Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Navigation and Timing Todd Humphreys | Aerospace Engineering The University of Texas at Austin LAAFB GPS Directorate | December 5, 2012.

Published byNathalie Wilbert Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Navigation and Timing Todd Humphreys | Aerospace Engineering The University of Texas at Austin LAAFB GPS Directorate | December 5, 2012."— Presentation transcript:

1 Secure Navigation and Timing Todd Humphreys | Aerospace Engineering The University of Texas at Austin LAAFB GPS Directorate | December 5, 2012

2 University of Texas Radionavigation Lab graduate students Jahshan Bhatti, Kyle Wesson, Ken Pesyna, Zak Kassas, and Daniel Shepard Mark Psiaki, Brady O’Hanlon, Ryan Mitch (Cornell) Acknowledgements

3 GPS Jammers

4 University of Texas Emitter-Localization Network (Coherent Navigation and University of Texas) Fixed EMLOC Sensor Mobile EMLOC Sensor CSR ARL MBL

5 GPS Spoofer

6

7

8

9

10

11

12 University of Texas Spoofing Testbed

13

14 Internet or LAN Receive AntennaExternal Reference Clock Control Computer GPS Spoofer UAV coordinates from tracking system Transmit Antenna Spoofed Signals as a “Virtual Tractor Beam” Target UAV Commandeering a UAV via GPS Spoofing

15 UAV Video

16 RAIM was helpful for spoofing: we couldn’t spoof all signals seen by UAV due to our reference antenna placement, but the Hornet Mini’s uBlox receiver rejected observables from authentic signals, presumably via RAIM. Overwhelming power is required for clean capture: A matched-power takeover leads to large (50-100 m) multipath-type errors as the authentic and counterfeit signals interact. The UAV’s heavy reliance on altimeter for vertical position was easily overcome by a large vertical GPS velocity. Observations (1/2)

17 GPS capture breaks flight controller’s feedback loop; now spoofer must play the role formerly assumed by GPS. Implication: Fine control of UAV requires accurate radar or LIDAR UAV tracking system. Seamless capture (no code or carrier phase unlock) requires target position knowledge to within ~50 m and velocity knowledge better than ~2 m/s. This is quite challenging for small UAV targets at long stand- off ranges (e.g., several km). Compensating for all system and geometric delays to achieve meter-level alignment is challenging but quite possible. Observations (2/2)

18 Require navigation systems for UAVs above 18 lbs to be certified “spoof-resistant” Require navigation and timing systems in critical infrastructure to be certified “spoof- resistant” “Spoof resistant” defined by ability to withstand or detect civil GPS spoofing in a battery of tests performed in a spoofing testbed (e.g., TEXBAT) Recommendations From testimony to House Committee on Homeland Security, July 19, 2012

19 Spoofing Defenses Cryptographic Non-Cryptographic Stand-Alone Networked J/N Sensing (Ward, Scott, Calgary) SSSC or NMA on WAAS (Scott, UT) Single-Antenna Spatial Correlation (Cornell, Calgary) SSSC on L1C (Scott) Correlation Anomaly Defense (TENCAP, Ledvina, Torino, UT) Sensor Diversity Defense (DARPA, BAE, UT) NMA on L2C, L5, or L1C (MITRE, Scott, UT) P(Y) Cross-Correlation (Stanford, Cornell) Multi-Element Antenna Defense (Keys, Montgomery, DLR, Stanford)

20 Navigation signal authentication is hard. Nothing is foolproof. There are no guarantees. But simple measures can vastly decrease the probability of a successful attack. Probability is the language of anti- spoofing. Symmetric-key systems (e.g., SAASM) offer short time to authenticate but require key management and tamper-proof hardware: more costly, less convenient. SAASM and M-code will never be a solution for a wide swath of applications (e.g., civil aviation, low-cost location and time authentication). Observations on Defenses (1/3)

21 Asymmetric-key (public-private key) systems have an unavoidable delay (e.g., 40 seconds between authentication of any signal) but delay can be accepted in many applications; also, for non-complicit spoofing there is no need to tamper-proof the receiver: cheaper, more convenient. Proof of location (proving to you where I am) is emerging as a vital security feature. It’s not easy: non-crypto approaches require elaborate tamper proofing; crypto approaches require high-rate security code. Beware black-market vendors with high-gain antennas who will sell an authenticated location. Observations on Defenses (2/3)

22 Crypto defenses not a panacea: Ineffective against near-zero-delay replay (entire band record and playback) attacks. Non-crypto defenses not so elegant mathematically, but can be quite effective. Observations on Defenses (3/3)

23 Cornell Moving-Antenna Spoofing Detection Range & direction of 1-D antenna phase center articulation motion Cantilevered beam String to initiate damped oscillations Cantilevered beam base attachment point Articulating GPS patch antenna Non-spoofed carrier-phase oscillation diversity Spoofed carrier-phase oscillation uniformity Antenna oscillation induces carrier-phase oscillation Successful spoofing detection hypothesis test at WSMR Reliable detection achievable with 1/4-wave oscillations (< 5 cm p-p)  Not spoofedSpoofed  Detection statistic for an actual spoofing attack

24 Crypto defenses not a panacea: Ineffective against near-zero-delay meaconing (entire band record and playback) attacks. Non-crypto defenses not so elegant mathematically, but can be quite effective. Best shield: a coupled crypto-non-crypto defense. When implemented properly, navigation message authentication (NMA) authenticates not only the data message but also the underlying signal. It is surprisingly effective. Observations on Defenses (3/3)

25 Enemy of NMA: Security Code Estimation and Replay Inside the Spoofer: Security Code Chip Estimation Inside the Defender: Detection Statistic Based on Specialized Correlations

26 NMA-Based Signal Authentication: Receiver Perspective Code Origin Authentication Code Timing Authentication Wesson, K., Rothlisberger, M., and Humphreys, T. E., “Practical Cryptographic Civil GPS Signal Authentication,” NAVIGATION: The Journal of the Institute of Navigation, fall 2012.

27 Security Code Estimation and Replay Detection: Live Signal Demonstration Humphreys, T. E., “Detection Strategy for Cryptographic GNSS Anti-Spoofing,” IEEE Transactions on Aerospace and Electronic Systems, to be published.

28 Operational Definition of GNSS Signal Authentication GNSS signal is declared authentic if in the time elapsed since some trusted initialization event: 1.the logical output S has remained low, and 2.the logical output H 1 has remained low, and 3.the output P D has remained above an acceptable threshold

29 Key Ingredients for Developing and Evaluating GNSS Signal Authentication Techniques: 1.Visibility 2.Testability

30 The Texas Spoofing Test Battery (TEXBAT) 6 high-fidelity recordings of live spoofing attacks 20-MHz bandwidth 16-bit quantization Each recording ~7 min. long; ~40 GB Can be replayed into any GNSS receiver

31 TEXBAT Recording Setup

32 Scenario 2: Static Overpowered Time Push

33 The University of Texas Radionavigation Lab and National Instruments jointly offer the Texas Spoofing Test Battery Request: todd.humphreys@mail.utexas.edu The Dynamic Matched-Power Position PushThe Dynamic Overpowered Time PushThe Static Matched-Power Position PushThe Static Matched-Power Time PushThe Static Overpowered Time PushThe Static Switch

34 radionavlab.ae.utexas.edu

Download ppt "Secure Navigation and Timing Todd Humphreys | Aerospace Engineering The University of Texas at Austin LAAFB GPS Directorate | December 5, 2012."

Similar presentations

Probabilistic Secure Time Transfer: Challenges and Opportunities for a Sub-Millisecond World Kyle D. Wesson, Prof. Todd E. Humphreys, Prof. Brian L. Evans.

Probabilistic Secure Time Transfer: Challenges and Opportunities for a Sub-Millisecond World Kyle D. Wesson, Prof. Todd E. Humphreys, Prof. Brian L. Evans.
Digital FX Correlator Nimish Sane Center for Solar-Terrestrial Research New Jersey Institute of Technology, Newark, NJ EOVSA Technical Design Meeting.

Digital FX Correlator Nimish Sane Center for Solar-Terrestrial Research New Jersey Institute of Technology, Newark, NJ EOVSA Technical Design Meeting.
Challenges of Practical Civil GNSS Security Todd Humphreys, UT Austin Civil Navigation and Timing Security Splinter Meeting |Portland, Oregon | September.

Challenges of Practical Civil GNSS Security Todd Humphreys, UT Austin Civil Navigation and Timing Security Splinter Meeting |Portland, Oregon | September.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7.3 Secure and Resilient Location Discovery in Wireless.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7.3 Secure and Resilient Location Discovery in Wireless.
Protecting Civil GPS Receivers

Protecting Civil GPS Receivers
GPS Spoofing & Implications for Telecom Kyle Wesson The University of Texas at Austin Sprint Synchronization Conference | September 18, 2013.

GPS Spoofing & Implications for Telecom Kyle Wesson The University of Texas at Austin Sprint Synchronization Conference | September 18, 2013.
ION GNSS 2011, September 23 rd, Portland, Oregon Improving Security of GNSS Receivers Felix Kneissl University FAF Munich.

ION GNSS 2011, September 23 rd, Portland, Oregon Improving Security of GNSS Receivers Felix Kneissl University FAF Munich.
GNSS Security Todd Humphreys | Aerospace Engineering The University of Texas at Austin GPS World Webinar | September 18, 2014.

GNSS Security Todd Humphreys | Aerospace Engineering The University of Texas at Austin GPS World Webinar | September 18, 2014.
STRIDE Introduction Increasing use for PNT applications:  Positioning  Navigation  Timing.

STRIDE Introduction Increasing use for PNT applications:  Positioning  Navigation  Timing.
Imbedded SSR Mode-S Logic Control Unit University of Stellenbosch Department of Electrical & Electronic Engineering K. Gastrow 4 December 2009.

Imbedded SSR Mode-S Logic Control Unit University of Stellenbosch Department of Electrical & Electronic Engineering K. Gastrow 4 December 2009.
Thursday, 3:55pm, room 24 This session will discuss techniques for enhancing the ability of receivers to detect, disregard, and operate through intentional.

Thursday, 3:55pm, room 24 This session will discuss techniques for enhancing the ability of receivers to detect, disregard, and operate through intentional.
Volkan Cevher, Marco F. Duarte, and Richard G. Baraniuk European Signal Processing Conference 2008.

Volkan Cevher, Marco F. Duarte, and Richard G. Baraniuk European Signal Processing Conference 2008.
Distributed Systems Fall 2010 Time and synchronization.

Distributed Systems Fall 2010 Time and synchronization.
Global Navigation Satellite Systems Research efforts in Luleå Staffan Backén, LTU Dr. Dennis M. Akos, LTU.

Global Navigation Satellite Systems Research efforts in Luleå Staffan Backén, LTU Dr. Dennis M. Akos, LTU.
Workshop EGNOS KRAKÓW 2004 1 GNSS RECEIVER TESTING TECHNIQUES IN A LABORATORY ENVIRONMENT Institute of Radar Technology Military University of Technology.

Workshop EGNOS KRAKÓW GNSS RECEIVER TESTING TECHNIQUES IN A LABORATORY ENVIRONMENT Institute of Radar Technology Military University of Technology.
14/03/2005 CGSIC Meeting, Prague, Czech Republic Oscar Pozzobon Chris Wullems Prof. Kurt Kubik Security issues in next generation satellite systems.

14/03/2005 CGSIC Meeting, Prague, Czech Republic Oscar Pozzobon Chris Wullems Prof. Kurt Kubik Security issues in next generation satellite systems.
A SINGLE FREQUENCY GPS SOFTWARE RECEIVER

A SINGLE FREQUENCY GPS SOFTWARE RECEIVER
GPS and other GNSS signals GPS signals and receiver technology MM10 Darius Plausinaitis

GPS and other GNSS signals GPS signals and receiver technology MM10 Darius Plausinaitis
Distance-decreasing attack in GPS Final Presentation Horacio Arze Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski January 2009 Security and Cooperation.

Distance-decreasing attack in GPS Final Presentation Horacio Arze Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski January 2009 Security and Cooperation.
UAV Integration: Privacy and Security Hurdles Todd Humphreys | Aerospace Engineering The University of Texas at Austin Royal Institute of Navigation UAV.

UAV Integration: Privacy and Security Hurdles Todd Humphreys | Aerospace Engineering The University of Texas at Austin Royal Institute of Navigation UAV.

Similar presentations

Ads by Google