UWB ranging systems have been adopted in many critical and security-sensitive applications due to their precise positioning and secure ranging capabilities. We present UWBAD, a practical jamming attack against commercial UWB ranging systems. It exploits the vulnerability introduced by the adoption of the normalized cross-correlation process in UWB ranging, and can selectively and quickly block ranging sessions without prior knowledge of the configurations of the victim devices, potentially leading to severe consequences such as property loss, unauthorized access, or vehicle theft. UWBAD achieves more effective and less perceptible jamming because (i) it efficiently blocks every ranging session by leveraging field-level jamming, thereby exerting a tangible impact on commercial UWB ranging systems, and (ii) its compact, reactive, and selective system design is based on COTS UWB chips, making it affordable and less perceptible. We successfully conducted real attacks against commercial UWB ranging systems from the three largest UWB chip vendors on the market: Apple, NXP, and Qorvo. We reported our findings to Apple, related Original Equipment Manufacturers (OEMs), and the Automotive Security Research Group, triggering internal security incident response procedures at Volkswagen, Audi, Bosch, and NXP. As of the writing of this paper, the related OEM has acknowledged this vulnerability in their automotive systems and has offered a $5,000 reward as a bounty.