
How Precisely Can One Infer the Position of a Wi-Fi RTT Device by Eavesdropping on Its FTM Frames?

Network Engineering Department, Universitat Politecnica de Catalunya, 08034 Barcelona, Spain
* Author to whom correspondence should be addressed.
Electronics 2025, 14(8), 1540; https://doi.org/10.3390/electronics14081540
Submission received: 28 February 2025 / Revised: 28 March 2025 / Accepted: 7 April 2025 / Published: 10 April 2025
(This article belongs to the Special Issue Security and Privacy in Location-Based Service)

Abstract
Until the implementation of the IEEE 802.11az standard in common devices becomes a reality, the IEEE 802.11mc fine time measurement (FTM) procedure used for location purposes in indoor environments may be easily compromised by an adversary. Given the scarce amount of work focusing on the security of the FTM procedure, this paper first provides an overview of the vulnerabilities that have been studied so far. Lack of encryption and authentication allows an attacker to eavesdrop on any FTM session and/or forge the frame exchange. But how critical can this be? We study the situation where an adversary is able to overhear the FTM frames of a legitimate user that is positioning itself. We show that the adversary is able to easily infer the position of the victim. Moreover, simulation results show that this calculated position can be obtained with a 99th percentile error of 1 m even under the presence of errors in the time measurements, raising significant concern about the security of the current implementation of the protocol.

1. Introduction

In recent years, Location-Based Services (LBSs) have become ubiquitous in our daily lives, providing geographic context in real time for many application fields such as navigation, social networking, or entertainment, among others. The emergence of the Internet of Things (IoT), with thousands of devices connected to the Internet that are capable of collecting, processing, and sharing data, has boosted interest in LBSs even further [1]. IoT devices, ranging from wearable fitness trackers to industrial sensors, often depend on accurate location data to function properly. In smart cities, for instance, IoT-enabled traffic management systems use location information to reduce congestion, while public transport systems provide real-time updates to passengers. Similarly, in healthcare, IoT devices can aid in tracking the location of medical equipment, patients, and staff within hospitals, ensuring the continuous monitoring of a patient’s health and timely response in critical situations.
While LBSs provide numerous benefits, they also raise a number of security and privacy concerns. One of the primary security risks is the exposure of sensitive location data [2], which can be intercepted, stolen, or misused by malicious actors to track users or devices. In addition, location data can also reveal information about a user’s preferences, habits, or condition, leading to a breach of privacy. Another major security issue is the vulnerability of the positioning systems used in LBSs to spoofing and tampering attacks [3]. Adversaries can manipulate or forge location data to disrupt the operation of such systems, leading to incorrect position estimations. In critical sectors like healthcare or emergency services, where accurate location data are vital, such disruptions could have severe consequences.
Among the existing location techniques, the Global Navigation Satellite System (GNSS) and, in particular, Global Positioning System (GPS) has prevailed for outdoor positioning. However, it is well known that these techniques exhibit many limitations in indoor environments [4]: GPS signals struggle to penetrate walls and ceilings, often resulting in weak or nonexistent signals. Signal degradation and the multipath effect due to signal reflection on walls or other obstacles lead to a drastic reduction in the system’s accuracy in terms of positioning error. In addition, the use of GNSS increases energy consumption, making it unsuitable for battery-limited devices such as the ones in the IoT ecosystem. As a consequence, other technologies like Wi-Fi, Radio Frequency Identification (RFID), and Bluetooth Low Energy (BLE) have been proposed to enhance accuracy in indoor positioning [1].
Nowadays, an indoor positioning technique must not only provide accurate estimations but also be easy to use in common off-the-shelf (COTS) devices. This is why research has increasingly focused on technologies commonly supported by smartphones, tablets, smartwatches, and similar devices—primarily IEEE 802.11 (Wi-Fi) and BLE. With 60% of Internet traffic traveling through Wi-Fi, this technology remains the most widely used for browsing [5]. Therefore, to avoid deploying new infrastructure specifically for localization and to reduce costs, choosing Wi-Fi-based positioning solutions appears to be a natural choice [6].
Nevertheless, the design of ranging methods for Wi-Fi environments also poses some challenges regarding latency and bandwidth consumption: on the one hand, the location process should be fast enough to allow a device to obtain its position in real time. On the other hand, the exchange of location information should not result in network congestion or in an excess of bandwidth consumption to the detriment of user traffic. The fine timing measurement (FTM) procedure, defined in the IEEE 802.11mc standard [7], is intended to provide ranging functionalities to stations willing to estimate their position while meeting these requirements. As a consequence, security issues such as location privacy have been left in the background. The procedure was designed to be performed without the need for a station to associate to an access point (AP), and therefore, there is no AP authentication. Lack of authentication allows any attacker to set up a rogue AP [8,9], establish an FTM session with a station, and lead it to a wrong position estimation by reporting false data. Other security services such as data confidentiality or data integrity are not considered either. All messages exchanged between the station and the AP are sent in the clear, which causes a privacy breach since any adversary in range can eavesdrop on the communication [10,11].
However, users are increasingly becoming more aware of the importance of protecting their data against third parties, and thus, there is a need to include security mechanisms within the positioning methods. The concept of Privacy by Design (PbD) [12] aims at enhancing sensibility regarding data protection and describes an approach to include considerations regarding privacy and data protection into Information Technology (IT) systems and technological products at an early stage of their development. Recently, IEEE 802.11az [13] (Amendment for Enhancements for Positioning) was released, aiming to protect the FTM procedure through encryption and AP authentication. However, its practicality is questionable when the FTM procedure is applied in public venues, where no cryptographic material is shared in advance between users and network infrastructure [14]. In addition, the introduction of encryption and authentication mechanisms increases the overhead, thus decreasing the available bandwidth. Also, while being issued in 2023, devices integrating IEEE 802.11az will take time to be available on the market, thus still requiring work on the currently available implementation of FTM.
The literature on security threats identified in positioning mechanisms in general is as deep and as old as that on Wi-Fi vulnerabilities, but the literature that specifically covers attacks over Wi-Fi RTT positioning is rather limited, to the best of the authors’ knowledge. To fill this gap, in this work, an overview of the vulnerabilities of the FTM procedure is provided, together with a brief description of the security improvements introduced by the IEEE 802.11az amendment. We also show that an adversary can benefit from the lack of security of this protocol in order to eavesdrop on a session and obtain the position of a given user. In this respect, an attack was simulated in order to assess to what extent a malicious user can infer the location of another user that is running the FTM procedure with the APs in the area. With a precision of 54 cm and a 99th percentile of 1.01 m of positioning error under realistic conditions, the results are stunning, presenting the security issue of FTM as a priority for future investigations.
The rest of this paper is organized as follows. The IEEE 802.11mc positioning method is described in Section 2, which also provides an overview of the security issues identified in the FTM exchange. The proposed attack is described in Section 3, together with the mathematical formulation to derive a system of equations based on time difference of arrival (TDOA) measurements. Section 4 presents the simulation scenario, the error model considered with regard to TDOA measurements and the approach followed to solve the system of equations. Section 5 shows the simulated results obtained both under the assumption of no measurement errors (ideal scenario) and a more realistic scenario in which TDOA measurement errors are taken into consideration. Finally, Section 6 presents the conclusions of this work.

2. FTM Procedure and Security Issues

In 2016, the IEEE introduced a new standard [7] that enables precise distance measurements based on the round trip time (RTT) of Wi-Fi signals. The IEEE 802.11mc protocol, popularly known as Wi-Fi RTT, involves two Wi-Fi stations (STAs). As illustrated in Figure 1, an STA seeking to determine its position, referred to as the initiator (e.g., a smartwatch or smartphone), transmits a request to another STA, known as the responder (e.g., an AP).
This initial request establishes the required parameters for the responder to transmit FTM messages. Each FTM message is confirmed by the initiator via an acknowledgment (ACK) frame. Both STAs record the timestamps associated with each frame exchange:
  • The responder logs the transmission timestamp ($t_1$) and the reception timestamp ($t_4$);
  • The initiator logs the reception timestamp ($t_2$) and the transmission timestamp ($t_3$).
To enable distance estimation, the responder includes its timestamps ($t_1$, $t_4$) in a subsequent FTM frame sent to the initiator. The initiator then computes the RTT by subtracting the processing delay at the initiator ($t_3 - t_2$) from the total round-trip time observed at the responder ($t_4 - t_1$).
It is important to highlight that the time interval ($t_3 - t_2$) is difficult to predict and typically exhibits values several orders of magnitude larger than the signal times of flight (TOFs) (e.g., ($t_2 - t_1$) and ($t_4 - t_3$)). However, these TOFs directly correspond to the distance between the two STAs; therefore, they are the key values that must be estimated accurately. In this regard, the IEEE 802.11mc standard ensures that, throughout the FTM process, these timestamps are recorded with nanosecond precision on both STAs. Additionally, the number of FTM-ACK sequences, known as the burst size (B), can be negotiated in the initial FTM request, which is sent in the clear. This procedure enables the averaging of the individual RTTs within a burst, thus fostering more reliable RTT estimations [15]. Typically, the burst size is set to 7, meaning that the responder transmits a total of 8 FTM messages. The initiator needs to perform the RTT procedure with several APs to determine its own position (e.g., at least three APs for a 2D position).
Localization while minimizing both bandwidth consumption and latency is of capital importance in the IEEE 802.11mc standard. For this reason, the FTM mechanism was designed so that it can start without the need for previous association between the initiator and responder (hereafter referred to as the AP), and therefore, no authentication with the AP is required, and no cryptographic material is negotiated with it. Thus, all frames are exchanged in the clear (not encrypted), and data confidentiality and integrity are not provided. The initial FTM request allows for the configuration of key localization parameters, including the number of consecutive bursts, the burst size B, the time interval between consecutive measurements, and the bandwidth. Figure 2 depicts the format of the FTM frame defined in [7], with the main parameters negotiated in the FTM Parameters element. Additionally, the initiator can use the initial FTM request to ask for the Location Configuration Information (LCI) and Location Civic Report (LCR) parameters by including a Measurement Request element (see Figure 2b) with the Measurement Type field equal to LCI or LCR, respectively. These parameters contain the coordinates and orientation of the AP and enable the initiator to refine its own position estimation.
Both the initial and subsequent requests contain two special fields: (1) trigger (see Figure 2a), which indicates whether the FTM session should start, continue, or terminate; and (2) ASAP (see Figure 2c), which specifies whether the session should begin immediately (ASAP = 1) or be scheduled to start within a specific time window (ASAP = 0). On top of that, each response sent by the AP includes a token field (Measurement token in Figure 2b) that allows the initiator to correlate responses with the corresponding ACKs. The token is a nonzero integer that increments with each response. The last response in a burst must have a token value of zero, indicating that no further measurements will be taken in that burst.
Besides the lack of security mechanisms, the FTM procedure exhibits other vulnerabilities, both because of its design and the implementation of the protocol in a specific STA [11,14]. In the following, we give an overview of such vulnerabilities and the attacks against the FTM procedure that have been described in the literature so far. To the best of the authors’ knowledge, the number of works covering the attacks over Wi-Fi RTT positioning [11,14,16,17] is rather limited.

2.1. Data Injection

Since AP authentication is not required for the FTM procedure, an attacker could easily set up a rogue AP and establish an FTM session with an initiating STA. Once the procedure has commenced, the rogue AP may transmit responses with falsified $t_4$ and $t_1$ measurements, and as the initiator cannot verify the authenticity or the integrity of the received data, such measurements might mislead the STA into an incorrect estimation of its position. In [14], several implementations were tested, revealing that most STAs accept any value without further verification. Some implementations may analyze the plausibility of the measurement and filter out values exceeding a predetermined threshold. Furthermore, if the rogue AP introduces a significant bias in the reported measurement, it may prevent the positioning algorithm from converging, rendering the STA’s location estimation infeasible and leading to a Denial of Service (DoS) attack.
Another attack with similar consequences involves forging LCI data. An initiator can request an AP’s LCI, which consists of the AP’s geographical coordinates for localization purposes [18]. As highlighted in [14], forging LCI parameters is relatively simple from a practical standpoint, as it only requires modifying a file (on Linux systems). In contrast, timestamps are computed by the Digital Signal Processor (DSP) chip, which requires a higher level of control over the operating system to manipulate them.
When AP authentication is absent, an attacker may also inject false data into an existing FTM session between an initiator and a legitimate AP [11,16]. The initiator will accept these data if the attacker successfully spoofs the MAC address of the legitimate AP and transmits an FTM response frame with a valid token field. The token is a nonzero value included in a response frame, enabling the correlation of each response with the corresponding ACK returned by the initiator. It increments by one with each response, and the final response must include a zero token, indicating that no further measurements will be performed within the burst. Since FTM frames are not encrypted, an attacker can easily obtain the AP’s MAC address and the last token used in the session by eavesdropping on the communication channel.

2.2. Replay Attacks

The IEEE 802.11mc standard does not include mechanisms to prevent data replay and provide freshness, i.e., to ensure that the received information is “fresh” and does not belong to an old session. Consequently, if tokens are not generated in a secure way (e.g., the initial token always has the same value), an attacker could easily eavesdrop on an active FTM session, capture FTM frames, and retransmit them in a subsequent session. This allows the attacker to provide incorrect measurements to an initiator without the need to forge response frames [16].

2.3. Denial of Service (DoS)

As discussed in Section 2.1, an adversary can execute a DoS attack by injecting false data to make the location service unavailable. Erroneous measurements may disrupt the localization process to the extent that the initiator is prevented from estimating its position. However, DoS attacks can also be executed through other methods. For instance, an attacker may forge a response frame with the token field set to zero, prematurely terminating the FTM burst before all required measurements are completed [11].
APs support a limited number of concurrent FTM sessions, which varies based on manufacturer and device version. For example, the firmware versions of the Intel AX-200 and AX-210, used in [11], support up to 10 concurrent sessions, whereas earlier versions accommodate up to 32. Once this limit is reached, the AP rejects further FTM session requests. An attacker could exploit this limitation by initiating FTM procedures from multiple devices, thereby preventing STAs from obtaining their location.

2.4. Location Leakage of Initiating Stations

Since all the frames exchanged in an FTM session are transmitted in the clear, thus lacking data confidentiality, an adversary can eavesdrop on an ongoing FTM session and capture the $t_1$ and $t_4$ measurements reported by the AP. Under the assumption that (1) the initiator uses a fixed MAC address and (2) sufficient measurements from different APs are eavesdropped, an attacker might be able to estimate the initiator’s position.
To mitigate location information leakage, the passive TDOA technique proposed in [19] can be employed. This method enables a passive STA to determine its position by observing FTM measurements exchanged between an initiator and multiple APs (at least three). In [11], the authors extended this approach by proposing a hyperbolic solution for joint positioning; they conducted real-world experiments, demonstrating meter-level accuracy in position estimation. While these experiments focused on a simplified scenario where the passive STA is positioned between the initiator and the AP (i.e., along the transverse axis of the hyperbola), they provide valuable insights into the accuracy of passive self-positioning methods.
In this paper, we go a step further; we demonstrate that passive TDOA can also be exploited by an attacker, acting as a passive STA, to infer the position of an initiator, whatever the position of the attacker.

2.5. MAC Address Randomization Flaws

MAC addresses are unique identifiers, and therefore, they can be used to track users when transmitting data, thus violating their privacy. A common countermeasure is MAC address randomization, as recommended by the IEEE 802.11mc standard. However, the standard does not specify precise guidelines for performing randomization.
Many modern devices (e.g., Android smartphones) implement specific mechanisms to generate random MAC addresses for each new FTM session. However, some implementations (such as older Intel network cards) are insecure due to predictable randomization algorithms that generate the same sequence of addresses after a firmware reset [11]. Additionally, previous works such as [11,20] show that frame correlation under MAC randomization is feasible by performing side-channel attacks based on power measurements or sequence numbers.

2.6. Security Mechanisms in IEEE 802.11az

The IEEE 802.11az amendment for Enhancements for Positioning [13], released in 2023, aims to improve Wi-Fi FTM security. Notably, it introduces the so-called Pre-Association Security Negotiation (PASN), which enables an initiator to establish a secure session with an AP without requiring association, thereby protecting the FTM procedure from unauthorized observers. Through PASN, the initiator and AP agree on Pairwise Transient Key Security Association (PTKSA) and encryption/authentication algorithms (e.g., Advanced Encryption Standard (AES) in Counter with CBC-MAC mode (CCM), or Galois/Counter Mode (GCM)) to secure frame exchanges.
PASN can operate with or without AP authentication. In the authenticated mode, the initiator and the AP must share a pre-shared key (PSK) in advance, which is feasible in private networks but impractical in public venues [14]. In the unauthenticated mode, FTM messages are protected via encryption and integrity mechanisms, but PASN does not prevent attackers from establishing rogue FTM sessions and injecting false data. In [9], the authors propose a mechanism to select APs for the FTM procedure so that the probability of choosing rogue APs is minimized.
IEEE 802.11az also introduces the Secure Long Training Field (LTF), which enhances range estimation security using AES-128 pseudorandom sequences. This countermeasure is mainly targeted to secure proximity technologies, such as Near Field Communication (NFC), which can be vulnerable to Man In the Middle (MiTM) attacks or Time Advanced attacks.
Additionally, in order to prevent replay attacks, encrypted frames incorporate a Packet Number (PN), a field that is incremented with each transmission and authenticated by means of the authentication algorithm negotiated during the PASN.
Although these mechanisms address many security concerns in Wi-Fi RTT, their widespread adoption in COTS devices remains uncertain in the short term. Consequently, understanding the security vulnerabilities of IEEE 802.11mc and implementing appropriate countermeasures still remains critical.

3. Position Estimation by Eavesdropping on an FTM Session

This section describes a method that allows an attacker to infer the position of an STA (the victim, hereafter) by eavesdropping on the FTM procedure performed between the victim and a given number of APs. The method relies on the Wi-Fi passive TDOA algorithm presented in [19], in which a STA passively estimates its own position based on the FTM exchanges initiated by others. In this work, we turn the problem around and show that an attacker (A) can act as the passive station and take advantage of the above-mentioned algorithm.
We assume a Dolev–Yao model [21] for A, i.e., it is capable of eavesdropping on, intercepting, and forging any message, and it is only limited by the cryptographic methods used by the victim. Since IEEE 802.11mc control frames are transmitted in the clear, it is straightforward for an attacker to read the content of the FTM messages in the considered scenario. Also, another assumption is that the attacker is carrying out the attack with a laptop or a COTS device without significant constraints on CPU or memory resources.
Figure 3 depicts how the proposed attack works. The victim (V) initiates an FTM procedure by sending an FTM request that will be answered with an ACK by an AP (the responder (R) in our formulation). Then, an FTM frame and an ACK are sent so the timestamp of the former ($t_1$) and the time of arrival (TOA) of the latter ($t_4$) can be recorded at R, and reported back to the victim in the following frame $FTM(t_4, t_1)$. V can compute a precise RTT from Equation (1):
$(t_4 - t_1) = RTT + \delta = T_{RV} + T_{VR} + \delta \qquad (1)$
where $T_{ij}$ is the TOF from station i to station j, and $\delta$ is the time between the reception of an FTM at V until the corresponding ACK frame is sent (i.e., $t_3 - t_2$).
Due to the broadcast nature of the Wi-Fi medium, the frames exchanged between V and R will reach the attacker (A) as well. Hence, A also knows $t_4$ and $t_1$. In addition, A can set a precise measurement for the TOA of the FTM and ACK frames, leading to timestamps $t'_1$ and $t'_4$, and calculate the TDOA as follows:
$TDOA = (t'_4 - t'_1) = T_{RV} + \delta + T_{VA} - T_{RA} \qquad (2)$
where $t'_1$ involves the path from R to A and $t'_4$ the path from R to V and then from there to A.
As demonstrated in [19], by combining Equations (1) and (2) and assuming TOF measurements to be equal in both directions ($T_{ij} = T_{ji}$), Equation (2) can be rewritten as:
$(t'_4 - t'_1) = (t_4 - t_1) + T_{VA} - T_{RV} - T_{RA} \qquad (3)$
Note that $\delta$, which is unknown to the attacker, is then removed from the equation [19].
A single TDOA measurement ($t'_4 - t'_1$) defines a hyperbola of possible positions. In order to infer the position of the victim, the attacker needs to eavesdrop on several FTM sessions between V and different APs, and compute the corresponding TDOA measurements. From each measurement, an equation like Equation (3) can be derived, and time measurements can be turned into distances by multiplying both sides of the equations by c, the speed of light. As a result, Equation (3) can be rewritten as:
$d_{VA} - d_{RV} - d_{RA} = c \cdot \left( (t'_4 - t'_1) - (t_4 - t_1) \right) \qquad (4)$
where $d_{ij}$ is the Euclidean distance between devices i and j, i.e., $\sqrt{(x_i - x_j)^2 + (y_i - y_j)^2}$. Equation (4) defines the TDOA distance ($d_{TDOA}$ from now on).
Section 4.3 shows how to build an equation system suitable for use with a multilateration algorithm.
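The exchange of Figure 3 and Equations (1)–(4), as an added example that is not code from the paper: constructed positions for R, V and A, the timestamps each station records, the victim’s own range from the RTT computation of Section 2, and the attacker’s TDOA distance, which equals $d_{VA} - d_{RV} - d_{RA}$ whatever the victim’s turnaround delay $\delta$. Positions, delays and the symmetric-TOF assumption are constructed inputs.

```python
"""Added example for Figure 3 and Equations (1)-(4): constructed positions for R, V
and A, the timestamps each station records, and what the attacker can derive."""
import math

C = 299_792_458.0  # speed of light in m/s, used to turn times into distances


def dist(p, q):
    """Euclidean distance d_ij in metres between two (x, y) points."""
    return math.hypot(p[0] - q[0], p[1] - q[1])


def simulate_exchange(r, v, a, delta, t1=0.0):
    """One FTM/ACK pair between responder R and victim V, overheard by attacker A.

    r, v, a are (x, y) positions in metres; delta is the victim's turnaround
    (t3 - t2), which the attacker does not know; t1 is R's transmission time.
    TOFs are assumed symmetric (T_RV == T_VR), as in the paper.
    Returns the timestamps of Figure 3, the attacker's ones primed (t1p, t4p).
    """
    t_rv = dist(r, v) / C  # T_RV: FTM leg R -> V and ACK leg V -> R
    t_ra = dist(r, a) / C  # T_RA: FTM leg R -> A
    t_va = dist(v, a) / C  # T_VA: ACK leg V -> A
    t2 = t1 + t_rv         # FTM received at V
    t3 = t2 + delta        # ACK sent by V
    t4 = t3 + t_rv         # ACK received at R: Eq. (1), t4 - t1 = 2*T_RV + delta
    t1p = t1 + t_ra        # t1': FTM overheard at A
    t4p = t3 + t_va        # t4': ACK overheard at A, giving Eq. (2)
    return {"t1": t1, "t2": t2, "t3": t3, "t4": t4, "t1p": t1p, "t4p": t4p}


def victim_range(ts):
    """Section 2: V's distance to R from the reported (t1, t4) and its own
    (t2, t3): RTT = (t4 - t1) - (t3 - t2), one-way TOF = RTT / 2."""
    rtt = (ts["t4"] - ts["t1"]) - (ts["t3"] - ts["t2"])
    return C * rtt / 2


def attacker_tdoa_distance(ts):
    """Eq. (4): d_TDOA = c * ((t4' - t1') - (t4 - t1)).
    Uses only what A can observe: its own timestamps and the (t4, t1) pair
    that R reports to V in the clear in the next FTM frame."""
    return C * ((ts["t4p"] - ts["t1p"]) - (ts["t4"] - ts["t1"]))


def geometric_tdoa_distance(r, v, a):
    """Left-hand side of Eq. (4) written in distances: d_VA - d_RV - d_RA."""
    return dist(v, a) - dist(r, v) - dist(r, a)


def delta_cancels(r, v, a, deltas):
    """Largest deviation (m) of the attacker's Eq. (4) value from its geometric
    value over several turnaround delays: A never needs to know delta."""
    target = geometric_tdoa_distance(r, v, a)
    return max(abs(attacker_tdoa_distance(simulate_exchange(r, v, a, d)) - target)
               for d in deltas)
```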

4. Methodology

Currently, the restrictions imposed by vendors on their hardware make it difficult (if not impossible) to deploy a testbed and run the proposed attack with Wi-Fi COTS devices. On the one hand, the monitor mode must be enabled in the attacker’s Wi-Fi card, so that it can process the Wi-Fi management frames exchanged by other peers (i.e., FTM frames between the initiator and the APs). However, changing the 802.11 capture mode depends on the platform/network adapter/driver/libpcap [11]; moreover, the evaluation may be biased by the specific hardware used in the experiment, thus requiring complete deployment on several devices to obtain a realistic and generic performance estimation, as also observed in [19]. On the other hand, the attacker’s Wi-Fi card must enable fine timing measurement, which is necessary so that the attacker can store the timestamps ($t'_1$, $t'_4$, and $t'_5$ in Figure 3) with nanosecond precision; however, it is not clear whether this is possible when the initial FTM request is addressed to the initiator and not to the attacker. For these reasons, the positioning error analysis proposed in this paper was conducted through simulations in Python [22]. First, the simulation layout and parameters are described in Section 4.1. Moreover, two scenarios are considered: one named “Ideal”, where the possible errors that may occur when measuring the TDOA are considered to be negligible; the other one named “Real”, where an error is added to the TDOA estimations made by the attacker (A). The error model used in this study is described in Section 4.2, while the algorithm used to translate the TDOAs into a position is presented in Section 4.3.

4.1. Scenario and Simulations

A square area of side 16 m is considered, with four APs providing Wi-Fi coverage. The APs will be located near the corners at positions ($x_R$, $y_R$) (see Table 1), following the recommendations from Aruba [23], which suggests that the “distance between two APs should be approximately 40 to 60 feet”. For the victim’s (V) positions ($x_V$, $y_V$), a grid of 1 m side is defined, and V can only be placed in one of the points in the grid. Several layouts are considered, in which A and/or the APs are placed differently.
In layout 1, the attacker (A) is placed in one of the points in the grid ($x_A$, $y_A$). Since the APs are placed near the corners but not in the points of the grid, neither A nor V can overlap with them. This first layout is highly symmetrical, as the purpose is to observe whether and how the geometry may affect the precision of the position estimation in the first place. Then, a second layout (layout 2) is considered, where A is located randomly in the scenario, while leaving the other settings as in layout 1. In order to provide statistically relevant results, 500 random positions are considered.
In the first place, an ideal scenario is considered, where all the TDOA estimations can be easily translated into distances by multiplying them by the speed of light. This ideal scenario is investigated for layouts 1 and 2. However, a more realistic scenario is also considered, where an error is added to the TDOA estimation, as described in Section 4.2.
The methodology followed in this paper is summarized in Figure 4. For each layout and scenario, the simulation starts with V placed in the first position of the grid (e.g., (0, 0)), and A in the first position according to the selected layout (e.g., (0, 0) in layout 1, or in the first of the 500 random positions in layout 2); the position of V is estimated according to the procedure explained in Section 4.3. Then, A is moved to another position depending on the layout, and the position of V is estimated again. Once all the possible positions of A in the layout are considered, then V is moved to the second position (e.g., (0, 1)), and again A repeatedly moves through all the points defined in the selected layout. This is repeated again, until V is placed in the last possible position of the grid (e.g., (16, 16)).
Before providing the details on how the position of the victim is estimated, the error model used in the realistic scenario is described in Section 4.2.

4.2. Error Estimation

Equation (4) defines the TDOA measurement performed at the attacker in an ideal scenario with no errors. Under the presence of errors, Equation (4) can be rewritten as follows:
$d_{TDOA} = c \cdot \left( (t'_4 - t'_1) - (t_4 - t_1) + \epsilon \right) \qquad (5)$
where $\epsilon$ can be computed as the error in the TDOA measurement $(t'_4 - t'_1)$ minus the error in the rough RTT measurement $(t_4 - t_1)$. As in [19], measurement errors are modeled as additive noise to the TOF values used to compute both the RTT and the TDOA measurements considered in Figure 3. Such errors mainly depend on the hardware used and the propagation model; in indoor environments, signals are prone to be affected by multipath or degraded due to propagation and obstacles [24]. According to the experimental studies conducted in line of sight (LOS) conditions in [19], the TOF measurement error can be modeled as a zero-mean Gaussian distribution, with a distance-dependent standard deviation as in Equation (6):
$\epsilon_{tof} = \begin{cases} \sigma_0 \left( \log^{-1}(1.1) - 0.4427 \right) & \text{if } d \le 1.1\ \text{m} \\ \sigma_0 \left( \log^{-1}(d) - 0.4427 \right) & \text{if } 1.1\ \text{m} < d \le 2\ \text{m} \\ \sigma_0 \left( 1 + \log(d - 1) \right) & \text{if } d > 2\ \text{m} \end{cases} \qquad (6)$
where $\sigma_0 = 10^{-9}$ is the reference standard deviation, and d is the distance between the two devices involved in the TOF measurement.
While the assumption of LOS conditions is common, it does not always hold in real-world scenarios. A study in [25] found that Wi-Fi TOF ranging estimates, taken at 5 GHz with an 80 MHz bandwidth, remain unaffected by non-line of sight conditions at distances of up to 20 m. However, according to the authors, beyond this range, increasing the density of APs can enhance the reliability of distance measurements. In this study, we adopted the error model presented in Equation (6), leaving the impact of additional complexities, such as non line of sight (NLOS) conditions, for future research.

4.3. Position Estimation

According to the methodology summarized in Figure 4, the position of the victim V can be estimated once the position of the APs and of the attacker A are set. Thus, the following parameters are considered to be known:
  • The attacker’s position $(x_A, y_A)$;
  • The position of the $k$ APs $(x_{R_k}, y_{R_k})$;
  • The timestamps at which the FTM is sent by each AP (i.e., $t_{1R_k}$, $t_{5R_k}$, etc.);
  • The timestamps at which the FTM, sent by each AP, is received at A (i.e., $t'_{1R_k}$, $t'_{5R_k}$, etc.);
  • The timestamps at which the ACK, sent by V, is received at each AP (i.e., $t_{4R_k}$);
  • The timestamps at which the ACK, sent by V to each AP, is received at A (i.e., $t'_{4R_k}$).
Note that according to these assumptions, the coordinates of V are the only unknowns in Equation (5). Thus, at least three TDOA measurements will be needed (two of them to determine the victim’s coordinates, and an additional measurement to avoid the quadratic ambiguity), leading to a system of three hyperbolic equations with two unknowns.
As reported in [26], a Least Squares (LS) algorithm is typically used for positioning. We adapt Equation (1) in [26] to our situation, where the estimated distance is the TDOA distance instead. From the estimated distances $d_{TDOA_k}$ derived from each measurement (i.e., Equation (5)) and the known positions $(x_{R_k}, y_{R_k})$ and $(x_A, y_A)$ of each AP $k$ and of A, respectively, the position $(x_V, y_V)$ of the victim can be calculated by finding the $(\hat{x}, \hat{y})$ that satisfy:
$$(\hat{x}, \hat{y}) = \underset{x_V, y_V}{\arg\min} \sum_{k=1}^{N} \left( \sqrt{(x_V - x_A)^2 + (y_V - y_A)^2} - \sqrt{(x_{R_k} - x_V)^2 + (y_{R_k} - y_V)^2} - d_{R_k A} - d_{TDOA_k} \right)^2 \tag{7}$$
The least_squares SciPy function [27] was used in this work to solve this system of quadratic equations; the function requires an Initial Guess (IG) (i.e., $(x_{V_0}, y_{V_0})$) for the position of the victim as input. Typically, as the positions of the APs are known, the IG is set to their centroid. Also, the solution space was bounded in this study, considering that the nature of the Wi-Fi signal imposes a maximum distance at which A is still able to eavesdrop on the FTM frames exchanged between V and the APs. While the distances between A and each AP are bounded by the simulation area itself, the estimated position of V may be searched for outside of it, provided it is not too far from A (i.e., so that the Wi-Fi signal is still received correctly at A). Thus, the search space for $x_V$ and $y_V$ is limited to a maximum distance from $x_A$ and $y_A$, respectively, equal to the maximum distance allowed in the simulation area, i.e., $16\sqrt{2}$ m. The default tolerance for the termination of the iterative search process in SciPy was used in this work (i.e., $10^{-8}$). While tuning this parameter may lead to more precise estimations, it is beyond the scope of this work and is left for future work.
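As an added example (not the paper's own simulation code), the following Python reproduces one run of the procedure of Sections 4.2 and 4.3 so that the effect of the error model on the position error can be observed: it generates the timestamps A would overhear for a constructed victim position, computes $d_{TDOA}$ per AP as in Equation (5), optionally perturbs every TOF with the noise of Equation (6), and minimises Equation (7) from the centroid IG within the $16\sqrt{2}$ m bound. The solver is a small hand-written Levenberg-Marquardt loop standing in for scipy.optimize.least_squares; the victim and attacker coordinates, the 100 µs turnaround delay and the reading of log as the natural logarithm are assumptions.

```python
import math
import random

C = 299_792_458.0                # speed of light [m/s]
SIGMA0 = 1e-9                    # reference TOF standard deviation [s], Equation (6)
MAX_DIST = 16.0 * math.sqrt(2)   # search bound around the attacker [m], Section 4.3
APS = [(0.1, 0.1), (0.1, 15.9), (15.9, 15.9), (15.9, 0.1)]   # AP positions, Table 1
IG = (8.0, 8.0)                  # initial guess: centroid of the four APs


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def tof_std(d):
    """TOF standard deviation of Equation (6) for a link of length d [m].
    Assumption: 'log' is the natural logarithm, which makes the branches
    meet at d = 2 m (1/ln 2 - 0.4427 = 1)."""
    if d <= 1.1:
        return SIGMA0 * (1.0 / math.log(1.1) - 0.4427)
    if d <= 2.0:
        return SIGMA0 * (1.0 / math.log(d) - 0.4427)
    return SIGMA0 * (1.0 + math.log(d - 1.0))


def eavesdropped_tdoa(victim, attacker, aps=APS, rng=None, proc_delay=100e-6):
    """d_TDOA of Equation (5) for every AP, as the eavesdropper A computes it.
    One true timeline: t1 = FTM sent by the AP, t4 = ACK received at the AP
    (both carried in the clear in later frames), t1p / t4p = FTM / ACK heard
    at A. With rng set, every TOF gets zero-mean Gaussian noise with the std
    of Equation (6). proc_delay is a constructed victim turnaround t3 - t2."""
    def tof(d):
        return d / C + (rng.gauss(0.0, tof_std(d)) if rng is not None else 0.0)

    d_va = dist(victim, attacker)
    out = []
    for ap in aps:
        d_rv, d_ra = dist(ap, victim), dist(ap, attacker)
        t1 = 0.0
        t3 = t1 + d_rv / C + proc_delay   # ACK leaves the victim (cancels below)
        t4 = t3 + tof(d_rv)               # ACK arrives at the AP
        t1p = t1 + tof(d_ra)              # FTM arrives at A
        t4p = t3 + tof(d_va)              # ACK arrives at A
        out.append(C * ((t4p - t1p) - (t4 - t1)))
    return out


def residuals(est, tdoa, attacker, aps=APS):
    """Residuals of Equation (7) at est = (x, y) and their Jacobian rows."""
    d_va = max(dist(est, attacker), 1e-12)
    r, jac = [], []
    for ap, d_tdoa in zip(aps, tdoa):
        d_rv = max(dist(ap, est), 1e-12)
        r.append(d_va - d_rv - dist(ap, attacker) - d_tdoa)
        jac.append(((est[0] - attacker[0]) / d_va - (est[0] - ap[0]) / d_rv,
                    (est[1] - attacker[1]) / d_va - (est[1] - ap[1]) / d_rv))
    return r, jac


def estimate_victim(tdoa, attacker, aps=APS, ig=IG, tol=1e-8, max_iter=200):
    """Minimise Equation (7) with a small Levenberg-Marquardt loop (stand-in for
    scipy.optimize.least_squares), clamped to MAX_DIST around the attacker."""
    def clamp(p):
        return tuple(min(max(p[i], attacker[i] - MAX_DIST), attacker[i] + MAX_DIST)
                     for i in range(2))

    est = clamp(ig)
    r, jac = residuals(est, tdoa, attacker, aps)
    cost, lam = sum(v * v for v in r), 1e-3
    for _ in range(max_iter):
        # (J^T J + lam * diag(J^T J)) delta = -J^T r, a 2x2 system solved by Cramer's rule
        a = sum(j[0] * j[0] for j in jac) * (1.0 + lam)
        b = sum(j[0] * j[1] for j in jac)
        d = sum(j[1] * j[1] for j in jac) * (1.0 + lam)
        g0 = sum(j[0] * v for j, v in zip(jac, r))
        g1 = sum(j[1] * v for j, v in zip(jac, r))
        det = a * d - b * b
        if abs(det) < 1e-300:
            break
        cand = clamp((est[0] + (b * g1 - g0 * d) / det, est[1] + (b * g0 - g1 * a) / det))
        r_c, jac_c = residuals(cand, tdoa, attacker, aps)
        cost_c = sum(v * v for v in r_c)
        if cost_c < cost:                 # accept: trust the Gauss-Newton model more
            step = dist(cand, est)
            est, r, jac, cost, lam = cand, r_c, jac_c, cost_c, max(lam / 10.0, 1e-12)
            if step < tol:
                break
        else:                             # reject: damp harder (towards gradient descent)
            lam *= 10.0
            if lam > 1e12:
                break
    return est


def position_error(victim, attacker, seed=None):
    """Error [m] of A's estimate of V; seed=None is the ideal (noise-free) scenario."""
    rng = random.Random(seed) if seed is not None else None
    est = estimate_victim(eavesdropped_tdoa(victim, attacker, rng=rng), attacker)
    return dist(est, victim)


if __name__ == "__main__":
    v, a = (3.0, 5.0), (12.0, 4.0)   # constructed victim and attacker positions
    print("ideal scenario, position error [m]:", round(position_error(v, a), 6))
    print("noisy scenario, position error [m]:", round(position_error(v, a, seed=1), 3))
```

Looping position_error over the grid of Table 1 and over random attacker positions gives the statistics of Tables 2 and 3 for this solver; the cases the paper flags (V, A and the IG aligned) are where the 2x2 normal equations become ill-conditioned.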

5. Results

This section presents the error incurred in the estimation of the position of the victim V, depending on its location in the grid. First, an ideal scenario is considered, where no error is added to the RTT measurements eavesdropped by the attacker A. The results in Section 5.1 are intended to set a threshold on the best resolution we may achieve, by also avoiding specific geometries that may negatively impact the LS positioning method. Section 5.2 shows how the precision is affected by the error in the RTT measurements.

5.1. Ideal Scenario

As described in Section 4.3, an IG for the position of the victim is needed in order to start the LS algorithm. Typically, the IG is selected as the centroid of the APs, whose positions are known. First, this strategy was applied to the layout proposed in this work, so the IG was set at (8.0, 8.0). Table 2 summarizes the main statistics obtained under ideal conditions with different layouts; in layout 1, the average positioning error is around 1.5 cm with a standard deviation (STD) of 27.19 cm; the median error is even lower, 2.5 mm, and the root mean squared error (RMSE) is 27.23 cm, thus showing very accurate estimations in most cases. However, the maximum error can be as high as 11.76 m. Since no errors in the RTT measurements are considered in this ideal scenario, further investigation is needed into why such a high maximum positioning error is observed.
The RMSE for each position of the victim in the grid in layout 1 is plotted as a heatmap in Figure 5 on the left; green represents an RMSE below 20 cm and blue represents an RMSE of 1.2 m. Whenever V is on the same line as two APs (i.e., the diagonals), the RMSE increases as V gets closer to one of the APs; however, the same happens whenever V shares one coordinate with the IG (i.e., the “blue cross” in Figure 5 on the left). A deeper analysis of the results shows that whenever V, A, and the IG are aligned (and specifically in this order), the precision drops (i.e., the RMSE increases). That is, while most of the time the attacker is able to accurately locate the victim, sometimes it struggles and may incur very high errors, even under ideal conditions. While an exact solution should be feasible under ideal conditions, these findings highlight the fact that, due to the Geometric Dilution of Precision (GDoP) in the perfectly symmetric layout 1, on certain occasions we may need higher computational power in order to estimate the position with higher precision. However, tuning the tolerance of the LS is out of the scope of this paper, and it is left for future work. Since no errors are considered in this ideal scenario, further investigation on how to avoid such high errors is mandatory.
It is worth noting that guaranteeing that V, A, and the IG are not aligned is only possible in the simulation scenario, since in practice the position of the victim is unknown. Two possible workarounds were investigated, which led to very similar results. In the first place, the IG was moved to a point that is not on the same line as A and V in layout 1 (i.e., (8.1, 7.8)). This first approach is referred to as layout 1b. However, this is not a solution that can be applied in real deployments because the position of V is unknown; moreover, considering that this perfect alignment rarely appears in real scenarios where the devices involved are not constrained to the grid, the probability of positioning errors as high as the ones observed in Figure 5 on the left is expected to be very low in real scenarios. To prove this, layout 2 was simulated; again, the victim can take any position on the grid, and the IG is at the centroid of the four APs, while the attacker is randomly positioned in the area. In this way, the probability that V, A, and the IG are aligned is very low. Under these circumstances, better statistics for the error are observed in Table 2 in both layout 1b and layout 2, compared to layout 1. For instance, the maximum error drops from 11.76 m to less than 16 cm, and the RMSE from 27 cm to less than 1 cm. The heatmap of the RMSE depicted in Figure 5 on the right shows very low values (i.e., under 1 cm) for most of the victim’s locations in the grid. Still, we can observe that when the victim is located in one of the corners, the RMSE increases to 8 cm. A very similar figure is obtained for layout 1b, and it is not shown to avoid redundancy.
The cumulative distribution function (CDF) of the position error in layout 2 is depicted in Figure 6. Overall, for all the layouts analyzed in the ideal scenario, the probability that the position error is lower than 1 cm is 99% (see Table 2); plus, in layout 2, it is lower than 0.49 cm at 95%.
It is important to recall here that, as soon as errors are present in the TOF estimations, the position errors detailed in this section are expected to increase. The results observed so far are useful as a benchmark for the best-case scenario we may expect under the given conditions.

5.2. Errors in the Estimated FTMs

While the ideal scenario presented in Section 5.1 helps us understand whether there are geometries that may affect the precision when estimating the position of the victim, it is interesting to observe whether an attacker would be able to infer the position of the victim even when the FTM messages that A overhears carry some noise (i.e., the RTT measurements cannot be thought of simply as “distance” [28]). For this, the error model presented in Section 4.2 is applied to the timestamps that the attacker estimates.
Table 3 shows an increase in all the statistics compared to the ideal scenario in Table 2; as expected, the estimation of the position of the victim is less accurate and less precise. Again, layout 1b and layout 2 show very similar results; the RMSE is around 54 cm, and the maximum error observed is around 1.78 m. Yet, on average, the position of the victim can be inferred with very good accuracy (i.e., the average and the median are both around 51–52 cm).
The distribution of these statistics on the grid is shown in Figure 7, where each point represents the statistics observed at the specific position of the victim once averaged over all the possible attacker’s positions. That is, at point (0, 0), wherever on the grid the attacker is, it can estimate that the victim is actually at point (0, 0) with a maximum error of 70 cm (green color in the top-right plot) and an average error of 30 cm (green color in the bottom-left plot). Such accurate estimations can be observed whenever the victim is almost in the same position as one of the APs (i.e., in the corners). However, when V is on the borders of the area (i.e., any point with $x_{V_{real}} = 0$ or 16, or with $y_{V_{real}} = 0$ or 16), the RMSE and the average error increase (dark blue colors in the top-left or bottom-left plots, respectively). Also, when V is 1 m away from one of the corners (e.g., at (1, 0), (0, 1), (0, 15), etc.), the precision of the estimation drops: the highest values for the RMSE (up to 61 cm) and the STD (up to 35 cm) are observed, together with the highest maximum error (up to 1.78 m, represented by the dark blue color in the top-right plot). We can conclude that, in this case, the geometry between A and V affects the results. For the rest of the points in the grid, both the accuracy and the precision of the estimate are more or less the same, with a slight improvement (better average error and RMSE, and lower maximum error) when V is located on the diagonal that links AP1 with AP3, or AP2 with AP4.
To better understand how the geometry between A and V has an impact on the position estimation made by the attacker, we observe how the position error evolves while A moves on the grid, with V placed 1 m away from one corner. For this analysis, we have to use layout 1b, where the IG is at (8.1, 7.8). Figure 8 depicts the position error when V is at (1, 0) as a function of where A is located in each point of the grid. Clearly, the worst estimations are related to the GDoP caused by having AP1, AP4, A, and V on the same line; that is, in this case, when A is at any point with $y_A = 0$ or 1, except when A is at the same position as V (i.e., (1, 0)).
The CDF of the position error is depicted in Figure 9 for layout 2. Overall, in the real scenario, the probability that the position error is lower than 1 m is 99%, and it is lower than 74 cm in 95% of the cases. However, in 1% of the cases, one may incur higher errors, up to 1.78 m. Again, these values may decrease when tuning the tolerance for the termination of the iterative search process; however, this is out of the scope of this paper.
Another key parameter for assessing the feasibility of the interception attack analyzed in this paper on current devices is the time required for the attacker to estimate the position of the victim. However, since this time may depend on several parameters, such as the hardware used, Table 3 instead presents the increase in time observed in the real scenario with respect to that obtained in the ideal one (see Δ Time). On average, the percentage increase in the execution time with respect to the ideal scenario is 26%. Moreover, the variability increases considerably, with maximum times that can be up to 2.8 times longer in the worst case. As a reference, the time taken by A to estimate V’s position with layout 2 under realistic conditions is 613 ms (99th percentile), while almost 5 s may be needed in the worst case; these times were obtained when running the simulations on a laptop with an Intel Core i9 CPU at 2.40 GHz and 32 GB of RAM. Depending on the device on which the proposed attack is performed, in realistic scenarios the computational cost of the execution may increase and thus limit the precision achieved. However, a deeper analysis of the execution time is out of the scope of this paper and left for future work.

6. Conclusions

The Wi-Fi positioning method based on the exchange of FTM frames between peers has recently been made available in Android devices by Google. However, since the initial FTM request can be sent without the need for previous authentication, the method is prone to several vulnerabilities. On top of that, the FTM measurements are sent in the clear, paving the way for an intruder to eavesdrop on this information.
In this paper, we are interested in assessing to what extent this information is sensitive. Is it just a matter of “someone else has my own FTM messages”, or may the intruder determine my position by means of such information? And if so, how precise can its estimation be? To this end, a number of simulations were conducted with Python, which prove the feasibility of the attack. A square room with four APs was considered, located at the corners at a distance of 16 m up to 22.6 m from each other; the latter is also the maximum distance between the victim and the attacker. In the first place, an ideal scenario was considered in order to estimate the highest precision that can be obtained with the multilateration algorithm. Under the assumption of no measurement errors and with the default tolerance for the termination of the search method, the RMSE ranges from 9 mm to 27 cm, depending on the layout considered. Also, the symmetrical layout sheds light on the precision drop under particular GDoP conditions.
Under more realistic conditions, i.e., with noisy RTT measurements and with randomly located devices, simulation results show that the position error is lower than 1 m in 99% of the cases, with an RMSE of 54 cm. These preliminary results highlight the fact that FTM-based location represents a serious threat to the privacy of users and poses the need for immediate solutions until COTS devices support IEEE 802.11az.
A potential countermeasure to the attack described in this paper could be to set up a dedicated node in the network infrastructure to act as an active station, so that regular users can passively obtain their position [19], i.e., without needing to send any frames and thus without disclosing location information. However, this approach can be vulnerable to other attacks, such as the impersonation of the dedicated node. In the future, we aim to assess the precision of the attack when the malicious node has no knowledge of its own position.

Author Contributions

Conceptualization, E.Z. and O.L.; methodology, E.Z. and O.L.; software, E.Z.; validation, E.Z. and O.L.; investigation, E.Z. and O.L.; resources, E.Z. and O.L.; writing—original draft preparation, E.Z. and O.L.; writing—review and editing, E.Z. and O.L.; funding acquisition, E.Z. and O.L. All authors have read and agreed to the published version of the manuscript.

Funding

This research was partially supported by the funds from the Recovery, Transformation, and Resilience Plan, funded by the European Union (Next Generation), under the auspices of the INCIBE Cybersecurity Chair named CARISMATICA; and by the Generalitat de Catalunya under grant 2021-SGR-00594.

Data Availability Statement

Data is contained within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Farahsari, P.S.; Farahzadi, A.; Rezazadeh, J.; Bagheri, A. A Survey on Indoor Positioning Systems for IoT-Based Applications. IEEE Internet Things J. 2022, 9, 7680–7699.
  2. Pettorru, G.; Pilloni, V.; Martalò, M. Trustworthy Localization in IoT Networks: A Survey of Localization Techniques, Threats, and Mitigation. Sensors 2024, 24, 2214.
  3. Sartayeva, Y.; Chan, H.C. A survey on indoor positioning security and privacy. Comput. Secur. 2023, 131, 103293.
  4. Asaad, S.M.; Maghdid, H.S. A Comprehensive Review of Indoor/Outdoor Localization Solutions in IoT era: Research Challenges and Future Perspectives. Comput. Netw. 2022, 212, 109041.
  5. Hamim, M.; Paul, S.; Hoque, S.I.; Rahman, M.N.; Baqee, I.A. IoT Based Remote Health Monitoring System for Patients and Elderly People. In Proceedings of the 2019 International Conference on Robotics, Electrical and Signal Processing Techniques (ICREST), Dhaka, Bangladesh, 10–12 January 2019; pp. 533–538.
  6. Dai, J.; Wang, M.; Wu, B.; Shen, J.; Wang, X. A Survey of Latest Wi-Fi Assisted Indoor Positioning on Different Principles. Sensors 2023, 23, 7961.
  7. IEEE Std 802.11-2016 (Revision of IEEE Std 802.11-2012); IEEE Standard for Information Technology—Telecommunications and Information Exchange Between Systems Local and Metropolitan Area Networks—Specific requirements—Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE: New York, NY, USA, 2016; pp. 1–3534.
  8. Chatzisofroniou, G.; Kotzanikolaou, P. Exploiting WiFi Usability Features for Association Attacks in IEEE 802.11: Attack Analysis and Mitigation Controls. J. Comput. Secur. 2022, 30, 357–380.
  9. Jerome, H.; Yann, B.; Romaric, L.; Nicolas, M. Reducing FTM Ranging and Location Attack Exposure with Crowd-wisdom. In Proceedings of the IPIN 2021: 9th International Conference on Indoor Positioning and Indoor Navigation, Lloret de Mar, Spain, 29 November–2 December 2021; pp. 1–16.
  10. Wu, Y.; He, M.; Li, W.; Jian, I.Y.; Yu, Y.; Chen, L.; Chen, R. Wi-Fi Fine Time Measurement–Principles, Applications, and Future Trends: A Survey. Inf. Fusion 2025, 118, 102992.
  11. Schepers, D.; Ranganathan, A. Privacy-Preserving Positioning in Wi-Fi Fine Timing Measurement. In Proceedings of the Privacy Enhancing Technologies, Sydney, Australia, 11–15 July 2022; pp. 325–343.
  12. Cavoukian, A. Privacy by Design: The Definitive Workshop. A Foreword by Ann Cavoukian, Ph.D. Identity Inf. Soc. (IDIS) 2010, 3, 247–251.
  13. IEEE Std 802.11az-2022 (Amendment to IEEE Std 802.11-2020 as Amended by IEEE Std 802.11ax-2021, IEEE Std 802.11ay-2021, IEEE Std 802.11ba-2021, and IEEE Std 802.11-2020/Cor 1-2022); IEEE Draft Standard for Information technology—Telecommunications and Information Exchange Between Systems Local and Metropolitan Area Networks—Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications—Amendment 4: Enhancements for positioning. IEEE: New York, NY, USA, 2023; pp. 1–248.
  14. Henry, J.; Busnel, Y.; Ludinard, R.; Montavont, N. Ranging and Location Attacks on 802.11 FTM. In Proceedings of the 2021 IEEE 32nd Annual International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC), Helsinki, Finland, 13–16 September 2021; pp. 1481–1486.
  15. Zola, E.; Martin-Escalona, I. Assessing the Impact of the Burst Size in the FTM Ranging Procedure in COTS Wi-Fi Devices. Comput. Commun. 2025, 229, 107980.
  16. Schepers, D.; Singh, M.; Ranganathan, A. Here, there, and everywhere: Security analysis of wi-fi fine timing measurement. In Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec ’21, Abu Dhabi, United Arab Emirates, 28 June–2 July 2021; pp. 78–89.
  17. Singh, G.; Pandey, A.; Prakash, M.; Andreoni, M.; Baddeley, M. Benchmarking and Security Considerations of Wi-Fi FTM for Ranging in IoT Devices. In Proceedings of the Cyber-Physical Systems and Internet of Things Week 2023, CPS-IoT Week ’23, San Antonio, TX, USA, 9–12 May 2023; pp. 67–71.
  18. Henry, J. Indoor Location: Study on the IEEE 802.11 Fine Timing Measurement Standard. Ph.D. Thesis, IMT Atlantique, Rennes, France, 2021. Available online: https://theses.hal.science/tel-03528701 (accessed on 22 March 2025).
  19. Martin-Escalona, I.; Zola, E. Passive Round-Trip-Time Positioning in dense IEEE 802.11 networks. Electronics 2020, 9, 1193.
  20. Tan, J.; Gary Chan, S.H. Efficient Association of Wi-Fi Probe Requests under MAC Address Randomization. In Proceedings of the IEEE INFOCOM 2021—IEEE Conference on Computer Communications, Vancouver, BC, Canada, 10–13 May 2021; pp. 1–10.
  21. Dolev, D.; Yao, A. On the Security of Public Key Protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208.
  22. Python 3.12.3. Available online: https://www.python.org/downloads/release/python-3123/ (accessed on 6 April 2025).
  23. Aruba Wi-Fi 6 Networks Deployment Guide. Available online: https://www.hpe.com/psnow/doc/a00106565en_us (accessed on 3 November 2024).
  24. Lu, B.; Wang, M.; Wen, W.; Zhang, Y. Improving FTM Ranging Accuracy Based on DNN for UAV Localization. IEEE Internet Things J. 2024, 11, 21287–21298.
  25. Ibrahim, M.; Liu, H.; Jawahar, M.; Nguyen, V.; Gruteser, M.; Howard, R.; Yu, B.; Bai, F. Verification: Accuracy Evaluation of WiFi Fine Time Measurements on an Open Platform. In Proceedings of the 24th Annual International Conference on Mobile Computing and Networking, MobiCom ’18, New Delhi, India, 29 October–2 November 2018; pp. 417–427.
  26. Chen, Y.; Francisco, J.A.; Trappe, W.; Martin, R.P. A Practical Approach to Landmark Deployment for Indoor Localization. In Proceedings of the 2006 3rd Annual IEEE Communications Society on Sensor and Ad Hoc Communications and Networks, Reston, VA, USA, 28 September 2006; Volume 1, pp. 365–373.
  27. Scipy API: Least Squares. Available online: https://docs.scipy.org/doc/scipy/reference/generated/scipy.optimize.least_squares.html (accessed on 18 September 2024).
  28. Horn, B.K. Doubling the Accuracy of Indoor Positioning: Frequency Diversity. Sensors 2020, 20, 1489.
Figure 1. The IEEE 802.11mc procedure. An initiator sends an initial FTM request to a responder; after the reception of the ACK, the fine timing measurements start, in which the two devices timestamp the transmission or reception of the FTM and ACK frames. In the end, the initiator is able to compute the round-trip time between the two devices.
Figure 2. FTM request frame format. Only the most significant parameters according to our discussion are detailed here. Further details can be found in [7].
Figure 3. Example of how a malicious IEEE 802.11mc user (attacker, A) may overhear FTM messages and guess the position of the victim (V). Notice that neither A nor V have to be associated with the AP (responder, R).
Figure 4. Methodology followed for the simulation setup. First, the layout and the scenario are selected, with 4 APs positioned accordingly. Then, the attacker and the victim are iteratively positioned in all the positions defined in the layout, and the location of the victim is estimated with Equation (7).
Figure 5. Heatmap of the RMSE (in meters) of the position estimation of the victim for each possible point in the grid where the victim is located, under the ideal scenario. $x_{V_{real}}$ (in meters) on the x axis, and $y_{V_{real}}$ (in meters) on the y axis. Layout 1 on the left, layout 2 on the right.
Figure 6. Cumulative distribution of the position error (in meters) for the ideal scenario in layout 2 (in blue). The 95th percentile in red, the 99th in black.
Figure 7. Heatmaps of different statistics of the position estimation for each possible position where the victim is located, in the realistic scenario for layout 2. $x_{V_{real}}$ (in meters) on the x axis, and $y_{V_{real}}$ (in meters) on the y axis. Attacker in all the possible positions in the grid. In counter-clockwise order (in meters): the RMSE, the maximum error, the average, and the standard deviation.
Figure 8. Heatmap with the position error (in meters) when V is at (1, 0) and the attacker in all the possible positions in the grid, in the real scenario in layout 1b. $x_A$ (in meters) on the x axis, and $y_A$ (in meters) on the y axis.
Figure 9. Cumulative distribution of the position error (in meters) for the realistic scenario with layout 2 (in blue). The 95th percentile in red, the 99th in black.
Table 1. Simulation layouts and parameters: position coordinates of the victim $(x_{V_{real}}, y_{V_{real}})$, of the APk $(x_{R_k}, y_{R_k})$, and of the attacker $(x_A, y_A)$; a real and/or ideal scenario is also considered for each layout.
Layout | Position | Values | Scenario
1, 2 | $(x_{V_{real}}, y_{V_{real}})$ | [(0, 0), (0, 1), ⋯, (0, 16), (1, 0), ⋯, (16, 16)] (249 points on the grid for V) |
1, 2 | $(x_{R_k}, y_{R_k})$ | AP1 = (0.1, 0.1); AP2 = (0.1, 15.9); AP3 = (15.9, 15.9); AP4 = (15.9, 0.1) |
1 | $(x_A, y_A)$ | [(0, 0), (0, 1), ⋯, (0, 16), (1, 1), ⋯, (1, 16), (2, 2), ⋯, (16, 16)] (153 points on the grid for A) | Ideal
2 | $(x_A, y_A)$ | 500 random positions for A | Ideal and Real
Table 2. Position error under the ideal scenario with different layouts. Several statistics are computed: average error, the median, the standard deviation (STD), the maximum error observed, the RMSE, and the 99th percentile of the error. All values in meters.
Layout | IG | Average | Median | STD | Max | RMSE | 99th Perc
1 | (8.0, 8.0) | 0.0154 | 0.0025 | 0.2719 | 11.7562 | 0.2723 | 0.010
1b | (8.1, 7.8) | 0.0028 | 0.0022 | 0.0083 | 0.1571 | 0.0087 | 0.010
1b, error when V = A | (8.1, 7.8) | 0.0008 | 0.0007 | 0.0008 | 0.0029 | |
2 | (8.0, 8.0) | 0.0029 | 0.0022 | 0.0088 | 0.1571 | 0.0093 | 0.008
Table 3. Position error under the realistic scenario and different layouts. The increment in the execution time with respect to the ideal scenario is also shown.
Layout | IG | Statistic | Average | Median | STD | Max | RMSE [m]
1b | (8.1, 7.8) | Error [m] | 0.5214 | 0.5067 | 0.1467 | 1.7543 | 0.5416
1b | (8.1, 7.8) | Δ Time [%] | 24.4 | 6.52 | 11.1 | 158.7 |
2 | (8.0, 8.0) | Error [m] | 0.5207 | 0.5078 | 0.1395 | 1.7779 | 0.5391
2 | (8.0, 8.0) | Δ Time [%] | 26.0 | 5.13 | 36.4 | 179.2 |
Share and Cite

MDPI and ACS Style

Zola, E.; León, O. How Precisely Can One Infer the Position of a Wi-Fi RTT Device by Eavesdropping on Its FTM Frames? Electronics 2025, 14, 1540. https://doi.org/10.3390/electronics14081540