A Testbed for Developing and Evaluating GNSS Signal Authentication Techniques

An experimental testbed has been created for developing and evaluating Global Navigation Satellite System (GNSS) signal authentication techniques. The testbed advances the state of the art in GNSS signal authentication by subjecting candidate techniques to the strongest publicly-acknowledged GNSS spoofing attacks. The testbed consists of a real-time phase-coherent GNSS signal simulator that acts as spoofer, a real-time softwaredefined GNSS receiver that plays the role of defender, and post-processing versions of both the spoofer and defender. Two recently-proposed authentication techniques are analytically and experimentally evaluated: (1) a defense based on anomalous received power in a GNSS band, and (2) a cryptographic defense against estimation-and-replay-type spoofing attacks. The evaluation reveals weaknesses in both techniques; nonetheless, both significantly complicate a successful GNSS spoofing attackAerospace Engineering and Engineering Mechanic

GNSS Spoofing Detection via Opportunistic IRIDIUM Signals

In this paper, we study the privately-own IRIDIUM satellite constellation, to provide a location service that is independent of the GNSS. In particular, we apply our findings to propose a new GNSS spoofing detection solution, exploiting unencrypted IRIDIUM Ring Alert (IRA) messages that are broadcast by IRIDIUM satellites. We firstly reverse-engineer many parameters of the IRIDIUM satellite constellation, such as the satellites speed, packet interarrival times, maximum satellite coverage, satellite pass duration, and the satellite beam constellation, to name a few. Later, we adopt the aforementioned statistics to create a detailed model of the satellite network. Subsequently, we propose a solution to detect unintended deviations of a target user from his path, due to GNSS spoofing attacks. We show that our solution can be used efficiently and effectively to verify the position estimated from standard GNSS satellite constellation, and we provide constraints and parameters to fit several application scenarios. All the results reported in this paper, while showing the quality and viability of our proposal, are supported by real data. In particular, we have collected and analyzed hundreds of thousands of IRA messages, thanks to a measurement campaign lasting several days. All the collected data ($1000+$ hours) have been made available to the research community. Our solution is particularly suitable for unattended scenarios such as deserts, rural areas, or open seas, where standard spoofing detection techniques resorting to crowd-sourcing cannot be used due to deployment limitations. Moreover, contrary to competing solutions, our approach does not resort to physical-layer information, dedicated hardware, or multiple receiving stations, while exploiting only a single receiving antenna and publicly-available IRIDIUM transmissions. Finally, novel research directions are also highlighted.Comment: Accepted for the 13th Conference on Security and Privacy in Wireless and Mobile Networks (WISEC), 202

Signal processing techniques for GNSS anti-spoofing algorithms

The Global Navigation Satellite Systems (GNSS) usage is growing at a very high rate, and more applications are relying on GNSS for correct functioning. With the introduction of new GNSSs, like the European Galileo and the Chinese Beidou, in addition to the existing ones, the United States Global Positioning System (GPS) and the Russian GLONASS, the applications, accuracy of the position and usage of the signals are increasing by the day. Given that GNSS signals are received with very low power, they are prone to interference events that may reduce the usage or decrease the accuracy. From these interference, the spoofing attack is the one that has drawn major concerns in the GNSS community. A spoofing attack consist on the transmission of GNSS-like signals, with the goal of taking control of the receiver and make it compute an erroneous position and time solution. In the thesis, we focus on the design and validation of different signal processing techniques, that aim at detection and mitigation of the spoofing attack effects. These are standalone techniques, working at the receiver’s level and providing discrimination of spoofing events without the need of external hardware or communication links. Four different techniques are explored, each of them with its unique sets of advantages and disadvantages, and a unique approach to spoofing detection. For these techniques, a spoofing detection algorithm is designed and implemented, and its capabilities are validated by means of a set of datasets containing spoofing signals. The thesis focuses on two different aspects of the techniques, divided as per detection and mitigation capabilities. Both detection techniques are complementary, their joint use is explored and experimental results are shown that demonstrate the advantages. In addition, each mitigation technique is analyzed separately as they require specialized receiver architecture in order to achieve spoofing detection and mitigation. These techniques are able to decrease the effects of the spoofing attacks, to the point of removing the spoofing signal from the receiver and compute navigation solutions that are not controlled by the spoofer and lead in more accurate end results. The main contributions of this thesis are: the description of a multidimensional ratio metric test for distinction between spoofing and multipath effects; the introduction of a cross-check between automatic gain control measurements and the carrier to noise density ratio, for distinction between spoofing attacks and other interference events; the description of a novel signal processing method for detection and mitigation of spoofing effects, based on the use of linear regression algorithms; and the description of a spoofing detection algorithm based on a feedback tracking architecture

Joint Antenna Array Attitude Tracking and Spoofing Detection Based on Phase Difference Measurements

Spoofing attacks are a serious problem for civil GNSS applications with safety content, such as airplane landing or maritime navigation in harbors. Also many strategically important infrastructures, such as electric power grids or mobile communications networks, are becoming increasingly dependent on GNSS services. Military GNSS users solve that problem by signal encryption at chip level. This reduces the threat to only allow for meaconing, i.e. retransmitting the GNSS signals from a certain location, since the exact waveform is unpredictable. Civil users cannot rely on encryption at the moment and most likely in the near future. They must be protected by additional techniques, which are able to detect and mitigate spoofing attacks. A number of receiver-autonomous solutions for the spoofing problem have been proposed in the last decade. For single antenna receivers the detection of spoofing attacks can rely on the observation of the time evolution of different signal parameters such as power and Doppler frequency shift, the PRN code delay and its rates, the correlation function shape as well as the cross-correlation of the signal components at different carrier frequencies. However, the most advanced protection against the sophisticated spoofing attacks can be provided by utilizing the spatial domain for signal processing available by using antenna arrays ([1], [2], [3], [4], [5]). A GNSS receiver with an antenna array is able to estimate the directions of arrival of the impinging waveforms and so to discriminate between the authentic and counterfeit signals. Moreover the malicious signals can be mitigated by generating a spatial zero into the array antenna reception pattern in the direction of the spoofing source(s). The use of the array-aided joint estimation of the array attitude and spoofing detection was investigated by the authors in [1], [3], [5]. A post-correlation estimation of the signal direction of arrival (DOA) was utilized as the first step of the corresponding signal processing chain. This approach however still suffers from the effects of short-term distortions in the receiver tracking loops and the resulting unavailability of the DOA estimations during the spoofing attack. Two approaches have been identified to overcome this effect. On the one hand, a more accurate direction of arrival detection and antenna calibration can be used. On the other hand, the attitude estimation can be made more robust by skipping the DOA estimation step and using instead directly the post-correlation array outputs in the underlining measurement model, similar to method 2 in [6]. The latter possibility will be exploited throughout the current paper. One of the main challenges here is to design robust and computationally effective attitude estimation when the post-correlation array outputs consist of the superposition of the authentic and counterfeit signals. This problem, for example, is not adequately handled in [6] and [7]. In the aforementioned approaches, the estimation of the actual direction of arrival in terms of (antenna local) azimuth and elevation was done explicitly before the attitude was estimated. The approach presented in the paper will avoid this (computationally expensive) step, by introducing an adequate measurement model. This model connects the measured relative phases between the antennas elements (spatial signature) to the ones expected from the almanac. This interconnection involves the receiver attitude, which is the state to be estimated. In a second step, the model fit (i.e. residuals of least square fit) is used to detect anomalies. Further processing is done by comparing the spatial signature for different satellites. Contrary to using the cyclic nature of PRN codes to detect the direction in the pre-correlation domain as described in [2], the spatial signature in the post-correlation domain is used. If one dominant direction is present, the likelihood of spoofing or meaconing is considered high. If detected, a second processing stage is triggered, capable of spatially filtering out the spoofers signature (post-correlation nulling). Finally a second run of the aforementioned procedure is done to estimate the antennas attitude using a spatially filtered signal. Theoretical results as well as hardware simulations ([8]) show, that if a GPS/CA or Galileo receiver already tracks a certain PRN, the likelihood of success is very low for an unsynchronized spoofer. In this context (un)synchronized is related to the PRNs current frequency shift (caused by the Doppler Effect), as well as code delay. The code delay error should not be larger than one chip in general. The tolerable frequency mismatch however, highly depends on the receivers implementation (i.e. FLL and PLL parameters and stages), but should not be bigger than a few multiples of 50 Hz. A synchronized spoofer or meaconing signal which is turned on when the receiver already tracks the corresponding PRN will be considered in the context of the paper. The described methods will be evaluated using software simulations. Scenarios without spoofing or meaconing are used to demonstrate the attitude estimation. Scenarios with repeaters will be used to demonstrate the two-stage approach with spatial filtering. [1] M. Meurer, A. Konovaltsev, M. Cuntz, and C. Hättich, “Robust Joint Multi-Antenna Spoofing Detection and Attitude Estimation using Direction Assisted Multiple Hypotheses RAIM,” in Proceedings of the 25th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2012), September 2012, Nashville, TN, USA., 2012. [2] S. Daneshmand, A. Jafarnia-Jahromi, A. Broumandon, and G. Lachapelle, “A low-complexity GPS anti-spoofing method using a multi-antenna array,” in Proc. ION GNSS 2012, 2012, pp. 1233–1243. [3] A. Konovaltsev, M. Cuntz, C. Haettich, and M. Meurer, “Autonomous Spoofing Detection and Mitigation in a GNSS Receiver with an Adaptive Antenna Array,” in Proc. ION GNSS+ 2013, 2013, p. 12. [4] M. Appel, A. Konovaltsev, and M. Meurer, “Robust Spoofing Detection and Mitigation based on Direction of Arrival Estimation,” in Proc. ION GNSS+ 2015, 2015, pp. 3335–3344. [5] M. Meurer, A. Konovaltsev, M. Appel, M. Cuntz, E. M. Meurer, A. Konovaltsev, M. Appel, and M. C. De, “Direction-of-Arrival Assisted Sequential Spoofing Detection and Mitigation,” in ION ITM 2016, 2016. [6] M. Markel, E. Sutton, and H. Zmuda, “An antenna array-based approach to attitude determination in a jammed environment,” in Proceedings of the 14th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GPS 2001), 2001, pp. 2914–2926. [7] S. Daneshmand, N. Sokhandan, and G. Lachapelle, “Precise GNSS Attitude Determination Based on Antenna Array Processing,” in Proceedings of the 27th International Technical Meeting of the Satellite Division of The Institute of Navigation, ION GNSS+ 2014, Tampa, Florida, September 8-12, 2014, 2014. [8] M. Appel, A. Hornbostel, and C. Haettich, “Impact of meaconing and spoofing on galileo receiver performance,” 7th ESA Workshop on Satellite Navigation Technologies NAVITEC, 2014

GNSS Vulnerabilities and Existing Solutions:A Review of the Literature

This literature review paper focuses on existing vulnerabilities associated with global navigation satellite systems (GNSSs). With respect to the civilian/non encrypted GNSSs, they are employed for proving positioning, navigation and timing (PNT) solutions across a wide range of industries. Some of these include electric power grids, stock exchange systems, cellular communications, agriculture, unmanned aerial systems and intelligent transportation systems. In this survey paper, physical degradations, existing threats and solutions adopted in academia and industry are presented. In regards to GNSS threats, jamming and spoofing attacks as well as detection techniques adopted in the literature are surveyed and summarized. Also discussed are multipath propagation in GNSS and non line-of-sight (NLoS) detection techniques. The review also identifies and discusses open research areas and techniques which can be investigated for the purpose of enhancing the robustness of GNSS

Security of GPS/INS based On-road Location Tracking Systems

Location information is critical to a wide-variety of navigation and tracking applications. Today, GPS is the de-facto outdoor localization system but has been shown to be vulnerable to signal spoofing attacks. Inertial Navigation Systems (INS) are emerging as a popular complementary system, especially in road transportation systems as they enable improved navigation and tracking as well as offer resilience to wireless signals spoofing, and jamming attacks. In this paper, we evaluate the security guarantees of INS-aided GPS tracking and navigation for road transportation systems. We consider an adversary required to travel from a source location to a destination, and monitored by a INS-aided GPS system. The goal of the adversary is to travel to alternate locations without being detected. We developed and evaluated algorithms that achieve such goal, providing the adversary significant latitude. Our algorithms build a graph model for a given road network and enable us to derive potential destinations an attacker can reach without raising alarms even with the INS-aided GPS tracking and navigation system. The algorithms render the gyroscope and accelerometer sensors useless as they generate road trajectories indistinguishable from plausible paths (both in terms of turn angles and roads curvature). We also designed, built, and demonstrated that the magnetometer can be actively spoofed using a combination of carefully controlled coils. We implemented and evaluated the impact of the attack using both real-world and simulated driving traces in more than 10 cities located around the world. Our evaluations show that it is possible for an attacker to reach destinations that are as far as 30 km away from the true destination without being detected. We also show that it is possible for the adversary to reach almost 60-80% of possible points within the target region in some cities