
Protecting Civil GPS Receivers


0 Candidate Non-Cryptographic GNSS Spoofing Detection Techniques
Brent Ledvina*, Isaac Miller, Bryan Galusha, William Bencze, and Clark Cohen, Coherent Navigation, Inc. GNSS Security Splinter Meeting, Portland, OR 23 September 2010 *Adjunct Professor at Virginia Tech

1 Protecting Civil GPS Receivers
Critical infrastructure relies on civil GPS navigation and timing:
  Electrical grid timing and control
  Banking/financial transactions
  Commercial aircraft guidance and landing
  Communication systems (cellular)
  Public transportation
  Asset tracking
  Commercial fishing monitoring
  Vehicle mileage taxation
  Monitoring criminals
Non-cryptographic spoofing defenses provide some protection to civil GNSS receivers
9/23/2010

2 Goal and Motivation
Goal
  Illustrate six candidate non-cryptographic spoofing detection techniques
Motivation
  Non-cryptographic spoofing detection techniques could be implemented today
  Non-cryptographic defenses are needed if one is concerned with encryption or authentication key security breaches

3 The Sinister Threat: A Portable Receiver-Spoofer
Humphreys et al., 2008 and Montgomery et al., 2009 described the development and testing of a portable GPS L1 C/A-code receiver-spoofer
Contrast with a signal simulator
GPS signal simulators, RF playback systems, and GPS repeaters are also a threat

Speaker notes: By the way, we aren’t the first to recognize the threat posed by an attack of this type (Logan Scott mentioned it), but, as far as we know, we are the first to actually build a receiver-spoofer, test it out, and report on it publicly. Put the Volpe report notes here, or just paraphrase them. Can’t use RAIM because all the spoofing signals are orchestrated to move together just like they would if your receiver were actually moving off of its actual path. I don’t want you to be alarmed by what I’m about to say, and I want you all to understand that my colleagues and I are well aware of the risks involved. The fact is that my colleagues and I are well on our way to completing a fully functioning portable GPS spoofer. It’s based on the software receiver platform that I introduced before. I know this might sound dangerous to you, dangerous and subversive. Building a civilian GPS spoofer. I don’t disagree. At a recent Cornell faculty dinner one of the Aerospace faculty members called me a “hacker with a Ph.D.” My colleagues and I are cognizant of the risks, but we’re also convinced that this is, in fact, the responsible thing to do, and the only way forward if we want to prepare for this threat. To get an idea of why we believe this, consider the following list provided by the Dept. of Homeland Security.

4 Spoofing Attack Demonstration
[Figure: tracking peak during the spoofing attack demonstration]

5 Candidate Spoofing Defenses/Detection Techniques
Standalone receiver-based
  Monitor the relative GPS signal strength
  Monitor satellite identification codes and the number of satellite signals received
  Check the time intervals
  Do a time comparison (look at code phase jitter)
  Monitor the absolute GPS signal strength
  Data bit latency detection
  Vestigial signal detection
  Signal quality monitoring
  Employ two antennas; check relative phase against known satellite directions
  Extended RAIM
External aiding
  Perform a sanity check with a relative position estimate (compare with an IMU)
  Compare with independent absolute position or time-bearing information (e.g., Galileo and GLONASS)
Cryptographic
  Encrypt the navigation message
  Spreading code authentication
Defenses suggested by the Dept. of Homeland Security (2003) were shown in italics on the original slide (the italics are not preserved in this transcript).

Speaker notes: 2. Explain each defense with one sentence. 3. Explain why the red-lined ones can easily be defeated. 4. Highlight the data bit latency defense and the vestigial signal defense. 5. Group defenses by type: standalone software-only, external PVT aiding, cryptographic defenses. Some of the reluctance to taking spoofing seriously was based on the notion that a spoofing attack would be difficult to mount and easy to detect. Most analysts had in mind an adversary with a 200k signal simulator, and they noted the expense and the difficulty of synchronizing such a simulator with the GPS constellation. This is too traditional a mentality. It’s naïve to assume that malefactors are any less clever than we are.

6 Data Bit Latency Detection (1/6)
Hard to retransmit data bits with < 1 ms latency
Detection technique: modify the PLL to look for inconsistencies in the data bits on the order of 1 ms out of the 20 ms data bit interval
Spoofer could employ data bit prediction
Defense: external input of authenticated GPS data bits
[Figure: GPS data bit time history (Humphreys et al., 2008)]

Speaker notes: Make sure that this is explained well. Maybe a cartoon?

7 Vestigial Signal Detection (2/6)
Hard to conceal the telltale counterfeit peak in the autocorrelation function
Detection technique: search for vestigial signals; monitor the AGC for suspicious increases in the noise level
Great for detecting an ongoing attack
Works best with signals far from the authentic correlation peak
[Figure: vestigial signal in the correlation function (Humphreys et al., 2008)]

Speaker notes: Explain the observables.

8 Vestigial Signal Detection Cont’d
Utilize standard techniques for GPS signal acquisition, tracking, and data decoding
  Acquisition: standard frequency-domain and time-domain acquisition
  Tracking: standard code (DLL) and carrier (PLL) tracking loops
  Data decoding: standard data decoding with parity checking
Standard techniques for signal acquisition, tracking, and possibly data decoding can be used to determine whether one or more vestigial signals exist
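The acquisition-style search on slides 7 and 8, as an added example that is not from the presentation or from Coherent Navigation: it generates a real GPS L1 C/A code (the standard G1/G2 Gold-code generator, shown for PRNs 1 through 5), builds a constructed one-code-period snapshot containing the authentic signal plus a +3 dB counterfeit five chips away, and then runs a time-domain code-phase search over all 1023 lags. Two correlation peaks clear the threshold, which is the vestigial signature the slide describes; the chip-rate sampling, noise level and peak thresholds are my assumptions.

```python
import random

CODE_LEN = 1023
# G2 phase-selector taps (1-indexed shift-register stages) for C/A PRNs 1..5.
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9), 5: (1, 9)}


def ca_code_bits(prn):
    """1023-chip GPS L1 C/A code for `prn` as 0/1 bits (G1 XOR selected G2 taps)."""
    t1, t2 = G2_TAPS[prn]
    g1 = [1] * 10
    g2 = [1] * 10
    bits = []
    for _ in range(CODE_LEN):
        bits.append(g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1])
        new1 = g1[2] ^ g1[9]                                   # G1: 1 + x^3 + x^10
        new2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]   # G2: 1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^10
        g1 = [new1] + g1[:9]
        g2 = [new2] + g2[:9]
    return bits


def ca_code(prn):
    """Same code as +/-1 chips (bit 0 -> +1, bit 1 -> -1)."""
    return [1 - 2 * b for b in ca_code_bits(prn)]


def circular_correlation(samples, code):
    """Normalized correlation of `samples` with `code` at every code-phase lag (in chips)."""
    n = len(code)
    return [sum(samples[i] * code[(i - lag) % n] for i in range(n)) / n
            for lag in range(n)]


def received_samples(code, components, noise_sigma, rng):
    """Constructed chip-rate snapshot: sum of (amplitude, code phase) copies of the
    code plus white Gaussian noise (one code period, carrier already removed)."""
    n = len(code)
    return [sum(a * code[(i - tau) % n] for a, tau in components) + rng.gauss(0.0, noise_sigma)
            for i in range(n)]


def find_peaks(corr, rel_threshold=0.5, min_separation=2):
    """Peaks of |corr| above rel_threshold * strongest, at least min_separation chips apart."""
    order = sorted(range(len(corr)), key=lambda k: -abs(corr[k]))
    strongest = abs(corr[order[0]])
    peaks = []
    for k in order:
        if abs(corr[k]) < rel_threshold * strongest:
            break
        if all(min(abs(k - p), len(corr) - abs(k - p)) >= min_separation for p, _ in peaks):
            peaks.append((k, corr[k]))
    return peaks


def vestigial_check(prn, components, noise_sigma=1.0, seed=0):
    """Search one code period for more than one correlation peak (a vestigial signal)."""
    code = ca_code(prn)
    samples = received_samples(code, components, noise_sigma, random.Random(seed))
    peaks = find_peaks(circular_correlation(samples, code))
    return {"peaks": sorted(peaks), "vestigial": len(peaks) > 1}


def demo():
    authentic_only = vestigial_check(1, [(1.0, 300)])
    counterfeit = 10 ** (3 / 20.0)  # +3 dB relative to the authentic signal
    under_attack = vestigial_check(1, [(1.0, 300), (counterfeit, 305)])
    return authentic_only, under_attack
```

Gold-code sidelobes of the C/A code are at most 63/1023 of the main peak, so a counterfeit of comparable power stands well clear of them; the slide's caveat applies unchanged: once the counterfeit is within a chip of the authentic peak the two merge at chip-rate resolution and this search no longer separates them.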

9 Extended Receiver Autonomous Integrity Monitoring (RAIM) (3/6)
RAIM provides a statistical method to detect a signal with unacceptable pseudorange error and remove it from the navigation solution
Vestigial signals could appear at an erroneous pseudorange or carrier Doppler shift frequency
Extend RAIM to include the carrier Doppler shift frequency
Create a single test statistic based on the pseudorange and carrier Doppler shift frequency measurements
The test statistic is a normalized chi-square random variable with 2N – 8 degrees of freedom, where N is the number of tracked signals
Provides a statistical hypothesis test to throw out at least one signal
Ledvina et al., ION NTM 2010
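The statistic on this slide written out, as an added note that is not from the presentation (the residual and sigma notation is mine): with $N$ tracked signals, let $\mathbf{r}_\rho$ be the $N$ pseudorange residuals left after the 4-unknown (position and clock bias) least-squares solution and $\mathbf{r}_{\dot\rho}$ the $N$ Doppler-derived range-rate residuals left after the 4-unknown (velocity and clock drift) solution, with assumed-known measurement standard deviations $\sigma_\rho$ and $\sigma_{\dot\rho}$. Under the fault-free hypothesis $H_0$

$$
T \;=\; \frac{\mathbf{r}_\rho^{\mathsf T}\mathbf{r}_\rho}{\sigma_\rho^{2}}
\;+\; \frac{\mathbf{r}_{\dot\rho}^{\mathsf T}\mathbf{r}_{\dot\rho}}{\sigma_{\dot\rho}^{2}}
\;\sim\; \chi^{2}_{2N-8},
$$

because each of the two residual vectors loses 4 degrees of freedom to its 4 estimated unknowns, giving $(N-4)+(N-4)=2N-8$. The detector declares a fault when $T > T_\alpha$, where $T_\alpha$ is the $(1-\alpha)$ quantile of $\chi^{2}_{2N-8}$ for the chosen false-alarm probability $\alpha$, and then excludes at least one signal (the slide does not say which; a common choice is the signal whose removal reduces $T$ the most). Two caveats follow directly from the degrees of freedom: $N \ge 5$ is needed for any redundancy at all, and a spoofer that moves all counterfeit signals consistently (the case raised in the speaker notes on slide 3) leaves the residuals small, so $T$ does not respond.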

10 GNSS Signal Quality Monitoring (4/6)
Signal Quality Monitoring (SQM) was designed to identify satellite anomalies or faults
Goal: can we leverage SQM for spoofing detection?
Two test statistics considered
  Delta test: detects asymmetries in the correlation function (assumes carrier tracking loop phase lock, Q ≈ 0)
  Ratio test: detects flat correlation peaks or abnormally sharp or elevated correlation peaks
Assume a phase-locked GPS receiver, where qPrompt, qEarly, and qLate are approximately equal to 0
  Delta: (iEarly – iLate) / (2 * iPrompt)
  Ratio: (iEarly + iLate) / (2 * iPrompt)
Ledvina et al., ION NTM 2010

Speaker notes: Add Phelts citations.

11 Testing SQM: Two Spoofing Signal Alignment Techniques
Two ways a counterfeit signal interacts with the authentic signal
  1. Counterfeit signal marches into code phase alignment with the authentic signal
  2. Counterfeit signal is code-phase aligned with the authentic signal and grows in amplitude
Carrier phase alignment is not necessarily assumed: it would require cm-level knowledge of the 3-D vector between the spoofer and the target receiver
Assume the spoofer has a priori knowledge of the 12.5-minute GPS navigation message

Speaker notes: 1. Show simple cartoons of counterfeit signals in both cases.

12 Case 1: Counterfeit Signal Marching In
+3 dB counterfeit signal with two extremes of carrier phase alignment: perfect carrier phase alignment, and ... degrees out of phase (the number is missing from the transcript)

Speaker notes: Insert 2 figures showing C/N0, carrier Doppler shift, delta test, and ratio test.
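The delta and ratio tests of slide 10 applied to both alignment techniques of slide 11 (the marching-in attack of this slide and the growing-amplitude attack of backup slide 19), as an added simulation that is not part of the presentation or of the ION NTM 2010 work. The correlation function is the ideal unit triangle; the authentic signal has unit amplitude at code phase 0; the counterfeit has amplitude `amp`, code offset `tau` chips and carrier phase `phi` relative to the authentic. The tracking loop is a deliberately simple model of my own: a DLL that hill-climbs the composite correlation magnitude from its previous code phase to the nearest local peak (so it follows the counterfeit only once the two peaks merge, i.e. lift-off), and a PLL that rotates the prompt so Q_P = 0 before the in-phase early, prompt and late values are formed. Correlator spacing, grid step and the 0.05 test thresholds are assumptions.

```python
import cmath
import math

D_SPACING = 0.5   # early/late correlator offset from prompt, in chips (assumption)
STEP = 0.01       # code-phase grid step in chips used by the toy tracking loop


def tri(x):
    """Ideal C/A-code correlation function: unit triangle, one chip wide on each side."""
    return max(0.0, 1.0 - abs(x))


def composite(x, amp, tau, phi):
    """Complex correlation at code phase x of authentic (unit amplitude, code phase 0,
    carrier phase 0) plus counterfeit (amplitude amp, code offset tau chips, relative
    carrier phase phi radians)."""
    return tri(x) + amp * cmath.exp(1j * phi) * tri(x - tau)


def track(amp, tau, phi, x_start):
    """Toy DLL: hill-climb |composite| from the previous tracking point to the nearest
    local maximum. Assumption: a real DLL follows its local peak rather than jumping to
    the strongest peak anywhere in code-phase space."""
    x = x_start
    f = lambda v: abs(composite(v, amp, tau, phi))
    while True:
        if f(x + STEP) > f(x):
            x = round(x + STEP, 6)
        elif f(x - STEP) > f(x):
            x = round(x - STEP, 6)
        else:
            return x


def sqm(amp, tau, phi, x_track, d=D_SPACING, tol=0.05):
    """Slide-10 delta and ratio tests at the tracked code phase, with the PLL locked
    (everything rotated by the prompt phase so that Q_P = 0)."""
    p = composite(x_track, amp, tau, phi)
    if abs(p) < 1e-9:                     # destructive cancellation: loss of lock is itself a flag
        return {"track": x_track, "delta": math.nan, "ratio": math.nan, "power": 0.0, "flag": True}
    rot = cmath.exp(-1j * cmath.phase(p))
    i_p = (p * rot).real
    i_e = (composite(x_track - d, amp, tau, phi) * rot).real
    i_l = (composite(x_track + d, amp, tau, phi) * rot).real
    delta = (i_e - i_l) / (2 * i_p)
    ratio = (i_e + i_l) / (2 * i_p)
    # nominal values for an authentic signal alone: delta = 0, ratio = tri(d)
    flag = abs(delta) > tol or abs(ratio - tri(d)) > tol
    return {"track": x_track, "delta": delta, "ratio": ratio, "power": abs(p) ** 2, "flag": flag}


def march_in(amp, phi, start_tau=2.0, step_tau=0.1):
    """Case 1: a fixed-amplitude counterfeit marches from start_tau chips toward
    code-phase alignment. Returns {tau (rounded to 0.1 chip): sqm result}."""
    results = {}
    x = 0.0                                # receiver starts locked on the authentic peak
    n = int(round(start_tau / step_tau))
    for i in range(n + 1):
        tau = round(start_tau - i * step_tau, 1)
        x = track(amp, tau, phi, x)
        results[tau] = sqm(amp, tau, phi, x)
    return results


def grow_in(phi, max_amp, steps=10):
    """Case 2: a code-phase-aligned counterfeit (tau = 0) grows from 0 to max_amp."""
    results = []
    x = 0.0
    for i in range(steps + 1):
        amp = max_amp * i / steps
        x = track(amp, 0.0, phi, x)
        results.append((amp, sqm(amp, 0.0, phi, x)))
    return results


def db_to_amp(db):
    return 10 ** (db / 20.0)
```

In the marching case the tests fire as soon as the counterfeit enters the late correlator (about 1.5 chips out with 0.5-chip spacing), stay raised through lift-off at about one chip, and fall silent again once the two signals are within a fraction of a chip of each other. In the growing case delta and ratio never move, because a code-aligned counterfeit only scales the composite correlation; the only observable is the prompt power, which follows the phasor sum |1 + amp·e^{jphi}|² discussed on backup slide 20. That is the model's version of the slide's point that SQM works on a counterfeit far from the authentic peak and is blind to one that is already aligned.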

13 Multi-Antenna Differential-Carrier-Phase Spoofing Detection (5/6)
[Figure only on the original slide]
Montgomery et al., ION ITM 2009

14 External Aiding: High-Quality Frequency Reference (6/6)
Time and frequency synchronization via GPS receivers
  70% of GPS receivers are utilized for timing applications, providing time and frequency reference sources
GPS timing receivers
  Implemented with a high-quality crystal oscillator, a coupled GPS receiver, and control logic
  The control logic cross-checks against the high-quality oscillator, providing some protection against GPS time spoofing attacks
  The control logic implementation and the oscillator quality primarily dictate the rate at which a time spoofing attack can be successfully carried out
[Figure: Symmetricom XL-GPS Time and Frequency Receiver]
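The oscillator cross-check on this slide as an added example of my own, not code from the presentation or from any timing-receiver vendor: the control logic records, once per second, the difference between GPS-reported time and the free-running local oscillator, and refuses to follow GPS whenever that difference changes over a window faster than the oscillator's specified frequency error allows. The oscillator specification (1e-10, i.e. 0.1 ns/s), window, noise margin and the three constructed offset series are assumptions. The slow-pull scenario is the slide's caveat in numbers: a spoofer that drags time away more slowly than the oscillator's own allowed drift passes the check.

```python
import random


def synthesize_pps_offsets(n_seconds, osc_drift_ns_per_s, noise_ns,
                           pull_rate_ns_per_s=0.0, pull_start=None, seed=7):
    """Constructed once-per-second series of (GPS-reported time - local oscillator
    time) in ns. The oscillator free-runs with a constant frequency offset
    (osc_drift_ns_per_s) plus white measurement noise; from pull_start on, a
    spoofer drags GPS time away linearly at pull_rate_ns_per_s."""
    rng = random.Random(seed)
    offsets = []
    for t in range(n_seconds):
        value = osc_drift_ns_per_s * t + rng.gauss(0.0, noise_ns)
        if pull_start is not None and t >= pull_start:
            value += pull_rate_ns_per_s * (t - pull_start)
        offsets.append(value)
    return offsets


def first_holdover_violation(offsets_ns, window_s, max_rate_ns_per_s, noise_margin_ns):
    """Control-logic check: over any window_s seconds the GPS-vs-oscillator offset may
    change by at most what the oscillator's specified frequency error allows, plus a
    noise margin. Returns the second at which the first violation is seen, or None."""
    limit = max_rate_ns_per_s * window_s + noise_margin_ns
    for i in range(window_s, len(offsets_ns)):
        if abs(offsets_ns[i] - offsets_ns[i - window_s]) > limit:
            return i
    return None


# Assumed receiver parameters (illustrative, not from the slides).
OSC_SPEC_NS_PER_S = 0.1    # OCXO-class oscillator, frequency accuracy 1e-10 -> 0.1 ns/s
WINDOW_S = 60
NOISE_MARGIN_NS = 8.0      # about 5.6 sigma of the 60 s difference at 1 ns measurement noise


def run_scenarios(n_seconds=900, pull_start=300):
    """Authentic GPS (oscillator drifting at half its spec), a pull below the spec
    margin, and a 10 ns/s pull. Returns the first flagged second per scenario."""
    scenarios = {
        "authentic": synthesize_pps_offsets(n_seconds, 0.05, 1.0),
        "slow_pull": synthesize_pps_offsets(n_seconds, 0.05, 1.0, 0.04, pull_start),
        "fast_pull": synthesize_pps_offsets(n_seconds, 0.05, 1.0, 10.0, pull_start),
    }
    return {name: first_holdover_violation(s, WINDOW_S, OSC_SPEC_NS_PER_S, NOISE_MARGIN_NS)
            for name, s in scenarios.items()}
```

The fast pull is caught within a couple of seconds of its start; the slow pull (0.04 ns/s on top of 0.05 ns/s of genuine drift, still under the 0.1 ns/s specification) is never flagged and has moved the receiver's time by 24 ns after ten minutes. A tighter oscillator specification shrinks the undetectable rate, which is the slide's statement that oscillator quality dictates how fast an attack can proceed.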

15 Conclusions
Described six candidate spoofing detection techniques
Simple software-based solutions provide some protection
Multi-antenna differential carrier phase and external aiding provide more protection
The strength of each detection scheme needs to be mathematically defined and tested to understand its protection level
Best non-cryptographic spoofing detection technique: the multi-antenna differential carrier phase spoofing detection technique

Speaker notes: 1. Value in a proof that a counterfeit signal is indistinguishable from an authentic signal.

16 Back-Up Slides

17 Additional Observations Relevant to Signal Quality Monitoring
A counterfeit signal +1 dB above an authentic signal can cause successful lift-off
A +3 dB counterfeit signal up to 30 degrees out of phase causes detectable destructive interference
A faster rate of attack shortens the destructive interference period, and thus shortens the time in which the attack can be detected
  Code tracking loop bandwidth becomes important for fast attacks
Data bit latency or data bit errors cause destructive interference, thereby improving detection

18 In-Line GPS Anti-Spoofing Module Architecture – Adding Anti-Spoofing Defenses to Legacy GPS Receivers
The GPS anti-spoofing module makes existing GPS equipment resistant to spoofing without requiring hardware or software changes to the equipment

19 Case 2: Counterfeit Signal Growing in Amplitude
Maximum +3 dB counterfeit signal with two extremes of carrier phase alignment: perfect carrier phase alignment, and ... degrees out of phase (the number is missing from the transcript)

Speaker notes: Insert 2 figures showing C/N0, carrier Doppler shift, delta test, and ratio test.

20 Phasor Interpretation of Observations
Baseband phasors in the complex plane can explain the observations

Speaker notes: Add two smaller figures showing destructive and constructive interference. Additional points to consider mentioning are the four observations listed on slide 17 (Additional Observations Relevant to Signal Quality Monitoring).

