each symbol; ATX is a late commit transmitter; HRX still compares half-symbol energies (first half larger → 0, second half larger → 1)]
23
Payload
[Figure: early detection receiver (ARX), late commit transmitter (ATX) and HRX energy comparison on the 1024ns / 8ns BPPM symbols]
relay time-shift 450ns = 512ns – 62ns = half symbol duration – early detection time
24
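The payload mechanics of slides 21 to 24 as an added Python illustration (not the authors' simulator; slide 38 restates the same components with 444ns and 68ns): an honest BPPM symbol, the HRX energy comparison, the ARX early detection decision taken on the first 62ns, and a late commit ATX symbol whose first half is identical for both values. Burst placement at the start of a half and the half-energy first half of the late commit symbol are assumptions of this model, not figures from the page.

```python
# Added illustration of the payload attack components on slides 21-24 (restated
# on slide 38); not the authors' simulator. Page constants: 1024 ns BPPM symbol,
# 8 ns bins, 62 ns early-detection window, 450 ns relay time-shift. Energies
# are noise-free; burst position and the late-commit first-half level are assumed.
C_M_PER_NS = 0.299792458                  # speed of light, metres per ns
SYMBOL_NS, BIN_NS, EARLY_NS = 1024, 8, 62
HALF_BINS = SYMBOL_NS // (2 * BIN_NS)     # 64 bins per half symbol
EARLY_BINS = (EARLY_NS + BIN_NS - 1) // BIN_NS   # 8 bins cover 62 ns
PULSE = 1.0                               # nominal burst energy per bin (assumed)
EMPTY = [0.0] * HALF_BINS                 # half symbol carrying no burst

def burst(level):
    """Half symbol with a burst at its start (the standard time-hops it)."""
    return [level] * EARLY_BINS + [0.0] * (HALF_BINS - EARLY_BINS)

def bppm_symbol(bit):
    """Honest HTX: burst in the first half for 0, in the second half for 1."""
    return burst(PULSE) + EMPTY if bit == 0 else EMPTY + burst(PULSE)

def energy_detect(bins):
    """Standard HRX demodulation: energy comparison of the two halves."""
    return 0 if sum(bins[:HALF_BINS]) > sum(bins[HALF_BINS:]) else 1

def decision_margin(bins):
    """Energy difference the HRX decides on; less margin costs SNR."""
    return abs(sum(bins[:HALF_BINS]) - sum(bins[HALF_BINS:]))

def early_detect(bins, threshold=0.0):
    """ARX on/off-keying demodulation on the first EARLY_NS of the symbol only."""
    return 0 if sum(bins[:EARLY_BINS]) > threshold else 1

def late_commit_symbol(bit):
    """ATX: the first half is sent before the bit is known, so it is identical
    for 0 and 1 (half-energy burst, assumed); the second half commits the bit."""
    return burst(PULSE / 2) + (EMPTY if bit == 0 else burst(PULSE))

def relay_time_shift_ns():
    """Earliest ATX start per symbol: half a symbol minus early-detection time."""
    return SYMBOL_NS // 2 - EARLY_NS

def distance_decrease_m(shift_ns):
    """Advancing the reply by shift_ns shrinks the verifier's c * tRTT / 2."""
    return shift_ns * C_M_PER_NS

def relay_payload(bits):
    """Each honest symbol through ARX early detection and ATX late commit;
    returns what the HRX energy detector recovers."""
    return [energy_detect(late_commit_symbol(early_detect(bppm_symbol(b))))
            for b in bits]
```

The relay chain recovers every bit while the ATX starts each symbol 450ns early (about 135m of range), and the halved decision margin at the HRX is the SNR cost the late commit pays in this model.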
Attack Performance
• Evaluation with physical layer simulations
• IEEE 802.15.4a, with:
– 128 bit packets
– residential NLOS channel model
• based on IR channel measurement campaigns
– LPRF mode (mandatory parameters)
25
Synchronization Error Ratio
Preamble: Early detection
[Plot: synchronization error ratio versus ARX SNR [dB]; the marked gap to benign operation is 4dB]
26
Synchronization Error Ratio
Preamble: Late commit
[Plot: synchronization error ratio versus HRX SNR [dB]; the marked gap to benign operation is 4dB]
27
Packet Error Ratio
Payload: Early detection
[Plot: packet error ratio versus ARX SNR [dB]; the marked gap to benign operation is 1.7dB]
28
Packet Error Ratio
Payload: Late commit
[Plot: packet error ratio versus HRX SNR [dB]; the marked gap to benign operation is 4dB]
29
Overall attack success
[Plot: probability of attack success versus early detection SNR (ARX) and late commit SNR (HRX)]
>99% attack success probability with SNR 4dB (ARX) and 6dB (HRX) greater than for benign operation
Easily achievable:
• High gain antenna
• Increase transmission power
• Move adversarial devices (ARX) closer to victim devices (HRX)
30
Application example: Tracking
[Figure: jail tracking scenario with a relay; the monitoring system shows "???"]
31
Countermeasures
• Decrease payload symbol length
– Our attack gains half of symbol duration
– Non-mandatory IEEE 802.15.4a modes with
payload symbol length 32ns (11m)
• Disadvantages:
– Shorter symbols result in worse multi-user
interference tolerance
– With very short symbols, inter-symbol
interference becomes an issue
J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore.
So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006
32
Countermeasures
• Perform early detection at HRX
[Figure: early detection at HRX, in place of standard detection]
– Prevents our attack
– Any attack can decrease the measured distance by at most the early detection window duration
• Example: 62ns or 18m
• Disadvantages:
– Performance loss: 1.7dB
G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
33
Countermeasures
• Beyond IEEE 802.15.4a: other modulations
– BPSK
– OOK
– “Security Enhanced Modulation”
M. Kuhn, H. Luecken, N. O. Tippenhauer. UWB Impulse Radio
Based Distance Bounding. WPNC 2010
– Secret preamble codes
– Secret payload time-hopping
34
Conclusion
• IR-UWB standard IEEE 802.15.4a is vulnerable to a
distance-decreasing relay attack
– 140m distance decrease against energy-detection
receivers*
– Attack enabled by BPPM (de)modulation
• Attack performance
– 99% success rate at minor SNR cost (few dB)
– Success rate can be made arbitrarily high
35
* IEEE 802.15.4a mandatory modes
Ongoing work
• Countermeasures
• Attack with a coherent receiver
– Exploits the specifics of the convolutional code
used in IEEE 802.15.4a
– Additional 75m distance-decrease
• New physical layer attack against ranging
– Malicious interference disrupting ToA estimation
– Less effective and precise, but easy to mount
M. Poturalski, M. Flury, P. Papadimitratos, J-P. Hubaux, J-Y. Le Boudec.
The Cicada Attack: Degradation and Denial of Service in IR Ranging. (under submission)
36
To learn more…
http://lca.epfl.ch/projects/snd
[email protected]
37
Attack overview
[Figure: timelines of Honest Transmitter (HTX), Adversarial Receiver (ARX), Adversarial Transmitter (ATX) and Honest Receiver (HRX) across the PREAMBLE (4096ns symbols Si), the Start Frame Delimiter (… Si, 0, Si, 0, −Si, Si, 0, 0, −Si) and the PAYLOAD (1024ns symbols with 8ns bins, 0-symbol* and 1-symbol*)]
Annotations:
– acquisition at ARX; early SFD detection; late SFD commit
– early detection: on/off-keying demodulation (→0 / →1)
– late commit: first half of symbols is identical
– standard detection: energy comparison (match with: first half larger → 0, second half larger → 1)
– preamble is shortened (4096ns – 444ns), but still long enough for HRX to acquire
– close enough for HRX to detect the SFD
relay time-shift: 444ns = 512ns – 68ns
= late commit time – early detection time
= half symbol duration – channel spread
*Binary Pulse Position Modulation (BPPM)
38