arxiv: 2605.10632 · v1 · submitted 2026-05-11 · 💻 cs.CR

Recognition: 1 theorem link

· Lean Theorem

Security Analysis of Time-of-Arrival Estimation via Cross-Correlation under Narrow-Band Conditions

Claudio Anliker , Daniele Coppola , Giovanni Camurati , Srdjan \v{C}apkun

Authors on Pith no claims yet

Pith reviewed 2026-05-12 04:27 UTC · model grok-4.3

classification 💻 cs.CR

keywords time-of-arrival estimationcross-correlationdistance-decreasing attacksnegative group delayBluetooth channel soundingnarrowband rangingsignal reshapingranging security

0 comments

The pith

Two symbol-agnostic attacks reshape narrowband ranging signals to produce earlier time-of-arrival estimates via cross-correlation.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that cross-correlation based time-of-arrival estimation in narrowband systems can be undermined without any need to detect or adapt to individual symbols. One attack multiplies the transmitted signal by a waveform that repeats every symbol period; the other routes the signal through a negative group delay filter. Both methods advance the apparent energy of the signal so that a standard receiver reports an earlier arrival time. Simulations applied to Bluetooth Channel Sounding round-trip-time ranging show distance reductions of up to 18 meters, and a working prototype built from commercial parts confirms that the negative group delay approach is practical.

Core claim

Multiplying a ranging waveform by a symbol-periodic function or passing it through a negative group delay filter distorts the cross-correlation peak at the receiver, causing it to lock onto an earlier sample. These operations require no symbol detection, no real-time compensation, and no knowledge of the data content. When applied to Bluetooth Channel Sounding signals, the resulting time-of-arrival shift corresponds to distance reductions reaching 18 meters in simulation; the negative group delay filter was realized with off-the-shelf components and verified in hardware.

What carries the argument

The symbol-periodic multiplier and the negative group delay filter, which advance the leading edge of the signal energy before it reaches the channel so that standard cross-correlation reports an earlier arrival.

If this is right

Narrowband time-of-flight systems that rely solely on cross-correlation become open to distance-decreasing attacks that need no symbol-level processing at the attacker.
Bluetooth Channel Sounding round-trip-time measurements can be shortened by as much as 18 meters under the described conditions.
Attack implementation is simplified because the reshaping occurs in the time domain without adaptive compensation or real-time symbol detection.
A negative group delay filter sufficient to produce these shifts can be constructed from standard commercial components.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same reshaping techniques could be tested against other narrowband ranging protocols that use cross-correlation without additional protections.
Receivers that already employ multipath mitigation or frequency diversity might reduce the effectiveness of these attacks, though the paper does not evaluate that interaction.
Because the attacks are feed-forward and symbol-agnostic, they remain viable even when the ranging sequence is encrypted or frequently changed.
Hardware prototypes suggest that low-cost adversaries could deploy the negative group delay version in field settings.

Load-bearing premise

The victim receiver uses only plain cross-correlation with no multipath mitigation, authentication, frequency hopping, or other countermeasures, and the negative group delay filter introduces no side effects that the receiver would notice.

What would settle it

An experiment in which the symbol-periodic multiplication or the negative group delay filter is applied to a Bluetooth Channel Sounding signal yet the receiver's cross-correlation peak remains at the correct sample index without measurable distortion.

Figures

Figures reproduced from arXiv: 2605.10632 by Claudio Anliker, Daniele Coppola, Giovanni Camurati, Srdjan \v{C}apkun.

**Figure 2.** Figure 2: Narrowband signals typically blur the channel im [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗

**Figure 3.** Figure 3: Overview of the proposed attacks: The ranging sig [PITH_FULL_IMAGE:figures/full_fig_p003_3.png] view at source ↗

**Figure 6.** Figure 6: NGD effect on a passband signal: the signal envelope [PITH_FULL_IMAGE:figures/full_fig_p005_6.png] view at source ↗

**Figure 7.** Figure 7: Amplitude response and group delay of 𝐻(𝑓 ) with 𝑓 = 𝜔/(2𝜋). This filter applies a time-shift of Δ𝑡 ≈ −50 ns to signals with 𝑓 ≤ 1 MHz. where 𝜔 = 2𝜋 𝑓 . Although the NGD is promising, the filter is not realizable because |𝐻(𝜔)| → ∞ for 𝜔 → ∞. However, we can further approximate this filter with 𝐻(𝜔) = 1 + Δ𝑡 𝑗𝜔 1 + Δ𝑡 𝑗𝜔 ⇒ 𝜏𝑔 (𝜔) = −Δ𝑡 1 − 2(𝜔Δ𝑡) 2 (1 + 𝜔2Δ𝑡 2 ) (1 + 4𝜔2Δ𝑡 2 ) (24) The amplitude response a… view at source ↗

**Figure 8.** Figure 8: NGD circuit based on the LTC6268 operation amplifier. [PITH_FULL_IMAGE:figures/full_fig_p007_8.png] view at source ↗

**Figure 10.** Figure 10: Frequency response of the simulated NGD circuit. [PITH_FULL_IMAGE:figures/full_fig_p008_10.png] view at source ↗

**Figure 12.** Figure 12: Input 𝑥 (𝑡) and the output 𝑥˜(𝑡) of the NGD stage. Peaks and troughs of Re(𝑥˜(𝑡)) appear slightly left-shifted. 16.5 17.0 17.5 18.0 18.5 19.0 19.5 Distance Reduction (m) 0.00 0.25 0.50 0.75 1.00 Peak-Norm. Histogram 2M (RS) 1M (RS) 1M (RS, SNR=10dB) 1M (SS) 55 60 65 ToA Advance (ns) [PITH_FULL_IMAGE:figures/full_fig_p008_12.png] view at source ↗

**Figure 13.** Figure 13: ToA advance by the NGD filter: 2 MHz (2M) signals are advanced less than their 1 MHz counterparts. This configuration models a realistic scenario where the attacker receives a noisy signal. Results [PITH_FULL_IMAGE:figures/full_fig_p008_13.png] view at source ↗

**Figure 14.** Figure 14: Impact of NGD filtering on Bluetooth CS detection metrics for different packet configurations, compared with [PITH_FULL_IMAGE:figures/full_fig_p009_14.png] view at source ↗

**Figure 15.** Figure 15: ToA advance measured after passing CS SYNC [PITH_FULL_IMAGE:figures/full_fig_p012_15.png] view at source ↗

read the original abstract

Time-of-arrival (ToA) estimation via cross-correlation is an essential building block of time-of-flight ranging. However, in narrowband systems, it is notoriously difficult to protect against distance-decreasing attacks such as Early-Detect/Late-Commit (ED/LC). We present and analyze two new attacks that reshape ranging signals to compromise correlation-based ToA estimation. The first attack multiplies the signal by a symbol-periodic waveform in the time domain, while the second passes it through a negative group delay (NGD) filter. In contrast to ED/LC, our attacks do not require real-time symbol detection or adaptive compensation; they are completely symbol-agnostic. We describe implementation strategies for both attacks and discuss NGD filtering in the context of Bluetooth Channel Sounding (CS), a recent narrowband ranging system. To this end, we simulate an NGD circuit in LTspice and a ToA estimator in MATLAB, demonstrating that the attack can result in distance reductions of up to 18 m against Bluetooth CS RTT ranging. Finally, we verify the feasibility of the NGD approach by building a prototype using commercial off-the-shelf components.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

read the letter

The paper describes two symbol-agnostic attacks on narrowband ToA estimation, with MATLAB/LTspice simulations showing up to 18 m distance reduction for Bluetooth CS but hardware only confirming the NGD filter in isolation. One attack multiplies the incoming signal by a waveform that repeats every symbol period. The other passes the signal through a negative group delay filter. Both avoid the real-time symbol detection and compensation that earlier Early-Detect/Late-Commit attacks require, which is the main technical distinction the authors draw from prior work on ToA security. They apply the ideas to Bluetooth Channel Sounding RTT ranging and run concrete simulations: LTspice for the NGD circuit and MATLAB for the cross-correlator estimator. The results indicate the attacks can advance the measured arrival time enough to shrink reported distance by as much as 18 m under the narrowband conditions they model. They also build a simple prototype from commercial parts to show that an NGD filter can be realized and produces the expected negative delay on the bench. The simulation evidence is direct and matches the stated assumptions about narrowband signals and correlation-based receivers. The prototype adds a practical check that the filter is not purely theoretical. The hardware section stops short of an end-to-end test, however. No real Bluetooth packets are sent through the physical prototype and then into an actual ToA estimator to measure the resulting RTT bias. Transients, insertion loss, noise, or the frequency-hopping behavior of CS are therefore not checked in hardware, leaving the 18 m figure as a simulation outcome. This work is aimed at researchers who study the security of wireless ranging and localization, particularly those following Bluetooth CS or similar narrowband systems. Readers who want explicit attack constructions and simulation numbers will find usable material here. The paper shows clear engagement with the relevant literature and supplies reproducible simulation setups, so it is worth sending to peer review. Reviewers can press on the hardware gap and on how the attacks hold up once standard receiver defenses are added.

Referee Report

1 major / 2 minor

Summary. The manuscript analyzes the vulnerability of cross-correlation-based time-of-arrival estimation to distance-decreasing attacks in narrowband conditions. It proposes two attacks that do not require real-time symbol detection: multiplying the signal by a symbol-periodic waveform and passing it through a negative group delay filter. The analysis is applied to Bluetooth Channel Sounding RTT ranging, with LTspice simulations of the NGD circuit and MATLAB simulations of the ToA estimator showing distance reductions of up to 18 meters. The feasibility of the NGD approach is further supported by a hardware prototype built from commercial off-the-shelf components.

Significance. If the simulation results hold under the stated narrowband conditions, this work is significant for identifying practical, symbol-agnostic attacks on correlation-based ranging. The combination of LTspice and MATLAB simulations plus a working COTS prototype provides direct evidence for the distance-reduction claim and the realizability of the NGD filter, which is a strength compared to purely theoretical analyses. These findings could inform defenses in Bluetooth CS and similar systems.

major comments (1)

[Hardware Prototype section] Hardware Prototype section: The COTS prototype verifies that an NGD filter can be realized with commercial components and produces negative group delay in bench tests, but the manuscript does not report routing a real Bluetooth CS packet through the physical prototype into a cross-correlation ToA estimator to measure the resulting RTT bias. This leaves the translation of the simulated 18 m advance untested against filter transients, insertion loss, noise, or Bluetooth packet structure.

minor comments (2)

The specific simulation parameters (bandwidth, SNR, packet details) that achieve the maximum 18 m reduction could be summarized in a table for easier reference.
Figure captions for the correlation plots and NGD response could include more explicit axis labels and units to improve clarity.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the positive assessment of the work's significance and for the constructive major comment. We address it directly below, maintaining that the combination of validated simulations and prototype evidence is sufficient for the paper's scope while acknowledging the value of additional validation.

read point-by-point responses

Referee: The COTS prototype verifies that an NGD filter can be realized with commercial components and produces negative group delay in bench tests, but the manuscript does not report routing a real Bluetooth CS packet through the physical prototype into a cross-correlation ToA estimator to measure the resulting RTT bias. This leaves the translation of the simulated 18 m advance untested against filter transients, insertion loss, noise, or Bluetooth packet structure.

Authors: We appreciate this observation and agree that a complete hardware-in-the-loop experiment would provide additional confirmation. However, the prototype's role is specifically to establish the practical realizability of the NGD filter with COTS components, as confirmed by bench measurements matching the LTspice model. The 18 m distance reduction is demonstrated in MATLAB simulations that apply the extracted filter response to full Bluetooth CS packet waveforms under the narrowband conditions stated in the paper. These simulations incorporate the filter's group delay characteristics, and the prototype validates that the circuit achieves the modeled behavior without unexpected deviations in controlled tests. While transients, insertion loss, and noise are not re-measured end-to-end in hardware, they are accounted for in the simulation framework consistent with the narrowband analysis. We therefore maintain that the current evidence supports the attack feasibility claims without requiring the full physical packet routing for this study; a dedicated hardware validation could be pursued in follow-on work. revision: no

Circularity Check

0 steps flagged

No circularity: attacks defined independently and validated via external simulation/hardware

full rationale

The paper introduces two symbol-agnostic attacks (time-domain multiplication by periodic waveform; NGD filtering) on cross-correlation ToA estimation, then demonstrates them via LTspice circuit simulation and MATLAB ToA estimator for Bluetooth CS, plus a COTS hardware prototype confirming NGD feasibility. No equations reduce the reported distance reductions (up to 18 m) to quantities defined by the authors' own prior fits or self-citations. The simulations and prototype are independent implementations of the stated attack definitions, not predictions forced by construction from fitted inputs. The derivation chain is self-contained against external benchmarks with no self-definitional, fitted-prediction, or load-bearing self-citation steps.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on standard signal-processing assumptions about cross-correlation ToA and the practical realizability of NGD filters; no free parameters or new entities are introduced.

axioms (2)

domain assumption Cross-correlation remains the dominant ToA estimator in narrowband ranging systems such as Bluetooth CS
Stated as the essential building block whose security is analyzed.
domain assumption Narrowband conditions make real-time symbol detection and adaptive compensation difficult for defenders
Used to motivate why the new attacks are harder to defend against than ED/LC.

pith-pipeline@v0.9.0 · 5518 in / 1401 out tokens · 47383 ms · 2026-05-12T04:27:09.392025+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

NGD filter H(ω)=1+Δt jω/(1+Δt jω) yielding τ_g ≈ -50 ns; cross-correlation ˜P'(0) = -2 Re{⟨Δx,x'⟩ ⟨˜x,x⟩*}

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

39 extracted references · 39 canonical work pages

[1]

Graciana Aad, Giovanni Camurati, Matteo Dell’Amico, and Srdjan Čapkun. 2026. FAST: Fast and Accurate Security Testing of HRP UWB Chips.IACR Transactions on Cryptographic Hardware and Embedded Systems2026, 1 (2026), 500–532

work page 2026
[2]

Analog Devices. 2026. LTspice. https://www.analog.com/en/resources/design- tools-and-calculators/ltspice-simulator.html

work page 2026
[3]

Claudio Anliker, Giovanni Camurati, and Srdjan Čapkun. 2023. Time for Change: How Clocks Break UWB Secure Ranging. In32nd USENIX Security Symposium, USENIX Security 2023, Joseph A. Calandrino and Carmela Troncoso (Eds.). USENIX Association, Anaheim, CA, USA, 19–36. https://www.usenix.org/system/files/ usenixsecurity23-anliker.pdf

work page 2023
[4]

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen. 2019. Low Entropy Key Negotiation Attacks on Bluetooth and Bluetooth Low Energy. Cryp- tology ePrint Archive, Paper 2019/933. https://eprint.iacr.org/2019/933

work page 2019
[5]

Daniele Antonioli, Nils Ole Tippenhauer, Kasper Rasmussen, and Mathias Payer

work page
[6]

InProceedings of the 2022 ACM on Asia Conference on Computer and Communications Security

BLURtooth: Exploiting Cross-Transport Key Derivation in Bluetooth Classic and Bluetooth Low Energy. InProceedings of the 2022 ACM on Asia Conference on Computer and Communications Security. Association for Computing Machinery, New York, NY, USA, 196–207

work page 2022
[7]

2020.Further Updates on 11az Secure LTF Design

Anuj Batra. 2020.Further Updates on 11az Secure LTF Design. IEEE 802.11 Submission IEEE 802.11-20/1855r0. IEEE 802.11 Working Group. https://mentor.ieee.org/802.11/dcn/20/11-20-1855-00-00az-further-updates-on- 11az-secure-ltf-design.pptx Accessed: 2026-03-01

work page 2020
[8]

Bluetooth Special Interest Group. 2025. Bluetooth ® Core 6.2 feature overview. https://www.bluetooth.com/bluetooth-core-6-2-feature-overview/ Bluetooth Technology Website

work page 2025
[9]

2026.Bluetooth Core Specification v6.2

Bluetooth Special Interest Group. 2026.Bluetooth Core Specification v6.2. Blue- tooth Special Interest Group (SIG). https://www.bluetooth.com/specifications/ specs/core-specification-6-2/ Accessed: 2026-03-02

work page 2026
[10]

Heungjae Choi, Yongchae Jeong, Chul Dong Kim, and James Stevenson Kenney

work page
[11]

doi:10.2528/pier10041808

Bandwidth Enhancement of an Analog Feedback Amplifier by Employing a Negative Group Delay Circuit.Progress In Electromagnetics Research105 (2010), 253–272. doi:10.2528/pier10041808

work page doi:10.2528/pier10041808 2010
[12]

Hancke, Markus G

Jolyon Clulow, Gerhard P. Hancke, Markus G. Kuhn, and Tyler Moore. 2006. So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks. In Security and Privacy in Ad-Hoc and Sensor Networks, Third European Workshop, ESAS 2006 (Lecture Notes in Computer Science, Vol. 4357). Springer, Heidelberg, Germany, 83–97. https://doi.org/10.1007/11964254_9

work page doi:10.1007/11964254_9 2006
[13]

Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, and Jean-Yves Le Boudec. 2010. Effectiveness of distance-decreasing attacks against impulse radio ranging. InProceedings of the Third ACM Conference on Wireless Network Security, WISEC 2010. Association for Computing Machinery, New York, NY, USA, 117–128. doi:10.1145/1741866.1741887

work page doi:10.1145/1741866.1741887 2010
[14]

Giannakis, Hisashi Kobayashi, Andreas F

Sinan Gezici, Zhi Tian, Gergios B. Giannakis, Hisashi Kobayashi, Andreas F. Molisch, H. Vincent Poor, and Zafer Sahinoglu. 2005. Localization via Ultra- Wideband radios: A look at positioning aspects for future sensor networks.IEEE Signal Processing Magazine22, 4 (2005), 70–84

work page 2005
[15]

Hancke and Markus G

Gerhard P. Hancke and Markus G. Kuhn. 2008. Attacks on time-of-flight distance bounding channels. InProceedings of the First ACM Conference on Wireless Network Security. ACM, Hamburg, Germany, 194–202. doi:10.1145/1352533.1352566

work page doi:10.1145/1352533.1352566 2008
[16]

2020.IEEE Standard for Low-Rate Wireless Networks–Amendment 1: En- hanced Ultra Wideband (UWB) Physical Layers (PHYs) and Associated Ranging Techniques

IEEE. 2020.IEEE Standard for Low-Rate Wireless Networks–Amendment 1: En- hanced Ultra Wideband (UWB) Physical Layers (PHYs) and Associated Ranging Techniques. Technical Report IEEE Std 802.15.4z-2020. IEEE 802.15 Working Group. https://standards.ieee.org/ieee/802.15.4z/10230/

work page 2020
[17]

IEEE. 2022.IEEE Standard for Information Technology–Telecommunications and Information Exchange between Systems Local and Metropolitan Area Networks– Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications Amendment 4: Enhancements for Positioning. Technical Report IEEE Std 802.11az-2022. IEEE 802.11...

work page 2022
[18]

IEEE. 2024.IEEE Standard for Low-Rate Wireless Networks – Amendment 1: Enhanced Ultra Wide-Band (UWB) Physical Layers (PHYs) and Associated Medium Access and Control (MAC) sublayer Enhancements. Technical Report IEEE Std 802.15.4ab-2024. IEEE 802.15 Working Group. https://standards.ieee.org/ieee/ 802.15.4ab/10694/

work page 2024
[19]

Kyungho Joo and Wonsuk Choi. 2024. Enhancing Security of HRP UWB Ranging System Based on Channel Characteristic Analysis.IEEE Internet of Things Journal 11, 24 (2024), 39794–39808

work page 2024
[20]

2011.Asymptotic Limits of Negative Group Delay Phe- nomenon in Linear Causal Media

Miodrag Kandic. 2011.Asymptotic Limits of Negative Group Delay Phe- nomenon in Linear Causal Media. Ph.D. dissertation. University of Mani- toba. https://mspace.lib.umanitoba.ca/server/api/core/bitstreams/10ea6ee2-3d3c- 4e67-9275-193e689dbdfb/content

work page 2011
[21]

Patrick Leu, Giovanni Camurati, Alexander Heinrich, Marc Roeschlin, Claudio Anliker, Matthias Hollick, Srdjan Capkun, and Jiska Classen. 2022. Ghost Peak: Practical Distance Reduction Attacks Against HRP UWB Ranging. In31st USENIX Security Symposium, USENIX Security 2022, Boston, MA, USA, August 10-12, 2022. USENIX Association, Berkeley, CA, USA, 1343–135...

work page 2022
[22]

Patrick Leu, Martin Kotuliak, Marc Roeschlin, and Srdjan Čapkun. 2021. Secu- rity of Multicarrier Time-of-Flight Ranging. InProceedings of the 37th Annual Computer Security Applications Conference. ACSA, Columbia, MD, USA, 887–899

work page 2021
[23]

Lonzetta, Peter Cope, Joseph Campbell, Bassam J

Angela M. Lonzetta, Peter Cope, Joseph Campbell, Bassam J. Mohd, and Thaier Hayajneh. 2018. Security vulnerabilities in Bluetooth technology as used in IoT. Journal of Sensor and Actuator Networks7, 3 (2018), 28

work page 2018
[24]

Xiliang Luo, Cem Kalkanli, Hao Zhou, Pengcheng Zhan, and Moche Cohen. 2024. Secure Ranging with IEEE 802.15. 4z HRP UWB. In2024 IEEE Symposium on Security and Privacy (SP). IEEE, IEEE, Piscataway, NJ, USA, 2794–2811

work page 2024
[25]

Andreas F. Molisch. 2009. Ultra-Wide-Band Propagation Channels.Proc. IEEE97, 2 (2009), 353–371

work page 2009
[26]

Maundy, and Ahmed S

Julia Nako, Costas Psychalinos, Brent J. Maundy, and Ahmed S. Elwakil. 2024. Elementary Negative Group Delay Filter Functions.Circuits, Systems, and Signal Processing43, 6 (Mar 2024), 3396–3409. doi:10.1007/s00034-024-02647-9

work page doi:10.1007/s00034-024-02647-9 2024
[27]

Nguyen, Marko Jacovic, Cem Sahin, and Kapil R

Danh H. Nguyen, Marko Jacovic, Cem Sahin, and Kapil R. Dandekar. 2019. Energy- Efficient Reactive Jamming of Frequency-Hopping Spread Spectrum (FHSS) Sig- nals using Software-Defined Radios. Google Patents. https://patents.google. com/patent/US20190268087A1/en US Patent App. 16/284,574. Publication No. US 2019/0268087 A1

work page 2019
[28]

Hildur Ólafsdóttir, Aanjhan Ranganathan, and Srdjan Čapkun. 2017. On the Secu- rity of Carrier Phase-Based Ranging. InCryptographic Hardware and Embedded Systems - CHES 2017 (Lecture Notes in Computer Science, Vol. 10529). Springer, Heidelberg, Germany, 490–509. https://doi.org/10.1007/978-3-319-66787-4_24

work page doi:10.1007/978-3-319-66787-4_24 2017
[29]

Marcin Poturalski, Manuel Flury, Panos Papadimitratos, Jean-Pierre Hubaux, and Jean-Yves Le Boudec. 2010. The cicada attack: Degradation and denial of service in IR ranging. In2010 IEEE International Conference on Ubiquitous Wireless Broadband (ICUWB), Vol. 2. IEEE, IEEE, Piscataway, NJ, USA, 1–4

work page 2010
[30]

Aanjhan Ranganathan, Boris Danev, Aurélien Francillon, and Srdjan Čapkun

work page
[31]

InProceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks, WISEC 2012

Physical-layer attacks on chirp-based ranging systems. InProceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks, WISEC 2012. Association for Computing Machinery, New York, NY, USA, 15–26. doi:10.1145/2185448.2185453

work page doi:10.1145/2185448.2185453 2012
[32]

Mridula Singh, Marc Roeschlin, Ezzat Zalzala, Patrick Leu, and Srdjan Čapkun

work page
[33]

4z/HRP UWB time-of-flight distance measurement

Security analysis of IEEE 802.15. 4z/HRP UWB time-of-flight distance measurement. InProceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks. Association for Computing Machinery, New York, NY, USA, 227–237

work page
[34]

Paul Staat, Kai Jansen, Christian Zenger, Harald Elders-Boll, and Christof Paar

work page
[35]

InProceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks

Analog Physical-Layer Relay Attacks with Application to Bluetooth and Phase-Based Ranging. InProceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks. Association for Computing Machinery, New York, NY, USA, 60–72

work page
[36]

Michael Stocker, Bernhard Großwindhager, Carlo Alberto Boano, and Kay Römer

work page
[37]

In2020 IEEE 17th International Conference on Mobile Ad Hoc and Sensor Systems (MASS) (Delhi, India)

Towards Secure and Scalable UWB-based Positioning Systems. In2020 IEEE 17th International Conference on Mobile Ad Hoc and Sensor Systems (MASS) (Delhi, India). IEEE, IEEE, Piscataway, NJ, USA, 247–255

work page
[38]

2024.bleCSWaveform

The MathWorks, Inc. 2024.bleCSWaveform. Natick, MA, USA. https://ch. mathworks.com/help/bluetooth/ref/blecsconfig.blecswaveform.html Accessed: 2026-03-02

work page 2024
[39]

Kewei Zhang and Panos Papadimitratos. 2019. On the Effects of Distance- decreasing Attacks on Cryptographically Protected GNSS Signals. InProceedings of the 2019 International Technical Meeting of The Institute of Navigation. The Institute of Navigation, Manassas, VA, USA, 363–372. A Derivation of ˜𝑃 ′ (0) We start by rewriting ˜𝑃(𝜏)=| ˜𝑅(𝜏)| 2 as ˜𝑃(𝜏)=|...

work page 2019