Here, there, and everywhere: Security analysis of wi-fi fine timing measurement

Abstract

Today, an increasing number of applications rely on location and proximity information to deliver services. With the introduction of Wi-Fi Fine Timing Measurement (FTM) in the IEEE 802.11-2016 standard, Wi-Fi derived location and proximity information will play a key role in many safety- and security-critical applications. For example, Wi-Fi FTM is adopted in Wi-Fi Aware where it enables geo-fencing and mobile identification. In this paper, we perform the first security analysis of Wi-Fi FTM and analyze its security guarantees across the logical and physical layers. We find various weaknesses that enable an attacker to introduce distance reductions and enlargements to any arbitrary attacker-chosen value, requiring commodity hardware only. We perform an evaluation using commercial access points, smartphones, and off-the-shelf Wi-Fi cards, and show that an attacker can manipulate distances with meter-level precision. Furthermore, we highlight the distance manipulation attacks which are independent of any higher-layer cryptographic protection, exposing fundamental limitations to achieving secure distance measurements in the current standard. Finally, we present security recommendations for the design and implementation of Wi-Fi FTM and next-generation positioning protocols.