Assessing the likelihood of GNSS spoofing attacks on RPAS

Mike Maarse (UvA/NLR)
RP2 Presentation, 30-06-2016

Introduction: Motivation/relevance

- Growing number of RPAS in professional use
- Many system configurations
- Numerous threats on wireless communications

Notable recent efforts:
- Iran spoofs US Lockheed Martin RQ-170 (2011)
- Maldrone: First backdoor for drones (Sasi, 2015)
- MiTM attack on RPAS telemetry link (Rodday, 2015)

Growing number * many * numerous = a lot
We need a systematic approach!

Introduction: Research questions

1. How can we define a systematic approach to study and model attack paths of wireless attacks on an RPAS?
2. How can we apply the defined approach in a practical experiment using a GNSS receiver to establish the likelihood of such an attack?

Approach

1. Classify the target (sub-)system
2. Specify a systematic approach
3. Create threat model
4. Establish likelihood of GNSS receiver attacks
   ...through practical experimentation
5. Evaluate the risk

Remotely Piloted Aircraft Systems: Main components

- Remotely Piloted Aircraft (RPA)
- Remote Pilot Station (RPS)
- Command & Control link (C2)

Figure 1: Operation within RLOS
Figure 2: Long range operation

Remotely Piloted Aircraft Systems: Example implementations

Figure 3: DJI Phantom hardware
Figure 4: NASA research Predator

Remotely Piloted Aircraft: Target system classification

Level  Sensor type     Output
I      GNSS            Latitude, longitude, altitude, time
       Pitot-static    Altitude, airspeed, temperature, pressure
II     Magnetometer    Heading
       Accelerometer   Accelerations
       Gyroscope       Pitch, roll, yaw angles

Table 1: Target system's PNT capabilities

Remotely Piloted Aircraft: How does it work?

Figure 5: Component interaction

Attacking the RPAS

Remote operation makes the system vulnerable.

What does the attacker want to achieve?
- Monitor/eavesdrop communications
- Influence system behaviour
- Gain trajectory control
- Permanently disable (part of) the system

Proven methods:
- Listening in on unencrypted video feed
- Attacking the C2/telemetry link
- Attacking the GNSS receiver
- Upload malware

Threat modelling: Attack-Defence Trees

- Developed by University of Luxembourg
- Based on Attack Trees formalism (Schneier, 1999)
- Breaks down attack scenarios, include countermeasures

Figure 6: Top level RPAS attacks

SPOOFING TIME! (literally)

Staging the attack

Goal:
Control the RPA's trajectory by altering the perceived position and time.

Related work/inspiration:
- GPS-SDR-SIM (Ebinuma, 2015)

What do we need to do?
1. Obtain GPS ephemeris data
2. Set target coordinates
   - Fixed latitude, longitude, altitude
   - Path in ECEF database
   - Path in NMEA sentences
3. Generate I/Q samples binary

Staging the attack: Lab setup

Figure 7: Experiment setup

Execution: Transmitting the samples

Figure 8: Equipment in action

Execution: What just happened?

Figure 9: Recorded path and receiver output

Execution: Observations

- Binary sample rate should match transmitter sample rate...
- Potential storage issues
  - Large binary files (approx. 3GB for 5 min. of traffic)
  - Underflow errors due to slow disk reads
- Matching NMEA input to NMEA output
- Single satellite signal affects receiver clock

Timeframe:
Given the adversary is prepared, the position reported by the GPS receiver can be compromised in less than a minute.

Risk evaluation

Chance of occurring:
- Relatively easy to execute
- Less obvious than jamming
- Hardware is getting cheap

Impact:
- Reduced PNT capabilities
- Consequences depend on many factors
  - Adversary's profile (e.g. resources, skill)
  - Target system's PNT capabilities
  - Implemented countermeasures

Future work

- Use results in full risk analysis
- Security analysis of GNSS augmentation systems
- More GNSS spoofing!
  - Perform attack on live RPAS
  - Multi-constellation GNSS receivers

Summary: Conclusion

- It is possible to define a systematic approach...
  - ...but needs to be kept up-to-date
  - Refining threat models requires expert knowledge
- Experiment shows GPS signal spoofing requires little effort
- Current GNSS implementations are vulnerable
  - Use of unauthenticated and unencrypted signals
  - Signals from space are easily overpowered
  - Relatively cheap equipment
- Spoofing attacks are highly likely

Appendix I - Target system classification

Level  Sensor type                          Output
I      GNSS                                 Latitude, longitude, altitude, time
       Pitot-static                         Altitude, airspeed, temperature, pressure
II     Magnetometer                         Heading
       Accelerometer                        Accelerations
       Gyroscope                            Pitch, roll, yaw angles
III    Radio altimeter                      Altitude
       Inertial Measurement Unit            Angular rates, forces
       Attitude Heading Reference System    Angular rates, forces, attitude, heading
IV     Radio navigation equipment           Position fix
       Inertial Navigation System           Position, orientation, velocity
V      RADAR, LiDAR, ground reference       Full situational awareness

Table 2: PNT capability levels

Appendix II - Attack execution

How does this affect the RPAS?

Figure 10: Compromised state

Appendix III - Risk evaluation

But wait, there is a model for that!

Figure 11: Bow tie model

Appendix IV - Spoofing mitigation

Available techniques:
- Monitor signal strength
- Encrypt the signal
- Monitor (calculated) drift
- Detect signal geometry
- Combination of the above

Source: M. L. Psiaki and T. E. Humphreys, "GNSS Spoofing and Detection," in Proceedings of the IEEE, vol. 104, no. 6, pp. 1258-1270, June 2016.
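
One way to apply the "monitor (calculated) drift" technique to a receiver's NMEA output, as an added example that is not part of the original presentation: it validates each RMC sentence and flags fixes whose implied speed or time step is implausible for the airframe. The function names, the thresholds and the sample sentences are assumptions constructed for illustration.

```python
import math
from datetime import datetime, timedelta, timezone
from functools import reduce

def checksum(body):  # XOR of every character between '$' and '*'
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)

def make_rmc(ts, lat, lon):  # sample-data helper (constructed sentences, N/E hemisphere only)
    dm = lambda v, w: f"{int(v):0{w}d}{(v - int(v)) * 60:07.4f}"
    body = f"GPRMC,{ts:%H%M%S}.00,A,{dm(lat, 2)},N,{dm(lon, 3)},E,0.0,0.0,{ts:%d%m%y},,,A"
    return f"${body}*{checksum(body):02X}"

def parse_rmc(sentence):
    # Return (utc_time, lat_deg, lon_deg); None if checksum, length or fix status is bad.
    body, _, cs = sentence.strip().lstrip("$").partition("*")
    f = body.split(",")
    if cs.upper() != f"{checksum(body):02X}" or len(f) < 10 or f[2] != "A":
        return None
    ts = datetime.strptime(f[9] + f[1][:6], "%d%m%y%H%M%S").replace(tzinfo=timezone.utc)
    lat = int(f[3][:2]) + float(f[3][2:]) / 60
    lon = int(f[5][:3]) + float(f[5][3:]) / 60
    return ts, (-lat if f[4] == "S" else lat), (-lon if f[6] == "W" else lon)

def dist_m(a, b):
    # Equirectangular approximation: adequate for the short steps between fixes.
    x = math.radians(b[2] - a[2]) * math.cos(math.radians((a[1] + b[1]) / 2))
    return 6371000 * math.hypot(x, math.radians(b[1] - a[1]))

def check_fixes(sentences, max_speed_mps=30.0, max_gap_s=5.0):
    # Thresholds are assumptions; set them from the airframe's real performance.
    alerts, prev = [], None
    for i, s in enumerate(sentences):
        fix = parse_rmc(s)
        if fix is None:
            alerts.append((i, "rejected sentence"))
            continue
        if prev:
            dt = (fix[0] - prev[0]).total_seconds()
            if dt <= 0 or dt > max_gap_s:
                alerts.append((i, f"time step {dt:.0f} s"))
            elif dist_m(prev, fix) / dt > max_speed_mps:
                alerts.append((i, f"implied speed {dist_m(prev, fix) / dt:.0f} m/s"))
        prev = fix
    return alerts

# Constructed sample track: steady flight, then a position jump, then a clock jump.
T0 = datetime(2016, 6, 30, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = [make_rmc(T0 + timedelta(seconds=i), 52.3 + i * 1e-4, 4.9) for i in range(4)]
SAMPLE.append(make_rmc(T0 + timedelta(seconds=4), 52.4, 4.9))
SAMPLE.append(make_rmc(T0 + timedelta(hours=3), 52.4001, 4.9))
```

In a fielded system the same comparison would be made against an independent source such as the inertial sensors listed in the PNT capability levels, rather than against the previous GNSS fix alone.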