On the Security of Carrier Phase-based Ranging

Hildur Olafsdottir, Aanjhan Ranganathan, Srdjan CapkunDepartment of Computer Science

ETH Zurich, Switzerland

AbstractMulticarrier phase-based ranging is fast emerging as acost-optimized solution for a wide variety of proximity-based applications due to its low power requirement,low hardware complexity and compatibility with existingstandards such as ZigBee and 6LoWPAN. Given poten-tially critical nature of the applications in which phase-based ranging can be deployed (e.g., access control, assettracking), it is important to evaluate its security guaran-tees. Therefore, in this work, we investigate the securityof multicarrier phase-based ranging systems and specifi-cally focus on distance decreasing relay attacks that haveproven detrimental to the security of proximity-based ac-cess control systems (e.g., vehicular passive keyless en-try and start systems). We show that phase-based rang-ing, as well as its implementations, are vulnerable to avariety of distance reduction attacks. We describe differ-ent attack realizations and verify their feasibility by sim-ulations and experiments on a commercial ranging sys-tem. Specifically, we successfully reduced the estimatedrange to less than 3m even though the devices were morethan 50 m apart. We discuss possible countermeasuresagainst such attacks and illustrate their limitations, there-fore demonstrating that phase-based ranging cannot befully secured against distance decreasing attacks.

1 Introduction

The use of proximity and location information is ubiq-uitous today in a wide range of applications [20, 38].For example, proximity-based access tokens (e.g., con-tactless smart cards, key fobs) are prevalent today in anumber of systems [17, 34] including public transportticketing, parking and highway toll fee collection, pay-ment systems, electronic passports, physical access con-trol and personnel tracking. Furthermore, modern auto-mobiles use passive keyless entry systems (PKES) to un-lock, lock or start the vehicle. The vehicle automatically

identifies and unlocks when the key fob is in proximity,and there is no need for the user to remove the key fromhis pocket. By eliminating the need for user interaction,PKES-like systems also offer better protection in scenar-ios, e.g., where the user forgets to lock the car manually.With the advent of modern cyber physical autonomoussystems and the internet of things, the need for proxim-ity and location information is only bound to increase.

Numerous ranging techniques [23] that use radio com-munication signals have been developed in the recentyears. Some techniques are based on estimating thechange in the physical characteristics of the signal suchas amplitude, phase and frequency. For example, rangingsystems based on received signal strength (RSS) [7, 43]rely on the free-space path-loss propagation model to es-timate the distance between two entities. Other rangingtechniques estimate distance based on the time-of-flight(e.g., roundtrip time of flight (RTOF), time-difference-of-arrival (TDOA)) [41,45] of the radio frequency signal.

Most of these ranging techniques are inherently in-secure. For example, an attacker can fake the signalstrength in an RSS-based ranging system. Similarly, inan ultrasonic ranging system, an attacker can gain anadvantage by relaying messages over the faster radio-frequency channel [39]. Recently, it was shown that thePKES systems used in automobiles are also vulnerableto relay attacks [15]. In a relay attack, the attacker usestwo proxy devices to relay the communications betweentwo legitimate entities without requiring any knowledgeof the actual data being transmitted; therefore indepen-dent of any cryptographic primitives implemented. Re-searchers were able to unlock the car and drive away eventhough the legitimate key was several hundred metersaway from the car. Similar relay attacks were demon-strated on other radio-frequency based access tokens(NFC phones [16], Google Wallet [35]), even though thecommunication range for many such contactless systemsis limited to a few centimeters.

Multicarrier phase-based ranging [8] is fast emerg-

1

arX

iv:1

610.

0607

7v1

[cs

.CR

] 1

9 O

ct 2

016

ing as a cost-optimized solution for a wide variety ofproximity-based applications. The low hardware com-plexity and their low power consumption make themsuitable for power-constrained wireless sensor systemapplications. For example, the advent of internet ofthings has seen an increasing number of smart andnetworked devices being deployed ubiquitously wherelow power consumption is a key requirement. To-day, multicarrier phase-based ranging solutions [1, 6, 42]that are compliant with prominent standards such asWiFi, ZigBee [5] and 6LoWPAN [21] are already be-ing commercialized (e.g., warehouse monitoring, child-monitoring). Given the widespread deployment of802.11 WiFi networks, several indoor localization andranging schemes [4, 12, 42, 44] that use the carrier-phaseof the radio signals have been proposed. For exam-ple, Chronos [42] leverages the carrier phase informationof the 802.11 WiFi signals to implement a centimetre-level localization and ranging system using commodityWiFi cards. The implications of distance modificationattacks in scenarios where these systems are deployed insecurity-critical applications like access control to auto-mobiles, critical infrastructure, and medical devices aresignificant and have not been investigated so far.

Therefore, in this work, we investigate the securityof carrier phase-based ranging systems and demonstratetheir vulnerability to distance modification attacks by ex-ploiting the inherent physical properties of the signal. Wefocus on attacks which result in a decrease of the mea-sured distance since these have been shown to be mostrelevant in a majority of security applications. Specifi-cally, we make the following contributions:

• We show that phase-based ranging, as well as itsimplementations, are vulnerable to a variety of dis-tance reduction attacks. To this extent, we describethree different attack realizations with varying de-gree of attacker complexity and evaluate their ef-fectiveness under various conditions.

• We demonstrate the attack on a commercial multi-carrier phase-ranging system and show that it is fea-sible to reduce the estimated distance significantly.Specifically, through our experiments we success-fully reduced the estimated range to less than 3 meven though the devices were more than 50m apart.

• We discuss possible countermeasures against thesedistance decreasing relay attacks and illustrate theirlimitations. We show how implementing counter-measures such as e.g., estimating rough time-of-flight, pseudorandom frequency hopping etc. onlyincreases the system complexity without fully se-curing against distance decreasing attacks.

θ

θ

d

t

V P

Figure 1: Phase Ranging: The prover locks its local os-cillator to the verfier’s signal and transmits it back to theverifier. The verifier then measures the distance based onthe difference in the phase of the received signal and itsreference signal.

The rest of the paper is organized as follows. InSection 2, we give a brief overview of phase-baseddistance measurement technique. We describe our dis-tance decreasing relay attacks in Section 3 and presentour experimental results in Section 4. In Section 5, wediscuss possible countermeasures and their effectivenessin preventing the distance decreasing relay attacks. Wepresent related work in Section 6 and finally conclude inSection 7.

2 Background

2.1 Phase-based RangingIn phase-based ranging, two devices A and B measurethe distance between them by estimating the phase dif-ference between a received continuous wave signal anda local reference signal. For example, if device A (veri-fier) is measuring its distance to device B (prover), thenthe verifier begins ranging by transmitting a continuouswave carrier signal. The prover locks its local oscilla-tor to this incoming signal and transmits it back to theverifier. The verifier measures the distance based on thedifference in the phase of the received signal and its ref-erence signal as shown in Figure 1. If the distance dbetween the verifier and the prover is less than the sig-

nal’s wavelength i.e.,2 · f

c, where f is the frequency of

the signal and c is the speed of light, the measured phasedifference θ will be,

θ = 4π · d · fc

(1)

In order to unambiguously measure distances greaterthan the signal’s wavelength, it is necessary to keep track

2

Δt t

θ1

θ2

Figure 2: Multicarrier Phase Ranging: Two signals ofdifferent frequencies that travel the same amount of timewill experience a different phase shift.

of the number of whole cycles elapsed. Therefore, theequation for measuring d becomes,

d =c

2 · f· ( θ

2π+n) (2)

where n is an integer which reflects the number ofwhole cycles elapsed. The need for keeping track of n iseliminated by using continuous wave signals of differentfrequencies.

2.2 Multicarrier Phase RangingMulticarrier phase ranging systems eliminates the wholecycle ambiguity by transmitting continuous wave signalsat different frequencies (Figure 2). For example, the ver-ifier first transmits a signal with a frequency f1 to whichthe prover locks its local oscillator and retransmits thesignal back to the verifier. At the verifier, the measuredphase difference between the received signal from theprover and the verifier’s own signal for this frequency(θ1) is given by (from Equation 2),

θ1 = 2π · (2 ·d · f1

c+n) (3)

The verifier then transmits a continuous wave signalwith a frequency f2 and measures the phase difference(θ2) as previously.

θ2 = 2π · (2 ·d · f2

c+n) (4)

The distance d between the verifier and the prover canbe unambiguously measured by combining equations 3and 4:

d =c

4π· θ2−θ1

f2− f1(5)

Phase Slope Method: In real-world, using only two fre-quencies to measure the phase differences results in poorranging accuracy. Therefore, it is typical for the verifierto measure the phase differences on more than two fre-quencies, thereby improving the system’s resolution andaccuracy. The phase difference measurements (θi) foreach frequency ( fi) can be expressed in the form of:

θi =4π

c· fi ·d +N (6)

If the phase differences are plotted on a phase vs fre-quency curve, the slope of the curve represents the dis-tance d between the verifier and the prover (Figure 3). Inother words, the above equation can be seen as a straightline with the distance proportional to the slope of the line:

d =c

4π· slope (7)

Figure 3a shows the measured phase differencesvs frequency for two different distances. The phase-differences are straightened as is shown in Figure 3b tocalculate the effective slope and estimate the distancebetween the verifier and the prover.

2.3 Commercial Phase Ranging SystemsDue to their low-complexity and low power requirement,multicarrier phase ranging is fast emerging as a cost-optimized solution for a wide variety of applications.For example, multicarrier phase ranging has been pro-posed for the positioning of ultra-high frequency RFIDsystems [24, 25]. More recently, Atmel released a ra-dio transceiver [6] specifically targeting low-power ap-plications and complying with standards such as Zig-Bee [5] and 6LoWPAN [21]. The radio transceiverAT86RF233 is designed for use in industry, scientificand medical (ISM) band applications and implementsmulticarrier phase-based ranging technique for distancemeasurement. Further more, leveraging the proliferationof 802.11 WiFi networks and the availability of carrierphase information directly from the network cards [18],several indoor localization schemes [4, 12] have beenproposed recently. For example, Chronos [42] leveragesthe carrier phase information of the 802.11 WiFi signalsto implement an indoor localization and ranging systemusing commodity WiFi cards with centimeter-level pre-cision.

The ranging procedure in these systems is typicallydivided into control and ranging signals. The controlmessages are all transmitted using the same presetfrequency and is used to set up the necessary parametersand time synchronization for the ranging to take place.In addition, the verifier and prover exchange the results

3

(a) The phase of the received signal.

~d2

~d1

(b) The straightened phase of the received signal.

Figure 3: Phase versus frequency if the prover is 10 and 20 m away from the verifier.

of the ranging using the control channel. The frequen-cies of the continuous wave signals used in the rangingranges from 2.324− 2.527GHz with configurable hopsizes of 0.5, 1, 2, 4 MHz.

3 Security of Phase Ranging Systems

In this section, we investigate the security of phaseranging systems with a focus on the physical-layerdistance decreasing attacks as these attacks have beenshown to be detrimental to a number of security criticalapplications (e.g., NFC payment systems [16, 35],keyless entry systems in automobiles [15]).

3.1 Distance Decreasing Relay AttacksWe consider two devices, a verifier and a prover that areable to communicate over a wireless radio link. Thedevices implement multicarrier phase measurement forranging. The verifier measures and verifies the distanceclaimed by the prover. The verifier is trusted and is as-sumed to be honest. In this setting, distance decreasingattacks can be mounted in two ways: (i) by a dishon-est prover trying to cheat on its distance to the verifier,referred to as an internal attack and (ii) by an externalattacker who aims to shorten the distance between theverifier and the honest prover, referred to as a “distance-decreasing relay attack”.

There are several ways for a dishonest or a maliciousprover to mount an internal attack. For example, a ma-licious prover can cheat on the distance by not lockingon to the correct phase when the verifier transmits its in-terrogating signal (from Figure 1). The malicious provercan simply respond with a signal that is phase incoher-ent with the verifier’s reference signal; thus resulting in

a different distance estimate at the verifier. Such internalattacks can only be prevented by distance bounding [9]and implementing distance bounding [29, 31, 33] requirea number of hardware-software modifications that are in-compatible with the existing design of phase ranging sys-tems. In this work, we focus on external attackers underthe assumption that both the verifier and the prover aretrusted and honest. Such a scenario is most applicable toe.g., passive keyless entry systems where the key fob andthe car are both trusted and assumed to be honest. How-ever, we note that the presented attacks in this paper canbe used by a dishonest prover to decrease its distance tothe verifier without any loss of generality.

Additionally, it is important that the verifier and theprover exchange data that is cryptographically generated.Otherwise, it would be trivial for an unauthorized deviceto recreate the ranging signals and appear legitimateto the verifier. Throughout this paper, we assumethat the verifier and the prover generate and exchangecryptographic data in order to prevent unauthorizedranging attempts.

3.2 Phase-slope Rollover AttackRecall that in a multicarrier phase ranging system, dis-tance d is measured based on the estimated phase dif-ferences between two or more carrier frequency signals(Equation 5). Thus, the maximum measurable distancei.e., the largest value of distance dmax that can be esti-mated using multicarrier phase-ranging system, dependson the maximum measurable phase difference ∆θmax be-tween the two frequency signals. Given that the phasevalues range from 0 to 2π , the maximum measurablephase difference between any two frequencies is ∆θmax =2π . Substituting the values in Equation 5 the maximummeasurable distance is given by,

4

V P

θ

t

Δt

θ

Δt

Figure 4: The verifier’s signal travels unaltered from theverifier to the prover. There the prover locks onto the in-coming signal and transmits a signal with the same phaseback. The attacker intercepts the prover’s signal and de-lays each frequency by the same amount. The verifiercalculates an incorrect distance measurement based onthe attacker’s signal.

0 0.2 0.4 0.6 0.8Delay [7s]

0

20

40

60

80

Mea

sure

d D

ista

nce

[m]

Figure 5: The verifier and prover are located 30 m fromeach other and the frequency hop size is 2 MHz (roll overhappens at every 500 ns / 75 m). The figure shows themeasured distance at the verifier when an attacker uni-formly delays all the frequencies by the same amount.

dmax =c

4π· ∆θmax

∆ f

dmax =c2· 1

∆ f

(8)

For example, if the frequency hop size is 2MHz (∆ f ), themaximum distance measurable without any ambiguity is75 m after which the measured distance rolls over to 0 m.Similarly for frequency hop sizes of 0.5, 1, 2, 4 MHz,the maximum measurable distances are 300, 150, 75 and37.5 m respectively, beyond which there is a rollover.

In our phase-slope rollover attack, we demonstratehow an attacker can leverage the maximum measurabledistance property of the phase ranging system in order toexecute the distance decreasing relay attack.

The phase-slope rollover attack is illustrated in

V P

θ

t

Δt1

θ

Δt2

Figure 6: The verifier’s signal travels unaltered from theverifier to the prover. There the prover locks onto theincoming signal and transmits a signal with the samephase back. The attacker intercepts the prover’s signaland delays each frequency individually.The verifier cal-culates an incorrect distance measurement based on theattacker’s signal.

Figure 4. The attacker is assumed to be closer to theverifier than the prover. For illustrative simplicity, herewe assume that the prover is far away from the verifieror in other words, the verifier and the prover are not incommunication range. During a phase-slope rolloverattack, the attacker simply relays (amplify and forward)the verifier’s interrogating signal to the prover. Theprover determines the phase of the interrogating signaland re-transmits a response signal that is phase-lockedwith the verifier’s interrogating signal. The attackerreceives the prover’s response signal and forwards itto the verifier, however with a time delay (∆t). Theattacker chooses the time delay such that measuredphase differences ∆θ between the carrier frequencysignals reaches its maximum value of 2π and rolls over.Considering the previous example of a system withthe frequency hop size of 2MHz, the measured phasedifferences ∆θ rolls over every 500ns. Figure 5 showshow the measured distance by the verifier changesdepending on the delay ∆t introduced by the attacker.In Section 4, we demonstrate the feasibility of such anattack on a commercial phase-based ranging systemusing a experimental setup. Furthermore, we show thatan attacker can decrease the estimated distance to theminimum possible distance measurable (depends onsampling rate) by the system irrespective of the truedistance of the prover.

3.3 RF Cycle Slip Attack

In this section, we describe an alternative way for an at-tacker to decrease the estimated distance of multicarrierphase ranging systems. In this attack, the attacker ma-

5

dvp: 30 m

dvp: 74 m

Figure 7: The delay of each frequency the attacker needsto introduce to decrease the distance to 1 m from 30 and74 m respectively. Here dvp is prover-verifier distance.

nipulates the phase of individual carrier frequencies inorder to achieve the required phase difference betweenthe carrier frequencies that will result in a reduced dis-tance estimate at the verifier. This is in contrast to thephase-slope rollover attack described previously, wherethe attacker simply delays all the carrier frequencies by∆t until the effective phase difference between the carrierfrequencies exceed the maximum value and rolls over.

In a RF cycle slip attack, the attacker delays eachcarrier frequency fi by ∆ti. Recall that at the verifier,phase difference θi is measured between the prover’sresponse signal and the verifier’s reference signal forfrequency fi. Thus, an attacker can alter θi by delayingindividual carrier signals by an amount that causes eachphase measurement to change to a value θ ′i . The attackerchooses the new phase, θ ′i , for each frequency such thatthe slope of the phase vs frequency graph decreasesand thus decreasing the measured distance. Figure 7illustrates the delays needed for individual carrierfrequencies to cause a particular distance estimate by theverifier. One of the drawbacks of this method is that theattacker needs very high sampling rate. Alternatively,the attacker can use analog delay lines [26, 40] to realizesuch a relay attack hardware.

3.4 On-the-fly Phase Manipulation AttackIn this section, we present a real-time phase manipula-tion attack, in which the attacker is not required to delaythe prover’s response signal. In this attack, the attackermanipulates the phase of the prover’s response signal bymixing it with specially crafted signal which results in anappropriate phase difference at the verifier. It is impor-tant to note that the real-time phase manipulation attackskeeps any possible data exchanged intact independent ofthe modulation scheme used.

θ

t

V P

θap

θA

θA-θap

Figure 8: Attacker phase shifts the prover’s signal by firstmixing it with a signal of twice the frequency and thenlow-pass filters the result before transmitting it to the ver-ifier.

Figure 8 illustrates the real-time phase manipulationattack. The prover receives the interrogating signal andre-transmits a phase-locked response signal back to theverifier. The prover’s response sP(t) can be expressed as

sP(t) = cos(2π f t +θap) (9)

where f is the signal frequency and θap is the receivedphase of the prover’s signal at the attacker. The attackerreceives the prover’s signal sP(t) and mixes it with a spe-cially crafted signal si f (t) = cos(4π f t + θA) before re-laying the signal to the verifier. Note that the craftedsignal has twice the frequency of the prover’s responsesignal. This is to account for the frequency conversionthat occurs during mixing of two signals. The attacker’ssignal sA(t) (after filtering high frequency components)that is finally relayed to the verifier can be derived as fol-lows:

sA(t) = si f (t)⊗ sP(t)

= cos(2π f t +θap)⊗ cos(4π f t +θA)

LP=

12

cos(

2π f t +θA−θap

) (10)

From Equation 10, we observe that the relayed signalsA(t) is identical to the prover’s response signal exceptthat it is shifted in phase. Recall that (Equation 5),in a multicarrier phase ranging system, the measureddistance depends on the change in phase differencemeasurements between each carrier frequency. Thus,in order to modify the measured distance, the attackerneeds to manipulate the phase of each carrier frequencysuch that it results in a reduced distance estimate. Inother words, the attacker has to choose θA such thatθA−θap results in a phase difference estimate that corre-sponds to the reduced distance. In order to configure θA,the attacker must have apriori knowledge of the phase

6

of the prover’s signal when received at the attacker’slocation (θap). The attacker can detect the phase of theverifier’s signal when it received it and if the attackerknows the distance between the attacker and the prover,the attacker can estimate θap. An alternative method forthe attacker would be to actually detect (e.g., using aphase-locked loop) the phase of the prover’s responsesignal. However, this would introduce unnecessarydelays1 in the relaying hardware thus making it lessfavourable for the attacker.

4 Experimental Evaluation

In this section, we evaluate the feasibility of the abovedescribed distance decreasing relay attacks using bothcommercial phase-ranging systems and simulations.First, we demonstrate the distance decrease relay attackon the commercially available Atmel AT86RF233 radiotransceiver [6, 32] that implements multicarrier phase-based ranging technique. Furthermore, we evaluatethe feasibility of the attacks in different environmentalconditions (e.g., noise, communication range) usingsimulations.

Table 1: Atmel hardware configuration for the attack

Parameter ValueFrequency Hop ∆ f 2MHzRanging Frequency Range 2.403−2.443GHzControl Message Frequency 2.4GHzNo. of Frequencies 20Signal Strength −17dBm

4.1 Practical Demonstration of the AttackFigure 9 shows the experimental setup used in evaluatingthe feasibility of executing the distance decreasing relayattack on the Atmel phase-ranging system. Our setupconsists of two multicarrier phase ranging devices basedon Atmel AT86RF233 radio transceiver. One device (1)acts as the prover while the other device (3) takes therole of the verifier. The verifier continuously measuresthe distance between the prover and itself and outputs theresult to the connected laptop (4). The laptop was con-figured to continuously log the distance measurements.We used Atmel’s default setup for configuring the rang-ing parameters2 and list them in Table 1.

1due to the settling time of PLLs2For the 50 m attack the transmit power of the Atmel devices was

increased to −10dBm

dap

3

4

2

1

Figure 9: Our experimental setup consists of two mul-ticarrier phase ranging devices based on the AtmelAT86RF233 radio transceiver, that function as the prover(1) and verifier (3). The distance measured by the verifieris recorded to the connected laptop (4). The attacker’shardware (2) consists of an USRP [2] and two directionalantennas, one each for receiving the prover’s responsesignal and the other for transmitting the attacker’s signalto the verifier.

~50m

Figure 10: Hallway in which the experiment took place.

4.1.1 Attacker Hardware

The attacker’s hardware (2) consists of an USRP [2]and two directional antennas, one used for receivingthe prover’s response signal and the other for transmit-ting the attacker’s signal to the verifier. The attackersetup was placed close to the verifier while the proverwas placed at different distances to the verifier. Weimplemented the phase-slope rollover attack describedin Section 3.2 in which the attacker delays all thecarrier frequencies until the effective phase differencebetween the frequencies exceed the maximum value of2π and rolls over. The verifier’s interrogating signal wasleft unmodified and the attacker manipulated (delayedand amplified) only the prover’s response signal. Inorder to minimize the processing delay due to theattacker’s hardware, all processing was done directlyon the USRP’s FPGA, that included receiving, delayingand transmitting the signal. In other words, the host

7

Figure 11: Effectiveness of the distance decreasing relayattack where the prover and verifier are located 30, 40and 50 m apart and the attacker attempts to decrease thedistance.

computer of the USRP was bypassed completely and thesignal processing was done solely in the FPGA of theUSRP. The delay from receiving to transmitting, causedby the USRP hardware, was 536.22ns with a standarddeviation of 1.83ns. The USRP’s host computer wasonly used to trigger the relay attack and for specifyingthe amount of delay to introduce into the prover’sresponse signal. The delay was made configurable fromthe host and tuned at runtime to achieve the desiredattack objective.

4.1.2 Experimental Results

We placed the prover at distances 30m, 40m and 50maway from the verifier in an empty hallway. The proverand verifier were in communication range during theexperiment and thus were able to estimate their truedistance in the absence of the attacker. The results of ourexperiment are shown in Figure 11. As can be observed,without the presence of the attacker (solid line), theverifier and the prover estimate their true distance. Whenthe attack is triggered, the verifier’s estimated distancebegins to reduce. The gradual reduction is due to theverifier averaging the range estimates over a number ofsamples. We note that the experiment was carried outin a corridor (see Figure 10)with significant interferencefrom other ISM band systems (e.g., WiFi). Even in suchconditions, our attacker was able to reduce the distanceestimate by more than 50m.

4.1.3 Rollover Using Only Amplification

If two phase-ranging devices are further away from eachother than the maximum unambiguous distance that theycan measure an attacker can cause a roll-over by simply

θ

AWGN

dva dap

V P

AWGNΔt

Figure 12: Simulation of the Phase-slope rollover and RFcycle slip attack where dva and dap is the verifier-attackerdistance and attacker-prover distance respectively. Addi-tive White Gaussian noise is added to the verifier’s andprover’s signal. The attacker delays the prover’s signal.For the Phase-slope rollover attack all frequencies are de-layed equally but for the RF cycle slip attack each carrierfrequency is uniquely delayed.

amplifying their signals. We simulated such and attackon the Atmel AT86RF233 radio transceivers. We placedthe devices at roughly 53m apart. When the devices wereconfigured to use a frequency hop size of 2MHz theycorrectly estimated their position. However, when con-figured to use a hop size of 4MHz they incorrectly mea-sured a distance of 15− 16m, which is consistent withthe rollover being 37.5m. Such an attack is simple toimplement but of course the attacker can only reduce thedistance rather than spoof the devices to a particular dis-tance since the measured distance will be determined bythe devices actual distance.

4.2 Theoretical Evaluation

In this section, we evaluate the effectiveness of thedistance decreasing relay attack under various channelconditions using simulations.

4.2.1 Simulation Setup

For the simulations, we implemented the verifier, theprover and the attacker in Matlab. The multicarrierphase-ranging system was modelled exactly as describedin Section 2.2. Similar to real-world phase ranging sys-tems, the verifier uses multiple carrier frequencies in theISM band as the interrogating signal. The range of fre-quencies used were 2.40−2.48GHz with a configurablefrequency hop of 1MHz or 2MHz. The phase of the ver-ifier’s interrogating signal is selected randomly for eachfrequency hop to simulate real-world behaviour. Theprover measures the phase of the verifier’s signal as in a

8

θ

AWGN

dva dap

V P

θ

AWGN

Figure 13: Simulation of the on-the-fly attack wheredva and dap is the verifier-attacker distance and attacker-prover distance respectively. Additive White Gaussiannoise is added to the verifier’s and prover’s signal. Theattacker estimates the phase of the verifier’s signal anduses it and knowledge of the distance to the prover to es-timate the phase of the prover’s signal when it arrives atthe attacker. The attacker then mixes and low-pass filtersthe prover’s signal to achieve the desired phase shift.

real system and generates its response signal that is phasesynced to the verifier’s interrogating signal. For evalu-ating the effectiveness of the attack under noisy channelconditions, white Gaussian noise is added to both the ver-ifier’s and the prover’s signal. The distances between theverifier, prover and the attacker were simulated by intro-ducing propagation delays in the signal. For example,in order to simulate a verifier-prover distance of 30m,the signals were temporally shifted by 100ns before theywere processed by the verifier or the prover.

The attacker was modelled depending on the typeof attack evaluated. In the scenario of the phase-sloperollover and the RF cycle slip attack (Figure 12), theattacker only received and delayed the response signalfrom the prover appropriately before relaying it to theverifier. In the case of on-the-fly phase manipulationattack (Figure 13), the attacker estimates the phase ofthe verifier’s signal to be able to estimate the phase ofthe prover’s signal when it reaches the attacker. Theattacker then mixes the received response signal withhis locally generated signal as described in Section 3.4to generate a attack signal that is appropriately shiftedin phase in order to reduce the distance estimate whilepreserving the carrier frequency. The attack signal islow-pass filtered and relayed to the verifier.

4.2.2 Effect of Channel Noise

We evaluated the effectiveness of the various distancedecreasing attacks described in Section 3 under differentnoise conditions. The evaluations were averaged over

0 5 10 15 20 25 30

SNR [dB]

0

10

20

30

40

Dis

tanc

e E

rror

[m

] Non-spoofed 1 MHz

Spoofed 1 MHz

Non-spoofed 2 MHz

Spoofed 2 MHz

Figure 14: The error in the measured distance in a non-adversarial and when a RF cycle slip attack is performed.The non-adversarial measurements are when prover is lo-cated 1 m away from the verifier. In the adversarial set-ting the prover is located 30 m away from the verifierand the attacker tries to reduce this distance to 1 m. Inthe adversarial setting the prover and verifier are not incommunications range

100 different iterations for each SNR value in the set[0− 30]dB. We compared the error in the estimateddistance in an adversarial and non-adversarial scenario.The non-adversarial setting was simulated with theprover located 1m away from the verifier without anyattacker present. In the adversarial scenario, an attackerlocated 1m away from the verifier relayed the signalsbetween the verifier and the prover. The verifier and theprover were assumed to be out of communication range.Additive white Gaussian noise was added to both theverifier’s interrogating signal and the prover’s responsesignal. Figure 14 and Figure 15 shows the results for theRF cycle slip attacker and On-the-fly phase manipulationattacker respectively. We simulated the attacks for thecommonly used frequency hop size of 1MHz and2MHz. As seen in Figure 14 for the RF cycle slip attack,there is little difference in the distance error between theadversarial and non-adversarial setting. However, theon-the-fly phase manipulation attacker performs slightlyworse than the non-adversarial setting. This is becausethe attacker must estimate the verifier’s phase undernoisy conditions and any error in this estimation resultsin an incorrect phase shift.

4.2.3 Effect of Interference from the Prover

In certain scenarios, it is common that the verifier andthe prover are in communication range and the verifieralso receives the legitimate response signals in additionto the attacker’s signals. In this set of experiments,we evaluated the effect of interference caused by the

9

2400 2420 2440 2460 2480

Frequency [MHz]

0

:

2:

Phas

e [r

ad]

(a) The received phase at the verifier if an attacker changes thephase of each carrier randomly.

(b) The verifier attempt to straighten the phase and linearly fit it.

Figure 17: The distance estimated based on a random phase will be approximately dmax2 where dmax is the maximum

measurable distance.

0 5 10 15 20 25 30

SNR [dB]

0

10

20

30

40

50

Dis

tanc

e E

rror

[m

] Non-spoofed 1 MHz

Spoofed 1 MHz

Non-spoofed 2 MHz

Spoofed 2 MHz

Figure 15: The error in the measured distance in a non-adversarial and when a OTF attack is performed. Thenon-adversarial measurements are when prover is lo-cated 1 m away from the verifier. In the adversarial set-ting the prover is located 74 m away from the verifierand the attacker tries to reduce this distance to 1 m. Inthe adversarial setting the prover and verifier are not incommunications range

legitimate prover signals on the ability of the attacker toreduce the estimated distance. The amplitude and phaseof the received signal at the verifier will depend on boththe amplitude and phase of the attacker and the proversignals. For example, if the prover’s signal is weakerthan the attacker’s, the effect on the estimated distancedue to the legitimate prover’s signal will be minimal.Figure 16 shows the deviation in the distance calculatedby the verifier for different verifier-prover distances. Inour simulations, the attacker was located 1m away fromthe verifier and the prover’s distance from the verifierwas varied. The attacker’s objective was always to forcethe estimated distance to be 1m. It can be seen thatthe effect is negligible even if the prover is located at a

0 10 20 30 40 50 60 70

Prover Distance[m]

0

0.02

0.04

0.06

0.08

0.1

|Dis

tanc

e E

rror

| [m

]

Figure 16: The effect on measured distance when theverifier and prover are in communications range and theattacker does not correct for the effect from the prover’ssignal. The attacker is located 1 m away from the verifierand tries to decrease the distance to 1 m for all prover-verifier distances.

distance of 10m from the verifier.

4.2.4 Random Phase Manipulation Attack

An attacker can simply introduce a random phase changeto the prover’s signal, by either randomly delaying thephase of individual carrier frequencies or introducing arandom phase change in the on-the-fly attack. Figure 17shows the received phase at the verifier if such an attackis performed. A naive phase-ranging system mightsimply try to linearly fit a slope to the measured phasewhich will result in an incorrect distance. Dependingon the true distance of the prover and verifier, theattacker might thus achieve a distance reduction bysimply randomly manipulating the phase. However, a

10

verifier should be able to detect that the received phase isabnormal and thus surmise that any distance calculatedfrom it would be incorrect.

5 Effectiveness of Possible Countermea-sures

In this section, we discuss possible countermeasures andtheir effectiveness in preventing the distance decreaseattacks described previously.

5.1 Frequency HoppingIn order to execute the distance decreasing attack, theattacker must know the correct carrier frequency or becapable of re-transmitting the entire set of frequenciesused for ranging. So, an obvious countermeasure wouldbe to implement pseudo-random frequency hopping. Inother words, the verifier and the prover change carrierfrequencies based on a shared secret during the rangingprocess. However, it would be ineffective againstattackers capable of listening and transmitting over theentire range of frequencies used by the system. Withthe widespread availability of low-cost, high-bandwidthamplifiers [11], it is reasonable to assume that the at-tacker would be capable of executing these attacks overthe entire range of frequencies used by the multicarrierphase ranging system. Moreover, the attacker can listento the verifier’s interrogating signal that is necessaryfor the prover to lock and retransmit its response,thereby easily detecting the next frequency used by theverifier and prover to execute the ranging. Thus, a largebandwidth or a pseudo-random frequency hop sequencewould be ineffective in preventing distance decreasingattacks.

5.2 Rough Time-of-Flight EstimationAn alternative countermeasure would be to realize arough time-of-flight estimation. The verifier and theprover can implement a challenge-response mechanismi.e., the verifier modulates challenges in the interrogat-ing signal that is transmitted to the prover. The proverdemodulates the challenge, computes a correspondingresponse and modulates them back on the phase-lockedresponse signal that the prover transmits back to the ver-ifier. Assuming that the signals travel at the speed oflight and knowing the prover’s processing time, the veri-fier can estimate a coarse distance by measuring the timeelapsed between transmitting the challenges and receiv-ing the responses. It is well established that the preci-

θ θi

θ θi+1

t

V P

Figure 18: The prover adds a phase offset to the receivedphase, which is known to the verifier.

sion of the time estimate depends on the system band-width [8]. Commercially available phase-ranging radiotransceivers today are capable of exchanging data at amaximum rate of 2Mbps. Assuming that the transceiverscan estimate time-of-flight at this data rate, the maximumachievable precision is 500ns, which translates to a dis-tance estimate of 150m. This means that, the systemwould potentially detect attacks in scenarios where theprover is greater than 150m away from the verifier.

It is important to note that the time-of-flight estimatewould only guarantee whether the prover is within, forexample 150m. This still leaves a lot of room for anattacker to execute a distance decreasing attack as phase-ranging would still be required in addition to rough time-of-flight for precise distance estimates. For example, theattacker can still reduce the estimated distance to 1meven in scenarios where the prover is located 100m awayfrom the verifier. In order to improve the precision of thetime-of-flight estimate, it is necessary to increase the sys-tem bandwidth. Given that one of the main advantagesof multicarrier phase ranging is its low-complexity andcost, increasing the bandwidth for better time-of-flightestimate will potentially make the phase-ranging systemredundant.

5.3 Phase-shifted Response Signal

Even though implementing a time-of-flight estimationprevents rollover attacks, it is ineffective against an at-tacker capable of on-the-fly phase manipulation. As de-scribed previously, in an on-the-fly phase manipulationattack, the attacker does not reduce the estimated dis-tance by delaying the signals. The attacker mixes a lo-cally generated intermediate frequency signal with theresponse signal in real-time to generate the attack signal.In order to generate the intermediate frequency signal,the attacker must know the phase of the incoming re-sponse signal. The attacker can estimate the phase of the

11

incoming response signal based on the prover’s distance.The prover can potentially leverage this requirement forthe attacker and introduce additional phase-shifts in itsresponse signals. The phase-shifts introduced by theprover can be agreed apriori with the verifier and canbe accounted for during the distance estimation. The at-tacker cannot guess the phase-shift that the prover intro-duces and thereby cannot generate a corresponding mix-ing signal to execute the distance reduction attack andthereby will result in large fluctuations in the measuredphase difference across the carrier frequencies. Recallthat, in an non-adversarial setting, the phase differencebetween the carrier frequencies would vary linearly.

However, an attacker can always detect the phaseof the response signal and accordingly generate themixing signal. Due to the required precision of thephase estimates, the verifier and the prover transmittheir interrogating and response signals for a longduration of time 60 − 100 µs, in order to allow thephase-locked loop to converge to a precise value. Thisgives significant time for the attacker to detect the phaseof the response signal and generate the necessary mixingsignal for the distance decreasing attack. Furthermore, itis important to note that, this technique does not preventthe rollover attacks and hence has to be combined withrough time-of-flight estimation technique. This furtherincreases the complexity of the system, thereby makingother ranging techniques such as UWB-IR better suitedfor security critical applications.

6 Related Work

In this section, we discuss relevant related work inphysical-layer security of wireless ranging systems be-ginning with the works closest to ours. Physical-layerattacks exploits the physical properties of the radio com-munication system and are therefore independent of anyhigher layer cryptographic protocols implemented. Sev-eral attacks ranging from simply relaying the signal be-tween two legitimate nodes to injecting messages at thephysical layer were demonstrated in the past. Clulow etal. [10] introduced physical-layer attacks such as earlydetect and late commit attacks. In an early detect at-tack, the attacker predicts the data bit before receivingthe entire symbol while in a late commit attack, the at-tacker leverages the ability of the receiver to decode thebit even though the entire symbol has not been correctlyreceived. The feasibility of these attacks on a ISO 14443RFID was demonstrated in [19].

For short and medium-distance precision rangingand localisation, ultra-wide band (UWB) and chirpspread spectrum (CSS) emerged as the most promi-nent techniques [36] and were standardized in IEEE

802.15.4a [22] and ISO/IEC 24730-5 [3]. Flury etal. [14] evaluated the security of impulse radio ultrawide-band PHY layer. The authors demonstrated an ef-fective distance decrease of 140 m for the mandatorymodes of the standard. Poturalski et al. [27, 28] intro-duced the Cicada attack on the impulse radio ultra wide-band PHY. In this attack, a malicious transmitter contin-uously transmits a “1” impulse with power greater thanthat of an honest transmitter. This degrades the perfor-mance of energy detection based receivers resulting indistance reduction and possibly denial of service. Ran-ganathan et al. [30] investigated the security of CSS-based ranging systems and demonstrated that an attackerwould be able to effectively reduce the distance esti-mated by more than 600 m.

To the best of our knowledge, the security ofphase ranging systems have not been evaluatedin literature. However, there have been severalworks [13, 24, 32, 37, 46] that evaluated novel highprecision distance measurement techniques using carrierphase of a signal.

7 Conclusion

In this work, we investigated the security of multicar-rier phase-based ranging systems and demonstrated itsvulnerability to distance decreasing relay attacks. Wedemonstrated both through simulations and real worldexperiments that phase-based ranging is vulnerable to avariety of distance reduction attacks. We showed that anattacker can reduce the distance measured by a multicar-rier phase-based ranging system to any arbitrary valueand thus compromise its security. Specifically, we suc-cessfully reduced the estimated range to less than 3meven though the devices were more than 50 m apart.We discussed possible countermeasures that can make itmore costly and difficult for an attacker. However, thesecountermeasures increase the system complexity, do notfully secure against distance decreasing attacks and canbe easily circumvented by strong attackers.

References

[1] Rf ranging. http://www.rfranging.com/. Ac-cessed: 2016-04-09.

[2] Usrp n210. https://www.ettus.com/. Ac-cessed: 2016-04-09.

[3] ISO/IEC 14443: Identification cards – Contactlessintegrated circuit cards – Proximity cards – Part 2:Radio frequency power and signal interface, 2010.

12

[4] T. E. Abrudan, A. Haghparast, and V. Koivunen.Time synchronization and ranging in ofdm systemsusing time-reversal. IEEE Transactions on Instru-mentation and Measurement, 62(12):3276–3290,2013.

[5] Z. Alliance. Zigbee. Accessed: 2016-04-09.

[6] Atmel. Atmel avr2152: Rtb evaluation applicationsoftware user’s guide. 2013.

[7] P. Bahl and V. N. Padmanabhan. RADAR: an in-building RF-based user location and tracking sys-tem. 2000.

[8] A. Bensky. Wireless positioning technologies andapplications. Artech House, 2007.

[9] S. Brands and D. Chaum. Distance-bounding pro-tocols. In Workshop on the theory and applicationof cryptographic techniques on Advances in cryp-tology, EUROCRYPT ’93, 1993.

[10] J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore.So near and yet so far: Distance-bounding at-tacks in wireless networks. In Security and Pri-vacy in Ad-hoc and Sensor Networks, pages 83–97.Springer, 2006.

[11] M. P. A. Datasheets. Minicircuits products.

[12] R. Exel. Carrier-based ranging in ieee 802.11 wire-less local area networks. In 2013 IEEE Wire-less Communications and Networking Conference(WCNC), pages 1073–1078. IEEE, 2013.

[13] B. D. Farnsworth and D. W. Taylor. High precisionnarrow-band rf ranging. In Proceedings of the 2010International Technical Meeting of The Institute ofNavigation, pages 161–166, 2001.

[14] M. Flury, M. Poturalski, P. Papadimitratos, J.-P.Hubaux, and J.-Y. L. Boudec. Effectiveness ofDistance-Decreasing Attacks Against Impulse Ra-dio Ranging. 2010.

[15] A. Francillon, B. Danev, and S. Capkun. Relay At-tacks on Passive Keyless Entry and Start Systemsin Modern Cars. 2011.

[16] L. Francis, G. Hancke, K. Mayes, and K. Markan-tonakis. Practical nfc peer-to-peer relay attack us-ing mobile phones. In Radio Frequency Identifica-tion: Security and Privacy Issues. 2010.

[17] S. K. S. Gupta, T. Mukherjee, K. Venkatasubrama-nian, and T. B. Taylor. Proximity Based AccessControl in Smart-Emergency Departments. 2006.

[18] D. Halperin, W. Hu, A. Sheth, and D. Wetherall.Tool release: gathering 802.11 n traces with chan-nel state information. ACM SIGCOMM ComputerCommunication Review, 41(1):53–53, 2011.

[19] G. P. Hancke and M. G. Kuhn. Attacks on time-of-flight Distance Bounding Channels. 2008.

[20] M. Hazas, J. Scott, and J. Krumm. Location-awarecomputing comes of age. 2004.

[21] L. IETF. Ipv6 over low power wpan. Accessed:2016-04-09.

[22] The Institute of Electrical and Electronic Engi-neers. IEEE 802.15.4a-2007 Wireless Medium Ac-cess Control (MAC) and Physical Layer (PHY)Specifications for Low-Rate Wireless Personal AreaNetworks (WPANs), 2007.

[23] H. Liu, H. Darabi, P. Banerjee, and J. Liu. Sur-vey of Wireless Indoor Positioning Techniques andSystems. 2007.

[24] R. Miesen, F. Kirsch, P. Groeschel, and M. Vossiek.Phase based multi carrier ranging for uhf rfid.In Wireless Information Technology and Systems(ICWITS), 2012 IEEE International Conference on,2012.

[25] R. Miesen, A. Parr, J. Schleu, and M. Vossiek. 360degree carrier phase measurement for uhf rfid lo-cal positioning. In RFID-Technologies and Appli-cations (RFID-TA), 2013 IEEE International Con-ference on, pages 1–6. IEEE, 2013.

[26] Y. Moon, J. Choi, K. Lee, D.-K. Jeong, and M.-K.Kim. An all-analog multiphase delay-locked loopusing a replica delay line for wide-range operationand low-jitter performance. Solid-State Circuits,IEEE Journal of, 2000.

[27] M. Poturalski, M. Flury, P. Papadimitratos, J.-P.Hubaux, and J.-Y. L. Boudec. The Cicada Attack:Degradation and Denial of Service in IR Ranging.2010.

[28] M. Poturalski, M. Flury, P. Papadimitratos, J.-P.Hubaux, and J.-Y. L. Boudec. Distance Bound-ing with IEEE 802.15.4a: Attacks and Countermea-sures. 2011.

[29] A. Ranganathan, B. Danev, and S. Capkun. Prox-imity verification for contactless access control andauthentication systems. In Proceedings of the 31stAnnual Computer Security Applications Confer-ence, pages 271–280. ACM, 2015.

13

[30] A. Ranganathan, B. Danev, A. Francillon, andS. Capkun. Physical-layer attacks on chirp-basedranging systems. In Proceedings of the fifth ACMconference on Security and Privacy in Wireless andMobile Networks, WISEC ’12, 2012.

[31] A. Ranganathan, N. O. Tippenhauer, B. Skoric,D. Singelee, and S. Capkun. Design and implemen-tation of a terrorist fraud resilient distance bound-ing system. In European Symposium on Researchin Computer Security, pages 415–432. Springer,2012.

[32] J. Rapinski and M. Smieja. Zigbee ranging usingphase shift measurements. Journal of Navigation,2015.

[33] K. B. Rasmussen and S. Capkun. Realization ofrf distance bounding. In USENIX Security Sympo-sium, pages 389–402, 2010.

[34] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun. Proximity-based AccessControl for Implantable Medical Devices. 2009.

[35] M. Roland. Applying recent secure element relayattack scenarios to the real world: Google wallet re-lay attack. Computing Research Repository, 2012.

[36] Z. Sahinoglu and S. Gezici. Ranging in the IEEE802.15.4a Standard. 2006.

[37] D. Salido-Monzu, E. Martin-Gorostiza, J. Lazaro-Galilea, F. Domingo-Perez, and A. Wieser. Mul-tipath mitigation for a phase-based infrared rang-ing system applied to indoor positioning. In IndoorPositioning and Indoor Navigation (IPIN), 2013International Conference on, pages 1–10. IEEE,2013.

[38] J. Schiller and A. Voisard. Location-based services.Elsevier, 2004.

[39] S. Sedighpour, S. Capkun, S. Ganeriwal, and M. B.Srivastava. Distance enlargement and reduction at-tacks on ultrasound ranging. 2005.

[40] A. Springer, W. Gugler, M. Huemer, R. Koller, andR. Weigel. A wireless spread-spectrum communi-cation system using saw chirped delay lines. 2001.

[41] Ubisense Technologies. Ubisense Real-time Loca-tion Systems (RTLS), 2010.

[42] D. Vasisht, S. Kumar, and D. Katabi. Decimeter-level localization with a single wifi access point.In 13th USENIX Symposium on Networked SystemsDesign and Implementation (NSDI 16), pages 165–178, 2016.

[43] Z. Xiang, S. Song, J. Chen, H. Wang, J. Huang, andX. Gao. A wireless LAN-based indoor positioningtechnology. IBM Journal of Research and Devel-opment, 2004.

[44] J. Xiong, K. Sundaresan, and K. Jamieson. Tone-track: Leveraging frequency-agile radios for time-based indoor wireless localization. In Proceedingsof the 21st Annual International Conference on Mo-bile Computing and Networking, pages 537–549.ACM, 2015.

[45] Zebra Technologies. Sapphire Dart Ultra-Wideband (UWB) Real Time Locating System,2010.

[46] Y. Zhang, W. Qi, and S. Zhang. The unambiguousdistance in a phase-based ranging system with hop-ping frequencies. arXiv preprint arXiv:1403.1923,2014.

14