on the security of carrier phase based ranging
play

On the Security of Carrier Phase-based Ranging Hildur Olafsdottir, - PowerPoint PPT Presentation

Nov 16, 2022 •281 likes •807 views

On the Security of Carrier Phase-based Ranging Hildur Olafsdottir, Aanjhan Ranganathan, Srdjan Capkun Importance of Secure Proximity Verification Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 2 Importance of Secure

  1. On the Security of Carrier Phase-based Ranging Hildur Olafsdottir, Aanjhan Ranganathan, Srdjan Capkun

  2. Importance of Secure Proximity Verification Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 2

  3. Importance of Secure Proximity Verification Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 2

  4. Importance of Secure Proximity Verification Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 2

  5. Importance of Secure Proximity Verification Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 2

  6. Importance of Secure Proximity Verification Distance is determined using a variety of methods (e.g., based on received signal strength , time of flight etc.) Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 2

  7. Estimating Distance t tof t p d d = c * (t tof - t p ) / 2 Received Signal Strength (RSS) Time of Flight (ToF) Physical-layer Techniques for Secure Proximity Verification & Localization 3

  8. Attacks on Proximity Systems Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 4

  9. Attacks on Proximity Systems Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 4

  10. Attacks on Proximity Systems Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 4

  11. Attacks on Proximity Systems Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 4

  12. Attacks on Proximity Systems Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 4

  13. Attacks on Proximity Systems No knowledge of the data exchanged is required! Independent of cryptographic primitives Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 4

  14. Multi-carrier Phase Ranging • Cost optimised solution for proximity-based applications • Low-hardware complexity, low-power consumption, high precision • Compliant with prominent standards such as WiFi, ZigBee • Localization schemes* leveraging signal phase information are increasingly becoming popular ‣ 802.11, NB-IoT, LoRa, 5G networks * Vasisht, Deepak, Swarun Kumar, and Dina Katabi. "Decimeter-Level Localization with a Single WiFi Access Point." NSDI 2016. * Xiong, J., Sundaresan, K., Jamieson, K. “Tonetrack: Leveraging frequency-agile radios for time-based indoor wireless localization.” MobiCom 2015. * Exel, R. “Carrier-based ranging in ieee 802.11 wireless local area networks.” IEEE Wireless Communications and Networking Conference (WCNC) 2013. Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 5

  15. Motivation • Implications of distance modification attacks are significant ‣ loss of property to even human life (e.g., IMD access control) • Security of multi-carrier phase ranging has not be analysed yet. ‣ number of prior works on other prominent ranging systems* Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 6

  16. Contributions Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 7

  17. Contributions • Investigate the vulnerability of carrier phase-based ranging system to distance modification attacks ‣ focus on distance reduction attacks ‣ no knowledge of the implemented cryptographic primitive (if any) required Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 7

  18. Contributions • Investigate the vulnerability of carrier phase-based ranging system to distance modification attacks ‣ focus on distance reduction attacks ‣ no knowledge of the implemented cryptographic primitive (if any) required • Three different attack realisations (varying attacker complexity) Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 7

  19. Contributions • Investigate the vulnerability of carrier phase-based ranging system to distance modification attacks ‣ focus on distance reduction attacks ‣ no knowledge of the implemented cryptographic primitive (if any) required • Three different attack realisations (varying attacker complexity) • Experiments show that it is possible to reduce the estimated distance to less than 3 m even though the devices were more than 50 m apart Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 7

  20. Contributions • Investigate the vulnerability of carrier phase-based ranging system to distance modification attacks ‣ focus on distance reduction attacks ‣ no knowledge of the implemented cryptographic primitive (if any) required • Three different attack realisations (varying attacker complexity) • Experiments show that it is possible to reduce the estimated distance to less than 3 m even though the devices were more than 50 m apart 50 m Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 7

  21. Contributions • Investigate the vulnerability of carrier phase-based ranging system to distance modification attacks ‣ focus on distance reduction attacks ‣ no knowledge of the implemented cryptographic primitive (if any) required • Three different attack realisations (varying attacker complexity) • Experiments show that it is possible to reduce the estimated distance to less than 3 m even though the devices were more than 50 m apart < 3 m 50 m Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 7

  22. Phase-based Ranging θ Δ d θ Δ 7 Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 8

  23. Phase-based Ranging θ Δ d θ 2 · f · ( θ c d = 2 π + n ) Δ θ 7 Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 8

  24. Phase-based Ranging θ Δ d θ 2 · f · ( θ c d = 2 π + n ) Δ θ 7 ambiguity! Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 8

  25. Phase-based Ranging f 1 θ θ 1 d = c 4 π · θ 2 − θ 1 Δ f 2 − f 1 d f 2 θ 2 · f · ( θ c d = 2 π + n ) Δ θ θ 2 7 ambiguity! Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 8

  26. Distance Decreasing Relay Attacks Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 9

  27. Distance Decreasing Relay Attacks System Assumption • Two entities, verifier (e.g., car) and a prover (e.g., key) estimate distance using multicarrier phase ranging technology • Verifier and prover implement some form of cryptographic authentication Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 9

  28. Distance Decreasing Relay Attacks System Assumption • Two entities, verifier (e.g., car) and a prover (e.g., key) estimate distance using multicarrier phase ranging technology • Verifier and prover implement some form of cryptographic authentication Attacker Model • Verifier and prover are trusted and assumed to be honest • External attacker tries to reduce the estimated distance between a honest prover and verifier Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 9

  29. Phase slope Rollover Attack d = c 4 π · θ 2 − θ 1 Distance f 1 f 2 − f 1 θ 1 f 2 θ 2 Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 10

  30. Phase slope Rollover Attack d = c 4 π · θ 2 − θ 1 Distance f 1 f 2 − f 1 θ 1 4 π · ∆ θ max c Maximum d max = ∆ f measurable distance f 2 θ 2 Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 10

  31. Phase slope Rollover Attack d = c 4 π · θ 2 − θ 1 Distance f 1 f 2 − f 1 θ 1 0 to 2 π 4 π · ∆ θ max c Maximum d max = ∆ f measurable distance f 2 θ 2 Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 10

  32. Phase slope Rollover Attack d = c 4 π · θ 2 − θ 1 Distance f 1 f 2 − f 1 θ 1 0 to 2 π 4 π · ∆ θ max c Maximum d max = ∆ f measurable distance d max = c 1 f 2 2 · ∆ f θ 2 Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 10

  33. Phase slope Rollover Attack d = c 4 π · θ 2 − θ 1 Distance f 1 f 2 − f 1 θ 1 0 to 2 π 4 π · ∆ θ max c Maximum d max = ∆ f measurable distance d max = c 1 f 2 2 · ∆ f ∆ f = 2 MHz , then d max = 75 m after which distance e.g., rollsover back to 0 θ 2 Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 10

  34. Phase slope Rollover Attack d = c 4 π · θ 2 − θ 1 Distance f 1 f 2 − f 1 θ 1 0 to 2 π 4 π · ∆ θ max c Maximum d max = ∆ f measurable distance d max = c 1 f 2 2 · ∆ f ∆ f = 2 MHz , then d max = 75 m after which distance e.g., rollsover back to 0 θ 2 Attacker leverages this maximum measurable distance property to reduce the estimated distance Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 10

  35. Phase slope Rollover Attack V P θ Δ t θ Δ t t Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 11

  36. Phase slope Rollover Attack 80 V P Measured Distance [m] θ 60 Δ t 40 θ 20 Δ t 0 t 0 0.2 0.4 0.6 0.8 Delay [ 7 s] ∆ f = 2 MHz, then d max = 75 m Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 11

  37. Phase slope Rollover Attack 80 V P Measured Distance [m] θ 60 Δ t 40 θ 20 500 ns Δ t 0 t 0 0.2 0.4 0.6 0.8 Delay [ 7 s] ∆ f = 2 MHz, then d max = 75 m Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 11

Recommend

CAESAR: Carrier Sense-Based Ranging in Off-The-Shelf 802.11 Wireless LAN Domenico Giustiniano and

CAESAR: Carrier Sense-Based Ranging in Off-The-Shelf 802.11 Wireless LAN Domenico Giustiniano and

CAESAR: Carrier Sense-Based Ranging in Off-The-Shelf 802.11 Wireless LAN Domenico Giustiniano and Stefan Mangold Disney Research Zurich, Switzerland Summary Wireless LAN is crucial in navigation systems Current solutions do not meet a

686 views • 36 slides
Electronic Logging Devices Federal Motor Carrier Safety Administration Agenda Are You

Electronic Logging Devices Federal Motor Carrier Safety Administration Agenda Are You

Electronic Logging Devices Federal Motor Carrier Safety Administration Agenda Are You Subject? Exemptions ELD Phase I ELD Phase II How to get Ready ELD Checklist Driver Responsibility Motor carrier Responsibility 2

364 views • 35 slides
Carrier Phase and Symbol Timing Synchronization Saravanan Vijayakumaran sarva@ee.iitb.ac.in

Carrier Phase and Symbol Timing Synchronization Saravanan Vijayakumaran sarva@ee.iitb.ac.in

Carrier Phase and Symbol Timing Synchronization Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay November 2, 2012 1 / 28 The System Model Consider the following

755 views • 28 slides
WHAT: Guaranteed Income Annuity CARRIER PARTNERS: P A R T N E R S Sentinel Security Life

WHAT: Guaranteed Income Annuity CARRIER PARTNERS: P A R T N E R S Sentinel Security Life

WHO: Sentinel Security Life Atlantic Coast Life You WHAT: Guaranteed Income Annuity CARRIER PARTNERS: P A R T N E R S Sentinel Security Life Atlantic Coast Life Founded in 1948 Founded in 1925 Based out of Salt Lake City, UT

339 views • 15 slides
WHAT: Guaranteed Income Annuity CARRIER PARTNERS: P A R T N E R S Sentinel Security Life

WHAT: Guaranteed Income Annuity CARRIER PARTNERS: P A R T N E R S Sentinel Security Life

WHO: Sentinel Security Life Atlantic Coast Life You WHAT: Guaranteed Income Annuity CARRIER PARTNERS: P A R T N E R S Sentinel Security Life Atlantic Coast Life Founded in 1948 Founded in 1925 Based out of Salt Lake City, UT

137 views • 13 slides
WHAT: Guaranteed Income Annuity CARRIER PARTNERS: P A R T N E R S Sentinel Security Life

WHAT: Guaranteed Income Annuity CARRIER PARTNERS: P A R T N E R S Sentinel Security Life

WHO: Sentinel Security Life Atlantic Coast Life You WHAT: Guaranteed Income Annuity CARRIER PARTNERS: P A R T N E R S Sentinel Security Life Atlantic Coast Life Founded in 1948 Founded in 1925 Based out of Salt Lake City, UT

522 views • 16 slides
ARTI SAN CONTRACTOR POLI CY WHO IS UTICA FIRST INSURANCE COMPANY? Regional Carrier based in New

ARTI SAN CONTRACTOR POLI CY WHO IS UTICA FIRST INSURANCE COMPANY? Regional Carrier based in New

ARTI SAN CONTRACTOR POLI CY WHO IS UTICA FIRST INSURANCE COMPANY? Regional Carrier based in New York State, in business since 1903. $ 160 million in Written Premium , AM Best A Rated Standard Lines Carrier, Specializing in BOP ,

42 views • 3 slides
Importer Security Filing and Additional Carrier Requirements 10+2 Program Update CBP Trade

Importer Security Filing and Additional Carrier Requirements 10+2 Program Update CBP Trade

Importer Security Filing and Additional Carrier Requirements 10+2 Program Update CBP Trade Symposium - December 2009 FOR OFFICIAL USE ONLY What is the Security Filing? The Security Filing, commonly known as the 10+2 initiative, is

640 views • 25 slides
On Secure Ranging and Localiza:on Srdjan apkun Department

On Secure Ranging and Localiza:on Srdjan apkun Department

Selected Topics in Physical Layer Security: On Secure Ranging and Localiza:on Srdjan apkun Department of Computer Science ETH Zurich This slide:

891 views • 65 slides
Absolute Ionosphere Slant Delays From Ambiguous Carrier Phase Data Dru A. Smith, Ph.D. National

Absolute Ionosphere Slant Delays From Ambiguous Carrier Phase Data Dru A. Smith, Ph.D. National

Absolute Ionosphere Slant Delays From Ambiguous Carrier Phase Data Dru A. Smith, Ph.D. National Geodetic Survey National Oceanic and Atmospheric Administration ION NTM 2005 January 25, 2005 San Diego, CA Topics of Discussion Motivation

895 views • 64 slides
AHI AHI Car Carrier rier Fz Fzc A CARRIER JOINT VENTURE COMPANY Product Presentation CARRIER

AHI AHI Car Carrier rier Fz Fzc A CARRIER JOINT VENTURE COMPANY Product Presentation CARRIER

AHI AHI Car Carrier rier Fz Fzc A CARRIER JOINT VENTURE COMPANY Product Presentation CARRIER 30AWH Air To Water Heat Pump 2 overview europe, middle east &amp; asia # 8 # 8 factories &amp; design centers # 1 17 factories 07 design

951 views • 51 slides
Rainwater Harvesting and Reuse system CARRIER DOME MELISSA CADWELL Carrier Dome Carrier Dome

Rainwater Harvesting and Reuse system CARRIER DOME MELISSA CADWELL Carrier Dome Carrier Dome

Rainwater Harvesting and Reuse system CARRIER DOME MELISSA CADWELL Carrier Dome Carrier Dome Located in the City of Syracuse Seats approximately 49,262 Host a variety of events Air supported roof 6.5 acre 6.5 million gallons

447 views • 5 slides
Corporate Presentation Who s who, and who is doing what ? A little bit of history 1950 :

Corporate Presentation Who s who, and who is doing what ? A little bit of history 1950 :

Corporate Presentation Who s who, and who is doing what ? A little bit of history 1950 : Carrier Conveyor Corporation 1983 : Carrier Vibrating Equipment 1995 : Carrier Europe ( Nivelles-Sud ) 1998 : Carrier Workshop Shangha

287 views • 16 slides
Green Dolphin a concept design for a new Handysize bulk carrier A joint development project

Green Dolphin a concept design for a new Handysize bulk carrier A joint development project

Green Dolphin a concept design for a new Handysize bulk carrier A joint development project Project phases Phase 1: SDARI, DNV and Wrtsil have worked closely together Phase 2: SDARI will independently prepare basic design

805 views • 10 slides
Importer Security Filing and Additional Carrier Requirements 10+2 Trade Outreach Webinar

Importer Security Filing and Additional Carrier Requirements 10+2 Trade Outreach Webinar

Importer Security Filing and Additional Carrier Requirements 10+2 Trade Outreach Webinar Spring 2010 1 Today s Presentation on 10+2 Overview of the ISF Requirements Program Update Enforcement Strategy Top ISF

278 views • 27 slides
Drafting Motor Carrier Agreements: Anticipating and Addressing Cargo Claims, Carrier Indemnity

Drafting Motor Carrier Agreements: Anticipating and Addressing Cargo Claims, Carrier Indemnity

Presenting a live 90-minute webinar with interactive Q&amp;A Drafting Motor Carrier Agreements: Anticipating and Addressing Cargo Claims, Carrier Indemnity Obligations and More Navigating MAP-21 Legislation, Carrier Safety Performance and

912 views • 64 slides
CTP-543, an Oral JAK Inhibitor, Achieves Primary Endpoint in Phase 2 Randomized,

CTP-543, an Oral JAK Inhibitor, Achieves Primary Endpoint in Phase 2 Randomized,

European Academy of Dermatology and Venereology Annual Congress October 12, 2019 CTP-543, an Oral JAK Inhibitor, Achieves Primary Endpoint in Phase 2 Randomized, Placebo-Controlled Dose-Ranging Trial in Patients with Moderate-to-Severe Alopecia

782 views • 20 slides
IPC Integrated Food Security Phase Classification Strengthening the Food Security Cluster in

IPC Integrated Food Security Phase Classification Strengthening the Food Security Cluster in

IPC Integrated Food Security Phase Classification Strengthening the Food Security Cluster in Bangladesh through strategic technical support Funded by ECHO IPC Acute analysis: Findings of Coastal zone of Bangladesh Prepared by Feroz Ahmed IPC

543 views • 19 slides
Congestion Control in CSMA-based Vehicular Networks: Do Not Forget the Carrier Sensing Razvan

Congestion Control in CSMA-based Vehicular Networks: Do Not Forget the Carrier Sensing Razvan

Congestion Control in CSMA-based Vehicular Networks: Do Not Forget the Carrier Sensing Razvan Stanica, Emmanuel Chaput, Andr-Luc Beylot Institut National Polytechnique de Toulouse IEEE 9th Annual Conference on Sensor, Mesh and Ad Hoc

1.01k views • 29 slides
A 2-Phase Frame-based Knowledge A 2-Phase Frame-based Knowledge Extractjon Framework Extractjon

A 2-Phase Frame-based Knowledge A 2-Phase Frame-based Knowledge Extractjon Framework Extractjon

A 2-Phase Frame-based Knowledge A 2-Phase Frame-based Knowledge Extractjon Framework Extractjon Framework Francesco Corcoglioniti Marco Rospocher, Alessio Palmero Aprosio francesco@corcoglioniti.name Fondazione Bruno Kessler IRST Trento,

423 views • 29 slides
School Bus Terminal Inspection Craig Weaver, Motor Carrier Specialist III Motor Carrier Safety

School Bus Terminal Inspection Craig Weaver, Motor Carrier Specialist III Motor Carrier Safety

School Bus Terminal Inspection Craig Weaver, Motor Carrier Specialist III Motor Carrier Safety Unit Paul Morris Motor Carrier Specialist II PUC Liaison, HOS SME Commercial Vehicle Section CVC 2807 School buses must be inspected by the CHP

383 views • 36 slides
REU/REV Update Paul Curtis and Vitor Weber 1 Project Description Android based acoustic

REU/REV Update Paul Curtis and Vitor Weber 1 Project Description Android based acoustic

REU/REV Update Paul Curtis and Vitor Weber 1 Project Description Android based acoustic ranging application Current Work Paul: 2 device ranging using android devices + calculations in MATLAB Vitor: Device to device communication

273 views • 12 slides
Cobitolimod for Moderate-to-Severe, Left-Sided Ulcerative Colitis (CONDUCT): A Phase 2b,

Cobitolimod for Moderate-to-Severe, Left-Sided Ulcerative Colitis (CONDUCT): A Phase 2b,

Cobitolimod for Moderate-to-Severe, Left-Sided Ulcerative Colitis (CONDUCT): A Phase 2b, Randomised, Double-Blind, Placebo-Controlled, Dose-Ranging Trial Raja Atreya* , Laurent Peyrin Biroulet, Andrii Klymenko, Monica Augustyn, Igor Bakulin,

921 views • 12 slides
CARRIER CARRIER EACCO EACCOUNTI UNTING NG 20 March 2015 Background Willis are a founder

CARRIER CARRIER EACCO EACCOUNTI UNTING NG 20 March 2015 Background Willis are a founder

Willis CARRIER CARRIER EACCO EACCOUNTI UNTING NG 20 March 2015 Background Willis are a founder member of the Ruschlikon Initiative, a community set up in 2008 by a group of global (re)insurance industry players to improve Accounting /

927 views • 8 slides

More recommend