Slide 1
Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging
Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec
Laboratory for Computer Communications and Applications, EPFL, Switzerland
Third ACM Conference on Wireless Network Security (WiSec '10), March 23, 2010
Slide 2
Secure Ranging, aka Distance Bounding
- Wireless device V (Verifier) measures the distance d_VP to another device P (Prover)
- Based on message time-of-flight
- Adversarial setting:
  - External attacks (mafia fraud)
  - Malicious prover (distance and terrorist frauds)
[Figure: V sends N_V to P; P answers (P ⊕ N_V, N_P); the round-trip time t_RTT gives d_VP = c · t_RTT / 2; P then sends (N_V, P, N_P, MAC_PV(N_V, P, N_P)). The measured distance d_VP is compared with the actual distance.]
Slide 3
Example Application: Tracking
[Figure: jewelry store with a store monitoring system; RFID tags on the items are tracked by secure ranging.]
Slide 4
Example Application: Tracking
[Figure: the same jewelry store; a thief carrying an RFID-tagged item thinks: "#@%#& !!! If I could only decrease the measured distance…"]
Slide 5
Other Application Examples
- Tracking:
  - assets in a warehouse
  - inmates
  - hospital assets, personnel, patients
  - animals
  - military personnel and equipment
  - …
- RFID access control
- RFID micropayments
- Secure localization
- …
Slide 6
Physical Layer Attacks
- Decrease the measured distance by exploiting physical layer redundancy
  J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006
- Physical layer and receiver specific
- RFID (ISO 14443A) and WSN PHYs
  G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
- Other physical layers?
Slide 7
Impulse Radio UWB
- IR-UWB ranging capabilities:
  - high precision (sub-meter)
  - copes well with multipath propagation
- IEEE 802.15.4a standard
[Figure: transmitted signal, received signal, sampled signal (energy detector receiver).]
Slide 8
Our contribution
- Distance-decreasing relay attack against:
  - IEEE 802.15.4a standard
  - Energy detector receiver
- Distance decrease of up to 140 m*
- Attack success rate can be made arbitrarily high
- Components (early detection and late commit) can be used individually by a malicious prover
* IEEE 802.15.4a mandatory modes
Slide 9
Protocol Assumptions
- Rapid bit exchange:
  - Transmission of single bits
  - Instantaneous reply
  - Challenging to implement
  - Not compatible with IEEE 802.15.4a
[Figure: V sends challenge bits c_1, c_2, …, c_n; P answers each with a response bit r_1, r_2, …, r_n.]
We assume no rapid bit exchange
Slide 10
Protocol Assumptions
- Several-bit-long ranging messages
- Sufficient if V and P are honest
- With full duplex transmission can cope with a malicious prover*
- Compatible with IEEE 802.15.4a
[Figure: V sends N_V; P answers N_P, which determines t_RTT; P then sends (N_V, P, N_P, MAC_PV(N_V, P, N_P)).]
* Kasper Bonne Rasmussen, Srdjan Capkun. Location Privacy of Distance Bounding Protocols. CCS 2008
Slide 11
Setup
Distance decreasing relay attack
[Figure: Verifier V, Relay M_V, Relay M_P, Prover P. N_V is relayed from V through M_V and M_P to P, N_P is relayed back the same way, and (N_V, P, N_P, MAC_PV(N_V, P, N_P)) follows; V measures t_RTT.]
Slide 12
Setup
- HTX: Honest Transmitter
- HRX: Honest Receiver
- ARX: Adversarial Receiver
- ATX: Adversarial Transmitter
Slide 13
Overview
[Figure: HTX sends preamble and payload; ARX receives them and ATX re-transmits them to HRX shifted earlier by 450 ns (~135 m). Labels: early detection, late commit.]
- Challenge 1: Transmission time unknown in advance (preamble)
- Challenge 2: Payload unknown in advance (payload)
Slide 14
Preamble
[Figure: HTX, HRX, ATX and ARX timelines; one preamble symbol S_i lasts 4096 ns.]
Slide 15
Preamble
[Figure: the preamble is a repetition of the same symbol: S_i S_i S_i … S_i.]
Slide 16
Preamble
[Figure: HTX transmits S_i S_i S_i …; ARX spends the first symbols on acquisition; ATX then forwards the repeated S_i sequence to HRX. Label: 4096 ns – 450 ns.]
Slide 17
Preamble
[Figure: the Start Frame Delimiter (a sequence of S_i, -S_i and 0 symbols) following the preamble on the HTX, ARX, ATX and HRX timelines. Labels: acquisition, 4096 ns – 450 ns.]
Slide 18
Preamble
[Figure: Start Frame Delimiter timelines; labels: early SFD detection (ARX), normal SFD detection (HRX).]
Slide 19
Preamble
[Figure: Start Frame Delimiter timelines; labels: early SFD detection (ARX), late SFD commit (ATX), time-shift 450 ns.]
Slide 20
Payload
[Figure: the Start Frame Delimiter timelines of slide 19 (early SFD detection, late SFD commit), leading into the payload.]
Slide 21
Payload
Binary Pulse Position Modulation
[Figure: HTX, HRX, ATX and ARX timelines; a 1024 ns symbol built from 8 ns pulses, with the 0-symbol and the 1-symbol distinguished by the position of the burst within the symbol. Label: ~70 ns.]
Slide 22
Payload
Binary Pulse Position Modulation
[Figure: benign receiver compares the energy of the two symbol halves (< / >) and decides → 0 or → 1. Labels: 1024 ns, 8 ns, 0-symbol, 1-symbol.]
Slide 23
Payload
Binary Pulse Position Modulation
[Figure: early detection receiver (ARX) decides → 0 or → 1 from the beginning of each symbol; late commit transmitter (ATX) re-transmits accordingly, and HRX's energy comparison (< / >) still yields → 0 or → 1. Labels: 1024 ns, 8 ns, 0-symbol, 1-symbol.]
Slide 24
Payload
Binary Pulse Position Modulation
[Figure: early detection receiver and late commit transmitter as on slide 23.]
relay time-shift 450 ns = 512 ns – 62 ns = half symbol duration – early detection time
Slide 25
Attack Performance
- Evaluation with physical layer simulations
- IEEE 802.15.4a, with:
  - 128 bit packets
  - residential NLOS channel model based on IR channel measurement campaigns
  - LPRF mode (mandatory parameters)
Slide 26
Preamble: Early detection
[Plot: Synchronization Error Ratio vs ARX SNR [dB]; annotated 4 dB.]
Slide 27
Preamble: Late commit
[Plot: Synchronization Error Ratio vs HRX SNR [dB]; annotated 4 dB.]
Slide 28
Payload: Early detection
[Plot: Packet Error Ratio vs ARX SNR [dB]; annotated 1.7 dB.]
Slide 29
Payload: Late commit
[Plot: Packet Error Ratio vs HRX SNR [dB]; annotated 4 dB.]
Slide 30
Overall attack success
[Plot: Probability of attack success vs early detection SNR (ARX) and late commit SNR (HRX).]
- >99% attack success probability with SNR 4 dB (ARX) and 6 dB (HRX) greater than for benign operation
- Easily achievable:
  - High gain antenna
  - Increase transmission power
  - Move adversarial devices closer to victim devices
Slide 31
Application example: Tracking
[Figure: jail, relay, ???]
Slide 32
Countermeasures
- Decrease payload symbol length
  - Our attack gains half of the symbol duration
  - Non-mandatory IEEE 802.15.4a modes with payload symbol length 32 ns (11 m)
  - Disadvantages:
    - Shorter symbols result in worse multi-user interference tolerance
    - With very short symbols, inter-symbol interference becomes an issue
J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006
Slide 33
Countermeasures
- Perform early detection at HRX, in place of standard (energy comparison) detection
  - Prevents our attack
  - Any attack can decrease the measured distance by at most the early detection window duration
  - Example: 62 ns or 18 m
  - Disadvantages: Performance loss (1.7 dB)
G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
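The two payload demodulators these slides contrast, as an added Python model that is not part of the deck: the benign energy-comparison receiver of slide 22, the early-detection receiver proposed as a countermeasure, the distance a per-direction time shift removes from d_VP = c · t_RTT / 2 (450 ns versus the 62 ns window), and a seeded Monte Carlo symbol error ratio showing the SNR price of deciding early. The 1 ns sample bins, the linear burst decay, the chi-square noise model and the standard receiver's integration window are assumptions of this example, not parameters from the slides.

```python
import random

# Slide parameters (IEEE 802.15.4a LPRF mandatory mode): 1024 ns BPPM symbol, ~70 ns channel
# spread, 62 ns early-detection window. 1 ns bins, linear burst decay and noise model are assumptions.
SYMBOL_NS = 1024
HALF_NS = SYMBOL_NS // 2
SPREAD_NS = 70
EARLY_NS = 62
C_M_PER_NS = 0.2998  # speed of light in metres per nanosecond


def bppm_symbol(bit, energy=1.0):
    """Constructed energy samples for one BPPM symbol: burst in the half selected by the bit."""
    samples = [0.0] * SYMBOL_NS
    start = HALF_NS if bit else 0
    for k in range(SPREAD_NS):  # burst energy decays across the channel spread
        samples[start + k] = energy * (1.0 - k / SPREAD_NS)
    return samples

def demod_standard(samples):
    """Benign receiver (slide 22): compare energy around the two burst positions (assumed window)."""
    e0 = sum(samples[:SPREAD_NS])
    e1 = sum(samples[HALF_NS:HALF_NS + SPREAD_NS])
    return 0 if e0 >= e1 else 1

def early_threshold(n0):
    """OOK threshold for the early window: expected noise energy plus half the burst energy."""
    return EARLY_NS * n0 + sum(bppm_symbol(0)[:EARLY_NS]) / 2.0

def demod_early(samples, n0):
    """Early-detection receiver (slide 33): decide on the first EARLY_NS ns only, as on/off keying."""
    return 0 if sum(samples[:EARLY_NS]) > early_threshold(n0) else 1

def distance_gain_m(time_shift_ns):
    """Distance removed from d_VP = c*t_RTT/2 by a per-direction time shift: 450 ns ~ 135 m, 62 ns ~ 18 m."""
    return C_M_PER_NS * time_shift_ns

def symbol_error_ratio(demod, n0, n_symbols=1000, seed=7):
    """Monte Carlo symbol error ratio with constructed chi-square noise of mean n0 per bin."""
    rng = random.Random(seed)
    errors = 0
    for _ in range(n_symbols):
        bit = rng.randint(0, 1)
        noisy = [x + n0 * rng.gauss(0.0, 1.0) ** 2 for x in bppm_symbol(bit)]
        errors += demod(noisy) != bit  # early detection pays an SNR price (slides 28, 33)
    return errors / n_symbols
```

At equal noise level the early receiver's error ratio exceeds the standard receiver's, while the distance an attacker can shave drops from the 450 ns shift of the mandatory mode to at most the 62 ns window.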
Slide 34
Countermeasures
- Beyond IEEE 802.15.4a: other modulations
  - BPSK
  - OOK
  - "Security Enhanced Modulation": M. Kuhn, H. Luecken, N. O. Tippenhauer. UWB Impulse Radio Based Distance Bounding. WPNC 2010
- Secret preamble codes
- Secret payload time-hopping
Slide 35
Conclusion
- IR-UWB standard IEEE 802.15.4a is vulnerable to a distance-decreasing relay attack
  - 140 m distance decrease against energy-detection receivers*
  - Attack enabled by BPPM (de)modulation
- Attack performance
  - 99% success rate at minor SNR cost (few dB)
  - Success rate can be made arbitrarily high
* IEEE 802.15.4a mandatory modes
Slide 36
Ongoing work
- Countermeasures
- Attack with a coherent receiver
  - Exploits the specifics of the convolutional code used in IEEE 802.15.4a
  - Additional 75 m distance decrease
- New physical layer attack against ranging
  - Malicious interference disrupting ToA estimation
  - Less effective and precise, but easy to mount
M. Poturalski, M. Flury, P. Papadimitratos, J-P. Hubaux, J-Y. Le Boudec. The Cicada Attack: Degradation and Denial of Service in IR Ranging. (under submission)
Slide 37
To learn more…
http://lca.epfl.ch/projects/snd
marcin.poturalski@epfl.ch
Slide 38
Attack overview
[Figure: four timelines, Honest Transmitter (HTX), Adversarial Receiver (ARX), Adversarial Transmitter (ATX), Honest Receiver (HRX), each showing PREAMBLE then PAYLOAD.]
- Preamble: repeated symbols S_i (4096 ns each); ARX uses the first ones for acquisition; the relayed preamble is shortened, but still long enough for HRX to acquire (label: 4096 ns – 444 ns)
- Start Frame Delimiter 0 S_i 0 -S_i S_i 0 0 -S_i: early SFD detection at ARX; ATX matches it with a late SFD commit, close enough for HRX to detect the SFD
- Payload (1024 ns symbols, 8 ns pulses): 0-symbol*, 1-symbol*
  - standard detection: energy comparison (< / >, → 0 / → 1)
  - early detection: on/off-keying demodulation
  - late commit: first half of symbols is identical
- relay time-shift: 444 ns = 512 ns – 68 ns = late commit time – early detection time = half symbol duration – channel spread
*Binary Pulse Position Modulation (BPPM)