
Security Analysis of Bluetooth Channel Sounding


Course

Sultan Qasim Khan of Tetrel Security analyzes Bluetooth Channel Sounding's security landscape, covering distance manipulation attacks, EDLC and multipath exploits, and a survey of vendor implementation resilience.

Bluetooth Channel Sounding, introduced in version 6.0, enables BLE devices to determine distance using signal propagation time rather than signal strength, making it far more precise and relay-resistant than existing approaches. With no specialized hardware required, it is already being integrated into new Bluetooth chips and is expected to see widespread adoption in security-sensitive applications like phone-as-a-key systems. The question is how resistant the protocol and its implementations actually are when put under adversarial pressure.

In this session, led by Sultan Qasim Khan of Tetrel Security, you will learn:

  • How packet-based and phase-based ranging work in Bluetooth Channel Sounding;
  • How Early-Detect Late-Commit and multipath confusion attacks exploit specification ambiguities and optional features to manipulate perceived device distance;
  • How popular vendor implementations compare in their resilience against distance manipulation.

Here is the course outline:

Security Analysis of Bluetooth Channel Sounding: Protocol and Implementations

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
