Security of Global Navigation Satellite Systems (GNSS)

- GPS Fundamentals
- GPS Signal Spoofing Attack
- Spoofing Detection Techniques

Global Navigation Satellite Systems (GNSS)

- Umbrella term for navigation systems using satellite data for their operation.
- Major systems: GPS (USA), Galileo (Europe), GLONASS (Russia).
- They differ in carrier frequency and data modulation methods.
- Navigation solution estimation methods are similar.

Time-of-flight (ToF) based Distance Estimation

[Figure: transmitted signal and received signal on a time axis t, with the distance D between transmitter and receiver*]

- $D = c \cdot t$, where $c$ is the speed of light ($3 \times 10^8$ m/s).
- The clocks at both the transmitter and receiver need to be tightly in sync.
- A sync error of 1 µs between the Tx and Rx results in a distance estimation error of ~300 m.

* Adapted from ublox GPS manual

2D Trilateration

- User location is determined based on distances.
- Not to be confused with triangulation (which involves measurement of angles).

Notation:
- $(x_{sat_i}, y_{sat_i})$: known transmitter locations
- $t_i$: signal transit times
- $R_i = c \cdot t_i$: distance from the transmitter
- $(x, y)$: receiver location

$R_1 = \sqrt{(x_{sat_1} - x)^2 + (y_{sat_1} - y)^2}$
$R_2 = \sqrt{(x_{sat_2} - x)^2 + (y_{sat_2} - y)^2}$
$R_3 = \sqrt{(x_{sat_3} - x)^2 + (y_{sat_3} - y)^2}$

Trilateration in GPS

- 3 spheres intersect at 2 distinct points. One of the points is usually discarded since it will be far away from Earth.
- But we require four satellites to determine a user's location. Why? Hint: time.
- Satellites have atomic clocks on board, and hence the time of transmission of the GPS signal is known precisely.
- The receiver clocks are not atomic and not tightly synced to those on the satellites, which introduces error in the TOA measurement at the receiver.
  - 1 µs → 300 m error in position estimation
- Hence, a fourth pseudorange (true range + clock error) measurement is used to determine the correct user location.
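
GPS: Estimating Position

[Figure: satellites Sat1 to Sat4 with signal transit times $t_1$ to $t_4$ to the receiver]

Notation:
- $(x_{sat_i}, y_{sat_i}, z_{sat_i})$: known satellite coordinates
- $(x, y, z)$: user coordinates
- $t_i$: signal transit times
- receiver clock error

$PSR_1 = \sqrt{(x_{sat_1} - x)^2 + (y_{sat_1} - y)^2 + (z_{sat_1} - z)^2} + c \cdot (\text{receiver clock error})$
$PSR_2 = \sqrt{(x_{sat_2} - x)^2 + (y_{sat_2} - y)^2 + (z_{sat_2} - z)^2} + c \cdot (\text{receiver clock error})$
$PSR_3 = \sqrt{(x_{sat_3} - x)^2 + (y_{sat_3} - y)^2 + (z_{sat_3} - z)^2} + c \cdot (\text{receiver clock error})$
$PSR_4 = \sqrt{(x_{sat_4} - x)^2 + (y_{sat_4} - y)^2 + (z_{sat_4} - z)^2} + c \cdot (\text{receiver clock error})$

$(x, y, z)$ is determined by solving the above equations using Taylor series linearization and simplification.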
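
The linearized solution described above, as an added example that is not part of the original slides: the four pseudorange equations are expanded to first order around the current estimate and the resulting 4x4 linear system is solved repeatedly. The satellite coordinates, receiver position and 1 µs clock error are constructed values, and the function names are hypothetical.

```python
import math

C = 299_792_458.0  # speed of light in m/s

def solve_linear(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for k in range(col, n + 1):
                M[r][k] -= f * M[col][k]
    x = [0.0] * n
    for i in reversed(range(n)):
        s = sum(M[i][k] * x[k] for k in range(i + 1, n))
        x[i] = (M[i][n] - s) / M[i][i]
    return x

def solve_position(sats, psr, iterations=10):
    """Return (x, y, z, clock_error_seconds) from four pseudoranges."""
    x = y = z = bias = 0.0   # start at Earth's centre; bias = c * clock error (m)
    for _ in range(iterations):
        jac, resid = [], []
        for (sx, sy, sz), p in zip(sats, psr):
            r = math.dist((sx, sy, sz), (x, y, z))
            # First-order Taylor terms: dPSR/dx, dPSR/dy, dPSR/dz, dPSR/dbias
            jac.append([(x - sx) / r, (y - sy) / r, (z - sz) / r, 1.0])
            resid.append(p - (r + bias))
        dx, dy, dz, db = solve_linear(jac, resid)
        x, y, z, bias = x + dx, y + dy, z + dz, bias + db
    return x, y, z, bias / C

# Constructed geometry in metres (Earth-centred frame), not real ephemeris data.
SATS = [(0.0, 0.0, 26.57e6), (15.0e6, 0.0, 21.9e6),
        (-7.5e6, 13.0e6, 21.9e6), (-7.5e6, -13.0e6, 21.9e6)]
TRUE_POS = (1.2e6, -0.8e6, 6.2e6)
TRUE_CLOCK_ERROR = 1e-6      # receiver clock is 1 microsecond off
PSR = [math.dist(s, TRUE_POS) + C * TRUE_CLOCK_ERROR for s in SATS]

if __name__ == "__main__":
    print(solve_position(SATS, PSR))
```

The fourth unknown absorbs the receiver clock error, so the position is recovered even though every pseudorange is about 300 m too long.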

Global Positioning System (GPS)

[Figure: Space Segment, User Segment and Control Segment, with the data exchanged between them]

- Space Segment: 32 satellites transmitting radio signals from about 20,200 km above.
- Coded ranging signals, satellite position information, almanac, atmospheric error correction factors.
- Atmospheric data, clock error correction, orbit corrections.
- User Segment
- Control Segment

GPS Satellite Signal Structure and Generation

[Block diagram: carrier frequency generator (1575.42 MHz), PRN code generator (1.023 MHz) and data generator (50 bit/sec); C/A code and data are combined by exclusive-or, then multiplied onto the L1 carrier to form the transmitted satellite signal (BPSK)]

- Civilian GPS data is transmitted on the 1575.42 MHz carrier.
- Each satellite uses a unique pseudorandom code (C/A code) to spread its data (DSSS).
- Each civilian C/A code is 1,023 bits long and is public.
- Military uses 767,25 bits long secret pseudorandom code for spreading.
- Data is transmitted at 50 bps and contains information such as orbital data for all satellites (ephemeris and almanac), atmospheric error correction factors, satellite health.

Typical GPS Receiver

[Block diagram: Signal IN, RF frontend, reference oscillator, correlator/DSP, processor, output (NMEA, UBX, ...)]

- The GPS signal travels ~20,000 km. Typical received signal power is -130 dBm ($1 \times 10^{-18}$ Watts).
- RF frontend: pre-amplification, filtering, intermediate frequency conversion.
- Correlating the received signal with each of the pseudorandom (PRN) codes ascertains the signal transit time.
- Correlation additionally improves the signal-to-noise ratio ("amplifies" the signal above the standard noise level).
- The processor calculates the position and time and outputs the information in different formats (NMEA, UBX, SiRF etc.).

Physical-layer Security of GPS Systems

Security of GPS Systems

- The pseudorandom codes used by the satellites to transmit data are public.
- There is no means of authenticating the GPS signal.
  - Galileo offers authentication to premium users.
- Commercial GPS signal simulators are available.
  - Typically used for development and testing of GPS modules.
  - Capable of record and replay, real-time GPS signal generation for static and dynamic (route simulation) scenarios, configurable power levels and so on.

Signal Spoofing Attack on GPS

[Figure: attacker transmitting into the input of the GPS receiver ("We attack here"); the receiver output is NMEA, UBX, ...]

- GPS signal spoofing: the attack is at the physical layer (not a software/application layer attack).
- Fake GPS signals are transmitted at a higher power.
- The signals are crafted such that they are identical to the satellite signals potentially received at the spoofed location.
- The GPS receiver processes the spoofed signals and computes the location (which will result in a new spoofed location different from the actual location of the receiver).

GPS Spoofing Detection Methods

[Figure: RF IN, GPS receiver, output data interface]

Common receiver observables based
- The standardized data exchange format (e.g., NMEA) outputs information such as geographic position (lat, long, alt), number of visible satellites, time and date, received signal strength from each of the visible satellites etc.
- Several detection schemes based on the above have been proposed.
- No modifications to the receiver required.

RF signal physical characteristics based
- Estimating angle of arrival, carrier phase based detection (introducing random antenna motion).
- Requires modification to the receiver signal processing hardware.

Receiver Observables Based Spoofing Detection Schemes

[Figure: "Variation of AGC values due to GPS spoofing"; AGC value (%) versus time samples, with the point "Spoofer ON" marked]

- The Automatic Gain Controller* varies the gain of the internal amplifier so as to account for the dynamic nature of the GPS input signal.
- Gain is increased for weak input signals and reduced for stronger signals (to prevent saturation).

[Figure: "Variation of noise values due to GPS spoofing"; noise level (dBm) versus time samples]

- Typical noise floor level is around -120 dBm.
- Presence of a nearby spoofer could cause distinct changes to the observed noise level.

* "Who's Afraid of the Spoofer? GPS/GNSS Spoofing Detection via Automatic Gain Control (AGC)", Dennis M. Akos, Journal of Navigation.

Receiver Observables Based Spoofing Detection Schemes

Spoofing detection based on number of visible satellites

[Figure: number of visible satellites versus time samples]

- During spoofing, the number of visible satellites can increase beyond a certain threshold.
- Typically, 4-8 satellites are visible.

Is GPS spoofing still a threat? Drawbacks?
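
A receiver-observable check of the kind described above, as an added example that is not part of the original slides: it reads the satellites-in-view count from NMEA GSV sentences, rejects lines with a bad checksum, and alerts only when the count stays above a threshold. The threshold of 10, the persistence of 3 samples, the function names and the sample sentences are all assumptions made for this example.

```python
from functools import reduce

def nmea_checksum(body):
    """XOR of every character between '$' and '*', as two hex digits."""
    return f"{reduce(lambda acc, ch: acc ^ ord(ch), body, 0):02X}"

def sats_in_view(sentence):
    """Return the satellites-in-view count from a valid GSV sentence, else None."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    body, _, given = sentence[1:].partition("*")
    if nmea_checksum(body) != given.upper():
        return None                      # corrupted line, do not trust it
    fields = body.split(",")
    # GSV layout: talker+GSV, total messages, message number, satellites in view, ...
    if len(fields) < 4 or not fields[0].endswith("GSV") or fields[2] != "1":
        return None
    return int(fields[3]) if fields[3].isdigit() else None

def first_alert(sentences, threshold=10, persistence=3):
    """Index of the sample at which the count has been above `threshold` for
    `persistence` consecutive samples, or None. Both defaults are assumptions."""
    run, index = 0, -1
    for sentence in sentences:
        count = sats_in_view(sentence)
        if count is None:
            continue
        index += 1
        run = run + 1 if count > threshold else 0
        if run >= persistence:
            return index
    return None

def make_gsv(count):
    """Build a constructed, minimal GSV sentence with a correct checksum."""
    body = f"GPGSV,4,1,{count:02d},01,40,083,46"
    return f"${body}*{nmea_checksum(body)}"

# Constructed observations: 4-8 satellites at first, then a sustained jump.
COUNTS = [6, 7, 6, 8, 7, 13, 14, 14, 15, 14]
SAMPLES = [make_gsv(n) for n in COUNTS]

if __name__ == "__main__":
    print(first_alert(SAMPLES))
```

Requiring several consecutive samples keeps a single noisy reading from raising an alert, at the cost of a slightly later detection.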

GPS Spoofing: Dynamic Scenario

Previous experimental setup
- Receiver was static (no movement).
- No external interference.
- Little disturbance from the environment.

In a real-world dynamic scenario
- Multipath reflections, other radio interferences, weather changes (cloudy vs clear skies).

[Figure: "Bracelet AGC values without spoofing"; AGC value (%) versus time samples]

Angle of Arrival based GPS Spoofing Detection

[Figure: signals from Sat1 to Sat4 arriving at two receiver antennas separated by D, each from a different angle; in the spoofed scenario all four signals arrive from a single source]

- Angle of arrival is a function of the measured signal phase difference (Φ) at both the antennas and their separation D.
- Phase measurement is computationally expensive and requires receiver hardware modifications.

Montgomery, P.Y., T.E. Humphreys, B.M. Ledvina, "A Multi-Antenna Defense: Receiver-Autonomous GPS Spoofing Detection," InsideGNSS, 2009.

A Multi-Receiver Approach

[Figure: several receivers, each with its own signal transit times $t_1$ to $t_4$; labels: signal transit times, receiver locations, spoofed location]

Nils Ole Tippenhauer, Christina Pöpper, Kasper Bonne Rasmussen, Srdjan Capkun, "On the Requirements for Successful GPS Spoofing Attacks", In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2011.

Group Spoofing Problem

The GPS Group Spoofing Problem is the problem of finding combinations of GPS signals (sent by the attacker), transmission times (when the spoofing signals are sent), and physical transmission locations (from where the attacker transmits) such that the location or time of each victim is spoofed to the desired location.

[Figure: receivers $R_1$, $R_2$, $R_3$ and their spoofed locations $L_1$, $L_2$, $L_3$]

$L_i$ are spoofed locations.

Group Spoofing: Possible Attacker Positions

[Figure: three 3D plots (axes x, y, z) for (a) 2 receivers, (b) 3 receivers, (c) 4 receivers]

Caption: Visualization of possible attacker placements. For (a) two victims, all points on the hyperboloid are viable solutions; for (b) three victims the solutions lie on a curve (red/white intersection); and (c) for four victims only two points are viable solutions (white).

Possible attacker placements $P_i^A$ for n receivers:

n | Spoofing to one location (Civ. & Mil. GPS) | Spoofing to multiple locations, preserved formation (Civilian GPS) | Spoofing to multiple locations, preserved formation (Military GPS)
1 | $P_i^A \in \mathbb{R}^3$ | - | -
2 | $P_i^A \in \mathbb{R}^3$ | set of hyperboloids | one hyperboloid
3 | $P_i^A \in \mathbb{R}^3$ | set of intersections of two hyperboloids | intersection of two hyperboloids
4 | $P_i^A \in \mathbb{R}^3$ | set of 2 points | 2 points
5 | $P_i^A \in \mathbb{R}^3$ | set of points | 1 point

Result 5. In a GPS group spoofing attack on four victims to specific locations $L_j$ and time offsets, there are at most two possible placements for $P_i^A$ to impersonate a satellite at $L_i^A$. These are the intersection points of three hyperboloids defined by $b_{i12}$, $b_{i13}$, $b_{i14}$.

A necessary condition for a successful GPS group spoofing attack is that $\forall V_j, V_k, \forall s_i: b_{ijk} \le |P_j - P_k|$.

Multi-receiver Spoofing Countermeasure

- The GPS receivers are set up on a cargo ship with a known formation, and the receivers exchange their location information between them.
- If the reported individual locations do not match the known formation, then a possible spoofing attack can be detected.

[Figure: GPS receivers placed on a cargo ship]
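
One way to implement the formation check described above, as an added example that is not part of the original slides: pairwise distances between the reported fixes are compared with the known antenna separations, which does not depend on where the ship is or how it is heading. The receiver names, antenna offsets, ship position, 10 m tolerance and all fixes are constructed; the spoofed case assumes every receiver reports nearly the same location.

```python
import math
from itertools import combinations

EARTH_RADIUS_M = 6_371_000.0

def distance_m(p, q):
    """Distance in metres between two (lat, lon) fixes in degrees; short baselines only."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    east = (lon2 - lon1) * math.cos((lat1 + lat2) / 2)
    return EARTH_RADIUS_M * math.hypot(east, lat2 - lat1)

def formation_violations(fixes, expected, tolerance_m=10.0):
    """Return (a, b, measured_m) for receiver pairs whose separation is off."""
    bad = []
    for a, b in combinations(sorted(fixes), 2):
        measured = distance_m(fixes[a], fixes[b])
        if abs(measured - expected[(a, b)]) > tolerance_m:
            bad.append((a, b, round(measured, 1)))
    return bad

def fix_at(base, east_m, north_m):
    """Constructed helper: (lat, lon) at a metre offset from a base fix."""
    lat = base[0] + math.degrees(north_m / EARTH_RADIUS_M)
    scale = EARTH_RADIUS_M * math.cos(math.radians(base[0]))
    return (lat, base[1] + math.degrees(east_m / scale))

# Constructed formation: antenna offsets (east, north) in metres on the ship.
OFFSETS = {"bow": (0.0, 200.0), "bridge": (30.0, 100.0), "stern": (0.0, 0.0)}
EXPECTED = {(a, b): math.dist(OFFSETS[a], OFFSETS[b])
            for a, b in combinations(sorted(OFFSETS), 2)}

SHIP = (36.0, -5.0)  # constructed ship position (lat, lon)
# Normal case: each receiver reports its own antenna position with a few metres of error.
NORMAL = {"bow": fix_at(SHIP, 2.0, 201.0),
          "bridge": fix_at(SHIP, 29.0, 98.5),
          "stern": fix_at(SHIP, -1.5, 1.0)}
# Spoofed case: all receivers report nearly the same location, so the formation collapses.
FAKE = (36.05, -5.02)
SPOOFED = {"bow": fix_at(FAKE, 1.0, 0.0),
           "bridge": fix_at(FAKE, 0.0, 2.0),
           "stern": fix_at(FAKE, -1.0, -1.0)}

if __name__ == "__main__":
    print(formation_violations(NORMAL, EXPECTED))
    print(formation_violations(SPOOFED, EXPECTED))
```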

Ongoing Work

- Effectiveness of the multi-receiver countermeasure in real-world high multipath environment.
- Feasibility of group spoofing using multiple spoofers.
- Effectiveness of receiver observable based spoofing detection schemes in various environmental conditions.
- Generalization of the group spoofing problem for n receivers.