Protecting Civil GPS Receivers

Presentation transcript:

Candidate Non-Cryptographic GNSS Spoofing Detection Techniques
Brent Ledvina*, Isaac Miller, Bryan Galusha, William Bencze, and Clark Cohen, Coherent Navigation, Inc.
GNSS Security Splinter Meeting, Portland, OR, 23 September 2010
*Adjunct Professor at Virginia Tech

Protecting Civil GPS Receivers
- Critical infrastructure relies on civil GPS navigation and timing
  - Electrical grid timing and control
  - Banking/financial transactions
  - Commercial aircraft guidance and landing
  - Communication systems (cellular)
  - Public transportation
  - Asset tracking
  - Commercial fishing monitoring
  - Vehicle mileage taxation
  - Monitoring criminals
- Non-cryptographic spoofing defenses provide some protection to civil GNSS receivers
9/23/2010

Goal and Motivation
Goal
- Illustrate six candidate non-cryptographic spoofing detection techniques
Motivation
- Non-cryptographic spoofing detection techniques could be implemented today
- Non-cryptographic defenses are needed if one is concerned with encryption or authentication key security breaches

The Sinister Threat: A Portable Receiver-Spoofer
- Humphreys et al., 2008 and Montgomery et al., 2009 described development and testing of portable GPS L1 C/A code receiver-spoofer
- Contrast with signal simulator
Notes: By the way, we aren’t the first to recognize the threat posed by an attack of this type (Logan Scott mentioned it), but, as far as we know, we are the first to actually build a receiver spoofer, test it out, and report on it publicly. Put the Volpe report notes here, or just paraphrase them. Can’t use RAIM because all the spoofing signals are orchestrated to move together just like they would if your receiver were actually moving off of its actual path. I don’t want you to be alarmed by what I’m about to say, and I want you all to understand that my colleagues and I are well aware of the risks involved. The fact is that my colleagues and I are well on our way to completing a fully functioning portable GPS spoofer. It’s based on the software receiver platform that I introduced before. I know this might sound dangerous to you, dangerous and subversive. Building a civilian GPS spoofer. I don’t disagree. At a recent Cornell Faculty dinner one of the Aerospace faculty members called me a “hacker with a Ph.D.” My colleagues and I are cognizant of the risks, but we’re also convinced that this is, in fact, the responsible thing to do, and the only way forward if we want to prepare for this threat. To get an idea of why we believe this, consider the following list provided by the Dept. of Homeland Security.
- GPS signal simulators, RF playback systems, and GPS repeaters are also a threat

Spoofing Attack Demonstration
[Figure: Tracking Peak]

Candidate Spoofing Defenses/Detection Techniques
Standalone Receiver-Based
- Monitor the relative GPS signal strength
- Monitor satellite identification codes and the number of satellite signals received
- Check the time intervals
- Do a time comparison (look at code phase jitter)
- Monitor the absolute GPS signal strength
- Data bit latency detection
- Vestigial signal detection
- Signal quality monitoring
- Employ two antennas; check relative phase against known satellite directions
- Extended RAIM
External-Aiding
- Perform a sanity check with relative position estimate (compare with IMU)
- Compare with independent absolute position or time-bearing information (e.g., Galileo and GLONASS)
Cryptographic
- Encrypt navigation message
- Spreading code authentication
Defenses suggested by Dept. of Homeland Security (2003) in italics
Notes: 2. Explain each defense with one sentence 3. Explain why red-line ones can easily be defeated 4. Highlight data bit latency defense and vestigial signal defense. 5. Group defenses by type: standalone software-only, external PVT aiding, cryptographic defenses
Some of the reluctance to taking spoofing seriously was based on the notion that a spoofing attack would be difficult to mount and easy to detect. Most analysts had in mind an adversary with a 200 k signal simulator and they noted the expense and the difficulty synchronizing such a simulator with the GPS constellation. This is too traditional a mentality. It’s naïve to assume that malefactors are any less clever than we are.

Data Bit Latency Detection (1/6)
- Hard to retransmit data bits with < 1 ms latency
- Detection Technique: Modify PLL to look for inconsistencies in data bits on the order of 1 ms out of 20 ms data bit interval
- Spoofer could employ data bit prediction
- Defense: External input of authenticated GPS data bits
[Figure: GPS data bit time history]
Notes: Make sure that this is explained well. Maybe a cartoon?
Humphreys et al., 2008

Vestigial Signal Detection (2/6)
- Hard to conceal telltale counterfeit peak in autocorrelation function
- Detection Technique: Search for vestigial signals
- Monitor AGC for suspicious increases in noise level
- Great for detecting ongoing attack
Notes: Vestigial signal detection. Explain the observables. Works best with signals far from authentic correlation peak
[Figure: Vestigial Signal]
Humphreys et al., 2008

Vestigial Signal Detection Cont’d
- Utilize standard techniques for GPS signal acquisition, tracking, and data decoding
  - Acquisition: Standard frequency-domain and time-domain acquisition
  - Tracking: Standard code (DLL) and carrier (PLL) tracking loops
  - Data decoding: Standard data decoding with parity checking
- Standard techniques for signal acquisition, tracking, and possibly data decoding can be used to determine if one or more vestigial signals exist

Extended Receiver Autonomous Integrity Monitoring (RAIM) (3/6)
- RAIM provides statistical method to detect signal with unacceptable pseudorange error and remove it from navigation solution
- Vestigial signals could appear at an erroneous pseudorange or carrier Doppler shift frequency
- Extend RAIM to include carrier Doppler shift frequency
  - Create single test statistic based on pseudorange and carrier Doppler shift frequency measurements
  - Test statistic is normalized chi-square random variable with 2*N – 8 degrees of freedom, where N is number of tracking signals
  - Provides statistical hypothesis test to throw out at least 1 signal
Ledvina et al., ION NTM 2010
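The combined pseudorange-plus-Doppler test described on this slide, as an added example that is not code from the presentation or from Ledvina et al. It assumes a linearised measurement model, residuals normalised by assumed measurement sigmas, a Wilson-Hilferty approximation for the chi-square threshold, and a constructed 7-signal sky; the function names are hypothetical.

```python
import math

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def project_out(H, y):
    """Least-squares residual of y on H, plus each row's redundancy (1 - leverage)."""
    basis = []
    for j in range(len(H[0])):                 # Gram-Schmidt on the 4 columns
        v = [row[j] for row in H]
        for q in basis:
            c = dot(q, v)
            v = [vi - c * qi for vi, qi in zip(v, q)]
        norm = math.sqrt(dot(v, v))
        basis.append([vi / norm for vi in v])
    r = list(y)
    for q in basis:
        c = dot(q, r)
        r = [ri - c * qi for ri, qi in zip(r, q)]
    return r, [1.0 - sum(q[i] ** 2 for q in basis) for i in range(len(y))]

def chi2_threshold(dof, z=3.09):
    """Wilson-Hilferty chi-square quantile; z = 3.09 is about a 1e-3 false-alarm rate."""
    k = 2.0 / (9.0 * dof)
    return dof * (1.0 - k + z * math.sqrt(k)) ** 3

def extended_raim(H, rho, dop, sigma_rho=5.0, sigma_dop=0.1):
    """Return (statistic, alarm, suspect index) for N tracked signals.

    H rows are [ux, uy, uz, 1]; rho (m) and dop (m/s) are linearised
    pseudorange and Doppler measurements. The sigmas are assumed values.
    """
    r_rho, red = project_out(H, rho)
    r_dop, _ = project_out(H, dop)
    stat = dot(r_rho, r_rho) / sigma_rho ** 2 + dot(r_dop, r_dop) / sigma_dop ** 2
    alarm = stat > chi2_threshold(2 * len(H) - 8)      # 2*N - 8 degrees of freedom
    # Per-signal score, scaled by redundancy so a single fault ranks first.
    score = [((a / sigma_rho) ** 2 + (b / sigma_dop) ** 2) / w
             for a, b, w in zip(r_rho, r_dop, red)]
    return stat, alarm, score.index(max(score)) if alarm else None

def los_row(az_deg, el_deg):
    az, el = math.radians(az_deg), math.radians(el_deg)
    return [math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el), 1.0]

# Constructed sky: (azimuth, elevation) in degrees for N = 7 signals.
H = [los_row(az, el) for az, el in
     [(0, 80), (90, 60), (200, 45), (310, 45), (40, 30), (160, 30), (260, 15)]]

def measure(state, fault=None, bias=0.0):
    """Noise-free measurements H @ state, optionally biased on one signal."""
    y = [dot(row, state) for row in H]
    if fault is not None:
        y[fault] += bias
    return y
```

With consistent measurements the statistic stays near zero; biasing the pseudorange and Doppler of one signal, as a tracked vestigial signal would, raises the alarm and ranks that signal as the one to exclude.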

GNSS Signal Quality Monitoring (4/6)
- Signal Quality Monitoring (SQM) designed to identify satellite anomalies or faults
- Goal: Can we leverage SQM for spoofing detection?
- Two test statistics considered
  - Delta Test: Detects asymmetries in the correlation functions (assumes carrier tracking loop phase lock, Q ≈ 0)
  - Ratio Test: Detects flat correlation peaks or abnormally sharp or elevated correlation peaks
Notes: Assume phase-locked GPS receiver, where qPrompt, qEarly, and qLate are approximately equal to 0.
Delta: (iEarly – iLate)/(2 * iPrompt)
Ratio: (iEarly + iLate)/(2 * iPrompt)
Add Phelts citations.
Ledvina et al., ION NTM 2010

Testing SQM: Two Spoofing Signal Alignment Techniques
- Two ways a counterfeit signal interacts with authentic signal
  1. Counterfeit signal marches into code phase alignment with authentic signal
  2. Counterfeit signal is code-phase aligned with authentic signals and grows in amplitude
- Do not necessarily assume carrier phase alignment
  - Requires cm-level knowledge of 3-D vector between spoofer and target receiver
- Assume spoofer has a priori knowledge of 12.5-minute GPS navigation message
Notes: 1. Show simple cartoons of counterfeit signals in both cases

Case 1: Counterfeit Signal Marching In
- +3 dB counterfeit signal with two extremes of carrier phase alignment
  - Perfect carrier phase alignment
  - 180 degrees out of phase
Notes: Insert 2 figures showing C/N0, carrier Doppler shift, delta test, and ratio test
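The delta and ratio tests from the SQM slide, applied to the Case 1 marching-in scenario, as an added example that is not code from the presentation. It assumes an ideal triangular C/A-code autocorrelation, a 0.5-chip early-late spacing, tracking loops that stay on the authentic signal, and an arbitrary alarm threshold of 0.05; the function names are hypothetical.

```python
import math

def corr(tau):
    """Ideal C/A-code autocorrelation: unit triangle, zero beyond one chip."""
    return max(0.0, 1.0 - abs(tau))

def sqm_metrics(offset, gain_db, phase_deg, d=0.5):
    """Delta and ratio metrics with one counterfeit signal added.

    offset is the counterfeit code-phase offset in chips and d the
    early-late spacing. Simplifying assumption: the tracking loops stay on
    the authentic signal, so the counterfeit adds a * cos(phase) to each I tap.
    """
    a = 10 ** (gain_db / 20.0) * math.cos(math.radians(phase_deg))
    i_early, i_prompt, i_late = (
        corr(tau) + a * corr(tau - offset) for tau in (-d / 2, 0.0, d / 2)
    )
    if abs(i_prompt) < 1e-9:          # prompt power cancelled: treat as anomaly
        return math.inf, math.inf
    delta = (i_early - i_late) / (2 * i_prompt)
    ratio = (i_early + i_late) / (2 * i_prompt)
    return delta, ratio

def march_in(gain_db=3.0, phase_deg=0.0, d=0.5, threshold=0.05, step=0.125):
    """Sweep the counterfeit from 1.5 chips to 0 and list the flagged offsets."""
    nominal_ratio = 1.0 - d / 2       # ratio of the clean triangle; delta is 0
    flagged, offset = [], 1.5
    while offset >= 0.0:
        delta, ratio = sqm_metrics(offset, gain_db, phase_deg, d)
        if abs(delta) > threshold or abs(ratio - nominal_ratio) > threshold:
            flagged.append(offset)
        offset -= step
    return flagged

if __name__ == "__main__":
    for phase in (0.0, 180.0):        # the two carrier-phase extremes of Case 1
        print(phase, march_in(phase_deg=phase))
```

In this idealised model both metrics depart from their clean values while the counterfeit peak overlaps the early or late tap, and return to nominal at exact code-phase alignment, which is why the shape tests are paired with power observables such as C/N0 or AGC.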

Multi-Antenna Differential-Carrier-Phase Spoofing (5/6)
Montgomery et al., ION ITM 2009

External Aiding: High-Quality Frequency Reference (6/6)
- Time and Frequency Synchronization via GPS Receivers
  - 70% of GPS receivers are utilized for timing applications providing time and frequency reference sources
- GPS timing receivers
  - Implemented with a high-quality crystal oscillator, a coupled GPS receiver, and control logic
  - Control logic cross-checks with high-quality oscillator providing some protection against GPS time spoofing attacks
  - Control logic implementation and oscillator quality primarily dictate rate at which time spoofing attack can be successfully carried out
[Figure: Symmetricom XL-GPS Time and Frequency Receiver]

Conclusions
- Described six candidate spoofing detection techniques
- Simple software-based solutions provide some protection
- Multi-antenna differential carrier phase and external aiding provide more protection
- Strength of each detection scheme needs to be mathematically defined and tested to understand protection level
Best Non-Cryptographic Spoofing Detection Technique
Notes: 1. Value in a proof that a counterfeit signal is indistinguishable from an authentic signal.
Multi-Antenna Differential Carrier Phase Spoofing Detection Technique

Back-Up Slides

Additional Observations Relevant to Signal Quality Monitoring
- Counterfeit signal +1 dB above an authentic signal can cause successful lift-off
- +3 dB counterfeit signal up to 30 degrees out-of-phase causes detectable destructive interference
- Time rate of attack shortens destructive interference period, and thus shortens time in which an attack can be detected
  - Code tracking loop bandwidth becomes important for fast attacks
- Data bit latency or data bit errors cause destructive interference, thereby improving detection

In-Line GPS Anti-Spoofing Module Architecture – Adding Anti-Spoofing Defenses to Legacy GPS Receivers
- The GPS anti-spoofing module makes existing GPS equipment resistant to spoofing without requiring hardware or software changes to the equipment

Case 2: Counterfeit Signal Growing in Amplitude
- Maximum +3 dB counterfeit signal with two extremes of carrier phase alignment
  - Perfect carrier phase alignment
  - 180 degrees out of phase
Notes: Insert 2 figures showing C/N0, carrier Doppler shift, delta test, and ratio test

Phasor Interpretation of Observations
- Baseband phasors in the complex plane can explain observations
Notes: Add two smaller figures showing destructive and constructive interference
Additional points to consider mentioning
1. Counterfeit signal +1 dB above an authentic signal can cause successful lift-off
2. +3 dB counterfeit signal up to 30 degrees out-of-phase causes detectable destructive interference
3. Time rate of attack shortens destructive interference period, and thus shortens time in which an attack can be detected
   A. Code tracking loop bandwidth becomes important for fast attacks
4. Data bit latency or data bit errors cause destructive interference, thereby improving detection