Mafia Fraud Attack Against The Rc Distance-Bounding Protocol

At ACM CCS 2008, Rasmussen and Capkun introduced a distance-bounding protocol [22] (henceforth RC protocol) where the prover and verifier use simultaneous transmissions and the verifier counts the delay between sending a challenge (starting with a hidden marker) and receiving the response. Thus, the verifier is able to compute an upper bound on the distance separating it and the prover. Distance bounding protocols should resist to the most classical types of attacks such as distance fraud and mafia fraud. In mafia fraud, a man-in-the-middle adversary attempts to prove to a legitimate verifier that the prover is in the verifier's proximity, even though the prover is in reality far away and does not wish to run the protocol. The RC protocol was only claiming to resist distance fraud attacks. In this paper, we show a concrete mafia fraud attack against the RC protocol, which relies on replaying the prover nonce which was used in a previous session between a legitimate prover and the verifier. This attack has a large probability of success. We propose a new protocol called LPDB that is not vulnerable to the presented attack. It offers state-of-the-art security in addition to the notion of location privacy achieved by the RC protocol.