At Black Hat 2022, security researchers showed off a new attack that goes after tracking systems built on ultra-wideband (UWB) radio technology. They were able to stalk these tracking devices without their target’s knowledge, and even make targets appear to move at their attackers’ will.
A key use of UWB is real-time locating systems (RTLS), where a series of transceiver stations called anchors track the location of small, wearable devices called tags in a specific area, in real-time. This has a number of applications, from simple tasks like tracking personal items to high-stakes scenarios like infectious disease contact-tracing and factory safety mechanisms.
“Security flaws in this technology, especially in industrial environments, can be deadly,” says Nozomi Networks Security Research Evangelist Roya Gordon.
You may not be familiar with UWB, but it’s familiar with you. Apple has integrated it into mobile devices starting with the iPhone 11, as well as modern Apple Watches, HomePods, and AirTags. It’s also being used in large-scale infrastructure projects, like the effort to drag the New York City Subway signaling system into the 21st century.
Although Apple AirTags use UWB, the systems the team looked at were markedly different.
Standard Loopholes
What’s the problem with UWB RTLS? Although there is an IEEE standard for RTLS, it doesn’t cover the synchronization or exchange of data, the research team explains. Lacking a required standard, it’s up to individual vendors to figure out those issues, which creates opportunities for exploitation.
In its work, the team procured two off-the-shelf UWB RTLS systems: the Sewio Indoor Tracking RTLS UWB Wi-Fi Kit, and the Avalue Renity Artemis Enterprise Kit. Instead of focusing on tag-to-anchor communication, the Nozomi Networks team looked at communications between the anchors and the server where all the computation happens.
The team’s goal was to intercept and manipulate the location data, but to do that, they first needed to know the precise location of each anchor. That’s easy if you can see the anchors, but much harder if they’re hidden or you don’t have physical access to the space. But Andrea Palanca, Security Researcher at Nozomi Networks, found a way.
The anchors could be detected by measuring the power output of their signals, and the precise center of the space found by watching for when all the anchors detect identical signal data for a single tag. Since RTLS systems require the anchors to be arranged to form a square or rectangle, some simple geometry can pinpoint the anchors.
But an attacker wouldn’t even need pinpoint precision; anchor positions can be off by 10% and still function, Lever says.
Attacking RTLS
With all the pieces in place, the team showed off their location-spoofing attacks in a series of demos. First, they showed how to track targets using existing RTLS systems. We’ve already seen mounting concern over malicious uses of AirTags, where a bad guy tracks a person by hiding an AirTag on them. In this attack, the team didn’t need to hide a device, they simply tracked the tag that their target already used.
They also demonstrated how spoofing a tag’s movements in a COVID-19 contact-tracing scenario could create a false exposure alert, or prevent the system from detecting an exposure.
Another demo used a manufacturing facility mockup, where RTLS data was used to shut down machines so a worker could enter safely. By messing with the data, the team was able to stop production at the faux factory by tricking the system into thinking a worker was nearby. The opposite could be more dire. By making it seem as if the worker had left the area when they were actually still there, the machine could be reactivated and potentially injure the worker.
Practical Complications
The good news for owners of these systems is that these attacks aren’t easy. To pull it off, Luca Cremona, a Security Researcher at Nozomi Networks, first had to compromise a computer inside the target network, or add a rogue device to the network by hacking the Wi-Fi. If a bad guy can get that kind of access, you’ve got a lot of problems already.
Unfortunately, the team didn’t have any easy answers for securing RTLS in general. They kludged data encryption onto an RTLS system, but found that it created so much latency as to make the system unusable for real-time tracking.
The best solution the team presented was for the IEEE standard to be revised to cover the synchronization and exchange of data, requiring manufacturers to meet standards that could prevent RTLS attacks like this.
“We can’t afford to have those loopholes in standards,” Gordon says.
Keep reading PCMag for the latest from BlackHatBlackHat.
.