Security analysis of IEEE 802.15.4z/HRP UWB time-of-flight distance measurement

Abstract

IEEE 802.15.4z, a standard for Ultra-Wide Band (UWB) secure distance measurement, was adopted in 2020 and the chips that implement this standard are already deployed in mobile phones and in the automotive industry (for Passive Keyless Entry and Start). The standard specifies two different modes - -LRP and HRP. Whereas the security of LRP mode has been analyzed, there is no publicly available security analysis of the HRP mode, which is used in different chips like NXP Trimension SR150/SR040, Samsung smartphones, and U1 chip deployed in Apple iPhones. In this work, we perform the first open analysis of the 802.15.4z HRP mode. Our analysis reviews possible attacks on HRP and assesses strategies that an HRP receiver could implement. We show that in realistic deployments, despite countermeasures, HRP is hard to configure to be both performant and secure. If a distance missdetection rate is set to less than 10% (in benign scenarios), the probability of a successful distance shortening attacks ranges from 7% to over 90%.