Our team demonstrated how these could be manipulated to compromise the security of the entire locating system. More details can be found in our blog and white paper.
Recently, we decided to analyze another popular solution of UWB-based RTLS, the Ubisense Dimension4 3D tracking system. These sensors are used globally in industrial sectors including defense, manufacturing, healthcare, and transit management, to improve the efficiency of processes by tracking the exact position of equipment, tools, kits and components used in production. Similar to other UWB RTLS, however, this system is also deployed in more sensitive use cases such as hospital patient positions and movement tracking, contact tracing, geofencing, and more, where the confidentiality, integrity, and availability of information play a crucial role.
In this blog, we explain how we managed to reproduce the same vulnerabilities found in the Sewio and Avalue systems on the Ubisense RTLS and share suggested mitigations. CISA is also in the process of finalizing an industry-wide alert, to make asset owners aware of the security risks associated with widespread deployment of UWB RTLS across sectors. For Nozomi Networks customers, our solutions have been updated to support the Ubisense Dimension4 RTLS to specifically detect attacks against these systems.
Introduction to Real Time Locating Systems, Time Difference of Arrival, and Angle of Arrival
Real Time Locating Systems (RTLS) use radio-frequency signals (e.g., UWB) to locate assets or people specifically in indoor environments where GPS would be imprecise or ineffective. The technology consists of three main components:
- Tags are sensors worn by people or placed on objects of interest, and periodically transmit UWB signals to anchors;
- Anchors are deployed in strategic spots of a facility or location, receiving UWB signals from tags and transmitting the related data with the central positioning server through an Ethernet or Wi-Fi connection;
- A central positioning server receives the data from the anchors, computes the position of tags, and stores or displays their location on the user interface.
Traditional UWB RTLS (such as the Sewio and Avalue systems) leverage Time Difference of Arrival (TDoA), a technique to locate a tag based on the relative arrival times of a single message. In these systems, anchors transmit two types of information to the server:
- Synchronization messages that allow the server to compare the clocks of anchors and establish a common notion of time;
- Time of arrival messages containing the time at which anchors have received the UWB messages from the tags, used by the server to derive their real-time positions.
The Ubisense RTLS has key differences with respect to the average UWB RTLS for associating arrival times:
- Besides using TDoA, Ubisense systems also utilize Angle of Arrival (AoA) which provides information about the direction from which the signal is arriving at each anchor by estimating the angle of arrival of a signal (Figure 1). By combining the TDoA and AoA measurements from multiple anchors, the location of the tag in N dimensions can be estimated with high accuracy with N anchors (not N+1, as in TDoA-only solutions);
- To achieve timing synchronization, anchors directly communicate with each other, either via a secondary daisy chained Ethernet connection or through an optional device called Timing Distribution Unit. This keeps anchors in sync with each other, alleviating the server from the burden of continuously computing a common notion of time.
Reverse Engineering and Vulnerability Testing
To pinpoint the relevant communications exchanged for location purposes in the Ubisense UWB RTLS, all network traffic exchanged among anchors and server was captured through the span port of the network switch. When analyzed, we discovered that some network packets within the UDP communications on port 36776 (Figure 2) contained the cleartext ID of the tag being moved in the lab room. Curiously, only two out of the three anchors deployed in the room were communicating these types of messages (Figure 3: the server is 172.16.6.34, the anchors are 172.16.6.37, 40 and 41).
A quick check on the server highlighted that the process “ubisense_location_cell_manager.exe” was listening on the same port. Our team began a reverse engineering activity to capture additional information about tag locations. Eventually, we identified a way to dissect the network packet due to a verbose log message responsible for printing its content, as shown in Figure 4. This allowed us to correlate sequences of bytes included in the packet with their semantics.
What is surprising is that variables “v34”, v36”, and “v35”, respectively, immediately revealed the X, Y, and Z coordinates of the tag. We speculate that this happens because anchors are kept in sync with each other and, as such, they have all necessary information to immediately compute and transmit to the server the final positions of the tags, offloading the server from this task and reducing the amount of network communications.
However, it must be highlighted that this also greatly increases the possibility to perform passive eavesdropping and active traffic manipulation attacks. As a matter of fact, if in traditional TDoA solutions an attacker would need to reconstruct the location of anchors and then apply a TDoA algorithm on the collected timestamps to obtain the position of tags (or the reverse process to manipulate them), here it is simply sufficient to extract (or overwrite) the information in the network packets, without any other preconditions. The development of the sniffing tool for these Ubisense systems (Figure 5) proved to be much simpler than what was necessary to create for the Sewio and Avalue systems previously analyzed.
Furthermore, additional tests confirmed that no cryptographic protections were applied to the packet, leading to the possibility to quickly create manipulated data to inject into the packet read by the server and alter with absolute precision the related position of tags (Figure 6).
The severity of potential impacts depends on the final purpose of these systems. If the RTLS is employed to automatically manage the configuration of tools in the production line (e.g., change the applied torque value on the basis of their position and the component to be tightened), the impact would be the possibility for an attacker to cause damage to the final products by misplacing them. If the RTLS is employed to track the position of patients in a hospital for contact tracing purposes, the alteration of the position could lead to the recording of false positional contact or the hiding of true contact, with potential indirect consequences to the lives of the target victims.
We have updated our GitHub repository "UWB RTLS" to include a PCAP of the network traffic of the Ubisense system, as well as a Wireshark dissector for the location packets. You may download them here.
Mitigations
As with the Sewio and Avalue systems, it proved to be problematic for Ubisense to directly remediate this design choice and add a transport security layer on top of the existing communications (we have examined some of these reasons in our white paper).
The generic recommendation for asset owners remains to keep the entire UWB RTLS backhaul network segregated, and secure access to the network both physically and logically in order to prevent unauthorized actors from gaining a foothold.
Another mitigation would be to protect the network with a continuous monitoring system as an attacker would be forced to perform a Man-in-the-Middle (MitM) attack to collect the tags coordinates. By monitoring for signatures such as new ARP frames or new links between nodes, a vulnerability and threat detection system can quickly detect an ongoing MitM attempt.
Conclusions
UWB RTLS have revolutionized the way businesses operate by providing highly accurate and real-time indoor location services. They improve operational efficiency, increase asset visibility, and enhance safety in a variety of sectors from healthcare and retail to logistics and manufacturing.
With respect to other wireless protocols, UWB (with the IEEE 802.15.4z standard amendment) generally provides stronger resiliency and less opportunities for attacks by cyber adversaries. However, to evaluate the overall security posture of a system, it is crucial to assess the entire chain, as attackers will always try to leverage its weakest link.
In this article, we have confirmed that the vulnerabilities on the Sewio and Avalue RTLS presented at Black Hat USA 2022 also affect the Ubisense Dimension4, another popular UWB RTLS employed for a variety of purposes. We strongly encourage asset owners who deploy these and other UWB RTLS to enact one of the proposed mitigations, especially if their systems are used for safety-critical purposes.