Yuqiao Yang, Zhongjie Wu, Yongzhao Zhang, Ting Chen, Jun Li, Jie Yang, Wenhao Liu, Xiaosong Zhang, Ruicong Shi, Jingwei Li, Yu Jiang, Zhuo Su
Abstract: UWB ranging systems have been adopted in many critical and security-sensitive applications because of their precise positioning and secure ranging capabilities. We present a practical jamming attack, UWBAD, against commercial UWB ranging systems. It exploits the vulnerability introduced by the adoption of the normalized cross-correlation process in UWB ranging and can selectively and quickly block ranging sessions without prior knowledge of the victim devices' configurations, potentially leading to severe consequences such as property loss, unauthorized access, or vehicle theft. UWBAD achieves more effective and less perceptible jamming because (i) it efficiently blocks every ranging session through field-level jamming, thereby exerting a tangible impact on commercial UWB ranging systems, and (ii) its compact, reactive, and selective design is built on COTS UWB chips, making it affordable and harder to notice. We successfully conducted real attacks against commercial UWB ranging systems from the three largest UWB chip vendors on the market, namely Apple, NXP, and Qorvo. We reported our findings to Apple, the related Original Equipment Manufacturers (OEMs), and the Automotive Security Research Group, triggering internal security incident response procedures at Volkswagen, Audi, Bosch, and NXP. As of the writing of this paper, the related OEM has acknowledged this vulnerability in its automotive systems and has offered a $5,000 bounty.
What problem does this paper attempt to address?
The paper proposes a novel jamming attack against commercial Ultra-Wideband (UWB) ranging systems, termed UWBAD (UWB Accurate Dampening). Its core purpose is to reveal and exploit a vulnerability that arises when UWB receivers use the Normalized Cross-Correlation (NCC) process for Channel Impulse Response (CIR) estimation, in order to effectively and inconspicuously disrupt UWB ranging sessions.
UWBAD achieves its objectives through the following two key strategies:
1. **Efficiently disrupting each session**: Unlike range reduction attacks, UWBAD does not manipulate the measured distances; instead it prevents devices from updating distance data by disrupting every ranging update. It interferes with the SYNC field so that the similarity between the received packet and the local template falls below the detection threshold, which breaks the packet detection mechanism and blocks the ranging session.
2. **Reactive and selective interference**: UWBAD uses low-cost, compact commercial off-the-shelf (COTS) UWB chips for monitoring and reactive jamming, without the full-bandwidth noise flooding that is easily detected in practice. It can target specific victim devices without affecting neighboring devices, making the attack more covert.
To implement these strategies, the paper addresses two main challenges:
- How can the interference efficiency for each ranging session be maximized? By analyzing the NCC process, UWBAD finds that it only compares signal similarity (the shape of the received signal against the template) and disregards signal strength. Interfering with the SYNC field therefore effectively reduces the maximum correlation and prevents ranging updates.
- How can interference packets be injected without knowledge of the physical-layer configuration? UWBAD uses the responses of COTS UWB chips as clues and divides the sniffing process into phases, which greatly reduces the potential search space and allows the SYNC field to be accurately predicted and interfered with within a short time, so attacks can be launched efficiently.
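As an added illustration (not code from the paper or its authors), the following Python simulates the NCC packet-detection step that the first challenge above describes: a constructed 31-chip +/-1 code stands in for the real SYNC preamble, the detector reports the NCC peak together with the energy in the best window, and the runs show that the peak does not change with signal amplitude but drops under the threshold when energy that does not match the template overlaps the SYNC chips. The threshold of 0.85, the code, the offsets and the noise level are constructed assumptions, and the energy readout is a defender-side indicator added here, not something the paper evaluates.

```python
import math
import random

def m_sequence(length=31):
    """Constructed preamble: one period of the m-sequence from the primitive
    polynomial x^5 + x^3 + 1, mapped to +/-1 (stand-in for a real UWB code)."""
    state, chips = 1, []
    for _ in range(length):
        chips.append(1.0 if state & 1 else -1.0)
        fb = (state ^ (state >> 3)) & 1
        state = (state >> 1) | (fb << 4)
    return chips

def ncc(window, template):
    """Normalized cross-correlation: measures shape similarity only; a common
    scale factor on the window cancels out, so signal strength is ignored."""
    e_w = math.sqrt(sum(x * x for x in window))
    e_t = math.sqrt(sum(x * x for x in template))
    if e_w == 0.0 or e_t == 0.0:
        return 0.0
    return sum(w * t for w, t in zip(window, template)) / (e_w * e_t)

def detect(rx, template, threshold=0.85):
    """Slide the template over rx and report the best NCC peak, its offset,
    the energy in that window, and whether the packet is accepted."""
    n = len(template)
    peak, offset = max((ncc(rx[i:i + n], template), i)
                       for i in range(len(rx) - n + 1))
    energy = sum(x * x for x in rx[offset:offset + n])
    return {"detected": peak >= threshold, "peak": peak,
            "offset": offset, "energy": energy}

def make_rx(template, amplitude, jam_gain=0.0, sync_at=20, pad=40, seed=1):
    """Constructed receive buffer: a small noise floor, the SYNC chips at
    sync_at scaled by amplitude, plus an optional non-matching signal (here a
    cyclic shift of the same code) overlapping exactly the SYNC chips."""
    rng = random.Random(seed)
    n = len(template)
    rx = [rng.uniform(-0.01, 0.01) for _ in range(sync_at + n + pad)]
    other = template[7:] + template[:7]
    for k in range(n):
        rx[sync_at + k] += amplitude * template[k] + jam_gain * other[k]
    return rx

if __name__ == "__main__":
    code = m_sequence()
    for amp, gain in ((0.1, 0.0), (10.0, 0.0), (1.0, 1.0), (1.0, 2.0)):
        r = detect(make_rx(code, amp, gain), code)
        print(f"amp={amp:5.1f} overlap={gain:3.1f} -> peak={r['peak']:.3f} "
              f"energy={r['energy']:8.2f} detected={r['detected']}")
```

A session whose NCC peak falls below the threshold while the energy in the expected SYNC window stays far above the noise floor is the signature a receiver-side monitor would log; that combined check is an assumption of this example, not a countermeasure the paper evaluates.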
The hardware prototype of UWBAD is built on the COTS UWB chip DW3210, which is compact and easy to deploy. Experimental results show that UWBAD can completely block the ranging sessions of various commercial devices from mainstream UWB chip suppliers such as Apple, Qorvo, and NXP, demonstrating robust performance in real-world tests.
The authors have also shared their findings with Apple, relevant Original Equipment Manufacturers (OEMs), and the Automotive Security Research Group (ASRG), triggering internal security incident response procedures at companies like Volkswagen, Audi, Bosch, and NXP. OEMs have acknowledged this vulnerability and rated it as "critical," even offering a bounty of $5,000 as a reward.