By Omar Yang (Senior Threat Researcher, Automotive)
Ultra-wideband (UWB) technology has gained popularity in recent years. It is heralded as the next generation of keyless technology and promises immunity to attacks that have plagued its predecessors. However, UWB is not new. Its origins trace back to the late 19th century, when Heinrich Hertz generated the first UWB signals through his spark-gap transmitter experiments. UWB technology saw significant advancements throughout the mid to late 20th century, particularly in military applications such as radar systems. This rich history set the stage for UWB’s modern applications, including its transformative impact on automotive security.
In this second installment of our two-part blog series, we examine the integration of UWB into vehicle entry systems, the advantages it brings, the vulnerabilities it might entail, and how to mitigate its security issues.
What is the UWB protocol?
UWB is a wireless communication technology that operates over a wide frequency spectrum, typically between 3.1 and 10.6 GHz. Unlike traditional wireless technologies like Bluetooth and Wi-Fi, which use narrowband signals, UWB transmits data over a broad range of frequencies. This unique characteristic enables UWB to offer distinct advantages, particularly in the realm of precision and security.
UWB works by transmitting short pulses of radio waves across a wide frequency spectrum. These pulses are sent at precisely timed intervals, allowing the receiver to accurately determine the time it takes for each pulse to arrive. By calculating the time difference, UWB can measure the distance between devices with great accuracy. This makes UWB ideal for applications that require precise location tracking and secure communication.
We summarize here the defining features of UWB:
- High precision: UWB can measure distances with centimeter-level accuracy. This is achieved through time-of-flight (ToF) measurements, where the time it takes for a signal to travel from the transmitter to the receiver is used to calculate distance.
- Low interference: Because of its wide frequency range and low power spectral density, UWB experiences minimal interference from other wireless technologies. This ensures reliable communication even in crowded environments.
- High data rates: UWB can support high data transfer rates, making it suitable for applications requiring rapid and large data exchanges.
Because of its advantages, UWB has been used in different industries for various applications. To better understand its uses, we list here several industries where UWB can be found and how it is utilized:
- Automotive industry: UWB is being integrated into vehicle entry systems to enhance security and prevent relay attacks. Its precise distance measurement ensures that a car unlocks only when the authorized key fob or phone key is within a specific range. Examples of its applications include advanced key fobs and smartphone-based entry systems in vehicles like those from Audi and BMW.
- Consumer electronics: Devices like smartphones and smart home systems use UWB for accurate location tracking and secure device-to-device communication. A notable example is Apple’s AirTag, which uses UWB to provide precise location tracking for lost items, ensuring users can find their belongings with pinpoint accuracy.
- Industrial and medical fields: UWB is utilized for real-time location systems (RTLSs) to track assets and personnel with high accuracy, and for medical imaging and monitoring applications.
A closer look at UWB
UWB technology transmits pulse signals rather than sine waves, which are more common in other wireless protocols such as Bluetooth and Wi-Fi. A small pulse duration in the time domain means that the power spectrum in the frequency domain occupies a wide band. In UWB applications, the pulse duration is in the range of nanoseconds or hundreds of picoseconds, with a correspondingly wide bandwidth. For example, a pulse that lasts 2 ns has a frequency bandwidth of approximately 500 MHz. This means that the signal occupies a wide range of frequencies centered around its carrier frequency, with a spread of about 500 MHz. Compared to other common wireless technologies, UWB uses a much wider frequency band. For example, Wi-Fi typically uses 20 to 160 MHz and Bluetooth uses only 20 MHz.
Conventional narrowband communications (e.g., 2G mobile phones) and conventional communications (e.g., Wi-Fi and 3G mobile) operate at higher power levels over narrower bands. UWB wireless communication spans a wide frequency range with significantly lower transmission power.
Figure 1. A comparison of transmission power across various wireless communication technologies
Different methods of ranging and locating
UWB technology offers several precise methods for ranging and locating objects:
- ToF measures the time it takes for a signal to travel from the transmitter to the receiver and directly calculates the distance based on the known speed of the signal. The signals in this instance are electromagnetic and travel at the speed of light.
- Time difference of arrival (TDoA) uses multiple receivers to determine the difference in arrival times of the same signal, allowing for triangulation and highly accurate positioning.
- Phase difference of arrival (PDoA) or angle of arrival (AoA) uses UWB devices with multiple antennas that receive the same signal, resulting in a phase difference between the received signals at the antennas. This phase difference is used to calculate the relative location and distance of the transmitter.
- Two-way ranging (TWR) involves the exchange of signals between devices, measuring the round-trip time to determine distance. A variant of this is double-sided TWR (DS-TWR), where at least three messages are transmitted instead of only two for TWR. This approach has the advantage that both anchor and tag can calculate the distance between them.
Each method leverages UWB’s high temporal resolution to achieve precise and reliable location tracking, making UWB suitable for applications requiring high accuracy.
In the following figures, the goal is to determine the location of the tag using different ranging and locating methods.
For ToF, the tag transmits a UWB frame that carries, as its payload, the time at which the frame is sent (t1). The anchor receives the frame at t2 and calculates the ToF as t2 − t1.
Figure 2. The ToF method of calculating the location of the tag
For TDoA localization, the tag transmits a signal that reaches each anchor at different times because of the varying distances between the tag and the anchors. By measuring the time differences between when the signal arrives at pairs of anchors, a hyperbola can be calculated. The location of the tag is determined by finding the intersection point of at least three such hyperbolas.
Figure 3. The TDoA method of determining the location of the tag
In the PDoA or AoA method, the tag transmits a signal that is received by multiple antennas on an anchor. The location of the tag can be accurately calculated by getting the phase difference of the same signal at different antennas and knowing the distance between the antennas.
Figure 4. The PDoA or AoA method of calculating the location of the tag
The TWR method improves upon the ToF method by eliminating the need for synchronization between the anchor and the tag, relying solely on timestamps from one device. The anchor transmits a message that the tag receives after the propagation time or the ToF. The tag then responds after a fixed reply time, which is included in the packet. The anchor can then calculate the ToF from the round-trip time (RTT), using the known reply time.
Figure 5. The TWR method of calculating the location of the tag
The DS-TWR method is similar to the TWR method, but the anchor replies to the tag, allowing the tag to calculate the RTT and determine its distance from the anchor.
Figure 6. The DS-TWR method of calculating the location of the tag
Why UWB is immune to relay attacks
As previously described in the first installment of our two-part blog series, relay attacks occur when the signal between a key fob and a car is extended via a “tunnel” created by a pair of radio devices controlled by an attacker. This is possible because the communication between a car and its key fob is usually not time-sensitive. However, UWB technology is largely immune to relay attacks thanks to its high temporal resolution and precise ToF measurements. The precision of UWB ensures that any attempt to relay the signal results in a noticeable time discrepancy. Cars equipped with UWB can easily identify that the key is out of range by calculating the time difference between the signal transmitted by the key fob and received by the car.
To illustrate how UWB technology can prevent a relay attack, we provide an example. In this scenario, we assume that the car involved can be unlocked when the distance between the car and its key fob is less than 1 meter. The car is parked 5 meters away from a thief who is trying to relay the key fob signal.
ToF when unlocking from 1 meter:
$$\mathrm{ToF}_{1\,\mathrm{m}} = \frac{1\ \mathrm{m}}{3 \times 10^{8}\ \mathrm{m/s}} \approx 3.33\ \mathrm{ns}$$
ToF from 5 meters away:
$$\mathrm{ToF}_{5\,\mathrm{m}} = \frac{5\ \mathrm{m}}{3 \times 10^{8}\ \mathrm{m/s}} \approx 16.67\ \mathrm{ns}$$
The threshold for unlocking the car within 1 meter is around 3.33 ns, while the signal travels 16.67 ns to arrive at the car. UWB systems can easily detect this discrepancy. Therefore, the signal is rejected because the arrival time is about 5 times longer than the threshold, indicating that the key is not within the expected range.
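The range check in this scenario, written out for the TWR method described earlier, as an added example that is not code from the article or from any vehicle vendor. The reply time, the relay latency and the function names are constructed for illustration; the 1 m unlock range, the 5 m path and the rounded speed of light come from the scenario above.

```python
C_M_PER_NS = 0.3        # speed of light, rounded to 3 x 10^8 m/s as in the article
UNLOCK_RANGE_M = 1.0    # unlock range from the article's scenario
REPLY_NS = 200_000.0    # constructed value: fixed reply time reported by the key fob


def anchor_timestamps(path_m, relay_latency_ns=0.0):
    """Simulate the car's (t_tx, t_rx) in ns for one TWR exchange.

    path_m is the one-way radio path length; relay_latency_ns is the
    per-direction processing delay of a relay (0 for a direct link).
    """
    one_way = path_m / C_M_PER_NS + relay_latency_ns
    t_tx = 0.0
    return t_tx, t_tx + one_way + REPLY_NS + one_way


def measured_distance_m(t_tx, t_rx, reply_ns=REPLY_NS):
    """Car-side TWR: ToF = (RTT - reply time) / 2, distance = ToF * c."""
    tof_ns = ((t_rx - t_tx) - reply_ns) / 2.0
    return tof_ns * C_M_PER_NS


def should_unlock(t_tx, t_rx):
    """Unlock only if the measured distance is inside the unlock range."""
    return measured_distance_m(t_tx, t_rx) <= UNLOCK_RANGE_M


# Constructed scenarios: (label, one-way path in m, relay latency per direction in ns)
SCENARIOS = [
    ("fob next to the door", 0.8, 0.0),
    ("relayed fob, 5 m path, ideal relay", 5.0, 0.0),
    ("relayed fob, 5 m path, 50 ns relay", 5.0, 50.0),
]

if __name__ == "__main__":
    for label, path_m, latency in SCENARIOS:
        ts = anchor_timestamps(path_m, latency)
        print(f"{label}: {measured_distance_m(*ts):.2f} m, unlock={should_unlock(*ts)}")
```

Relay processing time only ever adds to the round-trip time, so in this model a relayed fob is measured as at least as far away as the real radio path.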
How UWB can be attacked
If UWB is immune to relay attacks, is it immune to other forms of attack? Despite the features UWB provides, UWB itself is not bulletproof.
Researchers from GoGoByte demonstrated an attack on UWB named “UWB accurate deafening.” They wanted to see if it would be possible to cause message collisions by recording the signal of an initiator and its responder, and then sending malicious packets within the expected time frame. In their experiments, the researchers successfully disrupted the ranging function between an iPhone and an AirTag. When attacking the initiator, the attack device is placed close to the initiator to sniff the signal. By sending fake messages at the right time, the initiator would not be able to resolve messages from the intended responder correctly.
Figure 7. UWB accurate deafening attack on a vehicle entry system
Such an attack can cause denial of service (DoS) on a vehicle’s entry system if UWB is mandated in the passive keyless entry with start (PKES) system. However, if real-time ranging is not required when unlocking the car or when the PKES can be executed without UWB, car thefts can still happen.
How to mitigate attacks targeting UWB
Attacks such as UWB accurate deafening can be successfully executed mainly because the timings of the messages can be easily predicted. To mitigate these attacks, a random delay can be introduced between the signal received and the signal transmitted. In this way, only the initiator and the responder can expect authentic messages from each other, while messages sent by an attacker will fall outside the designed time frame and thus be ignored. As illustrated in the diagrams in Figure 8, if the response time is unpredictable to the attacker, the attacker will send the messages either sooner or later than the authentic ones.
Figure 8. Introducing a random delay to mitigate attacks on the UWB protocol
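A model of the receive window behind this mitigation, as an added example that is not code from the article or from any UWB stack. It assumes the initiator and responder derive each round's reply delay from a shared session key with HMAC-SHA256, which the article does not specify; all constants and names are constructed.

```python
import hashlib
import hmac

BASE_REPLY_NS = 200_000   # assumed fixed reply time of the unprotected scheme
JITTER_SPAN_NS = 50_000   # assumed range of the added per-round delay
MAX_TOF_NS = 10           # assumed largest one-way ToF still accepted (about 3 m)
TOLERANCE_NS = 2          # assumed timestamping tolerance


def reply_delay_ns(key: bytes, round_no: int, randomized: bool) -> int:
    """Reply delay for one round; both sides compute it from the shared key."""
    if not randomized:
        return BASE_REPLY_NS
    mac = hmac.new(key, round_no.to_bytes(8, "big"), hashlib.sha256).digest()
    return BASE_REPLY_NS + int.from_bytes(mac[:4], "big") % JITTER_SPAN_NS


def in_window(key, round_no, t_tx_ns, t_rx_ns, randomized):
    """Initiator side: a frame counts only inside this round's receive window."""
    earliest = t_tx_ns + reply_delay_ns(key, round_no, randomized) - TOLERANCE_NS
    latest = earliest + 2 * MAX_TOF_NS + 2 * TOLERANCE_NS
    return earliest <= t_rx_ns <= latest


def simulate(rounds, randomized, key=b"constructed-demo-key", tof_ns=3):
    """Count frames that land in the window: (genuine, timing-predicted)."""
    genuine = predicted = 0
    for n in range(rounds):
        t_tx = n * 1_000_000
        # Genuine responder knows the key and uses this round's delay.
        t_genuine = t_tx + 2 * tof_ns + reply_delay_ns(key, n, randomized)
        # Frame timed from the observed fixed reply time, without the key.
        t_predicted = t_tx + 2 * tof_ns + BASE_REPLY_NS
        genuine += in_window(key, n, t_tx, t_genuine, randomized)
        predicted += in_window(key, n, t_tx, t_predicted, randomized)
    return genuine, predicted


if __name__ == "__main__":
    print("fixed delay     :", simulate(200, randomized=False))
    print("randomized delay:", simulate(200, randomized=True))
```

With a fixed delay, every frame timed from observation lands in the window; with the keyed delay, the genuine responder still lands in every window while the predicted timing almost never does.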
In our previous blog entry, we reviewed the past versions of vehicle entry systems leading up to the use of UWB. Each version was susceptible to some form of attack. Similar to that article, this second installment emphasizes how security should be an important consideration in implementing UWB in vehicles, as by itself it is not an absolute defense against vehicle theft and other forms of entry system attacks.