Combining UWB and BLE radios can create efficient secure entry systems. To understand why this is so, it is important to have knowledge of the strengths and weaknesses of the two underlying radio technologies and how they fit together to create practical and secure entry systems.
Ultra-wide band (UWB) radios have been available for nearly 10 years for use as a precise positioning technology. There have been previous incarnations of the technology as a high-speed data transfer technology, but we will not be discussing these here.
First, let us recap the basics of UWB as a radio transmission method. UWB is defined as “transmission for which emitted signal bandwidth exceeds the lesser of 500 MHz or 20% of fractional bandwidth”. To provide some real-world context, current generation UWB modules conforming to global standards (we will discuss standards later) from companies such as Insight SIP operate at 6.5MHz (band 5) and 8 MHz (band 9), both with a 500MHz bandwidth.
In practice, this means that a UWB radio transmits at low power over a wide bandwidth. This in turn leads to some key characteristics for the radio transmission. Firstly, you can generate a pulse with sharp time definition, and this signal is relatively impervious to noise (recall Fourier Transforms). Secondly, the primary pulse can be easily separated from a reflected secondary pulse due to this sharp temporal definition. By contrast, a narrow band pulse will be much less well defined in time, significantly impacted by noise, and any reflected signal is likely to be mixed in with the primary one, thus leading to additional error in time definition.
These differences are illustrated in the diagrams below.
Figure 1. Radio transmission characteristics and their differences for the various UWB radio options.
The reason to focus on this time definition of a pulse is that for positioning applications, a precisely defined timed pulse can, via knowledge of the speed of light, be used as a time-of-flight method to accurately measure distance.
UWB as a localization technology: two-way ranging and time difference of arrival
There are two main ways to use UWB to measure distance. The first is “two way ranging” (TWR), whereby a pulse is sent from one device to second one, and then immediately returned to the original device. As long as you know the “turnaround time” at the second device, and this is controlled to be a known number of clock cycles, you can determine the distance between the two devices.
This method is the simplest and most effective for point-to-point measurements. However, should you want to localize an object in three dimensions, you would need to exchange position information with at least three “Anchors” (units in a fixed and known position). This carries the disadvantage of much higher power consumption, and in the case of many objects being tracked, higher chance of interference between devices.
The other method which can be used is “time difference of arrival” (TDoA). In such a case, an object to be tracked emits a single pulse, which is detected by multiple anchors. The difference in time that the pulse arrives at different anchors can be used to determine a 3-D position. This reduces the power consumption by an order of magnitude, and in turn reduces the risk of pulse collisions. The disadvantage, however, is that you need to very precisely synchronize/calibrate the anchors (to picosecond level), so that the time difference can be detected, and you also need a method to “reassemble” the pulse information arriving at different anchors. It therefore requires a complex system to link anchors, calibrate timing, and link information from the anchors to a single specific pulse.
For the remainder of this article, we will focus on TWR solutions as these are relatively easy to implement and can be used in small battery powered objects and add precision and security to existing localization solutions. By contrast, a TDoA solution requires a major hardware and software system engineering effort.
Secure distance measurement and “relay attacks”
There are existing methods for determining the distance between two objects. Many cars, for example, have what are described as “keyless entry systems”, whereby the car doors unlock as you approach the car. This is a rather inaccurate phrase, as there remains a key in the system. This key transmits a radio signal to the car to open it rather than having to enter a physical key into a mechanical lock. We will nevertheless stick with the phrase “keyless entry” as it is in common usage.
The first generation of such systems used signal strength to determine when the person with the key was approaching the car. There are two issues with this approach. The signal strength is a rather inaccurate way of detecting proximity – it will be influenced by where the key is located on the body, any other objects in the proximity of the car and other factors. This was not a critical factor – solutions could be made “good enough” – but the more significant issue is that such systems have a major security flaw.
With a signal strength-based proximity detection, it is relatively easy to pick up the signal from a key, boost it via a simple power amplifier, and retransmit it to the car. By such a method, you can “spoof” proximity to the car, as the car will see a strong signal indicating close proximity of a key. In the real world, it has been shown that you can pick up a key signal from inside a house, and use it to open the car, or follow someone from a car park, and pick up the signal from their bag or pocket. This is called a “relay attack” and is not just a theoretical possibility. It has been shown to be used in real world thefts, particularly of high-end vehicles. Note that in the above scenario, you do not need to break any cryptographic exchange between the key and car – these simply pass transparently via the relay.
UWB as protection against relay attacks
A UWB based distance measurement is not susceptible to relay attacks as UWB measures distance via time of flight, so the relay is easily detected. Any distance added via the relay adds extra time to the round-trip time measurement, so the UWB measurement accurately measures the real distance. Indeed, the relay is likely to add a further delay to the transmission time, so the key will appear even further away from the car than it is. Whilst it would be naive to describe any security as “unbreakable”, UWB offers a solution that is orders of magnitude harder to crack.
Power management with UWB
At this point, UWB might seem the perfect solution, but unfortunately things aren’t quite that simple. UWB radios are relatively power hungry, with even the latest generation devices consuming around 50-60mA when radios are on. This isn’t an issue if mains power or a large battery is available, but it certainly is for portable/handheld devices operating on coin cell type batteries or similar. The reasons for this are quite complex, but for precise timing, you need to run very fast clocks and match pulse trains to identify UWB genuine signals above noise.
The first issue for a coin cell solution is that typical coin cells simply can’t deliver that level of current, and even with that issue solved, if the radios were active for long periods the battery charge would be drained very fast. So, a UWB only solution would be useless for an automatic keyless entry system.
On the more positive side, the advantage of UWB time of flight solutions is that they only use very short pulses. So in theory the radios do not need to operate for long periods. The peak current issue can therefore be solved by use of capacitors to deliver the necessary 50mA to drive the radios. However, the more basic question is how you manage the two ends of the solution to have radios operating only for the minimum necessary time.
BLE and UWB working together as a low power solution
To overcome this problem, it is possible to use BLE and UWB together to create an overall low power solution. BLE has the useful property of being designed for devices to “find” each other via standard protocols whilst consuming very little power. It is also possible to detect proximity using BLE signal strength, albeit with poor accuracy and weak security as we have discussed above.
The use case that can be deployed therefore has the following steps:
- Start point: door locked, UWB radios off/deep sleep.
- BLE radio on door is in listening for connection mode.
- BLE radio in key is advertising mode.
- Key and door make connection via BLE.
- Approximate (and insecure) proximity measured by BLE.
- When proximity reaches (programmable) threshold, UWB radios switched on and measure precise and secure proximity according to timed cycle.
- When UWB measured secure distance goes below threshold, door opens.
- Return to start point.
Thus, it is possible to have a key solution that combines UWB’s accuracy and security with BLE’s low power properties, if you have a device that combines both radios. An example module featuring BLE and UWB radios with integrated antennas is Insight SIP’s ISP3080 module, which also provides a “door” example with the development kit.
This can be refined further using additional hardware such as accelerometer, so even BLE radios can be in deep sleep until the key is moved.
Standardization with UWB
Until relatively recently, the market for UWB solutions was hampered by a lack of standardization, so customers were limited to vendor dependent proprietary solutions. This has changed in the last few years with FiRa (Fine Ranging) consortium standards, supporting interoperability between vendor UWB chips, including those from Apple, Qorvo, NXP and others. In turn, that has led to UWB radios being included on mobile phones. For the moment this is limited to the higher end devices, but history indicates that technology propagates fast to become standard (e.g., BLE, WiFi). For example, the latest generation of Apple “Air Tag” uses UWB technology to improve localization capability.