SWRA791 February 2024 CC2340R5, CC2340R5-Q1


Contents
  Abstract
  Trademarks
  1 Introduction
  2 Basics of Bluetooth Channel Sounding
  3 Bluetooth Channel Sounding Procedure
  4 Bluetooth Channel Sounding Flow for Phase-Based Ranging
  5 Channel Sounding Security
  6 Summary
  7 References
  Appendix A: Basics of Phase Based Ranging and Multi-Carrier Phase Ranging

Channel Sounding Security

The Bluetooth Channel Sounding draft specification adds several security features that either detect or prevent an attack which manipulates the ranging procedure to make the distance between two valid CS devices appear shorter than it actually is. Refer to the Channel Sounding draft specification for the full list of security features.

PBR procedures used for distance estimation can be attacked with man-in-the-middle techniques that delay or manipulate the phase of the ongoing signal transmissions so that a shorter distance is measured between the two valid devices. To mitigate these attacks, the Bluetooth CS specification specifies random frequency hopping during PBR and additionally adds round trip time (RTT) measurements, a second, independent ranging measurement between the two devices. Since the maximum unambiguous measurable distance for PBR with 1 MHz frequency hops is 150 m (see Equation 1 for the calculation), the RTT time-of-flight measurements, although not as accurate as the CS PBR mechanism, are still a viable option to identify roll-over attacks.

Note:

The maximum measurable distance using PBR depends on the maximum measurable phase difference between the two frequency signals. With the maximum phase difference between any two tones being $2\pi$ and the CS tones being 1 MHz apart, the maximum measurable distance $d_{max}$ is given by:

Equation 1. $d_{max} = \frac{c}{4\pi} \times \frac{\Delta\theta_{max}}{\Delta f} = 150\,\text{m}$

The distance estimation using RTT time-of-flight measurements is as shown in Figure 5-1.

[Figure] Figure 5-1. Time of Arrival (ToA), Time of Departure (ToD), and Time of Flight (ToF) for RTT Estimation

RTT packets are exchanged between the initiator and the reflector. The time of departure (ToD) and time of arrival (ToA) of these RTT packets at both the initiator and the reflector are used to estimate the time-of-flight. CS step modes 1 and 3 allow for RTT packet exchanges.

The Bluetooth CS specification also supports RTT packets that carry a random sequence known only to the initiator and the reflector, which makes it possible to measure the difference between the received GFSK-modulated packet and the expected (reference) packet signal. This measurement is reported as the normalized attack detector metric (NADM), a range that indicates whether there is an increased or decreased likelihood that a man-in-the-middle attacker is relaying the RTT packets and manipulating the signal to appear earlier in order to perform ECLD (early commit, late detect) and EDLC (early detect, late commit) types of attack. NADM algorithms determine the NADM value for the received RTT packets in each CS device on both sides of the link. The definition and implementation of the NADM algorithm are beyond the scope of the Bluetooth CS specification.
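The following Python model, added here as an illustration and not code from the application note or from TI's CS stack, works through Equation 1, the RTT time-of-flight estimate of Figure 5-1, and how a coarse RTT result resolves the PBR roll-over that would otherwise let a relayed signal appear closer than 150 m. It assumes a speed of light rounded to 3.0e8 m/s (so Equation 1 gives exactly 150 m), constructed timestamps, and a caller-supplied RTT tolerance; the combination rule `resolve_distance` is a simple hypothetical check, not the specification's algorithm.

```python
import math

# Speed of light rounded to 3.0e8 m/s so that Equation 1 yields exactly 150 m (assumption).
C = 3.0e8


def pbr_max_unambiguous_distance(delta_f_hz):
    """Equation 1: d_max = c/(4*pi) * (delta_theta_max / delta_f), delta_theta_max = 2*pi."""
    return C / (4 * math.pi) * (2 * math.pi / delta_f_hz)


def pbr_phase_difference(true_distance_m, delta_f_hz):
    """Round-trip phase difference between two CS tones delta_f apart, wrapped to [0, 2*pi).
    The wrap is why PBR alone cannot tell d from d + k*d_max (the roll-over)."""
    return (4 * math.pi * delta_f_hz * true_distance_m / C) % (2 * math.pi)


def pbr_distance(delta_theta_rad, delta_f_hz):
    """Equation 1 applied to an arbitrary measured phase difference."""
    return C / (4 * math.pi) * (delta_theta_rad / delta_f_hz)


def rtt_distance(tod_initiator_s, toa_reflector_s, tod_reflector_s, toa_initiator_s):
    """Figure 5-1: time of flight from the four RTT timestamps,
    (initiator round trip - reflector turnaround) / 2, scaled by c."""
    round_trip_s = toa_initiator_s - tod_initiator_s
    turnaround_s = tod_reflector_s - toa_reflector_s
    return C * (round_trip_s - turnaround_s) / 2


def resolve_distance(pbr_d_m, rtt_d_m, d_max_m, rtt_tolerance_m):
    """Hypothetical combination rule: use the coarse RTT estimate to pick how many
    d_max intervals the fine but ambiguous PBR estimate has rolled over.
    Returns (unwrapped_distance_m, wraps, consistent):
      wraps      - number of d_max intervals RTT says PBR wrapped (>0 means PBR
                   alone would have under-reported the range)
      consistent - False when no integer number of wraps brings PBR within the
                   RTT tolerance, i.e. the two ranging methods disagree."""
    wraps = max(0, round((rtt_d_m - pbr_d_m) / d_max_m))
    unwrapped = pbr_d_m + wraps * d_max_m
    consistent = abs(unwrapped - rtt_d_m) <= rtt_tolerance_m
    return unwrapped, wraps, consistent
```

With a true separation of 160 m and 1 MHz hops, the PBR phase wraps and reports 10 m, while the RTT timestamps give 160 m; `resolve_distance` then returns 160 m with one wrap, so the under-reported PBR value is never used on its own.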