CR · May 11

Security Analysis of Time-of-Arrival Estimation via Cross-Correlation under Narrow-Band Conditions

arXiv:2605.106322.7
AI Analysis

The paper identifies distance-reduction vulnerabilities in narrowband ranging systems such as Bluetooth Channel Sounding (CS), whose resistance to such attacks matters for any application that relies on secure distance bounding.

The paper presents two new attacks on cross-correlation-based time-of-arrival estimation in narrowband systems, demonstrating distance reductions of up to 18 m against Bluetooth Channel Sounding RTT ranging via a negative group delay filter attack.

Time-of-arrival (ToA) estimation via cross-correlation is an essential building block of time-of-flight ranging. However, in narrowband systems, it is notoriously difficult to protect against distance-decreasing attacks such as Early-Detect/Late-Commit (ED/LC). We present and analyze two new attacks that reshape ranging signals to compromise correlation-based ToA estimation. The first attack multiplies the signal by a symbol-periodic waveform in the time domain, while the second passes it through a negative group delay (NGD) filter. In contrast to ED/LC, our attacks do not require real-time symbol detection or adaptive compensation; they are completely symbol-agnostic. We describe implementation strategies for both attacks and discuss NGD filtering in the context of Bluetooth Channel Sounding (CS), a recent narrowband ranging system. To this end, we simulate an NGD circuit in LTspice and a ToA estimator in MATLAB, demonstrating that the attack can result in distance reductions of up to 18 m against Bluetooth CS RTT ranging. Finally, we verify the feasibility of the NGD approach by building a prototype using commercial off-the-shelf components.
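The following script is an added illustration of the mechanism the abstract describes; it is not code from the paper, and it does not reproduce the authors' LTspice circuit or MATLAB estimator. It builds a toy narrowband ranging signal, a cross-correlation ToA estimator, and the simplest symbol-agnostic negative-group-delay filter, the first-order FIR y[n] = x[n] + α(x[n] − x[n−1]), whose low-frequency group delay is −α samples. Every numeric choice (16 samples per symbol, a Gaussian pulse, α = 2, a 40-sample propagation delay, a seeded random bit sequence, and a 16 MHz sample rate for the metre conversion) is an assumption made for the demo, not a value from the paper.

```python
"""Toy model of cross-correlation ToA estimation and a symbol-agnostic
negative-group-delay (NGD) filter attack. All parameters below are
assumptions for illustration, not values from the paper."""
import numpy as np

C_LIGHT = 299_792_458.0   # speed of light, m/s
SPS = 16                  # samples per symbol (assumed)
PULSE_SIGMA = 6.0         # Gaussian pulse width in samples (assumed; keeps the signal narrowband)


def gaussian_pulse(sigma=PULSE_SIGMA):
    """Unit-area Gaussian pulse truncated at +-3 sigma."""
    n = np.arange(-int(3 * sigma), int(3 * sigma) + 1)
    g = np.exp(-0.5 * (n / sigma) ** 2)
    return g / g.sum()


def ranging_signal(bits, sps=SPS):
    """Map bits to +-1 symbols, upsample, and shape with the Gaussian pulse."""
    symbols = 2.0 * np.asarray(bits, dtype=float) - 1.0
    impulses = np.zeros(len(symbols) * sps)
    impulses[::sps] = symbols
    return np.convolve(impulses, gaussian_pulse(), mode="same")


def channel_delay(signal, delay):
    """Ideal channel: integer-sample propagation delay with zero padding on both sides."""
    pad = np.zeros(delay)
    return np.concatenate([pad, signal, pad])


def ngd_filter(x, alpha):
    """First-order FIR  y[n] = x[n] + alpha * (x[n] - x[n-1]).

    H(w) = 1 + alpha * (1 - exp(-jw)) ~ 1 + j*alpha*w for small w, so the
    low-frequency group delay is about -alpha samples: for a slowly varying
    input the output approximates x[n + alpha] by first-order extrapolation.
    The filter is causal, linear and time-invariant, so it needs no symbol
    decisions; that is the symbol-agnostic property the attack relies on.
    """
    y = np.empty_like(x)
    y[0] = (1.0 + alpha) * x[0]
    y[1:] = (1.0 + alpha) * x[1:] - alpha * x[:-1]
    return y


def ngd_group_delay(alpha, w, dw=1e-4):
    """Numerical group delay -d(arg H)/dw of the filter above at w rad/sample."""
    def phase(omega):
        h = 1.0 + alpha * (1.0 - np.exp(-1j * omega))
        return np.angle(h)
    return -(phase(w + dw) - phase(w - dw)) / (2.0 * dw)


def estimate_toa(received, template):
    """Cross-correlation ToA estimator: lag (in samples) of the correlation peak."""
    corr = np.correlate(received, template, mode="full")
    return int(np.argmax(corr)) - (len(template) - 1)


def distance_reduction_m(advance_samples, fs, legs_attacked=2):
    """Distance reduction for an RTT scheme (distance = c * RTT / 2) when each
    attacked leg of the exchange is advanced by advance_samples at rate fs."""
    return C_LIGHT * (advance_samples / fs) * legs_attacked / 2.0


def run_demo(alpha=2.0, delay=40, n_bits=64, seed=1):
    """Compare the ToA estimate with and without the attacker's inline NGD filter."""
    rng = np.random.default_rng(seed)
    bits = rng.integers(0, 2, n_bits)           # constructed ranging sequence
    template = ranging_signal(bits)             # what the receiver correlates against
    rx_clean = channel_delay(template, delay)
    rx_attacked = ngd_filter(rx_clean, alpha)   # attacker reshapes the signal in flight
    toa_clean = estimate_toa(rx_clean, template)
    toa_attacked = estimate_toa(rx_attacked, template)
    return {
        "toa_clean": toa_clean,
        "toa_attacked": toa_attacked,
        "advance_samples": toa_clean - toa_attacked,
    }


if __name__ == "__main__":
    r = run_demo()
    fs = SPS * 1e6   # assumed 1 Msym/s symbol rate with 16x oversampling -> 16 MHz
    print(r, "->", round(distance_reduction_m(r["advance_samples"], fs), 1), "m reduction")
```

With the assumed parameters the clean estimate recovers the true delay exactly (an autocorrelation peaks at zero lag), while the filtered copy correlates to a peak roughly α samples early; the exact advance is a sample or so either side of α because the first-order extrapolation is only accurate while the pulse varies slowly over α samples, which is why the attack is specific to narrowband signals. At 16 MHz a two-sample advance is 125 ns, or about 37 m on an RTT measurement when both legs pass through the filter. The 18 m figure in the abstract comes from the authors' own Bluetooth CS simulation, not from this toy.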

