wifi-ftm's Introduction

Wi-Fi Fine Timing Measurement

Wi-Fi Fine Timing Measurement (FTM) enables two stations to estimate the physical distance between them.

We provide tools to experiment with the protocol, and keep track of its support and security vulnerabilities.

Hardware and Support

We confirmed support on hardware from a variety of vendors, and track its adoption rates in practice.

For more information, see Wi-Fi FTM Hardware and Wi-Fi FTM Survey.

Security and Privacy

We identified vulnerabilities and weaknesses compromising the security and privacy of Wi-Fi FTM.

We keep track of these, together with any CVE Identifiers and vendor security updates.

For more information, see Wi-Fi FTM Security and Privacy.

Code

We provide a number of tools to experiment with the Wi-Fi FTM protocol.

For example, to modify the distance measured by an initiating station.

For more information, see Wi-Fi FTM Tools.

Publications

ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021):

Here, There, and Everywhere: Security Analysis of Wi-Fi Fine Timing Measurement (pdf, acm)

Proceedings on Privacy Enhancing Technologies (PETS 2022):

Privacy-Preserving Positioning in Wi-Fi Fine Timing Measurement (pdf)

USENIX Security 2023:

Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues (pdf, repository)

Conclusion

Wi-Fi FTM is not secure, and we discourage its usage for security-sensitive applications.

We disclosed our findings to all vendors, and hope to contribute and push for more secure implementations.

Additional Resources

Want to learn more on Wi-Fi FTM? Consider the following resources:

wifi-ftm's People

Contributors

Stargazers

Watchers

wifi-ftm's Issues

Wi-Fi FTM Initiator problem

Hi,
I am trying to set up FTM and am following your guide.

I try the following combination: Intel AX-200 | Version 5.4.0 | Core 56 | Version 55 | Version 5.8
After running the command: ./iw wlp1s0 measurement ftm_request example.conf, i get the given result:

wdev 0x1 (phy #0): Peer measurements (cookie 3):
  Peer 70:3a:cb:be:85:cc: status=3 (FAILURE) @305699895518 tsf=0
    FTM failed: NO_RESPONSE (1)
wdev 0x1 (phy #0): peer measurement complete

here is my example.conf:
70:3A:CB:BE:85:CC bw=20 cf=2412

here is my network config:

phy#0
	Interface wlp1s0
		ifindex 3
		wdev 0x1
		addr 80:38:fb:e3:88:52
		type managed
		txpower 0.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0

At the same time, Wi-Fi FTM Responder works correctly.

Please tell me what could be wrong?

Which party should we run the distance-modification?

Thanks for your interesting work. I have one question on which party can execute distance-modification.
The adversary can do it to sniff, inject and spoof the responder.
Can the AP(responder) or STA(initiator) perform distance-modification locally to extract the value of t1 and t4 while running FTM? My main concern is that data transmission and sniffing may not be able to be enabled at the same time.

Recommend Projects

domienschepers / wifi-ftm Goto Github PK

wifi-ftm's Introduction

Wi-Fi Fine Timing Measurement

Hardware and Support

Security and Privacy

Code

Publications

Conclusion

Additional Resources

wifi-ftm's People

Contributors

Stargazers

Watchers

Forkers

wifi-ftm's Issues

Wi-Fi FTM Initiator problem

Which party should we run the distance-modification?

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent