Security of GPS/INS based On-road Location Tracking Systems

Location information is critical to a wide-variety of navigation and tracking applications. Today, GPS is the de-facto outdoor localization system but has been shown to be vulnerable to signal spoofing attacks. Inertial Navigation Systems (INS) are emerging as a popular complementary system, especially in road transportation systems as they enable improved navigation and tracking as well as offer resilience to wireless signals spoofing, and jamming attacks. In this paper, we evaluate the security guarantees of INS-aided GPS tracking and navigation for road transportation systems. We consider an adversary required to travel from a source location to a destination, and monitored by a INS-aided GPS system. The goal of the adversary is to travel to alternate locations without being detected. We developed and evaluated algorithms that achieve such goal, providing the adversary significant latitude. Our algorithms build a graph model for a given road network and enable us to derive potential destinations an attacker can reach without raising alarms even with the INS-aided GPS tracking and navigation system. The algorithms render the gyroscope and accelerometer sensors useless as they generate road trajectories indistinguishable from plausible paths (both in terms of turn angles and roads curvature). We also designed, built, and demonstrated that the magnetometer can be actively spoofed using a combination of carefully controlled coils. We implemented and evaluated the impact of the attack using both real-world and simulated driving traces in more than 10 cities located around the world. Our evaluations show that it is possible for an attacker to reach destinations that are as far as 30 km away from the true destination without being detected. We also show that it is possible for the adversary to reach almost 60-80% of possible points within the target region in some cities

Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer

A portable civilian GPS spoofer is implemented on a digital signal processor and used to characterize spoofing effects and develop defenses against civilian spoofing. This work is intended to equip GNSS users and receiver manufacturers with authentication methods that are effective against unsophisticated spoofing attacks. The work also serves to refine the civilian spoofing threat assessment by demonstrating the challenges involved in mounting a spoofing attack.Aerospace Engineering and Engineering Mechanic

Secure Trajectory Planning Against Undetectable Spoofing Attacks

This paper studies, for the first time, the trajectory planning problem in adversarial environments, where the objective is to design the trajectory of a robot to reach a desired final state despite the unknown and arbitrary action of an attacker. In particular, we consider a robot moving in a two-dimensional space and equipped with two sensors, namely, a Global Navigation Satellite System (GNSS) sensor and a Radio Signal Strength Indicator (RSSI) sensor. The attacker can arbitrarily spoof the readings of the GNSS sensor and the robot control input so as to maximally deviate his trajectory from the nominal precomputed path. We derive explicit and constructive conditions for the existence of undetectable attacks, through which the attacker deviates the robot trajectory in a stealthy way. Conversely, we characterize the existence of secure trajectories, which guarantee that the robot either moves along the nominal trajectory or that the attack remains detectable. We show that secure trajectories can only exist between a subset of states, and provide a numerical mechanism to compute them. We illustrate our findings through several numerical studies, and discuss that our methods are applicable to different models of robot dynamics, including unicycles. More generally, our results show how control design affects security in systems with nonlinear dynamics.Comment: Accepted for publication in Automatic

Cryptography Is Not Enough: Relay Attacks on Authenticated GNSS Signals

Civilian-GNSS is vulnerable to signal spoofing attacks, and countermeasures based on cryptographic authentication are being proposed to protect against these attacks. Both Galileo and GPS are currently testing broadcast authentication techniques based on the delayed key disclosure to validate the integrity of navigation messages. These authentication mechanisms have proven secure against record now and replay later attacks, as navigation messages become invalid after keys are released. This work analyzes the security guarantees of cryptographically protected GNSS signals and shows the possibility of spoofing a receiver to an arbitrary location without breaking any cryptographic operation. In contrast to prior work, we demonstrate the ability of an attacker to receive signals close to the victim receiver and generate spoofing signals for a different target location without modifying the navigation message contents. Our strategy exploits the essential common reception and transmission time method used to estimate pseudorange in GNSS receivers, thereby rendering any cryptographic authentication useless. We evaluate our attack on a commercial receiver (ublox M9N) and a software-defined GNSS receiver (GNSS-SDR) using a combination of open-source tools, commercial GNSS signal generators, and software-defined radio hardware platforms. Our results show that it is possible to spoof a victim receiver to locations around 4000 km away from the true location without requiring any high-speed communication networks or modifying the message contents. Through this work, we further highlight the fundamental limitations in securing a broadcast signaling-based localization system even if all communications are cryptographically protected

GNSS Spoof Detection Using Shipboard IMU Measurements

A variety of approaches have been proposed in the literature to detect spooing of Global Navigation Satellite Systems (GNSS). These approaches vary widely based upon the assumed capabilities and a priori knowledge of the spoofer. This paper considers a method to detect spoofing based on comparing the relative (not absolute) platform trajectory estimated by the GNSS receiver to the relative trajectory developed from IMU measurements (specifically pitch and roll from a gyro compass). The primary contribution of this paper is the development and analysis of a GNSS spoofing detection algorithm that exploits the unknown (to the spoofer) “high” frequency pitch/roll motion of the ship as seen by a commercial-off-the-shelf (COTS) receiver and an inertial measurement unit (IMU) that may already be in use onboard ships. We focus on generalized likelihood ratio tests using simple models of the GNSS and gyro measurements. Further, we avoid using a navigation filter, such as the extended Kalman filter, on the measurements; instead, the algorithm directly employs the instantaneous trajectories. Experimental results are shown using a commercial GNSS receiver with data from a GNSS simulator with IMU capability. The length of time and amount of motion required to achieve low probabilities of false alarm and missed detection are analyzed

Location-independent GNSS Relay Attacks: A Lazy Attacker’s Guide to Bypassing Navigation Message Authentication

In this work, we demonstrate the possibility of spoofing a GNSS receiver to arbitrary locations without modifying the navigation messages. Due to increasing spoofing threats, Galileo and GPS are evaluating broadcast authentication techniques to validate the integrity of navigation messages. Prior work required an adversary to record the GNSS signals at the intended spoofed location and relay them to the victim receiver. Our attack demonstrates the ability of an adversary to receive signals close to the victim receiver and in real-time generate spoofing signals for an arbitrary location without modifying the navigation message contents.We exploit the essential common reception and transmission time method used to estimate pseudorange in GNSS receivers, thereby potentially rendering any cryptographic authentication useless. We build a proof-of-concept real-time spoofer capable of receiving authenticated GNSS signals and generating spoofing signals for any arbitrary location and motion without requiring any high-speed communication networks or modifying the message contents. Our evaluations show that it is possible to spoof a victim receiver to locations as far as 4000 km away from the actual location and with any dynamic motion path. This work further highlights the fundamental limitations in securing a broadcast signaling-based localization system even if all communications are cryptographically protected

Quantum Geo-Encryption

In this work we introduce the concept of quantum geo-encryption - a protocol that invokes direct quantum encryption of messages coupled to quantum location monitoring of the intended receiver. By obfuscating the quantum information required by both the decrypting process and the location verification process, a communication channel is created in which the encrypted data can only be decrypted at a specific geographic locale. Classical wireless communications can be invoked to unlock the quantum encryption process thereby allowing for any deployment scenario regardless of the channel conditions. Quantum geo-encryption can also be used to realize quantum-computing instructions that can only be implemented at a specific location, and allow for a specified geographical data-route through a distributed network. Here we consider the operational aspects of quantum geo-encryption in generic Rician channels, demonstrating that the likelihood of a successful spoofing attack approaches zero as the adversary moves away from the allowed decrypting location. The work introduced here resolves a long-standing quest to directly deliver information which can only be decrypted at a given location free of assumptions on the physical security of a receiver.Comment: 3 Figure