Secure Distance Bounding via TDoA-based Hyperbolic Multilateration with IEEE 802.11

Master Thesis, Project


Analysis: 6
Empiricism: 1
Implementation: 8
Literature Research: 4


There is an increasing number of applications and technical systems in which the physical presence of one device unlocks a certain functionality of another device. Prominent examples include touchless access systems, wireless payment services, and localization services. Touchless access systems, for instance, unlock doors merely by means of the physical presence of a wireless token. Many such systems are based on the assumption that the presence of a wireless signal proves the proximity of the respective communication device. This assumption may seem plausible at first glance due to the limited range of electromagnetic waves. However, several such systems have been shown to be vulnerable to relay attacks [1-4], in which a man-in-the-middle (MITM) attacker extends the range of the wireless signal between two trusted devices in both directions in order to unlock the functionality of one device (e.g., opening the car) without the physical presence of the other device (e.g., the car key).
The goal of this project is to implement a secure protocol that effectively prevents relay attacks between two devices. The protocol shall be implemented on software-defined radios in real-time operation. The envisioned technique makes use of hyperbolic multilateration based on time difference of arrival (TDoA) and works for scenarios in which the blind node is trusted and actively participates in the protocol. As opposed to previous work in our group that was based on differential time difference of arrival (DTDoA), this project is going to rely on antenna synchronization at the terminal and on the ability to synchronize the blind node via synchronization frames. This essentially makes it possible to use the phase, in addition to timestamps, as a measure for precise TDoA estimation.

[3] A. Francillon, B. Danev, and S. Capkun. “Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars.” In: Network & Distributed System Security. NDSS. The Internet Society, Feb. 2011. [Online]
[4] R. Silberschneider, T. Korak, and M. Hutter. “Access Without Permission: A Practical RFID Relay Attack.” In: Austrochip 2013, 21st Austrian Workshop on Microelectronics, Linz, Austria, October 10, 2013, pp. 59–64. [Online]


  • Devise a concept of a practical protocol based on IEEE 802.11g for proximity proof
  • Implement TDoA-based hyperbolic multilateration to estimate a mobile node's position
  • Implement and evaluate a mechanism to wirelessly synchronize the mobile node
  • Implement TDoA-based hyperbolic multilateration with the mobile node as an anchor
  • Evaluate practical performance bounds of the protocol
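
The position-estimation step named in the task list, as an added sketch that is not code from this project: a 2D Gauss-Newton solver for TDoA hyperbolic multilateration, followed by a distance-bound check against the terminal. The anchor layout, terminal position, 2 m bound, solver choice and all function names are assumptions, and the TDoA values are constructed and noise-free.

```python
import math

C = 299_792_458.0  # propagation speed in m/s; 1 ns of timing error is about 0.3 m

def tdoas(pos, anchors):
    """TDoAs in seconds at anchors 1..n-1, relative to anchor 0, for an emitter at pos."""
    d = [math.dist(pos, a) for a in anchors]
    return [(di - d[0]) / C for di in d[1:]]

def locate(anchors, measured, iters=50):
    """Gauss-Newton fit of the 2D point whose range differences match the TDoAs."""
    x = sum(a[0] for a in anchors) / len(anchors)  # start at the anchor centroid
    y = sum(a[1] for a in anchors) / len(anchors)
    for _ in range(iters):
        d = [math.dist((x, y), a) for a in anchors]
        if min(d) < 1e-9:
            break  # estimate sits on an anchor; the gradient is undefined there
        a11 = a12 = a22 = b1 = b2 = 0.0
        for i in range(1, len(anchors)):
            r = C * measured[i - 1] - (d[i] - d[0])   # range-difference residual
            jx = (x - anchors[i][0]) / d[i] - (x - anchors[0][0]) / d[0]
            jy = (y - anchors[i][1]) / d[i] - (y - anchors[0][1]) / d[0]
            a11 += jx * jx; a12 += jx * jy; a22 += jy * jy
            b1 += jx * r; b2 += jy * r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break  # degenerate geometry: the normal equations are singular
        dx = (a22 * b1 - a12 * b2) / det
        dy = (a11 * b2 - a12 * b1) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-9:
            break
    return x, y

def within_bound(estimate, terminal, bound_m):
    """Proximity decision: accept only if the estimate lies inside the bound."""
    return math.dist(estimate, terminal) <= bound_m

# Constructed scenario: four synchronized anchors on a 10 m square (assumption).
ANCHORS = [(0.0, 0.0), (10.0, 0.0), (10.0, 10.0), (0.0, 10.0)]
TERMINAL = (3.0, 5.0)

if __name__ == "__main__":
    for true_pos in [(3.0, 4.0), (8.0, 2.0)]:
        est = locate(ANCHORS, tdoas(true_pos, ANCHORS))
        print(true_pos, "->", est, "accepted:", within_bound(est, TERMINAL, 2.0))
```
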


Research Areas: Secure Mobile Networks



Prof. Dr.-Ing. Matthias Hollick

Technische Universität Darmstadt
Department of Computer Science
Secure Mobile Networking Lab 

Mornewegstr. 32 (S4/14)
64293 Darmstadt, Germany

Phone: +49 6151 16-25472
Fax: +49 6151 16-25471

