Security of Global Navigation Satellite Systems (GNSS) GPS Fundamentals GPS Signal Spoofing Attack Spoofing Detection Techniques

Similar documents
Mobile Security Fall 2015

Introduction to Global Navigation Satellite System (GNSS) Signal Structure

UNIT 1 - introduction to GPS

Using GPS in Embedded Applications Pascal Stang Stanford University - EE281 November 28, 2000

What is a GPS How does GPS work? GPS Segments GPS P osition Position Position Accuracy Accuracy Accuracy GPS A pplications Applications Applications

GPS Global Positioning System

GLOBAL POSITIONING SYSTEMS

GLOBAL POSITIONING SYSTEMS. Knowing where and when

Global Navigation Satellite Systems (GNSS)Part I EE 570: Location and Navigation

The Case for Recording IF Data for GNSS Signal Forensic Analysis Using a SDR

GNSS Technologies. GNSS Acquisition Dr. Zahidul Bhuiyan Finnish Geospatial Research Institute, National Land Survey

EE 570: Location and Navigation

Proceedings of Al-Azhar Engineering 7 th International Conference Cairo, April 7-10, 2003.

GLOBAL NAVIGATION SATELLITE SYSTEMS (GNSS) ECE 2526E Tuesday, 24 April 2018

t =1 Transmitter #2 Figure 1-1 One Way Ranging Schematic

GPS: The Basics. Darrell R. Dean, Jr. Civil and Environmental Engineering West Virginia University. Expected Learning Outcomes for GPS

King AbdulAziz University. Faculty of Environmental Design. Geomatics Department. Mobile GIS GEOM 427. Lecture 3

Development of Ultimate Seamless Positioning System for Global Cellular Phone Platform based on QZSS IMES

Global Positioning Systems (GPS) Trails: the achilles heel of mapping from the air / satellites

PRINCIPLES AND FUNCTIONING OF GPS/ DGPS /ETS ER A. K. ATABUDHI, ORSAC

LOW POWER GLOBAL NAVIGATION SATELLITE SYSTEM (GNSS) SIGNAL DETECTION AND PROCESSING

DESIGN AND IMPLEMENTATION OF INTEGRATED GLOBAL NAVIGATION SATELLITE SYSTEM (GNSS) RECEIVER. B.Tech Thesis Report

Satellite Navigation Principle and performance of GPS receivers

GNSS RFI/Spoofing: Detection, Localization, & Mitigation

Entity Tracking and Surveillance using the Modified Biometric System, GPS-3

S a t e l l i t e T i m e a n d L o c a t i o n. N o v e m b e r John Fischer VP Advanced R&D

GPS Tutorial Trimble Home > GPS Tutorial > How GPS works? > Triangulating

Principal Investigator Co-Principal Investigator Co-Principal Investigator Prof. Talat Ahmad Vice-Chancellor Jamia Millia Islamia Delhi

Introduction to NAVSTAR GPS

Introduction to the Global Positioning System

Global Navigation Satellite Systems II

Fundamentals of GPS Navigation

The last 25 years - GPS to multi-gnss: from a military tool to the most widely used civilian positioning solution

Surviving and Operating Through GPS Denial and Deception Attack. Nathan Shults Kiewit Engineering Group Aaron Fansler AMPEX Intelligent Systems

Introduction to the Global Positioning System

2 INTRODUCTION TO GNSS REFLECTOMERY

GPS (Introduction) References. Terms

Basics of Satellite Navigation an Elementary Introduction Prof. Dr. Bernhard Hofmann-Wellenhof Graz, University of Technology, Austria

What is GPS? GPS Position Accuracy. GPS Applications. What is a GPS. How does GPS work? GPS Segments

Challenges and Solutions for GPS Receiver Test

GPS (Introduction) References. Terms

Principles of. Principles of GPS 9/12/2011

Time Firewall: Securing the GNSS receivers against Spoofing/Jamming. Shemi Prazot AccuBeat

Analysis on GNSS Receiver with the Principles of Signal and Information

Primer on GPS Operations

ESTIMATION OF IONOSPHERIC DELAY FOR SINGLE AND DUAL FREQUENCY GPS RECEIVERS: A COMPARISON

An Experiment Study for Time Synchronization Utilizing USRP and GNU Radio

Analysis of Processing Parameters of GPS Signal Acquisition Scheme

THE DESIGN OF C/A CODE GLONASS RECEIVER

HOW TO RECEIVE UTC AND HOW TO PROVE ACCURACY

Introduction. Global Positioning System. GPS - Intro. Space Segment. GPS - Intro. Space Segment - Contd..

RF, HIL and Radar Test

Sources of Geographic Information

Modelling GPS Observables for Time Transfer

GPS/QZSS Signal Authentication Concept

Bernhard Hofnlann-Wellenhof Herbert Lichtenegger Elmar Wasle. GNSS - Global Navigation Satellite Systenls. GPS, GLONASS, Galileo, and nl0re

GNSS 5 click PID: MIKROE-2670

Basics of Satellite Navigation an Elementary Introduction Prof. Dr. Bernhard Hofmann-Wellenhof Graz, University of Technology, Austria

GE 113 REMOTE SENSING

TIME TRANSFER EXPERIMENT BY TCE ON THE ETS-VIII SATELLITE

Navigation für herausfordernde Anwendungen Robuste Satellitennavigation für sicherheitskritische Anwendungen

Jamming and Spoofing of GNSS Signals An Underestimated Risk?!

(In)security of smart transportation at sea

FieldGenius Technical Notes GPS Terminology

Global Positioning System: what it is and how we use it for measuring the earth s movement. May 5, 2009

The Global Positioning System

3D-Map Aided Multipath Mitigation for Urban GNSS Positioning

Design and Implementation of Global Navigation Satellite System (GNSS) Receiver. Final Presentation

Understanding GPS: Principles and Applications Second Edition

GPS Milestones, cont. GPS Milestones. The Global Positioning Sytem, Part 1 10/10/2017. M. Helper, GEO 327G/386G, UT Austin 1. US GPS Facts of Note

High Precision GNSS in Automotive

Developing a GNSS resiliency framework for timing receivers. By Guy Buesnel and Adam Price Spirent Communications, October 2017

Unconditionally Secure Authentication and Integrity Protection for the Galileo Open Service Signal

Integrated GPS/TOA Navigation using a Positioning and Communication Software Defined Radio

Introduction to Global Navigation Satellite System (GNSS) Module: 1

An ultra-low-cost antenna array frontend for GNSS application

The GLOBAL POSITIONING SYSTEM James R. Clynch February 2006

Future GNSS: Improved Signals and Constellations

Intro to GNSS & Teseo-LIV3F Module for IoT Positioning

Performance Analysis of Joint Multi-Antenna Spoofing Detection and Attitude Estimation

Benefits of amulti-gnss Receiver inaninterference Environment

ABSOLUTE CALIBRATION OF TIME RECEIVERS WITH DLR'S GPS/GALILEO HW SIMULATOR

Scalable Front-End Digital Signal Processing for a Phased Array Radar Demonstrator. International Radar Symposium 2012 Warsaw, 24 May 2012

Resection. We can measure direction in the real world! Lecture 10: Position Determination. Resection Example: Isola, Slovenia. Professor Keith Clarke

Global Positioning Systems -GPS

Current Challenges (and Solutions) in Satellite Navigation. Omar García Crespillo Institute of Communication and Navigation

Single Frequency Network Structural Aspects & Practical Field Considerations

DYNAMICALLY RECONFIGURABLE SOFTWARE DEFINED RADIO FOR GNSS APPLICATIONS

The topic we are going to see in this unit, the global positioning system, is not directly related with the computer networks we use everyday, but it

GPS and Recent Alternatives for Localisation. Dr. Thierry Peynot Australian Centre for Field Robotics The University of Sydney

GNSS for Landing Systems and Carrier Smoothing Techniques Christoph Günther, Patrick Henkel

Foreword by Glen Gibbons About this book Acknowledgments List of abbreviations and acronyms List of definitions

1 Interference Cancellation

Interference Detection and Localisation within GEMS II. Ediz Cetin, Ryan J. R. Thompson and Andrew G. Dempster

GNSS 5 click PID: MIKROE Weight: 30 g

ORBITAL NAVIGATION SYSTEMS PRESENT AND FUTURE TENDS

Wednesday AM: (Doug) 2. PS and Long Period Signals

Testing of the Interference Immunity of the GNSS Receiver for UAVs and Drones

Diplomarbeit. Adaptive Analog-to-Digital Conversion and pre-correlation Interference Mitigation Techniques in a GNSS receiver.

Mitigate Effects of Multipath Interference at GPS Using Separate Antennas

Transcription:

Security of Global Navigation Satellite Systems (GNSS) GPS Fundamentals GPS Signal Spoofing Attack Spoofing Detection Techniques

Global Navigation Satellite Systems (GNSS) Umbrella term for navigation systems using satellite data for their operation Major systems GPS (USA) Galileo (Europe) GLONASS (Russia) Differs in carrier frequency and data modulation methods. Navigation solution estimation methods are similar. 2

Time-of-flight (ToF) based Distance Estimation Transmitted signal t t Received signal t t D D = c t, where c is the speed of light (3x1 8 m/s) The clocks at both the transmitter and receiver needs to tightly in sync. Sync error of 1us between the Tx and Rx results in distance estimation error of ~3 m. * Adapted from ublox GPS manual 3

2D Trilateration User location determined based on distances Not to be confused with triangulation (which involves measurement of angles) y (x sati,y sati ) t i Known transmitter locations Signal transit times (x sat1,y sat1 ) (x sat2,y sat2 ) t 1 t 2 R i = c (x, y) t i Distance from the transmitter Receiver location t 3 (x sat3,y sat3 ) R 1 = p (x sat1 x) 2 +(y sat1 y) 2 R 2 = p (x sat2 x) 2 +(y sat2 y) 2 R 3 = p (x sat3 x) 2 +(y sat3 y) 2 x 4

Trilateration in GPS 3 spheres intersect at 2 distinct points. One of the points is usually discarded since it will be far away from earth. But, we require four satellites to determine an user s location. Why? Hint: Time Satellites have atomic clocks on-board and hence, the time of transmission of the GPS signal is known precisely. The receiver clocks are not atomic and not tightly synced to that on the satellites which introduces error in the TOA measurement at the receiver. ² 1 us à 3 m error in position estimation Hence, a fourth pseudorange (truerange+clock error) measurement is used to determine the correct user location. 5

GPS: Estimating Position Sat1 Sat2 t 1 t 2 Sat3 t 3 t 4 Sat4 (x sati,y sati,z sati ) (x, y, z) t i Receiver clock error Known satellite coordinates User co-ordinates Signal transit times PSR 1 = p (x sat1 x) 2 +(y sat1 y)+(z sat1 z) 2 + c PSR 2 = p (x sat2 x) 2 +(y sat2 y)+(z sat2 z) 2 + c PSR 3 = p (x sat3 x) 2 +(y sat3 y)+(z sat3 z) 2 + c PSR 4 = p (x sat4 x) 2 +(y sat4 y)+(z sat4 z) 2 + c (x, y, z) is determined by solving the above equations using Taylor series linearization and simplification 6

Global Positioning System (GPS) Space Segment 32 satellites transmitting radio signals from about 2,2 Km above Coded ranging signals, satellite position information, almanac, atmospheric error correction factors Atmospheric data, clock error correction, orbit corrections User Segment Control Segment 7

GPS Satellite Signal Structure and Generation Carrier frequency generator 1575.42 MHz PRN code generator 1.23 MHz Data generator (C/A code) 5 Bit/sec Data 1 1 L1 carrier C/A code Data Multiplier Exclusive-or Transmitted satellite signal (BPSK) Civilian GPS data is transmitted on the 1575.42 MHz carrier. Each satellite uses a unique pseudorandom code (C/A code) to spread its data (DSSS). Each civilian C/A code is 1,23 bits long and is public. Military uses 767,25 bits long secret pseudorandom code for spreading. Data is transmitted at 5 bps and contains information such as orbital data for all satellites (ephemeris and almanac), atmospheric error correction factors, satellite health 8

Typical GPS Receiver Signal IN RF frontend Reference oscilator Correlator, DSP Processor Output (NMEA, UBX..) The GPS signal travels ~2, Km. Typical received signal power is -13 dbm (1x1-18 Watts). RF Frontend: Pre-amplification, filtering, intermediate frequency conversion. Correlating the received signal with each of the pseudorandom (PRN) code ascertains the signal transit time. Correlation additionally improves the signal to noise ratio ( amplifies ) the signal above the standard noise level. Processor calculates the position and time and outputs the information in different formats (NMEA, UBX,SiRF etc.) 9

Physical-layer Security of GPS Systems 1

Security of GPS Systems The pseudo code used by the satellites to transmit data are public. No means of authenticating GPS signal. Galileo offers authentication to premium users Commercial GPS signal simulators are available. Typically used for development and testing of GPS modules Capable of record and replay, real time GPS signal generation for static and dynamic (route simulation) scenarios, configurable power levels and so on.. 11

Signal Spoofing Attack on GPS Attacker We attack here GPS Receiver Output (NMEA, UBX..) GPS signal spoofing Attack is at the physical layer (not a software/application layer attack). Fake GPS signals are transmitted at a higher power. The signals are crafted such that they are identical to the satellite signals potentially received at the spoofed location. The GPS receiver processes the spoofed signals and computes the location (which will result in a new spoofed location different from the actual location of the receiver. 12

GPS Spoofing Detection Methods RF IN GPS Receiver Output data interface Common receiver observables based Standardized data exchange format (e.g., NMEA) outputs information such as geographic position (lat, long, alt), #visible satellites, time and date, received signal strength from each of the visible satellite etc. Several detection schemes based on the above have been proposed. No modifications to the receiver required. RF signal physical characteristics based Estimating Angle of arrival, carrier phase based detection (introducing random antenna motion) Requires modification to the receiver signal processing hardware. 13

Receiver Observables Based Spoofing Detection Schemes AGC value (%) 45 4 35 3 25 2 15 1 Variation of AGC values due to GPS spoofing Spoofer ON Automatic Gain Controller* varies the gain of the internal amplifier so as to account for the dynamic nature of GPS input signal. Gain is increased for weak input signals and reduced for stronger signals (to prevent saturation) 5 2 4 6 8 1 12 14 16 18 Time samples 2 Variation of noise values due to GPS spoofing 18 dbm 16 14 12 1 Typical noise floor level is around -12 dbm. Presence of a nearby spoofer could cause distinct changes to the observed noise level. 8 6 4 2 4 6 8 1 12 14 16 18 Time samples * Who s Afraid of the Spoofer? GPS/GNSS Spoofing Detection via Automatic Gain Control (AGC), Dennis M Akos., Journal of Navigation. 14

Receiver Observables Based Spoofing Detection Schemes Spoofing detection based on # visible satellites 16 No. of visible satellites 14 12 1 8 6 4 During spoofing, the number of visible satellites can increase beyond a certain threshold. Typically, 4-8 satellites are visible. 2 2 4 6 8 1 12 14 16 18 Time samples Is GPS spoofing still a threat? Drawbacks? 15

GPS Spoofing: Dynamic Scenario Previous Experimental Setup Receiver was static (no movement) No external interference Little disturbance from the environment In a real-world dynamic scenario 84 Bracelet AGC values without spoofing 82 AGC value (%) 8 78 76 74 Multipath reflections, other radio interferences, weather changes (cloudy vs clear skies) 72 7 5 1 15 2 25 Time samples 16

Angle of Arrival based GPS Spoofing Detection Src Sat1 Sat2 Sat3 Sat4 1 2 3 4 = f(,d) D receiver receiver Angle of arrival is a function of the measured signal phase difference (Φ) at both the antennas and their separation D. 17 Spoofed scenario: 1 2 3 4 Phase measurement is computationally expensive and requires receiver hardware modifications. Montgomery, P.Y., T.E. Humphreys, B.M. Ledvina, "A Multi-Antenna Defense Receiver-Autonomous GPS Spoofing Detection," InsideGNSS, 29.

A Multi-Receiver Approach t 2 t 3 t 1 t 2 t 3 t 4 t t 4 1 t 4 t 1 t 2 t 3 R 1 R 2 L 1 R 1 R 1 L i V t i V Signal transit times Receiver locations Spoofed location L 1 V L 2 Nils Ole Tippenhauer, Christina Pöpper, Kasper Bonne Rasmussen, Srdjan Capkun, On the Requirements for Successful GPS Spoofing Attacks, In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 211 18

Group Spoofing Problem The GPS Group Spoofing Problem is the problem of finding combinations of GPS signals (sent by the attacker), transmission times (when the spoofing signals are sent), and physical transmission locations (from where the attacker transmits) such that the location or time of each victim is spoofed to the desired location. R 1 L 1 R 2 L 2 R 1 L 1 R 2 L 2 R 3 L 3 R 3 L 3 L I are spoofed locations 19

Group Spoofing: Possible Attacker Positions z 15 1 5 5 1 15 4 2 y 2 4 2 (a) 2 receivers 16 12 8 x 4 z 15 1 5 5 1 15 4 2 y 2 4 2 (b) 3 receivers 16 12 8 x 4 z 15 1 5 5 1 15 4 2 y 2 4 2 (c) 4 receivers 16 12 8 x 4 Spoofing to Spoofing to multiple e 5: Visualization of possible attacker placements. For (a) two victims, all points on the hyperboloid are viable solutions; for (b one location locations (preserved formation) victims the solutions lie on a curve (red/white intersection); and (c) for four victims only two points are viable solutions (white. n Civ. & Mil. GPS Civilian GPS Military GPS 1 Pi A 2 R 3 - - 2 Pi A 2 R 3 set of hyperboloids one hyperboloid A 3 =( 2, 2, ) for the claimed satellite 3 positions Pi A 2 Rin 3 the GPS set of intersections Result 5. intersection In a GPS of group spoofing attack on four victims V 1,...,V ges. This determines three hyperboloids relative to P 1 of and two hyperboloids to specific two locations hyperboloids L j and time offsets j, there are at most two sed on b 112, b 212, and b 312. 4 Pi A 2 R 3 set of 2 points possible placements 2 points for Pi A to impersonate a satellite at L A i. These 5 Pi A 2 R 3 set of pointsare the intersection 1 point points of three hyperboloids defined by b i12 lt 3. A necessary condition for a successful GPS group spooftack is2 that 8V j,v k, 8s i, b ijk apple P j P k. b i13,b i14. As previously, to show this, we consider each signal s A i sepa

Multi-receiver Spoofing Countermeasure The GPS receivers are setup on a cargo ship with a known formation and the receivers exchange their location information between them. If the reported individual locations do not match the known formation then a possible spoofing attack can de detected. GPS Receivers 21

Ongoing Work Effectiveness of the multi-receiver countermeasure in real-world high multipath environment. Feasibility of group spoofing using multiple spoofers Effectiveness of receiver observable based spoofing detection schemes in various environmental conditions. Generalization of the group spoofing problem for n receivers. 22

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback