
Computers & Security 131 (2023) 103293


A survey on indoor positioning security and privacy


Yerkezhan Sartayeva∗, Henry C. B. Chan
The Hong Kong Polytechnic University, Hung Hom, Kowloon, Hong Kong, China

Article info

Article history: Received 30 June 2022; Revised 9 May 2023; Accepted 9 May 2023; Available online 12 May 2023

Keywords: Indoor positioning security; Indoor positioning privacy; Location-based services; Collaborative positioning; Non-collaborative positioning; Wireless networks

Abstract

With rising demand for indoor location-based services (LBS) such as location-based marketing, mobile navigation, etc., there has been considerable interest in indoor positioning methods as well as their security and privacy. Current survey papers on indoor positioning methods mainly focus on positioning accuracy, whereas discussion on security and privacy considerations is limited. While there are survey papers on the security/privacy of LBS, they mainly focus on the services rather than the positioning methods. On the other hand, various survey papers on Internet of Things security/privacy mostly address device and system security. To fill the gap and complement the aforementioned survey papers, we conduct a systematic and comprehensive survey on indoor positioning security and privacy, focusing on the positioning methods. In particular, we provide the following contributions. First, based on general search (using the systematic PRISMA approach) and specific search, we study related papers published in recent years with the aim of addressing three research questions. Second, to facilitate the survey and study, we categorise the positioning methods into non-collaborative methods (i.e., proximity-based, geometric and fingerprinting methods), collaborative methods (i.e., mobile proximity-based and mobile geometric methods) and others (combining multiple technologies/methods). Third, for each method, we give an overview of the method and discuss its security and privacy issues. Last but not least, we highlight some future research directions and work on indoor positioning security and privacy. In particular, there is a need to conduct more research on collaborative positioning methods, including their security and privacy issues.

© 2023 Elsevier Ltd. All rights reserved.

Corresponding authors.
E-mail addresses: yerkezhan.sartayeva@connect.polyu.hk (Y. Sartayeva), henry.chan.comp@polyu.edu.hk (H.C. B. Chan).

https://doi.org/10.1016/j.cose.2023.103293

Abbreviations used in the paper: AES, Advanced Encryption Standard; APIT, Approximate Point in Triangle; AoA, Angle of Arrival; AoD, Angle of Departure; BLE, Bluetooth Low Energy; CAB, Concentric Anchor Beacon; CFO, Carrier Frequency Offset; CS, Ciphered Sequence; CSI, Channel State Information; DoS, Denial of Service; ECDH, Elliptic Curve Diffie-Hellman; ECDSA, Elliptic Curve Digital Signature Algorithm; EDS, Encryption and Decision Server; EIPS, Encrypted Indoor Positioning Service; FHE, Fully Homomorphic Encryption; GAEN, Google and Apple Exposure Notification; GC, Garbled Circuit; GNSS, Global Navigation Satellite System; GPS, Global Positioning System; HMAC, Hash-based Message Authentication Code; IMU, Inertial Measurement Unit; IPS, Indoor Positioning System; k-NN, k-Nearest Neighbours; LBS, Location-Based Services; LPPM, Location Privacy-Preserving Mechanism; MAC, Message Authentication Code; MANET, Mobile Ad Hoc Network; MAP, Maximum a Posteriori; MIMO, Multiple Input and Multiple Output; MLE, Maximum Likelihood Estimation; MMSE, Minimum Mean Squared Error; MTAC, Message Time of Arrival Code; PDR, Pedestrian Dead Reckoning; PHE, Partially Homomorphic Encryption; PPS, Privacy-Preserving Summation; RF, Radio Frequency; RFID, Radio-Frequency Identification; RPI, Rolling Proximity Identifier; RSA, Rivest-Shamir-Adleman; RSSI, Received Signal Strength Indicator; RTT, Round-Trip Time; SHA, Secure Hash Algorithm; SLAM, Simultaneous Localisation and Mapping; SOCP, Second-Order Cone Programming; STS, Scrambled Timestamp Sequence; TDoA, Time Difference of Arrival; TWR, Two-Way Ranging; ToA, Time of Arrival; ToF, Time of Flight; UWB, Ultra-wideband; VLC, Visible Light Communication; WSN, Wireless Sensor Network; WiFi, Wireless Fidelity.

1. Introduction

Location-based services (LBS) are now widely used and continue to grow in popularity (Jiang et al., 2021; Liu et al., 2019b; Uphaus et al., 2021). LBS is a collective term for online services that rely on users’ geographical data, i.e., their location (Bettini, 2018). They can be used in various domains, which include marketing (Banerjee et al., 2021; Shieh et al., 2019), healthcare (Sen and Mahapatra, 2019), navigation (Tiemann et al., 2020) and more. One of the main issues with LBS is protecting users’ locations from malicious parties, including service providers themselves. Users may not want to disclose their location or at least an association of their identity with a location to third parties, therefore, it is critical to make sure that this information is not abused. Many surveys have been written on the protection of user locations, e.g., the works of Jiang et al. (2021) and Liu et al. (2018a), but they do not discuss how security of the localisation process itself is ensured, especially in indoor environments. GPS-based (Global Positioning System) outdoor localisation is performed locally, meaning that the user’s location is not disclosed to third parties, but this is not the case in indoor positioning systems because they rely on a different localisation infrastructure (Boutet and Cunche, 2021). GPS cannot be used for indoor localisation because of poor signal penetration and a high degree of obstructions indoors (Kunhoth et al., 2020). Hence, this survey will only cover indoor localisation. Despite its steady growth in popularity (Zafari et al., 2019), security and privacy are rarely considered in works on indoor positioning, with priority given to accuracy (Tiku and Pasricha, 2019). This is understandable because accuracy is critical in LBS (Nessa et al., 2020), i.e., LBS assume location data supplied to them is correct. In addition, incorporating security and privacy preservation into indoor positioning systems (IPSs) poses an additional computational burden on participant nodes that is impractical because of their resource constraints. However, accuracy can also be compromised as a result of security and privacy attacks, such as data tampering, node capturing and more, as will be discussed throughout the paper. The negative repercussions of low localisation security in the context of indoor localisation could range from minor inconveniences, like guiding a student to the wrong classroom, to more severe issues, like hospital staff failing to locate a medication for a patient in critical condition on time (Tiku and Pasricha, 2019). In this survey, it is assumed that a separate server (IPS server) is responsible for localisation, i.e., not a server that provides LBS. If LBS provision and indoor localisation are the responsibility of the same server, it does not mean that the server’s security measures for location privacy protection are sufficient for secure localisation. When it comes to protecting information about user locations, privacy preservation mechanisms for this purpose have been covered extensively in LBS privacy surveys, e.g., by Chen et al. (2017a), Jiang et al. (2021), Liu et al. (2018a). This survey will focus on methods used for securing ways in which locations/positions are estimated. That means, unlike the previous surveys, our focus is on the security and privacy of indoor positioning methods, which is not covered by the previous surveys. To the best of our knowledge, this survey paper should be the first or among the first to provide a systematic and comprehensive survey on the security and privacy issues for indoor positioning (i.e., focusing on different types of positioning methods). Our work should complement the previous surveys.

Indoor positioning is different from outdoor localisation in that it cannot rely on GPS because of poor signal penetration in buildings (Kunhoth et al., 2020). In addition, according to Laoudias et al. (2018), Global Navigation Satellite System (GNSS) receivers have high energy consumption requirements, which is draining on battery-powered devices such as smartphones, and require up to a few minutes to capture sufficient satellite signals, which is undesirable for time-critical applications. Given that people spend the majority of their time indoors (Davidson and Pich, 2017) and a rising demand for indoor positioning, especially in disaster management, it is hard to overstate the importance of indoor positioning. A wide variety of alternative technologies are used for indoor localisation, which include Bluetooth Low Energy (BLE), ultra-wideband (UWB), Wireless Fidelity (WiFi), Visible Light Communication (VLC) and more. Achieving high accuracy in indoor settings is difficult because of the heterogeneity of indoor spaces, frequent rearrangement of objects and obstructions, which hamper communication between localisation devices, and signal noise caused by these obstructions, which is hard to model. The security of IPSs is dictated by their infrastructure and positioning mechanisms, and a wide variety of these exist because no one solution satisfies all applications. One of the most popular positioning methods is fingerprinting because of its high positioning accuracy (Alhomayani and Mahoor, 2020), and most works on secure indoor localisation discuss solutions for fingerprinting-based systems, but papers for other methods can be found as well. This survey will be structured based on the most common localisation method categories presented in Fig. 1 and will discuss their corresponding security and privacy issues and possible solutions. Please note that this survey primarily covers RF-based positioning methods since the majority of papers found during literature review focused on them. However, we still present a summary of existing works on the security and privacy of other positioning systems, which include multimodal/hybrid systems, where we define “multimodal” as positioning that involves a combination of different communication technologies and/or methods. In general, we classify indoor positioning methods into two categories: collaborative and non-collaborative, where the former involve cooperation between localised and unlocalised nodes in localisation, while the latter only rely on the network infrastructure for positioning. Please note that we use “mobile” and “collaborative” interchangeably because we assume that in collaborative positioning, targets and anchors can move.

Fig. 1. Indoor positioning methods.

1.1. Contributions

In summary, the contributions of this survey paper are outlined as follows.

• A unique survey paper on indoor positioning security and privacy. Most survey papers on indoor positioning systems focus on accuracy and performance but do not take security and privacy into consideration. Although there are surveys on security and privacy of location-based services, they focus on the services rather than the positioning methods. This survey paper aims to fill the gap and complement the previous survey papers. To the best of our knowledge, this is the first survey paper that provides a comprehensive survey on the security and privacy issues for indoor positioning methods.
• An overview of the most recent works on secure indoor localisation methods. Indoor positioning is a swiftly evolving field with new works published frequently, so it is important to stay up-to-date with recent developments in the field. The majority of papers covered in this survey were published in or after 2017. To identify these papers, the systematic Preferred Reporting Items for Systematic Review and Meta Analysis (PRISMA) approach (Liberati et al., 2009) was used.
• Security and privacy of major indoor positioning methods. A major contribution of this paper is to categorise the positioning methods into two types: non-collaborative positioning methods (i.e., proximity-based, geometric and fingerprinting methods) and collaborative positioning methods, and study the security and privacy issues of each method, including possible solutions.
• Future research directions and work. Last but not least, we highlight future research directions and work on indoor positioning security and privacy. In particular, there should be more research work on collaborative positioning methods.

1.2. Organization

The rest of the paper is structured as follows. Section 2 gives an overview of the related work/surveys. Section 3 presents some motivational case studies and the research framework for the survey. Sections 4 and 5 discuss more specific security and privacy issues related to individual non-collaborative and collaborative methods, respectively. Section 6 discusses directions for future work on indoor positioning security and privacy. Section 7 gives concluding remarks and summarises key insights.

2. Related work/surveys

During the literature review, we considered survey papers on three major topics: indoor positioning, location-based services and IoT security. The work of Holcer et al. (2020) is most related to this survey as they also conducted a review of papers on location privacy in IPSs. However, 70% of the papers covered by the
survey employed WiFi fingerprinting, i.e., security and privacy of other positioning methods were not covered in-depth. Most survey papers on indoor positioning cover the positioning methods with little discussion on security and privacy. While there are survey papers on location privacy, they have limited coverage on positioning security and privacy specifically, i.e., they assume that the underlying positioning methods are secure. There are more survey papers on IoT security. However, their focus is also not on positioning security and privacy. Table 1 gives an overview of the surveys related to this paper. From the table, it can be seen that there is a strong need for a survey paper on indoor positioning security and privacy.

Table 1
Overview of related surveys from the literature.

Survey category: Indoor positioning privacy
Remarks: 70% of the papers they analysed employed WiFi fingerprinting, i.e., security and privacy preservation methods of other positioning approaches were not covered in-depth.
• Holcer et al. (2020): This survey analyses existing works on indoor positioning privacy and provides a classification of location privacy preservation mechanisms.

Survey category: Indoor positioning
Remarks: Limited discussion of indoor positioning security and privacy. Most surveys mention it as a future research area rather than discussing specific problems and solutions.
• Alhomayani and Mahoor (2020): This survey reviews works on deep learning for fingerprinting.
• Li et al. (2019b): This survey covers papers on outdoor and indoor localisation based on machine learning.
• Nessa et al. (2020): This survey discusses the latest machine learning tools for indoor positioning such as for reduction of noise and fusion.
• Roy and Chowdhury (2021): This survey gives an overview of machine learning techniques adopted in existing indoor positioning systems.
• Shi and Ming (2016): This survey studies recent works on UWB-based IPSs.
• Ridolfi et al. (2021): This survey focuses on UWB-based collaborative IPSs.
• Subedi and Pyun (2020): This survey is on smartphone-based IPSs and mostly focuses on fingerprinting.
• Davidson and Pich (2017): This survey describes indoor positioning methods for smartphones.
• Zafari et al. (2019): This survey provides a comprehensive overview of the latest works on indoor positioning systems and technologies.

Survey category: Location privacy in LBS
Remarks: Location privacy in LBS is different from location privacy in IPSs because the localisation process itself is not inherently secure.
• Chen et al. (2017a): This survey is on the security and privacy of LBS for IoT, where both indoor and outdoor systems are covered. The authors list issues and solutions and focus on both technical and legal aspects.
• Liu et al. (2018a): This survey gives a general overview of location privacy attacks and protection mechanisms.
• Jiang et al. (2021): This survey provides a detailed discussion of location privacy preservation mechanisms in LBS.

Survey category: IoT security
Remarks: These surveys discuss IoT security in general rather than focusing on indoor positioning.
• Mohanta et al. (2020): This review article lists security and privacy issues of IoT systems and presents solutions from the literature based on machine learning, blockchain and artificial intelligence.
• binti Mohamad Noor and Hassan (2019): This article reviews existing works on IoT security between 2016 and 2018.
• Neshenko et al. (2019): This article compares different IoT surveys and provides a taxonomy of IoT vulnerabilities.
• Hassija et al. (2019): This survey discusses security threats of IoT applications as well as existing and emerging technologies for addressing them, focusing on fog computing, edge computing, blockchain and machine learning.
• Al-Garadi et al. (2020): This article surveys machine learning and deep learning methods for supporting and enhancing IoT security.

2.1. Indoor positioning

In terms of indoor positioning surveys, many works have been published in recent years, some focusing on the use of machine learning (Alhomayani and Mahoor, 2020; Li et al., 2019b; Nessa et al., 2020; Roy and Chowdhury, 2021), some on UWB-based systems (Ridolfi et al., 2021; Shi and Ming, 2016), others on smartphone-based systems (Davidson and Pich, 2017; Subedi and Pyun, 2020). However, they either do not discuss security and privacy issues and solutions related to indoor positioning at all or simply cover them briefly and mention that more research needs to be done in this regard. For example, Zafari et al. (2019) included security and privacy in their IPS evaluation framework and argued that one of the reasons why IPSs are not adopted on a large scale is because of privacy. They explain that the reason behind the difficulty of incorporating security and privacy measures in IPSs lies in the energy constraints of participating devices, meaning that utilising conventional distributed or centralised key-based systems in IPSs is infeasible. However, in order to encourage more research in this direction, surveys are needed to give researchers an overview of current issues and existing solutions.

2.2. Location privacy in LBS

Surveys on location privacy in LBS are closer to the area of this survey’s interest as they cover issues and solutions specific to protecting location privacy. Most do not focus on indoor localisation, but Chen et al. (2017a) included a section on the security of non-GNSS positioning systems. Despite this, the authors did not cover the security and privacy concerns inherent in the localisation process itself. They discussed ways in which to protect location data, not considering potential security and data leakage issues during location estimation. Similarly, Liu et al. (2018a) provided a general overview of location attacks, adversaries and privacy preservation mechanisms, which partially overlaps with the issue of secure localisation because data used to obtain a location should be protected as well, so perhaps privacy preservation mechanisms employed for location privacy could be used in this case as well. Jiang et al. (2021) conducted a comprehensive review of privacy preservation methods in LBS, assessed their limitations and viability and found that cryptography-based methods provide the highest level of security and utility but are also highly computationally expensive.

2.3. IoT security

Finally, with regard to IoT security surveys, security and privacy in the IoT sector in general has been thoroughly investigated in recent years because of the considerable growth in the use of IoT devices. According to Mohanta et al. (2020), existing security protocols cannot be applied to IoT systems because they have different security vulnerabilities. The authors described security attacks in IoT systems and presented an overview of solutions based on artificial intelligence, machine learning and blockchain technology. Machine-learning-based solutions mostly focused on identifying security issues, while blockchain was mainly used for identity-based issues such as authentication, authorisation and trust management. Since IoT devices are not as computationally powerful as more sophisticated devices like smartphones and PCs, one of the most critical considerations in IoT security is the computational complexity of security interventions. In addition, since IoT networks are highly extensible, scalability should be considered as well. These insights are useful for context as IPSs are part of the IoT realm. However, the scope of IoT security surveys, e.g., by Al-Garadi et al. (2020), Hassija et al. (2019), binti Mohamad Noor and Hassan (2019) and Neshenko et al. (2019), is too wide for IPS security and privacy, i.e., they do not focus specifically on secure localisation.

Overall, it is evident that there is little work on indoor positioning security and privacy issues and solutions, so this paper aims to address this gap and complement the previous survey papers.

3. Case studies and research framework

Our overview of related work suggests that previously, researchers have focused on location privacy in LBS and improving accuracy in indoor positioning. However, security and privacy of IPSs in general and positioning methods in particular are equally important since the underlying localisation process itself is not inherently secure and privacy-preserving. In this section, we first present some motivational case studies or examples to illustrate why IPS security and privacy are important and then, based on findings from the related work and case studies, we set out the research questions and research framework of this survey.

3.1. Case studies

3.1.1. Asset localisation

Suppose that A is a patient at an intensive care unit in a hospital. His condition has just got worse, and he is in need of a life-critical medication. The nurse responsible for retrieving the medication searches for the location of the medication in the hospital database and finds that it has been misplaced. Then she opts to use the hospital’s medication localisation system based on BLE, which has been recently hijacked by B, who shuffled the BLE beacons. As a result, the system directs the nurse to an incorrect location,
leading to A’s premature death due to untimely medical intervention. The same problem (i.e., leading to wrong locations/positions) might apply to other scenarios such as the localisation of people in burning buildings, positioning of assets in warehouses and more.

3.1.2. Contact tracing

In general, whenever users consent to their data being collected by a service provider, this implies that the service provider will not use the data in ways users did not consent to, e.g., revealing their identity. A study by Narayanan and Shmatikov (2008) revealed that even with an anonymous dataset of movie ratings collected by Netflix, it is possible to de-anonymise records associated with a user identity if one knows some information about the user. Similarly, in contact tracing, there is a risk of de-anonymisation. For example, suppose that users A and B have a contact tracing app running in the background on their phones, and they come close to each other. Even if the users’ identities are protected, with enough data from other people’s submissions, it may be possible to de-anonymise A and B or infer that they were in proximity to each other (Cho et al., 2020). As a result, A and B could be tracked by malicious parties without prior consent.

3.1.3. Shopping mall navigation

Suppose there is a shopping mall that allows its customers to navigate the mall using a WiFi-fingerprint-based indoor positioning system that was designed by a contractor C. Whenever customers need to be localised, they use their smartphones to collect fingerprints from nearby access points and send them unencrypted to C’s server. This means that, for every customer that sends their fingerprints to the server, C is able to gain access to their location through its fingerprint database and will thus be able to use this sensitive information for its own purposes, e.g., unsolicited location-based marketing.

3.1.4. COVID-19 QR code check-in

Suppose there is a restaurant R that requires its customers to scan a QR code before entry to make sure their presence in the restaurant is recorded for COVID-19 control. One day an adversary replaced the QR code at the entrance of the restaurant with the QR code of a hospital H with a high number of COVID-19 cases. No one noticed the change since the adversary also replaced the QR code label with R’s name. However, from that day forward the restaurant’s customers were falsely recorded as visitors at H, meaning they could be labelled as close contacts of infected individuals in the hospital, even though they were never there.

3.2. Research questions

Based on the review of related work and the aforementioned case studies, it is evident there is an urgent need to investigate security and privacy preservation methods for indoor positioning systems, and the following research questions can thus be formed:

RQ1. What are the major indoor positioning methods and how can they be categorised? Fundamentally, we need to identify the major indoor positioning methods. Furthermore, it is important to study how they can be categorised. This aims to establish the foundation or framework for subsequent studies. In particular, it facilitates the identification and study of relevant security and privacy issues.

RQ2. What are the security and privacy issues for each method? As was mentioned previously, security and privacy issues for indoor positioning methods are not well covered in existing survey papers. There is a need to conduct a more comprehensive survey to identify these issues.

RQ3. What are the possible solutions to tackle these security and privacy issues? In relation to RQ2, there is also a need to study solutions to tackle the issues with the aim of developing secure and privacy-preserving indoor positioning methods for LBS with minimal impact on other performance metrics like accuracy and computational cost. Since indoor positioning systems are rising in demand, their security and privacy issues are becoming more pressing, as not only are they crucial for protecting user data, but they also directly determine the accuracy of indoor positioning, which has been the primary evaluation metric for indoor positioning systems. In other words, even if one develops an extremely accurate indoor positioning system, if measures are not taken to protect data used for positioning, the adversary can easily manipulate the data and thus compromise the system’s accuracy. Furthermore, the adversary can gain valuable insight into users’ locations just from this intermediary data used as input for the positioning algorithm, allowing him/her to track the victim, lead the victim to wrong locations, etc.

3.3. Research framework

To address the research questions formulated in Section 3.2, the PRISMA research framework (Liberati et al., 2009) was adopted. Four databases were used for collating sources for literature review:

1. Scopus (https://scopus.com/)
2. Google Scholar (https://scholar.google.com/)
3. IEEE Xplore Library (https://ieeexplore.ieee.org/)
4. ACM Digital Library (https://dl.acm.org/)

Various search strings were used for searching papers in the core databases, such as: “indoor AND (locali∗ OR positi∗) AND system AND (secur∗ OR priv∗)”. Only journal articles and conference papers in English related to indoor localisation security or privacy and published between 2017 and 2022 were included. Empirical studies with experimental results and survey papers relevant to at least one research question were considered. A total of 1342 records was found after combining search results from all databases, 956 records remained after removing duplicates, and 58 papers met the inclusion and eligibility criteria and passed the quality assessment.

Based on the papers found and other related studies, the following sections will present the survey in detail. Fig. 2 gives an overview of the survey framework and Table 2 highlights the key issues to be discussed in the subsequent sections. Basically, security and privacy issues identified during literature review have been categorised by positioning method type, i.e., proximity-based, geometric, fingerprint-based, collaborative proximity-based and collaborative geometric. Fig. 2 depicts the classification system for indoor positioning security and privacy that was developed based on issues identified during the literature review. It is a two-tier system, where the first tier is the overall issue category, i.e., confidentiality, integrity, authenticity or other, and the second tier is the entity that an issue pertains to, e.g., jamming attacks target communication links, whereas malicious node attacks target network nodes. The list seeks to present the major issues. Based on the list, the most vulnerable part of the indoor positioning process is its communication links, and most attacks are related to integrity issues. Table 2 gives an overview of which issues are applicable to which method type and which broad category they belong to, i.e., confidentiality, integrity, authenticity or other. It is evident that the privacy of the different parties involved in the localisation process is under threat in almost every method type, but existing studies focus more on client privacy. Signal attacks are also applicable to every method type, but some are more resilient than others. For example, detection of malicious nodes is more difficult in collaborative systems.


Fig. 2. Indoor positioning security and privacy issues.

Table 2
Positioning methods vs. security and privacy issues applicable to them. Abbreviations in the top row: P - proximity-based, G -
geometric, F - fingerprinting, CP - collaborative proximity-based, CG - collaborative geometric.

Issue category Issue name P G F CP CG

Confidentiality User location privacy (during localisation)    


Database privacy     
Reference node privacy    
Wireless eavesdropping     
Traffic analysis attack     
User location privacy (after localisation)     
Integrity Database corruption     
Distance estimation attacks    
QR code replacement 
Jamming attack     
Replay attack     
Data tampering     
Authenticity Malicious node attacks     
Collusion attack    
Other Replaying QR codes 
Resource draining  

Table 2 is also related to the motivational case studies or examples presented before. For example, the Asset Localisation case study demonstrates how geometric indoor positioning can be subject to authenticity and integrity issues. The case study in Section 3.1.2 relates to confidentiality issues in collaborative positioning, while the QR code case study serves as an example of integrity and authenticity issues in proximity-based positioning in line with our framework in Fig. 2. Finally, the shopping mall case was given to illustrate confidentiality issues in fingerprint-based positioning.

4. Non-collaborative positioning methods

This section describes non-collaborative indoor positioning methods and discusses their security and privacy issues, broken down step-by-step. Potential solutions from the literature are also covered. Please note the following assumptions:

• The server-to-target channel is over the Internet, and Internet security is not covered in this paper.
• The database-to-server channel is also over the Internet.
• Operations that happen locally, e.g., only on the server’s side or only on the target’s side, are assumed to be safe. Of course, they could be compromised by malware injection and adversarial attacks on the localisation software or the decoded input, but server and mobile security are beyond the paper’s scope.

Please note that we only list security and privacy issues that are the most relevant to the indoor positioning methods in question, i.e., we do not argue that there cannot be overlaps. A matrix of which attacks are applicable to which methods can be found in Table 2.


Fig. 3. Proximity-based indoor positioning illustration.

4.1. Proximity-based methods

4.1.1. Overview
The most basic type of indoor positioning is to assign a target’s location to a nearby reference point or object with known coordinates. This is referred to as proximity-based positioning, meaning that one or more reference points or nodes closest to the target are used to estimate its rough location. Some of the most common proximity-based indoor positioning methods are landmarking, closest neighbour and centroid localisation. They are similar in that they rely on the presence of reference points or nodes with known coordinates, but they differ in either the way they process these coordinates or the nature of the reference nodes. This section gives an overview of the aforementioned proximity-based indoor positioning methods, and the next section will discuss their security and privacy issues collectively.
Landmarking. Proximity-based localisation is the simplest positioning method, whereby the location of the target is deduced to be the location of the closest reference node in its range. A reference node does not have to be a transmitter. QR code landmarking is the simplest instance of proximity-based positioning, whereby the user simply scans the nearest QR code, which contains the coordinates of the location where the QR code is. It has found widespread use in recent years in contact tracing due to the COVID-19 pandemic to provide snapshots of people’s locations, meaning that QR code landmarking on its own is not capable of tracking people in real-time. However, QR code landmarking can also be used for more precise positioning. For example, Li and Huang (2018) designed an IPS where targets were equipped with special cameras with a depth sensor so they could estimate distances to nearby QR codes, which had their coordinates encoded in them, and run trilateration to localise themselves. Thus, the authors combined landmarking and trilateration in one system.
Closest neighbour method. The closest neighbour method is another proximity-based localisation method whose working mechanism is very similar to landmarking except that here, reference nodes are transmitters. For example, in most cases, these reference nodes are beacons. Fig. 3 gives an illustration of the closest neighbour method. The target receives signals from all reference nodes in its range and selects the location of the closest node as its own location estimate. In the client-side variation of this method (the blue arrow in the figure), the target estimates its own location locally, which poses fewer security risks since the target’s location is not communicated to external parties. In the server-based variation of this method (the red arrow in the figure), location estimation is delegated to a server, which queries a database to obtain the locations of reference nodes. Since there are more parties involved in localisation, this variation is less secure but may be the only option for some IPSs. Fig. 4 gives a more detailed workflow of proximity-based positioning for both variations. The closest neighbour method is usually used for use cases where room-level positioning accuracy is enough, i.e., when the owner of the system simply wants to know if someone is in proximity to some reference node in the network, e.g., a shop in a mall. Proximity is usually estimated using the Received Signal Strength Indicator (RSSI), i.e., the stronger the signal, the closer two devices are to each other (Hata, 1980).

Fig. 4. General workflow of proximity-based indoor positioning.

Proximity detection acts as the basis of contact tracing (please see Section 5.1.1 for an overview of contact tracing) but has its


own security and privacy challenges. For example, according to Buccafurri et al. (2021), even performing proximity testing is a violation of privacy in social networks because two people are not supposed to know that they are close, i.e., proximity tests must be performed in such a way that the identity of neither party is revealed. The authors proposed the use of k-anonymity in grid-based proximity testing to preserve user privacy. Many privacy-preserving contact tracing schemes can be found in the literature, e.g., by Järvinen et al. (2018), Ye et al. (2018) and Zhu et al. (2018), but this sort of proximity detection is different from proximity-based positioning because it is performed between mobile nodes whose locations are not disclosed.
The accuracy of proximity-based positioning depends on the distance between reference nodes, but, in general, the accuracy is much lower compared to other methods since location estimates are discrete, i.e., this method does not take into account how far away from the reference node the target is. It would seem that increasing the density of reference nodes would lead to an increase in positioning accuracy, but Ng et al. (2018) investigated the relationship between the number of reference nodes and positioning accuracy and found that accuracy goes down after the reference node deployment density reaches a certain threshold; in their study, the best results were achieved with a density of 5 beacons/m². Low accuracy is compensated by low cost, which stems from the fact that the number of reference nodes required for positioning can be as low as one, whereas in geometric methods, there is a requirement on the minimum number of anchors needed for positioning, which is three for multilateration (Zafari et al., 2019), two for multiangulation (Hou et al., 2018) and four for TDoA-based (Time Difference of Arrival) localisation (Krishnan et al., 2018). In addition, localisation accuracy of proximity-based localisation can be higher with a higher number of reference nodes if they are spaced out, which is not necessarily true for geometric methods (Heurtefeux and Valois, 2012).
Centroid localisation. As an extension of the closest neighbour method, a more accurate approach to localising an object based on the coordinates of neighbouring reference nodes is to take the average of their locations, which is referred to as centroid localisation (Kluge et al., 2020). The setup of reference nodes in this method is similar to the one illustrated in Fig. 3, except that all reference nodes contribute to the final location estimate instead of simply being disregarded, as is done in the closest neighbour method. Although this method is more accurate compared to the closest neighbour method, it still ranks lower compared to other positioning methods, i.e., geometric, collaborative and fingerprinting-based methods. A slight improvement to centroid localisation would be to take the weighted average of the reference nodes’ locations, assigning higher weight to nodes that are closer (Orujov et al., 2018), but the accuracy of weighted centroid localisation is still low (Subedi and Pyun, 2017).

Fig. 5. Trilateration example.

4.1.2. Security and privacy threats
This section delineates common security and privacy threats of proximity-based methods, seeking to give an overview of the security and privacy issues of these methods as a whole, and issues more specific to these methods will be discussed once to avoid repetition. Landmarking’s weaknesses are mainly related to QR code validity and misuse, whereas the other two methods’ issues lie in the reference nodes and communication links.
QR code replacement. This issue relates to QR code landmarking, whereby the adversary simply replaces the original QR code with another one containing malicious content or an incorrect location. This attack is hard to detect unless the landmarks are constantly monitored. Focardi et al. (2019) report that security threats stemming from malicious content stored in QR codes include phishing, malware propagation, SQL injections, QR code counterfeiting and more.
When it comes to solutions, QR codes can be secured using encryption, but schemes proposed in the literature score low on usability because of high computational overhead. Focardi et al. (2019) evaluated four usable QR code cryptographic methods: RSA (Rivest–Shamir–Adleman) (with 1024, 2056 and 3072 bits), Elliptic Curve Digital Signature Algorithm (ECDSA, with 256 bits), Hash-based Message Authentication Codes (HMAC) (with SHA-256, SHA-384 and SHA-512 (Secure Hash Algorithm)) and AES-128 (Advanced Encryption Standard), i.e., both symmetric and asymmetric cryptographic schemes were tried. In open environments, using asymmetric cryptography for QR codes would be difficult since it would require a sophisticated public key infrastructure like the one for the HTTPS protocol. However, in a closed environment, QR code readers can be configured to recognise select certificates. The authors found that digital-signature-based QR code decoding took 20–30 ms, which is orders of magnitude slower than symmetric-scheme-based decoding methods, meaning that incorporating an extra layer of security for QR code verification should not be problematic. Another attack in QR code landmarking is physical QR code corruption. This attack is much easier to detect since QR code scanning will simply not yield meaningful results or will simply not work, so in this case it would be recommended to allow users to report corruption cases through the localisation application and also physically shield QR codes from tampering.
Replaying QR codes. Another security issue relating to QR code landmarking is location faking, whereby users scan a QR code corresponding to a certain location but are actually not there. This can occur if users take a picture of the QR code or generate their own QR code with the same data and use it elsewhere.
One way to address this problem would be to use digital QR codes, update them regularly and include the validity period (p minutes) within the QR codes. This would ensure that users cannot fake their location for more than p minutes. A more reliable solution, which does not require dynamic QR codes, would be to verify the QR code location with the user’s GPS coordinates. Since this verification can take place locally, it should not impose additional security concerns. The two interventions can be combined for extra security.
Resource draining. This attack is related to proximity-based positioning methods where reference nodes are transmitters, i.e., centroid localisation and the closest neighbour method. It involves the


adversary introducing many additional reference nodes and making them transmit signals to the target, overwhelming it and slowing it down (Chan and Chung, 2021).
In terms of solutions, since disabling these additional nodes is out of the system’s control, it is only feasible to detect resource draining and physically remove the extra nodes. Sharma and Kumar Joshi (2019) designed an adaptive policy to detect resource draining by measuring energy consumption at individual nodes and checking if it exceeds a certain threshold. Of course, the target could simply count the number of beacons that it receives packets from, but if malicious beacons impersonate legitimate beacons by stealing their credentials, this is not possible. Another solution would be to simply count the number of incoming packets and disable positioning if this number exceeds a certain threshold. Even though the number of reference nodes in the target’s vicinity can be unlimited in proximity-based positioning, there should be a reasonable bound on the reference node density, which should be specified by the system designer.
Malicious node attacks. This threat also applies to methods where reference nodes are transmitters (i.e., this threat relates to step 1 in Fig. 4). Since these methods rely on communicating with reference nodes, it is crucial that the reference nodes are trustworthy and send correct data. If the target is responsible for its localisation, it needs to make sure that the incoming data is coming from legitimate nodes, e.g., by cross-checking with a local database that comes packaged with the localisation software. However, an adversary could steal a node’s ID, introduce a new transmitter with the same ID and even remove the legitimate node from the network. If the target observed the behaviour of all reference nodes, it could identify anomalous behaviour over time, but this is hard to do in one-shot localisation. In other words, the first major issue is reference node authentication, where a reference node refers to a network node with known coordinates. Another issue applicable to beacons is reshuffling, whereby the adversary simply swaps reference nodes, so location estimates are no longer correct (Chan and Chung, 2021).
Solutions for reference node attacks discussed in Section 4.2.2 are hard to apply in proximity-based positioning due to its one-shot nature and the simplicity of reference nodes. Usually, malicious node detection involves the analysis of the consistency of data passed between nodes, but in BLE-based positioning, for example, beacons are used as reference nodes, and they cannot communicate with each other since they only support transmission (Jeon et al., 2018).
To address this problem, receivers could be set up in the indoor space such that they collect measurements from the reference nodes periodically and send the data to a server, which will run a malicious node detection algorithm and send alerts to the system owner in case there is some suspicious behaviour in the network. This is similar to a spoofing detection system by Wu et al. (2020a), where a monitoring infrastructure was deployed to analyse BLE packets and detect anomalous packets based on “cyber features”, namely, the advertising pattern, operation state, and physical features, which include the advertising interval, the carrier frequency offset (CFO) and RSSI. CFO can be used to uniquely identify wireless devices due to imperfections in their radiofrequency circuits, while RSSI values can be used to uniquely identify the locations of wireless devices because RSSI values collected around the same location tend to be similar.
According to Wu et al. (2020a), most legacy BLE devices do not support firmware upgrades and thus cannot be updated to support encrypted communication, meaning a separate spoofing detection system may be needed, but modern BLE devices have their own in-built authentication scheme, which is described by Zhang et al. (2020b). There needs to be a way to protect the address of a BLE device from unauthorised access during broadcasting, and this can be achieved with the help of the Identity Resolving Key (IRK), which is a secret key shared between two devices. BLE devices have two types of addresses, public and random, and there are two types of random addresses: static and private. The public device address comprises two parts, each consisting of 24 bits, where the first part is the company ID and the second part is the ID assigned by the company. For the static random device address, it is generated randomly and remains unchanged during each power cycle. For the private random device address, it can be updated for each connection. The private random device address has two subtypes: a resolvable private address (RPA) and a non-resolvable private address, where the former is responsible for ensuring privacy in BLE communication. RPA is generated as follows (Zhang et al., 2020b):

$$\mathrm{RPA} = \mathrm{Hash}(N_{rand}, \mathrm{IRK}) \,\|\, N_{rand}, \tag{1}$$

where Hash is a hash function and $N_{rand}$ is a random number. The receiving device can only decode the sender’s address if it has access to the IRK used to generate the RPA. Since this is a more advanced security feature, it may not be available in all BLE devices, so, depending on the system, an external spoofing detection infrastructure may be needed.

Fig. 6. Visual guide to multiangulation using AoA (adapted from Hou et al. (2018)’s work).

Jamming attack. Jamming attacks are also relevant in positioning methods that rely on wireless communication. Osanaiye et al. (2018) define jamming as a form of the Denial of Service (DoS) attack, whereby the adversary transmits a high-range signal and thus deliberately injects noise, disrupting the communication channel between two devices. Jamming can also be unintentional and be caused by other factors such as ferromagnetic interference and collision. This physical-layer-level damage is more difficult to address and remains an open problem. Multipath fading is a major problem of indoor positioning, whereby the signal undergoes complex transformations as it travels towards the target, such as reflection, refraction and diffraction, and modelling these changes is extremely difficult due to their stochastic nature (Zafari et al., 2019).
Solutions to jamming attacks have been extensively covered in the literature, so a brief summary will be given in this paper. Pirayesh and Zeng (2022) provided a comprehensive survey of jamming attacks and possible countermeasures in wireless networks, including WLAN, BLE, RFID and ZigBee networks, which are applicable to indoor positioning. Anti-jamming techniques they suggest include


• channel hopping — switching data exchange between two devices to another channel (Djuraev et al., 2017) if one channel has been jammed,
• spectrum spreading — transmitting the signal over a larger bandwidth than necessary, which increases resilience against signal interference (Chapman et al., 2015),
• MIMO-based (Multiple Input and Multiple Output) jamming mitigation, which is based on filtering the noise out of the signal,
• channel coding — detecting and correcting bit errors in the signal (Faruque, 2016),
• MAC layer strategies, which involve adjusting the data rate and power control of wireless devices to prevent jamming,
• jamming detection schemes,
• learning-based techniques, i.e., using deep learning to optimise hardware design to minimise the risk of jamming.
Interested readers are referred to the original survey for more details on jamming attacks and possible countermeasures.
Relay attack. In methods where proximity detection is performed with the help of transmitter-based reference nodes (steps 2S and 1C in Fig. 4), it is possible for the adversary to relay signals coming from distant nodes, making them believe they are closer than they actually are, and this is referred to as the relay attack (Tu and Piramuthu, 2020). The relay attack is similar to the replay attack in that they both involve a message being passed through the adversary, but in the former, the adversary does not modify the message and simply relays it to deceive two devices about their distance from one another, whereas in the latter, the adversary’s goal is to falsify the data exchanged between the two devices.
Relay attacks remain an unsolved problem in indoor positioning. According to Tu and Piramuthu (2020), they are difficult to detect, and RFID/NFC-based applications are especially vulnerable. They conducted a literature review of extant works on solutions to relay attacks and found that the use of ambient conditions and distance bounding were the main defense mechanisms proposed by researchers. Distance bounding protocols are implemented at the physical layer and are thus non-trivial to integrate in a wireless network as they require special hardware. They are discussed in more detail in Section 4.2.2. Moreover, the implementation depends on the communication technology, e.g., WiFi, BLE, UWB, and using different types of data. Wang et al. (2019a) evaluated four of them in terms of security: average RSSI, round-trip time (RTT), GPS coordinates and lists of WiFi access points detected by two devices that claim to be in each other’s range. They established that these features were resilient against relay attacks, meaning that these measurements should be similar if two devices are close to each other, and a similarity threshold can be calculated before localisation to detect anomalous measurements. For example, even though RSSI values fluctuate significantly, at 1-meter distance, they range within a stable interval. However, a fake anchor node can simply transmit incorrect location information but produce real inter-node signal measurements, i.e., be at the same distance as it claims to be. In this case, the target should not rely on location data provided by reference nodes since they can always be hijacked, so a solution here would be to either have reference node locations embedded in the localisation software or ask a less vulnerable entity, i.e., a database server, to provide them. In addition, Pietrzak (2020) proposed a cryptographic approach to addressing replay and relay attacks in contact tracing protocols called “delayed authentication”, which is based on comparing timestamps between the sender and the receiver.
Replay attack. Another issue related to centroid and closest neighbour methods is the security of the signal as it travels to the target (this threat also relates to step 1 in Fig. 4). The signal could be intercepted by an adversary, modified and sent to the intended recipient of the message, and this is referred to as the replay attack (Alrababah et al., 2017). In the context of proximity-based positioning, the adversary could modify data packets sent by the reference nodes, e.g., modifying their locations or IDs, which would make the target obtain an incorrect location estimate or fail to obtain one altogether because of the wrong IDs, respectively.
One of the simplest ways to address this issue is to include a timestamp in the original packet and verify whether the difference between the time at the receiver and the timestamp at departure is within an acceptable range (Sharma and Hussain, 2017), e.g., an RFID-based object tracking system by Anandhi et al. (2019) implemented a timestamp-based approach to prevent replay attacks. However, this method requires clock synchronisation between all devices in the network, which is difficult to achieve because of device heterogeneity. There are other ways to detect replay attacks suggested by the authors, such as attaching sequence numbers to data packets and making sure a consecutive order is maintained in the packets the target receives, receiver authentication protocols, whereby the sender only sends its packets when the receiver is authenticated, etc., but these methods cannot be used with beacons since they are not capable of performing complex computations and can only act as transmitters.
Another solution suggested in the literature is the use of authentication. According to a survey of authentication mechanisms in IoT networks conducted by Alrababah et al. (2017), authentication protocols typically rely on the presence of a server. Based on their literature review, they broadly classified authentication techniques against replay attacks into the following categories: (1) hashing the Message Authentication Code (MAC) of the sender, (2) asymmetric encryption, (3) timestamp-based, (4) symmetric encryption with a shared secret key. For example, Feng et al. (2017) proposed an authentication scheme for resource-constrained IoT networks where clock synchronisation across all devices is difficult to achieve, with a novel challenge-response scheme based on session key agreement, which achieves mutual user authentication, so that legitimate nodes reveal the identity of malicious nodes and reject their packets. Their scenario is similar to proximity-based positioning networks because beacons are also constrained in their computational capabilities and energy consumption. To minimise the computational burden on resource-constrained nodes, the scheme proposed by the authors requires a powerful gateway node, which is responsible for detecting replayed messages. A problem with this configuration is that this gateway node will be a single point of failure and can also be attacked by the adversary, but gateways are more difficult to attack compared to beacons.
Reference node privacy. In closest neighbour and centroid methods, which rely on transmitter-based reference nodes, the privacy of reference nodes may need to be preserved, which is discussed in Section 4.2.2 (steps 3S and 2C in Fig. 4). It would seem that concealing the locations of anchor nodes is redundant, but, first, it depends on the application requirements and, second, disclosing the locations of anchor nodes can give the adversary an additional advantage in compromising the network, e.g., the adversary can pinpoint the anchor nodes more easily or impersonate the positioning server by tricking target devices with its ground truth anchor location knowledge, that is, if anomalous server behaviour detection is integrated in the client-side localisation software. However, based on the previous discussion on replay attacks, since reference nodes’ locations can be corrupted by the adversary on their way to the target, it is not recommended to retrieve reference node locations from reference nodes.
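For the QR code landmarking threats in Section 4.1.2, the two mitigations described there (authenticating the code's content against replacement, and embedding a validity period of p minutes in a regularly refreshed code against replay) can be combined in one payload. The sketch below is an added example, not code from the paper or from Focardi et al.; it uses HMAC-SHA256, one of the schemes that study evaluated, and the field names, the 30-second clock tolerance and the assumption that the key is held only by the code generator and a trusted verifier are illustrative.

```python
import base64
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 tag is 32 bytes
CLOCK_SKEW_S = 30  # assumed tolerance between display clock and verifier clock


def make_qr_payload(key, landmark_id, x, y, issued_at, validity_minutes):
    """Build the string to encode in a (digital, refreshed) QR code.

    The body carries the landmark coordinates plus the issue time and the
    validity period p; the tag binds all of them to the secret key.
    """
    body = json.dumps(
        {"id": landmark_id, "x": x, "y": y, "iat": issued_at, "p": validity_minutes},
        sort_keys=True,
        separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def verify_qr_payload(key, payload, now):
    """Return (status, fields). fields is None unless status == "ok".

    status is one of: "ok", "malformed", "bad-tag", "not-yet-valid", "expired".
    """
    try:
        raw = base64.urlsafe_b64decode(payload)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed", None
    if len(raw) <= TAG_LEN:
        return "malformed", None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]

    # Replacement check: a swapped or edited code cannot carry a valid tag.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "bad-tag", None

    # The body is only parsed after it has been authenticated.
    fields = json.loads(body)

    # Replay check: a photographed code stops verifying after p minutes.
    if now < fields["iat"] - CLOCK_SKEW_S:
        return "not-yet-valid", None
    if now > fields["iat"] + fields["p"] * 60:
        return "expired", None
    return "ok", fields


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    key = bytes(range(32))
    t0 = 1_700_000_000
    code = make_qr_payload(key, "lobby-03", 12.5, 3.0, t0, validity_minutes=5)
    print(verify_qr_payload(key, code, now=t0 + 120))   # fresh scan
    print(verify_qr_payload(key, code, now=t0 + 3600))  # photo reused an hour later
```

A code that verifies is still only as fresh as its validity period, which is the p-minute bound the text describes; a symmetric key also means any party able to verify can mint codes, so verification belongs on a trusted component.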


Fig. 7. Geometric-method-based positioning illustration.

4.2. Geometric methods

4.2.1. Overview
Geometric methods refer to indoor positioning methods that collect geometric data from a fixed number of anchor nodes (please see Fig. 7 for an illustration), such as distances or angles at which the signal departs or arrives, that allows them to infer the positions of target nodes. Fig. 7 shows three anchor nodes, but the number of anchor nodes varies depending on the method. Similar to the proximity-based methods’ diagram (Fig. 3), the red arrow shows the sequence of operations for server-based positioning, whereas the blue one is for the client-based version, i.e., when positioning happens locally, in which case the locations of anchor nodes are sent to the target from the anchors themselves or can be sent from the database to the target. Most geometric methods are range-based, meaning they rely on inter-node distance estimation. Their distinguishing feature is that they rely on anchor nodes whose positions must be known. Geometric methods are more flexible than fingerprinting because they usually do not rely on an external database. Instead, positioning is performed based on received signal characteristics, e.g., RSSI, Angle of Arrival (AoA), Angle of Departure (AoD), etc., and both the target and the positioning server can be responsible for converting this data to a location estimate. If positioning is performed on the client-side, as in GPS, then it is more secure because the data is not shared with any external entities. However, the data exchanged between anchors and the target can be intercepted, so it should be protected. One way of doing this is using encryption, but there must also be a way of verifying whether the encrypted information has not been tampered with by the adversary. Some of the most commonly used geometric indoor localisation methods are multilateration, multiangulation and TDoA-based positioning. Compared to fingerprinting, these methods are more lightweight and can be run on the client-side but are typically delegated to the server-side because these methods usually rely on a database of the locations of all anchor nodes, which is stored on a server (Alanwar et al., 2017).
Multilateration. One of the simplest and widely applied geometric methods is called multilateration, which is based on finding a set of coordinates that produces distances to anchor nodes that are as close to the real reported distances to corresponding anchor nodes as possible. This can be conceptualised as follows (Duong and Thi, 2021):

$$\begin{cases}
\sqrt{(x - x_1)^2 + (y - y_1)^2} = d_1 \\
\sqrt{(x - x_2)^2 + (y - y_2)^2} = d_2 \\
\quad\vdots \\
\sqrt{(x - x_n)^2 + (y - y_n)^2} = d_n
\end{cases} \tag{2}$$

where $(x, y)$ are the coordinates of the target in 2D space, $(x_i, y_i)$ are the coordinates of anchor node $i$, $d_i$ is the distance between the target and anchor node $i$ and $n$ is the number of anchors, which should be at least three (Fig. 5 illustrates an example of trilateration).
This non-linear set of equations is usually transformed into linear form and is formulated as a least squares optimisation problem, the solution to which is $(x, y) = (A^T A)^{-1} A^T b$ (Alanwar et al., 2017):

$$\begin{aligned}
(x, y) &= \arg\min_{t = (x, y) \in \mathbb{R}^2} \|At - b\|^2 \\
A &= \begin{bmatrix} 2(x_2 - x_1) & 2(y_2 - y_1) \\ \vdots & \vdots \\ 2(x_n - x_1) & 2(y_n - y_1) \end{bmatrix} \\
b &= \begin{bmatrix} x_2^2 + y_2^2 - d_2^2 - (x_1^2 + y_1^2 - d_1^2) \\ \vdots \\ x_n^2 + y_n^2 - d_n^2 - (x_1^2 + y_1^2 - d_1^2) \end{bmatrix}
\end{aligned} \tag{3}$$

Multiangulation. Multiangulation also relies on anchor nodes and requires that their locations are known, but instead of distances, it is based on the angle the signal departs or arrives with, depending on whether AoD or AoA is used, respectively. At least two nodes are needed to localise the target using the following set


of equations (Hou et al., 2018):


tan θa = ya −y
xa −x
yb −y (4)
tan θb = xb −x

This set of equations is based on Fig. 6. AoAs are θa and θb if an-


chor nodes act as transmitters, otherwise, AoAs are βa and βb be-
cause of tan’s periodicity. The system of equations is solved for the
coordinates of the target, i.e., (x, y ). Not all technologies support
AoA/AoD, and, similar to distance estimation, AoA/AoD estimation
is also subject to error because of signal interference in indoor set-
tings and other factors (Lehtimaki, 2018).
TDoA-based localisation. TDoA is similar to multilateration in that it also relies on solving a matrix of equations based on Euclidean distance between the target and anchor nodes, but it is predicated on the idea that the difference in signal travel time between the target and node i and signal travel time between the target and node j is proportional to the difference in distance from the target to nodes i and j. This can be expressed as a matrix of equations as follows (Wu et al., 2019):

$$
\left| d_{(i,\mathrm{target})} - d_{(j,\mathrm{target})} \right| = c\,|t_i - t_j| = \left| \sqrt{(x_i - x_{\mathrm{target}})^2 + (y_i - y_{\mathrm{target}})^2} - \sqrt{(x_j - x_{\mathrm{target}})^2 + (y_j - y_{\mathrm{target}})^2} \right| \tag{5}
$$

for each $i \in \{1, \ldots, n\}$, $j \in \{1, \ldots, n\}$, $i \neq j$,

where $c$ is the speed of the signal, $d_{i,k}$ is the distance between nodes i and k, $(x_i, y_i)$ are the coordinates of node i, $t_i$ is the time the signal takes to travel between the target and node i and $n$ is the total number of anchor nodes. $t_i$ is also called the Time of Flight (ToF), which can be calculated using different techniques such as Two-Way Ranging (TWR) and Time of Arrival (ToA). The system of equations is solved for $x_{\mathrm{target}}$ and $y_{\mathrm{target}}$ to obtain the location of the target. The accuracy of this method depends on inter-node distance estimation accuracy, i.e., $d_{i,k}$, as well as the accuracy of ToF estimation. In addition, some ToF estimation techniques require precise time synchronisation across the network (Carotenuto et al., 2020).

Fig. 8. General workflow for geometric algorithms.
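A worked instance of Eq. (5), added here as an illustration and not taken from the survey or the works it cites: a Gauss-Newton least-squares solver that uses signed time differences against the first anchor (an implementation choice of this example). The room layout, target position and 10 ns timing skew are constructed values, and the leftover residual is this example's own consistency check on the ranging data.

```python
import math

C = 299_792_458.0  # signal speed c in Eq. (5); a radio signal is assumed


def arrival_times(anchors, target):
    """Constructed measurements: travel time t_i from the target to each anchor."""
    return [math.dist(a, target) / C for a in anchors]


def _residuals(anchors, times, x, y):
    """Signed form of Eq. (5) against anchor 0: (d_i - d_0) - c (t_i - t_0)."""
    d = [math.hypot(x - ax, y - ay) for ax, ay in anchors]
    res = [(d[i] - d[0]) - C * (times[i] - times[0]) for i in range(1, len(d))]
    return d, res


def solve_tdoa(anchors, times, guess, iters=100, tol=1e-10):
    """Gauss-Newton least squares for (x_target, y_target).

    Returns the estimate and the norm of the leftover residuals in metres.
    """
    x, y = guess
    for _ in range(iters):
        d, res = _residuals(anchors, times, x, y)
        a11 = a12 = a22 = b1 = b2 = 0.0
        for i, r in enumerate(res, start=1):
            # Partial derivatives of (d_i - d_0) with respect to x and y.
            jx = (x - anchors[i][0]) / d[i] - (x - anchors[0][0]) / d[0]
            jy = (y - anchors[i][1]) / d[i] - (y - anchors[0][1]) / d[0]
            a11 += jx * jx
            a12 += jx * jy
            a22 += jy * jy
            b1 += jx * r
            b2 += jy * r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            raise ValueError("anchor geometry is degenerate at this estimate")
        # Solve (J^T J) delta = -J^T r for the 2x2 normal equations.
        dx = -(a22 * b1 - a12 * b2) / det
        dy = -(a11 * b2 - a12 * b1) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < tol:
            break
    _, res = _residuals(anchors, times, x, y)
    return (x, y), math.sqrt(sum(r * r for r in res))


def demo():
    anchors = [(0.0, 0.0), (10.0, 0.0), (10.0, 10.0), (0.0, 10.0)]  # constructed
    target = (3.0, 7.0)  # constructed ground truth
    clean = arrival_times(anchors, target)
    est_clean, res_clean = solve_tdoa(anchors, clean, guess=(5.0, 5.0))

    skewed = list(clean)
    skewed[2] += 10e-9  # 10 ns timing error on one anchor, about 3 m of range
    est_skew, res_skew = solve_tdoa(anchors, skewed, guess=(5.0, 5.0))
    return {
        "clean_error_m": math.dist(est_clean, target),
        "clean_residual_m": res_clean,
        "skewed_error_m": math.dist(est_skew, target),
        "skewed_residual_m": res_skew,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.6f}")
```

With four anchors the system is overdetermined, so a single inconsistent time measurement leaves a non-zero residual that a positioning server can monitor; with only three anchors there is no redundancy and the error passes unnoticed.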
4.2.2. Security and privacy issues and solutions

This section gives an overview of the security and privacy issues related to geometric positioning methods and provides solutions from the literature. These attacks relate to the entities involved in the positioning process, which are illustrated in Fig. 7. The figure shows there is a fixed number of anchor nodes with known locations, similar to proximity-based methods, but the way these locations are processed to obtain a location estimate is more complex with geometric positioning. Geometric methods also support server-side positioning, in which case, apart from the target and the anchor nodes, security and privacy threats related to the IPS server as well as the database server should be addressed. Anchor nodes are vulnerable to malicious node attacks but they can be different from those in proximity-based positioning and are thus discussed in this section, along with the privacy of anchor nodes. Replay attacks are also relevant in geometric positioning, and we assume that anchor nodes in geometric methods are also not capable of performing complex computations required for authentication, so solutions discussed in Section 4.1.2 are also relevant to geometric methods. Since indoor positioning involves the communication of multiple entities, communication links between them must also be secured, so the jamming attack and distance estimation attacks are discussed in this section as well. Multilateration and TDoA are range-based, meaning that they rely heavily on the veracity of distance estimates to anchor nodes, which can be compromised by the adversary, and possible remedies to this problem are discussed here as well.

Anchor node privacy. Equations (3) and (5) show that geometric methods rely heavily on anchor node locations (this issue is related to steps 1S and 1C in Fig. 8). Privacy-preserving indoor localisation literature usually focuses on protecting the localising agent as well as the target, but protecting the locations of the anchor nodes may also be necessary (Alanwar et al., 2017), e.g., to minimise the risk of giving an additional advantage to the adversary. The importance of anchor node privacy is more apparent in collaborative positioning because targets can also become anchors after being localised, and this is discussed in Section 5.2.2.

A few works can be found in the literature that present solutions to the issue. For example, Alanwar et al. (2017) transformed multilateration into privacy-preserving polyhedra-based localisation, whereby each anchor’s ranging circle is represented by a polyhedron instead of the anchor’s location and ranging distance, which is constructed by calculating the normal vectors of each polyhedron’s facets. Thus, no sensitive information is revealed about the anchor nodes because the position of a polyhedron in the 2D space is unknown and is defined by a vector of offsets, which is encrypted. The target’s location is obtained by finding the intersection of multiple polyhedra received from the anchor nodes. The use of computationally expensive encryption-based privacy preservation can be avoided by using a form of information hiding called Privacy-Preserving Summation (PPS).

Another example is the work of Shi and Wu (2018), who decomposed the least squares formulation of TDoA-based localisation (for both active and passive localisation scenarios) into basic summation form and used PPS to hide anchor and target locations without encryption. According to the authors, this method does not have a negative impact on accuracy but does not provide sufficient privacy protection and has a high communication overhead.


Fig. 9. Fingerprinting overview: the offline phase.

Jamming attack. Data-layer security can be ensured using cryptographic methods. However, these measures are not resilient against physical layer attacks, which depend on the nature of the signal. Examples include introducing physical obstacles between two devices, deliberate ferromagnetic interference and more. Another variation of signal interference is corrupting the signal itself, making it difficult to decode. This can be accomplished with jamming attacks, whereby the adversary deliberately reduces the signal-to-noise ratio by overwhelming the communication channel with electromagnetic interference, thus disrupting or stopping signal transmission altogether (Hymlin Rose and Jayasree, 2019).

Regarding security measures for jamming attacks, these could be taken at the hardware level but are expensive and difficult to implement (Pestourie et al., 2019). For example, Pirayesh et al. (2021) proposed a ZigBee receiver resilient to radio jamming attacks that can decode the signal despite the noise. Other physical layer solutions were briefly covered in Section 4.1.2. Since geometric methods are more sophisticated compared to proximity-based methods, more rigorous solutions to the jamming attack can be considered. For example, Li et al. (2019a) suggested the use of a multi-voting system, whereby localisation is performed with the help of all access points instead of relying on individual nodes, where each vote is given a weight. Hymlin Rose and Jayasree (2019) designed a jamming detection technique based on sensor node clustering and timestamp analysis. If the timestamp exceeds a certain time limit, transmission is re-launched through an alternative route. Jamming protection depends on the type of data that needs to be derived from the signal.

Distance estimation attacks. Multilateration and TDoA are range-based methods, meaning that their accuracy is directly determined by the accuracy of inter-node distance estimations, which can also be compromised by the adversary. Tippenhauer et al. (2015) listed the following inter-node distance estimation attacks (a prover is a device sending the signal and a verifier is the receiving device):

• Distance hijacking: the prover does not have malicious intentions but is manipulated by an adversary to make the verifier underestimate the distance from itself to the adversary (Cremers et al., 2012).
• Distance fraud: the prover acts as an adversary and tries to make the verifier underestimate the distance to the prover (Singelee and Preneel, 2005).
• Terrorist fraud attacks: the prover acts as an adversary and conspires with another adversary to make the verifier underestimate the distance to the prover (Desmedt, 1988).
• Mafia fraud: an adversary tries to make the distance between the verifier and the prover shorter (Desmedt, 1988).

These attacks are a variation of one problem: compromised ranging. However, there are many distance estimation techniques, e.g., based on RSS, ToF, Channel State Information (CSI), PDoA, and they are not equally resilient to distance estimation attacks. For example, ToF-based estimation is resilient against the amplify attack, as opposed to RSS-based estimation (Avoine et al., 2018). Security aspects specific to each distance estimation technique are discussed in the next section. The relay attack is common to many distance estimation techniques and involves the adversary introducing a fake node between two nodes that are not within each other’s range and relaying data between them, leading them to consider the other to be closer than it actually is. This way, the verifier mistakes the attacker to be the prover since it assumes that being connected to a device means it is the prover (Wang et al., 2019a).

One way to address distance estimation attacks is to use distance bounding authentication to make sure that distance estimates are realistic. Distance bounding algorithms vary depending on the communication technology because they are implemented in the physical layer and thus require special hardware support (Tippenhauer et al., 2015), but the original distance bounding protocol proposed by Brands and Chaum (1994) will be presented here to give an overall idea of distance bounding. Suppose P is a prover and V is a verifier. First, V selects a nonce $m$, and then P sends a message $c$ to V bit by bit, where each bit is represented as $c_i$, at time $t_i^{sP}$. V receives $c_i$ at time $t_i^{rV}$, calculates $r_i = c_i \oplus m_i$ and sends it to P at time $t_i^{sV}$. In turn, P receives $r_i$ at time $t_i^{rP}$. These values are recorded until the bilateral bitwise message exchange is complete, at which point V reveals $m$ to P so that P can calculate $d_{max} = \max_i (t_i^{rP} - t_i^{sP})/2v$, where $v$ is the speed of signal propagation and $d_{max}$ is the maximum distance a bit took to travel between P and V. This generates a threshold that defines which distance estimates are considered valid, i.e., if the threshold is exceeded, the estimate is less likely to be trusted. Of course, the threshold could not be completely accurate as maximum distance estimation may not capture the true maximum, so the accuracy depends on message length. In addition, this definition assumes that the processing delay at V is negligible, i.e., $t_i^{sV} - t_i^{rV} < \epsilon$, but if this assumption is dropped, the adversary can operate with a lower processing delay, producing valid distance estimates. According to Tippenhauer et al. (2015), wireless signals travel at extremely high speeds, so a delay on the order of microseconds can allow the adversary to act within a window of approximately a couple of hundred meters.

Liu et al. (2018b) state that noise inherent in wireless communication indoors can be leveraged to prevent the adversary from detecting communication between two devices, thus precluding communication link attacks altogether. To do this, a node should convert its traffic into low-rate traffic with a degree of randomness and a long duration, so that the probability of detection by the adversary is reduced. However, this method is not foolproof and has issues such as determining a practical privacy rate. According to Singh et al. (2017), it was believed that only short-range communication can be secure because transmitters are limited in their output power, and that is why UWB ranging is more secure compared to other types of ranging, i.e., because of its short pulses. The shorter the symbol lengths, the higher the resilience against distance shortening attacks, but this comes at the cost of lower ranging capability, i.e., the signal reach is lowered. However, a modulation scheme proposed by the authors was shown to achieve secure ranging without compromising UWB’s ranging performance at longer distances, meaning that longer-distance ranging can also be secured.

Method-specific attacks. As discussed above, there are different methods for distance estimation purposes, such as RSSI-based, phase-based and time-based. This section discusses security issues specific to each method. As was mentioned previously, correct inter-node distance estimation is critical to the positioning accuracy of geometric methods.

• RSS-based distance estimation. According to Avoine et al. (2018), RSS- and AoA-based distance bounding protocols are among the least secure ones because the adversary can increase the signal strength, which is known as the amplify attack (Ranganathan and Capkun, 2017), or construct special antennae to fabricate incorrect measurements. Ranganathan and Capkun (2017) confirm this and elaborate that RSS-based distance estimation is vulnerable to amplify attacks, whereby the adversary simply amplifies the signal at the transmitter, making the receiver believe it is closer to the transmitter than it actually is. To address this issue, intrusion detection should be performed.
• Phase-based distance estimation. Phase-based distance estimation is also susceptible to relay attacks, whereby the attacker intercepts communication between two devices, captures the prover’s signal and, after a certain delay, forwards it to the verifier such that the phase difference rolls over the maximum value ($2\pi$), making the verifier believe it is in proximity to the prover, even though it could be more than 50 m further (Ólafsdóttir et al., 2017).
• Time-based distance estimation. Stocker et al. (2020) state that it has recently become popular to investigate the use of time-based distance estimation in UWB-based positioning systems because of its better security potential. ToF- and ToA-based distance estimation is more secure compared to RSSI-based distance estimation because it relies on signal travel time estimation, which cannot be controlled by the adversary since the signal cannot travel faster than the speed of light (Leu et al., 2020). However, even though time-based distance estimation raises the bar for the adversary, it is still susceptible to other attacks.
  Time-based distance estimation is vulnerable to the Cicada attack, in which the attacker predicts the preamble and payload data with 99% accuracy, leveraging systems that rely on deterministic signaling with predefined data, continuously sends a “1” signal to the verifier at a higher power than the prover, meaning the attacker’s signals arrive earlier, making the verifier believe these signals are part of the legitimate stream of bits from the prover and thus making it underestimate the distance. To prevent this attack, the use of predefined data during distance estimation should be avoided to reduce the degree of predictability.
  Another security issue related to time-based estimation is early detect and late commit attacks, where the attacker takes advantage of the robustness of modern UWB receivers and transmits random signals until he/she can learn the pattern of the symbol if it is long enough and commit to transmitting correctly predicted bits (late commit). Bits can be predicted correctly even before receiving the entire message (early detect) (Clulow et al., 2006). To prevent these attacks, symbol lengths should be as short as possible so that the attacker does not have enough time to learn the pattern. Ranganathan and Capkun (2017) report that even a symbol length of 32 ns can allow the attacker to lower the distance estimate of the verifier by 10 m.
  In terms of solutions from the literature, Leu et al. (2020) proposed a secure ToA-based ranging scheme that uses Message Time of Arrival Codes (MTAC), which is a triple of probabilistic polynomial-time algorithms (Gen, Mtac, Vrfy) that is used to verify whether a message arrival time has been tampered with. Other security measures adopted for ToA estimation are Scrambled Timestamp Sequence (STS) and the Ciphered Sequence (CS), which are expected to become part of the IEEE 802.15.4z standard, according to Stocker et al. (2020). The authors also state that these measures are also often coupled with distance bounding. The accuracy of ToA-based distance estimation is contingent on the precision of clock synchronisation across all IPS participants, which should be performed securely as well using a shared key for a three-way secure handshake, as discussed in the authors’ work. As for TWR, according to Leu et al. (2020), TWR-based ranging has in-built distance bounding, but since it hampers the scalability of UWB-based positioning, TWR is becoming a less popular choice in favour of techniques like ToA, which do not have in-built distance bounding. Physical layer security considerations for TWR-based distance estimation for other communication technologies might be different, e.g., Schepers et al. (2021) gave suggestions for WiFi fine timing measurement.
• Angle-based data. Angle-based data like AoA and AoD mainly suffer from estimation noise. To address this issue, Abdelaziz et al. (2016) designed an MLE-based (maximum likelihood estimation) AoA estimator under the jamming attack based on the CSI matrix, which is not supported by smartphones. However, more work is needed on the security vulnerabilities of AoA- and AoD-based positioning.

Data tampering. Data tampering refers to changing data used for localisation. To understand this problem, one suggestion would be to consider data tampering in wireless sensor networks (WSNs), which are similar to IPSs in that they rely on wireless networks and also need to localise their nodes. According to
Huang et al. (2021), data tampering is a significant issue in WSNs because one of their primary goals is to minimise the consumption of their limited resources, which include bandwidth, memory and energy, which comes at the cost of increased security risks. Since indoor positioning systems are typically wireless, data tampering poses a security threat to them as well. Malicious parties typically tamper with base stations’ data, leading them to make incorrect inferences or decisions. Since WSNs are left unattended, they become attractive targets for adversaries.

One solution to data tampering is to adopt a fault diagnosis algorithm based on sensor measurements (Zhang et al., 2018b), which, in the context of indoor positioning, would be data such as RSSI, AoA, AoD, ToF, etc. Majority voting was shown to be an optimal fault detection strategy in WSNs (e.g., Muhammed and Shaikh, 2017), and, since it only uses local sensor measurements, does not consume much energy. Majority voting is predicated on the fact that sensor measurements of neighbouring nodes are similar, so if every node exchanges its sensor data with its neighbours and calculates their similarity scores, it can compute the number of neighbouring nodes that its sensor data is consistent with and divide it by the total number of neighbours. Let this proportion of consistent nodes in the neighbourhood be $p$. A node is marked as normal if $p$ exceeds a certain threshold $\theta \in [0.5, 1]$; other nodes are flagged as faulty. This can also be done in indoor positioning using fingerprints, e.g., RSSI fingerprints. However, as was discussed in Section 4.1.2, inter-node signals can be disturbed with physical interference, thus generating false positives, meaning that legitimate positioning network nodes can be flagged as faulty, which would be a dire problem for positioning targets since they are the primary users of the positioning system but could be banned from the positioning framework.

Muhammed and Shaikh (2017) provided a taxonomy for WSN fault detection methods and broadly classified them into three categories: centralised, distributed and hybrid. Since the proportion of compromised nodes to the total number of nodes is typically very small, distributed methods are generally preferred, and they are further categorised into neighbourhood-based (majority voting, majority weight), statistic (time-series analysis, descriptive statistics, Bayesian statistics), probability (Bayesian), self-detection, soft computing (machine learning (clustering or a neural network)) and cloud-based methods. More details pertaining to each method can be found in the original paper.

Malicious node attacks. Indoor localisation systems rely on a network of devices that exchange signals via a variety of different communication technologies, such as WiFi, BLE, infrared and ultrasound, and usually these networks are wireless. Both wired and wireless networks suffer from many security vulnerabilities, and IPSs are no exception. Since all positioning systems rely on the communication of network nodes, be it targets or anchor nodes, it is integral to ensure that these nodes are not compromised and can be trusted because they directly influence positioning accuracy. In the case of geometric methods, for example, if some anchor nodes are taken over and configured to transmit incorrect measurements, positioning results will be incorrect. Major network-related security pitfalls applicable to indoor positioning are listed below:

• Node capturing attack: reprogramming existing network nodes to exhibit malicious behaviour (Kaur and Saxena, 2017).
• Replication attack: creating a replica of a legitimate network node (with the same identification number) and adding the replica to the network (Kaur and Saxena, 2017).
• Wormhole attack: a low-latency link is established between two malicious nodes, confusing legitimate nodes about the actual distance between one another; the majority of the network traffic is thus directed through the malicious nodes, creating a bottleneck and allowing the adversary to access data directed through the network (Dutta and Singh, 2019).
• On-off attack: configuring malicious nodes such that they send wrong data intermittently, i.e., not all the time, to reduce the probability of detection (Nasution et al., 2020).
• Newcomer attack: a malicious node previously excluded from the network changes its identification number and re-enters the network as a new node (Chen et al., 2017a).
• Conflicting behaviour attack: malicious nodes send partially correct information, e.g., correct identifier but wrong location (Hu et al., 2018).
• Sybil attack: a malicious node disguises itself under different identifiers to escape discovery (Mishra et al., 2019).
• Spoofing attack: a malicious node forges its identity to compromise the network, e.g., by launching DoS attacks (Pinto et al., 2018).

In terms of solutions, one approach is to identify malicious nodes and ignore their data. Yessembayev et al. (2018) proposed a method for identifying malicious nodes by analysing incoming data, clustering their readings and finding outliers. A more advanced approach for spoofing detection was proposed by Guerrero-Higueras et al. (2018), who trained different machine learning models to detect whether a UWB-based localisation network for autonomous robots had been compromised by a DoS attack or spoofing based on signal measurements from beacons collected by robots. Arul Selvan and Selvakumar (2019) also designed a malicious node detection algorithm but for mobile ad hoc networks.

Another way to detect malicious nodes is to check for the presence of redundant nodes, and an overview of duplicate node detection methods can be found in Numan et al. (2020)’s work. According to them, redundant node detection methods vary depending on the network architecture, and centralised approaches are less effective but also less computationally expensive compared to distributed methods. One example of a centralised redundant node detection method, originally designed by Brooks et al. (2007), is by means of random key distribution, whereby each node gets assigned a random key, and if some nodes’ keys exceed a certain threshold value, they are discarded. In general, centralised approaches rely on collecting data from all nodes and sending it to a base station, which checks node IDs for duplicates. An example of a decentralised redundant node detection approach is PRCD by Pan et al. (2019), whereby the network is divided into clusters, and one node in each cluster is picked as the cluster head, which is responsible for detecting nodes with duplicate IDs.

Usually, security methods in wireless networks are high-level and mainly rely on encryption, meaning that node identity is verified based on the sender’s ID in the received packet, but the adversary can steal legitimate nodes’ IDs and send seemingly valid packets. Node authentication based on digital signatures could be implemented to address this issue, but in recent years, physical-layer-level security of wireless signal transmission has drawn more attention from researchers because data-layer protection assumes that the signal traveling between two devices is legitimate. The idea behind this is that random perturbations in the signal are leveraged to authenticate nodes in the network, i.e., a likelihood of the random perturbations corresponding to a certain node is calculated after a training phase, like in fingerprinting. According to Bai et al. (2020), RF-fingerprint-based authentication schemes are highly resilient as it is extremely difficult to modify physical RF signal features in a short time but feature variations are very small and thus require sophisticated algorithms for feature extraction and authentication. Similarly, Hua et al. (2018) recently proposed an authentication approach for WiFi access points based on identifying access points by their CFOs derived from the CSI matrix, which are unique and difficult to manipulate.
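The timed bit exchange summarised earlier in this section under "Distance estimation attacks", simulated as an added example (not code from the survey or from Brands and Chaum). The distance formula is read here as half the round-trip time multiplied by v; the bit strings, distances, delays and the 10 m bound are constructed values, and all function names are this example's own.

```python
import random

V = 299_792_458.0  # signal propagation speed v in m/s (radio signal assumed)


def timed_exchange(m_bits, c_bits, distance_m, proc_delay_s=0.0,
                   relay_delay_s=0.0, round_gap_s=1e-3):
    """Simulate the bit-by-bit exchange and return the log kept by P.

    Each round: P sends c_i at t_sP, V replies r_i = c_i XOR m_i after
    proc_delay_s, and P receives the reply at t_rP. relay_delay_s models
    latency added in each direction by equipment sitting between the devices.
    """
    one_way = distance_m / V + relay_delay_s
    log = []
    for i, (c, m) in enumerate(zip(c_bits, m_bits)):
        t_sP = i * round_gap_s
        t_rV = t_sP + one_way
        t_sV = t_rV + proc_delay_s
        t_rP = t_sV + one_way
        log.append({"c": c, "r": c ^ m, "t_sP": t_sP, "t_rP": t_rP})
    return log


def d_max(log):
    """Largest distance implied by any round: max_i (t_rP - t_sP) / 2 * v."""
    return max((e["t_rP"] - e["t_sP"]) / 2.0 * V for e in log)


def accept(log, revealed_m, bound_m):
    """Decision once m is revealed: every reply must match and d_max must fit."""
    replies_ok = all(e["r"] == e["c"] ^ m for e, m in zip(log, revealed_m))
    return replies_ok and d_max(log) <= bound_m


def delay_as_distance(delay_s):
    """Distance error produced by a round-trip delay that is not accounted for."""
    return delay_s * V / 2.0


def demo(bound_m=10.0):
    rng = random.Random(7)  # constructed bit strings
    m = [rng.randint(0, 1) for _ in range(32)]
    c = [rng.randint(0, 1) for _ in range(32)]
    cases = {
        # Devices 5 m apart, negligible processing delay.
        "honest": timed_exchange(m, c, distance_m=5.0),
        # Same devices, but V needs 1 microsecond to compute each reply.
        "slow_verifier": timed_exchange(m, c, distance_m=5.0, proc_delay_s=1e-6),
        # Devices 60 m apart bridged by a relay that adds 50 ns each way.
        "relayed": timed_exchange(m, c, distance_m=60.0, relay_delay_s=50e-9),
        # Replies produced without knowledge of m (complemented nonce).
        "wrong_nonce": timed_exchange([1 - b for b in m], c, distance_m=5.0),
    }
    return {name: (d_max(log), accept(log, m, bound_m))
            for name, log in cases.items()}


if __name__ == "__main__":
    for name, (dist, ok) in demo().items():
        print(f"{name:14s} d_max = {dist:9.3f} m  accepted = {ok}")
    print(f"1 us of delay is worth {delay_as_distance(1e-6):.1f} m")
```

The slow_verifier case shows why the negligible-delay assumption matters: one microsecond of processing is indistinguishable from roughly 150 m of extra distance, so any delay budget built into the bound is slack that a faster responder can use.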
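The majority-voting check described under "Data tampering" above, applied to RSSI fingerprints as an added example (not code from the survey or the cited works). Node names, positions, fingerprints, the 4 m neighbourhood radius and the 5 dB tolerance are constructed; using Euclidean distance between fingerprints as the similarity score is an assumption of this example.

```python
import math


def majority_vote(fingerprints, positions, radius_m, tol_db, theta=0.5):
    """Neighbourhood majority voting over RSSI fingerprints.

    For each node, p is the share of its neighbours (nodes within radius_m)
    whose fingerprint lies within tol_db of its own. A node is normal if p
    exceeds theta, otherwise it is flagged as faulty.
    Returns (p_by_node, faulty_nodes).
    """
    p_by_node, faulty = {}, set()
    for node, fp in fingerprints.items():
        neighbours = [
            other for other in fingerprints
            if other != node
            and math.dist(positions[other], positions[node]) <= radius_m
        ]
        if not neighbours:
            p_by_node[node] = None  # nobody to vote with; leave undecided
            continue
        consistent = sum(
            1 for other in neighbours
            if math.dist(fingerprints[other], fp) <= tol_db
        )
        p = consistent / len(neighbours)
        p_by_node[node] = p
        if not p > theta:
            faulty.add(node)
    return p_by_node, faulty


def demo():
    # Constructed sample: six nodes in one room, RSSI in dBm from three APs.
    positions = {
        "n1": (0.0, 0.0), "n2": (2.0, 0.0), "n3": (0.0, 2.0),
        "n4": (2.0, 2.0), "n5": (1.0, 1.0), "n6": (1.0, 3.0),
    }
    fingerprints = {
        "n1": (-50.0, -62.0, -70.0),
        "n2": (-51.0, -61.0, -71.0),
        "n3": (-49.0, -63.0, -69.0),
        "n4": (-52.0, -62.0, -70.0),
        "n5": (-30.0, -62.0, -70.0),  # tampered: first AP reported 20 dB high
        "n6": (-58.0, -70.0, -78.0),  # honest node behind an obstacle
    }
    return majority_vote(fingerprints, positions, radius_m=4.0, tol_db=5.0)


if __name__ == "__main__":
    p_by_node, faulty = demo()
    for node in sorted(p_by_node):
        state = "faulty" if node in faulty else "normal"
        print(f"{node}: p = {p_by_node[node]:.2f} -> {state}")
```

The tampered node n5 is flagged, but so is n6, whose readings are merely attenuated: this is the false positive caused by physical interference that the text warns about.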


Fig. 10. Fingerprinting overview: the online phase (this figure is connected to Fig. 9).

4.3. Fingerprinting

4.3.1. Overview

According to Zafari et al. (2019), fingerprinting refers to an indoor positioning method that involves collecting signal measurements between the target and network nodes and mapping them to a location in a database of signal measurements collected beforehand based on measurement similarity. It consists of two phases: an offline phase and an online phase. In the offline phase (Fig. 9), the indoor space is mapped with equidistant reference locations, and at each location, signal measurements are collected, which creates a unique signature for that location. In the online phase (Fig. 10), measurements are collected from the signal travelling between the target and network nodes and compared against fingerprints in the database prepared in the offline phase. The basic assumption of this method is that signal measurements around a reference location are similar, so if the target collects signal measurements that are similar to a reference location of the offline fingerprint database, it can be predicted to be there. One popular type of signal measurement is RSSI, which measures the strength of the signal when it arrives at the receiver, which could be a network node, such as a WiFi router, or a target, e.g., a smartphone. The closer the target is to a certain node, the higher the signal strength (Hata, 1980), which means that signal strength readings will be higher for certain network nodes in a certain location and lower for others, creating a unique fingerprint.

This method’s performance relies heavily on the presence and quality of the offline database, and most security threats associated with this method try to target this weakness. In terms of data privacy, emphasis is often placed on user privacy, but the protection of the fingerprint database should also be ensured because the owner of an IPS may not want to disclose reference locations and data about network nodes to other parties. The former type of privacy shall be referred to as “client privacy”, and the latter shall be named “server privacy”. According to Yang and Järvinen (2018a), a system is said to be server-secure if the adversary cannot generate a database $D'$ that can provide the same mapping between online fingerprints and locations as the real database $D$ in polynomial time. In other words, the distance between a location $l'$ obtained with $D'$ and a location $l$ obtained with $D$ should not exceed a distance threshold $\rho$. Client privacy is defined as the inability to distinguish between a random location and an actual user location of a user in polynomial time.

Most papers on fingerprint-based IPS security and privacy adopt the so-called “semi-honest server” model, meaning that the server follows the protocol honestly but is still curious about users’ locations. However, Yang and Järvinen (2018a) argue that existing models for privacy-preserving IPSs underestimate the power of the adversary, which motivated them to devise a new formal unilateral-malicious security model for IPSs based on WiFi fingerprinting. The unilateral-malicious setting is weaker than the fully malicious model but stronger than the traditional semi-honest model.

4.3.2. Security and privacy issues and solutions

Based on literature review, the majority of works on indoor positioning security and privacy discuss issues in fingerprinting-based systems. Many papers have focused on fingerprint privacy, which is related to preventing the positioning server from gaining access to the target’s location, both implicitly (during localisation) and explicitly (after localisation). This section discusses major security and privacy issues related to fingerprinting found in the literature based on the flowcharts in Fig. 9 (offline phase) and Fig. 10 (online phase). Note that other attacks, which were discussed in the previous sections, namely, malicious node attacks (Section 4.2.2), may also be applicable to fingerprinting. The focus of this section is to discuss fingerprinting-specific security and privacy issues.

User location privacy (during localisation). Since fingerprinting algorithms usually run on a server, user location privacy preservation is especially important in fingerprinting. In the literature, LBS servers are generally regarded as a malicious party (e.g., Jiang et al., 2021; Liu et al., 2018a), and the same extension can be made to IPS servers since there is also no guarantee that they will not abuse positioning data. Localisation could be delegated to the client side, making it more secure since data needed for localisation does not have to be exchanged with external parties, but this would imply that, for database-based methods such as fingerprinting, the client would need to be given access to the database, which can be large and would go against the server privacy principle, which
states that server-side data should not be disclosed to external parties. Assuming that fingerprints can be transmitted to the server safely without any perturbation, they should be concealed from the server so the server cannot associate a user’s identity with a location but can still send a location estimate to the user such that he/she is the only one able to access it.

One way to protect indoor positioning data is to use local differential privacy, as was proposed by Kim et al. (2018). Local differential privacy is a data protection approach used during data collection, which involves carefully injecting random noise into the original data and sending perturbed data to a data collection server. Formally, this can be defined as follows:

$$\frac{\Pr[A(v_i) = O]}{\Pr[A(v_j) = O]} \le e , \qquad (6)$$

meaning that a randomised algorithm $A$ is said to satisfy  -differential privacy if and only if the probability that $A$ will return the same output $O$ for all pairs of the sender’s data $v_i$ and $v_j$ does not exceed a certain threshold $e$ . Because this method relies on noise injection, localisation accuracy is compromised as a result (Shi and Wu, 2018). Selective obfuscation is also predicated on noise injection but assumes that network nodes are fully abiding and do not disclose their noise values to other nodes, which may not be the case if they are configured to exhibit malicious behaviour by the adversary (Alanwar et al., 2017). Zhao et al. (2018b) combined differential privacy with k-anonymity for location data protection, which is efficient but the latter cannot be used if there is only one user. Some systems may need to combine fingerprints of a different nature, and Zhang et al. (2022) proposed a differentially private fusion method for WiFi and BLE fingerprints using differentially private graph Laplacians with noise injection, which also comes at the cost of lower positioning accuracy. Another solution is the use of homomorphic encryption, i.e., performing computation on encrypted fingerprints, and this is discussed in the database privacy section. To make sure localisation results are only accessible by the intended recipients, an authentication scheme is needed, such as the one proposed by Yoo and Barriga (2017). They added a certificate authority for issuing pseudo-certificates and private keys to users for anonymous authentication.

Database corruption. One of the major security threats of fingerprinting is database corruption, which refers to any activity that compromises the quality of data in the database. Fingerprinting performance largely relies on the quality of its database, so ensuring the quality of the data and its integrity is crucial to ensure high accuracy. However, data quality and integrity can be compromised, either deliberately or because of other factors like environmental noise and human error. Possible causes of database corruption are listed by Chen et al. (2017a). Some indoor positioning systems delegate the task of database construction to users via crowdsourcing, e.g., as was done by Santos et al. (2021), but they are usually not trained in how to collect fingerprints and may not be inclined to invest their time into producing high-quality measurements, so human error is a significant factor. To address the problem of human errors, usually robots that travel along a pre-programmed path can be used to collect fingerprints, as was done by Luo and Hsiao (2019) and Kolakowski (2021), for example. Of course, robots can also be attacked, but robot security is beyond the scope of this paper. Another major threat in crowdsourcing is that the adversary may intentionally manipulate the measurements and send incorrect data to the database, e.g., wrong mapping between MAC addresses of network nodes and RSSI values. If the adversary continuously sends corrupted measurements to the server, the entire database will be compromised, lowering localisation accuracy. Yang and Järvinen (2018b) revealed a variation of this attack called the chosen fingerprint attack, whereby the adversary can corrupt the entire database by simply sending special fingerprints, e.g., all-zeroes.

To address the problem of invalid fingerprints, either provided deliberately or by error, automated outlier detection can be implemented, which can be accomplished using the Hampel filter, k-Nearest Neighbours (k-NN) (distance-based outlier detection), sparsity-based outlier detection (Khalajmehrabadi et al., 2017) and other schemes, e.g., Li et al. (2020) or Yu et al. (2019). The same method can be applied to robot-based crowdsourcing. In general, outlier detection is predicated on the fact that fingerprints collected around the same reference location tend to be similar, so if a clustering algorithm is applied to the offline database, outliers can be detected as fingerprints that are farthest from cluster centres. To detect tampering after database construction, Tiku and Pasricha (2019) suggest running sanity checks on the database by calculating its checksum and comparing it to the original checksum. As for outlier detection in the online phase, i.e., during positioning, Guan and Harle (2018) proposed a method for doing this based on localisability evaluation to improve positioning accuracy as one-shot fingerprints may not always be representative of the target’s location. Their method facilitates the evaluation of online fingerprint quality and determining when to stop scanning.

Anchor node security. Other than the offline fingerprint database, another major source of vulnerability of fingerprinting is its anchor nodes. When collecting fingerprints during the offline phase, it is assumed that signals coming from anchor nodes are legitimate, i.e., the signal measurements for generating the fingerprints are accurate. This would mean that it would be difficult to detect whether certain fingerprints correspond to their actual locations while performing outlier detection on offline fingerprints since the adversary could have configured anchor nodes to transmit incorrect measurements. For example, the adversary can take over some anchor nodes, make them transmit signals at a higher power during the offline phase, creating an illusion of proximity to anchor nodes that are not actually close and then re-configure them back to their original transmission power during the online phase, which would lead to incorrect location estimates.

To prevent this from happening, one solution is to evaluate the trustworthiness of access points when constructing fingerprints to filter those that have been hijacked or broken. Note that this method also accounts for accidental failure of anchor nodes, i.e., damage does not have to be deliberately inflicted by a malicious party. This is useful in unsafe environments, e.g., during earthquakes. For example, Luo et al. (2018) designed a system that analyses RSSI values collected from access points and updates the fingerprint database with trusted fingerprints, so the database is dynamic. They observed that the fluctuation of RSSI values of compromised nodes is higher than that of normal nodes. Wang et al. (2021) adopted a similar approach in their system, where they maintain a dynamic fingerprint database by selecting the most reliable access points based on confidence intervals.

Alternatively, the collecting device can keep a local database of ground truth anchor node coordinates, calculate the distance from itself to each anchor node and verify whether the distance estimate is consistent with the signal readings received from the anchor nodes. If a certain threshold is exceeded, the collecting device can send an alert to the system owner with the identities of the suspicious nodes. Impersonation attacks are also a major issue, whereby the adversary can introduce new nodes to the network and disguise them as legitimate anchor nodes by stealing other anchors’ IDs.

One way to protect the database from invalid inputs coming from adversaries is authentication, meaning that the database should be configured such that it does not accept inputs from non-registered devices. According to Tiku and Pasricha (2019), a typical fingerprinting database stores three pieces of data: MAC addresses of network nodes, coordinates of reference locations and signal readings for each location. The IPS server should make sure that signal readings come from nodes registered in the database, and security methods discussed in Section 4.2.2 can be used to ensure this.

Database privacy. As discussed previously, protecting the fingerprinting database from external parties is also important. Even if the adversary does not tamper with the data, simply revealing the data can raise security/privacy issues because the database may contain sensitive data. Most papers on privacy preservation mechanisms for indoor positioning focus on user location privacy preservation, but fingerprint database privacy is also significant as the adversary could use it to localise other users by intercepting their localisation queries and finding matches for the fingerprints in the database. Yuan et al. (2018) demonstrate how an adversary can recover the original database in a WiFi-based IPS by pretending to be a regular user, issuing localisation queries from many different locations, averaging them and recording them. They show that the resulting database can be constructed with a high degree of similarity to the original database. The adversary can then incorporate fake WiFi routers into the network to impersonate existing nodes and use the database to configure their transmission power such that localisation results issued by the IPS server are altered.

To protect the database from unauthorised access, the database as well as online fingerprints can be protected by means of encryption (Wang et al., 2019b). However, to ensure double-blind localisation, i.e., where the privacy of both the server and the client are preserved, the fingerprinting method must be revised such that it works on encrypted data. According to Yang and Järvinen (2018b), this can be achieved using fully homomorphic encryption, Paillier homomorphic encryption (PHE) (e.g., Alanwar et al., 2017; Li et al., 2016), Yao’s Garbled Circuit (GC) (e.g., Hussain and Koushanfar, 2016) or the combination of Paillier encryption with GCs, which are computationally expensive and difficult to implement. Researchers have put more extensive effort into optimising PHE, which is a probabilistic cryptography scheme that relies on the addition of two encrypted values and the multiplication of the ciphertext by the plaintext, which are presented next (Alanwar et al., 2017).

$$\begin{aligned} D_{sk}\, E_{pk}(a) \;\;\; E_{pk}(b) &= D_{sk}\, E_{pk}(a + b) = a + b, \\ D_{sk}\, a \;\;\; E_{pk}(b) &= D_{sk}\, E_{pk}(a \times b) = a \times b, \end{aligned} \qquad (7)$$

where $D_{sk}$ is a decryption function with a secret key $sk$, $E_{pk}$ is an encryption function with a public key $pk$, $a$ and $b$ are plaintext values,  denotes encrypted value addition and  denotes multiplication of a plaintext value by a ciphertext value. These operators can be extended to be used on matrices as well. The security of this scheme is based on the Decisional Composite Residuosity assumption (Paillier, 1999).

As mentioned earlier, these operations are impractical for real-time positioning. One optimisation method was suggested by Wu et al. (2020b), who used a BayesNet-based partitioning method, whereby the fingerprint database was divided into partitions and stored on different devices. BayesNet was used to identify which cluster the target’s fingerprint belonged to, and then localisation was performed using that partition and secure multi-party distance calculation, thus reducing the computational cost. In another system named PILOT, Järvinen et al. (2019) proposed outsourcing computationally expensive operations to two semi-trusted non-colluding third parties and using custom circuits depending on the distance metric. Similarly, Nieminen and Järvinen (2021) presented a privacy-preserving indoor positioning system where both the service provider and the client were protected and where they demonstrated that, with a number of optimisations, the use of Paillier encryption and GCs was practical, which is consistent with Yang and Järvinen (2018b). Other recent mutually privacy-preserving solutions using Paillier encryption were provided by Zhang et al. (2020a) and Hu et al. (2022). Another optimisation designed by Richter et al. (2018) is based on quantising RSS values to reduce the computational overhead and minimise loss in positioning accuracy.

User location privacy (after localisation). Since this paper focuses on the security and privacy issues directly related to the positioning process, more emphasis is made on user location privacy during localisation, but an overview of location privacy-preserving mechanisms (LPPMs) will still be provided here. Location privacy in location-based services is important because users’ locations must be protected against unauthorised access, including the LBS server.

In their survey, Jiang et al. (2021) broadly classified LPPMs into four categories: (1) privacy-policy-based, (2) obfuscation-based, (3) cryptography-based and (4) cooperation- and caching-based. Privacy-policy-based mechanisms rely on obtaining consent from users on privacy policies that constrain the LBS provider and other parties in their access to location data. Obfuscation-based mechanisms rely on hiding the mapping between a user’s identity and his/her location by such means as cloaking, differential privacy, mix zones, dummy locations and path confusion. Cryptography-based mechanisms (e.g., space transformation, private information retrieval, multiparty computation) hide sensitive information using encryption rather than injecting noise in the data, as is done in obfuscation-based mechanisms. LPPMs from the last category operate by minimising communication with untrusted parties by means of caching historical data and using it for future LBS queries.

Overall, these LPPMs are similar to those for user location privacy during localisation, meaning that these can be extended to work on data not just in fingerprinting, but also in other positioning methods, to prevent the server from gaining access to raw location estimates. However, this would require amending the methods so they can work with obfuscated or encrypted data, meaning more research should be done on this.

4.4. Others

4.4.1. Overview

Non-collaborative indoor positioning methods are not limited to the three categories discussed before. In recent years, the use of multiple technologies in the same IPS has been gaining attention as the combined strengths of these technologies can further enhance positioning accuracy. The main focus of this survey is on RF-based technologies for indoor positioning because this is currently the mainstream approach. Nevertheless, this section still provides an overview of security and privacy issues applicable to positioning systems that make use of non-RF technologies or combine different technologies and/or methods (i.e., multimodal positioning methods). Please note that certain solutions presented here are not necessarily related to indoor positioning directly, especially for vision-based approaches, because there are limited papers on the security and privacy of multimodal positioning.

Indoor positioning technologies can be classified into the following categories (this classification was inspired by Brena et al. (2017)’s work): light-based (e.g., VLC, infrared), sound-based (e.g., acoustic sound, ultrasound), RF-based (e.g., RFID, WiFi, BLE, UWB, ZigBee) and communication-free technologies (e.g., computer vision, IMU, magnetic field). They can also be combined to support multimodal positioning, which is a challenging area for future research. In terms of context, it is necessary to also describe two localisation modes that are distinguished in the literature: passive and active, where the former means that localisation is performed by the localisation network, while the latter means that localisation happens on the client-side, i.e., the target is responsible for its own localisation (Zafari et al., 2019). These modes are
applicable to most communication technologies, and security and privacy issues depend on the localisation mode. Next, a summary of individual communication technologies in the context of indoor positioning will be provided.

• Light-based technologies. Light-based communication technologies make use of light as a means of communications, whose nature varies depending on where it appears on the electromagnetic spectrum. They have relatively high positioning accuracy but cannot penetrate walls so can only be used for room-level localisation (Zhuang et al., 2018). Similar to other technologies, they are based on the transmitter-receiver model, whereby a receiving device derives positioning data from light emitted by a transmitter such as an infrared LED.
• Sound-based technologies. Sound-based communication technologies include acoustic signal and ultrasound, where the former is within the audible spectrum. Similar to light-based technologies, they are only applicable to room-level positioning as sound cannot penetrate walls and also operates based on the transmitter-receiver model, except that here the carrier of positioning data is sound.
• RF-based technologies. The advantage of these technologies is that they are imperceptible, unlike the previous two categories, meaning that they cannot be perceived by human senses. In addition, they can penetrate walls, making them a popular choice for indoor positioning. However, they are also subject to ferromagnetic interference, leading to low positioning accuracy.
• Communication-free technologies. These are technologies that do not rely on inter-device communication but can nevertheless be used for indoor localisation, such as IMU, computer vision and magnetic field sensing.

4.4.2. Security and privacy issues

In this subsection, we discuss selected examples of security and privacy issues of the other methods (i.e., non-RF-based positioning methods) as well as multimodal positioning methods. Basiri et al. (2017) assessed the level of privacy of different communication technologies and argue that the highest level of privacy is achieved when the amount of communication in the network is minimised and when localisation is performed on the client-side, as is done with GPS. The lowest level of privacy is when localisation is performed by a third party and is then sent to the client, e.g., localisation using surveillance cameras. Therefore, the network architecture plays a significant role in the security and privacy of IPSs, meaning that client-side localisation should be encouraged and can itself be a privacy preservation measure. This section lists issues specific to other methods, as defined in Section 4.4.1.

User identity privacy. Some IPSs gain access to more sensitive information due to the architecture and technologies they use. For example, in vision-based device-free positioning, user identity is revealed to the server through images. One way to address this problem was proposed by Santo et al. (2017), who designed a device-free indoor positioning system, whereby the target did not carry any tags or devices to participate in the localisation process. Instead, infrared cameras with embedded infrared LEDs were installed in the room to detect reflections off of markers attached to walls when a person passed through. Fingerprinting-based and geometric positioning methods were then employed using these reflected signals to localise the person. The cameras can filter out visible light, meaning that the privacy of the person was preserved. The authors achieved an accuracy of 30 cm on average with fingerprinting. This is a promising solution but may be problematic for delivering location-based services since the system must know which device requested its services. Every detected entity can be assigned an ID and remotely monitored by the system administrator, e.g., nurses in an elderly care home, but for location-based services, there needs to be a way to connect backend associations with actual clients.

Another vision-based solution was proposed by Zhao et al. (2018a), where cameras with single-pixel colour sensors were used to remove contextual information about the target such as colour, shape and size and only give the system access to the centroid of the object. However, again, the problem of individualised localisation remains. User identity privacy preservation can also be achieved using seismic signals caused by footsteps, as was done by Chen et al. (2017b), who used machine learning to distinguish footsteps from noise and employed TDoA to pinpoint the origin of the seismic signal. This type of localisation may not be suitable for all LBS since location estimates are not associated with individual targets. These technologies can be combined with other indoor positioning technologies for multimodal positioning and better privacy, which is a promising research area to explore.

Another concern related to user identity privacy is the privacy of ambient sound, e.g., voices, music, etc. Carter et al. (2020) also raised this issue in the discussion of their system based on ultrasound, which requires users to use microphones on their smartphones. Such systems can work in the background and thus record sensitive data. The authors argue that as long as the sensitive data is not communicated with external parties, i.e., stays on the user device, this configuration should not pose privacy issues. To add an extra layer of privacy, the sound data should be stored in processed form, as suggested by Bahle et al. (2021), so that it cannot be converted into its original form.

User location privacy (during localisation). Another solution to the user identity privacy issue is to switch to active localisation by letting the target collect information about its surroundings and then submit it to the server for localisation if necessary, e.g., with computationally heavy computer vision models, but that way the server gains access to the location of the target. For example, Gu et al. (2017)’s system combines magnetic and WiFi fingerprints and requires users to capture pictures of their surroundings and download a subset of the fingerprinting database from the server based on the images so that localisation can be performed locally. However, submitting pictures of a user’s surroundings is also a violation of privacy unless the pictures are encoded such that the server cannot deduce the user location, as is done by Dusmanu et al. (2021), for example.

One solution for location privacy preservation in image-based localisation for robots was proposed by Geppert et al. (2022), which can be extended to other indoor positioning scenarios. In their solution, multiple servers were employed, where each stored a certain dimension of the map of the space, meaning that the client needed to submit localisation queries to each server and reconstruct its location locally. This ensures that no server can gain access to the client’s location.

Another viable solution is to convert images captured at the target into a privacy-preserving representation, as suggested by Dusmanu et al. (2021), who developed a new image representation method based on mapping a descriptor point P in a vector space S to an affine subspace of S that passes through P. The authors suggest their approach poses a marginal computational burden and strikes a balance between accuracy, privacy and computational overhead. This is similar to using encrypted fingerprints to protect users’ location privacy, so this approach can be generalised to other communication technologies, i.e., not just vision-based positioning.

Finally, as was mentioned previously, one more privacy-preserving measure to undertake is to minimise communications in the IPS and perform localisation on the client side, e.g., as was done by Li and Rashidzadeh (2019), who used acoustic signal for fine positioning and BLE for coarse positioning, and Qiu and
Mutka (2017), who used acoustic signal to correct location estimates generated with dead reckoning. Both of these are examples of multimodal positioning. If the IMU is embedded in the client device, e.g., a smartphone, then PDR can be said to be a privacy-preserving method as long as its measurements are not shared with external parties.

Indoor space privacy. Another entity whose privacy may need to be preserved is the indoor space itself, e.g., in a military site or a private property. This issue is relevant to IPSs that make use of computer vision since cameras can capture more sensitive information such as people’s faces, license plates, etc., unlike other indoor positioning technologies. In the model training phase, Yonetani et al. (2017) designed a privacy-preserving approach to train visual learners using images containing sensitive information. Models are first trained locally on each device containing training images, and then they are encrypted and sent to a central server, which aggregates all models using homomorphic encryption without the need to reveal the weights of the original models. This approach is only applicable to the training phase. In the prediction phase, Speciale et al. (2019a)’s method can be used, i.e., where there is a need to conceal images of the environment supplied to the server for localisation. They transformed the indoor space from a 3D point cloud to a 3D line cloud to protect the appearance of the indoor space from the server. However, this method does not address the problem of concealing images submitted as part of localisation queries from the server, so Speciale et al. (2019b) presented a similar privacy preservation mechanism for image-based localisation, whereby 2D points in localisation query images are converted into 2D lines, precluding the server from being able to deduce objects in the images. Shibuya et al. (2020) discussed that these methods are too computationally expensive for continuous localisation, so they proposed their own approach for privacy-preserving visual SLAM. Based on this discussion, RF-based technologies seem to be better for user identity privacy protection since they do not deal with sensitive data like sound or images. However, for systems that rely on indoor maps of RF signal data, additional measures may need to be taken to protect the maps from the IPS server itself since it is considered honest but curious.

5. Collaborative positioning methods

Collaborative positioning methods are a relatively new research area, and, according to Pascacio et al. (2021), security issues associated with them have not been discussed in the literature. In this section, we discuss some common collaborative positioning algorithms as well as the potential security and privacy issues of these methods. In general, the aforementioned classification of non-collaborative indoor positioning methods can be extended to collaborative methods, especially for geometric and proximity-based methods, but extension of the fingerprint method requires more studies. In the following discussion, we refer to collaborative proximity-based methods as mobile proximity-based methods because IPS network participants are assumed to be in motion, and the same applies to collaborative geometric methods. We approach collaborative IPS networks as a hybrid of mobile ad hoc networks (MANETs) and WSNs because nodes in these networks are mobile, just like in MANETs, but unlike in MANETs, data routing in collaborative IPSs is not a major issue, although it may also be considered in the future. In general, for positioning purposes, we assume that every node simply broadcasts its data to its neighbours. Every node is equipped with both a transmitter and a receiver and is powerful enough to localise itself (in a decentralised architecture). Fig. 11 illustrates an example of collaborative positioning.

Fig. 11. Collaborative positioning example. The network consists of m anchor nodes and n agent nodes.

5.1. Mobile proximity-based methods

5.1.1. Overview

We define mobile proximity-based positioning methods as those where localisation of IPS participants relies on proximity detection without relying on ranging. In this category, we focus on contact tracing as an example of mobile proximity-based positioning. Even though it relies on proximity detection, its aim does not lie in obtaining the exact position of a target with the help of its neighbours. Positioning of each node can be done using GPS, if available, but contact tracing aims to capture snapshots of nodes a target has been close to. In other words, contact tracing is focused on the neighbourhoods of nodes rather than on their exact positions, but this is still considered a special instance of indoor positioning.

Contact tracing has risen in popularity in recent years due to the COVID-19 pandemic. It refers to the process of tracking the spread of a disease by detecting whether healthy individuals have been in contact with infected people long enough to catch the disease (Braithwaite et al., 2020). A general overview of contact tracing is given in Fig. 13. Contact tracing can be combined with QR code landmarking, which is described in Section 4.1.1, but other
localisation methods, such as GPS-based localisation, can be used as well. User locations are not exchanged between network participants to preserve privacy.

Fig. 12. General workflow of mobile geometric positioning.

Fig. 13. Contact tracing example.

5.1.2. Security and privacy issues

Challenges related to contact tracing are mainly related to minimising the number of false positives while preserving the privacy of users’ locations and infection status. These issues will be discussed in this section so that parallels can be drawn to mobile proximity-based positioning in general.

• Location Privacy. The first major concern in contact tracing is to ensure that users’ locations are protected from third parties, which include a healthcare authority’s server (in case contact tracing is centralised) and other users. Not all protocols consider sharing data with central authorities a violation of privacy, however (Bock et al., 2021). This means that contact tracing protocols must preclude third parties from being able to track people’s location history, which implies hiding the identity of people in proximity.
• Infection Status Privacy. To avoid stigma associated with contagiousness (Williams et al., 2021), the identity of infected individuals should also be protected from regular users. Of course, infected individuals must report their status to the contact tracing system, but infected people should have control over who their status is shared with. For example, some protocols automate the exposure notification process by not revealing the records of infected people to health authorities, but this comes at the cost of more false positives (White and van Basshuysen, 2021).
• Compromised Proximity Detection. RSSI is a measure of signal strength and has been widely used for proximity detection in COVID-19 contact tracing (Manohar et al., 2020). However, Bahle et al. (2021) report that RSSI is not always an accurate indicator of proximity because it can penetrate through physical barriers and generate false positives in exposure notifications, is affected by ferromagnetic interference in metal enclosures and varies significantly, e.g., RSSI values are different when a person’s phone is in his/her front or back pocket because the human body can absorb radiofrequency signals. False positives can also be generated through relay attacks, whereby the adversary relays signals between remote users to make them believe they are close to each other, so relay attack considerations are also applicable to contact tracing.

5.1.3. Contact tracing protocols

With the aim of addressing the aforementioned security and privacy issues, this section discusses major contact tracing protocols currently used in practice. Localisation security in contact tracing depends on the system architecture, i.e., whether positioning takes place on the client-side or the server-side. Contact tracing protocols can be broadly classified into two categories: centralised and decentralised. In decentralised systems, localisation is performed locally, i.e., by the target device, minimising the risk of leakage. In centralised systems, a central authority is responsible for detecting possible instances of contagion and notifying the people affected. The choice between the two depends on the cultural norms of the country a protocol is adopted in. For example, Singapore, China and South Korea adopted centralised contact tracing, which ensures privacy only with respect to other parties but allows health authorities to have access to users’ data because they are assumed to be honest and trustworthy. Another approach, used by European countries, focuses on the development of contact tracing apps with full privacy (i.e., no exposure to any party except the user him/herself) (Bock et al., 2021). The advantage of the former approach is that it allows the central authority to supply potentially infected people with more detailed information, e.g., the exact time of exposure, but this comes at the cost of less privacy.

This paper does not seek to validate either form of contact tracing but will instead give a brief overview of popular contact tracing protocols found in the literature for both variations, with more emphasis on decentralised protocols. Even though, similar to contact tracing protocols, collaborative systems can also be centralised and decentralised (Pascacio et al., 2021), analogous to LBS servers, IPS servers are assumed to be “honest but curious”, meaning that they should not have direct access to user data. We suggest that future collaborative positioning systems take these protocol designs into account to integrate similar (or better) security and privacy considerations in them.

Centralised protocols. One prominent example of centralised contact tracing protocols is TraceTogether, which was adopted in

is re-generated $n = (24 \times 60)/l$ times a day based on a secret key $SK_t$, where $t$ denotes a day and $l$ is the epoch length, as follows: $EphemeralID_1 \,\|\, EphemeralID_2 \,\|\, \dots \,\|\, EphemeralID_n = PRG(PRF(SK_t, \text{broadcast key}))$, where $PRG$ is a stream cipher, suggested to be AES-CTR, and $PRF$ is a pseudo-random function, suggested to be HMAC-SHA256 (Vaudenay, 2020a). Each device broadcasts its ephemeral ID to other users in proximity for $l$ min. The IDs of users in proximity are recorded locally on users’ phones for 14 days. If a user tests positive for COVID-19, he/she obtains approval from the health authority and anonymously uploads his/her secret key $SK_t$ to the backend server, which, in turn, broadcasts the secret key to all users so that their smartphones can calculate the ephemeral IDs of the infected individual based on $SK_t$ and determine the risk of infection. The secret key is updated daily as $SK_t = H(SK_{t-1})$, where $H$ is a hash function.

In another variation of DP-3T (unlinkable variation), extra privacy is ensured at the cost of more storage space required on the client side. For each epoch $i$, each smartphone generates an
Singapore and involves two entities: the users and the Ministry of ephemeral ID by drawing a random 32-byte seed seedi , feeds
Health (MoH) (Tang, 2020). When a user A registers in the system it to a hash function H and truncates the output to 128 bits
for the first time, he/she sends his/her phone number NUMi and so that the ID fits in the BLE data packet, i.e., E phemeralIDi =
a pseudonym IDi to the MoH, which stores the tuple (NUMi , IDi ) T RUNCAT E128 (H (seedi )). Seeds for all epochs as well as the IDs of
in its database and generates an encryption key K for the user. users in proximity, stored as hashes H (E phemeralIDi ||i ), are pre-
MoH then determines time intervals [t0 , t1 , ., tn ], and at the begin- served locally for 14 days, similar to the lightweight variation of
ning of each such interval tx , MoH sends T IDi,x = Enc (IDi , tx ; K ) to DP-3T. If a person receives a positive COVID-19 result, he/she can
A, where Enc is an encryption function. In the sensing stage, each choose which records to upload to the backend server and loads
user will broadcast his/her T IDi,x to everyone in his/her range for (i, seedi ) pairs corresponding to the time of contagion. The server
the time interval [tx , tx+1 ) and record incoming T ID j,x from other then populates a Cuckoo filter F with H (T RUNCAT E128 (H (seedi ))||i )
people, along with the signal strength. If a user k gets infected, for each record of the infected person and sends this filter to all
he/she must report it to MoH and share all (T IDk,x , T ID j,x ) pairs users so that they can determine if they have records of the in-
with the authority for all relevant j and x, so that MoH can decrypt fected person in their local storage.
each T ID j , extract the phone numbers of potentially infected peo- Vaudenay (2020a) conducted a privacy analysis of DP-3T and
ple (NUM j ) and contact them. Tang (2020) argue that TraceTogether established that it creates more privacy threats than it solves.
requires Singapore citizens to place extra trust into the authorities There are three communication channels in DP-3T: app-to-app
as they will have more information on users’ mobility; however, channel, server-to-app channel and app-to-authority channel. The
only infected people have to share their details. If the infection rate last two can be secured using standard public-key cryptography.
is low, this may not be much of an issue, but, as the authors sug- However, the app-to-app channel, i.e., the BLE communication
gest, eventually the number of infections will rise, and the author- channel, is difficult to secure, is vulnerable to false alert injec-
ities will have access to much more data. Bell et al. (2020) pro- tion attacks and can allow the adversary to track people through
posed an improvement to TraceTogether by using message-based deanonymisation. False alert injection attacks that cannot be ad-
protocols and additively homomorphic encryption to protect user dressed with cryptographic solutions are listed as replay of re-
privacy from the government. leased cases, replay and relay attacks. In the replay attack, the
A similar centralised protocol called ROBERT (Castelluccia et al., adversary collects a pool of the ephemeral IDs of infected peo-
2020) was proposed by Inria and Fraunhofer AISEC for the Pan Eu- ple and broadcasts some IDs from the pool to victims, notifying
ropean Privacy-Preserving Proximity Tracing (PEPP-PT) scheme in them that they were in close contact with people who had tested
Europe, where, instead of a phone number, the central author- positive for COVID-19. To mitigate this attack, it is suggested to
ity is allowed to map long-term pseudonyms pseudoU to users’ incorporate device authentication into the protocol by generating
ephemeral IDs ei , which allows the authority to reveal the iden- MAC tags for ephemeral IDs based on timestamps and a challenge
tities of infected people based on their ephemeral IDs through a for verification. However, this would be inconvenient as devices
trapdoor τ . This means that if someone gains access to a trapdoor would have to communicate with each other instead of just broad-
τ , he/she can trace back multiple ephemeral IDs to the original casting their IDs. In a relay attack, the adversary is positioned be-
people they belong to (Vaudenay, 2020b). There are a number of tween the victim and an infected individual and relays messages
other centralised contact tracing protocols suggested in the litera- between the two, resulting in the victim receiving a notification
ture. Further details can be found in Vaudenay (2020b)’s work. that he or she is a close contact of a person infected with COVID-
Decentralised protocols. DP-3T, which was developed by 19. To address this problem, a distance bounding protocol could
Wang et al. (2019a), is considered a state-of-the-art privacy- be used but it is difficult to implement in a mobile ad hoc en-
preserving COVID-19 contact tracing protocol that was adopted vironment. Distance bounding is discussed in Section 4.2.2. Based
in the European Union. It is based on a decentralised architec- on Vaudenay (2020a)’s report, privacy-preserving contact tracing is
ture with three parties: the users carrying devices that support still an open research area, with the most significant vulnerabil-
BLE communication, a health authority that collects positive ity lying in insecure communication channels of localisation tech-
COVID-19 test reports voluntarily submitted by users and in- nologies, such as WiFi and BLE. Incorporating privacy preservation
forms users about close contacts, and a backend server, whose into contact tracing protocols would require making sacrifices that
sole responsibility is communication, meaning it does not do make the contact tracing experience inconvenient for users.
any processing on user data. DP-3T is based on BLE signal Another privacy-preserving contact tracing system called
exchanges between user devices, which are anonymous. Each Google and Apple Exposure Notification (GAEN) framework was
device is identified by an ephemeral pseudo-random ID that developed as a result of a joint effort by Google and Apple

22
Y. Sartayeva and H.C. B. Chan Computers & Security 131 (2023) 103293

(Google, 2020). It provides an API that Android and iOS developers can use to implement their own contact tracing applications. It also utilises BLE for proximity detection and randomly generates device IDs (called Rolling Proximity Identifiers (RPI)) using Temporary Exposure Keys (TEK) every 10–20 min to prevent tracking. User devices silently exchange their IDs, which are encrypted using AES-128, via BLE and record them in local storage. The system periodically cross-checks local records against the list of IDs of COVID-positive people. In case of close contact with an infected individual, the system generates an exposure notification on the affected person’s phone, where exposure detection runs in the background, meaning it does not have to be open. The TEKs of infected people are uploaded to a diagnosis server along with their corresponding Exposure Notification Interval Numbers (ENIN). An ENIN is the number of the time interval when a TEK started to be valid.

According to Raskar et al. (2020), the GAEN protocol has been widely adopted around the world because it circumvents issues associated with Bluetooth running in the background. However, it does not disclose the location and exact time of exposure. The authors proposed a privacy-preserving method to augment GAEN with global context, i.e., allowing developers to implement apps that also record the GPS locations of users and store them locally so that they can later be disclosed to people who received exposure notifications without revealing the identity of the infected person. They also derived a time estimate of exposure based on ENIN. This reduces the number of false positives since users can assess the likelihood of infection given location and time information.

5.2. Mobile geometric methods

5.2.1. Overview

There is a wide variety of mobile geometric methods, but overall, their common goal is to optimise an objective function such that the locations of all unlocalised nodes are as close to the ground truth as possible, and their distinguishing feature from proximity-based methods is that they are range-based (Ridolfi et al., 2021). The cooperative nature of these methods lies in the exchange of inter-node distance estimates and locations between neighbouring nodes, meaning that eventually distances and locations are propagated throughout the network, assisting the localisation of nodes that do not have a sufficient number of localised nodes around them. Unlocalised nodes are referred to as “agent nodes”, and localised nodes are called “anchor nodes”. Please refer to Fig. 11 for an illustration of collaborative positioning based on geometric methods and please refer to Fig. 12 for its general workflow.

Li et al. (2018) gave a comprehensive overview of collaborative indoor positioning algorithms and classified them into four broad categories: MLE, convex relaxation, message passing and other methods. An overview of these algorithms will be given in this section. As these algorithms operate under some common principles, security threats in cooperative positioning will be discussed in a broad context, meaning they will not be broken down by algorithm type. In fact, mobile geometric methods and their security/privacy issues are still in their early stages of development. More work is required in this area (see the future work section). Note that although there is relatively little related work on the security/privacy issues inherent in mobile geometric methods, collaborative IPSs based on geometric methods are similar to mobile ad hoc networks (MANET) and WSNs. Hence security and privacy concerns discussed in this section are also drawn from the literature on MANET and WSN security and privacy.

Maximum likelihood estimation. According to Vaghefi and Buehrer (2015), MLE is a method for finding the parameters of a probability distribution and is used in a wide variety of applications, i.e., not just in collaborative positioning. Based on inter-node distances and the coordinates of anchor nodes, MLE seeks to estimate the coordinates of agent nodes by minimising the difference between actual vs. estimated inter-node distance measurements, taking noise into account as distance measurements have a certain margin of error, which is assumed to follow a known distribution, such as a Gaussian distribution. The associated optimisation problem is solved by iterative methods such as gradient descent. One of the challenges of MLE is that its search space is non-convex and non-linear due to the complex nature of indoor signal propagation patterns, so convergence to global optima is difficult to achieve. The performance of MLE depends on the initial estimates, so one solution is to run multiple MLE instances with different initialisation settings, meaning this method can be implemented in a distributed manner. It can also be coupled with simulated annealing to escape local optima, but proper initialisation remains an issue. To simplify the search space, researchers have proposed using convex relaxation techniques, which relax the MLE problem statement at the cost of potentially higher error.

Convex relaxation. Vaghefi and Buehrer (2015) distinguish two convex relaxation techniques: semi-definite programming (SDP) and second-order cone programming (SOCP) and their combination. They reformulate the MLE problem statement such that the search space becomes convex, which increases positioning error but also significantly increases the likelihood of converging to a solution that is reasonably close to being optimal (Buehrer et al., 2018). SOCP tends to be less accurate than SDP but is less computationally expensive.

Message passing. According to Buehrer et al. (2018), in message-passing-based algorithms, each unlocalised node is treated as a random variable with a known prior distribution, whose posterior distribution is predicted based on inter-node message passing about their relative positions. This way, an agent node does not have to have at least three anchor nodes in its range to localise itself because it can simply wait for its neighbours to be localised, which is not the case with non-collaborative geometric methods, such as trilateration. Assuming that the positions of agent nodes a priori are independent of each other and that inter-node measurements are conditionally independent, then the joint posterior probability distribution of agent nodes’ locations can be calculated using Bayes’ theorem. Agent node locations are then inferred based on minimum mean squared error (MMSE) (Kudoh et al., 2017) or maximum a posteriori (MAP) probability (Sun et al., 2017). Ihler et al. (2005)’s study showed that the minimum number of anchor nodes required for belief-propagation-based collaborative positioning is three in order to achieve a unique solution.

Other methods. The list of collaborative indoor positioning methods is not limited to the three described before, and this section briefly discusses some of them.

• Multidimensional scaling (MDS). MDS is used to represent samples in a d-dimensional space based on a dissimilarity matrix between these samples (Di Franco et al., 2018). In collaborative positioning, entries in the dissimilarity matrix denote pairwise distances between all nodes in the network, i.e., both agent and anchor nodes, which are assumed to be the ground truth, and MDS finds node locations that fit the dissimilarity matrix without taking anchor nodes’ locations into account. Other optimisation methods can be used to adjust MDS outputs to fit anchor nodes’ locations. MDS is usually implemented to be centralised (Saeed et al., 2019) but can be designed to run in a parallel or distributed manner.
• Outer-approximation. Mendrzik and Bauch (2019) define outer-approximation as a type of range-free collaborative positioning whereby all nodes broadcast their data, e.g., ID, location, transmission power, etc., to their neighbours, i.e., nodes their signal
can reach. Each node then estimates its location by finding the intersection of the ranges of its neighbours, which could be of different “shapes”, e.g., circles (CAB), triangles (APIT), etc. For example, in the Concentric Anchor Beacon (CAB) method, each node transmits a signal that contains its ID, location, transmission power and the maximum distance the signal can travel at different transmission power levels, creating concentric circles, and then each node averages the locations of the intersection points of the three farthest nodes in its range and thus estimates its own location (Singh and Khilar, 2017). The Approximate Point in Triangle (APIT) method is similar to CAB in that it is also based on reducing the possible area where the target could be, but this is done by finding all possible triangles formed by network nodes and filtering out those that do not contain the target (Jain et al., 2017). Then the centroid of the overlap of these triangles is taken as the location estimate. These methods are not very popular because they come with a number of limitations such as requiring either a dense network of nodes or nodes with high communication ranges so that they can reach neighbouring nodes.
• DV-Hop. This method is based on calculating the minimum numbers of hops to reach an unlocalised node from a localised node. Each node stores a table of minimum number of hops to its neighbours, and an average distance between two adjacent nodes is calculated (hop size). This distance is then multiplied by the number of hops to estimate the distance between two remote nodes (Cui et al., 2018).

5.2.2. Security and privacy issues

Pascacio et al. (2021) reviewed works on collaborative indoor positioning published between 2006 and 2020 and found that security and privacy issues in these works were not discussed, despite the fact that collaborative systems are especially vulnerable. To the best of the authors’ knowledge, security and privacy issues of collaborative systems have not been covered in the academic literature, and we seek to address this gap. Collaborative positioning networks are similar to MANETs in their communication nature because MANET nodes do not require a central base station and can operate independently because they are equipped with both a transmitter and a receiver (Abdel-Fattah et al., 2019). Even if two nodes are not in each other’s communication range, they can still communicate via other nodes. Similar to the previous sections, we will go through the general workflow of range-based collaborative positioning, which is presented in Fig. 12, and discuss potential security and privacy issues. Other than the attacks listed below, data tampering (Section 4.2.2), jamming (Section 4.2.2), relay (Section 4.1.2) and replay (Section 4.1.2) attacks are applicable to collaborative positioning. We will also give suggestions for possible solutions, but more rigorous research is needed to address these issues and provide a comprehensive picture of other potential problems.

Distance matrix construction attacks. Most collaborative IPSs are range-based (Ridolfi et al., 2021), meaning that they rely on inter-node distance estimation, similar to other range-based methods like trilateration and TDoA. However, dependence on inter-node distance measurements in collaborative indoor positioning is higher because agent nodes are dependent on each other, meaning that the accuracy of one cluster of nodes influences the accuracy of other clusters. Thus, physical signal interference (Section 4.1.2) as well as inter-node distance estimation (Section 4.2.2) attacks are applicable to collaborative positioning. Other than distance bounding, which is difficult to implement, a potential solution here would be to design an algorithm that detects inconsistent distance measurements and adjusts them such that they align with the rest of the nodes, e.g., with multidimensional scaling. In other words, the objective function of collaborative positioning could be adjusted such that another objective is to maximise the number of distance constraints that are satisfied. However, maximising constraint satisfaction may not guarantee correct results if the adversary takes over the majority of the network and adjusts distance measurements to fit his/her desired positioning configuration.

Malicious node attacks. One major problem with inter-node communication is verifying the identity of neighbouring nodes to identify malicious nodes, which was discussed in Section 4.2.2. However, in collaborative positioning, this problem is more nuanced as neighbouring nodes do not have to be anchors, i.e., they are not registered in a database of legitimate nodes. Malicious parties can easily become part of the network and broadcast incorrect data to neighbours, compromising the positioning accuracy of the entire network. That said, all malicious node attacks defined in Section 4.2.2 are applicable to collaborative positioning networks because they are also based on inter-node communication, namely, Sybil, newcomer, node capturing, replication, wormhole, on-off, conflicting behaviour and spoofing attacks, it is just that these nodes are not static, and any node can be an anchor node. In this case, however, more emphasis should be put on minimising the number of false positives in order to not frustrate legitimate users.

A potential solution in this case would be to implement an anomaly detection strategy in the collaborative positioning method itself to identify inconsistencies and blacklist users that send wrong data, e.g., checking if measurements have a reasonable amount of noise based on the assumed noise distribution. For example, Thanigaivelan et al. (2016) proposed an internal anomaly detection system where each node monitors data coming from its neighbours and learns normal behaviour from the derived information. This can be coupled with a supervised machine learning approach, whereby the identities of malicious nodes are known and legitimate nodes learn to detect abnormal inputs in an offline phase, similar to fingerprinting. However, the adversary could target nodes strategically to compromise those that determine the locations of the rest of the nodes such that the network cannot recover, even after anomaly detection. One solution here would be to prepare backup nodes in advance, run a malicious node detection algorithm for mobile ad hoc networks, such as those proposed by Gao et al. (2018), Gomathy et al. (2020), Kukreja et al. (2018), and activate the backup nodes temporarily, until compromised nodes recover from adversarial attacks. Of course, backup nodes would incur additional costs, but it is better than having the entire network disabled. Similarly, Liu et al. (2019a) suggested the use of confidence intervals to isolate compromised nodes and then only rely on anchor nodes, and Nguyen et al. (2021) proposed a similar secure localisation method, whereby particle swarm optimisation was used to obtain a confidence interval of where unlocalised nodes could be based on the RSSI noise distribution and then utilise a trilateral detection method to detect compromised nodes that exceeded a certain consistency threshold. Pinto et al. (2018) designed a method based on k-NN and k-means clustering of RSSI measurements to detect imposter nodes during spoofing attacks, even if the imposter node and the legitimate node are positioned close to one another. The premise of their approach is that shadowing will cause different changes in RSSI measurements of the legitimate and malicious nodes, even if they are in proximity.

Relying on node authentication to identify malicious nodes would be infeasible because distributed collaborative positioning does not presuppose there is a database of trusted nodes, meaning that communication links cannot be assumed to be safe before communication starts. Even though node authentication schemes for mobile nodes exist (e.g., Kim and Song, 2017), new nodes could enter the network and request to be localised any time. That said, secure device-to-device communication should still be explored.
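
One way to implement the consistency check suggested above for distance matrix construction and malicious node attacks, shown as an added example rather than a method from the surveyed papers: an agent node fits its position to its neighbours' range reports and drops any report whose residual exceeds k·σ under the assumed Gaussian ranging noise. The function names, the 3σ threshold, the minimum of four reports and the constructed reports are assumptions.

```python
import math


def residual(report, x, y):
    """Reported range minus the range implied by candidate position (x, y)."""
    _, (px, py), dist = report
    return dist - math.hypot(x - px, y - py)


def solve_position(reports, iterations=50):
    """Gauss-Newton least-squares fit of (x, y) to (name, (px, py), range) reports."""
    x = sum(r[1][0] for r in reports) / len(reports)   # start at the centroid
    y = sum(r[1][1] for r in reports) / len(reports)
    for _ in range(iterations):
        a11 = a12 = a22 = b1 = b2 = 0.0
        for report in reports:
            px, py = report[1]
            rng = math.hypot(x - px, y - py) or 1e-9
            ux, uy = (x - px) / rng, (y - py) / rng    # gradient of the range
            res = residual(report, x, y)
            a11 += ux * ux
            a12 += ux * uy
            a22 += uy * uy
            b1 += ux * res
            b2 += uy * res
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:          # degenerate geometry, e.g. collinear neighbours
            break
        dx = (a22 * b1 - a12 * b2) / det
        dy = (a11 * b2 - a12 * b1) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-9:
            break
    return x, y


def screen_reports(reports, sigma, k=3.0, min_reports=4):
    """Iteratively drop the least consistent report until all fit within k*sigma.

    Returns (position, kept_names, rejected_names, consistent). `consistent` is
    False when the redundancy ran out before the remaining reports agreed, in
    which case the position should not be trusted.
    """
    kept, rejected = list(reports), []
    while True:
        x, y = solve_position(kept)
        worst = max(kept, key=lambda r: abs(residual(r, x, y)))
        within = abs(residual(worst, x, y)) <= k * sigma
        if within or len(kept) <= min_reports:
            return (x, y), [r[0] for r in kept], rejected, within
        kept.remove(worst)
        rejected.append(worst[0])


# Constructed reports for an agent truly at (4.0, 3.0); ranges carry about 0.1 m noise.
HONEST = [
    ("n1", (0.0, 0.0), 5.05), ("n2", (10.0, 0.0), 6.63), ("n3", (10.0, 8.0), 7.84),
    ("n4", (0.0, 8.0), 6.34), ("n5", (5.0, 10.0), 7.17), ("n6", (8.0, 4.0), 4.08),
]
# n7 reports 8.00 m although its true range to the agent is about 3.61 m.
TAMPERED = HONEST + [("n7", (2.0, 6.0), 8.00)]

if __name__ == "__main__":
    position, kept, rejected, consistent = screen_reports(TAMPERED, sigma=0.2)
    print("estimate:", position, "rejected:", rejected, "consistent:", consistent)
```

The screen depends on honest reports outnumbering tampered ones, which is the limit the text notes for constraint-satisfaction approaches when the adversary controls the majority of the network.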

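
Returning to the low-cost DP-3T design described under "Decentralised protocols" in Section 5.1.2, the following added example (not code from the paper or from the DP-3T project) derives a day's ephemeral IDs, rotates the daily key and runs the receiver-side check against a published key. Assumptions: SHA-256 for H, 16-byte IDs, a Python dict as the local contact log, and SHAKE-256 standing in for the AES-CTR PRG so that the block needs only the standard library; all seeds and log entries are constructed.

```python
import hashlib
import hmac

EPHID_LEN = 16                     # assumption: 128-bit identifiers
BROADCAST_KEY = b"broadcast key"   # fixed PRF input named in the text


def next_day_key(sk):
    """Daily rotation SK_t = H(SK_{t-1}); H is taken to be SHA-256 (assumption)."""
    return hashlib.sha256(sk).digest()


def ephemeral_ids(sk_t, epoch_minutes):
    """Return the day's n = (24 * 60) / l identifiers derived from SK_t."""
    n = (24 * 60) // epoch_minutes
    prf_out = hmac.new(sk_t, BROADCAST_KEY, hashlib.sha256).digest()
    # Stand-in PRG: SHAKE-256 expands the PRF output; the text suggests AES-CTR.
    stream = hashlib.shake_256(prf_out).digest(n * EPHID_LEN)
    return [stream[i * EPHID_LEN:(i + 1) * EPHID_LEN] for i in range(n)]


def exposure_matches(observed, published_sk, first_day, last_day, epoch_minutes):
    """Recompute a diagnosed user's IDs from the published key and compare locally.

    observed: {day: set of IDs heard over BLE that day}, the phone's local log.
    published_sk: the diagnosed user's key for `first_day`, as sent by the server.
    Returns the (day, epoch_index) pairs at which that user was heard.
    """
    matches = []
    sk = published_sk
    for day in range(first_day, last_day + 1):
        heard = observed.get(day, set())
        for index, eph_id in enumerate(ephemeral_ids(sk, epoch_minutes)):
            if eph_id in heard:
                matches.append((day, index))
        sk = next_day_key(sk)      # later days follow from the published key
    return matches


def demo(epoch_minutes=15):
    """Constructed scenario: Bob heard Alice on days 0 and 2 and Carol on day 1."""
    alice = {0: hashlib.sha256(b"constructed seed: alice").digest()}
    for day in range(1, 4):
        alice[day] = next_day_key(alice[day - 1])
    carol_day1 = next_day_key(hashlib.sha256(b"constructed seed: carol").digest())
    bob_log = {
        0: {ephemeral_ids(alice[0], epoch_minutes)[5]},
        1: {ephemeral_ids(carol_day1, epoch_minutes)[0]},
        2: {ephemeral_ids(alice[2], epoch_minutes)[10]},
    }
    return {
        # Alice releases SK_1: day 0 cannot be recomputed because H is one-way.
        "released_from_day_1": exposure_matches(bob_log, alice[1], 1, 3, epoch_minutes),
        # Releasing SK_0 instead exposes the day-0 contact as well.
        "released_from_day_0": exposure_matches(bob_log, alice[0], 0, 3, epoch_minutes),
    }


if __name__ == "__main__":
    print(demo())
```

Because the key chain only runs forward, the day from which a diagnosed user releases the key bounds which of their past broadcasts other phones can link.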

For example, Zhang et al. (2018a) proposed an SVM-based device authentication method based on RF fingerprinting. Another option is to have a database of nodes with their reputation scores and let unlocalised nodes only rely on nodes with minimal history of malicious behaviour. This can be accomplished using blockchains, e.g., She et al. (2019) designed a blockchain trust model for identifying malicious nodes in WSNs based on a smart contract that evaluates the credit score of each node based on the processing delay, forwarding rate and its state, but since there is no routing in collaborative positioning networks, the forwarding rate would have a different meaning, i.e., it would just consider the ratio of the amount of sent data to the amount of received data. In their solution, a WSN was divided into clusters, and a sink node (sn) was allocated to each cluster to serve as its head to collect data from sensors in the cluster and send it to the base station, which was responsible for publishing the smart contract. Each sn acted as a certificate authority and a verification node and participated in consensus voting on which nodes should be identified as malicious. In this architecture, nodes are assumed to be static, which is not the case with collaborative positioning nodes, so a hybrid blockchain-based trust management protocol needs to be designed, i.e., it should be adapted to mobile nodes but should not require routing. For example, this protocol could be combined with one proposed by Lwin et al. (2020) for MANETs, which is based on a lightweight Delegated-Proof-of-Trust (DPoT) consensus algorithm, but it requires routing between nodes for them to achieve consensus.

Wireless eavesdropping attack. Eavesdropping on the packets broadcast by collaborative positioning network nodes is a problem because each node broadcasts its own location. Neighbouring nodes do not have to know the ID of the node from which the location packets come from, e.g., if they use multilateration. However, knowing the ID of a node would be needed for authentication, meaning nodes cannot be trusted blindly since they could send wrong location data. This issue can be resolved with encryption, e.g., WPA3 in WiFi (Kohlios and Hayajneh, 2018), ECDH-based (Elliptic Curve Diffie-Hellman) Bluetooth v5.2+LE Secure Connections (Lounis and Zulkernine, 2020), etc., depending on the communication technology. Destiarti et al. (2017) designed a secure communication scheme specifically for mobile indoor collaborative localisation systems, where messages were encrypted using AES-128, message authentication was ensured using MD5-based HMAC and the AES key was encrypted with RSA-2048. A major vulnerability of this scheme is the exchange of the RSA key pair, which can be intercepted (Marqués et al., 2021). Another important consideration in message transmission is the nature of the data to be transmitted, meaning that none of the nodes should reveal their raw locations to one another since any node could be malicious. In other words, location privacy should also be catered for, which is discussed later in this section.

Traffic analysis attack. In collaborative positioning networks, the adversary can collect packets and analyse them to construct the trajectories of nodes and derive their IDs (Jiang et al., 2019). To address this problem, Ward and Younis (2019) proposed the use of distributed beamforming to achieve base station anonymity in WSNs. A similar technique can be applied in collaborative positioning, whereby the adversary is misguided by fake packets transmitted by nodes in its proximity so that it loses track of the node of interest. More elaborate designs are needed to combat the issue.

Collusion attack. In a collusion attack, multiple nodes conspire to advertise false positioning data while validating each other as legitimate nodes, so that unlocalised nodes obtain wrong location estimates (Nguyen et al., 2021). One solution here would be to let each node maintain a dynamic table of packets and their senders and implement continuous location verification to detect tampering, whereby each localised node periodically checks how much its location has changed over small periods of time and advertises itself as a faulty node if the change in its coordinates exceeds a certain threshold. It should then find the last few packets in its dynamic table, decrease the trust scores of the senders of these packets in its table and advertise them to its neighbours so that they can rely on more trustworthy localised nodes. If the interval between location verification checks is sufficiently small, each node should not be able to move from its previous location further than a certain distance. However, the adversary could hijack nodes and disable location verification. Yaseen et al. (2018) discuss how IoT network participants are mobile, and their numbers are growing, so, unlike WSNs, it is impractical to let base stations be responsible for malicious node detection. They suggested the deployment of fog nodes, which are solely responsible for keeping track of nodes’ trustworthiness.

User location privacy. In centralised collaborative positioning, the user location privacy problem is similar to that in server-based non-collaborative positioning, since localisation is performed on “an honest but curious” IPS server. In the context of distributed collaborative positioning systems, however, the user location privacy problem is more dire because unlocalised nodes rely on the locations of their neighbours, which could be malicious, so no node in the collaborative positioning network can have access to any other node’s raw location. This problem is similar to user location privacy issues both during and after localisation. In order to protect their identity, nodes can use pseudorandom IDs that are regularly updated, similar to contact tracing protocols. However, Kalantar et al. (2018) tested MAC randomisation that is inbuilt in smartphones to protect user privacy and found that the MAC update frequency was low enough to allow for device tracking, violating location privacy. Kang et al. (2018) made use of Ephemeral IDs in Eddystone BLE beacons to prevent spoofing and tracking.

To protect the privacy of each node’s location, obfuscation-based privacy preservation mechanisms can be utilised. In collaborative positioning, obfuscation-based privacy preservation applies randomised transformations on sensitive data before it is sent to a central authority so that it can solve an optimisation problem based on the obfuscated inputs. Obfuscation is then inverted on the output to retrieve the optimal solution, but a downside of this method is that it can only be used in centralised networks, i.e., a single central node should be responsible for optimisation (Shoukry et al., 2016). Han et al. (2017) proposed a general solution to privacy-preserving distributed constrained optimisation based on gradient descent, whereby the privacy of all participating nodes is preserved without the need for a centralised entity using differential privacy. The authors explain that the problem with aggregate-node-based optimisation is that the adversary could intercept data as it travels towards the aggregator, which is sensitive and should be protected from malicious parties. Their method is based on injecting noise into the public signals where the noise magnitude is a function of how sensitive the projection operation is on the optimisation constraints. The downside of this method is that the objective function must be Lipschitz continuously differentiable and convex, which is not the case in collaborative positioning (Buehrer et al., 2018). Moreover, differential-privacy-based privacy preservation comes at the cost of lower positioning accuracy because the positioning algorithm must run on perturbed data (Shoukry et al., 2016).

Another cluster of solutions is based on homomorphic cryptosystems, which can operate on encrypted data without the ability to decrypt it (Armknecht et al., 2015). Fully Homomorphic Encryption (FHE) is too computationally expensive to be practical (Armknecht et al., 2015), so Partially Homomorphic Encryption (PHE) has been adopted instead, but it is limited in the range
of mathematical operations it can perform over encrypted data. 6. Directions for future research
Shoukry et al. (2016) state that PHE provides strong privacy guar-
antees without sacrificing the quality of the output of the op- From the above study, it can be seen that most current work is
timisation algorithm, which is joint mobile node localisation in related to non-collaborative positioning, focusing on the conven-
the case of collaborative indoor positioning. They designed a PHE- tional approaches. In fact, studies on fingerprinting security and
based privacy-preserving protocol for quadratic programming that privacy are the major focus. While there are other methods, more
involves multiple parties with sensitive data, where privacy from research work needs to be conducted in general. There are also
colluding agents is guaranteed with zero-knowledge proofs. Their other emerging technologies or areas, and this section discusses
protocol also aims to protect the data from the untrusted cloud high priority and emerging areas for research in indoor position-
server, meaning that it can only be used in centralised collabora- ing security and privacy. The suggested directions have been de-
tive systems. Additionally, localised nodes can be treated as tem- rived based on the analysis of issues identified during literature
porary anchor nodes, and their privacy protection was discussed in review, which are presented in Tables 3 and 4. In summary, confi-
Section 4.2.2. Marqués et al. (2021) proposed a privacy-preserving dentiality issues are related to the privacy of different entities par-
location sharing scheme for BLE advertising that makes use of ticipating in localisation, and current privacy preservation mecha-
anonymous attribute-based credentials based on zero-knowledge nisms in IPSs are either too computationally expensive or are not
proofs as well. This is the first study that presented a fully decen- strong enough. Integrity issues are related to the safety of position-
tralised privacy-preserving collaborative positioning system with ing data and are underexplored. Authenticity issues, on the other
BLE. hand, have started receiving increasing attention from researchers
with novel solutions such as those based on blockchains. For fu-
5.3. Others ture work, in general, we suggest the following research directions
in the order of priority: (1) conducting more study on collaborat-
Collaborative indoor positioning methods are also not restricted ing positioning, including security/privacy issues; (2) studying the
to mobile proximity-based and mobile geometric positioning use of AI and machine learning to enhance security/privacy of the
methods. They also include mobile fingerprinting-based posi- existing methods; (3) exploring multimodal/hybrid methods, in-
tioning, mobile multimodal/hybrid positioning and more. We cluding the related security/privacy issues (4) enhancing the secu-
categorise these methods as “others” in Fig. 1 since there are rity/privacy of existing methods (e.g., overcoming their limitations).
limited works on their security and privacy. Some examples found Note that some of these directions are inter-related as well. The
in the literature are summarised in this section. following presents further discussion on the suggested research di-
An example of multimodal mobile proximity-based positioning rections.
is the work of Bahle et al. (2021), who fused BLE RSSI with sound
for more accurate proximity detection. To preserve user privacy
6.1. More study on collaborative positioning
and not expose human conversations recorded during sound sam-
pling, the original sound was processed into a 200Hz feature vector
As mentioned above, compared to non-collaborative position-
with no detectable speech and stored locally on the user’s phone.
ing methods, the development of collaborative positioning meth-
Their experimental results demonstrated an 80% improvement in
ods is still in its infancy stage. With the advent and popularity
contact detection because sound is not prone to ferromagnetic in-
of powerful smartphones, study on the security/privacy issues re-
terference and is not negatively affected by people moving around.
lated to collaborative positioning is a big research area. One di-
They were also able to successfully detect physical barriers to re-
rection to explore is the use of blockchains for node trust man-
move false positives.
agement in collaborative localisation to address authenticity issues
A more complex multimodal system was developed by
discussed in the survey. Many indoor positioning methods work
Sadhu et al. (2021), who designed CollabLoc, a collaborative multi-
under a distributed or decentralised environment. That means,
building localisation system based on WiFi, geomagnetic field,
conventional solutions (e.g., centralised solutions) cannot be used.
sound, light and cellular networks that utilised onion routing to
Hence, blockchains provide a possible solution to handle some of
protect intermediate parties from obtaining information about the
the security/privacy problems in collaborative positioning methods,
signal’s route. The authors also made sure that collaboration be-
where anchors can change, and thus, their trust values should be
tween nodes was not based on proximity because this would vi-
updated regularly. For example, to prevent malicious nodes from
olate the neighbours’ privacy. The suggested solution was able to
joining a decentralised network, a blockchain can be used to keep
achieve a positioning error of approximately 1 m.
track of valid nodes. Furthermore, blockchains can be employed to
Another promising solution was designed by Yin et al. (2020),
protect data integrity in a distributed environment effectively such
who developed a federated learning framework for privacy-
as smart homes, IoT healthcare systems, etc. Second, research on
preserving cooperative localisation. In their system, each mobile
mobile fingerprinting for collaborative positioning is limited. This
terminal collects its own fingerprints to create a training dataset
is a challenging research topic due to the dynamic nature of col-
and trains a deep learning model for location inference locally. The
laborative positioning. It may involve new system design with ad-
weights of models trained on individual mobile terminals are then
vanced security techniques.
encrypted and aggregated on a server using homomorphic encryp-
tion to create a global model, which is then shared with all mobile
terminals for client-based localisation. The authors suggest that 6.2. AI and machine learning to enhance security and privacy of
model training is a computationally expensive process, but it only existing methods
happens in the offline phase. They claim that running the model
for location inference is cheap. Another important research direction is to further study the use
As for vision-based positioning, Zhao et al. (2020) devel- of artificial intelligence in general and machine learning in partic-
oped a framework for indoor localisation where the feature ular for enhancing the security and privacy of indoor positioning
map was divided into a grid, and visual cues were processed methods. For example, they can be employed for detecting ma-
locally for positioning. According to the authors, the frame- licious nodes in all methods and outliers in offline fingerprints.
work can be extended to support cooperation between edge They can also be used to detect data tampering (Muhammed and
nodes. Shaikh, 2017) and jamming (Arjoune et al., 2020). Researchers


Table 3
Indoor positioning security and privacy issues and solutions related to confidentiality and integrity found as a result of literature review.

| Category | Issue name | Solutions | Relevant studies |
|---|---|---|---|
| Confidentiality | User location privacy (during localisation) | Node authentication; differential privacy; encrypted fingerprints; privacy-preserving optimisation methods; homomorphic cryptosystems; k-anonymity; secure multi-party computation | Kim et al. (2018); Yoo and Barriga (2017); Zhao et al. (2018b) |
| Confidentiality | Database privacy | Paillier homomorphic encryption; Garbled Circuits; federated learning; secure multi-party computation | Alanwar et al. (2017); Hu et al. (2022); Järvinen et al. (2019); Nieminen and Järvinen (2021); Wu et al. (2020b); Yang and Järvinen (2018b); Zhang et al. (2020a) |
| Confidentiality | Reference node privacy | Adjusting the design of the positioning method, e.g., Alanwar et al. (2017); Shi and Wu (2018) | Alanwar et al. (2017); Shi and Wu (2018) |
| Confidentiality | Wireless eavesdropping | Encryption | Kohlios and Hayajneh (2018); Lounis and Zulkernine (2020) |
| Confidentiality | Traffic analysis attack | Circulating fake packets in the network to confuse the adversary | Ward and Younis (2019) |
| Confidentiality | User location privacy (after localisation) | k-anonymity; differential privacy; homomorphic encryption | Han et al. (2017); Jiang et al. (2021); Shoukry et al. (2016) |
| Integrity | Database corruption | Outlier detection; automated fingerprint collection; regular sanity checks based on checksum verification | Khalajmehrabadi et al. (2017); Li et al. (2020); Yu et al. (2019) |
| Integrity | Distance estimation attacks | Distance bounding; using more reliable distance estimation techniques, e.g., time-based | Abdelaziz et al. (2016); Brands and Chaum (1994); Leu et al. (2020); Liu et al. (2018b) |
| Integrity | QR code replacement | Digitally signed QR codes | Focardi et al. (2019) |
| Integrity | Jamming attack | Channel hopping; spectrum spreading; MIMO-based jamming mitigation; channel coding; MAC layer strategies; jamming detection schemes; learning-based techniques; multi-voting systems | Hymlin Rose and Jayasree (2019); Li et al. (2019a); Pirayesh et al. (2021); Pirayesh and Zeng (2022) |
| Integrity | Replay attack | Timestamp verification; assigning sequence numbers to packets; node authentication schemes | Anandhi et al. (2019); Sharma and Hussain (2017) |
| Integrity | Data tampering | Fault diagnosis based on sensor measurements, e.g., majority voting; attaching MAC tags to messages | Muhammed and Shaikh (2017) |
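
The replay attack and data tampering rows of Table 3 name timestamp verification, packet sequence numbers and MAC tags as mitigations. The following is an added example (not code from the survey or from the studies it cites) of a receiver that applies all three to a position report exchanged between nodes; the packet layout, the pre-shared per-node keys, the 2-second freshness window and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumed wire layout (not from the survey): node id, sequence number,
# sender timestamp in ms, x/y position in cm, followed by a truncated HMAC tag.
HEADER = struct.Struct(">HIQii")
TAG_LEN = 16
MAX_AGE_MS = 2000  # assumed freshness window; needs loosely synchronised clocks


def build_packet(key, node_id, seq, ts_ms, x_cm, y_cm):
    """Serialise a position report and append its MAC tag."""
    body = HEADER.pack(node_id, seq, ts_ms, x_cm, y_cm)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Verifier:
    """Receiver-side checks: MAC tag, then timestamp, then sequence number."""

    def __init__(self, keys, max_age_ms=MAX_AGE_MS):
        self.keys = keys              # node_id -> pre-shared key (assumption)
        self.max_age_ms = max_age_ms
        self.last_seq = {}            # node_id -> highest sequence number accepted

    def verify(self, packet, now_ms):
        """Return (accepted, reason, fields)."""
        if len(packet) != HEADER.size + TAG_LEN:
            return False, "malformed", None
        body, tag = packet[:HEADER.size], packet[HEADER.size:]
        node_id, seq, ts_ms, x_cm, y_cm = HEADER.unpack(body)
        key = self.keys.get(node_id)
        if key is None:
            return False, "unknown-node", None
        # Authenticate first so forged packets can never touch replay state.
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "bad-tag", None
        # Timestamp verification: reject reports outside the freshness window.
        if abs(now_ms - ts_ms) > self.max_age_ms:
            return False, "stale", None
        # Sequence numbers: reject anything not newer than the last accepted one.
        if seq <= self.last_seq.get(node_id, -1):
            return False, "replayed", None
        self.last_seq[node_id] = seq
        fields = {"node_id": node_id, "seq": seq, "x_cm": x_cm, "y_cm": y_cm}
        return True, "ok", fields


def demo():
    """Run constructed packets through the verifier and return the verdicts."""
    key = bytes(range(32))            # constructed demo key
    v = Verifier({7: key})
    t0 = 1_700_000_000_000            # constructed sender clock value (ms)
    genuine = build_packet(key, 7, 41, t0, 1250, -340)
    tampered = bytearray(build_packet(key, 7, 42, t0, 1250, -340))
    tampered[14] ^= 0x01              # alter one bit of the x coordinate in transit
    return [
        v.verify(genuine, t0 + 150)[1],                                   # fresh, first sight
        v.verify(genuine, t0 + 300)[1],                                   # same bytes again
        v.verify(bytes(tampered), t0 + 300)[1],                           # modified payload
        v.verify(build_packet(key, 7, 43, t0, 0, 0), t0 + 5000)[1],       # old timestamp
        v.verify(build_packet(key, 9, 1, t0, 0, 0), t0)[1],               # node without a key
        v.verify(build_packet(key, 7, 42, t0 + 400, 1260, -335), t0 + 450)[1],
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A rejected stale packet does not advance the stored sequence number, which is why sequence 42 is still accepted after sequence 43 was dropped for its timestamp.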

Table 4
Indoor positioning security and privacy issues and solutions related to authenticity and other attacks found from the literature review.

| Category | Issue name | Solutions | Relevant studies |
|---|---|---|---|
| Authenticity | Malicious node attacks | Blockchain-based trust score systems; malicious node detection systems; node authentication schemes; digital signatures; physical-layer-level node authentication | Arul Selvan and Selvakumar (2019); Bai et al. (2020); Brooks et al. (2007); Guerrero-Higueras et al. (2018); Hua et al. (2018); Liu et al. (2019a); Nguyen et al. (2021); Numan et al. (2020); Pan et al. (2019); Pinto et al. (2018); Thanigaivelan et al. (2016); Yessembayev et al. (2018) |
| Authenticity | Collusion attack | Location-based tampering detection; a separate system for monitoring nodes’ trustworthiness | Yaseen et al. (2018) |
| Other | Replaying QR codes | Update QR codes regularly and include a validity period in them; client-side GPS-based location verification | |
| Other | Resource draining | Monitoring energy consumption on reference nodes; monitoring the number of incoming packets | Sharma and Kumar Joshi (2019) |

should explore how to make their adoption practical, e.g., reducing computational costs and strengthening security/privacy guarantees. Federated learning is also a promising new area of research in indoor positioning, whereby the privacy of training data is preserved (Yin et al., 2020). For example, it can be employed in the offline stage of fingerprinting, where fingerprints are crowdsourced, to protect the privacy of fingerprint collectors. It can also be utilised in centralised cooperative localisation, whereby unlocalised nodes submit their measurements to a central server for location inference without revealing their identity to anyone, including the server itself.

6.3. Multimodal and hybrid indoor positioning system security and privacy

From the previous study, it can be seen that there is a shortage of studies on security and privacy measures for multimodal and hybrid IPSs, especially those that employ collaborative positioning. Most current papers focus on WiFi-fingerprinting-based methods, indicating that WiFi fingerprinting is the most promising positioning approach. However, WiFi fingerprinting may not suit all applications, especially as hybrid solutions are rising in popularity due to the fact that they make up for the weaknesses of individual communication technologies. In addition, some systems combine multiple positioning methods, which might have different security and privacy issues, so how the interplay of different issues can be addressed also needs to be investigated. On the other hand, the use of multiple technologies/methods can actually be leveraged to enhance the security/privacy of a system because they can be used to verify each other’s results. For example, if a system combines UWB and BLE for better accuracy and performance, the two components can also be used independently for localisation, and their estimates can be compared to detect discrepancies and, thus, intrusion. Of course, the adversary can compromise both UWB and BLE components of the system, but this will be harder to achieve (e.g., difficult to provide consistent incorrect results from both components). In other words, multimodal positioning can be employed for cross verification purposes.

6.4. Addressing the weaknesses of existing methods

Existing security and privacy preservation mechanisms for IPSs have significant limitations, so researchers should focus on addressing them. For example, researchers should investigate how to optimise the trade-off between positioning accuracy and privacy and how to reduce the computational burden of existing solutions so that they can be used on less powerful nodes like beacons. In addition, since many indoor positioning methods are range-based, more attention should be paid to enhancing inter-node distance estimation techniques, e.g., how to make distance bounding more accessible or investigate whether there are other distance verification methods that are not hardware-specific. Security and privacy should not be an afterthought when it comes to IPS design. New positioning methods may need to be engineered altogether. Promising solutions include optimisation methods that can operate on encrypted data, e.g., homomorphic encryption, as well as the use of privacy-preserving technologies such as infrared cameras.

6.5. Emerging areas

Apart from the aforementioned research directions, there are also emerging areas to explore when it comes to indoor positioning security and privacy. For example, with the advent of the metaverse, it is expected that new positioning problems will emerge (i.e., integrated positioning in physical space and virtual space). For instance, it may be easier for people to forge their identities in the metaverse since they can log in through different accounts, and this will pose additional challenges in identifying malicious parties. There may be new attacks on virtual wireless technologies, if they are integrated in the metaverse. Dual positioning problems (i.e., in physical and virtual spaces) will raise new security and privacy issues. Another emerging area is the use of post-quantum cryptography for indoor positioning in the long term. Considering the exceptional computational capability of quantum computers and their threat for existing cryptosystems, research should be done on how post-quantum cryptographic schemes can be integrated into IPSs with minimal impact on accuracy, scalability and efficiency.

7. Conclusion

In conclusion, we have conducted a systematic and comprehensive survey on indoor positioning security and privacy, giving an overview of major indoor positioning methods, highlighting the main security and privacy concerns of each method and discussing recent solutions proposed in the literature. The aim is to complement the current survey papers, which focus on the security/privacy of LBS rather than the positioning methods themselves. Indoor positioning methods can be divided into three general categories, namely: non-collaborative methods (i.e., proximity-based, fingerprinting and geometric methods), collaborative methods and others. The first category of methods have been studied extensively, while the second one is still a new research area. That means, there is a strong need to conduct more research on collaborative positioning. The aforementioned positioning methods have common as well as specific security issues. In general, the common security issues are related to protecting network nodes, communications links and data used for positioning purposes. Some attacks, such as jamming, are more difficult to address, and solutions to these attacks are mainly based on detection rather than combating the core issues. Enhancing security while preserving privacy is also a challenging research problem, requiring further studies. Last but not least, we have also highlighted some future research directions and work.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

CRediT authorship contribution statement

Yerkezhan Sartayeva: Conceptualization, Visualization, Writing – original draft. Henry C. B. Chan: Methodology, Project administration, Writing – review & editing, Supervision.

Data availability

No data was used for the research described in the article.

Acknowledgements

This work has been supported by the Hong Kong Ph.D. Fellowship Scheme of the Research Grants Council (RGC) of Hong Kong.

References

Abdel-Fattah, F., Farhan, K.A., Al-Tarawneh, F.H., AlTamimi, F., 2019. Security challenges and attacks in dynamic mobile ad hoc networks MANETs. In: 2019 IEEE Jordan International Joint Conference on Electrical Engineering and Information Technology (JEEIT), pp. 28–33. doi:10.1109/JEEIT.2019.8717449.
Abdelaziz, A., Koksal, C.E., El Gamal, H., 2016. On the security of angle of arrival estimation. In: 2016 IEEE Conference on Communications and Network Security (CNS), pp. 109–117. doi:10.1109/CNS.2016.7860476.
Al-Garadi, M.A., Mohamed, A., Al-Ali, A.K., Du, X., Ali, I., Guizani, M., 2020. A survey of machine and deep learning methods for Internet of Things (IoT) security. IEEE Commun. Surv. Tutor. 22 (3), 1646–1685. doi:10.1109/COMST.2020.2988293.
Alanwar, A., Shoukry, Y., Chakraborty, S., Martin, P., Tabuada, P., Srivastava, M., 2017. PrOLoc: resilient localization with private observers using partial homomorphic encryption. In: Proceedings of the 16th ACM/IEEE International Conference on Information Processing in Sensor Networks. Association for Computing Machinery, New York, NY, USA, pp. 41–52. doi:10.1145/3055031.3055080.
Alhomayani, F., Mahoor, M.H., 2020. Deep learning methods for fingerprint-based indoor positioning: a review. J. Locat. Based Serv. 14 (3), 129–200. doi:10.1080/17489725.2020.1817582.
Alrababah, D., Al-Shammari, E., Alsuht, A., 2017. A survey: authentication protocols for wireless sensor network in the Internet of Things; keys and attacks. In: 2017 International Conference on New Trends in Computing Sciences (ICTCS), pp. 270–276. doi:10.1109/ICTCS.2017.34.
Anandhi, S., Anitha, R., Sureshkumar, V., 2019. IoT enabled RFID authentication and secure object tracking system for smart logistics. Wirel. Pers. Commun. 104 (2), 543–560. doi:10.1007/s11277-018-6033-6.
Arjoune, Y., Salahdine, F., Islam, M.S., Ghribi, E., Kaabouch, N., 2020. A novel jamming attacks detection approach based on machine learning for wireless communication. In: 2020 International Conference on Information Networking (ICOIN), pp. 459–464. doi:10.1109/ICOIN48656.2020.9016462.
Armknecht, F., Boyd, C., Carr, C., Gjøsteen, K., Jäschke, A., Reuter, C.A., Strand, M., 2015. A guide to fully homomorphic encryption. IACR Cryptol. ePrint Arch. 2015, 1192.
Arul Selvan, M., Selvakumar, S., 2019. Malicious node identification using quantitative intrusion detection techniques in MANET. Cluster Comput. 22 (3), 7069–7077. doi:10.1007/s10586-018-2418-2.
Avoine, G., Bingöl, M.A., Boureanu, I., čapkun, S., Hancke, G., Kardaş, S., Kim, C.H., Lauradoux, C., Martin, B., Munilla, J., Peinado, A., Rasmussen, K.B., Singelée, D., Tchamkerten, A., Trujillo-Rasua, R., Vaudenay, S., 2018. Security of distance-bounding: a survey. ACM Comput. Surv. 51 (5). doi:10.1145/3264628.
Bahle, G., Fortes Rey, V., Bian, S., Bello, H., Lukowicz, P., 2021. Using privacy respecting sound analysis to improve Bluetooth based proximity detection for COVID-19 exposure tracing and social distancing. Sensors 21 (16). doi:10.3390/s21165604.
Bai, L., Zhu, L., Liu, J., Choi, J., Zhang, W., 2020. Physical layer authentication in wireless communication networks: a survey. J. Commun. Inf. Netw. 5 (3), 237–264. doi:10.23919/JCIN.2020.9200889.
Banerjee, S., Xu, S., Johnson, S.D., 2021. How does location based marketing affect mobile retail revenues? The complex interplay of delivery tactic, interface mobility and user privacy. J. Bus. Res. 130, 398–404. doi:10.1016/j.jbusres.2020.02.042.
Basiri, A., Lohan, E.S., Moore, T., Winstanley, A., Peltola, P., Hill, C., Amirian, P., Figueiredo e Silva, P., 2017. Indoor location based services challenges, requirements and usability of current solutions. Comput. Sci. Rev. 24, 1–12. doi:10.1016/j.cosrev.2017.03.002.


Bell, J., Butler, D., Hicks, C., Crowcroft, J., 2020. TraceSecure: towards privacy preserving contact tracing. doi:10.48550/ARXIV.2004.04059.
Bettini, C., 2018. Privacy protection in location-based services: a survey. Springer International Publishing, Cham, pp. 73–96. doi:10.1007/978-3-319-98161-1_4.
Bock, K., Kühne, C. R., Mühlhoff, R., Ost, M. R., Pohle, J., Rehak, R., 2021. Data protection impact assessment for the corona app. doi:10.48550/ARXIV.2101.07292.
Boutet, A., Cunche, M., 2021. Privacy protection for Wi-Fi location positioning systems. J. Inf. Secur. Appl. 58, 102635. doi:10.1016/j.jisa.2020.102635.
Braithwaite, I., Callender, T., Bullock, M., Aldridge, R.W., 2020. Automated and partly automated contact tracing: a systematic review to inform the control of COVID-19. Lancet Digit. Health 2 (11), e607–e621. doi:10.1016/S2589-7500(20)30184-9.
Brands, S., Chaum, D., 1994. Distance-bounding protocols. In: Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology. Springer-Verlag, Berlin, Heidelberg, pp. 344–359. doi:10.5555/188307.188361.
Brena, R.F., García-Vázquez, J.P., Galvín-Tejada, C.E., Muñoz-Rodriguez, D., Vargas-Rosales, C., Fangmeyer, J., 2017. Evolution of indoor positioning technologies: a survey. J. Sens. 2017, 2630413. doi:10.1155/2017/2630413.
Brooks, R., Govindaraju, P.Y., Pirretti, M., Vijaykrishnan, N., Kandemir, M.T., 2007. On the detection of clones in sensor networks using random key predistribution. IEEE Trans. Syst., Man, Cybern., Part C (Applications and Reviews) 37 (6), 1246–1258. doi:10.1109/TSMCC.2007.905824.
Buccafurri, F., De Angelis, V., Francesca Idone, M., Labrini, C., 2021. A privacy-preserving protocol for proximity-based services in social networks. In: 2021 IEEE Global Communications Conference (GLOBECOM), pp. 1–6. doi:10.1109/GLOBECOM46510.2021.9685284.
Buehrer, R.M., Wymeersch, H., Vaghefi, R.M., 2018. Collaborative sensor network localization: algorithms and practical issues. Proc. IEEE 106 (6), 1089–1114. doi:10.1109/JPROC.2018.2829439.
Carotenuto, R., Merenda, M., Iero, D., Della Corte, F.G., 2020. Mobile synchronization recovery for ultrasonic indoor positioning. Sensors (Basel) 20 (3), 702. doi:10.3390/s20030702.
Carter, S. A., Avrahami, D., Tokunaga, N., 2020. Using inaudible audio to improve indoor-localization- and proximity-aware intelligent applications. CoRR abs/2002.00091. https://arxiv.org/abs/2002.00091.
Castelluccia, C., Bielova, N., Boutet, A., Cunche, M., Lauradoux, C., Le Métayer, D., Roca, V., 2020. ROBERT: ROBust and privacy-presERving proximity Tracing. Working paper or preprint. https://hal.inria.fr/hal-02611265.
Chan, A. C.-F., Chung, R. M. H., 2021. Security and privacy of wireless beacon systems. doi:10.48550/ARXIV.2107.05868.
Chapman, T., Larsson, E., von Wrycza, P., Dahlman, E., Parkvall, S., Sköld, J., 2015. Chapter 3—CDMA transmission principles. In: Chapman, T., Larsson, E., von Wrycza, P., Dahlman, E., Parkvall, S., Sköld, J. (Eds.), HSPA Evolution. Academic Press, Oxford, pp. 35–48. doi:10.1016/B978-0-08-099969-2.00003-X.
Cho, H., Ippolito, D., Yu, Y. W., 2020. Contact tracing mobile apps for COVID-19: privacy considerations and related trade-offs. doi:10.48550/ARXIV.2003.11511.
Chen, W., Guan, M., Wang, L., Ruby, R., Wu, K., 2017b. FLoc: device-free passive indoor localization in complex environments. In: 2017 IEEE International Conference on Communications (ICC), pp. 1–6. doi:10.1109/ICC.2017.7997098.
Chen, L., Thombre, S., Järvinen, K., Lohan, E.S., Alén-Savikko, A., Leppäkoski, H., Bhuiyan, M.Z.H., Bu-Pasha, S., Ferrara, G.N., Honkala, S., Lindqvist, J., Ruotsalainen, L., Korpisaari, P., Kuusniemi, H., 2017a. Robustness, security and privacy in location-based services for future IoT: a survey. IEEE Access 5, 8956–8977. doi:10.1109/ACCESS.2017.2695525.
Clulow, J., Hancke, G.P., Kuhn, M.G., Moore, T., 2006. So near and yet so far: distance-bounding attacks in wireless networks. In: Proceedings of the Third European Conference on Security and Privacy in Ad-Hoc and Sensor Networks. Springer-Verlag, Berlin, Heidelberg, pp. 83–97. doi:10.1007/11964254_9.
Cremers, C., Rasmussen, K.B., Schmidt, B., Capkun, S., 2012. Distance hijacking attacks on distance bounding protocols. In: 2012 IEEE Symposium on Security and Privacy, pp. 113–127. doi:10.1109/SP.2012.17.
Cui, L., Xu, C., Li, G., Ming, Z., Feng, Y., Lu, N., 2018. A high accurate localization algorithm with DV-Hop and differential evolution for wireless sensor network. Appl. Soft Comput. 68, 39–52. doi:10.1016/j.asoc.2018.03.036.
Davidson, P., Piché, R., 2017. A survey of selected indoor positioning methods for smartphones. IEEE Commun. Surv. Tutor. 19 (2), 1347–1370. doi:10.1109/COMST.2016.2637663.
Desmedt, Y., 1988. Major security problems with the ‘unforgeable’ (Feige)–Fiat–Shamir proofs of identity and how to overcome them. In: Proceedings of SECURICOM, vol. 88, pp. 15–17.
Destiarti, A.R., Kristalina, P., Sudarsono, A., 2017. Secure data transmission scheme for indoor mobile cooperative localization system. In: 2017 International Electronics Symposium on Engineering Technology and Applications (IES-ETA), pp. 50–56. doi:10.1109/ELECSYM.2017.8240378.
Di Franco, C., Marinoni, M., Bini, E., Buttazzo, G.C., 2018. Dynamic multidimensional scaling with anchors and height constraints for indoor localization of mobile nodes. Robot. Auton. Syst. 108, 28–37. doi:10.1016/j.robot.2018.06.015.
Djuraev, S., Choi, J.-G., Sohn, K.-S., Nam, S.Y., 2017. Channel hopping scheme to mitigate jamming attacks in wireless LANs. EURASIP J. Wirel. Commun. Netw. 2017 (1), 11. doi:10.1186/s13638-016-0785-z.
Duong, N.-S., Thi, T.-M.D., 2021. Smartphone indoor positioning based on enhanced BLE beacon multi-lateration. TELKOMNIKA 19 (1), 51–62. doi:10.12928/TELKOMNIKA.v19i1.16275.
Dusmanu, M., Schönberger, J.L., Sinha, S.N., Pollefeys, M., 2021. Privacy-preserving image features via adversarial affine subspace embeddings. In: 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 14262–14272. doi:10.1109/CVPR46437.2021.01404.
Dutta, N., Singh, M.M., 2019. Wormhole attack in wireless sensor networks: a critical review. In: Mandal, J.K., Bhattacharyya, D., Auluck, N. (Eds.), Advanced Computing and Communication Technologies. Springer Singapore, Singapore, pp. 147–161.
Faruque, S., 2016. Introduction to Channel Coding. Springer International Publishing, Cham, pp. 1–16.
Feng, Y., Wang, W., Weng, Y., Zhang, H., 2017. A replay-attack resistant authentication scheme for the Internet of Things. In: 2017 IEEE International Conference on Computational Science and Engineering (CSE) and IEEE International Conference on Embedded and Ubiquitous Computing (EUC), vol. 1, pp. 541–547. doi:10.1109/CSE-EUC.2017.101.
Focardi, R., Luccio, F.L., Wahsheh, H.A., 2019. Usable security for QR code. J. Inf. Secur. Appl. 48, 102369. doi:10.1016/j.jisa.2019.102369.
Gao, B., Maekawa, T., Amagata, D., Hara, T., 2018. Environment-adaptive malicious node detection in MANETs with ensemble learning. In: 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS), pp. 556–566. doi:10.1109/ICDCS.2018.00061.
Google, 2020. Exposure notifications: helping fight COVID-19. https://www.google.com/covid19/exposurenotifications/.
Geppert, M., Larsson, V., Schönberger, J.L., Pollefeys, M., 2022. Privacy preserving partial localization. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 17337–17347. doi:10.1109/CVPR52688.2022.01682.
Gomathy, V., Padhy, N., Samanta, D., Sivaram, M., Jain, V., Amiri, I.S., 2020. Malicious node detection using heterogeneous cluster based secure routing protocol (HCBS) in wireless adhoc sensor networks. J. Ambient Intell. Humaniz. Comput. 11 (11), 4995–5001. doi:10.1007/s12652-020-01797-3.
Gu, F., Niu, J., Duan, L., 2017. WAIPO: a fusion-based collaborative indoor localization system on smartphones. IEEE/ACM Trans. Networking 25 (4), 2267–2280. doi:10.1109/TNET.2017.2680448.
Guan, R., Harle, R., 2018. Signal fingerprint anomaly detection for probabilistic indoor positioning. In: 2018 International Conference on Indoor Positioning and Indoor Navigation (IPIN), pp. 1–8. doi:10.1109/IPIN.2018.8533867.
Guerrero-Higueras, Á.M., DeCastro-García, N., Matellán, V., 2018. Detection of cyber-attacks to indoor real time localization systems for autonomous robots. Robot. Auton. Syst. 99, 75–83. doi:10.1016/j.robot.2017.10.006.
Han, S., Topcu, U., Pappas, G.J., 2017. Differentially private distributed constrained optimization. IEEE Trans. Autom. Control 62 (1), 50–64. doi:10.1109/TAC.2016.2541298.
Hassija, V., Chamola, V., Saxena, V., Jain, D., Goyal, P., Sikdar, B., 2019. A survey on IoT security: application areas, security threats, and solution architectures. IEEE Access 7, 82721–82743. doi:10.1109/ACCESS.2019.2924045.
Hata, M., 1980. Empirical formula for propagation loss in land mobile radio services. IEEE Trans. Veh. Technol. 29 (3), 317–325. doi:10.1109/T-VT.1980.23859.
Heurtefeux, K., Valois, F., 2012. Is RSSI a good choice for localization in wireless sensor network? In: 2012 IEEE 26th International Conference on Advanced Information Networking and Applications, pp. 732–739. doi:10.1109/AINA.2012.19.
Holcer, S., Torres-Sospedra, J., Gould, M., Remolar, I., 2020. Privacy in indoor positioning systems: a systematic review. In: 2020 International Conference on Localization and GNSS (ICL-GNSS), pp. 1–6. doi:10.1109/ICL-GNSS49876.2020.9115496.
Hou, Y., Yang, X., Abbasi, Q.H., 2018. Efficient AoA-based wireless indoor localization for hospital outpatients using mobile devices. Sensors 18 (11). doi:10.3390/s18113698.
Hu, J., Lin, H., Guo, X., Yang, J., 2018. DTCs: an integrated strategy for enhancing data trustworthiness in mobile crowdsourcing. IEEE Internet Things J. 5 (6), 4663–4671. doi:10.1109/JIOT.2018.2801559.
Hu, Z., Li, Y., Jiang, G., Zhang, R., Xie, M., 2022. Prihorus: privacy-preserving RSS-based indoor positioning. In: ICC 2022 - IEEE International Conference on Communications, pp. 5627–5632. doi:10.1109/ICC45855.2022.9839103.
Hua, J., Sun, H., Shen, Z., Qian, Z., Zhong, S., 2018. Accurate and efficient wireless device fingerprinting using channel state information. In: IEEE INFOCOM 2018 - IEEE Conference on Computer Communications, pp. 1700–1708. doi:10.1109/INFOCOM.2018.8485917.
Huang, D.-W., Liu, W., Bi, J., 2021. Data tampering attacks diagnosis in dynamic wireless sensor networks. Comput. Commun. 172, 84–92. doi:10.1016/j.comcom.2021.03.007.
Hussain, S.U., Koushanfar, F., 2016. Privacy preserving localization for smart automotive systems. In: Proceedings of the 53rd Annual Design Automation Conference. Association for Computing Machinery, New York, NY, USA. doi:10.1145/2897937.2898071.
Hymlin Rose, S., Jayasree, T., 2019. Detection of jamming attack using timestamp for WSN. Ad Hoc Netw. 91, 101874. doi:10.1016/j.adhoc.2019.101874.
Ihler, A., Fisher, J., Moses, R., Willsky, A., 2005. Nonparametric belief propagation for self-localization of sensor networks. IEEE J. Sel. Areas Commun. 23 (4), 809–819. doi:10.1109/JSAC.2005.843548.
Jain, S., Singh, A., Kaur, A., Jain, S., 2017. Improved APIT localization algorithm in wireless sensor networks. In: 2017 4th International Conference on Signal

29
Y. Sartayeva and H.C. B. Chan Computers & Security 131 (2023) 103293

Processing, Computing and Control (ISPCC), pp. 77–81. doi:10.1109/ISPCC.2017. Li, W., Su, Z., Li, R., Zhang, K., Xu, Q., 2020. Abnormal crowd traffic detection for
8269653. crowdsourced indoor positioning in heterogeneous communications networks.
Järvinen, K., Kiss, Á., Schneider, T., Tkachenko, O., Yang, Z., 2018. Faster privacy- IEEE Trans. Netw. Sci. Eng. 7 (4), 2494–2505. doi:10.1109/TNSE.2020.3014380.
preserving location proximity schemes. In: Camenisch, J., Papadimitratos, P. Li, Y., Hu, Y., Zhang, R., Zhang, Y., Hedgpeth, T., 2019a. Secure indoor positioning
(Eds.), Cryptology and Network Security. Springer International Publishing, against signal strength attacks via optimized multi-voting. In: Proceedings of
Cham, pp. 3–22. doi:10.1007/978- 3- 030- 00434- 7_1. the International Symposium on Quality of Service. Association for Computing
Järvinen, K., Leppkoski, H., Lohan, E.-S., Richter, P., Schneider, T., Tkachenko, O., Machinery, New York, NY, USA doi:10.1145/3326285.3329068.
Yang, Z., 2019. PILOT: practical privacy-preserving indoor localization using out- Li, Z., Huang, J., 2018. Study on the use of Q-R codes as landmarks for in-
sourcing. In: 2019 IEEE European Symposium on Security and Privacy (EuroS&P), door positioning: preliminary results. In: 2018 IEEE/ION Position, Location
pp. 448–463. doi:10.1109/EuroSP.2019.0 0 040. and Navigation Symposium (PLANS), pp. 1270–1276. doi:10.1109/PLANS.2018.
Jeon, K.E., She, J., Soonsawad, P., Ng, P.C., 2018. BLE beacons for Internet of Things 8373516.
applications: survey, challenges, and opportunities. IEEE Internet Things J. 5 (2), Li, Z., Xu, K., Wang, H., Zhao, Y., Wang, X., Shen, M., 2019b. Machine-learning-based
811–828. doi:10.1109/JIOT.2017.2788449. positioning: a survey and future directions. IEEE Netw. 33 (3), 96–101. doi:10.
Jiang, H., Li, J., Zhao, P., Zeng, F., Xiao, Z., Iyengar, A., 2021. Location privacy- 1109/MNET.2019.1800366.
preserving mechanisms in location-based services: a comprehensive survey. Liberati, A., Altman, D.G., Tetzlaff, J., Mulrow, C., Gøtzsche, P.C., Ioannidis, J.P.A.,
ACM Comput. Surv. 54 (1). doi:10.1145/3423165. Clarke, M., Devereaux, P.J., Kleijnen, J., Moher, D., 2009. The PRISMA statement
Jiang, J., Han, G., Wang, H., Guizani, M., 2019. A survey on location privacy protec- for reporting systematic reviews and meta-analyses of studies that evaluate
tion in wireless sensor networks. J. Netw. Comput. Appl. 125, 93–114. doi:10. healthcare interventions: explanation and elaboration. BMJ 339. doi:10.1136/
1016/j.jnca.2018.10.008. bmj.b2700.
Kalantar, G., Mohammadi, A., Sadrieh, S.N., 2018. Analyzing the effect of Blue- Liu, Y., Liu, A., Liu, X., Huang, X., 2019b. A statistical approach to participant selec-
tooth Low Energy (BLE) with randomized MAC addresses in IoT applications. tion in location-based social networks for offline event marketing. Inf. Sci. 480,
In: 2018 IEEE International Conference on Internet of Things (iThings) and IEEE 90–108. doi:10.1016/j.ins.2018.12.028.
Green Computing and Communications (GreenCom) and IEEE Cyber, Physical Liu, Z., Liu, J., Zeng, Y., Ma, J., 2018b. Covert wireless communications in IoT systems:
and Social Computing (CPSCom) and IEEE Smart Data (SmartData), pp. 27–34. hiding information in interference. IEEE Wirel. Commun. 25 (6), 46–52. doi:10.
doi:10.1109/Cybermatics_2018.2018.0 0 039. 1109/MWC.2017.180 0 070.
Kang, J., Seo, J., Won, Y., 2018. Ephemeral ID beacon-based improved indoor posi- Liu, X., Su, S., Han, F., Liu, Y., Pan, Z., 2019a. A range-based secure localization algo-
tioning system. Symmetry 10 (11). doi:10.3390/sym10110622. rithm for wireless sensor networks. IEEE Sens. J. 19 (2), 785–796. doi:10.1109/
Kaur, H., Saxena, S., 2017. A review on node replication attack identification schemes JSEN.2018.2877306.
in WSN. In: 2017 8th International Conference on Computing, Communica- Liu, B., Zhou, W., Zhu, T., Gao, L., Xiang, Y., 2018a. Location privacy and its applica-
tion and Networking Technologies (ICCCNT), pp. 1–8. doi:10.1109/ICCCNT.2017. tions: a systematic study. IEEE Access 6, 17606–17624. doi:10.1109/ACCESS.2018.
8203945. 2822260.
Khalajmehrabadi, A., Gatsis, N., Akopian, D., 2017. Modern WLAN fingerprinting in- Lounis, K., Zulkernine, M., 2020. Attacks and defenses in short-range wireless tech-
door positioning methods and deployment challenges. IEEE Commun. Surv. Tu- nologies for IoT. IEEE Access 8, 88892–88932. doi:10.1109/ACCESS.2020.2993553.
tor. 19 (3), 1974–2002. doi:10.1109/COMST.2017.2671454. Luo, J., Yin, X., Zheng, Y., Wang, C., 2018. Secure indoor localization based on ex-
Kim, B., Song, J., 2017. An efficient and practical mobile node reauthentication tracting trusted fingerprint. Sensors 18 (2). doi:10.3390/s18020469.
scheme for mobile wireless sensor networks. In: Proceedings of the 3rd In- Luo, R.C., Hsiao, T.J., 2019. Dynamic wireless indoor localization incorporating with
ternational Conference on Communication and Information Processing. Associ- an autonomous mobile robot based on an adaptive signal model fingerprint-
ation for Computing Machinery, New York, NY, USA, pp. 326–331. doi:10.1145/ ing approach. IEEE Trans. Ind. Electron. 66 (3), 1940–1951. doi:10.1109/TIE.2018.
3162957.3163025. 2833021.
Kim, J.W., Kim, D.-H., Jang, B., 2018. Application of local differential privacy to Lwin, M.T., Yim, J., Ko, Y.-B., 2020. Blockchain-based lightweight trust management
collection of indoor positioning data. IEEE Access 6, 4276–4286. doi:10.1109/ in mobile ad-hoc networks. Sensors 20 (3). doi:10.3390/s20030698.
ACCESS.2018.2791588. Marqués, R.C., Pascacio, P., Hajny, J., Torres-Sospedra, J., 2021. Anonymous at-
Kluge, T., Groba, C., Springer, T., 2020. Trilateration, fingerprinting, and centroid: tak- tribute-based credentials in collaborative indoor positioning systems. SECRYPT.
ing indoor positioning with Bluetooth LE to the wild. In: 2020 IEEE 21st Interna- Mendrzik, R., Bauch, G., 2019. Position-constrained stochastic inference for cooper-
tional Symposium on “A World of Wireless, Mobile and Multimedia Networks” ative indoor localization. IEEE Trans. Signal Inf. Process. Netw. 5 (3), 454–468.
(WoWMoM), pp. 264–272. doi:10.1109/WoWMoM49955.2020.0 0 054. doi:10.1109/TSIPN.2019.2897214.
Kohlios, C.P., Hayajneh, T., 2018. A comprehensive attack flow model and Mishra, A.K., Tripathy, A.K., Puthal, D., Yang, L.T., 2019. Analytical model for Sybil
security analysis for Wi-Fi and WPA3. Electronics 7 (11). doi:10.3390/ attack phases in Internet of Things. IEEE Internet Things J. 6 (1), 379–387.
electronics7110284. doi:10.1109/JIOT.2018.2843769.
Kolakowski, M., 2021. Automated calibration of RSS fingerprinting based systems binti Mohamad Noor, M., Hassan, W.H., 2019. Current research on Internet of Things
using a mobile robot and machine learning. Sensors 21 (18). doi:10.3390/ (IoT) security: a survey. Comput. Netw. 148, 283–294. doi:10.1016/j.comnet.2018.
s21186270. 11.025.
Krishnan, S., Xenia Mendoza Santos, R., Ranier Yap, E., Thu Zin, M., 2018. Improv- Mohanta, B.K., Jena, D., Satapathy, U., Patnaik, S., 2020. Survey on IoT secu-
ing UWB based indoor positioning in industrial environments through ma- rity: challenges and solution using machine learning, artificial intelligence and
chine learning. In: 2018 15th International Conference on Control, Automa- blockchain technology. Internet Things 11, 100227. doi:10.1016/j.iot.2020.100227.
tion, Robotics and Vision (ICARCV), pp. 1484–1488. doi:10.1109/ICARCV.2018. Muhammed, T., Shaikh, R.A., 2017. An analysis of fault detection strategies in wire-
8581305. less sensor networks. J. Netw. Comput. Appl. 78, 267–287. doi:10.1016/j.jnca.
Kudoh, E., Watanabe, J., Hiratsuka, Y., 2017. MMSE location estimation using multi- 2016.10.019.
ple items of sensed information in indoor environments. In: 2017 Ninth Inter- Narayanan, A., Shmatikov, V., 2008. Robust de-anonymization of large sparse
national Conference on Ubiquitous and Future Networks (ICUFN), pp. 266–268. datasets. In: 2008 IEEE Symposium on Security and Privacy (sp 2008), pp. 111–
doi:10.1109/ICUFN.2017.7993789. 125. doi:10.1109/SP.2008.33.
Kukreja, D., Dhurandher, S.K., Reddy, B.R., 2018. Power aware malicious nodes detec- Nasution, A.P., Suryani, V., Wardana, A.A., 2020. IoT object security towards on-off
tion for securing MANETs against packet forwarding misbehavior attack. J. Am- attack using trustworthiness management. In: 2020 8th International Confer-
bient Intell. Humaniz. Comput. 9 (4), 941–956. doi:10.1007/s12652- 017- 0496- 2. ence on Information and Communication Technology (ICoICT), pp. 1–6. doi:10.
Kunhoth, J., Karkar, A., Al-Maadeed, S., Al-Ali, A., 2020. Indoor positioning and 1109/ICoICT49345.2020.9166169.
wayfinding systems: a survey. Human-Centric Comput. Inf. Sci. 10 (1), 18. Neshenko, N., Bou-Harb, E., Crichigno, J., Kaddoum, G., Ghani, N., 2019. Demystify-
doi:10.1186/s13673- 020- 00222- 0. ing IoT security: an exhaustive survey on IoT vulnerabilities and a first empir-
Laoudias, C., Moreira, A., Kim, S., Lee, S., Wirola, L., Fischione, C., 2018. A survey ical look on internet-scale IoT exploitations. IEEE Commun. Surv. Tutor. 21 (3),
of enabling technologies for network localization, tracking, and navigation. IEEE 2702–2733. doi:10.1109/COMST.2019.2910750.
Commun. Surv. Tutor. 20 (4), 3607–3644. doi:10.1109/COMST.2018.2855063. Nessa, A., Adhikari, B., Hussain, F., Fernando, X.N., 2020. A survey of machine learn-
Lehtimaki, S., 2018. Bluetooth angle estimation for real-time locationing. https://bit. ing for indoor positioning. IEEE Access 8, 214945–214965. doi:10.1109/ACCESS.
ly/3NQRaEc. 2020.3039271.
Leu, P., Singh, M., Roeschlin, M., Paterson, K.G., Čapkun, S., 2020. Message time of Ng, P.C., She, J., Park, S., 2018. High resolution beacon-based proximity detection for
arrival codes: a fundamental primitive for secure distance measurement. In: dense deployment. IEEE Trans. Mob. Comput. 17 (6), 1369–1382. doi:10.1109/
2020 IEEE Symposium on Security and Privacy (SP), pp. 500–516. doi:10.1109/ TMC.2017.2759734.
SP40 0 0 0.2020.0 0 010. Nguyen, T.N., Le, V.V., Chu, S.-I., Liu, B.-H., Hsu, Y.-C., 2021. Secure localization al-
Li, H., He, Y., Cheng, X., Sun, L., 2016. A lightweight location privacy-preserving gorithms against localization attacks in wireless sensor networks. Wirel. Pers.
scheme for WiFi fingerprint-based localization. In: 2016 International Confer- Commun. doi:10.1007/s11277- 021- 08404- 4.
ence on Identification, Information and Knowledge in the Internet of Things Nieminen, R., Järvinen, K., 2021. Practical privacy-preserving indoor localization
(IIKI), pp. 525–529. doi:10.1109/IIKI.2016.41. based on secure two-party computation. IEEE Trans. Mob. Comput. 20 (9),
Li, S., Ni, W., Sung, C.K., Hedley, M., 2018. Recent advances on cooperative wireless 2877–2890. doi:10.1109/TMC.2020.2990871.
localization and their application in inhomogeneous propagation environments. Numan, M., Subhan, F., Khan, W.Z., Hakak, S., Haider, S., Reddy, G.T., Jolfaei, A.,
Comput. Netw. 142, 253–271. doi:10.1016/j.comnet.2018.06.017. Alazab, M., 2020. A systematic review on clone node detection in static wire-
Li, S., Rashidzadeh, R., 2019. Hybrid indoor location positioning system. IET Wirel. less sensor networks. IEEE Access 8, 65450–65461. doi:10.1109/ACCESS.2020.
Sens. Syst. 9 (5), 257–264. doi:10.1049/iet-wss.2018.5237. 2983091.

30
Y. Sartayeva and H.C. B. Chan Computers & Security 131 (2023) 103293

Ólafsdóttir, H., Ranganathan, A., Capkun, S., 2017. On the security of carrier Sharma, V., Hussain, M., 2017. Mitigating replay attack in wireless sensor net-
phase-based ranging. In: Fischer, W., Homma, N. (Eds.), Cryptographic Hardware work through assortment of packets. In: Satapathy, S.C., Prasad, V.K., Rani, B.P.,
and Embedded Systems – CHES 2017. Springer International Publishing, Cham, Udgata, S.K., Raju, K.S. (Eds.), Proceedings of the First International Conference
pp. 490–509. on Computational Intelligence and Informatics. Springer Singapore, Singapore,
Orujov, F., Maskeliunas, R., Damaševičius, R., Wei, W., Li, Y., 2018. Smartphone based pp. 221–230.
intelligent indoor positioning using fuzzy logic. Future Gener. Comput. Syst. 89, She, W., Liu, Q., Tian, Z., Chen, J.-S., Wang, B., Liu, W., 2019. Blockchain trust model
335–348. doi:10.1016/j.future.2018.06.030. for malicious node detection in wireless sensor networks. IEEE Access 7, 38947–
Osanaiye, O., Alfa, A.S., Hancke, G.P., 2018. A statistical approach to detect jamming 38956. doi:10.1109/ACCESS.2019.2902811.
attacks in wireless sensor networks. Sensors 18 (6). doi:10.3390/s18061691. Shi, G., Ming, Y., 2016. Survey of indoor positioning systems based on ultra-wide-
Paillier, P., 1999. Public-key cryptosystems based on composite degree residuosity band (UWB) technology. In: Zeng, Q.-A. (Ed.), Wireless Communications, Net-
classes. In: Stern, J. (Ed.), Advances in Cryptology — EUROCRYPT ’99. Springer working and Applications. Springer India, New Delhi, pp. 1269–1278.
Berlin Heidelberg, Berlin, Heidelberg, pp. 223–238. Shi, X., Wu, J., 2018. To hide private position information in localization using time
Pan, F., Pang, Z., Xiao, M., Wen, H., Liao, R.-F., 2019. Clone detection based on phys- difference of arrival. IEEE Trans. Signal Process. 66 (18), 4946–4956. doi:10.1109/
ical layer reputation for proximity service. IEEE Access 7, 3948–3957. doi:10. TSP.2018.2858187.
1109/ACCESS.2018.2888693. Shibuya, M., Sumikura, S., Sakurada, K., 2020. Privacy preserving visual SLAM. In:
Pascacio, P., Casteleyn, S., Torres-Sospedra, J., Lohan, E.S., Nurmi, J., 2021. Collabo- European Conference on Computer Vision. Springer, pp. 102–118.
rative indoor positioning systems: a systematic review. Sensors 21 (3). doi:10. Shieh, C.-H., Xu, Y., Ling, I.L., 2019. How location-based advertising elicits in-store
3390/s21031002. purchase. J. Serv. Mark. 33 (4), 380–395. doi:10.1108/JSM- 03- 2018- 0083.
Pestourie, B., Beroulle, V., Fourty, N., 2019. Security evaluation with an indoor UWB Shoukry, Y., Gatsis, K., Alanwar, A., Pappas, G.J., Seshia, S.A., Srivastava, M.,
localization open platform: acknowledgment attack case study. In: 2019 IEEE Tabuada, P., 2016. Privacy-aware quadratic optimization using partially homo-
30th Annual International Symposium on Personal, Indoor and Mobile Radio morphic encryption. In: 2016 IEEE 55th Conference on Decision and Control
Communications (PIMRC), pp. 1–7. doi:10.1109/PIMRC.2019.8904224. (CDC), pp. 5053–5058. doi:10.1109/CDC.2016.7799042.
Manohar, N., Manohar, P., Manohar, R., 2020. Habit: Hardware-assisted Bluetooth- Singelee, D., Preneel, B., 2005. Location verification using secure distance bounding
based infection tracking. Cryptology ePrint Archive, Paper 2020/949. https:// protocols. In: IEEE International Conference on Mobile Adhoc and Sensor Sys-
eprint.iacr.org/2020/949. tems Conference, 2005, pp. 7–840. doi:10.1109/MAHSS.2005.1542879.
Pietrzak, K., 2020. Delayed authentication: preventing replay and relay attacks Singh, M., Khilar, P.M., 2017. A range free geometric technique for localization
in private contact tracing. Cryptology ePrint Archive, Paper 2020/418. https: of wireless sensor network (WSN) based on controlled communication range.
//eprint.iacr.org/2020/418. Wirel. Pers. Commun. 94 (3), 1359–1385. doi:10.1007/s11277- 016- 3686- x.
Pinto, E.M.d.L., Lachowski, R., Pellenz, M.E., Penna, M.C., Souza, R.D., 2018. A ma- Singh, M., Leu, P., Capkun, S., 2017. UWB with pulse reordering: securing rang-
chine learning approach for detecting spoofing attacks in wireless sensor net- ing against relay and physical-layer attacks. Cryptology ePrint Archive, Paper
works. In: 2018 IEEE 32nd International Conference on Advanced Information 2017/1240. 10.14722/ndss.2019.23109
Networking and Applications (AINA), pp. 752–758. doi:10.1109/AINA.2018.00113. Speciale, P., Schönberger, J.L., Kang, S.B., Sinha, S.N., Pollefeys, M., 2019a. Privacy pre-
Pirayesh, H., Kheirkhah Sangdeh, P., Zeng, H., 2021. Securing ZigBee communications serving image-based localization. In: 2019 IEEE/CVF Conference on Computer
against constant jamming attack using neural network. IEEE Internet Things J. 8 Vision and Pattern Recognition (CVPR), pp. 5488–5498. doi:10.1109/CVPR.2019.
(6), 4957–4968. doi:10.1109/JIOT.2020.3034128. 00564.
Pirayesh, H., Zeng, H., 2022. Jamming attacks and anti-jamming strategies in wire- Speciale, P., Schönberger, J.L., Sinha, S., Pollefeys, M., 2019b. Privacy preserving im-
less networks: a comprehensive survey. IEEE Commun. Surv. Tutor. 24 (2), 767– age queries for camera localization. In: 2019 IEEE/CVF International Conference
809. doi:10.1109/COMST.2022.3159185. on Computer Vision (ICCV), pp. 1486–1496. doi:10.1109/ICCV.2019.00157.
Qiu, C., Mutka, M.W., 2017. Silent whistle: effective indoor positioning with assis- Stocker, M., Großwindhager, B., Boano, C.A., Römer, K., 2020. Towards secure and
tance from acoustic sensing on smartphones. In: 2017 IEEE 18th International scalable UWB-based positioning systems. In: 2020 IEEE 17th International Con-
Symposium on A World of Wireless, Mobile and Multimedia Networks (WoW- ference on Mobile Ad Hoc and Sensor Systems (MASS), pp. 247–255. doi:10.
MoM), pp. 1–6. doi:10.1109/WoWMoM.2017.7974312. 1109/MASS50613.2020.0 0 039.
Ranganathan, A., Capkun, S., 2017. Are we really close? Verifying proximity Subedi, S., Pyun, J.-Y., 2017. Practical fingerprinting localization for indoor position-
in wireless systems. IEEE Secur. Privacy 15 (3), 52–58. doi:10.1109/MSP. ing system by using beacons. J. Sens. 2017, 9742170. doi:10.1155/2017/9742170.
2017.56. Subedi, S., Pyun, J.-Y., 2020. A survey of smartphone-based indoor positioning
Raskar, R., Singh, A., Zimmerman, S., Kanaparti, S., 2020. Adding location and global system using RF-based wireless technologies. Sensors 20 (24). doi:10.3390/
context to the Google/Apple exposure notification Bluetooth API doi:10.48550/ s20247230.
ARXIV.2007.02317. Sun, Y., Sun, Q., Chang, K., 2017. The application of indoor localization systems based
Richter, P., Leppakoski, H., Lohan, E.S., Yang, Z., Jarvinen, K., Tkachenko, O., Schnei- on the improved Kalman filtering algorithm. In: 2017 4th International Confer-
der, T., 2018. Received signal strength quantization for secure indoor position- ence on Systems and Informatics (ICSAI), pp. 768–772. doi:10.1109/ICSAI.2017.
ing via fingerprinting. In: 2018 8th International Conference on Localization and 8248389.
GNSS (ICL-GNSS), pp. 1–6. doi:10.1109/ICL-GNSS.2018.8440910. Tang, Q., 2020. Privacy-preserving contact tracing: current solutions and open ques-
Ridolfi, M., Kaya, A., Berkvens, R., Weyn, M., Joseph, W., Poorter, E.D., 2021. Self- tions. 10.48550/ARXIV.2004.06818
calibration and collaborative localization for UWB positioning systems: a survey Thanigaivelan, N.K., Nigussie, E., Kanth, R.K., Virtanen, S., Isoaho, J., 2016. Distributed
and future research directions. ACM Comput. Surv. 54 (4). doi:10.1145/3448303. internal anomaly detection system for Internet-of-Things. In: 2016 13th IEEE
Roy, P., Chowdhury, C., 2021. A survey of machine learning techniques for indoor Annual Consumer Communications Networking Conference (CCNC), pp. 319–
localization and navigation systems. J. Intell. Robot. Syst. 101 (3), 1–34. doi:10. 320. doi:10.1109/CCNC.2016.7444797.
1007/s10846- 021- 01327- z. Tiemann, J., Fuhr, O., Wietfeld, C., 2020. CELIDON: supporting first responders
Sadhu, V., Zonouz, S., Sritapan, V., Pompili, D., 2021. CollabLoc: privacy-preserving through 3D AoA-based UWB ad-hoc localization. In: 2020 16th International
multi-modal collaborative mobile phone localization. IEEE Trans. Mob. Comput. Conference on Wireless and Mobile Computing, Networking and Communica-
20 (1), 104–116. doi:10.1109/TMC.2019.2937775. tions (WiMob), pp. 20–25. doi:10.1109/WiMob50308.2020.9253377.
Saeed, N., Nam, H., Al-Naffouri, T.Y., Alouini, M.-S., 2019. A state-of-the-art survey Tiku, S., Pasricha, S., 2019. Overcoming security vulnerabilities in deep learning–
on multidimensional scaling-based localization techniques. IEEE Commun. Surv. based indoor localization frameworks on mobile devices. ACM Trans. Embed.
Tutor. 21 (4), 3565–3583. doi:10.1109/COMST.2019.2921972. Comput. Syst. 18 (6). doi:10.1145/3362036.
Santo, H., Maekawa, T., Matsushita, Y., 2017. Device-free and privacy preserving in- Tippenhauer, N.O., Luecken, H., Kuhn, M., Capkun, S., 2015. UWB rapid-bit-exchange
door positioning using infrared retro-reflection imaging. In: 2017 IEEE Inter- system for distance bounding. In: Proceedings of the 8th ACM Conference on
national Conference on Pervasive Computing and Communications (PerCom), Security & Privacy in Wireless and Mobile Networks. Association for Computing
pp. 141–152. doi:10.1109/PERCOM.2017.7917860. Machinery, New York, NY, USA doi:10.1145/2766498.2766504.
Santos, R., Leonardo, R., Barandas, M., Moreira, D., Rocha, T., Alves, P., Oliveira, J.P., Tu, Y.-J., Piramuthu, S., 2020. On addressing RFID/NFC-based relay attacks: an
Gamboa, H., 2021. Crowdsourcing-based fingerprinting for indoor location in overview. Decis. Support Syst. 129, 113194. doi:10.1016/j.dss.2019.113194.
multi-storey buildings. IEEE Access 9, 31143–31160. doi:10.1109/ACCESS.2021. Uphaus, P., Beringer, B., Siemens, K., Ehlers, A., Rau, H., 2021. Location-based services
3060123. – the market: success factors and emerging trends from an exploratory ap-
Schepers, D., Singh, M., Ranganathan, A., 2021. Here, there, and everywhere: se- proach. J. Locat. Based Serv. 15 (1), 1–26. doi:10.1080/17489725.2020.1868587.
curity analysis of Wi-Fi fine timing measurement. In: Proceedings of the 14th Vaghefi, R.M., Buehrer, R.M., 2015. Cooperative localization in NLOS environments
ACM Conference on Security and Privacy in Wireless and Mobile Networks. As- using semidefinite programming. IEEE Commun. Lett. 19 (8), 1382–1385. doi:10.
sociation for Computing Machinery, New York, NY, USA, pp. 78–89. doi:10.1145/ 1109/LCOMM.2015.2442580.
3448300.3467828. Vaudenay, S., 2020b. Centralized or decentralized? The contact tracing dilemma.
Sen, M., Mahapatra, G., 2019. Secure remote patient monitoring with location-based Cryptology ePrint Archive, Paper 2020/531. https://eprint.iacr.org/2020/531.
services. In: Abraham, A., Dutta, P., Mandal, J.K., Bhattacharya, A., Dutta, S. (Eds.), Vaudenay, S., 2020a. Analysis of DP3T - Between Scylla and Charybdis. Cryptology
Emerging Technologies in Data Mining and Information Security. Springer Sin- ePrint Archive, Paper 2020/399. https://eprint.iacr.org/2020/399.
gapore, Singapore, pp. 715–726. Wang, W., Gong, Z., Zhang, J., Lu, H., Ku, W.-S., 2019b. On location privacy in
Sharma, M.K., Kumar Joshi, B., 2019. Adaptive mitigation policy to avoid re- fingerprinting-based indoor positioning system: An encryption approach. In:
source draining attacks in wireless sensor networks. In: 2019 IEEE 5th Inter- Proceedings of the 27th ACM SIGSPATIAL International Conference on Advances
national Conference for Convergence in Technology (I2CT), pp. 1–6. doi:10.1109/ in Geographic Information Systems. Association for Computing Machinery, New
I2CT45611.2019.9033954. York, NY, USA, pp. 289–298. doi:10.1145/3347146.3359081.

31
Y. Sartayeva and H.C. B. Chan Computers & Security 131 (2023) 103293

Wang, J., Lounis, K., Zulkernine, M., 2019a. Security features for proximity verifica- Zafari, F., Gkelias, A., Leung, K.K., 2019. A survey of indoor localization systems and
tion. In: 2019 IEEE 43rd Annual Computer Software and Applications Conference technologies. IEEE Commun. Surv. Tutor. 21 (3), 2568–2599. doi:10.1109/COMST.
(COMPSAC), vol. 2, pp. 592–597. doi:10.1109/COMPSAC.2019.10272. 2019.2911558.
Wang, C., Luo, J., Liu, X., He, X., 2021. Secure and reliable indoor localization Zhang, Z., Guo, X., Lin, Y., 2018a. Trust management method of D2D communication
based on multi-task collaborative learning for large-scale buildings. IEEE Inter- based on RF fingerprint identification. IEEE Access 6, 66082–66087. doi:10.1109/
net Things J. 1. doi:10.1109/JIOT.2021.3079151. ACCESS.2018.2878595.
Ward, J.R., Younis, M., 2019. Cross-layer traffic analysis countermeasures against Zhang, X., He, F., Chen, Q., Jiang, X., Bao, J., Ren, T., Du, X., 2022. A differentially
adaptive attackers of wireless sensor networks. Wirel. Netw. 25 (5), 2869–2887. private indoor localization scheme with fusion of WiFi and Bluetooth finger-
doi:10.1007/s11276- 019- 02003- 9. prints in edge computing. Neural Comput. Appl. 34 (6), 4111–4132. doi:10.1007/
White, L., van Basshuysen, P., 2021. Privacy versus public health? A reassessment of s00521-021-06815-9.
centralised and decentralised digital contact tracing. Sci. Eng. Ethics 27 (2), 23. Zhang, Z., Mehmood, A., Shu, L., Huo, Z., Zhang, Y., Mukherjee, M., 2018b. A sur-
doi:10.1007/s11948- 021- 00301- 0. vey on fault diagnosis in wireless sensor networks. IEEE Access 6, 11349–11364.
Williams, S.N., Armitage, C.J., Tampe, T., Dienes, K., 2021. Public attitudes towards doi:10.1109/ACCESS.2018.2794519.
COVID-19 contact tracing apps: a UK-based focus group study. Health Expect. Zhang, Y., Weng, J., Dey, R., Fu, X., 2020b. Bluetooth Low Energy (BLE) Security and
24 (2), 377–385. doi:10.1111/hex.13179. Privacy. Springer International Publishing, Cham, pp. 123–134.
Wu, J., Nan, Y., Kumar, V., Payer, M., Xu, D., 2020a. BlueShield: detecting spoofing Zhang, G., Zhang, A., Zhao, P., Sun, J., 2020a. Lightweight privacy-preserving scheme
attacks in Bluetooth Low Energy networks. In: 23rd International Symposium in Wi-Fi fingerprint-based indoor localization. IEEE Syst. J. 14 (3), 4638–4647.
on Research in Attacks, Intrusions and Defenses (RAID 2020). USENIX Associ- doi:10.1109/JSYST.2020.2977970.
ation, San Sebastian, pp. 397–411. https://www.usenix.org/conference/raid2020/ Zhao, J., Frumkin, N., Konrad, J., Ishwar, P., 2018a. Privacy-preserving indoor local-
presentation/wu ization via active scene illumination. In: Proceedings of the IEEE Conference on
Wu, P., Su, S., Zuo, Z., Guo, X., Sun, B., Wen, X., 2019. Time difference of arrival Computer Vision and Pattern Recognition (CVPR) Workshops.
(TDOA) localization combining weighted least squares and firefly algorithm. Zhao, P., Jiang, H., Lui, J.C.S., Wang, C., Zeng, F., Xiao, F., Li, Z., 2018b. P3-
Sensors 19 (11). doi:10.3390/s19112554. LOC: a privacy-preserving paradigm-driven framework for indoor localization.
Wu, W., Fu, S., Luo, Y., 2020b. Practical privacy protection scheme in WiFi IEEE/ACM Trans. Netw. 26 (6), 2856–2869. doi:10.1109/TNET.2018.2879967.
fingerprint-based localization. Proceedings - 2020 IEEE 7th International Con- Zhao, W., Xu, L., Qi, B., Hu, J., Wang, T., Runge, T., 2020. Vivid: augmenting vision-
ference on Data Science and Advanced Analytics, DSAA 2020b. pp. 699–708. based indoor navigation system with edge computing. IEEE Access 8, 42909–
doi:10.1109/DSAA49011.2020.0 0 080. 42923. doi:10.1109/ACCESS.2020.2978123.
Yang, Z., Järvinen, K., 2018a. Modeling privacy in WiFi fingerprinting indoor local- Zhu, H., Wang, F., Lu, R., Liu, F., Fu, G., Li, H., 2018. Efficient and privacy-preserving
ization. In: Baek, J., Susilo, W., Kim, J. (Eds.), Provable Security. Springer Interna- proximity detection schemes for social applications. IEEE Internet Things J. 5
tional Publishing, Cham, pp. 329–346. doi:10.1007/978- 3- 030- 01446- 9_19. (4), 2947–2957. doi:10.1109/JIOT.2017.2766701.
Yang, Z., Järvinen, K., 2018b. The death and rebirth of privacy-preserving WiFi Zhuang, Y., Hua, L., Qi, L., Yang, J., Cao, P., Cao, Y., Wu, Y., Thompson, J., Haas, H.,
fingerprint localization with Paillier encryption. In: IEEE INFOCOM 2018 - 2018. A Survey of Positioning Systems Using Visible LED Lights. IEEE Commun.
IEEE Conference on Computer Communications, pp. 1223–1231. doi:10.1109/ Surv. Tutor. 20 (3), 1963–1988. doi:10.1109/COMST.2018.2806558.
INFOCOM.2018.8486221.
Yerkezhan Sartayeva is a Ph.D. student at the Hong Kong Polytechnic University, expected to graduate in 2025. She received her Bachelor of Science in Computing (First Class Honours) from the Hong Kong Polytechnic University in 2020 and was admitted into a Ph.D. program in Hong Kong a year later under the Hong Kong Ph.D. Fellowship scheme. Her research focuses on indoor positioning, specifically on the use of ultrawideband communication technology for collaborative indoor localisation using smartphones. Before she started her Ph.D., she worked as a software developer specialising in computer vision and a technical lead for a regulatory affairs database management system at an oil company in Kazakhstan.

Henry C. B. Chan received his B.A. and M.A. degrees from the University of Cambridge, and his Ph.D. degree from the University of British Columbia. He is currently an associate professor and associate head of the Department of Computing, The Hong Kong Polytechnic University (PolyU). His research interests include networking/communications, Internet technologies, and computing education. He has conducted various research projects and co-authored research papers published in a variety of journals. He was the Chair (2012) of the IEEE Hong Kong Section and the Chair (2008-2009) of the IEEE Hong Kong Section Computer Society Chapter. He was the recipient of the 2022 IEEE Education Society William E. Sayle II Award for Achievement in Education and of the 2015 IEEE Computer Society Computer Science and Engineering Undergraduate Teaching Award. At PolyU, he has received four President’s Awards and seven Faculty Awards. Under his supervision/guidance, his students have received many awards.