Secure Wi-Fi Ranging Today: Security and Adoption of IEEE 802.11az/bk

Nikola Antonijević, Bernhard Etzlinger, Dave Singelée, Bart Preneel

Abstract

Ranging and localisation have become critical for many applications and services. The Wi-Fi (IEEE 802.11) standard is a natural candidate for providing these functions across diverse environments, given its widespread deployment. The IEEE 802.11az amendment, finalised in 2023, introduces "Next Generation Positioning" mechanisms to secure and harden the existing insecure Wi-Fi Fine Timing Measurement (FTM) ranging solution. Moreover, the recent IEEE 802.11bk amendment increases the available bandwidth with the goal of approaching the centimetre-level ranging accuracy of ultra-wideband (UWB) systems. This paper examines to what extent these promises hold from a security and deployability perspective. We analyse the core mechanisms of secure Wi-Fi ranging as defined in IEEE 802.11az and IEEE 802.11bk at both the logical and physical layers, combining standards analysis with simulations and measurements on commercial and development hardware. At the logical layer, we show how common deployment choices can result in unauthenticated ranging, downgrade attacks, and simple denial-of-service attacks, making it difficult to securely realise many high-stakes use cases. At the physical layer, we study the predictability of secure ranging waveforms, the security impact of symbol repetition, and how waveform design choices affect compliance with spectral masks under realistic RF behaviour. Our results show that secure Wi-Fi ranging is highly sensitive to configuration choices and is non-trivial to implement on existing hardware. This is also evidenced by the currently limited support for secure Wi-Fi ranging in commodity devices. This paper provides practical guidelines for using secure FTM safely and recommendations to vendors and standardisation bodies to improve its robustness and deployability.

Paper Structure

This paper contains 41 sections, 2 equations, 6 figures, 1 table.

Figures (6)

  • Figure 1: Example of a typical FTM ranging session between the station (STA) and the access point (AP).
  • Figure 2: Comparison of the HE-LTF part of an HE ranging NDP in the legacy (non-secure) and secure IEEE 802.11az formats. Earlier preamble fields and headers are omitted for clarity.
  • Figure 3: Waveform reconstruction after partial observation (80%).
  • Figure 4: Simulation results, 25 iterations. (a) Average RMSE. Top: distance between estimated and true constellation symbols, compared to minimum symbol distance. Bottom: average RMSE in time domain for the observed signal part and the predicted signal part, compared to the mean symbol energy of the HE-LTF $y$. (b) Top: accuracy of random phase shift estimation. Bottom: sharpness and cross entropy of the posterior function on the constellation symbols $X_k$.
  • Figure 5: (a) Distance bias induced by advancing a fraction of the secure HE-LTF. The attacker observes the first $k$% of the secure HE-LTF to predict and transmit an advanced replica for the remaining portion. The positive x-axis denotes an advance (distance reduction), while negative values denote a delay (distance enlargement). (b) RMS error vector magnitude (EVM) after HE-LTF demodulation versus the applied signal advance.
  • ...and 1 more figure