Ranging and localisation have become critical for many applications and services. The Wi-Fi (IEEE 802.11) standard is a natural candidate for providing these functions across diverse environments, given its widespread deployment. The IEEE 802.11az amendment, finalised in 2023, introduces "Next Generation Positioning" mechanisms to secure and harden the existing insecure Wi-Fi Fine Timing Measurement (FTM) ranging solution. Moreover, the recent IEEE 802.11bk amendment increases the available bandwidth with the goal of approaching the centimetre-level ranging accuracy of ultra-wideband (UWB) systems. This paper examines to what extent these promises hold from a security and deployability perspective. We analyse the core mechanisms of secure Wi-Fi ranging as defined in IEEE 802.11az and IEEE 802.11bk at both the logical and physical layers, combining standards analysis with simulations and measurements on commercial and development hardware. At the logical layer, we show how common deployment choices can result in unauthenticated ranging, downgrade attacks, and simple denial-of-service attacks, making it difficult to securely realise many high-stakes use cases. At the physical layer, we study the predictability of secure ranging waveforms, the security impact of symbol repetition, and how waveform design choices affect compliance with spectral masks under realistic RF behaviour. Our results show that secure Wi-Fi ranging is highly sensitive to configuration choices and is non-trivial to implement on existing hardware. This is also evidenced by the currently limited support for secure Wi-Fi ranging in commodity devices. This paper provides practical guidelines for using secure FTM safely and recommendations to vendors and standardisation bodies to improve its robustness and deployability.