
Assessing the Civil GPS Spoofing Threat


1 Assessing the Civil GPS Spoofing Threat
Todd Humphreys, Jahshan Bhatti (University of Texas at Austin); Brent Ledvina (Virginia Tech/Coherent Navigation); Mark Psiaki, Brady O’Hanlon, Paul Kintner (Cornell University); Paul Montgomery (Novariant)

2 Spoofing Threat Overview
- “As GPS further penetrates into the civil infrastructure, it becomes a tempting target that could be exploited by individuals, groups, or countries hostile to the U.S.” (DOT Volpe Report)
- “There also is no open information on ... the expected capabilities of spoofing systems made from commercial components.” “Information on the capabilities, limitations, and operational procedures [of spoofers] would help identify vulnerable areas and detection strategies.” (DOT Volpe Report)
- Logan Scott, “Anti-Spoofing & Authenticated Signal Architectures for Civil Navigation Systems,” ION GNSS 2003.
- “A gathering threat …” (Logan Scott, “Location Assurance,” GPS World, July 2007)
- “Signal definition inertia is enormous.” (T. Stansell, “Location Assurance Commentary,” GPS World, July 2007)
- September 2008: Humphreys, Ledvina et al. present work on a civil spoofer.
- December 2009: Civilian GPS receivers as vulnerable as ever.

3 GPS: Dependency Begets Vulnerability
[Figure: Banking and Finance, Communications, Energy, Transportation (from Dane Egli, IDA)]

Over the last decade, GPS has woven its way into the fabric of our national infrastructure. Major portions of the power grid are phase-synchronized with GPS, the banking and finance sector depends on GPS to time-stamp transactions, and communication and transportation networks rely on GPS for synchronization and self-organization. In some of these applications, GPS has displaced a legacy technique which is still used as a backup. But GPS has proven so convenient and reliable that backup synchronization and positioning techniques are increasingly being discarded. Such dependency begets vulnerability.

4 Suggested Spoofing Countermeasures
Suggested by Dept. of Homeland Security (Warner and Johnston, “GPS Spoofing Countermeasures,” 2003):
- Monitor the relative GPS signal strength
- Monitor satellite identification codes and the number of satellite signals received
- Check the time intervals
- Do a time comparison (look at code phase jitter)
- Perform a sanity check (compare with IMU)
- Monitor the absolute GPS signal strength
Other suggested techniques:
- Employ two antennas; check relative phase against known satellite directions
- Cryptographic methods: encrypt navigation data bits; spreading code authentication

Some of the reluctance to taking spoofing seriously was based on the notion that a spoofing attack would be difficult to mount and easy to detect. Most analysts had in mind an adversary with a 200 k signal simulator, and they noted the expense and the difficulty of synchronizing such a simulator with the GPS constellation. This is too traditional a mentality. It’s naïve to assume that malefactors are any less clever than we are. To accurately assess the spoofing threat and to design effective practical countermeasures, we concluded that it was necessary to go through the exercise of building a civilian GPS spoofer.
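The stand-alone checks listed above can be run as simple rules over the observables a receiver already produces each epoch. The following Python is an added example written for this page; it is not code from the presentation or from the GRID receiver. The epoch records are constructed sample data, and every threshold (`MAX_PLAUSIBLE_CN0_DBHZ`, `MIN_CN0_SPREAD_DB`, `MAX_SV_SET_CHANGE`, `MAX_CLOCK_RATE_S_PER_S`) is an assumed illustrative value rather than a figure from the slides.

```python
"""Receiver-observable spoofing indicators (added example; thresholds are assumptions).

Implements four of the checks the slide lists: absolute and relative signal
strength, satellite identity/count, and time-interval (clock) sanity.
"""

# Illustrative thresholds: assumptions to be tuned per receiver and antenna.
MAX_PLAUSIBLE_CN0_DBHZ = 50.0     # authentic L1 C/A at ground level rarely exceeds ~50 dB-Hz
MIN_CN0_SPREAD_DB = 2.0           # authentic C/N0 varies with elevation; a flat set is suspicious
MAX_SV_SET_CHANGE = 3             # PRNs that may enter/leave the tracked set in one epoch
MAX_CLOCK_RATE_S_PER_S = 1e-6     # receiver clock-bias change per second beyond normal drift


def check_epoch(prev, cur):
    """Return a list of (check, detail) alerts for epoch `cur`, compared with `prev` (or None).

    Each epoch is a dict: {"t": seconds, "clock_bias_s": float, "cn0": {prn: dB-Hz}}.
    """
    alerts = []
    cn0 = cur["cn0"]

    # 1. Absolute signal strength: no real satellite should look this strong.
    too_strong = sorted(prn for prn, v in cn0.items() if v > MAX_PLAUSIBLE_CN0_DBHZ)
    if too_strong:
        alerts.append(("absolute_cn0", f"implausibly strong PRNs {too_strong}"))

    # 2. Relative signal strength: a single transmitter delivers near-identical power on every PRN.
    if len(cn0) >= 4 and max(cn0.values()) - min(cn0.values()) < MIN_CN0_SPREAD_DB:
        alerts.append(("relative_cn0", "tracked PRNs have nearly identical C/N0"))

    if prev is not None:
        # 3. Satellite identity and count: the visible set should change slowly.
        changed = set(prev["cn0"]) ^ set(cn0)
        if len(changed) > MAX_SV_SET_CHANGE:
            alerts.append(("sv_set", f"{len(changed)} PRNs changed between epochs"))

        # 4. Time intervals: the clock bias should evolve at a physically plausible rate.
        dt = cur["t"] - prev["t"]
        if dt > 0:
            rate = abs(cur["clock_bias_s"] - prev["clock_bias_s"]) / dt
            if rate > MAX_CLOCK_RATE_S_PER_S:
                alerts.append(("clock", f"clock bias moved {rate:.2e} s/s"))
    return alerts


def scan(epochs):
    """Run check_epoch over a sequence of epochs; return [(t, check, detail), ...]."""
    findings, prev = [], None
    for ep in epochs:
        findings.extend((ep["t"], name, detail) for name, detail in check_epoch(prev, ep))
        prev = ep
    return findings


def constructed_epochs():
    """Constructed sample data, not a real capture.

    Epochs 0-2 resemble an authentic sky view (C/N0 spread with elevation, slow clock drift).
    Epoch 3 is what a receiver would report once a single counterfeit signal set has taken over:
    a different, uniformly strong PRN set and a jump in clock bias.
    """
    return [
        {"t": 0, "clock_bias_s": 12.000e-6, "cn0": {3: 44.0, 7: 47.5, 12: 41.0, 19: 38.5, 23: 45.0}},
        {"t": 1, "clock_bias_s": 12.001e-6, "cn0": {3: 44.2, 7: 47.4, 12: 41.1, 19: 38.7, 23: 44.9}},
        {"t": 2, "clock_bias_s": 12.002e-6, "cn0": {3: 44.1, 7: 47.6, 12: 40.9, 19: 38.6, 23: 45.1}},
        {"t": 3, "clock_bias_s": 15.000e-6, "cn0": {1: 53.0, 5: 53.2, 9: 52.8, 14: 53.1, 26: 53.0}},
    ]


if __name__ == "__main__":
    for t, check, detail in scan(constructed_epochs()):
        print(f"t={t}s  {check:13s} {detail}")
```

Each rule fires on its own, so a receiver can log them separately and decide how many must coincide before it distrusts its fix; as the later slides note, none of these stand-alone checks holds up against a carefully power-matched, phase-aligned attack, which is the argument for the cryptographic and multi-antenna defenses.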

5 Goals
Assess the spoofing threat:
- Build a civilian GPS spoofer
- Q: How hard is it to mount a spoofing attack?
- Q: How easy is it to detect a spoofing attack?
Investigate spoofing countermeasures:
- Stand-alone receiver-based defenses
- More exotic defenses

Despite the alarm raised by the DOT and their pleas for more research to be done, civil spoofing has not been the focus of much research in the open literature. There may be classified civil spoofing research being done, but none of it seems to be finding its way into receivers. People are simply not worried about the threat. That’s not irrational – the risk of a spoofing attack is probably low. But how low? For years it was claimed that there is no reason to worry because mounting a spoofing attack is too hard. It’s much easier to interfere with GPS via jamming. But as I mentioned before, spoofing is of a different nature from interference. You know you’re being jammed – or at least that your GPS receiver isn’t working. With spoofing, you don’t know anything is wrong until it’s too late. Hence there are reasons for malefactors to prefer spoofing over jamming. And that leads us back to our question about risk: Is spoofing really so unlikely? Our experience building a spoofer has led us to conclude the following: spoofing is hard just as chess is hard. If you’re playing against an 8-year-old cub scout, you can’t help but pull it off. If you’re going against Garry Kasparov, it’s hopeless. A civil receiver with no spoofing defenses is like the cub scout. A civil receiver with cryptographic authentication is like Kasparov. The trouble is, they’re all cub scouts.

6 Spoofing Threat Continuum
To further refine the threat assessment, we considered three different classes of spoofer:
- Simplistic: commercial signal simulator
- Intermediate: portable software radio
- Sophisticated: coordinated attack by multiple phase-locked spoofers

7 The Most Likely Threat: A Portable Receiver-Spoofer
By the way, we aren’t the first to recognize the threat posed by an attack of this type (Logan Scott mentioned it), but, as far as we know, we are the first to actually build a receiver-spoofer, test it out, and report on it publicly. Put the Volpe report notes here, or just paraphrase them. Can’t use RAIM because all the spoofing signals are orchestrated to move together, just like they would if your receiver were actually moving off of its actual path.

I don’t want you to be alarmed by what I’m about to say, and I want you all to understand that my colleagues and I are well aware of the risks involved. The fact is that my colleagues and I have completed a functioning portable GPS spoofer. I know this might sound dangerous to you, dangerous and subversive. Building a civilian GPS spoofer. I don’t disagree. At a recent Cornell faculty dinner one of the Aerospace faculty members called me a “hacker with a Ph.D.” My colleagues and I are cognizant of the risks, but we’re also convinced that this is, in fact, the responsible thing to do, and the only way forward if we want to prepare for this threat.

The portable receiver-spoofer architecture simplifies a spoofing attack.

8 Receiver-Spoofer Architecture
[Block diagram components] GP2015 RF front end (sign, mag, clk outputs); Cornell “GRID” software-defined GPS receiver running on a Texas Instruments DSP: software correlators, FFT-based acquisition, tracking loops, data decoding, observables calculations; spoofer module; D/A, mixing, amplification (sign, clk).

9 Signal Correlation Techniques (1/2)

10 Signal Correlation Techniques (2/2)

11 Details of Receiver-Spoofer
Red denotes challenging parts.

12 Receiver-Spoofer Hardware – DSP Box
GRID: Dual-Frequency Software-Defined GPS Receiver
- All digital signal processing implemented in C++ on a high-end DSP
- Marginal computational demands:
  - Tracking: ~1.2% of DSP per channel
  - Spoofing: ~4% of DSP per channel

13 Spoofer RF Transmission Hardware

14 Full Receiver-Spoofer
Full capability:
- 12 L1 C/A & 10 L2C tracking channels
- 10 L1 C/A simulation channels
- 1 Hz navigation solution
- Acquisition in background

This GPS Assimilator prototype has been implemented on a software-defined GNSS radio platform that Dr. Humphreys pioneered at Cornell University and continues to develop in the UT Radionavigation Laboratory. The flexibility that software-defined radio affords is key to cutting-edge GNSS research. By swapping in different versions of the operating software, the platform seen above can be made by turns into a dual-frequency GPS receiver, a jammer locator, a receiver-spoofer, and a GPS Assimilator.

15 Spoofing Attack Demonstration (offline)

16 Spoofing Attack Demonstration (real-time, over-the-air)

17 Countermeasures (1/5) Data bit latency defense
- Defense: hard to retransmit data bits with < 1 ms latency
- Circumvention: jam first, then spoof
- Defense: a jam-then-spoof attack may raise an alarm
- Circumvention: predict data bits
- Defense: hard to predict data bits during protected words and at ephemeris update boundaries
- Circumvention: arbitrarily populate protected words, continue across the ephemeris boundary with old data
- Conclusion: no stand-alone countermeasure – must appeal to data bit aiding

18 Countermeasures (2/5) Vestigial signal defense
- Defense: hard to conceal the telltale peak in the autocorrelation function
- Circumvention: masquerade as multipath
- Defense: limits perturbation to < 1 chip
- Circumvention: suppress the authentic peak
- Defense: requires phase alignment for each signal at the target antenna
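The vestigial signal defense comes down to looking at the whole correlation function rather than only the peak the tracking loop is locked to. The following Python is an added example written for this page, not code from the presentation or the GRID receiver. It generates the L1 C/A spreading code for a PRN from the standard G1/G2 generator, builds constructed baseband samples (one sample per chip, one code period) from one or more code replicas plus noise, correlates them at every code-phase lag, and raises an alert when more than one distinct peak survives. The threshold (`rel_threshold`), the peak-merging distance and the sample scenarios are assumptions made for the demonstration.

```python
"""Vestigial-signal check on the C/A code correlation function (added example).

Generates the PRN spreading code, correlates constructed baseband samples
against it at every code-phase lag, and flags a second correlation peak.
"""
import random

CODE_LENGTH = 1023

# G2 phase-selector taps for the first few PRNs (IS-GPS-200 table); others can be added.
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9), 5: (1, 9), 6: (2, 10), 7: (1, 8)}


def ca_code(prn):
    """Return the 1023-chip GPS L1 C/A Gold code for `prn` as a list of 0/1 chips."""
    t1, t2 = G2_TAPS[prn]
    g1 = [1] * 10                      # G1: 1 + x^3 + x^10, all-ones initial state
    g2 = [1] * 10                      # G2: 1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^10
    chips = []
    for _ in range(CODE_LENGTH):
        chips.append(g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1])
        f1 = g1[2] ^ g1[9]
        f2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]
        g1 = [f1] + g1[:9]
        g2 = [f2] + g2[:9]
    return chips


def bpsk(chips):
    """Map chips to +/-1 samples, one sample per chip."""
    return [1.0 if c else -1.0 for c in chips]


def synthesize(code, components, noise_sigma=0.3, seed=1):
    """Constructed baseband samples: a sum of code replicas given as (code_phase_chips, amplitude).

    One replica stands for the authentic signal; additional ones stand for whatever else
    arrives at the antenna (multipath, or a counterfeit signal that has not suppressed it).
    """
    ref = bpsk(code)
    rng = random.Random(seed)
    return [sum(amp * ref[(k - tau) % CODE_LENGTH] for tau, amp in components)
            + rng.gauss(0.0, noise_sigma) for k in range(CODE_LENGTH)]


def correlate(samples, code):
    """Circular correlation of one code period of samples with the local replica, all lags."""
    ref = bpsk(code)
    return [sum(samples[(i + lag) % CODE_LENGTH] * ref[i] for i in range(CODE_LENGTH))
            for lag in range(CODE_LENGTH)]


def find_peaks(corr, rel_threshold=0.5, min_separation=2):
    """Lags whose correlation exceeds rel_threshold * max; lags within min_separation merge."""
    limit = rel_threshold * max(corr)
    groups = []
    for lag, v in enumerate(corr):
        if v < limit:
            continue
        if groups and lag - groups[-1][-1] <= min_separation:
            groups[-1].append(lag)
        else:
            groups.append([lag])
    return [max(g, key=lambda l: corr[l]) for g in groups]


def vestigial_check(samples, code):
    """Return {"peaks": [lags], "alert": bool}; alert when more than one distinct peak survives."""
    peaks = find_peaks(correlate(samples, code))
    return {"peaks": peaks, "alert": len(peaks) > 1}


if __name__ == "__main__":
    prn1 = ca_code(1)
    print(vestigial_check(synthesize(prn1, [(300, 1.0)]), prn1))             # single peak
    print(vestigial_check(synthesize(prn1, [(300, 1.0), (420, 1.3)]), prn1))  # vestigial peak
```

At one sample per chip a second replica within about a chip of the authentic peak merges into it, which is exactly the "masquerade as multipath, < 1 chip" limit the slide describes; separating those cases needs finer sampling and a multipath-aware estimator. And if the authentic peak has been suppressed there is nothing vestigial left to find, which is why the slide pairs that option with the phase-alignment requirement at the target antenna.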

19 Countermeasures (3/5) Multi-antenna defense [slide footer: 2/11/09 Proprietary]
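The multi-antenna defense on this slide and the "employ two antennas; check relative phase against known satellite directions" item on slide 4 rest on one geometric fact: the carrier phase difference between two antennas depends on where each signal arrives from. The following Python is an added example written for this page, not code from the presentation. It predicts the single-difference L1 carrier phase for a known baseline and satellite direction, then checks that every tracked PRN's observed-minus-predicted residual agrees on one common receiver bias; signals that all arrive from a single direction cannot satisfy that. The baseline `BASELINE_ENU_M`, the sky (`SKY`), the bias, the noise values and the spread threshold are constructed assumptions.

```python
"""Two-antenna direction-of-arrival consistency check (added example).

The single-difference carrier phase between two antennas depends on the
satellite's line of sight; signals that all arrive from one direction break
that dependence. Geometry, baseline, and observations are constructed.
"""
import math

L1_WAVELENGTH_M = 299792458.0 / 1575.42e6   # ~0.1903 m

# Assumed baseline from antenna A to antenna B in local east/north/up metres.
BASELINE_ENU_M = (0.5, 0.0, 0.0)


def los_unit_enu(elev_deg, az_deg):
    """Unit vector from the receiver toward a satellite, ENU frame, azimuth clockwise from north."""
    e, a = math.radians(elev_deg), math.radians(az_deg)
    return (math.cos(e) * math.sin(a), math.cos(e) * math.cos(a), math.sin(e))


def predicted_sd_cycles(baseline_enu, elev_deg, az_deg):
    """Expected A-minus-B carrier phase difference, in L1 cycles, for a plane wave from (elev, az)."""
    u = los_unit_enu(elev_deg, az_deg)
    return sum(b * ui for b, ui in zip(baseline_enu, u)) / L1_WAVELENGTH_M


def wrap_cycles(x):
    """Wrap a phase to (-0.5, 0.5] cycles so integer ambiguities drop out."""
    return x - math.floor(x + 0.5)


def direction_check(baseline_enu, observations, max_spread_cycles=0.1):
    """observations: list of (prn, elev_deg, az_deg, observed_sd_cycles).

    Residual = observed - predicted should equal one common receiver bias for every PRN
    when the signals truly arrive from their satellites' directions.
    """
    residuals = [wrap_cycles(obs - predicted_sd_cycles(baseline_enu, el, az))
                 for _, el, az, obs in observations]
    # Circular mean estimates the common bias without unwrapping.
    bias = math.atan2(sum(math.sin(2 * math.pi * r) for r in residuals),
                      sum(math.cos(2 * math.pi * r) for r in residuals)) / (2 * math.pi)
    spread = max(abs(wrap_cycles(r - bias)) for r in residuals)
    return {"bias_cycles": bias, "spread_cycles": spread, "alert": spread > max_spread_cycles}


# Constructed sky view: (prn, elevation deg, azimuth deg), as an almanac would give it.
SKY = [(3, 60.0, 30.0), (7, 25.0, 120.0), (12, 45.0, 200.0), (19, 70.0, 300.0), (23, 15.0, 80.0)]
COMMON_BIAS_CYCLES = 0.23            # assumed cable/receiver offset, unknown to the check
PHASE_NOISE_CYCLES = [0.004, -0.006, 0.009, -0.003, 0.002]   # constructed, deterministic


def constructed_observations(single_source=None):
    """Constructed phase observations. With single_source=(elev, az) every PRN arrives from that
    one direction, as it would from a single transmit antenna; otherwise from its true direction."""
    obs = []
    for (prn, el, az), n in zip(SKY, PHASE_NOISE_CYCLES):
        src_el, src_az = single_source if single_source else (el, az)
        phase = predicted_sd_cycles(BASELINE_ENU_M, src_el, src_az) + COMMON_BIAS_CYCLES + n
        obs.append((prn, el, az, wrap_cycles(phase)))
    return obs


if __name__ == "__main__":
    print(direction_check(BASELINE_ENU_M, constructed_observations()))
    print(direction_check(BASELINE_ENU_M, constructed_observations(single_source=(5.0, 180.0))))
```

Only fractional cycles are used, so the integer ambiguities never need resolving, but the baseline vector must be known in the local frame (the platform's attitude is an input). As the threat continuum on slide 6 and the phase-alignment row on slide 18 both imply, this check is defeated only by the sophisticated case of several phase-locked transmit antennas, not by a single portable unit.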

20 Countermeasures (4/5) Assimilative defense
This slide shows a novel application that we consider a real breakthrough for modernizing and robustifying GNSS receivers: the GPS Assimilator. The Assimilator can be used to upgrade existing Global Navigation Satellite System (GNSS) user equipment, without requiring hardware or software modifications to the equipment, to improve the equipment's position, velocity, and time (PVT) accuracy, to increase its PVT robustness in weak-signal or jammed environments, and to protect the equipment from counterfeit GNSS signals (GNSS spoofing).

The Assimilator couples to the radio frequency (RF) input of existing GNSS equipment, such as a GPS receiver. It extracts navigation and timing information from RF signals in its environment, including non-GNSS signals, and from direct baseband aiding provided, for example, by an inertial navigation system, a frequency reference, or the GNSS user. It then optimally fuses the collective navigation and timing information to produce a PVT solution which, by virtue of the diverse navigation and timing sources on which it is based, is highly accurate and inherently robust to GNSS signal obstruction and jamming. The Assimilator embeds the PVT solution in a synthesized set of GNSS signals and injects these into the RF input of a target GNSS receiver for which an accurate and robust PVT solution is desired. The code and carrier phases of the synthesized GNSS signals can be aligned with those of the actual GNSS signals at the input to the target receiver. Such phase alignment implies that the synthesized signals appear exactly as the authentic signals to the target receiver, which enables a user to “hot plug” the Assimilator into a target receiver with no interruption in PVT.
Besides improving the PVT accuracy and robustness of the target receiver, the Assimilator also protects the target receiver from GNSS spoofing by continuously scanning incoming GNSS signals for signs of spoofing, and, to the extent possible, eliminating spoofing effects from the GNSS signals it synthesizes.

The GPS Assimilator modernizes and makes existing GPS equipment resistant to jamming and spoofing without requiring hardware or software changes to the equipment.

21 Countermeasures (5/5) Cryptographic defense based on estimation of W-bits
[Block diagram] User equipment: UE receiver with semi-codeless processing (L1 C/A & P(Y)), integrate-and-dump register producing W_est, public key decryptor, spoofing detector comparing W_true against W_est. New infrastructure: high-gain ground-based antenna array with a UE receiver for truth W-bit data, public key encryptor, secure uplink, GEO “bent-pipe” broadcast transceiver. Signal source: GPS transmitter.

22 Findings (1/2)
Bad news: It’s straightforward to mount an intermediate-level spoofing attack
Good news: It’s hard to mount a sophisticated spoofing attack, and there appear to be inexpensive defenses against lesser attacks
There is no defense short of embedding cryptographic signatures in the spreading codes that will defeat a sophisticated spoofing attack

23 Findings (2/2)
Good news: With the addition of each new modernized GNSS signal, the cost of mounting a spoofing attack rises markedly
Bad news: FPGAs or faster DSPs would make multi-signal attacks possible
More bad news: There will remain many single-frequency L1 C/A code receivers in critical applications in the years ahead

24 Are We Safe Yet?
No. There is much, much work to be done:
- Characterization of spoofing signatures in a full RF attack
- Development and testing of more effective countermeasures, including stand-alone countermeasures and network-based cryptographic countermeasures
- Encourage commercial receiver manufacturers to adopt spoofing countermeasures

