So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks

  • Jolyon Clulow
  • Gerhard P. Hancke
  • Markus G. Kuhn
  • Tyler Moore
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4357)


Distance-bounding protocols aim to prevent an adversary from pretending that two parties are physically closer than they really are. We show that proposed distance-bounding protocols of Hu, Perrig and Johnson (2003), Sastry, Shankar and Wagner (2003), and Čapkun and Hubaux (2005, 2006) are vulnerable to a guessing attack where the malicious prover preemptively transmits guessed values for a number of response bits. We also show that communication channels not optimized for minimal latency imperil the security of distance-bounding protocols. The attacker can exploit this to appear closer himself or to perform a relaying attack against other nodes. We describe attack strategies to achieve this, including optimizing the communication protocol stack, taking early decisions as to the value of received bits and modifying the waveform of transmitted bits. We consider applying distance-bounding protocols to constrained devices and evaluate existing proposals for distance bounding in ad hoc networks.


Wireless Network Wireless Sensor Network Receive Signal Strength Malicious Node Authentication Protocol 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Brands, S., Chaum, D.: Distance-bounding protocols (extended abstract). In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994)Google Scholar
  2. 2.
    Karl, H., Willig, A.: Protocols and Architectures for Wireless Sensor Networks. Wiley, Chichester (2005)CrossRefGoogle Scholar
  3. 3.
    Karp, B., Kung, H.T.: GPSR: greedy perimeter stateless routing for wireless networks. In: MOBICOM, pp. 243–254 (2000)Google Scholar
  4. 4.
    Hu, Y.C., Perrig, A., Johnson, D.B.: Packet leashes: A defense against wormhole attacks in wireless networks. In: INFOCOM (2003)Google Scholar
  5. 5.
    Hu, Y.C., Perrig, A., Johnson, D.B.: Rushing attacks and defense in wireless ad hoc network routing protocols. In: [22], pp. 30–40 (2003)Google Scholar
  6. 6.
    Karlof, C., Wagner, D.: Secure routing in wireless sensor networks: attacks and countermeasures. Ad Hoc Networks 1(2-3), 293–315 (2003)CrossRefGoogle Scholar
  7. 7.
    Čapkun, S., Buttyán, L., Hubaux, J.P.: SECTOR: secure tracking of node encounters in multi-hop wireless networks. In: Setia, S., Swarup, V. (eds.) SASN, pp. 21–32. ACM, New York (2003)Google Scholar
  8. 8.
    Werb, J., Lanzl, C.: Designing a positioning system for finding things and people indoors. IEEE Spectrum 35(9), 71–78 (1998)CrossRefGoogle Scholar
  9. 9.
    Bahl, P., Padmanabhan, V.: RADAR: An in-building RF-based user location and tracking system. In: Nineteenth Annual Joint Conference of the IEEE Computer and Communication Society, pp. 775–784. IEEE, Los Alamitos (2000)Google Scholar
  10. 10.
    Liu, D., Ning, P., Du, W.: Attack-resistant location estimation in sensor networks. In: IPSN, pp. 99–106. IEEE, Los Alamitos (2005)Google Scholar
  11. 11.
    Liu, D., Ning, P., Du, W.: Detecting malicious beacon nodes for secure location discovery in wireless sensor networks. In: ICDCS, pp. 609–619. IEEE Computer Society, Los Alamitos (2005)Google Scholar
  12. 12.
    Čapkun, S., Hubaux, J.P.: Secure positioning of wireless devices with application to sensor networks. In: INFOCOM (2005)Google Scholar
  13. 13.
    Čapkun, S., Hubaux, J.P.: Secure positioning in wireless networks. IEEE Journal on Selected Areas in Communications: Special Issue on Security in Wireless Ad Hoc Networks 24(2), 221–232 (2006)Google Scholar
  14. 14.
    Čapkun, S., Cagalj, M., Srivastava, M.: Securing localization with hidden and mobile base stations. Internet-draft, NESL, UCLA (2005)Google Scholar
  15. 15.
    Krumm, J., Horvitz, E.: LOCADIO: Inferring motion and location from Wi-Fi signal strengths. In: First Annual Internationl Conference on Mobile and Ubiquitous Systems: Networking and Services, pp. 4–13. IEEE, Los Alamitos (2004)CrossRefGoogle Scholar
  16. 16.
    Sastry, N., Shankar, U., Wagner, D.: Secure verification of location claims. In: [22], pp. 1–10 (2003)Google Scholar
  17. 17.
    Hancke, G.P., Kuhn, M.G.: An RFID distance bounding protocol. In: IEEE SecureComm 2005, Athens, Greece, pp. 67–73. IEEE Computer Society, Los Alamitos (2005)Google Scholar
  18. 18.
    Zetik, R., Sachs, J., Thome, R.: UWB localization – active and passive approach. In: 21st IEEE Instrumentation and Measurement Technology Conference, pp. 1005–1009. IEEE, Los Alamitos (2004)Google Scholar
  19. 19.
    Fontana, R.J., Richley, E., Barney, J.: Commercialization of an ultra wideband precision asset location system. In: Conference on Ultra Wideband Systems and Technologies, pp. 369–373. IEEE, Los Alamitos (2003)CrossRefGoogle Scholar
  20. 20.
    Ghavami, M., Micheal, L.B., Kohno, R.: Ultra Wideband Signals and Systems in Communication Engineering. Wiley, Chichester (2004)CrossRefGoogle Scholar
  21. 21.
    Ubisense: White papers and datasheets (2003–2006),
  22. 22.
    Maughan, W.D., Perrig, A. (eds.): Proceedings of the 2003 ACM Workshop on Wireless Security, San Diego, CA, USA, September 19 (2003), In: Maughan, W.D., Perrig, A. (eds.): Workshop on Wireless Security, ACM (2003)Google Scholar
  23. 23.

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Jolyon Clulow
    • 1
  • Gerhard P. Hancke
    • 1
  • Markus G. Kuhn
    • 1
  • Tyler Moore
    • 1
  1. 1.Computer LaboratoryUniversity of CambridgeCambridgeUnited Kingdom

Personalised recommendations