Preventing Early Commit Delay Detection Attacks
By transmitting signals of varying quality during different phases, the method effectively prevents ECLD attacks in wireless communication systems, enhancing security and reducing costs without additional circuit elements.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- TEXAS INSTRUMENTS INC
- Filing Date
- 2024-05-01
- Publication Date
- 2026-06-30
AI Technical Summary
Existing solutions to prevent early commit late detect (ECLD) attacks in wireless communication systems often require additional circuit elements, increasing cost and design area, and can affect device performance.
A method involving a first device transmitting signals of varying quality during different communication phases, with a degraded signal quality during authentication to detect and mitigate ECLD attacks, using existing transceiver circuit elements to generate filterable distortions.
Enhances the robustness of secure devices against ECLD attacks while reducing design area and costs, maintaining compliance with Bluetooth communication standards.
Smart Images

Figure 2026521325000001_ABST
Abstract
Description
Technical Field
[0001] The present disclosure generally relates to electronic systems and methods, and in particular embodiments, to methods for preventing early commit late detect (ECLD) attacks.
Background Art
[0002] An early commit late detect (ECLD) attack occurs in a wireless communication environment when an attacking device learns the symbols of a transmitted signal early during the communication phase between two devices, commits those symbols later in the communication phase, and attempts to deceive the receiving device about the arrival time of the transmitted signal and thus the proximity of the transmitting device to the receiving device. If this is successful, the receiving device may perform an action such as unlocking a device (e.g., a vehicle door, a hotel door) for the attacker based on that signal.
[0003] Existing solutions to prevent ECLD attacks may include, for example, randomizing the symbols transmitted from one device to another, shortening the pulses of the signals transmitted from one device to another, and limiting proximity and distance to shorter values. However, some of these solutions require additional circuit elements, which can increase the cost and design area of the system for access control and / or affect the performance of the device.
Summary of the Invention
[0004] Some embodiments described herein also advantageously provide improvements in preventing early commit delay detection attacks. Some embodiments can prevent attacks on devices and systems by manipulating signals communicated between devices in such a way that attacks on devices are detectable. In an exemplary embodiment, a method is provided for preventing an ECLD attack. This method includes a first device identifying a degradation level, the first device transmitting a first signal having a first signal quality based on the degradation level during a first communication phase, and the first device transmitting a second signal having a second signal quality during a second communication phase, wherein the second signal quality is higher than the first signal quality.
[0005] This summary is provided to introduce, in a simplified form, selected concepts that will be further described thereafter in modes for carrying out the invention. This summary is not intended to identify the main or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. [Brief explanation of the drawing]
[0006] To fully understand the present invention and its advantages, please refer to the following description provided in conjunction with the accompanying drawings.
[0007] [Figure 1A] A block diagram of a system according to one embodiment of this disclosure is shown. [Figure 1B] A block diagram of a system according to one embodiment of this disclosure is shown.
[0008] [Figure 2A] This invention provides a method for communicating signals of varying quality between elements of a system, according to one embodiment of this disclosure. [Figure 2B] This invention provides a method for communicating signals of varying quality between elements of a system, according to one embodiment of this disclosure.
[0009] [Figure 3A] A sequence diagram of a system according to one embodiment of the present disclosure is shown. [Figure 3B] A sequence diagram of a system according to one embodiment of the present disclosure is shown.
[0010] [Figure 4] The phase trajectories and instantaneous frequency deviations for three symbol periods, according to one embodiment of the present disclosure, are shown.
[0011] [Figure 5A] The waveforms associated with the devices shown in Figures 1A and 1B, according to one embodiment of the present disclosure, are shown. [Figure 5B] The waveforms associated with the devices shown in Figures 1A and 1B, according to one embodiment of the present disclosure, are shown. [Figure 5C] The waveforms associated with the devices shown in Figures 1A and 1B, according to one embodiment of the present disclosure, are shown.
[0012] [Figure 6] The bit error rate (BER) versus detection delay (DD) for different scenarios according to one embodiment of this disclosure is shown. [Figure 7] The bit error rate (BER) versus detection delay (DD) for different scenarios according to one embodiment of this disclosure is shown.
[0013] [Figure 8] An eye diagram associated with a device, according to one embodiment of the present disclosure, is shown.
[0014] [Figure 9] The relationship between the Eye Quality Index (EQI) and the Degree Determinant (DD) according to one embodiment of this disclosure is illustrated.
[0015] [Figure 10] The DD, EQI, eye diagrams, and waveforms for various scenarios according to the embodiments of this disclosure are shown. [Figure 11]Shows DD, EQI, eye diagrams, and waveforms for various scenarios according to embodiments of the present disclosure. [Figure 12] Shows DD, EQI, eye diagrams, and waveforms for various scenarios according to embodiments of the present disclosure. [Figure 13] Shows DD, EQI, eye diagrams, and waveforms for various scenarios according to embodiments of the present disclosure. [Figure 14] Shows DD, EQI, eye diagrams, and waveforms for various scenarios according to embodiments of the present disclosure. [Figure 15] Shows DD, EQI, eye diagrams, and waveforms for various scenarios according to embodiments of the present disclosure. [Figure 16] Shows DD, EQI, eye diagrams, and waveforms for various scenarios according to embodiments of the present disclosure. [Figure 17] Shows DD, EQI, eye diagrams, and waveforms for various scenarios according to embodiments of the present disclosure. [Figure 18] Shows DD, EQI, eye diagrams, and waveforms for various scenarios according to embodiments of the present disclosure. [Figure 19] Shows DD, EQI, eye diagrams, and waveforms for various scenarios according to embodiments of the present disclosure. [Figure 20] Shows DD, EQI, eye diagrams, and waveforms for various scenarios according to embodiments of the present disclosure.
[0016] Corresponding numbers and symbols in different drawings generally refer to corresponding parts, unless otherwise noted. The drawings are drawn to clearly illustrate relevant aspects of the preferred embodiments and are not necessarily drawn to scale.
Mode for Carrying Out the Invention
[0017] The creation and use of the disclosed embodiments are described in detail below. However, it should be recognized that this disclosure provides many applicable inventive concepts that can be embodied in a wide range of specific contexts. The specific embodiments described are merely illustrative of specific methods for creating and using the invention and do not limit the scope of the invention.
[0018] The following description illustrates various specific details to provide a deeper understanding of several exemplary embodiments in accordance with this description. Embodiments may be obtained without one or more specific details, or using other methods, components, materials, etc. In other instances, known structures, materials, or operations are not illustrated or described in detail so as not to obscure different aspects of the embodiment. The reference to “embodiment” in this description indicates that a particular configuration, structure, or feature described in relation to that embodiment is included in at least one embodiment. Consequently, phrases such as “in one embodiment” that may appear at different points in this description do not necessarily refer to the exact same embodiment. Furthermore, specific compositions, structures, or features may be combined in any suitable manner in one or more embodiments.
[0019] The embodiments of this disclosure are described in specific contexts, such as preventing early commit delayed detection (ECLD) attacks for unlocking a vehicle using Bluetooth or Bluetooth Low Energy (BLE). Some embodiments may also be used in other applications, such as access control in a hotel room or business, and may use other wireless communication protocols. Some embodiments may also be used in applications other than access control, such as controlling a first device based on the proximity of a second device to a first device, and / or authenticating a second device by a first device, partly based on the proximity of the second device to the first device.
[0020] An ECLD attack can be understood as a type of cyberattack against devices that send and receive Bluetooth signals, for example. A malicious device attempting to commit an ECLD attack may try to gain access to or control of another device by mimicking the signals of one device. For example, a malicious device may try to unlock a vehicle and gain access to its interior by sending a duplicated signal from a smartphone to a vehicle. In this context, if the malicious device is successful, the vehicle may receive the duplicated signal, believe that the signal is coming from the smartphone or other authentication device, and take action based on that signal.
[0021] This specification discloses embodiments of improved detection systems, devices, and methods for preventing ECLD attacks. In one embodiment, a first device (e.g., a key fob, or another device acting as a key fob) uses increased phase noise while transmitting authentication packets to a second device (e.g., a vehicle) during the authentication phase (e.g., during or accompanying one or more channel sounding steps), which can advantageously prevent or mitigate a MITM attack or make the attack detectable by the second device. In some embodiments, the increased phase noise is intentionally induced by increasing the bandwidth of the PLL of the first device while transmitting at least a portion of the authentication packets. In some embodiments, the first device uses reduced phase noise while transmitting packets to the second device during the communication phase.
[0022] In some embodiments, a method for preventing an ECLD attack is provided. This method includes: a first device identifying a degradation level; the first device transmitting a first signal having a first signal quality based on the degradation level during a first communication phase; and the first device transmitting a second signal having a second signal quality during a second communication phase, wherein the second signal quality is higher than the first signal quality.
[0023] In another exemplary embodiment, a device is provided comprising a transmitter circuit and a processor. The processor is configured to transmit a first packet having a first quality during a first communication phase using the transmitter circuit, and to transmit a second packet having a second quality lower than the first quality during a second communication phase.
[0024] In yet another exemplary embodiment, a device is provided comprising a transceiver and a processor. The processor is configured to identify a degradation level, identify a reference signal based on the degradation level, receive a first signal, perform a comparison between the first signal and the reference signal to generate a comparison result, and determine, based on the comparison result, whether the first signal is genuine or not.
[0025] Advantageously, systems, methods, and devices for preventing ECLD attacks not only increase the robustness of secure devices providing access, but can also reduce design area requirements and costs by utilizing existing transceiver circuit elements to generate filterable distortions for detecting attacks while adhering to Bluetooth communication standards and protocols.
[0026] Figures 1A and 1B show block diagrams of a system according to one embodiment of the present disclosure. Figure 1A includes an operating environment 101, which includes device 105, device 110, and their components. Figure 1B includes an operating environment 102, which also includes device 105, device 110, and their components, and further includes attack devices 120-1 and 120-2. Device 105 includes circuit element 106 and processor 108. Device 110 includes circuit element 111 and processor 113. In various examples, devices 105 and 110 perform an early commit delayed detection (ECLD) attack prevention process, such as process 200 in Figure 2A and process 210 in Figure 2B, respectively. Thus, devices 105 and 110 may perform such a process in hardware, software, firmware, or any combination or variation thereof.
[0027] Referring first to Figure 1A, the operating environment 101 represents an environment including devices 105 and 110 that communicate wirelessly with each other. Device 105 may represent any device, apparatus, or system that can send and receive signals to and from device 105 using a wireless communication protocol such as Bluetooth or BLE. For example, in some embodiments, device 105 may be a key fob or a smartphone. Similarly, device 110 may represent any device, apparatus, or system that can send and receive signals to and from device 105 via a wireless communication protocol. In some embodiments, device 110 may be a vehicle, a hotel room keypad, or any other device configured to provide wireless access control. In some embodiments, wireless communication between device 105 and device 110 uses Gaussian frequency-shifted modulation (GFSK).
[0028] In various embodiments, devices 105 and 110 include components capable of establishing wireless communication between them, performing actions based on signals received from each other, and preventing ECLD attacks. For example, device 105 includes a circuit element 106 and a processor 108, and device 110 includes a circuit element 111 and a processor 113.
[0029] Circuit elements 106 and 111 may represent one or more hardware components capable of transmitting, receiving, and processing signals communicated over a wireless network. In some embodiments, examples of circuit elements 106 and 111 may include communication equipment, antennas, transmitting and receiving circuit elements (e.g., transceivers), logic devices, amplifiers and buffers, filters, analog-to-digital converters, and the like. Specifically, in such embodiments, circuit element 106 may include transceiver 107, and circuit element 111 may include transceiver 112. In some embodiments, additional circuit elements may be included in or outside of devices 105 and 110. For example, in some embodiments, devices 105 and 110 may include or use one or more antennas located outside of devices 105 and 110 to facilitate communication between devices 105 and 110.
[0030] Processors 108 and 113 may represent one or more processors or processing cores capable of controlling circuit elements 106 and 111, and other aspects of devices 105 and 110, respectively. In some embodiments, each of processors 108 and 113 may be implemented as a general-purpose or custom controller or processor coupled to memory and capable of executing instructions stored in memory. In some embodiments, examples of processors 108 and 113 may include one or more general-purpose or custom microcontrollers, DSPs, general-purpose central processing units, application-specific processors or circuits (e.g., ASICs), and / or logic devices (e.g., FPGAs), as well as any other types of processing devices, combinations thereof, or variations thereof.
[0031] In operation, devices 105 and 110 may perform several communication phases via circuit elements 106 and 111 and processors 108 and 113 to negotiate the characteristics of communication between them, to authenticate each other, and to provide each other with signals and other data. A first communication phase may include a negotiation phase. A second communication phase may include an authentication phase. A third communication phase may include a data communication phase.
[0032] During the negotiation phase, devices 105 and 110 may conduct degradation negotiation 115 depending on the signal quality of the communication over the Bluetooth connection. Device 110 may initiate degradation negotiation 115 by sending a first signal to device 105 via a circuit element 111 (e.g., transceiver 112) indicating a degradation level to apply to the signal transmitted during the authentication check 116. In some embodiments, the processor 113 of device 110 may select a degradation level based on the quality or capability of the circuit elements 111 of device 110. For example, the processor 113 may select a degradation level corresponding to the amount of distortion that one or more filters of the circuit elements 111 can filter out to determine whether the received signal is genuine or not. For example, in some embodiments, device 105 or 110 selects a degradation level that is lower than the maximum achievable communication quality between device 105 and device 110, but higher than the minimum communication quality that ensures communication between device 105 and device 110 without substantial errors (e.g., a bit error rate lower than a predetermined threshold). In response to receiving a first signal from device 110, device 105 may identify the degradation level and transmit an acknowledgment signal to device 110 via circuit element 106.
[0033] Next, device 110 may initiate an authentication phase to verify that device 105 is an authenticated device and that the signal subsequently received is a genuine signal. During the authentication procedure, devices 105 and 110 may perform authentication checks 116. Authentication checks 116 may begin when device 110 (or device 105 in other examples) sends an authentication message to device 105 (e.g., a message having a sequence of bits known to both devices 105 and 110). In some embodiments, the authentication message may be or include a round-trip time (RTT) packet (for example, the RTT packet may be sent by device 110 to device 105, received by device 105, sent back by device 105 to device 110, received by device 110, and the time between when device 110 sends the RTT packet and when device 110 receives the RTT packet may be used to determine the distance between device 105 and device 110). Device 105 may receive an RTT packet during authentication check 116 and send a signal containing known bits (or data based on known bits) to device 110. Before sending the signal to device 110 to prevent an ECLD attack, device 105 may intentionally distort the signal based on a degradation level via circuit element 106 and processor 108 (i.e., send a signal with lower signal quality than other signals (e.g., transmitted during degradation negotiation 115 and / or data communication 117)). This may involve changing the phase of the signal, injecting noise into the message to increase the signal-to-noise ratio (SNR) or bit error rate (BER) of the signal, or any other means.
[0034] Device 110 can receive a distorted signal, filter out noise using circuit element 111, and determine whether the received signal is genuine or not. This may involve determining the distance between device 105 and device 110 based on the arrival time of the received signal (e.g., phase) versus the transmission time of the RTT packet from device 110 (e.g., the round-trip delay (RTT) of the authentication message sent from either device 105 or device 110). In some examples, this distance may include a threshold distance range (e.g., 0 to 3 meters). If device 110 determines that the distance between device 105 and device 110 is outside the threshold distance range, device 110 may determine that the received signal is not genuine and take no action. However, if device 110 determines that the distance between device 105 and device 110 is within the threshold distance range, device 110 may determine that the received signal is genuine and take action. In some cases, determining whether a received signal is genuine or not may, in addition to or alternatively, involve determining the amount of distortion in the received signal, the BER value of the received signal, and / or the phase of the received signal. If the amount of distortion, BER value, or phase of the received signal exceeds the respective threshold, device 110 may determine that the received signal is not genuine.
[0035] For example, in some embodiments, device 110 may be a vehicle, and device 105 may be a key fob (or a smartphone or other device acting as a key fob). Based on the arrival time (e.g., phase) of the authentication message received by device 110 from device 105 during the authentication check 116, device 110 may determine the proximity between the devices. If device 105 is closer to device 110 than a predetermined threshold (e.g., 1 meter), for example, by pressing a button on the vehicle's steering wheel, device 110 may take actions such as unlocking the vehicle or enabling the vehicle's unlocking capability.
[0036] Following the authentication of device 105, devices 105 and 110 may perform data communication 117 during the communication phase. Data communication 117 may include the transmission of data and other signals from device 105 to device 110. In some embodiments, data communication 117 between device 105 and device 110 may occur sequentially or independently of the authentication check 116. Regardless of how and when data communication 117 occurs, device 105 may transmit signals during data communication 117 using higher signal quality than the signals transmitted during the authentication check 116. In other words, during this communication phase, device 105 may not intentionally distort the signal based on the negotiated degradation level. Therefore, signals transmitted during the communication phase may have reduced noise and BER value, as well as increased SNR value, compared to signals transmitted during the authentication phase.
[0037] Next, referring to Figure 1B, the operating environment 102 represents an environment that includes device 105, device 110, and attack devices 120-1 and 120-2 (collectively referred to as attack device 120), through which attack device 120 attempts to wirelessly communicate with devices 105 and 110 and carry out an ECLD attack against device 110.
[0038] Attack device 120 may represent any device, apparatus, or system that can communicate with devices 105 and 110, as well as with each other. In various examples, attack device 120 may be referred to as a man-in-the-middle (MITM) device that manipulates communication between device 105 and device 110, causing device 110 to receive an authentication message during authentication check 116, which is expected to arrive sooner than if there were no action from attack device 120. In such examples, attack device 120-1 may be positioned in close proximity to device 105, while attack device 120-2 may be positioned in close proximity to device 110. Attack devices 120-1 and 120-2 may be connected to each other via a physical cable or some other high-speed communication mechanism.
[0039] As shown in Figures 1A and 1B, Scenario 102 is similar to Scenario 101, but the attacking device 120 acts to relay / transmit communication between device 105 and device 110. In Scenario 102, devices 105 and 110 are far apart and outside of Bluetooth communication range.
[0040] In operation, device 110 initiates a degradation negotiation 115 between device 110 and device 105 via attack device 120 (devices 105 and 110 are outside the Bluetooth communication range). In some embodiments, this may involve device 110 providing a first signal to device 105, which then transmits a signal indicating an identified degradation level, depending on the degradation level. In some embodiments, this may involve attack device 120-2 intercepting the signal indicating the identified degradation level transmitted by device 110. In any case, attack device 120-2 may provide the signal to attack device 120-1 via a physical link. Attack device 120-1 may provide the signal to device 105. Device 105 recognizes the degradation level and can transmit an acknowledgment signal. In some examples, device 105 is not close enough to device 110 for its signal to reach device 110. However, attack device 120-1 can intercept this signal and relay it to device 110 via attack device 120-2.
[0041] Following the degraded negotiation 115, attack device 120 may attempt to gain access to device 110 via the ECLD attack by attempting to perform an authentication check 116 between device 105 and device 110. To initiate the authentication phase, device 110 may transmit a signal containing an RTT packet, which may be relayed by attack device 120 if device 110 and device 105 are not close enough to each other. In response to receiving the RTT packet, device 105 may transmit an authentication signal with signal quality based on the identified degraded level. The signal quality may be inferior to other signals transmitted by device 105 during other phases. Attack device 120-1 may intercept the degraded signal and attempt to predict the bit sequence of the degraded signal (in an attempt to replicate the signal transmitted by device 105) and transmit the signal to attack device 120-2 for further transmission to device 110. More specifically, in some embodiments, the attacking device 120 begins transmitting "relayed" bits before receiving them (based on predictions), and then adjusts (flipping bits) if the prediction is wrong. If, due to noise, device 120 is too late in determining that the prediction was wrong, it needs to boost the flipped bits to recover from the bad prediction. The later the bad prediction is identified, the greater the boost required for the flipped bits, resulting in more distortion in the signal, which in turn makes it more recognizable.
[0042] Device 110 can receive a signal from attack device 120 and determine whether the received signal is genuine or not. Determining whether the received signal is genuine or not may include determining the amount of distortion in the received signal, the BER value of the received signal, and / or the phase or phase trajectory of the received signal. If the amount of distortion, BER value, or phase of the received signal exceeds the respective threshold, device 110 may determine that the received signal is not genuine. Additionally or alternatively, determining whether the received signal is genuine may involve determining the distance between device 105 and device 110 based on the received signal. In this example, which includes attack device 120, device 110 may utilize any of the above methods for determining that the received signal is not genuine. For example, device 110 may determine that the round-trip delay time between sending the authentication signal and receiving the returned signal exceeds a predetermined threshold. Because attack device 120-1 may encounter problems predicting and relaying the signal due to its poor signal quality, delays may occur based on the level of degradation applied to the signal by device 105. As a result, the distortion applied to the signal may also affect the distortion, BER value, and / or phase of the signal replicated by attack device 120-1. Therefore, after determining that the received signal is not genuine, device 110 may not grant access and may not carry out the event. In some cases, device 110 may also terminate data communication 117 with device 105.
[0043] For example, device 110 could be a vehicle parked on the driveway of a house, and device 105 could be in the master bedroom of the house (e.g., 20 meters away from device 110). Attack device 120 may be divided into two nodes, with the first node (attack device 120-1) near the master bedroom of the house (near device 105) and the second node (attack device 120-2) near the vehicle (near device 110), and the two attack devices 120 connected by a physical cable or some other high-speed communication mechanism. When attack device 120 receives an authentication message from device 105 (e.g., using attack device 120-1), attack device 120 may predict the next symbol and attempt to send the predicted symbol to device 110 (e.g., using attack device 120-2), thereby causing device 110 to receive the authentication message earlier than it would have arrived if attack device 120 were not present. Therefore, based on the shortened arrival time, device 110 may determine that an ECLD attack has occurred and refuse to take any action, such as unlocking one or more doors of the vehicle.
[0044] It should be noted that several examples involving different systems or devices may be contemplated within this disclosure. For example, device 105 may be a hotel key, and device 110 may be a hotel room keypad. Devices 105 and 110 can use the described techniques to prevent ECLD attacks from an attacking device 120 seeking to gain unauthorized access.
[0045] Figures 2A and 2B illustrate a method for communicating signals of varying quality between elements of a system to prevent an ECLD attack, according to one embodiment of the present disclosure. Figure 2A includes process 200, and Figure 2B includes process 210. Both processes 200 and 210 refer to elements of the operating environments 101 and 102 of Figures 1A and 1B, respectively. In various examples, processes 200 and 210 may be implemented in software, hardware, firmware, or any combination or variation thereof.
[0046] Referring first to Figure 2A, process 200 may include a series of steps, for example, performed by device 105 or from the perspective of device 105, between different communication phases between device 105 and device 110.
[0047] In operation 201, device 105 identifies a degradation level via its processor 108 that sends an authentication signal to device 110 during the negotiation phase. The degradation level may be selected based on the capabilities of device 105, such as the hardware capabilities of device 105. In some embodiments, the degradation level is identified during the design or manufacture of device 105, and such a degradation level may be stored in the non-volatile memory of device 105. In some embodiments, the degradation level is selected based on the capabilities of device 110 (which may be received via a message) in addition to the capabilities of device 105. For example, in some embodiments, the degradation level may be selected as the worst degradation that both devices 105 and 110 can withstand.
[0048] During the negotiation phase, devices 105 and 110 may respond to the signal quality for communication over the Bluetooth connection. In some examples, device 105 may initiate the negotiation phase. In some examples, device 110 may transmit a first signal to device 105 indicating a degradation level to apply to the signal transmitted during the authentication phase. The processor 113 of device 110 may select a degradation level based on the quality or capability of the circuit element 111 of device 110 and / or the circuit element 106 of device 105. For example, the processor 113 may select a degradation level corresponding to the amount of distortion that one or more filters of the circuit element 111 can filter out in order to identify whether the received signal is genuine or not. In response to receiving the first signal from device 110, device 105 may identify the degradation level and transmit an acknowledgment signal to device 110 via the circuit element 106.
[0049] In operation 202, device 105 transmits an authentication signal having a first signal quality based on an identified degradation level via a circuit element 106 (e.g., transceiver 107). In various examples, device 105 may transmit an authentication signal in response to receiving an RTT packet sent from device 110. The authentication signal may include an authentication packet having a set of bits known to both device 105 and device 110. Device 105 may intentionally inject noise (e.g., based on a selected degradation level identified during process 201) or otherwise degrade the quality of the packet it transmits so that, for example, a MITM (e.g., attack device 120) cannot reproduce the authentication signal sufficiently early and / or without substantial distortion. Degrading the signal may involve altering the phase or phase trajectory of the signal, injecting noise into the message to reduce the signal-to-noise ratio (SNR) or increase the bit error rate (BER), or any other means.
[0050] Device 110 can receive a distorted authentication signal, filter out noise using circuit element 111, and determine whether the received signal is genuine or not. This may involve determining the distance between device 105 and device 110 based on the arrival time of the received signal (e.g., phase) versus the transmission time of the RTT packet from device 110 (e.g., the round-trip delay (RTT) of the authentication message sent from either device 105 or device 110). In some examples, this distance may include a threshold distance range (e.g., 0 to 3 meters). If device 110 determines that the distance between device 105 and device 110 is outside the threshold distance range, device 110 may determine that the received signal is not genuine and may take no action. However, if device 110 determines that the distance between device 105 and device 110 is within the threshold distance range, device 110 may determine that the received signal is genuine and may take action, such as initiating a data communication phase with device 105. Device 110 may determine that a signal is not genuine based on distance, as well as BER (e.g., BER higher than a predetermined threshold), phase changes during RTT packet transmission, and / or SNR lower than a predetermined threshold.
[0051] In operation 203, during the data communication phase, device 105 may transmit a data signal having a second signal quality higher than the first signal quality of the authentication signal. The data signal may include data packets unrelated to authentication between device 105 and device 110. In some examples, devices 105 and 110 may exchange data signals periodically, continuously, or at any time before and / or after the authentication phase. However, device 105 may transmit the authentication signal using a degraded signal quality relative to the data signal. As a result, in some embodiments, device 105 may not inject noise into the data signal transmitted before or after the authentication phase so that the data signal is transmitted with higher quality than the authentication signal.
[0052] Referring now to Figure 2B, process 210 may represent a series of steps performed by device 110, or from the perspective of device 110, between different communication phases occurring between device 105 and device 110.
[0053] In operation 211, device 110 identifies a degradation level that device 105 may use to transmit an authentication signal during the authentication phase (for example, based on a message received from device 105). The degradation level may correspond to the signal quality of the communication transmitted from device 105 to device 110. In various examples, device 110 may determine the degradation level based on the ability of circuit element 111 to filter out the amount of distortion and noise corresponding to the degradation level, and / or based on the ability of circuit element 105 to generate a distorted signal based on the degradation level. In some examples, device 110 may provide the degradation level to device 105 (for example, via a message during degradation negotiation).
[0054] In operation 212, device 110 identifies a reference signal based on a selected degradation level. The reference signal includes an authentication packet (or part thereof) having a sequence of bits. The sequence of bits may be known to both device 110 and device 105 used for authentication purposes. Device 110 may use the reference signal to compare an incoming authentication signal and determine whether the received authentication signal is genuine. In some embodiments, the reference signal includes degradation based on a selected degradation level. For example, device 110 determines the reference signal based on the sequence of bits and a selected degradation level, such that the reference signal becomes a degraded sequence of bits (for example, a digital representation of an analog signal encoding a sequence of bits, and the analog signal is degraded based on a selected degradation level).
[0055] Next, in operation 213, device 110 receives a first signal having a first signal quality. The first signal may refer to an authentication signal containing an authentication packet. In some examples, the first signal may contain an RTT packet. In some examples, the first signal may be transmitted by device 105. However, in some examples, the first signal may be transmitted by another device, such as a MITM, such as one of the attacking devices 120, for example, by forwarding the signal transmitted by device 105.
[0056] In operation 214, device 110 performs a comparison between a reference signal and the received first signal to generate a comparison result. In various examples, device 110 can filter out noise and distortion from the received first signal before performing the comparison, and then determine whether the bit sequence of the received first signal matches the bit sequence of the reference signal. In some examples, comparing the received signal with the reference signal involves performing a correlation operation. In some embodiments, a correlation operation is performed between the reference signal and the received first signal, and the comparison result shows the deviation of the first signal from the reference signal.
[0057] In some examples, instead of comparing the received signal to a reference signal, the received signal is compared to a predetermined metric (for example, based on a selected degradation level). For example, in some examples, the BER of the received signal is compared to a predetermined BER threshold (for example, based on a selected degradation level) to generate a comparison result. In some embodiments, the SNR of the received signal is compared to a predetermined SNR threshold (for example, based on a selected degradation level) to generate a comparison result. In some such embodiments, the step of generating a reference signal can be replaced with generating thresholds (for example, BER, SNR).
[0058] Based on the comparison results, in operation 215, device 110 may determine whether the first received signal is genuine or not. Determining whether a received signal is genuine or not may include determining the amount of distortion in the received signal, the BER value of the received signal, and / or the phase or phase trajectory of the received signal. If one or more of the amount of distortion, BER value (even if its error is recoverable), or phase of the received signal exceeds the respective threshold, device 110 may determine that the received signal is not genuine. For example, a signal that is too distorted or has an incorrect sequence of bits may indicate an attack signal or a non-genuine signal. Additionally or alternatively, determining whether a received signal is genuine or not may involve determining the distance between device 105 and device 110 based on the received signal. In some examples, device 110 may determine a threshold distance value. Device 110 may compare the determined distance with the threshold distance value and, based on the comparison results, determine whether the received signal is genuine or not. This distance determination process can be performed before, after, or simultaneously with the authentication process.
[0059] In some embodiments, device 110 may detect a phase shift while receiving an authentication packet (e.g., while receiving a sequence of bits). Such a phase shift may indicate an attack and result in device 110 determining that the device is not genuine (e.g., during step 215). In some such embodiments, the generation of a reference signal (e.g., during step 212) and the generation of a comparison result (e.g., during step 214) may be omitted. In some embodiments, detection of a phase shift may be achieved by performing a correlation between the received signal and the reference signal.
[0060] In operation 216, if device 110 determines that the received first signal is authentic, or in other words, transmitted from device 105 within a threshold distance and / or with threshold quality, device 110 may take action. For example, device 105 may be a smartphone, and device 110 may be a vehicle or a component thereof. If device 105 is close enough to device 110, and device 110 can decode the authentication packet and detect that the authentication packet is authentic (i.e., device 110 does not detect any abnormalities (e.g., a BER exceeding a threshold, a phase shift exceeding a threshold, etc.)), device 110 may unlock the vehicle's doors. If device 105 is close enough to device 110, but device 110 cannot decode the authentication packet (e.g., based on noise), device 110 may not unlock the vehicle's doors and instead proceed to operation 217.
[0061] However, in operation 217, if device 110 determines that the received first signal is not genuine, or in other words, was sent from device 105 or attack device 120 outside the threshold distance or threshold quality, device 110 may terminate communication and refuse to perform an action (e.g., an unlock action). For example, device 110 may determine that the received first signal is not genuine if the round-trip delay time between sending the RTT packet and receiving the first signal exceeds a predetermined threshold. In one example of MITM involvement, such as with attack device 120, the delay may occur based on the level of degradation applied to the signal by device 105, as the attack device 120-1 may encounter problems predicting the sequence of signals and relaying the predicted signals due to poor signal quality. As a result, the distortion applied to the signal may also affect the distortion, BER value, and / or phase of the signal replicated by attack device 120-1 or attack device 120-2, thereby preventing unauthorized access to device 110.
[0062] Figures 3A and 3B show sequence diagrams of a system according to one embodiment of the present disclosure. Figure 3A includes sequence 301, which refers to elements of the operating environment 101 in Figure 1A. Figure 3B includes sequence 302, which refers to elements of the operating environment 102 in Figure 1B. Sequences 301 and 302 each include a series of operations performed by the elements in Figures 1A and 1B, respectively, which may correspond to the steps of processes 200 and 210 in Figures 2A and 2B, respectively.
[0063] Referring first to Figure 3A, sequence 301 includes a series of communications and events between device 105 and device 110. Sequence 301 may begin when device 110 initiates a negotiation phase with device 105. During the negotiation phase, devices 105 and 110 may respond to the signal quality of the communication over the Bluetooth connection. In some embodiments, device 110 may select or identify a degradation level to be used during subsequent communication phases between device 105 and device 110. In some embodiments, device 105 may select or identify a degradation level to be used during subsequent communication phases between device 105 and device 110. In the previous embodiments, device 110 may then transmit a signal indicating the degradation level to device 105. In response to identifying the degradation level, device 105 may return an acknowledgment to device 110. In some of the latter embodiments, device 105 may transmit a signal indicating the degradation level to device 110. In response to identifying the degradation level, device 110 may return an affirmative response to device 105.
[0064] Next, device 110 may initiate an authentication phase to verify that device 105 is an authenticated device and that the signal subsequently received is a genuine signal within a predetermined threshold. During the authentication phase, device 110 (or device 105 in other examples) may send an authentication message (e.g., a message with a bit sequence known to both devices 105 and 110) to device 105. In some embodiments, the authentication message may be a round-trip time (RTT) packet (e.g., an RTT packet is sent by device 110 to device 105, received by device 105, sent back by device 105 to device 110, and received by device 110. The time between when device 110 sends the RTT packet and when device 110 receives the RTT packet may be used to determine the distance between device 105 and device 110).
[0065] Device 105 may receive an RTT packet during authentication check 116 and send a signal containing known bits to device 110. However, before sending a return signal in response to the RTT packet, device 105 may intentionally degrade the signal based on a degradation level via circuit element 106 and processor 108 before sending the signal to device 110 to prevent an ECLD attack (i.e., send a signal with lower signal quality than other signals communicated during other communication phases). Degrading the signal carrying the RTT packet may involve altering the phase or phase trajectory of the signal, injecting noise into the message to increase the signal-to-noise ratio (SNR) or bit error rate (BER) of the signal, or any other means.
[0066] Device 110 can receive distorted signals, filter out noise using circuit element 111, and determine whether the received signal is genuine or not. This may involve determining the amount of distortion in the received signal, the BER value of the received signal, the phase or phase trajectory of the received signal, or the distance between device 105 and device 110, based on the arrival time of the received signal (e.g., phase) versus the transmission time of the RTT packet from device 110 (e.g., the round-trip delay (RTT) of the authentication message sent from either device 105 or device 110). In some examples, the distance may include a threshold distance range (e.g., 0 to 3 meters). If device 110 determines that the distance between device 105 and device 110 is outside the threshold distance range, device 110 may determine that the received signal is not genuine and may take no action. However, if device 110 determines that the distance between device 105 and device 110 is within the threshold distance range, device 110 may determine that the received signal is genuine and may take action. In some cases, if the amount of distortion, BER value, or phase of the received signal exceeds the respective threshold, device 110 may determine that the received signal is not genuine.
[0067] Following authentication of device 105, device 105 may initiate a communication phase (if it has not already progressed) in which device 105 transmits data signals to which it did not apply degradation during the authentication phase.
[0068] Referring now to Figure 3B, sequence 302 includes a series of communications and events between device 105, device 110, and attack device 120. In sequence 302, attack device 120 may function as a malicious MITM device attempting to gain access to device 110.
[0069] Sequence 302 begins when device 105 initiates a negotiation phase with device 110. During the negotiation phase, device 105 may transmit signals to device 110 in response to the degradation level to which signals are transmitted between device 105 and device 110. In some embodiments, attack device 120-1 may intercept signals indicating the identified degradation level transmitted by device 105. Attack device 120-1 may provide a signal to attack device 120-2 via a physical link connecting attack devices 120-1 and 120-2. Attack device 120-2 may provide this signal to device 110. Device 110 may recognize the degradation level and transmit an acknowledgment signal, which may be transmitted from device 110 to attack device 120-2, and further to attack devices 120-1 and 105. In some embodiments, device 105 may instead recognize the degradation level and transmit an acknowledgment signal to device 110 via attack device 120.
[0070] Following the degraded negotiation 115, attack device 120 may attempt to gain access to device 110 via an ECLD attack. During the authentication phase, device 110 may send an RTT packet, which may be relayed (and possibly modified) by attack device 120 from device 110 to device 105 if device 110 and device 105 are not close enough to each other. In response to receiving the RTT packet, device 105 may send an authentication signal with signal quality based on the identified degraded level. The signal quality may be inferior to other signals sent by device 105 during other phases. Attack device 120-1 may intercept the degraded signal, attempt to predict the bit sequence of the degraded signal, and send the modified signal to attack device 120-2 for further transmission to device 110.
[0071] Device 110 can receive a signal from attack device 120-2 and determine whether the received signal is genuine or not. Determining whether the received signal is genuine or not may include determining the amount of distortion in the received signal, the BER value of the received signal, and / or the phase or phase trajectory of the received signal, or determining the distance between device 105 and device 110 based on the received signal. In this example, which includes attack device 120, device 110 may utilize any of the above methods for determining whether the received signal is genuine. For example, device 110 may determine that the round-trip delay time between sending the authentication signal and receiving the returned signal exceeds a predetermined threshold. The delay may occur based on the level of degradation applied to the signal by device 105, as attack device 120-1 may encounter problems replicating the signal due to poor signal quality. Consequently, the distortion applied to the signal may also affect the distortion, BER value, and / or phase of the signal replicated by attack device 120-1. Therefore, after determining that the received signal is not genuine, device 110 may not grant access and may not perform the event. In some cases, device 110 may also terminate data communication with device 105.
[0072] Figure 4 shows possible phase trajectories and instantaneous frequency deviations for three symbol periods according to one embodiment of the present disclosure. Curve 402 represents symbol (1,1,1). Curve 404 represents symbol (1,1,0). Curve 406 represents symbol (1,0,1). Curve 408 represents symbol (1,0,0). Curve 410 represents symbol (0,1,1). Curve 412 represents symbol (0,1,0). Curve 414 represents symbol (0,0,1). Curve 416 represents symbol (0,0,0).
[0073] As shown in Figure 4, the last three symbols of any curves 402, 404, 406, 408, 410, 412, 414, and 416 can be predicted based on the phase of the signal during the detection delay (DD) period of the second symbol. The DD period, also called the attack window, can be defined from a symbol boundary (e.g., zero crossing) and can be negative if a bit can be detected based on a Gaussian spread to the previous bit. A signal (r(t)) may contain a message (m(t)), where the message (m(t)) represents the signal in time and can be defined by the following equations. In the first equation of TIFF2026521325000002.tif1249, f can be a carrier value, m(t) can be a message, and Φ n α can be the phase noise produced by device 105, i(t) can be the interference value, and n(t) can be the noise received by device 110 or attack device 120. In the second equation, α can represent the symbol of the message, τ can represent the Gaussian shape of the message, and T s This can represent the duration of the message.
[0074] As shown in Figure 4, the graphical representation 400 shows the signal at the top, including curves 402, 404, 406, 408, 410, 412, 414, and 416, and the signal deviation is shown in the four lower parts of the graph. Phase noise from device 105, i.e., Φ in the above signal equation n This can cause a rightward shift (delay) in the attack window (making DD less negative or more positive), which can lead to greater distortion in the signal received by device 110 and a change in the phase of the signal received by device 110 (e.g., an increase).
[0075] Figure 5A shows graphic representations 501, 502, and 503, including waveforms 510, 512, and 514, respectively, associated with device 105, attack device 120, and device 110 in Figure 1B, in an example where attack device 120 does not perform an attack. Figure 5B shows graphic representations 501, 504(502?), and 505(503?), including waveforms 510, 516, and 518, respectively, associated with device 105, attack device 120, and device 110, in an example where attack device 120 performs an attack. Figure 5C shows graphic representations 501, 506(502?), and 507(503?), including waveforms 510, 520, and 522, respectively, associated with device 105, attack device 120, and device 110, in an example where attack device 120 performs an attack. The waveforms in Figures 5A, 5B, and 5C may each represent the deviation of a message (m(t)) transmitted by device 105, transmitted by attack device 120, and processed in device 110 (e.g., an internal signal of device 110 following filtering with a full symbol latency filter).
[0076] First, referring to Figure 5A, in some embodiments, waveform 510 includes a sequence of bits such as "10100111" transmitted by device 105 to device 110. In the scenario illustrated in Figure 5A, attack device 120 intercepts the signal transmitted by device 105 and forwards such a signal to device 110 without altering the signal, as shown in waveform 510. Waveform 514 illustrates the signal received by device 110. As shown in Figure 5A, waveform 514 may be shifted (for example, due to the effect of filtering by device 110) and includes the same sequence of bits as waveforms 510 and 512, but has a single-period delay because, for example, the zero-crossing at device 110 corresponds to the zero-crossing at device 105 (for example, due to a full-symbol latency filter).
[0077] In Figure 5B, the attack device 120 may generate waveform 516 while attempting to predict the bit sequence of waveform 510. In some embodiments, the attack device 120 may generate the attack signal (waveform 516) at a distance of approximately 20 meters from device 105 with a detection delay (DD) of -0.16. As can be seen by comparing Figure 5A and Figure 5B, waveform 518 (which illustrates the waveform received by device 110 after being modified by device 120) is shifted to the left relative to waveform 512. As can be seen in Figure 5B, the distortion introduced by the attack device 120 (for example, by boosting the predicted signal, as illustrated by waveform 516, thereby causing a shift in the waveform) may be filtered by device 110, causing the authentication message sent by device 105 to appear to arrive earlier, while the authentication message appears to arrive earlier, thereby making device 105 appear closer to device 110, without detecting any substantial distortion.
[0078] The longer it takes the attacking device 120 to predict the next symbol, the more distortion it will introduce to make the authentication message arrive sooner. For example, Figure 5C shows waveforms 510, 520, and 522 associated with device 105, attacking device 120, and device 110, respectively. Figure 5C shows a scenario with a higher DD (compared to Figure 5B) where the attacking device cannot detect the next symbol quickly enough (e.g., due to increased noise). As a result, device 120 may detect prediction errors and correct such errors later. For example, Figures 5B and 5C show a symbol prediction error at approximately time 4 (prediction 1, actual symbol 0), which is corrected as soon as device 120 detects such an error. Because device 120 detects such errors at a later time in Figure 5C compared to Figure 5B (for example, DD is -0.16 in Figure 5B compared to 0 in Figure 5C), more distortion is introduced at approximately time 4 in the scenario illustrated in Figure 5C compared to the scenario illustrated in Figure 5B (see the magnitude of the symbol flip at approximately time 4 in waveform 520 versus waveform 514). Such distortion can become high enough to be recognizable and detectable after filtering by device 110 (in some embodiments, if DD is high enough, such as 0 or positive) (see the distortion in waveform 518 between approximately time 4 and 5.4 compared to the increased distortion in waveform 522 between approximately time 4 and 5.4). In some embodiments, device 110 detects the distortion in waveform 520 and, in response, refuses to take action (for example, it does not authenticate device 105 even though device 105 appears to be close to device 110).
[0079] In some embodiments, device 105 degrades the signal carrying the RTT packets (for example, by injecting noise into the signal) to prevent device 120 from predicting symbols too early (therefore, for an undegraded signal, DD becomes less negative, zero, or even positive).
[0080] In some embodiments, device 105 dynamically (e.g., abruptly) generates a phase noise component Φ while transmitting a packet or message (e.g., during an RTT packet). n (And consequently, the signal-to-noise ratio (SNR)) is changed.
[0081] In some embodiments, a device (e.g., device 105) may have a transmitter that can adjust its SNR output to a predetermined range for modulated transmissions. In some embodiments, there may be seven different SNR levels, as shown in Table 1, and the device (e.g., device 105) may be able to adjust its SNR output to any of the seven levels. [Table 1]
[0082] In some embodiments, a device (e.g., 105 or 110) may support at least one of the SNR levels shown in Table 1 (e.g., level 3 may be required according to the protocol or standard), but may not support all levels. In some embodiments, a device (e.g., 105 or 110) may support the SNR levels shown in Table 1. In some embodiments, during the negotiation phase, selecting or identifying a degradation level involves selecting a level from a predetermined list of possible levels, such as the seven possible levels in Table 1.
[0083] In some examples, If TIFF2026521325000004.tif36 is a sequential version of the observed CS_SYNC packets sent by a device (e.g., device 105) in process k, TIFF2026521325000005.tif919 was observed The phase of TIFF2026521325000006.tif36 suggests that the low-pass filter used to receive CS_SYNC packets transmitted by a device (e.g., device 105) can be considered broadband.
[0084] In some embodiments, the SNR control error can be calculated as follows. TIFF2026521325000007.tif439
[0085] In some embodiments, device 105 modifies phase noise by changing the bandwidth of the phase-locked loop (PLL) in the transmission path of device 105. For example, during the communication phase between device 105 and device 110, the bandwidth of device 105's PLL may be set to a first value, which may favorably result in a low BER. During the authentication phase (e.g., while sending authentication packets / messages), the PLL bandwidth may be increased to a second value higher than the first value. Such an increased bandwidth may result in increased phase noise, which may favorably increase the chances of device 110 detecting an attack by attack device 120, or make it more difficult for attack device 120 to carry out an attack. In some embodiments, the PLL of device 105 has a bandwidth equal to the second value throughout the entire authentication phase. In some embodiments, the PLL of device 105 has a bandwidth equal to the second value during a portion of the authentication phase (at the beginning or end), while during the other portion of the authentication phase, the PLL has a first value (or another value different from the first value).
[0086] Figure 6 shows simulations 601, 602, and 603 of bit error rate (BER) versus detection delay (DD) for different signal-to-noise ratios (SNR). Figure 7 shows simulation 700 of bit error rate (BER) versus detection delay (DD) for different real device data captures, including for different distances in line of sight (LoS) and beyond line of sight (nLoS).
[0087] For example, based on Figures 6 and 7, in some embodiments, the following occurs. The best results for DD are the LoS captures for 1m / 2m in channel A (Ch A), which can represent channels with good intrinsic phase noise characteristics in some examples. For the same channel and mode, nLoS capture is worse than LoS capture. Channel B (Ch B), which may represent a channel with inferior intrinsic phase noise characteristics compared to Ch A, has visually worse DD performance than Ch A. PN++ mode, which can represent one or more settings or modes that further degrade signal quality by creating additional phase noise (PN), can always behave worse (with higher DD) than normal mode. For BER10-2, the valid brackets for DD values are between [-60ns, +80ns]. For BER10-3, the valid bracket for DD values is between [0ns, +220ns]. TAD = DD + FD (30 ns in this case).
[0088] In some embodiments, a higher DD can be obtained by degrading the quality of the transmitted signal (e.g., degrading phase noise, BER, or SNR). This is illustrated, for example, with respect to BER in Figures 6 and 7. A higher DD can cause device 120 to introduce more distortion that may be detectable by device 110, so in some embodiments, degrading the quality of the transmitted signal can advantageously allow the device (e.g., 110) to detect an ECLD attack.
[0089] In some embodiments, increasing the phase noise with device 105 can cause the attack device 120 to adopt a higher DD, thereby making the attack more detectable.
[0090] Figure 8 shows eye diagrams 801 and 802 associated with device 110 according to one embodiment of the present disclosure. Figure 9 illustrates the relationship between eye quality index (EQI) (i.e., an index of the quality of the eye diagram, which can be measured / determined in any method known in the art) and detection delay (DD) in a graphical representation 9000 according to one embodiment of the present disclosure. In some embodiments, the EQI may correspond to an SNR value, such as the values in Table 1 above.
[0091] As shown in Figures 8 and 9, the EQI may show a DD, and the higher the EQI, the higher the DD. As shown in Figure 9, in some embodiments, a DD of 0 occurs at an EQI of approximately 0.6. In some embodiments, a DD of 0 can be high enough for device 110 to detect an attack by attack device 120. In some embodiments, the phase noise of device 105 is increased to a value that lowers the EQI of device 105 to, for example, below 0.7, such as between an upper threshold (e.g., 0.7) and a lower threshold (e.g., 0.6). In such embodiments, the modulation characteristics may be used to determine the upper and lower thresholds at fluctuating frequencies, such as 200kHz to 300kHz. Based on frequency values recorded across various test packets, for example, a modulation characteristic of 0.6 to 0.7 may be used to distort the signal in order to prevent attacks by malicious devices such as attack device 120.
[0092] In some embodiments, a positive DD may be necessary to cause an attacker (e.g., attacking device 120) to manipulate the signal delay in such a way that it leaves a measurable imprint (e.g., distortion) on the intended receiver (e.g., device 110). In some embodiments, the real transmitter (e.g., device 105) can control local phase noise to cause an attacker (e.g., attacking device 120) to re-sort the DD value to zero or greater.
[0093] In some embodiments, there is a strong correlation between the measured EQI (which indicates signal spread) and the minimum DD used by the attacker (e.g., attack device 120).
[0094] In some embodiments, the modulation characteristics may require a certain guaranteed phase noise level for RTT packets.
[0095] Figures 10 to 20 show DD, EQI, eye diagrams, and waveforms for various scenarios according to embodiments of this disclosure.
[0096] Examples of the illustrative embodiments of this disclosure are summarized herein. Other embodiments can also be understood from the entire Spec and the claims filed herein.
[0097] Example 1. A method includes: a first device identifying a degradation level; the first device transmitting a first signal having a first signal quality based on the degradation level during a first communication phase; and the first device transmitting a second signal having a second signal quality during a second communication phase, wherein the second signal quality is higher than the first signal quality.
[0098] Example 2. The method of Example 1, wherein identifying the degradation level includes identifying the degradation level based on the capabilities of the first device.
[0099] Example 3. One of the methods from Example 1 or 2 further includes: a second device identifying a reference signal based on the degradation level; the second device receiving a first signal during a first communication phase; the second device performing a comparison between the reference signal and the received first signal to generate a comparison result; and the second device determining, based on the comparison result, whether the first signal is genuine or not.
[0100] Example 4. The method from Examples 1-3 further includes terminating communication between the first device and the second device in response to determining that the received first signal is not genuine.
[0101] Example 5. One of the methods from Examples 1 to 4, in which determining that a received first signal is not genuine includes determining that the received first signal deviates from a reference signal by a predetermined threshold.
[0102] Example 6. One of the methods from Examples 1 to 5, wherein performing a comparison between a received first signal and a reference signal includes performing a correlation between the received first signal and the reference signal to generate a correlation result, wherein the comparison result includes the correlation result, and determining whether the received first signal is genuine or not includes determining that the received first signal is genuine when the correlation result exceeds a predetermined threshold, and determining that the received first signal is not genuine when the correlation result falls below a predetermined threshold.
[0103] Example 7. One of the methods from Examples 1 to 6 further includes a second device authenticating the first device for a second communication phase in response to determining that the received first signal is genuine.
[0104] Example 8. One of the methods from Examples 1 to 7 further includes determining the distance between a first device and a second device based on a first signal received.
[0105] Example 9. One of the methods from Examples 1 to 8 further includes unlocking the vehicle in response to the distance falling below a predetermined distance and determining that the received first signal is genuine.
[0106] Example 10. One of the methods from Examples 1-9, where the predetermined distance is 3 meters.
[0107] Example 11. One of the methods from Examples 1 to 10, wherein the first device and the second device are part of an access control system for a room.
[0108] Example 12. One of the methods from Examples 1 to 11, wherein the degradation level corresponds to a predetermined signal-to-noise ratio (SNR) or a predetermined bit error rate (BER).
[0109] Example 13. One of the methods from Examples 1 to 12, wherein the first signal includes a round-trip time (RTT) packet, and the method further includes a second device receiving the RTT packet, determining the distance between the first device and the second device based on the received RTT packet, and unlocking the vehicle based on the determined distance.
[0110] Example 14. One of the methods from Examples 1-13, in which determining the distance includes determining the distance based on the phase of the symbols in the RTT packet.
[0111] Example 15. One of the methods from Examples 1 to 14 further includes a second device receiving a first signal, detecting an attack based on the distortion of the received first signal, and the second device refusing to take action based on the detection of the attack.
[0112] Example 16. One of the methods from Examples 1 to 15, wherein the first signal includes a round-trip time (RTT) packet, and the method further includes the second device receiving the RTT packet, detecting an attack based on the bit error rate (BER) of the received RTT packet, and the second device refusing to take action based on the detection of the attack.
[0113] Example 17. One of the methods from Examples 1 to 16 further includes receiving a first signal by a second device, detecting an attack based on a change in the phase trajectory during the reception of the first signal, and the second device refusing to take action based on the detection of the attack.
[0114] Example 18. One method from Examples 1 to 17, wherein transmitting a first signal having a first signal quality includes transmitting the first signal using a phase-locked loop (PLL) of a first device, the PLL having a first bandwidth, and transmitting a second signal having a second signal quality includes transmitting the second signal using a PLL having a second bandwidth lower than the first bandwidth.
[0115] Example 19. One of the methods from Examples 1 to 18, wherein transmitting the first signal includes transmitting the first signal using Bluetooth.
[0116] Example 20. One of the methods from Examples 1 to 19, wherein transmitting the first signal includes transmitting the first signal using Bluetooth-Low-Energy (BLE).
[0117] Example 21. One of the methods from Examples 1 to 20, wherein the degradation level includes a value that is greater than or equal to a predetermined first threshold and less than or equal to a predetermined second threshold.
[0118] Example 22. One of the methods from Examples 1 to 21, wherein a predetermined first threshold is 18 dB and a predetermined second threshold is 30 dB.
[0119] Example 23. One of the methods from Examples 1 to 22, wherein the first device is a key fob or a smartphone.
[0120] Example 24. One of the methods from Examples 1 to 23, wherein transmitting a second signal includes transmitting a second signal after transmitting a first signal.
[0121] Example 25. One of the methods from Examples 1 to 23, wherein transmitting a second signal includes transmitting the second signal before transmitting the first signal.
[0122] Example 26. The device includes a transmitter circuit and a processor, the processor being configured to use the transmitter circuit to transmit a first packet having a first quality during a first communication phase, and to use the transmitter circuit to transmit a second packet having a second quality lower than the first quality during a second communication phase.
[0123] Example 27. The device is the same as in Example 26, and the second communication phase occurs after the first communication phase.
[0124] Example 28. The device is the same as in Example 26, and the second communication phase occurs before the first communication phase.
[0125] Example 29. One of the devices from Examples 26-28, wherein transmitting a first packet having a first quality includes transmitting a first packet having a first phase noise value, and transmitting a second packet having a second quality includes transmitting a second packet having a second phase noise value higher than the first phase noise value.
[0126] Example 30. One of the devices from Examples 26-29 further includes a phase-locked loop (PLL) having a filter with dynamic bandwidth, and transmitting a first packet having first quality includes configuring the dynamic bandwidth to the first bandwidth, and transmitting a second packet having second quality includes configuring the dynamic bandwidth to a second bandwidth that is higher than the first bandwidth.
[0127] Example 31. One of the devices from Examples 26-30, wherein transmitting a first packet having a first quality includes transmitting a first packet having a first signal-to-noise ratio (SNR) value, and transmitting a second packet having a second quality includes transmitting a second packet having a second SNR value lower than the first SNR value.
[0128] Example 32. One of the devices from Examples 26-31, wherein the processor is further configured to identify the degradation level, and the second quality is based on the degradation level.
[0129] Example 33. The device includes a transceiver and a processor, the processor being configured to identify a degradation level, identify a reference signal based on the degradation level, receive a first signal, perform a comparison between the first signal and the reference signal to generate a comparison result, and determine whether the first signal is genuine or not based on the comparison result.
[0130] Example 34. The device of Example 33 is configured such that, in order to determine that a received first signal is not genuine, the processor determines that the received first signal deviates from a reference signal by a predetermined threshold.
[0131] Example 35. In one of the devices in Example 33 or 34, the processor is configured to perform a comparison between a received first signal and a reference signal, by performing a correlation between the received first signal and the reference signal to generate a correlation result, the comparison result including the correlation result, and in order to determine whether the received first signal is genuine or not, the processor is configured to determine that the received first signal is genuine when the correlation result exceeds a predetermined threshold, and to determine that the received first signal is not genuine when the correlation result falls below a predetermined threshold.
[0132] Example 36. One of the devices from Examples 33-35, wherein the processor is further configured to refuse to take any action indicated or triggered by the first signal in response to determining that the first signal is not genuine.
[0133] Example 37. One of the devices from Examples 33-36, wherein the processor is further configured to determine the distance based on a first signal.
[0134] Example 38. One of the devices from Examples 33-37, wherein the processor is configured to unlock the vehicle in response to the distance being less than a predetermined distance and the first received signal being determined to be genuine.
[0135] Example 39. One of the devices from Examples 33-38, where the predetermined distance is 3 meters.
[0136] Example 40. One of the devices from Examples 33-39, where the degradation level corresponds to a predetermined signal-to-noise ratio (SNR) or a predetermined bit error rate (BER).
[0137] Example 41. One of the devices from Examples 33-40, the device is a vehicle or an electronic access control device.
[0138] Example 42. A method comprising: transmitting an authentication packet having a first phase noise value by a first device during the authentication phase; and transmitting a data packet having a second phase noise value lower than the first phase noise value by the first device during the communication phase.
[0139] Example 43. The method of Example 42 further includes receiving an authentication packet by a second device, determining the distance between the first device and the second device based on the received authentication packet, and unlocking the vehicle based on the determined distance.
[0140] Example 44. One of the methods from Example 42 or 43, wherein determining the distance includes determining the distance based on the phase of the symbols in the authentication packet.
[0141] Example 45. One of the methods from Examples 42-44 further includes receiving an authentication packet by a second device, detecting an attack based on distortions in the received authentication packet, and refusing to take action based on the detection of an attack.
[0142] Example 46. One of the methods from Examples 42-45 further includes receiving an authentication packet by a second device, detecting an attack based on the bit error rate (BER) of the received authentication packet, and refusing to take action based on the detection of an attack.
[0143] Example 47. One of the methods from Examples 42-46 further includes receiving an authentication packet by a second device, detecting an attack based on a change in the phase trajectory while receiving the authentication packet, and refusing to take action based on the detection of the attack.
[0144] Example 48. One of the methods from Examples 42 to 47, wherein transmitting an authentication packet having a first phase noise value includes transmitting the authentication packet using a phase-locked loop (PLL) of a first device having a first bandwidth, and transmitting a data packet having a second phase noise value includes transmitting the data packet using a PLL having a second bandwidth lower than the first bandwidth.
[0145] Example 49. One of the methods from Examples 42-48, where sending an authentication packet includes sending an authentication packet using Bluetooth.
[0146] Example 50. One of the methods from Examples 42 to 49, which involves transmitting an authentication packet using Bluetooth, includes transmitting an authentication packet using Bluetooth Low Energy (BLE).
[0147] Example 51. One of the methods from Examples 42 to 50, wherein the first phase noise value corresponds to the SNR of a second device between a first predetermined signal-to-noise ratio (SNR) threshold and a second predetermined SNR threshold.
[0148] Example 52. One of the methods from Examples 42 to 51, wherein the first device is a key fob or a smartphone.
[0149] Example 53. A method comprising a first device transmitting an authentication packet during an authentication phase, wherein during a first part of the authentication phase, the authentication packet is transmitted with a first phase noise value, and during a second part of the authentication phase, the authentication packet is transmitted with a second phase noise value different from the first phase noise value.
[0150] Example 54. A wireless device includes a phase-locked loop (PLL) having a filter with dynamic bandwidth and a transmitter circuit, wherein the transmitter circuit is configured to transmit authentication packets using a filter with a first bandwidth and to transmit data packets using a filter with a second bandwidth lower than the first bandwidth.
[0151] Example 55. A method comprising transmitting authentication packets having a first signal-to-noise ratio during the authentication phase by a first device, and transmitting data packets having a second SNR value during the communication phase by the first device, wherein the second SNR value is higher than the first SNR value.
[0152] Example 56. The method of Example 55 further includes receiving an authentication packet by a second device, determining the distance between the first device and the second device based on the received authentication packet, and unlocking the vehicle based on the determined distance.
[0153] Example 57. One of the methods from Example 55 or 56, wherein determining the distance includes determining the distance based on the phase of the symbols in the authentication packet.
[0154] Example 58. One of the methods from Examples 55-57 further includes receiving an authentication packet by a second device, detecting an attack based on distortions in the received authentication packet, and refusing to take action based on the detection of an attack.
[0155] Example 59. One of the methods from Examples 55-58 further includes a second device receiving an authentication packet, detecting an attack based on the bit error rate (BER) of the received authentication packet, and refusing to take action based on the detection of an attack.
[0156] Example 60. One of the methods from Examples 55-59 further includes receiving an authentication packet by a second device, detecting an attack based on a phase change during the reception of the authentication packet, and refusing to take action based on the detection of the attack.
[0157] Example 61. One of the methods from Examples 55 to 60, wherein transmitting an authentication packet having a first SNR value includes transmitting the authentication packet using a phase-locked loop (PLL) of a first device having a first bandwidth, and transmitting a data packet having a second SNR value includes transmitting it using a PLL having a second bandwidth lower than the first bandwidth.
[0158] Example 62. One of the methods from Examples 55-61, where sending an authentication packet includes sending an authentication packet using Bluetooth.
[0159] Example 63. One of the methods from Examples 55-62, where sending an authentication packet includes sending an authentication packet using Bluetooth Low Energy (BLE).
[0160] Example 64. One of the methods from Examples 55 to 63, wherein the first SNR value lies between a first predetermined SNR threshold and a second predetermined SNR threshold.
[0161] Example 65. One of the methods from Examples 55-64, wherein the first device is a key fob or a smartphone.
[0162] Example 66. A method comprising transmitting an authentication packet by a first device during an authentication phase, wherein during a first part of the authentication phase the authentication packet is transmitted with a first signal-to-noise ratio (SNR) value, and during a second part of the authentication phase the authentication packet is transmitted with a second SNR value different from the first SNR value.
[0163] Example 67. A method comprising: a first device identifying a degradation level based on a predetermined set of degradation levels; the first device transmitting a first signal having a first signal quality based on the identified degradation level during a first communication phase; and the first device transmitting a second signal having a second signal quality corresponding to another degradation level of a predetermined set during a second communication phase, wherein the second signal quality is higher than the first signal quality.
[0164] Example 68. The method of Example 67, wherein a predetermined set of degradation levels includes a first degradation level corresponding to a signal-to-noise ratio (SNR) of 18 dB, a second degradation level corresponding to an SNR of 20 dB, a third degradation level corresponding to an SNR of 22 dB, a fourth degradation level corresponding to an SNR of 24 dB, a fifth degradation level corresponding to an SNR of 26 dB, a sixth degradation level corresponding to an SNR of 28 dB, and a seventh degradation level corresponding to an SNR of 30 dB.
[0165] Example 69. One of the methods in Example 67 or 68, wherein the first signal quality corresponds to a signal-to-noise ratio (SNR) of 24 dB.
[0166] Example 70. One of the methods from Example 67 or 68, wherein the second signal quality corresponds to a signal-to-noise ratio (SNR) of 24 dB.
[0167] The embodiments for carrying out the above-described inventions in the examples of this technology are not intended to be comprehensive or to limit the technology to the exact embodiments disclosed above. Specific examples of this technology are given above for illustrative purposes, but as will be recognized by those skilled in the art, various equivalent modifications are possible within the scope of this technology. For example, while processes or blocks are presented in a given order, alternative implementations may involve performing routines with steps in a different order, or utilizing systems with blocks in a different order, and some processes or blocks may be deleted, moved, added, subdivided, combined, and / or modified to provide alternatives or subcombinations. Each of these processes or blocks may be implemented in a wide variety of different ways. Also, while processes and blocks are sometimes shown to be carried out as a series, these processes and blocks may instead be carried out or implemented in parallel, or at different times. Furthermore, the specific figures described herein are for illustrative purposes only, and alternative implementations may utilize different values or ranges.
[0168] The technical teachings provided herein are not limited to the systems described above, but can also be applied to other systems. The elements and operations of the various examples described above can be combined to provide further implementations of the technology. Some alternative implementations of the technology may include not only additional elements to the implementations described above, but also fewer elements.
[0169] This disclosure is written with reference to illustrative examples, but is not limiting. Various modifications and combinations of the illustrative examples, as well as other embodiments, will be apparent to those skilled in the art by referring to this disclosure.
Claims
1. It is a method, The first device identifies the degradation level, During the first communication phase, the first device transmits a first signal having a first signal quality based on the degradation level. During the second communication phase, the first device transmits a second signal having a second signal quality, A method comprising the above, wherein the second signal quality is higher than the first signal quality.
2. A method according to claim 1, wherein identifying the degradation level includes identifying the degradation level based on the capability of the first device.
3. The method according to claim 1, further, Based on the aforementioned degradation level, a reference signal is identified by a second device, During the first communication phase, the second device receives the first signal, In order to generate a comparison result, the second device performs a comparison between the reference signal and the received first signal, Based on the comparison results, the second device determines whether the received first signal is genuine or not. Methods that include...
4. A method according to claim 3, further comprising terminating communication between the first device and the second device in response to determining that the received first signal is not genuine.
5. A method according to claim 3, wherein determining that the received first signal is not genuine includes determining that the received first signal deviates from the reference signal by a predetermined threshold.
6. The method according to claim 3, Performing the comparison between the received first signal and the reference signal includes performing a correlation between the received first signal and the reference signal to generate a correlation result, wherein the comparison result includes the correlation result. Determining whether the received first signal is genuine or not is When the correlation result exceeds a predetermined threshold, it is determined that the received first signal is genuine. A method for determining that the received first signal is not genuine when the correlation result falls below a predetermined threshold.
7. A method according to claim 3, further comprising the second device authenticating the first device for the second communication phase in response to determining that the received first signal is genuine.
8. A method according to claim 3, further comprising determining the distance between the first device and the second device based on the received first signal.
9. A method according to claim 8, further comprising unlocking the vehicle in response to the distance falling below a predetermined distance and determining that the received first signal is genuine.
10. The method according to claim 3, wherein the first device and the second device are part of a room access control system.
11. A method according to claim 1, wherein the degradation level corresponds to a predetermined signal-to-noise ratio (SNR) value or a predetermined bit error rate (BER).
12. The method according to claim 1, wherein the first signal includes a round-trip time (RTT) packet, and the method further: The RTT packet is received by the second device, Based on the received RTT packets, the distance between the first device and the second device is determined, Based on the distance determined above, the vehicle's locks are released. Methods that include...
13. The method according to claim 1, further, The first signal is received by the second device, Based on the distortion of the first signal received, an attack is detected. Based on the detection of the aforementioned attack, the second device may refuse to take any action. Methods that include...
14. The method according to claim 1, wherein the first signal includes a round-trip time (RTT) packet, and the method further: The RTT packet is received by the second device, Based on the bit error rate (BER) of the received RTT packets, the attack is detected. Based on the detection of the aforementioned attack, the second device may refuse to take any action. Methods that include...
15. The method according to claim 1, further, The first signal is received by the second device, Based on the change in the phase trajectory during the reception of the first signal, an attack is detected, Based on the detection of the aforementioned attack, the second device may refuse to take any action. Methods that include...
16. The method according to claim 1, Transmitting the first signal having the first signal quality includes transmitting the first signal using a phase-locked loop (PLL) of the first device, wherein the PLL has a first bandwidth. A method for transmitting the second signal having the second signal quality, comprising transmitting the second signal using the PLL having a second bandwidth lower than the first bandwidth.
17. A method according to claim 1, wherein transmitting the first signal includes transmitting the first signal using Bluetooth.
18. A method according to claim 1, wherein transmitting the first signal includes transmitting the first signal using Bluetooth-Low-Energy (BLE).
19. A method according to claim 1, wherein the degradation level includes a value that is a predetermined first threshold or exceeds a predetermined first threshold and is a predetermined second threshold or falls below a predetermined second threshold.
20. The method according to claim 1, wherein the first device is a key fob or a smartphone.
21. A method according to claim 1, wherein transmitting the second signal includes transmitting the second signal after transmitting the first signal.