Challenges of Practical Civil GNSS Security
Todd Humphreys, UT Austin
Civil Navigation and Timing Security Splinter Meeting | Portland, Oregon | September 23, 2010
Emerging Threat: Civil GPS Spoofing
Civil GPS Spoofing Testbed at UT Austin
- Data bit latency defense
- Phase trauma monitoring
- Dual-frequency tracking
[Figure labels: Spoofer, Defender]
Video Demonstration of Spoofing Attack (not embedded; see posted video)
Thoughts on the Way Forward for Civil GNSS Authentication
- More signals means more inherent security, but probably insufficient
- Some civil cryptographic authentication scheme is likely required
- “Signal definition inertia is enormous” – Tom Stansell
- Navigation message authentication (NMA) appears to be the best practical option (advocated by Logan Scott in 2003, others since)
- Goal of cryptographic authentication: force adversary to use directional antennas in a replay attack
- Preliminary evaluation of NMA for L2C suggests optimism, but the strategy is not watertight
- Cryptography is the easy part
Hard Part: Defend Against Security Code Replay Attack
- >500 MHz FPGAs enable near-zero-delay replay attack
[Figure panels: Soft W-bit Estimation; Hard W-bit Estimation]
Effect on Target Receiver C/No
[Figure panels: Soft W-bit Estimation; Hard W-bit Estimation]
Spoofing Detection as a Hypothesis Testing Problem (Soft W Estimation)
- Spoofing detection depends critically on good estimates of nominal (C/No)s and (C/No)r
Final Observations
- Must defend against the following spoofing strategy: (1) soften up target with low-grade jamming, (2) begin soft-estimate replay attack, (3) transition to hard-estimate replay attack
- A J/N meter is indispensable in spoofing detection to eliminate the possibility that the receiver’s estimate of its own nominal C/No (in the absence of spoofing) has been altered
- Solar radio bursts and unintentional/intentional jamming will tend to trigger spoofing alarms
- Spoofing detection is challenging for dynamic platforms because of the volatility in the nominal C/No
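
Added example (not from the original slides): a simplified one-sided hypothesis test on measured C/No that shows why the detection points above hinge on the nominal C/No estimate and on a J/N reading. The Gaussian measurement model, the 3 dB drop under replay, the J/N limit and all numeric values are assumptions constructed for illustration, not figures from the talk.

```python
from statistics import NormalDist

STD = NormalDist()  # standard normal, used for the false-alarm quantile

def alarm_threshold(believed_nominal, sigma, p_fa):
    """C/No (dB-Hz) below which H1 (spoofing) is declared, sized for p_fa."""
    return believed_nominal + sigma * STD.inv_cdf(p_fa)

def p_alarm(actual_mean, believed_nominal, sigma, p_fa):
    """Probability that one C/No measurement with this mean trips the alarm."""
    thr = alarm_threshold(believed_nominal, sigma, p_fa)
    return NormalDist(actual_mean, sigma).cdf(thr)

def classify(measured, believed_nominal, sigma, p_fa, jn_db, jn_limit_db):
    """Gate the C/No test with a J/N meter reading (limit is an assumed value)."""
    if jn_db > jn_limit_db:
        return "interference: nominal C/No untrusted"
    if measured < alarm_threshold(believed_nominal, sigma, p_fa):
        return "spoofing alarm"
    return "nominal"

def scenarios():
    # Constructed values: 45 dB-Hz nominal, 3 dB drop under replay, 1% false alarms.
    nominal, drop, p_fa = 45.0, 3.0, 0.01
    return {
        # Stable nominal C/No (sigma = 1 dB): the drop is usually caught.
        "static platform, Pd": p_alarm(nominal - drop, nominal, 1.0, p_fa),
        # Volatile nominal C/No (sigma = 3 dB): same drop, same false-alarm rate.
        "dynamic platform, Pd": p_alarm(nominal - drop, nominal, 3.0, p_fa),
        # Receiver's nominal estimate was pulled down 2 dB before the test.
        "altered nominal estimate, Pd": p_alarm(nominal - drop, nominal - 2.0, 1.0, p_fa),
        # No spoofing, but interference lowers C/No by 2 dB: ungated alarm rate.
        "interference only, Pfa": p_alarm(nominal - 2.0, nominal, 1.0, p_fa),
    }

if __name__ == "__main__":
    for name, p in scenarios().items():
        print(f"{name}: {p:.3f}")
    print(classify(41.0, 45.0, 1.0, 0.01, jn_db=0.5, jn_limit_db=3.0))
    print(classify(41.0, 45.0, 1.0, 0.01, jn_db=6.0, jn_limit_db=3.0))
```

In this model the detection probability falls from about 0.75 to about 0.09 either when the nominal C/No becomes volatile or when the receiver's nominal estimate has been shifted, and a 2 dB interference-only drop raises the alarm rate from 1% to roughly 37% unless the J/N reading is used to gate the decision.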