UWBAD: Towards Effective and Imperceptible Jamming Attacks Against UWB Ranging Systems with COTS Chips

Yuqiao Yang, Zhongjie Wu, Yongzhao Zhang, Ting Chen, Jun Li, Jie Yang, Wenhao Liu, Xiaosong Zhang, Ruicong Shi, Jingwei Li, Yu Jiang, Zhuo Su

TL;DR

This work reveals a practical vulnerability in HRP UWB ranging by exploiting the NCC-based packet detection used for ToF estimation. The authors implement UWBAD on COTS UWB chips to perform reactive, field-level jamming that selectively blocks ranging sessions without revealing the attack, effectively preventing distance updates. Through hardware experiments and three real-world case studies (asset tracking, indoor localization, and PKES), they demonstrate robust, targeted disruption of commercial UWB devices from Apple, NXP, and Qorvo, triggering industry security responses. The findings underscore a tangible security risk for UWB-enabled systems and motivate countermeasures such as randomizing ranging timing and reinforcing PKES control logic, with implications for current and forthcoming 4z/4ab standards.

Abstract

UWB ranging systems have been adopted in many critical and security-sensitive applications due to their precise positioning and secure ranging capabilities. We present a practical jamming attack, UWBAD, against commercial UWB ranging systems. It exploits a vulnerability arising from the use of the normalized cross-correlation process in UWB ranging and can selectively and quickly block ranging sessions without prior knowledge of the victim devices' configuration, potentially leading to severe consequences such as property loss, unauthorized access, or vehicle theft. UWBAD achieves more effective and less perceptible jamming because: (i) it efficiently blocks every ranging session by leveraging field-level jamming, thereby exerting a tangible impact on commercial UWB ranging systems, and (ii) its compact, reactive, and selective system design is based on COTS UWB chips, making it affordable and less perceptible. We successfully conducted real attacks against commercial UWB ranging systems from the three largest UWB chip vendors on the market, namely Apple, NXP, and Qorvo. We reported our findings to Apple, the related Original Equipment Manufacturers (OEMs), and the Automotive Security Research Group, triggering internal security incident response procedures at Volkswagen, Audi, Bosch, and NXP. As of the writing of this paper, the related OEM has acknowledged this vulnerability in their automotive systems and has offered a $5,000 reward as a bounty.

Paper Structure (34 sections, 8 equations, 16 figures, 1 table)

Figures (16)

  • Figure 1: Attack scenarios of UWBAD. (a) Asset Tracking: An adversary can fail the UWB ranging between an iPhone and the wallet (attached with an AirTag) and easily steal the wallet, while the other iPhone-AirTag pair remains unaffected. (b) Indoor Localization: An adversary wearing a non-removable localization tag can freely enter or leave the restricted areas with UWBAD. (c) Vehicle Theft: The adversary disrupts the ranging process of a passive keyless entry and start (PKES) system of vehicles, such that the car believes that the key fob is still around, even when the user has walked a long distance.
  • Figure 2: Double-sided two-way ranging (DS-TWR).
  • Figure 3: An example of UWB HRP packet configuration.
  • Figure 4: Injecting interference signal with larger power will significantly reduce the peak value of CIR estimated from the SYNC field, which may cause the ranging system to drop the current packet since the CIR peak is below the threshold.
  • Figure 5: Attack packet with amplified power in the SYNC field. The attack packet and legitimate ranging packet should be aligned in time for jamming attack.
  • ...and 11 more figures
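The mechanism behind the TL;DR and the Figure 4 caption (a stronger, time-aligned interferer collapses the normalized cross-correlation peak that SYNC detection relies on) as an added toy simulation that is not part of the paper. The 7-chip Barker code, the interferer pattern, the padding and the 0.6 threshold are all constructed for the demo; real HRP preambles are longer ternary codes and real receivers work on complex baseband samples.

```python
# Toy model of NCC-based preamble (SYNC) detection under an aligned,
# higher-power interferer. Constructed example: Barker-7 stands in for an
# IEEE 802.15.4z ternary preamble code; the interferer chips are arbitrary.
import math

PREAMBLE = [1, 1, 1, -1, -1, 1, -1]        # constructed template (Barker-7)
INTERFERER = [1, -1, 1, 1, -1, -1, -1]     # constructed jammer chip pattern
PAD = 3                                    # idle chips before/after the SYNC field
THRESHOLD = 0.6                            # constructed detection threshold

def ncc(rx, template):
    """Normalized cross-correlation of every rx window against the template."""
    n = len(template)
    t_norm = math.sqrt(sum(t * t for t in template))
    values = []
    for lag in range(len(rx) - n + 1):
        window = rx[lag:lag + n]
        dot = sum(w * t for w, t in zip(window, template))
        w_norm = math.sqrt(sum(w * w for w in window))
        values.append(dot / (w_norm * t_norm) if w_norm > 0 else 0.0)
    return values

def received(interferer_amp):
    """SYNC field with idle chips around it, plus an aligned interferer (Figure 5 timing)."""
    sync = [s + interferer_amp * r for s, r in zip(PREAMBLE, INTERFERER)]
    return [0] * PAD + sync + [0] * PAD

def detect(rx, template=PREAMBLE, threshold=THRESHOLD):
    """Return (peak NCC, lag of the peak, packet accepted?)."""
    values = ncc(rx, template)
    peak = max(values)
    return peak, values.index(peak), peak >= threshold

def window_energy(rx, lag, n=len(PREAMBLE)):
    """Raw energy of the window at `lag`; it rises under jamming while the NCC peak falls."""
    return sum(w * w for w in rx[lag:lag + n])

def peak_sweep(amplitudes=(0, 1, 2, 3, 5)):
    """Peak NCC the receiver sees for each interferer amplitude (0 = no jamming)."""
    return {a: detect(received(a))[0] for a in amplitudes}

if __name__ == "__main__":
    for amp, peak in peak_sweep().items():
        verdict = "packet detected" if peak >= THRESHOLD else "packet dropped"
        energy = window_energy(received(amp), PAD)
        print(f"amplitude {amp}: peak NCC {peak:.3f}, SYNC energy {energy:>3} -> {verdict}")
```

The energy column is the defender-side observation: a window whose raw energy jumps while its normalized correlation collapses looks like interference, not like an absent packet, which is a different signature from a simple range timeout.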