Paper 2017/591

On the Security of Carrier Phase-based Ranging

Hildur Olafsdottir, Aanjhan Ranganathan, and Srdjan Capkun


Multicarrier phase-based ranging is fast emerging as a cost-optimized solution for a wide variety of proximity-based applications due to its low power requirement, low hardware complexity and compatibility with existing standards such as ZigBee and 6LoWPAN. Given potentially critical nature of the applications in which phase-based ranging can be deployed (e.g., access control, asset tracking), it is important to evaluate its security guarantees. Therefore, in this work, we investigate the security of multicarrier phase-based ranging systems and specifically focus on distance decreasing relay attacks that have proven detrimental to the security of proximity-based access control systems (e.g., vehicular passive keyless entry and start systems). We show that phase-based ranging, as well as its implementations, are vulnerable to a variety of distance reduction attacks. We describe different attack realizations and verify their feasibility by simulations and experiments on a commercial ranging system. Specifically, we successfully reduced the estimated range to less than 3 m even though the devices were more than 50 m apart. We discuss possible countermeasures against such attacks and illustrate their limitations, therefore demonstrating that phase-based ranging cannot be fully secured against distance decreasing attacks.

Available format(s)
Publication info
Published by the IACR in CHES 2017
secure rangingproximity
Contact author(s)
ohildur @ inf ethz ch
raanjhan @ inf ethz ch
capkuns @ inf ethz ch
2017-06-21: received
Short URL
Creative Commons Attribution


      author = {Hildur Olafsdottir and Aanjhan Ranganathan and Srdjan Capkun},
      title = {On the Security of Carrier Phase-based Ranging},
      howpublished = {Cryptology ePrint Archive, Paper 2017/591},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.