Characterization of Receiver Response to a Spoofing Attack

Slides:

Advertisements

Similar presentations

International Civil Aviation Organization

Advertisements

KEB COMBIVERT F5-M Exercises.

Operating the Harmonizer

Challenges of Practical Civil GNSS Security Todd Humphreys, UT Austin Civil Navigation and Timing Security Splinter Meeting |Portland, Oregon | September.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7.3 Secure and Resilient Location Discovery in Wireless.

ION GNSS 2011, September 23 rd, Portland, Oregon Improving Security of GNSS Receivers Felix Kneissl University FAF Munich.

STRIDE Introduction Increasing use for PNT applications:  Positioning  Navigation  Timing.

4.2 Digital Transmission Pulse Modulation (Part 2.1)

1 Fox Valley Fire & Safety’s Wireless Radio Network Our customers experience reduced monitoring costs; normally 25% or more. Eliminates expensive phone.

Collaboration FST-ULCO 1. Context and objective of the work  Water level : ECEF Localization of the water surface in order to get a referenced water.

08/16/01. Link Budgets for Cellular Networks Presented by Eric Johnson.

1 Chapter 6 Low-Noise Design Methodology. 2 Low-noise design from the system designer’s viewpoint is concerned with the following problem: Given a sensor.

14/03/2005 CGSIC Meeting, Prague, Czech Republic Oscar Pozzobon Chris Wullems Prof. Kurt Kubik Security issues in next generation satellite systems.

PEG Breakout Mike, Sarah, Thomas, Rob S., Joe, Paul, Luca, Bruno, Alec.

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

EE311: Junior EE Lab Phase Locked Loop J. Carroll 9/3/02.

Distance-decreasing attack in GPS Final Presentation Horacio Arze Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski January 2009 Security and Cooperation.

Punjab EDUSAT Society (PES) Contact info: Phone: Oct,

Probability and Statistics in Engineering Philip Bedient, Ph.D.

Characterization of Receiver Response to a Spoofing Attack Daniel Shepard DHS visit to UT Radionavigation Lab 3/10/2011.

Thoughts on GPS Security and Integrity Todd Humphreys, UT Austin Aerospace Dept. DHS Visit to UT Radionavigation Lab | March 10, 2011.

CHAPTER 5 - OSCILLATORS.

GPS MAPS BY ETHAN HARGARTHER. HISTORY OF GPS & SATELLITE NAVIGATION Sputnik 1 launched in 1957 by the USSR Learned by manipulating satellite orbit that.

Kyle Wesson, Mark Rothlisberger, and Todd Humphreys

SCADA and Telemetry Presented By:.

August 21, Mobile Computing COE 446 IS-95 Tarek Sheltami KFUPM CCSE COE Principles of Wireless Networks.

Moonlight reflecting off ice crystals in cirrostratus clouds can cause a halo to appear around the moon. Such a halo often indicates that precipitation.

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Department of Computer Science & Engineering College of Engineering.

Synchrophasor: Implementation,Testing & Operational Experience

Multimedia Databases (MMDB)

Secure Cell Relay Routing Protocol for Sensor Networks Xiaojiang Du, Fengiing Lin Department of Computer Science North Dakota State University 24th IEEE.

Namaste Project 3.4 GHz Interference Study Preliminary document - Work in Progress updated The intent of this study is to collect data which may.

Analyzing Ionospheric Effects on WWV Timing Signals Shad Nygren Datron World Communications February 7 th 2008.

How Does GPS Work ?. Objectives To Describe: The 3 components of the Global Positioning System How position is obtaining from a radio timing signal Obtaining.

Evaluation of Smart Grid and Civilian UAV Vulnerability to GPS Spoofing Attacks D. P. Shepard, J. A. Bhatti, T. E. Humphreys, The University of Texas at.

SMART SENSORS FOR A SMARTER GRID BY KAILASH.K AND LAKSHMI NARAYAN.N.

Lecturer: Jinglin Wang Student name: Hao Li Student ID:

An Evaluation of the Vestigial Signal Defense for Civil GPS Anti-Spoofing Kyle Wesson, Daniel Shepard, Jahshan Bhatti, and Todd Humphreys Presentation.

Riding out the Rough Spots: Scintillation-Robust GNSS Carrier Tracking Dr. Todd E. Humphreys Radionavigation Laboratory University of Texas at Austin.

10. Satellite Communication & Radar Sensors

Hao Yang, Fan Ye, Yuan Yuan, Songwu Lu, William Arbaugh (UCLA, IBM, U. Maryland) MobiHoc 2005 Toward Resilient Security in Wireless Sensor Networks.

By Andrew Y.T. Kudowor, Ph.D. Lecture Presented at San Jacinto College.

CASE STUDY Disturbance event comparing PMU and SE voltage angle difference in ERCOT Prakash Shrestha Operations Engineer Advanced Network Application.

Aditya Wagh.  Importance of Evidence Collection  Present Systems are inadequate ◦ Closed Circuit TV  Scalability issues + Centralized operation  Untapped.

Codan 5700 Series C-Band Transceiver Technical Overview.

Calibration of geodetic (dual frequency) GPS receivers Implications for TAI and for the IGS G. Petit.

11/25/2015 Wireless Sensor Networks COE 499 Localization Tarek Sheltami KFUPM CCSE COE 1.

VARIABILITY OF TOTAL ELECTRON CONTENT AT EUROPEAN LATITUDES A. Krankowski(1), L. W. Baran(1), W. Kosek (2), I. I. Shagimuratov(3), M. Kalarus (2) (1) Institute.

Time This powerpoint presentation has been adapted from: 1) sApr20.ppt.

Tightly-Coupled Opportunistic Navigation for Deep Urban and Indoor Positioning Ken Pesyna, Zak Kassas, Jahshan Bhatti, and Todd Humphreys Presentation.

GPS Spoofing Detection System Mark Psiaki & Brady O’Hanlon, Cornell Univ., Todd Humphreys & Jahshan Bhatti, Univ. of Texas at Austin Abstract: A real-time.

1 SVY 207: Lecture 12 Modes of GPS Positioning Aim of this lecture: –To review and compare methods of static positioning, and introduce methods for kinematic.

SVN-49 / PRN-01 Lessons Learned International Committee on GNSS (ICG-4) Working Group A Saint Petersburg, Russia 15 September 2009 Colonel David B. Goldstein,

Secure Civil Navigation and Timing Todd Humphreys | Aerospace Engineering The University of Texas at Austin MITRE | July 20, 2012.

Detection, Classification and Tracking in Distributed Sensor Networks D. Li, K. Wong, Y. Hu and A. M. Sayeed Dept. of Electrical & Computer Engineering.

Characterization of Receiver Response to a Spoofing Attack Daniel Shepard Honors Thesis Symposium 4/21/2011.

Principles of the Global Positioning System Lecture 08 Prof. Thomas Herring Room ;

11. FM Receiver Circuits. FM Reception RF Amplifiers Limiters

Assessing the Civil GPS Spoofing Threat

High precision phase monitoring Alexandra Andersson, CERN Jonathan Sladen, CERN This work is supported by the Commission of the European Communities under.

Chapter 19 Alternating Current Circuits and Electromagnetic Waves.

RF Calibration Introduction

NATIONAL INSTITUTE FOR SPACE RESEARCH – INPE/MCT SOUTHERN REGIONAL SPACE RESEARCH CENTER – CRS/CCR/INPE – MCT FEDERAL UNIVERSITY OF SANTA MARIA - UFSM.

Younis H. Karim, AbidYahya School of Computer University Malaysia Perlis 1.

Structure and Behavior of Dynamic Systems

GPS, GNSS, and Space Weather A Look Into the Future Paul Kintner and Brady O’Hanlon Cornell University Todd Humphreys UT-Austin

Application Solution: 3D Inspection Automation with SA

Counter-UAV Challenges: Is GNSS Spoofing Effective?

Michiel W.H. Remme, Máté Lengyel, Boris S. Gutkin Neuron

8.5 Modulation of Signals basic idea and goals

Presentation transcript:

Characterization of Receiver Response to a Spoofing Attack Daniel Shepard and Todd Humphreys Presentation at ION 2011| September 22, 2011

Overview Anatomy of a Spoofing Attack Questions to answer Test Procedure Test Results Summary of Findings

Anatomy of a Civil GPS Spoofing Attack A spoofer seeks to alter a target receiver’s Position-Velocity-Time (PVT) solution by transmitting fictitious GPS signals Attacks considered Proximity Spoofing Attacks which were first envisioned by Logan Scott in 2003 A typical spoofing attack involves: 1) alignment, 2) increase power, 3) carry receiver off

GPS Dependency Begets Vulnerability Telecommunications Network Smart Grid: Synchrophasor Measurement Units (SMUs)

Zhang Paper on Synchrophasor Spoofing Considers the effects of a Spoofing Attack or Time Stamp Attack on fault location using SMUs However, these results failed to consider any limits on spoofer induced dynamics

Research Questions to Assess Critical Infrastructure Vulnerability Would a jamming-power-to-noise-power (J/N) type jamming detector trigger on a spoofing attack? How aggressively can receiver dynamics be manipulated by a spoofing attack?

Would a J/N-type jamming detector trigger on a spoofing attack? Power ratio (η): Ratio of spoofing signal power to authentic signal power A power ratio above 3 would cause input power to exceed 95% of natural variation  J/N-type jamming detector would trigger What power ratio is required for reliable spoofing? Pspoof Pauth

How Aggressively can Receivers be Manipulated? We would like to know: How quickly could a timing or position bias be introduced? What kinds of oscillations could a spoofer cause in a receiver’s position and timing? How different are receiver responses to spoofing? Approach: Determine maximum velocity at which a receiver can be spoofed over a range of accelerations without: Causing loss of lock of satellites Raising alarms v t a

How Aggressively can Receivers be Manipulated? (cont.) These are some potential shapes for the velocity-acceleration curves Green: represents the region where a spoofer can operate without being detected Red represents the region where a spoofer might be unsuccessful

Tested Receivers Science receiver: CASES receiver Developed for Ionosphere monitoring Telecommunications Network Time Reference Receiver: HP 58503B Commonly used in cell phone base stations (Symmetricom predecessor) High quality Ovenized Crystal Oscillator (OCXO) steered by the GPS time solution

Tested Receivers (cont.) Power Grid Time Reference Receiver: SEL-2401 Provides timing for power grid Synchrophasor Measurement Units (SMUs) Low quality Temperature Controlled Oscillator (TCXO) slaved to the GPS time solution Name brand receiver: Trimble Juno SB

The Civil GPS Spoofer Introduced in 2008 by Humphreys Improved Spoofer capable of: Tracking all L1C/A & L1C signals Producing up to 10 L1C/A spoofed signals Precise code phase alignment and frequency lock Data bit prediction Remote control of spoofer suggested position, velocity, and acceleration and signal power via internet

Test Setup RFSA A National Instruments Radio Frequency Signal Generator (RFSG) produced 6 GPS signals at constant power The spoofed signals were summed with the RFSG signals This combination was fed to: the target receiver a National Instruments Radio Frequency Signal Analyzer (RFSA) used for visualization RFSG Signal Conditioning Control / Feedback Computer Target Receiver Spoofer

Procedure Power Ratio Spoofed Velocity and Acceleration 1. Power Adv. = x dB 2. Attempt Carry-off 3. Check for Success (Remove Authentic Signal) 4. Measure the Power 1 m/s SV 1 5 12 C/N0 50 21 1. Acceleration = a m/s2 2. Velocity = v m/s 3. Check for Success (watch for alarms) 4. Iterate until a maximum velocity is found vmax found? v t a no yes

Results: Power Ratio A power ratio of about 1.1 or greater is needed to capture a target receiver with high confidence This increase in absolute received power is well below the natural variations due to solar activity Implications: A spoofing attack would easily evade detection by a J/N sensor: J/N sensors are necessary, but not sufficient Downstream signal processing is crucial for reliable spoofing detection

Results: Spoofed Velocity and Acceleration The data points collected for each receiver were fit to an exponential curve of the form: This curve fit: Defines the upper bound in the velocity-acceleration plane below which a sophisticated spoofer can successfully spoof that particular receiver Can be used to assess the security implications of a spoofing attack

Results: Spoofed Velocity and Acceleration of Science Receiver Notice the asymptote at 5 m/s2 acceleration Maximum speed is only limited by the doppler frequency range to around 1300 m/s (4.3 μs/s) Implications: Acceleration limited to 2 m/s2 due to phase trauma No limitation on velocity up until the receiver is unable to track the signal

Results: Spoofed Velocity and Acceleration for Telecommunications Network Time Reference Receiver Due to this receiver placing trust in the frequency stability of its oscillator, it cannot be moved very quickly Maximum achievable speed in time is 2 m/s (6.67 ns/s) Implications: Can still be carried 10 μs off in time in around 35 min, which would disrupt call hand-off

Results: Spoofed Velocity and Acceleration for Power Grid Time Reference Receiver Can be easily manipulated by the spoofer Corresponding induced phase angle rate is shown for a 60 Hz phasor Implications Can reach a maximum speed of 400 m/s resulting in a phase angle rate of 1.73o/min Oscillations are not possible due to the low acceleration capability of spoofer

Results: Spoofed Velocity and Acceleration for Name Brand Receiver Most easily manipulated receiver tested to date Can be accelerated continuously at about 25 m/s2 until the doppler frequency range is reach at a velocity of about 1300 m/s Implications Large accelerations and velocities may be possible in many name brand receivers

Trimble Resolution SMT Suggested to be unspoofable based on tests performed at White Sands Myth Busted Quite Spoofable

Summary of Findings We’ve never met a civil receiver we couldn’t spoof J/N-type jamming detector won’t catch a spoofer, but does restrict it There are vast differences in the dynamic response to spoofing between receivers Large oscillations in position and timing are difficult to induce due to low acceleration capability of the spoofer Areas of vulnerability exist in CDMA cell phone networks and the power grid