Security Analysis of Time-of-Arrival Estimation via Cross-Correlation under Narrow-Band Conditions
Claudio Anliker, Daniele Coppola, Giovanni Camurati, Srdjan Čapkun

TL;DR
This paper introduces two novel, symbol-agnostic attacks that compromise narrowband ToA estimation via cross-correlation, demonstrating significant distance reduction and practical implementation feasibility.
Contribution
It presents two new attacks on narrowband ToA estimation that do not require real-time symbol detection, expanding understanding of system vulnerabilities.
Findings
Attacks can reduce estimated distance by up to 18 meters.
Prototypes confirm the practical feasibility of NGD-based attack methods.
Simulations show effectiveness against Bluetooth Channel Sounding RTT ranging.
Abstract
Time-of-arrival (ToA) estimation via cross-correlation is an essential building block of time-of-flight ranging. However, in narrowband systems, it is notoriously difficult to protect against distance-decreasing attacks such as Early-Detect/Late-Commit (ED/LC). We present and analyze two new attacks that reshape ranging signals to compromise correlation-based ToA estimation. The first attack multiplies the signal by a symbol-periodic waveform in the time domain, while the second passes it through a negative group delay (NGD) filter. In contrast to ED/LC, our attacks do not require real-time symbol detection or adaptive compensation; they are completely symbol-agnostic. We describe implementation strategies for both attacks and discuss NGD filtering in the context of Bluetooth Channel Sounding (CS), a recent narrowband ranging system. To this end, we simulate an NGD circuit in LTspice…
