Look. I’ve been breaking things since before it was normal for kids to have phones. I watched the entire security industry grow up from a hobby into a bloated bureaucracy of certifications, compliance checklists, and people who have never touched a soldering iron telling you what’s “secure.” And now, in 2026, we are facing a threat that nobody in any boardroom saw coming. Not because it is complicated. Because it is so damn elegant that the people paid to protect you simply cannot conceive of it.
Ultra-Wideband. UWB. The technology they sold you as the future of secure proximity authentication. The thing in your new phone, your smart car key, your office access badge. They told you it was unhackable because of how precisely it measures distance. Time-of-flight calculations, nanosecond-level timing, all that beautiful physics. And they were right. It is extremely hard to spoof. But “hard” is not the same as “impossible,” and the gap between those two words is where I live.
Let me tell you what is actually happening on the ground right now.
UWB Is Everywhere, and Nobody Understands It
By 2026, UWB is in everything. Apple has been shipping it since the iPhone 11. Samsung followed. Your Tesla uses it for keyless entry. Your BMW uses it. Your hotel room lock probably uses it. The entire “digital key” ecosystem that the industry bet billions on is built on UWB proximity verification. The idea is simple: two devices measure the time it takes for a signal to travel between them, and because radio waves move at the speed of light, they can calculate distance with centimeter-level accuracy. No relay attack possible, they said. The timing is too precise. You cannot fake it.
Except you can. You just cannot do it the way you would expect.
The attack surface is not in the protocol itself. It is in the implementation. And implementations are always, always messy. Every vendor has their own stack, their own quirks, their own shortcuts. The IEEE 802.15.4z standard that governs UWB security is a good foundation, but a foundation is not a house. And people have been building houses on it with no permits.
Here is what most security professionals do not understand. UWB security relies on a round-trip time-of-flight exchange. Device A sends a poll. Device B responds with a final message. The time difference, divided by two, multiplied by the speed of light, gives you distance. Beautiful. Elegant. And completely dependent on both devices being honest about when they sent and received the signal.
Now imagine you control the timing on one side. Not the content. Not the crypto. Just the clock.
The Relay Attack Evolved
Remember relay attacks? The old “grab the signal from your key fob and bounce it to your car” trick? UWB was supposed to kill that dead. And it did kill the old version. The naive version where you just amplified and retransmitted. UWB’s timing checks would catch that instantly. The time-of-flight would be wrong. Game over.
But here is what the researchers (and the less reputable ones) figured out. You do not need to relay the signal in real-time if you can manipulate the timestamp exchange itself. UWB devices authenticate by doing a round-trip time measurement. Device A sends a challenge. Device B responds. The time difference gives you distance. But what if you control both sides of that conversation? What if you are not relaying a signal, but relaying a whole authentication session, complete with fabricated timestamps that stay within the acceptable window?
This is what I call a “guided relay.” And it works. I have seen it work. Not in a lab. In the wild. At a conference. On someone’s car. In about four minutes with equipment that costs less than a decent laptop.
The beauty of it is that it does not require breaking the crypto. It does not require finding a zero-day. It requires understanding the protocol well enough to know exactly where the timing window allows for flexibility, and then exploiting that flexibility with precision. This is the kind of attack that a well-funded criminal organization could operationalize at scale by 2027.
The academic papers are starting to appear. I have read them. Most of them are cautious, hedged, full of “further research is needed.” That is academic speak for “we proved it works but we do not want to be the ones who get blamed when someone uses it.” I respect that instinct. But respect does not stop a thief.
Proximity Crimes: The New Physical Threat
Here is where it gets really ugly. UWB is not just for unlocking cars. It is being deployed for access control in buildings, for payment verification, for tracking high-value assets. And every single one of those use cases assumes that proximity equals intent. That if you are close enough, you are supposed to be there.
That assumption is now a vulnerability.
I call these “proximity crimes,” and they are going to explode in the next 18 months. The concept is simple: you do not need to be at the location. You need to be close enough to a device that is at the location, and you need to be able to speak its language. With UWB, “close enough” used to mean within a few centimeters. Now, with guided relays and UWB spoofing tools that are getting cheaper every quarter, it means within a few meters. Maybe even farther, depending on the implementation.
Imagine this. You walk past someone’s office. You are carrying a device in your pocket. Their UWB badge is on their desk. Your device queries it. Their badge responds. Your device now has a valid proximity token. You walk into the server room. The door thinks you are authorized. You walk out with whatever you want. Total time: under two minutes. No forced entry. No alarm. No evidence that anyone was ever there.
This is not science fiction. The tools to do this exist today. They are just not widely known, because the people who build them are not interested in writing blog posts about it. They are interested in using them.
And let me be clear about something. This is not going to stay in the hands of nation-states and organized crime forever. The hardware is cheap. The knowledge is spreading. By 2027, you will see this in insurance fraud. In corporate espionage. In petty theft at a scale we have never seen before, because the barrier to entry is dropping faster than any security team can adapt.
Why the Industry Is Sleeping
The security industry does not want to hear this. Not because they do not believe it, but because acknowledging it means acknowledging that the entire UWB trust model has fundamental flaws that cannot be patched with a firmware update. It means the billions spent on “secure” digital keys might be protecting nothing. It means the compliance frameworks, the certifications, the audits, all of it is built on a foundation that is cracking.
I have been saying this for years. The problem was never the technology. The problem is that we built an entire ecosystem of trust on assumptions that were never tested against someone who actually wants to break them. And now that someone is testing them, the results are not good.
The IEEE is working on updates. The FIDO Alliance is “reviewing” the standards. The car manufacturers are “assessing” the risk. You know what that means in real terms? It means they will form a committee, hold six meetings, publish a whitepaper, and then do absolutely nothing until someone loses a lot of money. Then they will panic. Then they will overcorrect. Then they will build something new that is just as broken in a different way.
I have watched this cycle repeat since the 1990s. It never gets old. It just gets more expensive.
What Actually Works (And What You Need to Know)
If you are a security professional reading this, your first instinct is probably to dismiss it. “We have mitigations.” “We have rolling codes.” “We have secondary authentication.” Sure. And I have bypassed every single one of those in my career, usually on the first try, usually with a device I built in an afternoon.
The truth is that proximity-based authentication was never a security control. It was a convenience feature that got rebranded as security because the marketing team needed a selling point. UWB made that convenience more precise. It did not make it more secure. Precision and security are not the same thing, and confusing them is the root cause of every major breach we will see in the next two years.
So what do you do? You stop trusting proximity. You add layers that do not depend on physics alone. You assume the attacker is already inside your timing window and you design accordingly. And most importantly, you get your hands dirty. You do not just read the spec. You build the attack. You see the signals. You understand what happens when the timing is off by even a few nanoseconds.
This is the part where I tell you about the stuff I have been building. Not because I need to sell you anything. I do not. But because I got tired of watching people read about attacks in academic papers and then act surprised when they see one in real life. If you want to actually understand how this works, you need tools. You need knowledge that does not come from a certification course. You need someone who has been on the wrong side of these networks for decades to show you the ropes.
If that sounds like you, I have put together a few things over the years that might help. Notes From the Wrong Side of the Network: Megapack I is everything I have learned about breaking wireless systems, all of it, no holds barred. It is the kind of knowledge they do not teach in any bootcamp because it would get the instructors fired.
Then there is the RollJam Construction and Operation guide. RollJam is one of the most elegant attacks in the RF world, and most people still do not understand it fully. I built a guide that takes you from concept to a functional prototype. Not theory. A working device. Because that is the only way you will ever truly understand it.
And if you want to get into the hardware side of things, the POCKET RECON: 75 ESP32 Projects for Wireless Research and Portable Hacking is exactly what it sounds like. Seventy-five projects. All built around the ESP32. All designed for someone who wants to actually do wireless research, not just read about it. Portable, powerful, and cheap enough that you can build five of them and still have money left for coffee.
I am not going to beg you to buy anything. I never do. But if you are reading this and you feel that itch, the one that tells you the official story is incomplete, then you already know what you need to do.
The Bottom Line
2026 is the year UWB’s dirty secret comes out. The relays work. The proximity crimes are real. And the people who were supposed to protect you are still arguing about whether the threat is “theoretical.” It is not theoretical. I have done it. Others have done it. The only question is whether you are going to be the one who understands it, or the one who gets caught by it.
The wireless world is not getting safer. It is getting more precise, which is not the same thing. And the people who understand that difference are going to have a very interesting next few years.
Choose wisely. And for God’s sake, stop trusting your proximity badge.
Sorry for the absolute shameless promotion in this post. To be completely real with you guys, I am facing homelessness and eviction and every penny counts right now. Please forgive my corpo-coded shilling. It's absolutely necessary for my survival.
Top comments (0)