\floatsetup

[table]capposition=top

Channel Reciprocity Based Attack Detection for Securing UWB Ranging by Autoencoder

1Wenlong Gou, 1Chuanhang Yu, 1Juntao Ma, 1Gang Wu, 2Vladimir Mordachev {gouwenlong, chuanhangyu, juntaoma}@std.uestc.edu.cn,
wugang99@uestc.edu.cn (corresponding author), mordachev@bsuir.by 1 National Key Laboratory of Wireless Communications,
University of Electronic Science and Technology of China, Chengdu, China
2 Belarusian State University of Informatics and Radioelectronics

Abstract

A variety of ranging threats represented by Ghost Peak attack have raised concerns regarding the security performance of Ultra-Wide Band (UWB) systems with the finalization of the IEEE 802.15.4z standard. Based on channel reciprocity, this paper proposes a low complexity attack detection scheme that compares Channel Impulse Response (CIR) features of both ranging sides utilizing an autoencoder with the capability of data compression and feature extraction. Taking Ghost Peak attack as an example, this paper demonstrates the effectiveness, feasibility and generalizability of the proposed attack detection scheme through simulation and experimental validation. The proposed scheme achieves an attack detection success rate of over 99% and can be implemented in current systems at low cost.

Index Terms:

Ultra-Wideband, channel reciprocity, Channel Impulse Response, autoencoder

I Introduction

Ultra-Wideband (UWB) characterized by high resistance to multipath fading[1] and low power consumption offers centimeter-level ranging precision, which has garnered significant attention in various fields such as keyless car entry and mobile payment[2, 3]. Despite the new release of IEEE 802.15.4z standard in 2020 which has enhanced the accuracy and security of ranging by introducing Scrambled Timestamp Sequence(STS) encrypted by the Advanced Encryption Standard (AES)[4] , ranging security remains a critical consideration. For the IEEE 802.15.4a protocol, Poturalski et al. [5] proposed the Cicada attack that continuously injects UWB pulses into the receiver during the legitimate transmission of the preamble, in addition to the Early Detection/Late Commitment (ED/LC) attack scheme that leverages the predictability of the signal structure within the preamble[6]. Targeting the IEEE 802.15.4z protocol, the Cicada++ attack executes the distance attack by transmitting pseudo-random STS signals to alter the timestamps of received signals, whereas the Adaptive Injection Attack (AIA) can further refine the attack precision by controlling the placement of injected attack signals[7]. Patrick Leu et al. [8] conducted the Ghost Peak attack achieving a success rate of up to 4% on commercially available Apple U1 and Qorvo UWB chips. In [9], Claudio Anliker et al. also proposed and demonstrated the Mix-Down attack, which exploits the clock drift of transceivers.

To defend against these distance attacks, there are some methods that have been proposed, e.g., a ranging scheme combining Time of Flight (TOF) and Received Signal Strength (RSS) is proposed in [10], aiming to effectively mitigate distance fraud. Additionally, Chen H et al. [11] designed the UnSpoof UWB localization system capable of pinpointing the position of both the attacker and the legitimate device, and Kiseok Kim et al. [12] proposed a UWB localization system for vehicles based on Directed-Acyclic Graph (DAG) structure to enhance security. However, how to efficiently detect attacks in the process of UWB secure ranging is also an urgent problem that is often neglected.

It is worth noting that attacks such as Ghost Peak require sniffing in advance of the attack, and attacks like Cicada require constant attempts to succeed. Therefore, effective detection of attacks is crucial for enhancing the security performance of UWB systems. In [13], Mridula Singh presented a novel modulation technique to detect distance enlargement attacks relying on the interleaving of pulses of different phases. Kyungho Joo et al. [14] achieved an attack detection success rate of 96.24% by leveraging the consistency of cross-correlation results between the sub-fields of STS and local templates. Towards the upcoming IEEE 802.15.4ab protocol, Li Sun et al. [15] proposed an integrity protection mechanism based on time-reversal to detect interference, and they also suggested adding a new STS configuration to support integrity protection. Nevertheless, most of the defense schemes against distance attacks modify the established UWB physical layer standards to a large extent, increasing the expenses of practical deployments [16].

The UWB channel provides more possibilities for attack detection. Previously, the security and robustness of secret key generation method using UWB channels have been investigated in [17]. Furthermore, Philipp Peterseil et al. presented a trustworthiness score based on autoencoders trained on Channel Impulse Response (CIR), which could remarkably improve ranging accuracy in [18]. Inspired by the aforementioned work, this paper proposes an attack detection scheme utilizing channel reciprocity and autoencoders, which could enhance the security performance of the existing UWB system effectively. Different from above work, the proposed scheme achieves a low complexity end-to-end attack detection based on existing standards by using only the encoder module of the autoencoder which is trained for CIR feature extraction in the offline training phase. Our main contributions can be summarized as follows:

•

The channel reciprocity in UWB ranging process is analysed, and based on the analysis an attack detection scheme by comparing the CIR of both ranging sides is proposed, which achieves the high reliability of UWB ranging and maintains the current physical layer specification. The feasibility of the proposed scheme is validated through simulation and experiments.
•

Leveraging the designed autoencoder with a high capacity of data compression trained on simulation data only, the proposed attack detection scheme offers a relatively low cost for transmission, and the generalizability of the scheme is validated through practical deployment.

II System Model and problem Formulation

II-A Classic UWB Ranging Model

Classic UWB ranging methods primarily consist of Single Side-Two Way Ranging (SS-TWR) and Double Side-Two Way Ranging (DS-TWR). Compared with the simple SS-TWR, the DS-TWR method where both the transmitter and receiver exchange a total of three ranging messages can effectively alleviate the impacts of clock drift and other factors[19]. The distance can be estimated as:

d=c\cdot T_{\text{prop}}=\frac{T_{\text{{round}}_{\text{1}}}\times T_{\text{{% round}}_{\text{2}}}-T_{\text{{ reply}}_{\text{1}}}\times T_{\text{{ reply}}_{% \text{2}}}}{T_{\text{{ round}}_{\text{1}}}+T_{\text{{ round}}_{\text{2}}}+T_{% \text{{reply}}_{\text{1}}}+T_{\text{{ reply}}_{\text{2}}}}c,

(1)

where the time intervals $T_{\text{{round}}_{\text{1}}}$ , $T_{\text{{round}}_{\text{2}}}$ , $T_{\text{{ reply}}_{\text{1}}}$ , $T_{\text{{ reply}}_{\text{2}}}$ are shown in Fig. 1, $c$ refers to the speed of light.

The reception timestamps used for calculating the time intervals are obtained through STS cross-correlation:

t_{i}=g_{\text{LE}}(\boldsymbol{s_{\text{STS}}},\boldsymbol{s^{\prime}_{\text{% STS}}}),i\in\mathbb{M},

(2)

where the optional message set $\mathbb{M}$ is $\{\text{Poll},\text{Response},\text{Final}\}$ , $\boldsymbol{s_{\text{STS}}}$ and $\boldsymbol{s^{\prime}_{\text{STS}}}$ denote loacl STS and received STS respectively, $g_{\text{LE}}(\cdot,\cdot)$ denotes the leading edge detection algorithm based on the Back-Search Time Window (BTW) [7]. This detection algorithm is primarily determined by two thresholds: the Maximum Peak to Early Peak Ratio (MPEP) , indicating the ratio between the main path and the first path, and the Peak to Average Power Ratio (PAPR), representing the ratio between peak and average power. Only when both thresholds are satisfied can it be identified as the first path.

The attack detection scheme proposed in this paper is suitable for a wide range of distance attacks, with the Ghost Peak attack used as an illustrative example. During the reception of the Response or Final message of the legitimate devices, the attacker transmits an attack signal in which the STS segment, whose power is significantly higher than the legitimate signal, is forged by the attacker. These attack signals can alter the timestamps $t_{i}$ obtained through the leading edge detection algorithm $g_{\text{LE}}$ , resulting in a shortened measured distance $d$ [8]. The primary process of the Ghost Peak attack is depicted in Fig. 1 (taking the attack on the Response as an example).

Refer to caption — Figure 1: The principle of DS-TWR and Ghost Peak attack

II-B Improved Integrity check Ranging Model for security

The absence of a detection step for intentional attacks in existing UWB ranging methods makes both ranging sides continue the ranging process completely all the time even if the measured results are obviously wrong (e.g. excessively drastic changes), which also increases the risk of successful attacks and system power consumption. We improve the existing model to enhance its resistance to attacks by adding two modules, i.e., feature extraction and integrity check.

As shown in Fig. 2, after the Responder receives the first Poll message, it performs CIR estimation using preamble and STS respectively:

\boldsymbol{h_{j}}=g_{\text{CIR}}(\boldsymbol{s_{j}},\boldsymbol{s^{\prime}_{j% }}),j\in\mathbb{S},

(3)

where the optional sequence set $\mathbb{S}$ is {preamble, STS}, $g_{\text{CIR}}(\cdot,\cdot)$ represents CIR estimation function in transceivers, $s_{j}$ and $s^{\prime}_{j}$ denote local templates and received signals. Here we add the feature extraction step utilizing the precise CIR $\boldsymbol{h_{\text{STS}}}$ generated from STS segments. In addition, the Initiator also captures the channel features after receiving the second ranging message. Furthermore, we design an integrity checking mechanism to determine the state of the system (i.e. Normal or Attacked) at that time as a basis to decide whether the ranging process should continue or not. The system judged to be under attack will sound an alarm and enter the suspended state, in which the Initiator decides whether to continue ranging.

II-C Problem Formulation

Depending on the application scenario, the implementer of the attack detection can be either the Initiator or Responder during the ranging process. Given an observation $\boldsymbol{h^{m}_{\text{STS}}}\in\Gamma$ $(m\in\{\text{Initiator},\text{Responder}\})$ over the observation space $\Gamma$ of both ranging sides, attack detection can be regarded as a binary hypothesis testing problem, in which the observations may be derived from two possible hypotheses (Normal or Attacked), denoted by $H_{0}$ and $H_{1}$ . The decision $\psi(\boldsymbol{h^{m}_{\text{STS}}})$ is made based on the partition of $\Gamma$ :

\psi{(\boldsymbol{h^{m}_{\text{STS}}})}=\left\{\begin{matrix}{D_{1},~{}% \boldsymbol{h^{m}_{\text{STS}}}\in R_{0}~{}}\\ {D_{2},~{}\boldsymbol{h^{m}_{\text{STS}}}\in R_{1}},\end{matrix}\right.

(4)

where $D_{1}$ and $D_{2}$ denote the decision of attacked and normal respectively, while $R_{0}$ and $R_{1}$ denote the partition area of $\Gamma$ . The design of the attack detection aims to find an efficient partition of observation space $\Gamma$ .

The evaluation metrics of attack detection scheme are generally the probability of false alarm $P_{\text{fa}}$ and miss detection $P_{\text{m}}$ , which represent the conditional probabilities $p(D_{1}|H_{0})$ and $p(D_{0}|H_{1})$ , respectively.

III Attack Detection Scheme Design

III-A Attack Detection Procedure Based on Channel Reciprocity

Channel reciprocity refers to the fact that when both communication ends carry out signal transmission, the transmission characteristics of the channel remain consistent within a specified time window, regardless of the direction of transmission. During a complete DS-TWR ranging process, it is assumed that the Poll message from the Initiator and the Response message from the Responder experience the identical channel fading, which also reflects the assumption of ToF invariance.

Input:

f_{\varphi}\left(\bullet\right)

Q_{q}\left(\bullet\right)

Output: state

1while Receive Poll do

2 Gain

\boldsymbol{h_{\text{IR}}[n]}

;

3 Calculate

\boldsymbol{p}_{\text{IR}}

via (7);

4 Embed

\boldsymbol{p}_{\text{IR}}

in Payload of Response;

5 Send Response;

7 end while

8while Receive Response do

9 Gain

\boldsymbol{h_{\text{RI}}[n]}

\boldsymbol{h_{\text{IR}}[n]}

;

10 Calculate

\boldsymbol{p}_{\text{RI}}

via (8);

11 for k=1,2,…, $K_{p}$ do

12 Compare

{{p}_{\text{IR}}^{k}}

and

{{p}_{\text{RI}}^{k}}

;

13 if ${p}_{\emph{IR}}^{k}$ $\neq$ ${p}_{\emph{RI}}^{k}$ then

d=d+1

15 end if

17 end for

18 if $d\left({\boldsymbol{p}_{\emph{IR}},\boldsymbol{p}_{\emph{RI}}}\right)\geq T$ then

19 state= Attacked

20 else

21 state= Normal

22 end if

24 end while

Procedure 1 Attack detection

In the standard ranging process, both the Initiator and Responder have the process of channel estimation, i.e., both sides involve Channel Impulse Response (CIR). Utilize the autoencoder to decrease the data dimension of the CIR on both transmitter and receiver sides, mapping the lengthy data vector into a concise feature vector. The mapping process is:

\boldsymbol{s}=f_{\varphi}(\boldsymbol{h[n]}),

(5)

where $\varphi$ denotes the coefficients of the encoder module in the autoencoder and $\boldsymbol{h[n]}$ denotes the input CIR sequence.

Further quantify the extracted low-dimensional feature:

\boldsymbol{p}=Q_{q}\left(\boldsymbol{s}\right),

(6)

where $Q(\cdot)$ denotes the quantization process and $q$ denotes the quantity of quantization bits.

Without loss of generality, it is assumed that the attacker attacks the Response message. In a complete DS-TWR process, the Responder estimates the CIR $\boldsymbol{h_{\text{IR}}[n]}$ at this time after receiving the Poll message. Subsequently, the Responder sends $\boldsymbol{h_{\text{IR}}[n]}$ to the autoencoder for encoding, followed by quantization to obtain $\boldsymbol{p}_{\text{IR}}$ :

\boldsymbol{p}_{\text{IR}}=Q_{q}(f_{\varphi}(\boldsymbol{h_{\text{IR}}\left[n% \right]})).

(7)

The Response message containing $\boldsymbol{{p}_{\text{IR}}}$ is then transmitted by the Responder within the Payload field[4]. Upon receiving the Response message, the Initiator demodulates the Payload field to retrieve $\boldsymbol{{p}_{\text{IR}}}$ as well as performs similar operations as the Responder to acquire $\boldsymbol{{p}_{\text{RI}}}$ :

\boldsymbol{p}_{\text{RI}}=Q_{q}(f_{\varphi}(\boldsymbol{h_{\text{RI}}\left[n% \right]})).

(8)

Then each bit ${p}_{\text{IR}}^{k}$ and ${p}_{\text{RI}}^{k}$ are individually compared to calculate the Hamming distance between $\boldsymbol{{p}_{\text{IR}}}$ and $\boldsymbol{{p}_{\text{RI}}}$ . Ultimately, by comparing this distance with the preset judgment threshold ${T}$ (which can be established through simulation or practical measurement), the attacks can be detected:

\left\{{\begin{matrix}{d({\boldsymbol{p}_{\text{IR}},\boldsymbol{p}_{\text{RI}% }})\geq{T},\text{Attacked state}}\\ {d({\boldsymbol{p}_{\text{IR}},\boldsymbol{p}_{\text{RI}}})\textless{T},\text{% Normal state}},\end{matrix}}\right.

(9)

where $d(\cdot,\cdot)$ denotes the Hamming distance. The observation space $\Gamma$ is partitioned into two regions through (9). The process of the proposed attack detection scheme is summarized in Procedure 1.

III-B Attack Detection Principles Using Autoencoders

UWB Channel features such as Received Signal Power to First Path Power level ratio, mean excess delay spread, kurtosis, etc., can be directly used to identify the Line of Sight (LOS) and Non-Line of Sight (NLOS) channel[20]. However, in order to prevent attackers from using these obvious features to pass the integrity check and to extract the most representative features of the channel, this paper selects neural networks for feature extraction.

The autoencoder is one of the most widely used self-supervised neural network structures for data compression and feature extraction, which can extract the most critical features by reproducing the original data[21]. To reduce transmission consumption, We use the autoencoder to encode the CIR to extract its low-dimensional features and the CIRs of both sides exhibit similar characteristics due to the consistency of the channel. Meanwhile, since the attacker’s signal reaches the receiver through a distinct channel, the attack can be detected by contrasting the CIR features of both legitimate sides. Thus, the autoencoder is only fed by the CIRs in the unattacked situation for training.

The structure of the Multilayer Perceptron (MLP) autoencoder designed in this paper is shown in Fig. 3. On the other hand, it is essential to reasonably select the number of encoded feature dimensions and the corresponding quantization bits in order to facilitate transmission.

III-C Complexity Analysis

The complexity of the proposed attack detection scheme is primarily determined by the autoencoder. Therefore, this subsection concentrates on analyzing the complexity of the designed autoencoder, including time complexity and space complexity. Time complexity is quantified by the count of Floating-Point Operations (FLOPs) and space complexity is measured by the aggregate count of model parameters.

The time complexity $c_{\text{time}}$ and space complexity $c_{\text{space}}$ of the autoencoder can be expressed as:


$\displaystyle c_{\text{time}}$	$\displaystyle=\sum_{d=1}^{D}{\left(2I_{d}-1\right)\times\ J_{d}}+\sum_{d=1}^{D% -1}J_{d},$	(10a)
$\displaystyle c_{\text{space}}$	$\displaystyle=\sum_{d=1}^{D}{\left(I_{d}+1\right)\times\ J_{d}},$	(10b)

where $D$ denotes the depth of the autoencoder, i.e., the quantity of fully connected layers, $I_{d}$ and $J_{d}$ denote the input and output dimensions of each fully connected layer, respectively.

IV Numerical Simulation Evaluation and Experimental Validation

This section shows the simulation evaluation results of the proposed attack detection scheme, and we also conducted practical validation of its effectiveness using the commercial chip DW3110. The parameter configurations for the legitimate signal and attack signals are detailed in Table I.

TABLE I: Configurations for legitimate and attack signals

Parameter	legitimate signals	attack signals
mode	BPRF	BPRF
Preamble spreading factor	4	9
Preamble code index	9	9
SFD number	0	0
modulation	BPSK+BPM	BPSK+BPM
Payload encoding	RS &convolution	RS &convolution
samples of per pulse	4	4
Preamble duration	64	64
STS segment length	64	64

The receiver structure is not explicitly specified in the IEEE 802.15.4z standard. In this paper, after shaping filtering and sampling on the received signal, the local SHR and STS fields are employed to correlate with the processed signal to search for the first path using the leading-edge detection algorithm described in Section II. The length of BTW is fixed at 400 samples (with a sampling rate of 2 GHz), MPEP is set to 0.5 and PAPR is set to 2. The RAKE receiver architecture is employed for receiving the PHR and Payload fields. What’s more, all simulations in this paper are performed with a distance of 10 m between the devices and an attack is considered successful if the ranging result is below 5 m.

IV-A Numerical Simulation Evaluation

Let $\alpha_{\text{t}}$ denote the threshold coefficient ( $0<\alpha_{\text{t}}<1$ ) and $T_{\text{H}}$ denote the Hamming distance between the quantified CIR features of both sides without attacks, then they are related to the preset judgment threshold $T$ as follows:

T=\alpha_{\text{t}}\cdot T_{\text{H}}

(11)

Adopting the indoor LOS channel model specified in the IEEE 802.15.4 standard, the CIRs of both sides in the normal ranging process (a total of 20,000 pairs) are divided into a training set and a test set at a ratio of 9:1. Through simulation analysis, the input dimension, output dimension, number of quantization bits and threshold coefficient in the attack detection scheme finalized in this paper are 700, 32, 4 and 0.5, respectively.

Fig. 4 illustrates the impact of various parameters on the performance of attack detection. It shows that the input dimension has a minor effect on the false alarm probability, whereas the miss detection probability decreases significantly as the input dimension increases. There is a positive correlation between the output dimension and performance, aligning with the anticipated outcome that a higher number of output features facilitates differentiation between CIRs of normal and attacked state. Nevertheless, larger output dimensions imply higher costs and an elevated risk of overfitting, which requires a trade-off between performance and complexity.

As shown in Fig. 4(c), a gradual rise in false alarm probability and a decline in miss detection probability are observed with the increase of quantization bits. A higher number of quantization bits lead to more total bits of extracted feature data, which results in the Hamming distance between $\boldsymbol{p}_{\text{IR}}$ and $\boldsymbol{p}_{\text{RI}}$ is more likely to be larger than the preset threshold. Fig. 4(d) illustrates how the threshold impacts detection performance, aligning with the general knowledge that raising the threshold decreases false alarm probability but increases miss detection probability.

Furthermore, the time and space complexity of the designed scheme are 1,670,692 FLOPs and 838,180 parameters, as calculated from (10a) (10b), respectively.

Adopting the proposed attack detection scheme, we simulated 10,000 DS-TWR ranging processes under Ghost Peak attack with various parameter configurations. We conducted statistical calculations for the success probability of attack $P_{\text{s}}$ , the probability distribution of ranging error $P_{\text{r}}$ and false alarm probability $P_{\text{fa}}$ . The obtained results are shown in Fig. 5. The SIR in Fig. 5 represents the ratio of STS power of the legitimate signal to the attack signal, while SNR denotes the signal-to-noise ratio in the environment. The results indicate that the proposed scheme can effectively detect attacks. Fig. 5(a) shows that the success probability of attack detection can exceed 99% with 4 quantization bits and surpass 95% with 2 quantization bits. Fig. 5(b) illustrates the probability distribution curve of ranging error, showing that the proposed scheme can effectively reduce ranging error in a large extent, and the result when using 4-bit quantization is slightly better than 1-bit quantization. Fig. 5(c) depicts the curve of false alarm probability with respect to SNR. Whereas the false alarm probability with SNR has little difference, it tends to increase to some extent as the power of the attack signal decreases. This may be attributed to the insufficient power of the attack signal, resulting in an insufficient distinction in the CIR between both sides, thereby increasing the false alarm probability.

IV-B Experimental Validation

We utilized the commercial ranging device equipped with the DW3110 chip to build a Ghost Peak attack scenario. The attack detection model, obtained by offline training using simulation data, was practically deployed to validate the proposed scheme in an indoor 10m test environment, as shown in Fig. 6. The STS mode of the chip was switched to the SDC mode which is more likely to be attacked successfully[22], with the statistically measured results shown in Table II.

TABLE II: The result of practical validation

Befor detection	After detection
$P_{\text{s}}$	$P_{\text{fa}}$	$P_{\text{m}}$	$P_{\text{s}}$
60.067%	2.4%	0.075%	0.045%

In terms of listed results, it is evident that the proposed attack detection scheme performs satisfactorily in the practical scenario. The proposed scheme is able to detect attacks with a successful probability of nearly 99% while maintaining a low false alarm probability, which further validates the feasibility and generalizability of the designed model.

V Conclusion

Leveraging the principle of channel reciprocity and an autoencoder with capability of data compression and feature extraction, this paper proposes an attack detection scheme that compares the CIR characteristics of both sides. The transmission consumption is greatly reduced by incorporating the quantization process. In the meanwhile, the scheme is able to be relatively compatible with existing UWB systems by means of offline training and online deployment. We also evaluated and validated the effectiveness of the scheme through simulation and practical experiments. Furthermore, other factors (e.g. channel variation and threshold update) can be jointly considered to optimise the performance of the proposed scheme in future work.

References

[1] M. Z. Win, R. A. Scholtz, and M. A. Barnes. “Ultra-wide bandwidth signal propagation for indoor wireless communications,” in Proc. Int. Conf. Commun. (ICC), Vol. 1, Jun. 1997, pp: 56-60.
[2] Car Connectivity Consortium, “CCC digital key release 3.0 whitepaper,” 2022. [Online]. Available: https://carconnectivity.org/whitepapers/
[3] D. Coppens, A. Shahid, S. Lemey, B. V. Herbruggen, C. Marshall, and E. D. Poorter, “An overview of UWB standards and organizations(IEEE 802.15.4, FiRa, Apple): Interoperability aspects and future research directions,” IEEE Access, Vol. 10, pp. 70 219–70 241, Jun 2022.
[4] IEEE 802.15.4z part 15.4z low-Rate wireless networks, IEEE Std 802.15.4–2020 (Revision of IEEE Std 802.15.4–2015), New York, 2020.
[5] M. Poturalski, M. Flury, P. Papadimitratos et al., “Distance bounding with ieee 802.15.4a: Attacks and countermeasures,” IEEE Trans. Wireless Commun. vol. 10, no. 4, pp. 1334–1344, Feb. 2011.
[6] M. Flury, M. Poturalski, P. Papadimitratos et al., “Effectiveness of distance-decreasing attacks against impulse radio ranging,” in Proc. 3rd ACM Conf. Wireless Netw. Secur., Mar. 2010, pp. 117–128.
[7] M. Singh, M. Roeschlin, E. Zalzala et al., “Security analysis of IEEE 802.15. 4z/HRP UWB time-of-flight distance measurement,” in Proc. 14th ACM Conf. Secur. Privacy Wireless Mobile Netw., June. 2021, pp. 227-237.
[8] P. Leu, G. Camurati, A. Heinrich et al., “Ghost peak: Practical distance reduction attacks against HRP UWB ranging,” in 31st USENIX Secur. Symp., BOSTON, MA, USA, Aug. 2022, pp. 1343-1359.
[9] C. Anliker, G. Camurati, S. Capkun, “Time for change: How clocks break UWB secure ranging,” in Proc. 32nd USENIX Secur. Symp., Aug. 2023, pp. 19-36.
[10] L. Botler, K. Diwold and K. Römer, “A UWB-based solution to the distance enlargement fraud using hybrid ToF and RSS measurements,” in Proc. 2021 IEEE 18th Int. Conf. Mobile Ad Hoc Smart Syst. (MASS), Denver, CO, USA, 2021, pp. 324-334.
[11] H. Chen and A. Dhekne, “Spoofing evident and spoofing deterrent localization using Ultrawideband (UWB) active–passive ranging,” in IEEE J. Indoor Seamless Positioning Navig., vol. 2, pp. 12-24, 2024.
[12] K. Kim, S. Lee, T. Yoo and H. Kim, “Vehicular localization framework with UWB and DAG-based distributed ledger for ensuring positioning accuracy and security,” in Electronics, vol. 12, no. 23, pp. 4756, 2023.
[13] M. Singh, “Securing distance measurement against physical layer attacks,” M.S. thesis, ETH Zurich., Zurich, Switzerland, 2021.
[14] K. Joo, D. H. Lee, Y. Jeong and W. Choi, “Protecting HRP UWB ranging system against distance reduction attacks,” in Proc. 2023 ACM SIGSAC Conf. Comput. Commun. Sec. (CCS), New York, NY, USA, 2023, pp. 622-635.
[15] Li Sun, “Integrity protection to support secure ranging in IR-UWB,” TG4ab (NG-UWB) 15-22-0072-02-04ab, Huawei Technologies Co., Ltd., Mar. 2022, https://mentor.ieee.org/802.15/dcn/22/15-22-0072-02-04ab-integrity-protection-to-support-secure-ranging-in-ir-uwb.pptx
[16] C. Wang, D. Wang, G. Xu and D. He, “Efficient privacy-preserving user authentication scheme with forward secrecy for industry 4.0,” Sci. China Inf. Sci., vol. 65, no. 1, pp. 192-206, 2022.
[17] S. T. -B. Hamida, J. -B. Pierrot, B. Denis, C. Castelluccia and B. Uguen, “On the security of UWB secret key generation methods against deterministic channel prediction attacks,” in Proc. 2012 IEEE Veh. Technol. Conf. (VTC Fall), Quebec City, QC, Canada, 2012, pp. 1-5.
[18] P. Peterseil, B. Etzlinger, R. Khanzadeh and A. Springer, “Trustworthiness score for UWB indoor localization,” in Proc. 2023 IEEE Global Commun. Conf. (GLOBECOM), Kuala Lumpur, Malaysia, 2023, pp. 189-194.
[19] Z. Xiao, Y. Zeng, “An overview on integrated localization and communication towards 6G,” Sci. China Inf. Sci., vol. 65, no. 3, pp. 5-50, 2022.
[20] M. Kolakowski, J. Modelski, “Detection of direct path component absence in NLOS UWB channel,” in 2018 22nd Int. Microw. Radar Conf. (MIKON), Poznan, Poland, May. 2018, pp. 247-250.
[21] D.Bank, N. Koenigstein, R. Giryes, “Autoencoders,” in Machine Learning for Data Science Handbook: Data Mining and Knowledge Discovery Handbook, 2023, pp.353-374.
[22] DecaWave. DW3000 USER MANUAL. (2019). [Online]. Available: https://www.qorvo.com/products/d/da008154