Due to its suitability for wireless ranging, Ultra-Wide Band (UWB) has gained traction over the past few years. UWB chips have been integrated into consumer electronics and considered for security-relevant use cases, such as access control or contactless payments. However, several publications in the recent past have shown that it is difficult to protect the integrity of distance measurements on the physical layer. In this paper, we identify transceiver clock imperfections as a new, important parameter that has been widely ignored so far. We present Mix-Down and Stretch-and-Advance, two novel attacks against the current (IEEE 802.15.4z) and the upcoming (IEEE 802.15.4ab) UWB standard, respectively. We demonstrate Mix-Down on commercial chips and achieve distance reduction from 10 m to 0 m. For the Stretch-and-Advance attack, we show analytically that the current proposal of IEEE 802.15.4ab allows reductions of over 90 m. In order to prevent the attack, we propose and analyze an effective countermeasure.