
arxiv: 2603.18687 · v1 · pith:TJFWCYDKnew · submitted 2026-03-19 · 💻 cs.CR

Secure Wi-Fi Ranging Today: Security and Adoption of IEEE 802.11az/bk

Pith reviewed 2026-05-15 08:51 UTC · model grok-4.3

classification 💻 cs.CR
keywords: Wi-Fi ranging, IEEE 802.11az, IEEE 802.11bk, secure FTM, physical layer security, downgrade attacks, ranging adoption

The pith

Secure Wi-Fi ranging under IEEE 802.11az and 802.11bk remains vulnerable to unauthenticated sessions and attacks when common configurations are used.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines the security additions in the 2023 IEEE 802.11az amendment for Wi-Fi Fine Timing Measurement ranging along with bandwidth increases in 802.11bk. Standards analysis combined with simulations and hardware tests shows that logical-layer choices can produce unauthenticated ranging, downgrade attacks, and denial-of-service. Physical-layer waveform predictability, symbol repetition, and spectral-mask compliance add further risks on real devices. These factors explain the limited support for secure ranging in current commodity hardware and motivate the provided configuration guidelines.

Core claim

Secure Wi-Fi ranging mechanisms defined in IEEE 802.11az and 802.11bk remain highly sensitive to deployment configuration at the logical layer, enabling unauthenticated sessions, downgrade attacks, and denial-of-service, while physical-layer waveform choices make secure implementation non-trivial on existing hardware, as evidenced by limited commodity device support.

What carries the argument

Dual-layer analysis of logical negotiation and authentication procedures in 802.11az together with physical waveform predictability and symbol repetition effects under 802.11bk bandwidths.

If this is right

  • High-stakes ranging applications require strict configuration controls to avoid unauthenticated or downgraded sessions.
  • Vendors must improve hardware support before secure Wi-Fi ranging becomes practical at scale.
  • Standards bodies should revise waveform and negotiation rules to reduce predictability and denial-of-service exposure.
  • Current users can apply the paper's guidelines to reduce but not eliminate risks in existing deployments.
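The first point in the list above, strict configuration control at the initiator, as an added example that is not code from the paper: a small policy model showing how an initiator that accepts whatever the responder returns ends up with unauthenticated ranging after a spoofed refusal or a session set up before any pairwise key exists, while a strict initiator refuses such offers and so turns the same frames into a denial of service rather than a downgrade. The offer fields, policy names and scenario constants are a simplified model assumed here, not the 802.11az element layout.

```python
"""Initiator-side policy against downgraded or unauthenticated FTM sessions.

Added example, not code from the paper. The standard still permits legacy
(non-secure) FTM and sessions negotiated before pairwise key material exists,
so the initiator's own policy decides whether a refused or degraded offer ends
in a legacy session (downgrade) or in no session (denial of service).
Field names are a simplified model, not the 802.11az element layout.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RangingOffer:
    """What the responder's reply amounts to (simplified model)."""
    status: str        # "ok" or a refusal such as "incapable" / "busy"
    secure_ltf: bool   # keyed (secure) HE-LTFs will be used in the session
    keyed: bool        # pairwise key material exists for this session
    pmf: bool          # the negotiation frames themselves were protected


@dataclass(frozen=True)
class InitiatorPolicy:
    require_secure_ltf: bool
    require_keyed: bool
    require_pmf: bool
    allow_fallback: bool   # accept a legacy session if the secure one is refused


def is_secure(offer: RangingOffer) -> bool:
    """Only a keyed, protected, secure-LTF session counts as authenticated ranging."""
    return offer.status == "ok" and offer.secure_ltf and offer.keyed and offer.pmf


def decide(policy: InitiatorPolicy, offer: RangingOffer) -> str:
    """Return "secure", "insecure" or "abort" for one responder offer.

    "insecure" means the initiator proceeds with legacy, unauthenticated ranging;
    "abort" means the session is dropped (the denial-of-service side of the trade-off).
    """
    if is_secure(offer):
        return "secure"
    unmet = []
    if policy.require_secure_ltf and not (offer.status == "ok" and offer.secure_ltf):
        unmet.append("secure_ltf")
    if policy.require_keyed and not offer.keyed:
        unmet.append("keyed")
    if policy.require_pmf and not offer.pmf:
        unmet.append("pmf")
    if unmet or not policy.allow_fallback:
        return "abort"
    return "insecure"


# Two initiator configurations (assumed scenarios, not vendor defaults).
STRICT = InitiatorPolicy(True, True, True, allow_fallback=False)
PERMISSIVE = InitiatorPolicy(False, False, False, allow_fallback=True)

# Offers an initiator may see (constructed for the demo).
GENUINE = RangingOffer("ok", secure_ltf=True, keyed=True, pmf=True)
SPOOFED_REFUSAL = RangingOffer("incapable", secure_ltf=False, keyed=False, pmf=False)
PRE_KEY_LEGACY = RangingOffer("ok", secure_ltf=False, keyed=False, pmf=False)
UNPROTECTED_SECURE = RangingOffer("ok", secure_ltf=True, keyed=True, pmf=False)

SCENARIOS = {
    "genuine": GENUINE,
    "spoofed_refusal": SPOOFED_REFUSAL,     # one forged frame from an attacker
    "pre_key_legacy": PRE_KEY_LEGACY,       # session before any pairwise key
    "unprotected_secure": UNPROTECTED_SECURE,
}


def outcomes(policy: InitiatorPolicy) -> dict:
    """Outcome of every scenario under one policy."""
    return {name: decide(policy, offer) for name, offer in SCENARIOS.items()}


if __name__ == "__main__":
    for label, policy in (("strict", STRICT), ("permissive", PERMISSIVE)):
        print(label, outcomes(policy))
```

Under the permissive policy a single forged refusal yields an unauthenticated session that still reports distances; under the strict policy the same frame yields no session at all. Neither outcome is free, which is why the choice has to be made per use case rather than left to whatever the stack does by default.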

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Mandatory secure modes in future amendments could prevent fallback to unauthenticated ranging.
  • Hybrid systems combining Wi-Fi ranging with ultra-wideband may offset the identified accuracy-security trade-offs.
  • Broader field measurements across diverse radio environments could expose additional hardware-specific vulnerabilities.

Load-bearing premise

The selected simulations and measurements on commercial and development hardware capture the dominant security and implementation obstacles present in real deployments.

What would settle it

Widespread availability of commercial devices that perform full secure 802.11az ranging without configuration-dependent vulnerabilities or spectral compliance failures would contradict the reported sensitivity and limited adoption.

Figures

Figures reproduced from arXiv: 2603.18687 by Bart Preneel, Bernhard Etzlinger, Dave Singelée, Nikola Antonijević.

Figure 1: Example of a typical FTM ranging session between the station (STA) and the access point (AP). Measurement exchange. During measurement exchange, the AP and STA send FTM message pairs with embedded transmit and receive timestamps. The AP transmits an FTM frame at time t1 (…

Figure 2: Comparison of the HE-LTF part of an HE ranging NDP in the legacy (non-secure) and secure IEEE 802.11az formats. Earlier preamble fields and headers are omitted for clarity. IEEE 802.11az replaces these fixed patterns with secure HE-LTFs (Fig. 2b), where training content is derived from secret keying material. Pairwise key material shared between initiator and responder is used to generate a pseudorandom b…

Figure 3: Waveform reconstruction after partial observation (80%). Adjacent text: with Monte Carlo sampling [5,7]. For the results below, we run a particle-based message-passing algorithm with 300 samples and set the noise variance such that the SNR is 7 dB. After inference, we obtain approximate marginals for each constellation symbol and the common phase, p(X_k | y_obs) and p(β | y_obs). Concretely, for each X_k and for β we o…

Figure 4: Simulation results, 25 iterations. (a) Average RMSE. Top: distance between estimated and true constellation symbols, compared to minimum symbol distance. Bottom: average RMSE in time domain for the observed signal part and the predicted signal part, compared to the mean symbol energy of the HE-LTF y. (b) Top: accuracy of random phase shift estimation. Bottom: sharpness and cross entropy of the posterior fu…

Figure 5: (a) Distance bias induced by advancing a fraction of the secure HE-LTF. The attacker observes the first k% of the secure HE-LTF to predict and transmit an advanced replica for the remaining portion. The positive x-axis denotes an advance (distance reduction), while negative values denote a delay (distance enlargement). (b) RMS error vector magnitude (EVM) after HE-LTF demodulation versus the applied sign…

Figure 6: Simulated power spectral density of 20 MHz NDPs for the non-secure (left) and secure (right) variants, before (blue) and after (orange) the power amplifier model, compared against the standard-defined spectral mask (black).
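The keyed training field of Figure 2 and the partial-prediction advance attack of Figure 5, as an added toy model that is not the paper's simulation: a +/-1 training sequence stands in for the HE-LTF, a plain correlator stands in for the receiver's ToA estimator, SHAKE-256 stands in for the standard's key-derivation PRF, and the attacker is assumed to overshadow the genuine signal by a fixed gain. The sequence length, guard interval, attacker gain, key and nonce values, and the 20 MHz sample rate are all assumptions made for the demonstration.

```python
"""Toy model of the partial-prediction advance attack on a secure HE-LTF.

Added example; not the paper's simulation. A +/-1 training sequence stands in
for the HE-LTF and a correlator for the receiver's ToA estimator, so all numbers
are illustrative. Assumptions: SHAKE-256 replaces the standard's PRF, the
attacker's replica arrives ATTACKER_GAIN times stronger than the genuine signal,
and the receiver takes the strongest correlation peak as the ToA.
"""
import hashlib
import random

C = 299_792_458.0        # speed of light, m/s
N = 512                  # sequence length in samples (assumption)
GUARD = 32               # true ToA index inside the receive buffer (assumption)
ATTACKER_GAIN = 2.0      # attacker overshadows the genuine signal (assumption)


def legacy_ltf(n: int = N) -> list:
    """Fixed training sequence, regenerable from a public constant: an attacker
    knows every sample before the frame is sent (legacy HE-LTF, Fig. 2a)."""
    rng = random.Random(0x11AC)
    return [rng.choice((-1, 1)) for _ in range(n)]


def secure_ltf(key: bytes, nonce: bytes, n: int = N) -> list:
    """Training sequence derived from pairwise key material (secure HE-LTF,
    Fig. 2b). SHAKE-256 is a stand-in for the standard's PRF."""
    stream = hashlib.shake_256(b"secure-ltf|" + key + b"|" + nonce).digest((n + 7) // 8)
    return [1 if (stream[i // 8] >> (i % 8)) & 1 else -1 for i in range(n)]


def receive(reference: list, predicted_from: int, advance: int,
            gain: float = ATTACKER_GAIN) -> list:
    """Receive buffer: the genuine sequence at index GUARD plus an attacker
    replica of reference[predicted_from:] sent `advance` samples early. The
    attacker must observe the first predicted_from samples before it can
    predict the rest, so only that tail can be advanced."""
    assert 0 <= advance <= GUARD and 0 <= predicted_from <= len(reference)
    buf = [0.0] * (len(reference) + 2 * GUARD)
    for i, s in enumerate(reference):
        buf[GUARD + i] += s
    for i in range(predicted_from, len(reference)):
        buf[GUARD + i - advance] += gain * reference[i]
    return buf


def estimate_toa(buf: list, reference: list) -> int:
    """Lag of the strongest cross-correlation peak (the receiver's ToA estimate)."""
    n = len(reference)
    best_lag, best_val = 0, float("-inf")
    for lag in range(len(buf) - n + 1):
        val = sum(buf[lag + i] * reference[i] for i in range(n))
        if val > best_val:
            best_lag, best_val = lag, val
    return best_lag


def toa_bias(reference: list, observed_fraction: float, advance: int) -> int:
    """ToA bias in samples (positive = earlier, i.e. a distance reduction as on
    the positive x-axis of Fig. 5a) when the attacker observes observed_fraction
    of the sequence before predicting and advancing the remainder."""
    predicted_from = int(round(observed_fraction * len(reference)))
    buf = receive(reference, predicted_from, advance)
    return GUARD - estimate_toa(buf, reference)


def bias_to_metres(bias_samples: float, sample_rate_hz: float,
                   attacked_legs: int = 1) -> float:
    """Distance error of one FTM round trip (Fig. 1): d = c * RTT / 2, and each
    attacked leg shortens the RTT by bias_samples / sample_rate_hz."""
    return C * attacked_legs * bias_samples / sample_rate_hz / 2


if __name__ == "__main__":
    key, nonce = b"\x01" * 16, b"session-nonce"      # constructed demo values
    cases = [("legacy", legacy_ltf(), 0.0),
             ("secure, 25% observed", secure_ltf(key, nonce), 0.25),
             ("secure, 90% observed", secure_ltf(key, nonce), 0.90)]
    for name, seq, k in cases:
        b = toa_bias(seq, k, advance=16)
        print(f"{name:22s} bias {b:3d} samples = {bias_to_metres(b, 20e6):.1f} m")
```

With these assumptions the legacy sequence lets the attacker advance the whole frame, a secure sequence of which the attacker has seen 25 % still yields the full advance because the predicted tail dominates the correlation peak, and one of which 90 % had to be observed yields none. A leading-edge detector, which picks the earliest peak above a threshold rather than the strongest one, would be more permissive than this argmax model, and symbol repetition hands the attacker the repeated copy without any prediction at all. At a 20 MHz sample rate one advanced sample is worth about 7.5 m per attacked leg, so a 16-sample advance on one leg is roughly 120 m.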
Original abstract

Ranging and localisation have become critical for many applications and services. The Wi-Fi (IEEE 802.11) standard is a natural candidate for providing these functions across diverse environments, given its widespread deployment. The IEEE 802.11az amendment, finalised in 2023, introduces "Next Generation Positioning" mechanisms to secure and harden the existing insecure Wi-Fi Fine Timing Measurement (FTM) ranging solution. Moreover, the recent IEEE 802.11bk amendment increases the available bandwidth with the goal of approaching the centimetre-level ranging accuracy of ultra-wideband (UWB) systems. This paper examines to what extent these promises hold from a security and deployability perspective. We analyse the core mechanisms of secure Wi-Fi ranging as defined in IEEE 802.11az and IEEE 802.11bk at both the logical and physical layers, combining standards analysis with simulations and measurements on commercial and development hardware. At the logical layer, we show how common deployment choices can result in unauthenticated ranging, downgrade attacks, and simple denial-of-service attacks, making it difficult to securely realise many high-stakes use cases. At the physical layer, we study the predictability of secure ranging waveforms, the security impact of symbol repetition, and how waveform design choices affect compliance with spectral masks under realistic RF behaviour. Our results show that secure Wi-Fi ranging is highly sensitive to configuration choices and is non-trivial to implement on existing hardware. This is also evidenced by the currently limited support for secure Wi-Fi ranging in commodity devices. This paper provides practical guidelines for using secure FTM safely and recommendations to vendors and standardisation bodies to improve its robustness and deployability.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper analyzes the security and deployability of secure Wi-Fi ranging in IEEE 802.11az (Next Generation Positioning) and 802.11bk (increased bandwidth). At the logical layer, it identifies risks from common deployment choices including unauthenticated ranging, downgrade attacks, and denial-of-service. At the physical layer, it examines waveform predictability, symbol repetition effects, and spectral mask compliance under realistic RF conditions via standards analysis, simulations, and measurements on commercial/development hardware. The central claim is that secure ranging is highly sensitive to configuration choices and non-trivial to implement on existing hardware, as evidenced by limited commodity device support, with accompanying practical guidelines and recommendations for vendors and standard bodies.

Significance. If the empirical findings on configuration sensitivity and implementation challenges hold under broader testing, the work would be significant for the wireless security community by providing concrete, actionable guidance on safe deployment of 802.11az/bk ranging and highlighting gaps that could inform future amendments. The combination of logical-layer attack analysis with physical-layer simulations and hardware measurements strengthens its practical relevance for high-stakes applications like localization services.

major comments (2)
  1. [Physical layer analysis] Physical layer section: the simulations and measurements on a limited set of commercial/development hardware do not detail exact hardware models, simulation parameters, or measurement protocols, which directly limits verification of the reported waveform predictability, symbol-repetition effects, and spectral-mask violations; if these setups miss vendor-specific baseband behaviors or multipath profiles, the inference that limited commodity support reflects inherent non-triviality rather than market lag is weakened.
  2. [Logical layer analysis] Logical layer analysis: while common deployment choices are shown to enable unauthenticated ranging and downgrade attacks, the paper does not quantify how frequently these choices occur in practice or provide concrete mappings to high-stakes use cases, making it unclear whether the identified risks are load-bearing for the claim of difficulty in securely realizing many applications.
minor comments (2)
  1. [Abstract] Abstract: could include one or two key quantitative results from the hardware measurements (e.g., specific predictability metrics or compliance violation rates) to better ground the sensitivity claim.
  2. [Simulation setup] The paper would benefit from an explicit discussion of how the chosen channel models compare to standard indoor multipath profiles used in 802.11 literature.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We appreciate the referee's detailed feedback on our manuscript. We address the major comments point by point below, providing clarifications and committing to revisions where the manuscript can be strengthened.

  1. Referee: [Physical layer analysis] Physical layer section: the simulations and measurements on a limited set of commercial/development hardware do not detail exact hardware models, simulation parameters, or measurement protocols, which directly limits verification of the reported waveform predictability, symbol-repetition effects, and spectral-mask violations; if these setups miss vendor-specific baseband behaviors or multipath profiles, the inference that limited commodity support reflects inherent non-triviality rather than market lag is weakened.

    Authors: We acknowledge that additional details on the experimental setup are necessary to allow full verification of our physical layer results. In the revised manuscript, we will expand the physical layer section to include the exact hardware models used (e.g., specific Wi-Fi chipsets and development boards), complete simulation parameters (including channel models, SNR ranges, and repetition factors), and a step-by-step description of the measurement protocols. This will enable independent reproduction and address concerns about vendor-specific behaviors. We believe this will reinforce rather than weaken our conclusions regarding implementation challenges. revision: yes

  2. Referee: [Logical layer analysis] Logical layer analysis: while common deployment choices are shown to enable unauthenticated ranging and downgrade attacks, the paper does not quantify how frequently these choices occur in practice or provide concrete mappings to high-stakes use cases, making it unclear whether the identified risks are load-bearing for the claim of difficulty in securely realizing many applications.

    Authors: Our logical layer analysis is based on the standard specifications and identifies vulnerabilities that arise from permissible configuration choices, which are not prohibited by the protocol. While we do not provide statistical quantification of deployment frequencies (as this would require extensive market surveys outside the paper's scope), we will add concrete examples and references to high-stakes applications such as secure access control and autonomous systems where these risks could be critical. We maintain that the existence of these attack vectors in common setups supports our claim of difficulty in secure realization, even without frequency data, as the standard allows insecure defaults. revision: partial

Circularity Check

0 steps flagged

No circularity: empirical standards analysis and measurements

full rationale

The paper performs logical-layer analysis of IEEE 802.11az/bk standards, waveform simulations, and hardware measurements on commercial devices. No derivations, fitted parameters, or predictions appear; all security and deployability claims rest directly on quoted standard text plus new experimental results. No self-citations are load-bearing, no ansatzes are smuggled, and no results are renamed or defined circularly. The work is fully self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The paper performs standards analysis and empirical testing without introducing new mathematical parameters, axioms beyond standard cryptographic assumptions, or invented entities.



Reference graph

Works this paper leans on (30 references)

[1] Android: Wi-Fi location: Ranging with RTT. https://developer.android.com/develop/connectivity/wifi/wifi-rtt#supported-devices, accessed 7 January 2026
[2] Android Open Source Project: Wi-Fi RTT. https://source.android.com/docs/core/connect/wifi-rtt (2026), accessed 7 January 2026
[3] Böck, H., Zauner, A., Devlin, S., Somorovsky, J., Jovanovic, P.: Nonce-Disrespecting adversaries: Practical forgery attacks on GCM in TLS. In: 10th USENIX Workshop on Offensive Technologies (WOOT 16) (2016)
[4] Dauwels, J.: On variational message passing on factor graphs. In: 2007 IEEE International Symposium on Information Theory. pp. 2546–2550. IEEE (2007)
[5] Dauwels, J., Korl, S., Loeliger, H.A.: Particle methods as message passing. In: 2006 IEEE International Symposium on Information Theory. IEEE (2006)
[6] Dolev, D., Yao, A.: On the Security of Public Key Protocols. IEEE Transactions on Information Theory 29(2), 198–208 (1983)
[7] Etzlinger, B., Haselmayr, W., Springer, A.: Message passing methods for factor graph based MIMO detection. In: 2011 Wireless Advanced. IEEE (2011)
[8] Famili, A., Atalay, T., Stavrou, A.: Unlocking the Potential of IEEE 802.11az: A Deep Dive into Ranging Capabilities. In: 2025 International Conference on Computing, Networking and Communications (ICNC). pp. 763–769. IEEE (2025)
[9] Google LLC: WifiRttLocator App. https://play.google.com/store/apps/details?id=com.google.android.apps.location.rtt.wifirttlocator, accessed 7 January 2026
[10] Henry, J., Busnel, Y., Ludinard, R., Montavont, N.: Ranging and Location attacks on 802.11 FTM. In: 2021 IEEE 32nd Annual International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC). pp. 1481–1486. IEEE (2021)
[11] Henry, J., Busnel, Y., Ludinard, R., Montavont, N.: Reducing FTM ranging and location attack exposure with crowd-wisdom. In: IPIN 2021: 9th International Conference on Indoor Positioning and Indoor Navigation. pp. 1–16 (2021)
[12] IEEE Standards Association: Newly Released IEEE 802.11az Standard Improving Wi-Fi Location Accuracy is Set to Unleash a New Wave of Innovation. https://standards.ieee.org/beyond-standards/newly-released-ieee-802-11az-standard-improving-wi-fi-location-accuracy-is-set-to-unleash-a-new-wave-of-innovation/ (2026), accessed 26 January 2026
[13] IEEE Standards Association et al.: IEEE Standard for Local and Metropolitan Area Networks–Part 11: Wireless LAN MAC and PHY Specifications Amendment 3: 320MHz Positioning. IEEE Std 802.11bk-2025 (2025)
[14] IEEE Standards Association et al.: IEEE Standard for Local and Metropolitan Area Networks–Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Std 802.11-2024 (2025)
[15] IndoorAtlas: Unlock Smart Spaces with IndoorAtlas. https://www.indooratlas.com/ (2026), accessed 7 January 2026
[16] Jayati, A.E., Sipan, M.: Impact of Nonlinear Distortion with the Rapp Model on the GFDM System. In: 2020 Third International Conference on Vocational Education and Electrical Engineering (ICVEE) (2020)
[17] Jiokeng, K., Jakllari, G., Tchana, A., Beylot, A.L.: When FTM discovered MUSIC: Accurate WiFi-based ranging in the presence of multipath. In: IEEE INFOCOM 2020 - IEEE Conference on Computer Communications. pp. 1857–1866. IEEE (2020)
[18] Kosek-Szott, K., Szott, S., Ciezobka, W., Wojnar, M., Rusek, K., Segev, J.: Indoor Positioning with Wi-Fi Location: A Survey of IEEE 802.11 mc/az/bk Fine Timing Measurement Research. Computer Communications (2025)
[19] Leu, P., Kotuliak, M., Roeschlin, M., Capkun, S.: Security of multicarrier time-of-flight ranging. In: Proceedings of the 37th Annual Computer Security Applications Conference. pp. 887–899 (2021)
[20] Li, X., Pahlavan, K.: Super-resolution TOA estimation with diversity for indoor geolocation. IEEE Transactions on Wireless Communications 3(1), 224–234 (2004)
[21] MathWorks: 802.11az Positioning Using Super-Resolution Time of Arrival Estimation. https://www.mathworks.com/help/wlan/ug/802-11az-indoor-positioning-using-super-resolution-time-of-arrival-estimation.html, accessed 13 January 2026
[22] MathWorks: 802.11az Waveform Generation. https://www.mathworks.com/help/wlan/ug/802-11az-waveform-generation.html (2026), accessed 13 January 2026
[23] Picazo-Martínez, P., Barroso-Fernández, C., Martín-Pérez, J., Groshev, M., de la Oliva, A.: IEEE 802.11az Indoor Positioning with mmWave. IEEE Communications Magazine 62(10), 126–131 (2023)
[24] Schepers, D., Ranganathan, A.: Privacy-preserving positioning in Wi-Fi Fine Timing Measurement. Proceedings on Privacy Enhancing Technologies (2022)
[25] Schepers, D., Singh, M., Ranganathan, A.: Here, there, and everywhere: Security analysis of Wi-Fi Fine Timing Measurement. In: Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks (2021)
[26] Singh, G., Pandey, A., Prakash, M., Andreoni, M., Baddeley, M.: Benchmarking and Security Considerations of Wi-Fi FTM for Ranging in IoT Devices. In: Proceedings of Cyber-Physical Systems and Internet of Things Week 2023 (2023)
[27] Vanhoef, M., Piessens, F.: Key reinstallation attacks: Forcing nonce reuse in WPA2. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. pp. 1313–1328 (2017)
[28] Vanhoef, M., Robben, J.: A security analysis of WPA3-PK: Implementation and precomputation attacks. In: International Conference on Applied Cryptography and Network Security. pp. 217–240. Springer (2024)
[29] Vanhoef, M., Ronen, E.: Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd. In: 2020 IEEE Symposium on Security and Privacy (SP). pp. 517–533. IEEE (2020)
[30] Wymeersch, H.: Iterative Receiver Design. Cambridge University Press, Cambridge (2007)