The IEEE 802.11mc standard introduces fine time measurement (Wi-Fi FTM), allowing high-precision synchronization between peers and round-trip time calculation (Wi-Fi RTT) for location estimation, typically with a precision of one to two meters. This has considerable advantages over received signal strength (RSS)-based trilateration, which is prone to errors due to multipath reflections. We examine different commercial radios that support Wi-Fi RTT and benchmark Wi-Fi FTM ranging over different spectrums and bandwidths. Importantly, we find that while Wi-Fi FTM supports localization accuracy to within one to two meters in ideal conditions during outdoor line-of-sight experiments, for indoor environments at short ranges similar accuracy was only achievable on chipsets supporting Wi-Fi FTM on wider (VHT80) channel bandwidths rather than narrower (HT20) channel bandwidths. Finally, we explore the security implications of Wi-Fi FTM and use an on-air sniffer to demonstrate that Wi-Fi FTM messages are unprotected. We consequently propose a threat model with possible mitigations and directions for further research.