Assessing the Civil GPS Spoofing Threat Todd Humphreys, Jahshan Bhatti, University of Texas at Austin Brent Ledvina, Virginia Tech/Coherent Navigation Mark Psiaki, Brady O’ Hanlon, Paul Kintner, Cornell University Paul Montgomery, Novariant
Spoofing Threat Overview “As GPS further penetrates into the civil infrastructure, it becomes a tempting target that could be exploited by individuals, groups, or countries hostile to the U.S.” -- 2001 DOT Volpe Report “There also is no open information on ... the expected capabilities of spoofing systems made from commercial components.” “Information on the capabilities, limitations, and operational procedures [of spoofers] would help identify vulnerable areas and detection strategies.” -- 2001 DOT Volpe Report Logan Scott, “Anti-Spoofing & Authenticated Signal Architectures for Civil Navigation Systems,” ION GNSS 2003. “A gathering threat …” -- Logan Scott, “Location Assurance,” GPS World, July 2007 “Signal definition intertia is enormous.” -- T. Stansell, “Location Assurance Commentary,” GPS World, July 2007 September 2008: Humphreys, Ledvina et al. present work on civil spoofer. December 2009: Civilian GPS receivers as vulnerable as ever.
GPS: Dependency Begets Vulnerability Banking and Finance Communications Energy Transportation From Dane Egli, IDA Banking and Finance Communications Energy Transportation Banking and Finance Communications Energy Transportation From Dane Egli, IDA Over the last decade, GPS has woven its way into the fabric of our national infrastructure. Major portions of the power grid are phase-synchronized with GPS, the banking and finance sector depends on GPS to time-stamp transactions, and communication and transportation networks rely on GPS for synchronization and self-organization. In some of these applications, GPS has displaced a legacy technique which is still used as a backup. But GPS has proven so convenient and reliable that backup synchronization and positioning techniques are increasingly being discarded. Such dependency begets vulnerability. From Dane Egli, IDA
Suggested Spoofing Countermeasures Monitor the relative GPS signal strength Monitor satellite identification codes and the number of satellite signals received Check the time intervals Do a time comparison (look at code phase jitter) Perform a sanity check (compare with IMU) Monitor the absolute GPS signal strength Suggested by Dept.of Homeland Security Warner and Johnston, “GPS Spoofing Countermeasures,” 2003 http:/www.homelandsecurity.org/bulletin/Dual%20Benefit/warner_gps_spoofing.html Other Suggested Techniques Some of the reluctance to taking spoofing seriously was based on the notion that a spoofing attack would be difficult to mount and easy to detect. Most analysts had in mind an adversary with a 200 k signal simulator and they noted the expense and the difficulty synchronizing such a simulator with the GPS constellation. This is too traditional a mentality. It’s naïve to assume that malefactors are any less clever than we are. Employ two antennas; check relative phase against known satellite directions Cryptographic methods: Encrypt navigation data bits Spreading code authentication To accurately assess the spoofing threat and to design effective practical countermeasures, we concluded that it was necessary to go through the exercise of building a civilian GPS spoofer
Goals Assess the spoofing threat: Build a civilian GPS spoofer Q: How hard is it to mount a spoofing attack? Q: How easy is it to detect a spoofing attack? Investigate spoofing countermeasures: Stand-alone receiver-based defenses More exotic defenses Despite the alarm raised by the DOT and their pleas for more research to be done, civil spoofing has not been the focus of much research in the open literature. There may be classified civil spoofing research being done, but none of it seems to be finding its way into receivers. People are simply not worried about the threat. That’s not irrational – the risk of a spoofing attack is probably low. But how low? For years it was claimed that there is no reason to worry because mounting a spoofing attack is too hard. It’s much easier to interfere with GPS via jamming. But as I mentioned before, spoofing is of a different nature from interference. You know you’re being jammed – or at least that your GPS receiver isn’t working. With spoofing, you don’t know anything is wrong until it’s too late. Hence, hence there are reasons for malefactors to prefer spoofing over jamming. And that leads us back to our question about risk: Is spoofing really so unlikely? Our experience building a spoofer has led us to conclude the following: spoofing is hard just as chess is hard. If you’re playing against an 8-year-old cub scount, you can’t help but pull it off. If you’re going against Gary Kasparov, it’s hopeless. A civil receiver with no spoofing defenses is like the cub scout. A civil receiver with cryptographic authentication is like Kasparov. The trouble is, they’re all cub scouts.
Spoofing Threat Continuum Simplistic Intermediate Sophisticated To further refine the threat assessment, we considered three different classes of spoofer. Commercial signal simulator Portable software radio Coordinated attack by multiple phase-locked spoofers
The Most Likely Threat: A Portable Receiver-Spoofer By the way, we aren’t the first to recognize the threat posed by an attack of this type (Logan Scott mentioned it), but, as far as we know, we are the first to actually build a receiver spoofer, test it out, and report on it publicly. Put the Volpe report notes here, or just paraphrase them. Can’t use RAIM because all the spoofing signals are orchestrated to move together just like they would if your receiver were actually moving off of its actual path. I don’t want you to be alarmed by what I’m about to say, and I want you all to understand that my colleagues and I are well aware of the risks involved. The fact is that my colleagues and I have completed a functioning portable GPS spoofer. I know this might sound dangerous to you, dangerous and subversive. Building a civilian GPS spoofer. I don’t disagree. At a recent Cornell Faculty dinner one of the Aerospace faculty members called me a “hacker with a Ph D.” My colleagues and I are cognizant of the risks, but we’re also convinced that this is, in fact, the responsible thing to do, and the only way forward if we want to prepare for this threat. The portable receiver-spoofer architecture simplifies a spoofing attack
Receiver-Spoofer Architecture D/A, Mixing, Amplification sign clk Cornell “GRID” Software-Defined GPS Receiver Texas Instruments DSP sign FFT-based Acquisition Tracking Loops, Data Decoding, Observables Calculations mag GP2015 RF Front End clk Spoofer Module Software Correlators
Signal Correlation Techniques (1/2)
Signal Correlation Techniques (2/2)
Details of Receiver-Spoofer Red denotes challenging parts.
Receiver-Spoofer Hardware – DSP Box GRID: Dual-Frequency Software-Defined GPS Receiver All digital signal processing implemented in C++ on a high-end DSP Marginal computational demands: Tracking: ~1.2% of DSP per channel Spoofing: ~4% of DSP per channel
Spoofer RF Transmission Hardware
Full Receiver-Spoofer Full capability: 12 L1 C/A & 10 L2C tracking channels 10 L1 C/A simulation channels 1 Hz navigation solution Acquisition in background This GPS Assimilator prototype had been implemented on a software-defined GNSS radio platform that Dr. Humphreys pioneered at Cornell University and continues to develop in the UT Radionavigation Laboratory. The flexibility that software-defined radio affords is key to cutting-edge GNSS research. By swapping in different versions of the operating software, the platform seen above can be made by turns into a dual-frequency GPS receiver, a jammer locator, a receiver-spoofer, and a GPS Assimilator.
Spoofing Attack Demonstration (offline)
Spoofing Attack Demonstration (real-time, over-the-air)
Countermeasures (1/5) Data bit latency defense Hard to retransmit data bits with < 1ms latency Jam first, then spoof Jam-then-spoof attack may raise alarm Predict data bits Hard to predict data bits during protected words and at ephemeris update boundaries Arbitrarily populate protected words, continue across ephemeris boundary with old data No stand-alone countermeasure – must appeal to data bit aiding Data bit latency defense
Countermeasures (2/5) Vestigial signal defense Hard to conceal telltale peak in autocorrelation function Masquerade as multipath Limits perturbation to < 1 chip Suppress authentic peak Requires phase alignment for each signal at target antenna Vestigial signal defense
Countermeasures (3/5) Multi-antenna defense 2/11/09 Proprietary 19
Countermeasures (4/5) Assimilative defense This slide shows a novel application that we consider a real breakthrough for modernizing and robustifying GNSS receivers: the GPS Assimilator. The Assimilator can be used to upgrade existing Global Navigation Satellite System (GNSS) user equipment, without requiring hardware or software modifications to the equipment, to improve the equipment's position, velocity, and time (PVT) accuracy, to increase its PVT robustness in weak-signal or jammed environments, and to protect the equipment from counterfeit GNSS signals (GNSS spoofing). The Assimilator couples to the radio frequency (RF) input of existing GNSS equipment, such as a GPS receiver. It extracts navigation and timing information from RF signals in its environment---including non-GNSS signals---and from direct baseband aiding provided, for example, by an inertial navigation system, a frequency reference, or the GNSS user. It then optimally fuses the collective navigation and timing information to produce a PVT solution which, by virtue of the diverse navigation and timing sources on which it is based, is highly accurate and inherently robust to GNSS signal obstruction and jamming. The Assimilator embeds the PVT solution in a synthesized set of GNSS signals and injects these into the RF input of a target GNSS receiver for which an accurate and robust PVT solution is desired. The code and carrier phases of the synthesized GNSS signals can be aligned with those of the actual GNSS signals at the input to the target receiver. Such phase alignment implies that the synthesized signals appear exactly as the authentic signals to the target receiver, which enables a user to ``hot plug'' the Assimilator into a target receiver with no interruption in PVT. Besides improving the PVT accuracy and robustness of the target receiver, the Assimilator also protects the target receiver from GNSS spoofing by continuously scanning incoming GNSS signals for signs of spoofing, and, to the extent possible, eliminating spoofing effects from the GNSS signals it synthesizes. The GPS Assimilator modernizes and makes existing GPS equipment resistant to jamming and spoofing without requiring hardware or software changes to the equipment
Countermeasures (5/5) Cryptographic defense based on estimation of W-bits GPS transmitter UE receiver w/semi-codeless processing High-gain ground-based antenna array Public key encryptor Secure uplink GEO “bent-pipe” broadcast transceiver UE receiver for truth W-bit data Integrate-and-dump register Public key decryptor Spoofing detector L1 C/A & P(Y) Wtrue West User Equipment New Infrastructure
Findings (1/2) Bad news: Good news: It’s straighforward to mount an intermediate-level spoofing attack Good news: It’s hard to mount a sophisticated spoofing attack, and there appear to be inexpensive defenses against lesser attacks There is no defense short of embedding cryptographic signatures in the spreading codes that will defeat a sophisticated spoofing attack
Findings (2/2) Good news: Bad news: More bad news: With the addition of each new modernized GNSS signal, the cost of mounting a spoofing attack rises markedly Bad news: FPGAs or faster DSPs would make multi-signal attacks possible More bad news: There will remain many single-frequency L1 C/A code receivers in critical applications in the years ahead
Are We Safe Yet? No. There is much much work to be done: Characterization of spoofing signatures in full RF attack Development and testing of more effective countermeasures, including stand-alone countermeasures and and network-based cryptographic countermeasures Encourage commercial receiver manufacturers to adopt spoofing countermeasures