Distance Bounding with IEEE 802.15.4a: Attacks and Countermeasures
Impulse Radio Ultra-Wideband, in particular the recent standard IEEE 802.15.4a, is a primarycandidate for implementing distance bounding protocols, thanks to its ability to perform accurate indoor ranging. Distance bounding protocols allow two wireless devices to securely estimate the distance between themselves, with the guarantee that the estimate is an upper-bound on the actual distance. These protocols serve as building blocks in security-sensitive applications such as tracking, physical access control, or localization. We investigate the resilience of IEEE 802.15.4a to physical-communication-layer attacks that decrease the distance measured by distance bounding protocols, thus violating their security. We consider two attack types: malicious prover (internal) and distance-decreasing relay (external). We show that if the honest devices use energy-detection receivers (popular due to their low cost and complexity), then an adversary can perform highly effective internal and external attacks, decreasing he distance by hundreds of meters. However, by using more sophisticated rake receivers, or by implementing small modifications to IEEE 802.15.4a and employing energy-detection receivers with a simple countermeasure, honest devices can reduce the effectiveness of external distance-decreasing relay attacks to the order of 10m. The effectiveness of malicious prover can also be reduced to 10m, by an additional modification to IEEE 802.15.4a along with the same simple countermeasure for both energy-detection receivers and rake receivers.
Record created on 2010-07-21, modified on 2016-08-08