Method and system for preventing a physical layer relay attack

11528612 · 2022-12-13

Assignee

Inventors

Cpc classification

International classification

Abstract

There is provided a method and a system for authorizing a user device to send a request to a vehicle in order to prevent a physical layer relay attack. The system comprises a vehicle comprising an acoustic transducer and an RF transceiver and a user device comprising an acoustic transducer and an RF transceiver. The method relates to a signaling scheme using a combination of acoustic and RF signals for preventing a successful physical layer relay attack.

Claims

1. A method, comprising: establishing a secure communication channel between a vehicle and a user device; transmitting an acoustic signal comprising a first unique identity ID.sub.1 from a vehicle acoustic transducer and creating a time stamp t.sub.0; in the vehicle, receiving at least one reflected acoustic signal and creating a time stamp t.sub.1 upon reception, and, for the at least one reflected acoustic signal, determining a first time-of-flight ToF.sub.1=t.sub.1−t.sub.0; in the user device, receiving and verifying the first unique identity ID.sub.1 transmitted by the vehicle and creating a time stamp t.sub.2 upon reception, generating a response signal using a previously agreed upon method for creating a second unique identity ID.sub.2 based on the received first unique identity ID.sub.1, transmitting the response signal as an acoustic signal comprising the second unique identity ID.sub.2 and creating a time stamp t.sub.3 for the transmission event, determining a response delay time t.sub.D=t.sub.3−t.sub.2, and transmitting a radio frequency (RF) signal comprising the response delay time t.sub.D to the vehicle over the secure communication channel; in the vehicle, receiving the response signal, verifying the second unique identity ID.sub.2 and creating a time stamp t.sub.4, receiving the RF signal comprising the response delay time t.sub.D, and determining a second time-of-flight ToF.sub.2=t.sub.4−t.sub.0−t.sub.D; and when a difference between ToF.sub.1 and ToF.sub.2 is below a predetermined threshold value T.sub.max, authorizing the user device to send a request to the vehicle.

2. The method of claim 1, wherein, after establishing the secure communication channel between the vehicle and the user device, the remaining steps of claim 1 are performed repeatedly.

3. The method of claim 2, further comprising, when the difference between ToF.sub.1 and ToF.sub.2 is above the predetermined threshold value T.sub.max, denying authorization of the user device to send the request to the vehicle.

4. The method of claim 1, further comprising, in the vehicle, receiving a plurality of reflected signals, creating a corresponding plurality of time stamps t.sub.11, . . . , t.sub.1N upon reception of each of the plurality of reflected signals, for each of the plurality of reflected signals determining a first time-of-flight ToF.sub.11, . . . , ToF.sub.1N=t.sub.11−t.sub.0, . . . , t.sub.1N−t.sub.0, and when a difference between any one of ToF.sub.11, . . . , ToF.sub.1N, and ToF.sub.2 is below the predetermined threshold value T.sub.max, authorizing the user device to send the request to the vehicle.

5. The method of claim 4, further comprising, when an object is detected which is closer to the vehicle than the user device which is to be authorized, denying the authorization.

6. The method of claim 1, wherein the response delay time is a random time within a predetermined range.

7. The method of claim 1, wherein the previously agreed upon method for creating the second unique identity ID.sub.2 comprises using one or more of a predetermined algorithm, a secure key, a shared secret, and an algorithm and secret data exchanged over the secure communication channel.

8. The method of claim 1, wherein establishing the secure communication channel comprises broadcasting a Bluetooth signal from the vehicle.

9. The method of claim 1, wherein transmitting the acoustic signal from the vehicle acoustic transducer is done based on a request from the user device.

10. A system, comprising: a vehicle comprising a vehicle acoustic transducer and a vehicle radio frequency (RF) transceiver; a user device comprising a user device acoustic transducer and a user device RF transceiver; and a vehicle control unit configured to: establish a secure communication channel between the vehicle and the user device, activate the vehicle acoustic transducer to transmit an acoustic signal comprising a first unique identity ID.sub.1 and create a time stamp t.sub.0, receive at least one reflected acoustic signal and create a time stamp t.sub.1 upon reception, and for the at least one reflected acoustic signal, determine a first time-of-flight ToF.sub.1=t.sub.1−t.sub.0; wherein the user device is configured to: receive and verify the first unique identity ID.sub.1 transmitted by the vehicle and create a time stamp t.sub.2 upon reception, generate a response signal using a previously agreed upon method for creating a second unique identity ID.sub.2 based on the first unique identity ID.sub.1, transmit the response signal as an acoustic signal comprising the second unique identity ID.sub.2 and create a time stamp t.sub.3 for the transmission event, determine a response delay time t.sub.D=t.sub.3−t.sub.2, and transmit an RF signal comprising the response delay time t.sub.D to the vehicle over the secure communication channel; wherein the vehicle control unit is further configured to: receive the response signal, verify the second unique identity ID.sub.2, and create a time stamp t.sub.4, receive the RF signal comprising the response delay time t.sub.D, and determine a second time-of-flight ToF.sub.2=t.sub.4−t.sub.0−t.sub.D; and when a difference between ToF.sub.1 and ToF.sub.2 is below a predetermined threshold value T.sub.max, the system is configured to authorize the user device to send a request to the vehicle.

11. The system of claim 10, wherein the vehicle comprises one acoustic transducer arranged in each corner of the vehicle, wherein each transducer has a horizontal directional sensitivity of at least 270° and a vertical directional sensitivity of at least 180°.

12. The system of claim 10, wherein the acoustic transducer in the vehicle is part of a proximity detection system of the vehicle.

13. The system of claim 10, wherein the user device is one of a car key, a key fob, and a smartphone.

14. The system of claim 10, wherein the acoustic transducer in either or both of the user device and the vehicle comprises a separate transmitter module and a separate receiver module.

15. The system of claim 10, wherein the system is further configured to, when the difference between ToF.sub.1 and ToF.sub.2 is above the predetermined threshold value T.sub.max, denying authorization of the user device to send the request to the vehicle.

16. The system of claim 10, wherein the response delay time is a random time within a predetermined range.

17. The system of claim 10, wherein the previously agreed upon method for creating the second unique identity ID.sub.2 comprises using one or more of a predetermined algorithm, a secure key, a shared secret, and an algorithm and secret data exchanged over the secure communication channel.

18. The system of claim 10, wherein establishing the secure communication channel comprises broadcasting a Bluetooth signal from the vehicle.

19. The system of claim 10, wherein transmitting the acoustic signal from the vehicle acoustic transducer is done based on a request from the user device.

20. A method, comprising: establishing a secure communication channel between a vehicle and a user device; transmitting an acoustic signal comprising a first unique identity ID.sub.1 from a vehicle acoustic transducer and creating a time stamp t.sub.0; in the vehicle, receiving at least one reflected acoustic signal and creating a time stamp t.sub.1 upon reception, and, for the at least one reflected acoustic signal, determining a first time-of-flight ToF.sub.1=t.sub.1−t.sub.0; in the user device, receiving and verifying the first unique identity ID.sub.1 transmitted by the vehicle and creating a time stamp t.sub.2 upon reception, generating a response signal comprising a second unique identity ID.sub.2, transmitting the response signal as an acoustic signal comprising the second unique identity ID.sub.2 and creating a time stamp t.sub.3 for the transmission event, determining a response delay time t.sub.D=t.sub.3−t.sub.2, and transmitting a radio frequency (RF) signal comprising the response delay time t.sub.D to the vehicle over the secure communication channel; in the vehicle, receiving the response signal, verifying the second unique identity ID.sub.2 and creating a time stamp t.sub.4, receiving the RF signal comprising the response delay time t.sub.D, and determining a second time-of-flight ToF.sub.2=t.sub.4−t.sub.0−t.sub.D; and when a difference between ToF.sub.1 and ToF.sub.2 is below a predetermined threshold value T.sub.max, authorizing the user device to send a request to the vehicle.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) These and other aspects of the present invention will now be described in more detail, with reference to the appended drawings showing an example embodiment of the invention, wherein:

(2) FIG. 1 schematically illustrates a vehicle comprising a system according to an embodiment of the present invention;

(3) FIG. 2 is a flow chart outlining the general steps of a method according to an embodiment of the invention;

(4) FIG. 3 schematically illustrates an example user device of a system according to an embodiment of the invention;

(5) FIG. 4 schematically illustrates an example user device of a system according to an embodiment of the invention; and

(6) FIG. 5 schematically illustrates an example user device of a system according to an embodiment of the invention.

DESCRIPTION OF EMBODIMENTS

(7) The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which currently preferred embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided for thoroughness and completeness, and fully convey the scope of the invention to the skilled person. Like reference characters refer to like elements throughout.

(8) In the following detailed description, various embodiments of the invention will be described with reference to an acoustic transducer in the form of an ultrasound transducer, and the transmitted signals will similarly be discussed as ultrasonic signals. However, the same general principles are applicable for acoustic signals in the audible range.

(9) Various embodiments of the invention will be described with reference to FIG. 1 schematically illustrating a system 100 for authorizing a user device 102 to send a request to a vehicle 104, and to the flow chart of FIG. 2 outlining the general steps of a method for authorizing a user device 102 according to an embodiment of the invention.

(10) The system 100 of FIG. 1 comprises a vehicle 104 comprising a plurality of ultrasound transducers 106 and an RF transceiver 108. The method is in principle applicable for a vehicle 104 comprising only one ultrasound transducer 106. However, for increased convenience, the vehicle 104 preferably comprises a plurality of ultrasound transducers 106. The vehicle may for example comprise one ultrasound transducer 106 arranged in each corner of the vehicle, wherein each transducer 106 has a horizontal directional sensitivity of at least 270° and a vertical directional sensitivity of at least 180°. By using a plurality of ultrasound transducers 106 in the vehicle, it is possible to more accurately determine the location of objects in the vicinity of the vehicle. The ultrasound transducer 106 is herein referred to as a single unit, even though the ultrasound transducer 106 may equally well comprise separate transmitter and receiver units. The user device 102 also comprises an ultrasound transducer and an RF transceiver.

(11) FIG. 3 schematically illustrates a user device 102 in the form of a smartphone 300. The illustrated smartphone 300 comprises an acoustic transmitter 302, an acoustic receiver 304 and an RF transceiver 306. The acoustic transmitter 302 and the acoustic receiver 304 are here illustrated as the speaker and the microphone of the smartphone, which may be configured to transmit and receive audible sound and/or ultrasound. However, the smartphone 300 may also be equipped with a single ultrasound transducer module. The RF transceiver 306 may for example be a Bluetooth module. The user device 102 may also be a key fob or the like as illustrated in FIG. 1.

(12) The maximum distance between the vehicle 104 and the user device 102 for performing the authorization is in practice limited by the range of the ultrasound transducer in the user device 102 and/or of the ultrasound transducers 106 in the vehicle 104. The maximum allowable distance may also be set based on regulatory or standard-based requirements.

(13) In applications where the user device 102 is a passive key, there may be requirements that the passive key can only unlock a vehicle 104 if the distance between the passive key and the vehicle 104 is lower than a predetermined distance. In one example, the key must be closer than 1.5 m from the vehicle 104 to authorize an unlock request. However, the described method may equally well be performed at longer distances as long as the described signals can be transmitted correctly.

(14) The vehicle 104 further comprises a vehicle control unit 110. The control unit 110 may include a microprocessor, microcontroller, programmable digital signal processor or another programmable device. The control unit 110 may also, or instead, include an application specific integrated circuit, a programmable gate array or programmable array logic, a programmable logic device, or a digital signal processor. Where the control unit 110 includes a programmable device such as the microprocessor, microcontroller or programmable digital signal processor mentioned above, the processor may further include computer executable code that controls operation of the programmable device. Moreover, the control unit 110 may be a general purpose control unit 110 of the vehicle, or it may be a dedicated control unit 110 specifically configured to control the authorization system 100.

(15) The vehicle control unit 110 is configured to control the system 100 to perform the method according to various embodiments of the invention.

(16) First, a secure communication channel is established 200 between the vehicle 104 and the user device 102. The communication channel may be a Bluetooth channel established via known methods where the user device 102 is discovered based on a Bluetooth broadcast from the vehicle 104.

(17) The next step comprises activating 202 the vehicle ultrasound transducer 106 to transmit 204 an ultrasound signal, US.sub.1, comprising a first unique ID, ID.sub.1, and creating a time stamp t.sub.0. The ultrasound transducer 106 may be automatically activated once the communication channel is established, or it may be set to be always active, in which case the activation step is the same as transmitting the signal US.sub.1. However, it is also possible that activation of the ultrasound transducer 106 requires a request from the user device 102.

(18) The unique ID, ID.sub.1, is encoded in the ultrasound signal, where encoding may be performed using different well-known encoding schemes such as amplitude modulation, frequency modulation, or phase shift modulation. A time stamp t.sub.0 is created in the vehicle 104 when the ultrasound signal US.sub.1 is transmitted 204 from the vehicle 104. The method may comprise transmitting a plurality of ultrasound signals from the vehicle 104, in which case each signal has a unique ID and a corresponding unique time stamp.

(19) Next, a reflected ultrasound signal USR, having been reflected by at least one object, is received 206 in the vehicle 104 and a time stamp t.sub.1 is created upon reception. It is further verified that the reflected ultrasound signal USR comprises ID.sub.1. Accordingly, a first time-of-flight ToF.sub.1 for the received reflected ultrasound signal USR can be determined 208 as ToF.sub.1=t.sub.1−t.sub.0. In case of transmission of a plurality of ultrasound signals from the vehicle, the ID of the transmitted signals can be controlled to ensure that the received reflected signal corresponds to a transmitted signal having the expected ID.

(20) Accordingly, the determined time-of-flight ToF.sub.1 is proportional to the distance between the vehicle 104 and the object. To describe the general principle of the invention, it is assumed that only one reflected signal is received by the vehicle 104, and that the signal has been reflected by the user device 102 or by a carrier of the user device 102, meaning that the location of the object is assumed to correspond to the location of the user device 102.

(21) The ultrasound signal US.sub.1 transmitted by the vehicle is also received and verified 210 by the user device 102. The signal US.sub.1 may be verified by confirming that ID.sub.1 is a valid ID created by the vehicle 104. This can be done by the user device 102 receiving information of ID.sub.1 from the vehicle 104 over the secure RF communication channel before the ultrasound signal is sent. Furthermore, a time stamp t.sub.2 is created in the user device 102 upon reception of the signal US.sub.1 in the user device 102.

(22) Based on the received signal identity ID.sub.1, a second unique ID, ID.sub.2, is created using a previously agreed upon method, and a response signal US.sub.2 is generated 212. The response signal US.sub.2 is then transmitted 214 as an ultrasound signal comprising ID.sub.2 and a time stamp t.sub.3 is created 216 for the transmission event.

(23) Based on the time stamp t.sub.2 created upon reception of the signal US.sub.1 and the time stamp t.sub.3 created for the transmission event, a response delay time t.sub.D can be determined 218 as t.sub.D=t.sub.3−t.sub.2. The response delay time thereby describes the time from reception of US.sub.1 to transmission of US.sub.2 by the user device 102. The response delay time may depend on latencies and processing times of the user device 102. The response delay time may also comprise a controllable or random delay to make it more difficult for an attacker to predict the response delay time. The random delay time may have a range from zero up to a maximum random delay time preferably being several times larger than the measurement inaccuracy of the overall system. Some system latencies are not controllable by the system and can thus not be included in the response delay time. However, these system latencies are typically negligible in comparison to the time of flight of the ultrasound signals.

(24) Next, the user device 102 transmits 220 an RF signal, RF.sub.1, comprising t.sub.D to the vehicle 104 over the secure communication channel.

(25) The control unit 110 of the vehicle 104 thereby receives 222 the response signal US.sub.2, verifies ID.sub.2, and creates a time stamp t.sub.4 upon reception of the signal US.sub.2. That ID.sub.2 is verified means that it is determined that ID.sub.2 is a valid ID originating from the user device 102 and derived from the ultrasound signal identity ID.sub.1, based on the previously agreed upon method for creating ID.sub.2 being known by the vehicle 104. It is also possible to encode only a truncated version of ID.sub.2 in the ultrasound signal US.sub.2, and to send the complete ID.sub.2 in the RF signal RF.sub.1. This can for example be advantageous for long IDs, since large amounts of information are more easily encoded in RF signals than in ultrasound signals. Either way, ID.sub.2 is received by the vehicle 104, which is then able to verify that the time stamp t.sub.4 corresponds to a signal US.sub.2 received from the user device 102 in response to the originally transmitted signal US.sub.1.

(26) The signal RF.sub.1 transmitted by the user device 102 may also comprise ID.sub.1, thereby allowing the vehicle 104 to verify that ID.sub.1 has been received by the user device 102 without being corrupted.

(27) Furthermore, the RF signal RF.sub.1 comprising t.sub.D, and optionally the complete ID.sub.2, is received 224 by the vehicle 104. The vehicle 104 can then determine 226 a second time-of-flight ToF.sub.2 as ToF.sub.2=t.sub.4−t.sub.0−t.sub.D. Since the response delay t.sub.D has been subtracted, ToF.sub.2 corresponds to the acoustic propagation time from the vehicle 104 to the user device 102 and back, and should thus agree with the first time-of-flight ToF.sub.1 of the reflected signal. To be able to correctly determine ToF.sub.2, the vehicle must have knowledge of the delay t.sub.D in the user device, which is transmitted over the secure channel.

(28) Accordingly, in a final step, ToF.sub.1 is compared with ToF.sub.2 and, if the difference between ToF.sub.1 and ToF.sub.2 is below a predetermined threshold value T.sub.max, the user device is authorized 228.

(29) The threshold value T.sub.max is preferably larger than the combined measurement inaccuracies in the vehicle 104 and the user device 102. The threshold value T.sub.max may thus be set for a particular combination of vehicle 104 and user device 102, or for a combination covering many different vehicles 104 and user devices 102.

(30) If the difference between ToF.sub.1 and ToF.sub.2 exceeds the threshold value T.sub.max, this can be interpreted as a potential relay station attack, and at this point the vehicle 104 will not authorize a service request from the user device 102. The service request can be explicitly communicated by the user device 102 via the secure radio channel, but it can also be an implicit request, such as an implicit request to unlock the vehicle 104 when the user device 102 is within a maximum distance from the vehicle 104.
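The exchange of steps 200 to 228 and the relay interpretation above, worked through as an added example that is not part of the patent. Both sides are simulated in Python on a single time base; the real protocol needs no clock synchronisation, because ToF.sub.2 only combines differences of vehicle time stamps with the difference t.sub.D reported by the user device. The speed of sound, the threshold T.sub.max of 1 ms, the response-delay range, the shared secret and all distances are assumed values, and HMAC-SHA256 over ID.sub.1 is one possible choice for the "previously agreed upon method" for ID.sub.2, not a method the patent prescribes. The relay case models the attack of FIG. 4: an attack device near the vehicle captures US.sub.1, forwards it to the distant user device over a link with a fixed one-way latency, and re-emits the returned US.sub.2 near the vehicle.

```python
import hashlib
import hmac
import os
import random

SPEED_OF_SOUND = 343.0  # m/s in air; assumed constant for this simulation
T_MAX = 1.0e-3          # tolerance on |ToF1 - ToF2| in seconds (assumed value)
ACOUSTIC_ID_LEN = 8     # bytes of ID1 / truncated ID2 that fit in one ultrasound frame (assumed)


def derive_id2(shared_key: bytes, id1: bytes) -> bytes:
    """The 'previously agreed upon method' for ID2, assumed here to be HMAC-SHA256 over ID1."""
    return hmac.new(shared_key, id1, hashlib.sha256).digest()


def acoustic_delay(distance_m: float) -> float:
    """One-way propagation time of an ultrasound signal over distance_m."""
    return distance_m / SPEED_OF_SOUND


class UserDevice:
    """Key fob / smartphone side: verifies ID1 and answers with ID2 after a random delay t_D."""

    def __init__(self, shared_key: bytes, rng: random.Random, delay_range=(0.005, 0.020)):
        self.key, self.rng, self.delay_range, self.expected_id1 = shared_key, rng, delay_range, None

    def on_secure_channel(self, id1_announced: bytes) -> None:
        self.expected_id1 = id1_announced  # ID1 is announced over RF before US1 is emitted

    def on_ultrasound(self, t2: float, id1_received: bytes):
        """US1 arrives at t2; returns the US2 emission time, the acoustic payload and the RF message."""
        if id1_received != self.expected_id1:
            raise ValueError("US1 carries an ID1 the vehicle never announced")
        t_d = self.rng.uniform(*self.delay_range)  # random response delay within a fixed range
        t3 = t2 + t_d                              # time stamp of the US2 transmission event
        id2 = derive_id2(self.key, id1_received)
        # US2 carries only a truncated ID2; the complete ID2 and t_D travel over the secure RF channel
        return t3, id2[:ACOUSTIC_ID_LEN], {"t_D": t_d, "id2": id2}


class Vehicle:
    """Vehicle control unit side: ToF1 from the echo, ToF2 from the response minus t_D."""

    def __init__(self, shared_key: bytes, t_max: float = T_MAX):
        self.key, self.t_max = shared_key, t_max

    def start_round(self, t0: float) -> bytes:
        self.t0, self.id1 = t0, os.urandom(ACOUSTIC_ID_LEN)  # fresh ID1 per round, stamped t0
        return self.id1

    def on_reflection(self, t1: float) -> None:
        self.tof1 = t1 - self.t0

    def on_response(self, t4: float, id2_truncated: bytes) -> None:
        self.t4, self.id2_truncated = t4, id2_truncated

    def on_rf(self, message: dict) -> None:
        self.t_d, self.id2_full = message["t_D"], message["id2"]

    def decide(self):
        """Return (authorized, ToF1, ToF2); ToF2 is None when ID2 does not verify."""
        expected = derive_id2(self.key, self.id1)
        if not hmac.compare_digest(expected, self.id2_full) or expected[:ACOUSTIC_ID_LEN] != self.id2_truncated:
            return False, self.tof1, None
        tof2 = self.t4 - self.t0 - self.t_d
        return abs(self.tof1 - tof2) < self.t_max, self.tof1, tof2


def run_exchange(device_distance_m: float, relay=None, device_key=None, seed: int = 1):
    """One authorization round on a shared time base (t0 = 0).

    relay=(attacker_distance_m, link_latency_s) models a physical-layer relay: an attack device
    near the vehicle captures US1, forwards it with the given one-way latency to the distant user
    device, and re-emits the returned US2; the user device's own distance then plays no role.
    """
    rng = random.Random(seed)
    vehicle_key = b"constructed-shared-secret-for-this-example"
    vehicle, device = Vehicle(vehicle_key), UserDevice(device_key or vehicle_key, rng)
    t0 = 0.0
    id1 = vehicle.start_round(t0)
    device.on_secure_channel(id1)
    if relay is None:
        one_way = acoustic_delay(device_distance_m)
        vehicle.on_reflection(t0 + 2 * one_way)                 # echo from the user / carrier
        t3, us2_payload, rf1 = device.on_ultrasound(t0 + one_way, id1)
        t4 = t3 + one_way
    else:
        attacker_distance_m, link_latency = relay
        to_attacker = acoustic_delay(attacker_distance_m)
        vehicle.on_reflection(t0 + 2 * to_attacker)             # nearest echo is the attack device
        t3, us2_payload, rf1 = device.on_ultrasound(t0 + to_attacker + link_latency, id1)
        t4 = t3 + link_latency + to_attacker                    # US2 relayed back and re-emitted
    vehicle.on_response(t4, us2_payload)
    vehicle.on_rf(rf1)
    return vehicle.decide()


if __name__ == "__main__":
    print("legitimate user at 1.2 m:", run_exchange(1.2))
    print("relay, attack device 0.8 m, 2 ms link:", run_exchange(40.0, relay=(0.8, 0.002)))
    print("device with wrong key:", run_exchange(1.2, device_key=b"not-the-vehicle-key"))
```

In the legitimate case ToF.sub.1 and ToF.sub.2 agree to within rounding. With the relay, the vehicle's nearest echo is the attack device, so ToF.sub.1 is that device's round-trip time, while ToF.sub.2 additionally carries the relay link latency in both directions; the difference is twice the one-way relay latency, and the check holds whenever that exceeds T.sub.max. A relay whose total added latency stays below T.sub.max would pass, which is why T.sub.max should be no larger than the combined measurement inaccuracy requires. A device that does not hold the shared secret fails at the ID.sub.2 check before any timing is compared.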

(31) When the authorization fails, a new attempt can be carried out by the user device 102 again detecting an ultrasound signal transmitted by the vehicle 104, and performing the steps above for the vehicle 104 to again calculate ToF.sub.1 and ToF.sub.2 for comparison. If the renewed authentication and verification process then succeeds, the vehicle 104 may authorize the request from the user device 102, or it may have a policy to require more than one successful verification after a failed authorization before granting the request. In the case of several failed authorization attempts, the vehicle 104 may have a policy to prevent setting up a secure communication channel to this user device 102, and thereby aborting any requests from the user device 102, possibly for a set time period. The vehicle 104 may in this case also report the failed authorization via other communication channels to its owner, or some other recipient.

(32) Various additional safeguards may be implemented to further increase the difficulty for an attacker attempting a physical layer relay attack.

(33) FIG. 4 schematically illustrates an example where a plurality of objects are located in the vicinity of the vehicle 104 resulting in a plurality of reflected signals. The vehicle 104 then creates a corresponding plurality of time stamps t.sub.11, . . . , t.sub.1N, where N represents the number of received reflected signals, upon reception of each reflected signal. For each received reflected ultrasound signal, a corresponding first time-of-flight ToF.sub.11, . . . , ToF.sub.1N is determined as ToF.sub.11, . . . , ToF.sub.1N=t.sub.11−t.sub.0, . . . , t.sub.1N−t.sub.0 such that each of ToF.sub.11 to ToF.sub.1N can be compared with the second time of flight ToF.sub.2. Thereby, if a difference between any one of ToF.sub.11, . . . , ToF.sub.1N, and ToF.sub.2 is below the predetermined threshold value T.sub.max, the user device can be authorized.

(34) The adjacent objects may for example be an adjacent vehicle 400 or an attack device 402 used to intercept signals between the vehicle 104 and the user device 102 to perform a physical layer relay attack. Accordingly, to further reduce the risk of a successful attack, an authorization can be prevented or revoked if any detected object is closer to the vehicle 104 than the user device 102. The distance to the user device 102 can be determined based on ToF.sub.2 which in turn can be determined based on knowledge of the response delay time t.sub.D.
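The plurality-of-echoes rule of FIG. 4 and the closer-object safeguard, as an added example that is not part of the patent: a pure decision function over already measured times of flight, so that the policy can be exercised without the signaling simulation. The distances, the speed of sound and T.sub.max are constructed values, and reading "closer to the vehicle than the user device" as ToF.sub.1i < ToF.sub.2 − T.sub.max, so that the echo from the user's own body is not counted as a closer object, is an assumption of this example.

```python
SPEED_OF_SOUND = 343.0  # m/s in air (assumed)
T_MAX = 1.0e-3          # tolerance on |ToF1_i - ToF2| in seconds (assumed value)


def round_trip_tof(distance_m: float) -> float:
    """Round-trip acoustic time of flight to an object distance_m from the vehicle."""
    return 2.0 * distance_m / SPEED_OF_SOUND


def authorize(tof1_echoes, tof2, t_max=T_MAX, reject_closer_objects=True):
    """Decide on a plurality of echoes ToF1_1 .. ToF1_N against ToF2.

    Returns (authorized, reason).
    Any-echo rule: authorize if at least one echo lies within t_max of ToF2.
    Closer-object rule (optional): deny if any echo comes from an object nearer the vehicle
    than the user device, taken here as ToF1_i < ToF2 - t_max so the user's own echo is exempt.
    """
    if not tof1_echoes:
        return False, "no reflected signal received"
    if reject_closer_objects:
        closer = [t for t in tof1_echoes if t < tof2 - t_max]
        if closer:
            return False, f"{len(closer)} object(s) detected closer than the user device"
    if any(abs(t - tof2) < t_max for t in tof1_echoes):
        return True, "an echo matches the user device distance"
    return False, "no echo within T_max of ToF2: possible relay"


def fig4_scenario():
    """FIG. 4-like layout with constructed distances: adjacent vehicle at 2.5 m,
    attack device at 0.6 m, user carrying the device at 1.4 m; ToF2 matches the user."""
    echoes = [round_trip_tof(d) for d in (2.5, 0.6, 1.4)]
    tof2 = round_trip_tof(1.4)
    return authorize(echoes, tof2, reject_closer_objects=False), authorize(echoes, tof2)


if __name__ == "__main__":
    any_echo, with_closer_rule = fig4_scenario()
    print("any-echo rule only:", any_echo)
    print("with closer-object rule:", with_closer_rule)
    # a relayed response: the only echo is the attack device, ToF2 carries 4 ms of relay latency
    print("relay:", authorize([round_trip_tof(0.8)], round_trip_tof(0.8) + 0.004))
```

With only the any-echo rule, the FIG. 4 layout authorizes because the echo from the user carrier at 1.4 m agrees with ToF.sub.2, even though the attack device at 0.6 m is also present; the closer-object rule denies it. The same rule also denies when a bystander or a shopping cart happens to sit between the key and the vehicle, so it is a policy trade-off, which is why the function takes it as a flag rather than applying it unconditionally.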

(35) FIG. 5 schematically illustrates the general steps of an embodiment of the invention illustrating the signaling between the user device 102 and the vehicle 104.

(36) First, in 502, a secure RF communication channel RF.sub.SC is established. Next 504, an ultrasound signal US.sub.1 is transmitted from the vehicle 104 and the transmitted signal is subsequently reflected 506 in an object at a location determined to correspond to the location of the user device 102. In 508, a response signal US.sub.2 is generated in the user device 102 and transmitted to the vehicle 104. Finally, in 510, an RF signal RF.sub.1 is transmitted from the user device 102 to the vehicle 104 over the secure communication channel.

(37) Even though the invention has been described with reference to specific exemplifying embodiments thereof, many different alterations, modifications and the like will become apparent for those skilled in the art. Also, it should be noted that parts of the method and system may be omitted, interchanged or arranged in various ways, the method and system yet being able to perform the functionality of the present invention.

(38) Additionally, variations to the disclosed embodiments can be understood and effected by the skilled person in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. In the claims, the word “comprising” does not exclude other elements or steps, and the indefinite article “a” or “an” does not exclude a plurality. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.