UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice

The presentation discusses the vulnerabilities in two popular uwb rtls's used for personnel tracking, geofencing, and contact tracing. It highlights the importance of well-defined security standards in safety-critical software and the need to consider the entire attack surface. The presentation also provides some mitigations for the vulnerabilities.

• Weak security requirements in critical software can lead to safety issues that cannot be ignored. Safety-critical software should have well-defined security standards.
• There are attack surfaces out there that no one is looking at but they have significant consequences if compromised. It's important to look at the entire attack surface and not just focus on one part while ignoring others.
• Exploiting secondary communications in uwb rtls can be challenging but it's doable. The devastating effects it can cause cannot be ignored.
• Mitigations for the vulnerabilities include adding modern TLS into a segregator network, adding an intrusion detection system to the buckle network, and adding an encryption integrity layer on top of the existing communications.
• The presentation demonstrates how a threat actor can manipulate the system to stop or restart production and put workers in harm's way.

The presentation provides an anecdote of an attacker manipulating a tag and putting it inside the geosensing zone to generate an alert and shut down production. The attacker was able to take the tag outside of the geofencing zone to restart production, putting the worker in harm's way. The presentation highlights the harm that such attacks can cause to workers in a manufacturing plant.

Ultra-wideband (UWB) is a rapidly-growing radio technology that, according to the UWB Alliance, is forecasted to drive sales volumes exceeding one billion devices annually by 2025. Among its current applications, off-the-shelf Real Time Locating Systems (RTLS) employ UWB to provide localization solutions for a wide set of use cases (i.e., medical patients location tracking, safety geofencing, asset monitoring, contact tracing, etc.).The security of UWB wireless communications has recently been strengthened by the Institute of Electrical and Electronic Engineers (IEEE) 802.15.4z amendment. However, critical phases of the RTLS process are handled by obscure network protocols that are not regulated by standards, leaving the responsibility for their design and implementation to the vendors.In an effort to strengthen the security of devices utilizing UWB, Nozomi Networks Labs conducted a security assessment of two popular UWB RTLS solutions available on the market. Our research reveals 0-day vulnerabilities and other weaknesses that, if exploited, could allow an attacker to gain full access to all sensitive location data exchanged over-the-air.In this presentation, we will demonstrate how an attacker may exploit RTLS to locate and target people, hinder safety geofencing rules, and interfere with contact tracing, as well as present key actions to help mitigate these weaknesses to secure UWB RTLS from potential cyber attacks.