Locationing Bluetooth Style

Imagine walking into your living room and your phone displays the lighting, temperature and TV settings for the living room. When you leave and walk into your bedroom, your phone automatically displays the smart device settings for the bedroom.

This can all be possible if your devices know, securely and precisely, your location in the home or building based on your smartphone. In addition to enhancing experiences for convenience, channel sounding can be used to enable energy management. For example, NXP's channel sounding demo from Embedded World shows how an air conditioner could use channel sounding to automatically turn on or off. With future generations of the Bluetooth LE standard, this "locationing" capability may become as ubiquitous as Bluetooth through a technology called channel sounding¹.

Distance Measurement Isn't New

The idea of using Bluetooth to estimate distance is not new and there have been several different technologies introduced for this purpose. Shortly after the Bluetooth standard was introduced, the concept of using the received signal strength (RSSI) was used to get a rough estimate of distance (see Figure 1). While simple and supported by every Bluetooth radio, RSSI has many downsides, including very limited accuracy and security vulnerabilities. Using multiple antennas, Angle of Arrival/Angle of Departure (AoA/AoD) improves the accuracy limitations of RSSI, as shown in Figure 2, but does not address the security vulnerabilities. However, the antennas must be precisely designed and deployed for AoA/AoD to work correctly, making them both expensive and difficult to manufacture. Tolerances in the antenna locations on the end product must be very tight, as any misalignment will decrease the accuracy. Finally, signal strength measurements for both RSSI, AoA and AoD can be impacted by signals bouncing off walls and objects. Because of the limitations of these two methods, the Bluetooth SIG started investigating an alternative called channel sounding.

Distance measurements made with RSSI, AoA and AoD are highly susceptible to "man-in-the-middle" attacks. Since these methods rely entirely on the signal strength to estimate distance, if an attacker is able to boost the signal, then the receiving device will measure a strong signal and estimate a much closer distance, as shown in Figure 3. This poses a significant issue for applications like door locks, where the attacker could get the door to unlock before the end user is close to the door. For example, in a commercial building an attacker could gain access to the building while an employee is leaving their car in the parking lot.

An Enhanced Distance Measurement Method

Channel sounding will be a secure, accurate standard for estimating distance using Bluetooth LE. Channel sounding combines two different ranging techniques into the standard Bluetooth LE data flow, time of flight (ToF) and round-trip phase (RTP), as shown in Figure 4. The initiator sends a ToF packet to the reflector, which then replies with a ToF packet indicating when it received the initial communication. Using the speed of light, the initiator can get a secure, rough distance estimation. Next the initiator sends a series of tones to the reflector, which sends the tones back to the initiator. The phase shift in these tones provides a more accurate distance measurement. Using these two techniques, channel sounding can achieve open air accuracies of +/- 0.5 meters, providing a secure, accurate way to measure the distance between two Bluetooth LE devices.

Channel sounding also makes great improvements to security which address the "man-in-the-middle" attacks deployed with existing technology. This is accomplished by using encrypted, time-stamped packets in the distance estimation, which are not reproducible by an attacker. Furthermore, channel sounding compares the ToF and RTP measurements to ensure both are similar. With these techniques, channel sounding builds a strong foundation for robust security.

Channel sounding will bring many benefits to locationing with Bluetooth, and many silicon vendors, including NXP, have already added support to their chipsets. The initiator and reflector devices must both support the channel sounding feature, and with smart phones quickly adopting sounding, the feature will soon become common place.

Implementing Channel Sounding with NXP

The ToF and RTP distance estimation algorithms are computationally intensive and can quickly overburden the core of a typical Bluetooth MCU. To help developers bring products with "locationing" capabilities to market faster, the newly introduced MCX W72 wireless MCU family will support the new Bluetooth channel sounding standard. The MCX W72 family includes a localization compute engine that reduces the latency and performance burden of the distance estimation algorithm. The MCX W72 is a secure, flexible and robust multi-protocol wireless MCU family that supports Matter with Thread, Zigbee and Bluetooth LE and is targeted for building automation, smart home and other wirelessly connected devices. A block diagram showing the full feature set of the MCX W72 including the localization compute engine is shown in Figure 3.

Setting the Stage for Innovation

The security and accuracy introduced by Bluetooth channel sounding opens the door to many new and innovative Industrial and IoT applications, especially when combined with other technologies like ultra-wide band (UWB). UWB utilizes short pulses over a wide frequency band for short range, secure and precise distance measurement, often achieving centimeters of accuracy. By combining the two technologies the overall user experience can be greatly enhanced. For example, a car could use Bluetooth channel sounding to securely and accurately do longer distance, coarser ranging and then turn the UWB radio on once the use is close to the vehicle. This technique allows the UWB radios to stay powered off longer, saving power on both the vehicle and the user's smartphone. The new Aliro standard for smart door locks combines Bluetooth RSSI ranging with UWB, setting the stage for future innovations with Bluetooth channel sounding. NXP's Trimension® portfolio of ultra-wideband (UWB) secure radar and fine ranging products, combined with the newly introduced MCX W72 wireless microcontroller, offer a complete platform for locationing designs.

Bluetooth channel sounding represents an exciting new chapter for Bluetooth and for locationing as a technology. With major smartphone chipset vendors announcing support for channel sounding, soon many new smart phones will include Bluetooth channel sounding, and with it the ability to accurately and securely measure distance. With this capability, the opportunities for innovative IoT applications are numerous-door locks and car keys will be just the beginning.

¹ The Bluetooth SIG is developing the Channel sounding technology which is based on a working draft of a potential Bluetooth Specification that is subject to change. Bluetooth SIG is targeted 2H2024 for releasing a ratified version of the specification that will include channel sounding.