Wideband Radio Frequency (RF) applications have been developed that are capable of accurate distance measurement between two or more wireless devices. These measurements are based on Time-of-Flight (ToF) calculations which are derived by accurate determination of departure and arrival times of RF packets between two devices. RF packets travel at the speed of light and thus a calculated ToF allows determination of the distance between devices. Such a procedure is commonly called ‘Ranging’. One practical application of Ranging is ‘Distance Bounding’ whereby ToF calculations are used to verify whether the distance between two devices is less than a predefined threshold, such as used for automotive Passive Keyless Entry (PKE) systems and other access control systems, as well as for contactless electronic payment systems.
FIG. 1 illustrates the principle of calculating the ToF between two devices, A and B, using Time-of-Arrival (ToA) and Time-of-Departure (ToD) measurements for RF packets transmitted between them. The procedure starts with Device A transmitting a ‘Request’ packet to Device B with a measured ToD (ttodA). Upon receipt of the Request packet, Device B measures the ToA (ttoaB) and transmits a ‘Response’ packet back to Device A with a measured (or predetermined) ToD (ttodB). Upon receipt of the Response packet, Device A measures its ToA (ttoaA). From the measured (or otherwise derived) ToDs and ToAs, a roundtrip duration (Trtt = ttoaA − ttodA) and a response duration (Trsp = ttodB − ttoaB) can be calculated. The ToF between devices A and B may then be estimated from the roundtrip duration and the response duration: ToF = 0.5*(Trtt − Trsp).
In a multipath environment, the ToA of the most direct (shortest) path, i.e. the ‘Line-of-Sight’ (LoS) path, between the two devices should be measured and used for accurately calculating the distance between them. Accordingly, the first arriving path for the respective RF packet needs to be found. In order to enable a receiving device to identify the first arriving path for an RF packet, the receiving device derives a channel estimate describing the multipath environment. FIG. 2 illustrates an example of such a channel estimate, with the first non-zero tap, such as indicated at 200 in FIG. 2, typically representing the first path within the multipath environment between the two devices. Significantly, the LoS path signal may not be the strongest signal received by the receiver, for example when a blocking object is located directly between the transmitting device and the receiving device. As such, the tap 200 within the channel estimate representing the LoS path may not have the highest amplitude within the channel estimate, and selecting the strongest tap would yield a late ToA. Accordingly, the LoS path within a multipath environment is conventionally found by identifying the first non-zero tap (in practice, the first tap exceeding a noise threshold) within the channel estimate.
A receiving device is able to derive a channel estimate in relation to a transmitting device using known patterns within a received packet from the transmitting device. For example, in IR-UWB (Impulse Radio-Ultra-WideBand) systems, such as defined in IEEE 802.15.4, a preamble comprising repeating synchronisation symbols and a Start-of-Frame Delimiter (SFD) is placed in front of a payload segment. In IR-UWB receivers, the repeating synchronisation symbols within the preamble of a received packet are typically used to derive a channel estimate for the received packet.
However, conventional approaches to identifying the LoS path in a multipath environment are susceptible to ‘attacks’ that can result in a false ‘first’ path being detected, and thus an incorrect (early) ToA measurement being taken. One example of such an attack is known as the ‘Cicada’ attack, as described in “The Cicada Attack: Degradation and Denial of Service in IR Ranging”; Marcin Poturalski, Manuel Flury, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec; 2010 IEEE International Conference on Ultra-Wideband. A Cicada attack is employed by an ‘illegitimate’ transmitter blindly transmitting a sequence of pulses. If the adversarial pulse rate matches the symbol rate used by the receiver of the legitimate signal to derive its channel estimate, then the adversarial pulses will be accumulated into the channel estimate derived by the receiver in the same way as the legitimate symbols, and will thus affect it. Since these adversarial pulses are unsynchronised with the legitimate transmitted signal, they will be time-shifted randomly with respect to the symbols being transmitted within the legitimate signal. Accordingly, there is a likelihood that for some of the symbols transmitted within the legitimate signal the adversarial pulses will induce a sporadic illegitimate LoS path located ahead of the legitimate LoS path within the channel estimate derived by the receiving device, and thus cause a false first path to be detected and an early ToA measurement to be taken. The subsequent ToF calculation is then based on the early ToA measurement, so that a shortened ToF, and hence a shortened distance between the legitimate transmitter device and receiver device, is estimated. Since there is no synchronisation to the legitimate signal, the actual distance gain is hard to predict; however, in many scenarios the attacker does not need to succeed at the first attempt.
Significantly, the attacking device only requires knowledge of the symbol period used for deriving the channel estimate to employ the Cicada attack, information which is often publicly available, for example defined within standards.
A more sophisticated attack is described in “Effectiveness of Distance-Decreasing Attacks Against Impulse Radio Ranging”; Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves Le Boudec; 3rd ACM Conference on Wireless Network Security, 2010. In this attack, the attacking device synchronises to the legitimate signal first, and then transmits the adversarial sequence of pulses with a specific timing offset. In this manner, the attacking device is able to control the relative timing of the adversarial sequence of pulses with respect to the legitimate signal. As a result, the attacking device is able to control where the adversarial pulses will be located within the channel estimate derived by the receiving device, and thus control how much of a distance gain is achieved. Significantly, since the synchronisation symbols are in many cases used for deriving the channel estimate within a receiving device, the attacking device only requires knowledge of the synchronisation symbol pattern and symbol period to employ this second attack.
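The following simulation is an added example illustrating, in one model, the ranging exchange of FIG. 1, the first-path search in the channel estimate of FIG. 2, the blind Cicada attack and the synchronised distance-decreasing attack described above. It is not code from the patent or from the cited papers. Everything in it is a constructed assumption: 1 ns taps, a 1000 ns symbol period with one pulse per preamble symbol in place of the IEEE 802.15.4 preamble code, an ideal clock shared by both devices, a two-tap channel whose LoS tap is weaker than a later reflection, a noise-floor threshold for leading-edge detection, and an attacker whose pulse period exactly matches the symbol period so that its pulses accumulate into the channel estimate as one extra tap at an unknown phase.

```python
"""Added example: IR-UWB two-way ranging, leading-edge first-path detection and the
two distance-decreasing attacks above. A constructed model, not code from the patent
or the cited papers. Assumptions: 1 ns taps, one pulse per preamble symbol instead of
the 802.15.4 preamble code, an ideal shared clock, a two-tap channel, and an attacker
whose pulse period exactly matches the symbol period."""
import random

C_M_PER_NS = 0.299792458   # speed of light, metres per nanosecond
SYMBOL_NS = 1000           # assumed preamble symbol period, in 1 ns taps
N_SYMBOLS = 16             # symbols averaged into the channel estimate
NOISE_SIGMA = 0.05         # per-sample receiver noise (constructed)
TURNAROUND_NS = 500        # Device B's response delay ttodB - ttoaB (constructed)
LOS_DELAY_NS = 100         # true one-way propagation delay, about 29.98 m
# Constructed channel (delay ns, amplitude): LoS weaker than a later reflection.
CHANNEL = [(LOS_DELAY_NS, 0.3), (LOS_DELAY_NS + 15, 1.0)]
ATTACK_AMPLITUDE = 0.5     # adversary pulse amplitude as seen by the receiver


def synthesize_rx(seed=1, adversary_offset=None):
    """Receiver sample buffer over N_SYMBOLS symbols. The buffer starts when the
    transmitter starts a symbol, so a tap at delay d lands at index d of every
    period. The adversary, if present, adds one pulse per period at a phase
    (adversary_offset) it does not know relative to the legitimate symbols."""
    rng = random.Random(seed)
    rx = [rng.gauss(0.0, NOISE_SIGMA) for _ in range(N_SYMBOLS * SYMBOL_NS)]
    for k in range(N_SYMBOLS):
        base = k * SYMBOL_NS
        for delay, amp in CHANNEL:
            rx[base + delay] += amp
        if adversary_offset is not None:
            rx[base + adversary_offset % SYMBOL_NS] += ATTACK_AMPLITUDE
    return rx


def channel_estimate(rx):
    """Coherent average over the repeating symbols: one tap per nanosecond."""
    cir = [0.0] * SYMBOL_NS
    for k in range(N_SYMBOLS):
        base = k * SYMBOL_NS
        for t in range(SYMBOL_NS):
            cir[t] += rx[base + t]
    return [v / N_SYMBOLS for v in cir]


def strongest_path_index(cir):
    """The tap a naive receiver would pick; late when the LoS is attenuated."""
    return max(range(len(cir)), key=lambda t: abs(cir[t]))


def first_path_index(cir, floor_multiple=12.0):
    """Leading-edge detection: first tap above a multiple of the noise floor, which
    is estimated from the median tap magnitude (assumption). Any adversarial tap
    above the threshold that lands before the LoS tap is accepted as first path."""
    threshold = floor_multiple * sorted(abs(v) for v in cir)[len(cir) // 2]
    for t, v in enumerate(cir):
        if abs(v) >= threshold:
            return t
    raise ValueError("no path above threshold")


def two_way_tof(ttod_a, ttoa_b, ttod_b, ttoa_a):
    """ToF = 0.5*(Trtt - Trsp), Trtt = ttoaA - ttodA, Trsp = ttodB - ttoaB."""
    return 0.5 * ((ttoa_a - ttod_a) - (ttod_b - ttoa_b))


def ranging_exchange(adversary_offset=None, seed=1):
    """One Request/Response exchange. B timestamps the Request exactly; A takes the
    Response ToA from its (possibly polluted) channel estimate, its sample buffer
    starting at ttodB. Returns (estimated distance in metres, detected first tap)."""
    ttod_a = 0
    ttoa_b = ttod_a + LOS_DELAY_NS
    ttod_b = ttoa_b + TURNAROUND_NS
    tap = first_path_index(channel_estimate(synthesize_rx(seed, adversary_offset)))
    ttoa_a = ttod_b + tap
    return C_M_PER_NS * two_way_tof(ttod_a, ttoa_b, ttod_b, ttoa_a), tap


def cicada_trials(n_trials, seed=7):
    """Blind Cicada attacker: matching pulse period, random phase on every attempt.
    Returns (offset, estimated distance in metres) per attempt."""
    rng = random.Random(seed)
    offsets = [rng.randrange(SYMBOL_NS) for _ in range(n_trials)]
    return [(o, ranging_exchange(o, seed=seed + i)[0]) for i, o in enumerate(offsets)]


def synchronised_offset(target_gain_m):
    """Synchronised attacker picks the phase: a ToA early by delta ns at A shortens
    the ToF by delta/2 and the distance by c*delta/2, so delta = 2*gain/c."""
    return LOS_DELAY_NS - round(2.0 * target_gain_m / C_M_PER_NS)


if __name__ == "__main__":
    honest_m, honest_tap = ranging_exchange()
    print(f"honest: {honest_m:.2f} m (first tap {honest_tap} ns, strongest tap"
          f" {strongest_path_index(channel_estimate(synthesize_rx()))} ns)")
    gains = [honest_m - d for _, d in cicada_trials(100) if d < honest_m - 1e-9]
    print(f"Cicada: {len(gains)}/100 attempts shortened the range,"
          f" best gain {max(gains, default=0.0):.2f} m")
    off = synchronised_offset(9.0)
    print(f"synchronised attack at offset {off} ns: {ranging_exchange(off)[0]:.2f} m")
```

In the unattacked exchange the strongest tap sits at 115 ns while the first tap above the noise floor sits at 100 ns, which is why ranging uses leading-edge detection. The blind attacker's tap lands at a uniformly random phase, so in this model it precedes the LoS tap in roughly LOS_DELAY_NS/SYMBOL_NS of attempts (about 10 %), and the gain per successful attempt is c*(100 − offset)/2, which the attacker cannot choose. The synchronised attacker computes the offset for a wanted gain directly: 9 m requires the Response ToA to be 60 ns early, i.e. a pulse at offset 40 ns.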