UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice

Presented at Black Hat USA 2022, Aug. 10, 2022, 4:20 p.m. (40 minutes)

Ultra-wideband (UWB) is a rapidly growing radio technology that, according to the UWB Alliance, is forecast to drive sales volumes exceeding one billion devices annually by 2025. Among its current applications, off-the-shelf Real Time Locating Systems (RTLS) employ UWB to provide localization solutions for a wide set of use cases (e.g., medical patient location tracking, safety geofencing, asset monitoring, and contact tracing).

The security of UWB wireless communications has recently been strengthened by the Institute of Electrical and Electronics Engineers (IEEE) 802.15.4z amendment. However, critical phases of the RTLS process are handled by obscure network protocols that are not regulated by standards, leaving the responsibility for their design and implementation to the vendors.

In an effort to strengthen the security of devices utilizing UWB, Nozomi Networks Labs conducted a security assessment of two popular UWB RTLS solutions available on the market. Our research reveals 0-day vulnerabilities and other weaknesses that, if exploited, could allow an attacker to gain full access to all sensitive location data exchanged over the air.

In this presentation, we will demonstrate how an attacker may exploit RTLS to locate and target people, hinder safety geofencing rules, and interfere with contact tracing, as well as present key actions to help mitigate these weaknesses to secure UWB RTLS from potential cyber attacks.


Presenters:

  • Roya Gordon - Security Research Evangelist, Nozomi Networks
    Roya Gordon is a Security Research Evangelist at Nozomi Networks, where she provides insights for OT and IoT security solutions. Prior to Nozomi, Roya worked as the Cyber Threat Intelligence SME for OT and Critical Infrastructure at Accenture, a Control Systems Cybersecurity Analyst at Idaho National Laboratory, and as an Intelligence Specialist in the United States Navy. She holds a Master's in Global Affairs with a focus on cyberwarfare from Florida International University (FIU).
  • Luca Cremona - Security Researcher, Nozomi Networks
    Luca Cremona received his PhD in 2021 from the Computer Science department of Politecnico di Milano. The main research fields of his PhD include RTL design for secure and power-aware SoCs, with a particular emphasis on Side Channel Attack countermeasures. He's currently a security researcher at Nozomi Networks, working on reverse engineering and hardware hacking topics.
  • Andrea Palanca - Security Researcher, Nozomi Networks
    Andrea Palanca is a Nozomi Networks security researcher, with a background in penetration testing of enterprise web applications and commercial network devices. He is the first author of "A Stealth, Selective, Link-Layer Denial-of-Service Attack Against Automotive Networks", which unveiled a novel way to exploit a design-level vulnerability affecting the CAN bus standard.
