Attacking Ultra-Wideband: Security Analysis of UWB Applications in Smartphones

Ultra-wideband (UWB) is a new wireless layer that is now integrated into high-end smartphones, enabling fine-grained distance measurements between devices. This technology introduces new features, including indoor location, item finders, and digital car keys, but it also opens up new attack vectors, particularly in security-sensitive contexts. Attackers may seek to reduce the measured distance to gain unauthorized access to physical goods. In this talk, we will cover the basics of UWB, implementations in iPhones, the accuracy of measurements, and potential attacks against it.

In this talk, we will present the basics of ultra-wideband (UWB), a new wireless technology that is implemented very differently from Bluetooth or Wi-Fi. We will explain how it enables highly accurate distance measurements and what the current protection mechanisms against malicious interference are.

We will then focus on the implementations of UWB in iPhones and Samsung smartphones. iPhones contain a custom-designed Apple U1 chip solely for UWB communication, while Samsung devices use an NXP UWB chipset. These chips implement many of the currently available UWB features and can only be sparsely configured by the system to ensure real-time processing of the UWB signals. We will discuss whether this separation from the OS actually reduces the security risk or introduces new attack vectors.

On iOS, most UWB signals are handled by the nearby daemon (nearbyd), which offers several cross-process communication points for Apple’s internal use cases and for third-party applications. nearbyd manages ranging sessions and handles results. We will then present our extensive measurement series, where we analyzed how accurate and reliable the UWB measurements are on an iPhone, a Google Pixel smartphone, and a Samsung Galaxy S21 Ultra. Our evaluation shows that UWB is currently the most accurate option to measure distances on a smartphone, with errors of less than 20 cm on average.

Finally, we will cover the first attacks on this system, including a potential live demonstration of the attack that works best on an iPhone. The attack results in distance reductions of up to 12 m and can be applied to trick entry systems into believing that the user is closer than they actually are. Luckily, the success rate is very low on every device, and a correct implementation on the end system can detect distance reduction attacks.

About the Speakers