1
Distance-decreasing attack in GPS
Final Presentation
Horacio Arze
Prof. Jean-Pierre Hubaux
Assistant: Marcin Poturalski
January 2009
Security and Cooperation in Wireless Networks
2
Secowinet 2009/2010
Outline
  – GNSS
  – Threat model
  – Distance-decreasing attack
  – Performance
  – Discussion
  – Conclusion
3
INTRO
GNSS: Global Navigation Satellite Systems
  – GPS
  – GLONASS
  – Compass
  – Galileo
Security sensitive applications
  – Road toll collection
  – Position-based insurance
  – Air traffic control
  – Resource access control
4
Security in GNSS
  – Integrity
  – Authentication
  – Privacy
SPOOFING
5
GNSS
6
Spoofing
  – Attack actually implemented by O’Hanlon et al. at Cornell Univ.
  – Software-defined receiver/spoofer
  – Cost: 1500$
O’Hanlon, B. et al., January 1 2009, Assessing the Spoofing Threat, GPS World, http://www.gpsworld.com/defense/security-surveillance/assessing-spoofing-threat-3171
7
Solutions
Signal Authentication through Spread Spectrum Security Codes (SSSC)
Signal Authentication through Spreading Code Encryption (SCE)
Non cryptographic methods
Navigation Message Encryption
Navigation Message Authentication
  – Digital signature included in the messages
  – Public/private key pairs for each satellite
O. Pozzobon et al., 2004, Secure Tracking using Trusted GNSS Receivers and Galileo Authentication Services, Journal of Global Positioning Systems, Vol. 3, No. 1-2: 200-207.
G.W. Hein and F. Kneissl, September/October 2007, Authenticating GNSS Proofs Against Spoofs, InsideGNSS.
8
Relay attack
The relay retransmits the messages bit by bit, introducing a certain delay for each message of S_i.
[Figure: relay]
G.W. Hein and F. Kneissl, September/October 2007, Authenticating GNSS Proofs Against Spoofs, InsideGNSS.
9
Mistaken GNSS Clock Offset Test
Papadimitratos, P., Jovanovic, A., Global Navigation Satellite Systems (GNSS) - Attacks and Countermeasures, in IEEE Military Communications Conference (IEEE MILCOM), p. 1-7
10
DD-attack
  – Distance-decreasing attacks were proposed by Clulow et al. in 2006 in the context of distance bounding protocols.
  – Same configuration as the relay attack.
  – “Reduce” the actual propagation delay.
J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore, So near and yet so far: Distance-bounding attacks in wireless networks, in ESAS, 2006.
11
DD-attack
[Figure: timing diagram, distance against time, showing one bit at the Satellite, Relay Rx, Relay Tx and GPS, with the intervals T_b, T_ED, T_LC and T_relay marked]
12
Early detection
Know the value of the bit, before the bit is completely transmitted.
[Figure: one bit at the Satellite and at the Relay Rx, with T_ED and T_b marked]
13
Late commit
  – Start transmitting something (e.g. noise).
  – Then, transmit something else so the receiver still decodes the bit correctly.
[Figure: one bit at the Relay Tx and at the GPS, with T_LC marked]
14
DD-attack
[Figure: timing diagram, distance against time, showing one bit at the Satellite, Relay Rx, Relay Tx and GPS, with the intervals T_b, T_ED, T_LC and T_relay marked]
15
GPS Modulation (L1)
[Figure: Bit sequence, Code, CDMA sequence]
  – DSSS: Direct-sequence spread spectrum - CDMA
  – Data rate 50 bps
  – Sequence or Spreading code (Pseudorandom)
      – Rate 1.023 MHz, period of 1023 chips
  – BPSK
16
GPS Receiver
[Figure: receiver block diagram with Antenna, Down-converter, A/D Converter, Digital IF, Carrier Replica (COS, SIN), Code Generator, signals I, Q, I_PS, Q_PS, I_P, Q_P, and Demodulation]
17
ED and LC
ED
LC
  – First phase: Signal constant during T_S but average 0
  – Second phase: Signal corresponding to ED’s result
18
Performance
Metric: BER estimated by theoretical P_e
  – P_e: probability of error per bit
Parameters
  – C/N_0: Carrier-to-noise Density
  – T_ED
  – T_relay
19
DD-attack
[Figure: timing diagram, distance against time, showing one bit at the Satellite, Relay Rx, Relay Tx and GPS, with the intervals T_b, T_ED, T_LC and T_relay marked]
20
Performance
[Figure: ED, LC, Normal Detector]
21
BER for ED
22
BER for LC
23
DD-attack performance
[Figure: curves for T_LC = 2, 4, 6, 8, 10, 12, 14, 16 and 18 ms]
24
Compact presentation
25
Discussion
Feasibility
  – O’Hanlon et al. device is a perfect platform for DD-Attack
  – By increasing the Tx power of the relay, we can achieve any performance.
  – T_relay = 1 ms => already 300 km in range error.
  – Performance increased by bit prediction
26
Discussion
Countermeasures
  – Non cryptographic countermeasures
      – Inertial Tests, Doppler Shift, Angle of arrival
  – Clock Offset Test not effective!
  – Analysis of the samples at the receiver
      – To be further developed
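The slide leaves "analysis of the samples at the receiver" open. One way a receiver could approach it, as an added example that is not part of the presentation: average the 1 ms correlator outputs per position inside the 20 ms data bit and look for a weak leading run, which is what a late-commit first phase with average 0 would leave behind. Assumptions: per-millisecond correlator outputs aligned to bit boundaries are available, the first phase is modelled as noise only after correlation, and the function names, the threshold ratio and the sample data are hypothetical and constructed.

```python
import random

SLOTS_PER_BIT = 20  # 50 bps data bit = 20 ms = 20 C/A code periods of 1 ms

def slot_profile(bits):
    """Mean bit-sign-corrected correlator output for each 1 ms slot of the bit."""
    profile = [0.0] * SLOTS_PER_BIT
    for slots in bits:
        sign = 1.0 if sum(slots) >= 0 else -1.0  # bit decision over the full 20 ms
        for k, value in enumerate(slots):
            profile[k] += sign * value / len(bits)
    return profile

def leading_weak_slots(bits, ratio=0.5):
    """Number of leading slots whose mean level is below ratio * strongest slot.

    A genuine bit is constant over all 20 slots, so the profile is flat (result 0).
    A late-commit first phase averages to zero, leaving a weak leading run.
    """
    profile = slot_profile(bits)
    threshold = ratio * max(profile)  # ratio is an assumed, untuned threshold
    count = 0
    while count < SLOTS_PER_BIT and profile[count] < threshold:
        count += 1
    return count

def synth_bits(n_bits, amp, t_lc_ms, rng, noise=1.0):
    """Constructed test data: per-slot correlator outputs for random data bits.

    The first t_lc_ms slots carry noise only (assumed model of the late-commit
    first phase after correlation); the remaining slots carry the bit at amp.
    """
    bits = []
    for _ in range(n_bits):
        b = rng.choice((-1.0, 1.0))
        bits.append([(0.0 if k < t_lc_ms else b * amp) + rng.gauss(0.0, noise)
                     for k in range(SLOTS_PER_BIT)])
    return bits

if __name__ == "__main__":
    rng = random.Random(2009)
    genuine = synth_bits(500, amp=1.0, t_lc_ms=0, rng=rng)
    relayed = synth_bits(500, amp=1.2, t_lc_ms=6, rng=rng)
    print("genuine:", leading_weak_slots(genuine))
    print("late commit:", leading_weak_slots(relayed))
```

The check depends on bit synchronisation and on averaging over enough bits to suppress noise; the threshold would have to be tuned on real receiver data.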
27
Conclusion
  – Distance-decreasing attack is feasible on the GPS L1 carrier.
  – A considerable error in position estimation can be introduced with practically no loss of performance.
  – DD-attacks are specific to the coding and modulation scheme. Analysis for other signals to be done (e.g. GPS L2 and L5, Galileo L5).
  – Designers of security sensitive devices must be warned about this kind of attack.