Enhancing Security of HRP UWB Ranging System Based on Channel Characteristic Analysis

Ultra-wideband (UWB) communication is emerging as a prominent technology to enhance the security of proximity verification systems (e.g., passive keyless entry and start systems, financial payment, and user authentication) against signal-relaying attacks. Leveraging the short-duration pulse (1-2 ns) in the physical-layer pulse, UWB communication enables a precise Time-of-Arrival (ToA) measurement for the received frame, which in turn leads to precise distance measurement. The current UWB communication is based on the IEEE 802.15.4z standard, which defines a scrambled timestamp sequence (STS) field that provides a secure ranging capability. However, exploiting the lack of integrity checks in the STS field, recent studies showed that an attacker could maliciously reduce the distance measurement between UWB devices. In this article, we present a distance reduction attack detection method for high-rate pulse repetition frequency (HRP) UWB ranging system. The proposed method analyzes the distribution of the channel impulse response (CIR) computed at the receiver for a ToA measurement. Since IEEE standard-compliant devices measure the ToA based on the CIR, our method can be widely implemented for commercial-off-the-shelf (COTS) devices. Through simulation and real-world experiments, we show that our method can effectively detect distance reduction attacks with a false alarm rate of 1%.