Abstract: Ultra-wideband (UWB) ranging systems are increasingly deployed in critical, security-sensitive applications due to their precise positioning and secure ranging capabilities. In this work, we introduce a practical DoS attack via reactive jamming, referred to as UWBAD+, which targets commercial UWB ranging systems by exploiting the vulnerabilities of the normalized cross-correlation process. This allows UWBAD+ to selectively and effectively disrupt ranging sessions without requiring prior knowledge of the victim devices’ configurations, leading to potentially severe consequences, such as property loss, unauthorized access, or vehicle theft. The enhanced effectiveness and low detectability of UWBAD+ stem from the following: (i) it can rapidly sniff the physical layer structures of unknown UWB systems, even in the presence of multiple UWB devices operating simultaneously; (ii) it blocks each ranging session efficiently by employing field-level jamming, thus exerting a significant impact on commercial UWB ranging systems; and (iii) it has a compact, reactive, and selective design based on COTS UWB chips, which makes it both affordable and less noticeable. We successfully executed real-world attacks on commercial UWB ranging systems produced by the three largest UWB chip vendors in the market, including Apple, NXP, and Qorvo. We disclosed our findings to Apple, relevant Original Equipment Manufacturers (OEMs), and the Automotive Security Research Group. As of the time of writing, the involved OEM has acknowledged this vulnerability in their automotive systems and has issued a $5,000 bounty as a reward.
External IDs: dblp:journals/tmc/ZhangYCWCLYXLZLJS25