Janis Tiemann,Johannes Friedrich,Christian Wietfeld

DOI: https://doi.org/10.3390/s22041643

IF: 3.9

2022-02-19

Sensors

Abstract:The rise of precise wireless localization for industrial and consumer use is continuing to challenge a significant amount of research. Recently the new ultra-wideband standard IEEE 802.15.4z was released to increase both the robustness and security of the underlying message exchanges. Due to the lack of accessible transceivers, most of the current research on this is of theoretical nature though. This work provides the first experimental evaluation of the ranging performance in realistic environments and also assesses the robustness to different sources of interference. To evaluate the individual aspects, a set of three different experiments are conducted. One experiment with realistic movement and two additional with targeted interference. It could be shown that the cryptographic additions of the new standard can provide sufficient information to improve the reliability of the ranging results under multi-user interference significantly.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Li Lu,Muhammad Jawad Hussain,Zhigang Han

DOI: https://doi.org/10.1109/twc.2016.2532858

IF: 10.4

2016-01-01

IEEE Transactions on Wireless Communications

Abstract:We present a physical layer solution to RF distance bounding, which reduces the prover's processing delay virtually to zero by employing the concepts of frequency modulated continuous wave (FMCW) and secondary radars, and equipping it with the capability of cryptographic communication over unintelligent radar signals. To realize, we encode the verifier's challenges in waveform slope of signals while the prover communicates its cryptographic replies in shape of backscatter modulation. For resilience to multipath, the prover introduces analog frequency modulation using the principle of secondary radar. Our protocol is based on pre-commitment distance bounding scheme. Our paper primarily focuses on design intricacies of a realizable system while we briefly present the simulation results. We critically analyze the security of our protocol against attacksmost concerned in distance bounding and thoroughly investigate its robustness under noise and multipath environments. A shortcoming of our design is low range resolution at lower spectral bandwidths, which can be foretoken as system tolerance. We foresee our endeavor to present a viable zero-delay RF distance bounding scheme while minimizing the hardware, energy, and computational overhead for passive and semipassive tokens.

Wenlong Gou,Chuanhang Yu,Gang Wu

2024-06-10

Abstract:In order to mitigate the distance reduction attack in Ultra-Wide Band (UWB) ranging, this paper proposes a secure ranging scheme based on a random time-hopping mechanism without redundant signaling overhead. Additionally, a secure ranging strategy is designed for backward compatibility with existing standards such as IEEE 802.15.4a/z, combined with an attack detection scheme. The effectiveness and feasibility of the proposed strategy are demonstrated through both simulation and experimental results in the case of the Ghost Peak attack, as demonstrated by Patrick Leu et al. The random time-hopping mechanism is verified to be capable of reducing the success rate of distance reduction attacks to less than 0.01%, thereby significantly enhancing the security of UWB ranging.

Signal Processing,Cryptography and Security

Claudio Anliker,Giovanni Camurati,Srdjan Capkun

DOI: https://doi.org/10.48550/arXiv.2305.09433

2023-05-16

Abstract:Due to its suitability for wireless ranging, Ultra-Wide Band (UWB) has gained traction over the past years. UWB chips have been integrated into consumer electronics and considered for security-relevant use cases, such as access control or contactless payments. However, several publications in the recent past have shown that it is difficult to protect the integrity of instance measurements on the physical layer. In this paper, we identify transceiver clock imperfections as a new, important parameter that has been widely ignored so far. We present Mix-Down and Stretch-and-Advance, two novel attacks against the current (IEEE 802.15.4z) and the upcoming (IEEE 802.15.4ab) UWB standard, respectively. We demonstrate Mix-Down on commercial chips and achieve distance reduction from 10 m to 0 m. For the Stretch-and-Advance attack, we show analytically that the current proposal of IEEE 802.15.4ab allows reductions of over 90 m. In order to prevent the attack, we propose and analyze an effective countermeasure.

Cryptography and Security

Patrick Leu,Giovanni Camurati,Alexander Heinrich,Marc Roeschlin,Claudio Anliker,Matthias Hollick,Srdjan Capkun,Jiska Classen

DOI: https://doi.org/10.48550/arXiv.2111.05313

2021-11-10

Abstract:We present the first over-the-air attack on IEEE 802.15.4z High-Rate Pulse Repetition Frequency (HRP) Ultra-WideBand (UWB) distance measurement systems. Specifically, we demonstrate a practical distance reduction attack against pairs of Apple U1 chips (embedded in iPhones and AirTags), as well as against U1 chips inter-operating with NXP and Qorvo UWB chips. These chips have been deployed in a wide range of phones and cars to secure car entry and start and are projected for secure contactless payments, home locks, and contact tracing systems. Our attack operates without any knowledge of cryptographic material, results in distance reductions from 12m (actual distance) to 0m (spoofed distance) with attack success probabilities of up to 4%, and requires only an inexpensive (USD 65) off-the-shelf device. Access control can only tolerate sub-second latencies to not inconvenience the user, leaving little margin to perform time-consuming verifications. These distance reductions bring into question the use of UWB HRP in security-critical applications.

Cryptography and Security

Ioan Domuta,Tudor Petru Palade,Emanuel Puschita,Andra Pastrav

DOI: https://doi.org/10.3390/s20185422

2020-09-22

Abstract:Due to the known issue that the ranging in the 802.15.4™-2015 standard is prone to external attacks, the enhanced impulse radio (EiR), a new amendment still under development, advances the secure ranging protocol by encryption of physical layer (PHY) timestamp sequence using the AES-128 encryption algorithm. This new amendment brings many changes and enhancements which affect the impulse-radio ultra-wideband (IR-UWB) ranging procedures. The timestamp detection is the base factor in the accuracy of range estimation and inherently in the localization precision. This paper analyses the key parts of PHY which have a great contribution in timestamp estimation precision, particularly: UWB pulse, channel sounding and timestamp estimation using ciphered sequence and frequency selective fading. Unlike EiR, where the UWB pulse is defined in the time domain, in this article, the UWB pulse is synthesized from the power spectral density mask, and it is shown that the use of the entire allocated spectrum results in a decrease in risetime, an increase in pulse amplitude, and an attenuation of lateral lobes. The paper proposes a random spreading of the scrambled timestamp sequence (STS), resulting in an improvement in timestamp estimation by the attenuation lateral lobes of the correlation. The timestamp estimation in the noisy channels with non-line-of-sight and multipath propagation is achieved by cross-correlation of the received STS with the locally generated replica of STS. The propagation in the UWB channel with frequency selective fading results in small errors in the timestamp detection.

Tien D. Vo-Huu,Triet D. Vo-Huu,Guevara Noubir

DOI: https://doi.org/10.48550/arXiv.2010.08901

2020-10-27

Abstract:Secure ranging is poised to play a critical role in several emerging applications such as self-driving cars, unmanned aerial systems, wireless IoT devices, and augmented reality. In this paper, we propose a design of a secure broadcast ranging systems with unique features and techniques. Its spectral-flexibility, and low-power short ranging bursts enable co-existence with existing systems such as in the 2.4GHz ISM band. We exploit a set of RF techniques such as upsampling and successive interference cancellation to achieve high accuracy and scalability to tens of reflectors even when operating over narrow bands of spectrum. We demonstrate that it can be implemented on popular SDR platforms FPGA and/or hosts (with minimal FPGA modifications). The protocol design, and cryptographically generated/detected signals, and randomized timing of transmissions, provide stealth and security against denial of service, sniffing, and distance manipulation attacks. Through extensive experimental evaluations (and simulations for scalability to over 100 reflectors) we demonstrate an accuracy below 20cm on a wide range of SNR (as low as 0dB), spectrum 25MHz-100MHz, with bursts as short as 5us.

Cryptography and Security

Zhang Tingting,Zhang Qinyu,Zhang Naitong,Xu Hongguang

2009-01-01

Abstract:To evaluate the ranging performance of impulse radio ultra wideband (IR-UWB) signals, an experiment is performed in a typical indoor environment. In order to mitigate the ranging error caused by theoretical algorithm and practical circuits, one way-time difference of the arrival (OW-TDOA) ranging method and corresponding approaches are proposed and carried out according to the structure of UWB transceivers. Generalized maximum likelihood (GML) estimator based on energy detection is applied for the time of arrival estimation. The obtained results show that this UWB ranging system can achieve a relative high ranging accuracy in a multipath environment (e.g. about 5 cm at ranges up to 6 m), which is practical and meaningful for many sensor applications.

Yiyin Wang,Ma, Xiaoli,Leus, G.

DOI: https://doi.org/10.1109/icuwb.2010.5615052

2010-01-01

Abstract:The two-way ranging (TWR) protocol has been adopted in the IEEE 802.15.4a standard for wireless networks. However, it is vulnerable to malicious attacks (e.g., internal attacks). An internal ranging attack here refers to a fraudulent timestamp report. For example, a compromised sensor node tampers its timestamp report to spoof its processing time in order to malignly decrease or enlarge distance measurements, or a sensor node submits an inaccurate timestamp report due to the clock drift. In this paper, we propose an UWB ranging-based localization strategy, which is immune to the internal ranging attack. Regardless of the honesty of the timestamp report from a sensor node, we could still estimate the position of the sensor node accurately. We show how to defeat a ranging attack by taking it into account in the development of a localization algorithm.

Fei Sun,Huarui Yin,Weidong Wang

DOI: https://doi.org/10.1109/VETECF.2011.6092838

2011-01-01

Abstract:The ranging implementation for IEEE 802.15.4a systems usually requires for high sampling rate high resolution ADCs, which are too complicated and power-hungry for realization. Recent methods have been proposed to make tradeoffs, such as limiting amplitude resolution to a few bits, which results in finite-resolution quantization receiver. In this paper, the influence of the low-bit quantizer on UWB time-of-arrival (TOA) estimation is investigated. Likelihood ratio test (LRT) and involved generalized Neyman-Pearson lemma are used to optimize the TOA estimation performance. Several types of the low-bit and full-resolution digital receivers are compared via Monte Carlo simulation. We demonstrate that our scheme provides obvious superiority than the traditional uniform quantizer with little complexity increase. Furthermore, 3-bit receiver is proved good enough since it can approach the performance bound achieved by the full-resolution receiver.

Chuanying Zhai,Zhuo Zou,Qin Zhou,Lirong Zheng

DOI: https://doi.org/10.1109/icwits.2012.6417741

2012-01-01

Abstract:In this work, we further demonstrate the passive UWB-RFID positioning system by using a Software Defined Radio (SDR) platform. The SDR platform works as the UWB reader network to perform the ToA estimations and the time-difference-of-arrival (TDoA) positioning calculation. It is implemented by an oscilloscope and a set of off-shelf components. The oscilloscope features high-speed real-time sampling (40 GS/s), with 4 independent synchronized channels, enabling the multi-antenna multi-channel receiver realization in UWB bands with signal processing capability. The algorithms are evaluated and the system concept is demonstrated. According to the experimental results, the SDR platform using 4 receiver nodes successfully realizes the real-time positioning and achieves an average positioning with a best accuracy of 4 cm root-mean-square-error (RMSE) in 1m×1m area.

Pablo Corbalán,Gian Pietro Picco

DOI: https://doi.org/10.48550/arXiv.2004.06324

2020-07-21

Abstract:We propose a novel concurrent ranging technique for distance estimation with ultra-wideband (UWB) radios. Conventional schemes assume that the necessary packet exchanges occur in isolation, to avoid collisions. Concurrent ranging relies on the overlapping of replies from nearby responders to the same ranging request issued by an initiator node. As UWB transmissions rely on short pulses, the individual times of arrival can be discriminated by examining the channel impulse response (CIR) of the initiator transceiver. By ranging against N responders with a single, concurrent exchange, our technique drastically abates network overhead, enabling higher ranging frequency with lower latency and energy consumption w.r.t. conventional schemes. Concurrent ranging can be implemented with a strawman approach requiring minimal changes to standard schemes. Nevertheless, we empirically show that this limits the attainable accuracy, reliability, and therefore applicability. We identify the main challenges in realizing concurrent ranging without dedicated hardware and tackle them by contributing several techniques, used in synergy in our prototype based on the popular DW1000 transceiver. Our evaluation, with static targets and a mobile robot, confirms that concurrent ranging reliably achieves decimeter-level distance and position accuracy, comparable to conventional schemes but at a fraction of the network and energy cost.

Networking and Internet Architecture,Signal Processing,Systems and Control

Z. G. Fan,S. Qiao,J. T. Huangfu,L. X. Ran

DOI: https://doi.org/10.2528/pier07021501

2007-01-01

Abstract:In this paper, signal descriptions and formulations for the radio frequency ( RF) front-end of a passive backscatter radio frequency identification ( RFID) reader working at ultra high frequencies ( UHF) are discussed in detail, and a set of design considerations aiming to improve the read range are outlined. The reader's architecture is proposed and the design details of its RF frond-end are presented. The read range is formulated through calculating the time-averaging power absorbed by the tag and the signal-noise-ratio ( SNR) of the demodulation, and accordingly RFID systems can be classified into tag-determining and reader-determining ones. It is concluded that the gain of the reader antenna, the phase noise of the local oscillation ( LO) and the receive-transmit isolation coefficient dominate the demodulation output noise of the reader, and consequently the reader-determining maximum operational distance. A prototype reader working at the frequency of 915MHz was built with off-the-shelf components and was evaluated with a commercial tag in an indoor environment. The measured results show that this RFID system is of tag-determining and has a read range of 8.4 meters, which are in good agreement with the calculated results.

Chuanying Zhai,Zhuo Zou,Lirong Zheng

DOI: https://doi.org/10.1109/icuwb.2012.6340400

2012-01-01

Abstract:This paper presents a software defined radio (SDR) platform for Impulse Ultra-Wideband (IR-UWB) sensing and positioning applications. The platform is composed by a software simulator (SW) and a hardware testbed (HW). The software simulator based on Matlab offers reconfigurable modules/functions of UWB systems with a graphic user interface (GUI). Correspondingly, the testbed is implemented by an oscilloscope and a set of off-the-shelf components. The oscilloscope (Lecroy WaveMaster 816Zi-A) features high-speed real-time sampling (i.e., 40 GS/s with 16 GHz analog bandwidth) with 4 independent channels, enabling a multi-antenna multichannel receiver network in UWB bands, with signal processing capability at the Nyquist rate. The SW and HW are seamlessly integrated by the build-in software in the oscilloscope. It allows rapid prototypes of various algorithms to be verified in real environments. Finally, a case study on UWB ranging for localization is given to demonstrate the feasibility and usability of the proposed platform.

Haixin Song,Woogeun Rhee,Zhihua Wang

DOI: https://doi.org/10.1109/CICC48029.2020.9075925

2020-01-01

Abstract:This paper describes a communication/ranging pulse-based transceiver that enables physical-layer security against relay attack. A reconfigurable transceiver system with concatenation operation is designed by having PPM/PWM-based two-bit communication between the prover and the verifier, significantly reducing the processing latency of the prover. Multichannel transmission with enhanced spectral efficiency and link margin are realized with channel hopping and subband hopping methods. A prototype 6-8GHz UWB/VWB transceiver is implemented in 65nm CMOS. The transceiver achieves a processing latency of <; 3.5ns for the prover and an RMS ranging accuracy of 1.0cm for the verifier, consuming 8.3mW with -73dBm sensitivity at 5Mb/ s.

Mridula Singh,Patrick Leu,AbdelRahman Abdou,Srdjan Capkun

DOI: https://doi.org/10.48550/arXiv.1911.11078

2019-11-26

Abstract:Mobile autonomous systems, robots, and cyber-physical systems rely on accurate positioning information. To conduct distance-measurement, two devices exchange signals and, knowing these signals propagate at the speed of light, the time of arrival is used for distance estimations. Existing distance-measurement techniques are incapable of protecting against adversarial distance enlargement---a highly devastating tactic in which the adversary reissues a delayed version of the signals transmitted between devices, after distorting the authentic signal to prevent the receiver from identifying it. The adversary need not break crypto, nor compromise any upper-layer security protocols for mounting this attack. No known solution currently exists to protect against distance enlargement. We present \textit{Ultra-Wideband Enlargement Detection} (UWB-ED), a new modulation technique to detect distance enlargement attacks, and securely verify distances between two mutually trusted devices. We analyze UWB-ED under an adversary that injects signals to block/modify authentic signals. We show how UWB-ED is a good candidate for 802.15.4z Low Rate Pulse and the 5G standard.

Cryptography and Security

Chuanying Zhai,Zhuo Zou,Qin Zhou,Jia Mao,Qiang Chen,Hannu Tenhunen,Lirong Zheng,Lida Xu

DOI: https://doi.org/10.1080/17517575.2016.1152401

2017-01-01

Enterprise Information Systems

Abstract:This paper presents a 2.4-GHz radio frequency RF and ultra-wide bandwidth UWB hybrid real-time locating system RTLS for industrial enterprise Internet of Things IoT. It employs asymmetric wireless link, that is, UWB radio is utilised for accurate positioning up to 10 cm in critical sites, whereas 2.4-GHz RF is used for tag control and coarse positioning in non-critical sites. The specified communication protocol and the adaptive tag synchronisation rate ensure reliable and deterministic access with a scalable system capacity and avoid unpredictable latency and additional energy consumption of retransmissions due to collisions. The tag, consisting of a commercial 2.4-GHz transceiver and a customised application-specific integrated circuit ASIC UWB transmitter Tx, is able to achieve up to 3 years’ battery life at 1600 tags per position update second with 1000 mAh battery in one cluster. The time difference of arrival TDoA–based positioning experiment at UWB radio is performed on the designed software-defined radio SDR platform.

Tingting Zhang,Qinyu Zhang,Naitong Zhang,Hongguang Xu

DOI: https://doi.org/10.1109/CNSR.2009.54

2009-01-01

Abstract:In this paper, we present a ranging experiment performed in a typical indoor environment with a digital ultra wideband (UWB) system. At first, the structures of UWB transceivers are introduced, based on which the time of arrival (TOA) estimation algorithm based on energy detection is proposed consequently. Then the experiment background including the environment and measure method is illustrated. In order to mitigate the ranging error caused by theoretical algorithm and practical circuits, One way - time difference of arrival (OW-TDOA) ranging method and corresponding approaches are proposed and carried out. The obtained results show that this UWB ranging system can achieve a relative high ranging accuracy in a multipath environment (e.g. about 5cm at ranges up to 10m), which is practical and meaningful for many sensor applications. © 2009 IEEE.

Zuoya Liu,Teemu Hakala,Juha Hyyppä,Antero Kukko,Ruizhi Chen

DOI: https://doi.org/10.1109/jsen.2024.3368113

IF: 4.3

2024-01-01

IEEE Sensors Journal

Abstract:Most Ultrawideband (UWB) location systems implement the early UWB IEEE 802.15.4 standard. However, recently, the latest UWB IEEE 802.15.4z standard was introduced. Here, to understand the exact performance of the IEEE 802.15.4z standard and thus provide a valuable reference for UWB-based location systems, we present the first performance comparison of the two standards in ranging and positioning, as well as energy efficiency. All comparisons were carried out in a common environment (a typical indoor office) with the same settings used in a critical performance comparison and analysis. The comparisons include both line-of-sight (LOS) and non–line-of-sight (NLOS) conditions. Experimental results indicate that both standards achieve centimeter-level ranging accuracy in LOS conditions, but IEEE 802.15.4z achieves better performance in NLOS conditions with an average ranging error of less than 0.2 m and thus better performance in positioning than that of IEEE 802.15.4. Moreover, IEEE 802.15.4z achieves approximately three times higher energy efficiency than that of IEEE 802.15.4. Therefore, this work provides a comprehensive overview of a practical performance comparison of IEEE 802.15.4z and IEEE 802.15.4.

engineering, electrical & electronic,instruments & instrumentation,physics, applied

Wenlong Gou,Chuanhang Yu,Juntao Ma,Gang Wu,Vladimir Mordachev

2024-06-10

Abstract:A variety of ranging threats represented by Ghost Peak attack have raised concerns regarding the security performance of Ultra-Wide Band (UWB) systems with the finalization of the IEEE 802.15.4z standard. Based on channel reciprocity, this paper proposes a low complexity attack detection scheme that compares Channel Impulse Response (CIR) features of both ranging sides utilizing an autoencoder with the capability of data compression and feature extraction. Taking Ghost Peak attack as an example, this paper demonstrates the effectiveness, feasibility and generalizability of the proposed attack detection scheme through simulation and experimental validation. The proposed scheme achieves an attack detection success rate of over 99% and can be implemented in current systems at low cost.

Cryptography and Security,Social and Information Networks,Signal Processing