Post on 22-Feb-2016
Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging
Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec
Laboratory for Computer Communications and Applications, EPFL, Switzerland
Third ACM Conference on Wireless Network Security (WiSec '10), March 23, 2010
Secure Ranging aka Distance Bounding
• Wireless device V (Verifier) measures distance dVP to another device P (Prover)
• Based on message time-of-flight: dVP = c · tRTT / 2
• Adversarial setting:
– External attacks (mafia fraud)
– Malicious prover (distance and terrorist frauds)
[Figure: Verifier V sends NV to Prover P; P replies with (P ⊕ NV, NP) and V measures the round-trip time tRTT; P then sends (NV, P, NP, MACPV(NV, P, NP)). The measured distance is compared with the actual distance dVP.]
Example Application: Tracking
[Cartoon: a jewelry store whose store monitoring system uses secure ranging to RFID tags on the goods. The thief's thought: "#@%#& !!! If I could only decrease the measured distance…"]
Other Application Examples
• Tracking:
– assets in warehouse
– inmates
– hospital assets, personnel, patients
– animals
– military personnel and equipment
– …
• RFID access control
• RFID micropayments
• Secure localization
• …
Physical Layer Attacks
• Decrease the measured distance by exploiting physical layer redundancy
J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006
• Physical layer and receiver specific
– RFID (ISO 14443A) and WSN PHYs
G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
• Other physical layers?
Impulse Radio UWB
• IR-UWB ranging capabilities:
– high precision (sub meter)
– copes well with multipath propagation
• IEEE 802.15.4a standard
[Figure: transmitted signal, received signal and sampled signal of an energy detector receiver]
Our contribution
• Distance-decreasing relay attack against:
– IEEE 802.15.4a standard
– Energy detector receiver
• Distance decrease of up to 140m*
• Attack success rate can be made arbitrarily high
• Components (early detection and late commit) can be used individually by a malicious prover
* IEEE 802.15.4a mandatory modes
Protocol Assumptions
• Rapid bit exchange:
– Transmission of single bits
– Instantaneous reply
– Challenging to implement
– Not compatible with IEEE 802.15.4a
[Figure: Verifier V sends single-bit challenges c1, c2, …, cn and Prover P answers each immediately with r1, r2, …, rn]
We assume no rapid bit exchange
Protocol Assumptions
• Several-bit-long ranging messages
• Sufficient if V and P are honest
• With full duplex transmission can cope with malicious prover*
• Compatible with IEEE 802.15.4a
[Figure: V sends NV, P replies with NP while V measures tRTT; P then sends (NV, P, NP, MACPV(NV, P, NP))]
* Kasper Bonne Rasmussen, Srdjan Capkun. Location Privacy of Distance Bounding Protocols. CCS 2008
Setup
[Figure: distance decreasing relay attack. Verifier V sends NV, which Relay MV receives and Relay MP retransmits to Prover P; P's reply NP travels back through MP and MV to V, which measures tRTT over the relayed exchange. The final (NV, P, NP, MACPV(NV, P, NP)) message is relayed in the same way (shown as (NV, P, NP, ...)).]
Notation: HTX = Honest Transmitter, HRX = Honest Receiver, ATX = Adversarial Transmitter, ARX = Adversarial Receiver
Overview
[Figure: timelines of HTX, HRX, ATX and ARX; each frame is a preamble followed by a payload. The frame forwarded by ATX is shifted 450 ns (~135 m) earlier than what ARX receives, using early detection and late commit.]
Challenge 1: Transmission time unknown in advance
Challenge 2: Payload unknown in advance
Preamble
[Figure sequence: timelines of HTX, HRX, ATX and ARX during the preamble. The preamble repeats the preamble symbol Si (4096 ns per symbol) and ends with the Start Frame Delimiter (SFD), a pattern of Si, 0 and –Si symbols. HRX needs a number of preamble symbols for acquisition. ARX acquires the honest preamble and ATX then transmits its own Si symbols, shifted by 450 ns (the figure marks 4096 ns – 450 ns). ARX detects the SFD early (early SFD detection, compared with normal SFD detection) and ATX commits to the SFD late (late SFD commit); the resulting time-shift is 450 ns.]
Payload
[Figure sequence: timelines of HTX, HRX, ATX and ARX during the payload. Payload symbols use Binary Pulse Position Modulation (BPPM): a symbol lasts 1024 ns (the figure also marks 8 ns); a 0-symbol carries its pulses in the first half and a 1-symbol in the second half, and the channel spreads the received energy over ~70 ns. A benign energy detector receiver compares the energy in the two halves (→ 0 / → 1). An early detection receiver (ARX) decides from the beginning of the symbol only, and a late commit transmitter (ATX) defers the part of the symbol that distinguishes a 0 from a 1. Relay time-shift: 450 ns = 512 ns – 62 ns = half symbol duration – early detection time.]
Attack Performance
• Evaluation with physical layer simulations
• IEEE 802.15.4a, with:
– 128 bit packets
– residential NLOS channel model, based on IR channel measurement campaigns
– LPRF mode (mandatory parameters)
Preamble: Early detection
[Plot: Synchronization Error Ratio vs. ARX SNR [dB]; annotated gap of 4dB]
Preamble: Late commit
[Plot: Synchronization Error Ratio vs. HRX SNR [dB]; annotated gap of 4dB]
Payload: Early detection
[Plot: Packet Error Ratio vs. ARX SNR [dB]; annotated gap of 1.7dB]
Payload: Late commit
[Plot: Packet Error Ratio vs. HRX SNR [dB]; annotated gap of 4dB]
Overall attack success
[Plot: Probability of attack success vs. early detection SNR (ARX) and late commit SNR (HRX)]
>99% attack success probability with SNR 4dB (ARX) and 6dB (HRX) greater than for benign operation
Easily achievable:
• High gain antenna
• Increase transmission power
• Move adversarial devices closer to victim devices
Application example: Tracking
[Cartoon: the tracking scenario revisited in a jail, now with a relay in the picture; caption "???"]
Countermeasures
• Decrease payload symbol length
– Our attack gains half of symbol duration
– Non-mandatory IEEE 802.15.4a modes with payload symbol length 32ns (11m)
• Disadvantages:
– Shorter symbols result in worse multi-user interference tolerance
– With very short symbols, inter-symbol interference becomes an issue
J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006
Countermeasures
• Perform early detection at HRX in place of standard (energy comparison) detection:
– Prevents our attack
– Any attack can decrease the measured distance by at most the early detection window duration
• Example: 62ns or 18m
• Disadvantages:
– Performance loss (1.7dB)
G. P. Hancke, M. G. Kuhn. Attacks on time-of-flight distance bounding channels. WiSec 2008
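The relay time-shift formula and the early-detection-at-HRX countermeasure, as an added Python model that is not the authors' code: it builds constructed energy traces of BPPM symbols, runs a standard energy-comparison demodulator and an early-detection (on/off keying) demodulator on them, and computes the distance decrease the slides' formula gives with and without the countermeasure. The burst/noise model, the 1/snr noise floor and the detection threshold are assumptions of the model, not values from the slides.

```python
import random
C_M_PER_NS = 0.299792458   # speed of light, metres per nanosecond
SYMBOL_NS = 1024           # mandatory-mode payload symbol duration (from the slides)
EARLY_DETECT_NS = 62       # early-detection window used on the slides
SPREAD_NS = 70             # approximate channel spread of the burst energy (slides)

def make_bppm_symbol(bit, seed=1, spread_ns=SPREAD_NS, snr=20.0):
    """Constructed received energy per nanosecond of one BPPM symbol: the burst
    lands in the first half for a 0-symbol and in the second half for a 1-symbol,
    smeared over spread_ns by the channel, on top of a noise floor of about 1/snr."""
    rng = random.Random(seed)
    start = 0 if bit == 0 else SYMBOL_NS // 2
    return [(1.0 if start <= t < start + spread_ns else 0.0) + rng.random() / snr
            for t in range(SYMBOL_NS)]

def energy(samples, lo, hi):
    return sum(samples[lo:hi])

def standard_decide(samples):
    """Benign energy-detector demodulation: compare the energy of the two halves."""
    half = SYMBOL_NS // 2
    return 0 if energy(samples, 0, half) >= energy(samples, half, SYMBOL_NS) else 1

def early_decide(samples, window_ns=EARLY_DETECT_NS):
    """Decide after only window_ns: on/off keying on the first window. Run by the
    honest receiver this is the 'early detection at HRX' countermeasure; the
    threshold (half of a fully lit window) is an assumption of this toy model."""
    return 0 if energy(samples, 0, window_ns) > window_ns / 2 else 1

def relay_time_shift_ns(symbol_ns=SYMBOL_NS, early_detect_ns=EARLY_DETECT_NS):
    """Per-leg gain of early detection plus late commit, as stated on the slides:
    half symbol duration minus early detection time (512 ns - 62 ns = 450 ns)."""
    return symbol_ns / 2 - early_detect_ns

def distance_decrease_m(time_shift_ns):
    """The relays gain time_shift_ns on each leg of the round trip, so tRTT shrinks
    by 2*shift and dVP = c*tRTT/2 shrinks by c*shift (450 ns -> about 135 m)."""
    return C_M_PER_NS * time_shift_ns

def bound_with_hrx_early_detection(early_detect_ns=EARLY_DETECT_NS):
    """If HRX itself decides after the early-detection window, no attack can shift a
    symbol by more than that window, which caps the distance decrease (62 ns -> 18 m)."""
    return distance_decrease_m(early_detect_ns)

if __name__ == "__main__":
    for bit in (0, 1):               # both demodulators agree on benign symbols
        sym = make_bppm_symbol(bit)
        assert standard_decide(sym) == early_decide(sym) == bit
    print(distance_decrease_m(relay_time_shift_ns()), bound_with_hrx_early_detection())
```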
Countermeasures
• Beyond IEEE 802.15.4a: other modulations
– BPSK
– OOK
– “Security Enhanced Modulation”
M. Kuhn, H. Luecken, N. O. Tippenhauer. UWB Impulse Radio Based Distance Bounding. WPNC 2010
– Secret preamble codes
– Secret payload time-hopping
Conclusion
• IR-UWB standard IEEE 802.15.4a is vulnerable to a distance-decreasing relay attack
– 140m distance decrease against energy-detection receivers*
– Attack enabled by BPPM (de)modulation
• Attack performance
– 99% success rate at minor SNR cost (few dB)
– Success rate can be made arbitrarily high
* IEEE 802.15.4a mandatory modes
Ongoing work
• Countermeasures
• Attack with a coherent receiver
– Exploits the specifics of the convolutional code used in IEEE 802.15.4a
– Additional 75m distance-decrease
• New physical layer attack against ranging
– Malicious interference disrupting ToA estimation
– Less effective and precise, but easy to mount
M. Poturalski, M. Flury, P. Papadimitratos, J-P. Hubaux, J-Y. Le Boudec. The Cicada Attack: Degradation and Denial of Service in IR Ranging. (under submission)
To learn more…
http://lca.epfl.ch/projects/snd
marcin.poturalski@epfl.ch
Attack overview (backup slide)
[Figure: the whole attack on one page. Timelines for Honest Transmitter (HTX), Honest Receiver (HRX), Adversarial Transmitter (ATX) and Adversarial Receiver (ARX), each frame a PREAMBLE followed by a PAYLOAD.
– Preamble: repeated Si symbols (4096 ns); ARX acquisition; the relayed preamble is shifted (4096 ns – 444 ns). The preamble is shortened, but still long enough for HRX to acquire.
– Start Frame Delimiter: ARX matches the incoming symbols with the pattern 0 Si 0 –Si Si 0 0 –Si (early SFD detection); ATX's late SFD commit is close enough for HRX to detect the SFD.
– Payload (labels: 1024 ns, 8 ns), Binary Pulse Position Modulation (BPPM) 0-symbol / 1-symbol: standard detection is energy comparison (→ 0 / → 1); early detection is on/off-keying demodulation; late commit relies on the first half of both symbols being identical.
– Relay time-shift: 444 ns = 512 ns – 68 ns = late commit time – early detection time = half symbol duration – channel spread.]