Security of GPS/INS based On-road Location Tracking Systems
Location information is critical to a wide-variety of navigation and tracking
applications. Today, GPS is the de-facto outdoor localization system but has
been shown to be vulnerable to signal spoofing attacks. Inertial Navigation
Systems (INS) are emerging as a popular complementary system, especially in
road transportation systems as they enable improved navigation and tracking as
well as offer resilience to wireless signals spoofing, and jamming attacks. In
this paper, we evaluate the security guarantees of INS-aided GPS tracking and
navigation for road transportation systems. We consider an adversary required
to travel from a source location to a destination, and monitored by an INS-aided
GPS system. The goal of the adversary is to travel to alternate locations
without being detected. We developed and evaluated algorithms that achieve this
goal, providing the adversary significant latitude. Our algorithms build a
graph model for a given road network and enable us to derive potential
destinations an attacker can reach without raising alarms even with the
INS-aided GPS tracking and navigation system. The algorithms render the
gyroscope and accelerometer sensors useless as they generate road trajectories
indistinguishable from plausible paths (both in terms of turn angles and road
curvature). We also designed, built, and demonstrated that the magnetometer can
be actively spoofed using a combination of carefully controlled coils. We
implemented and evaluated the impact of the attack using both real-world and
simulated driving traces in more than 10 cities located around the world. Our
evaluations show that it is possible for an attacker to reach destinations that
are as far as 30 km away from the true destination without being detected. We
also show that it is possible for the adversary to reach almost 60-80% of
possible points within the target region in some cities.
Freaky Leaky SMS: Extracting User Locations by Analyzing SMS Timings
Short Message Service (SMS) remains one of the most popular communication
channels since its introduction in 2G cellular networks. In this paper, we
demonstrate that merely receiving silent SMS messages regularly opens a
stealthy side-channel that allows other regular network users to infer the
whereabouts of the SMS recipient. The core idea is that receiving an SMS
inevitably generates Delivery Reports whose reception bestows a timing attack
vector at the sender. We conducted experiments across various countries,
operators, and devices to show that an attacker can deduce the location of an
SMS recipient by analyzing timing measurements from typical receiver locations.
Our results show that, after training an ML model, the SMS sender can
accurately determine multiple locations of the recipient. For example, our
model achieves up to 96% accuracy for locations across different countries, and
86% for two locations within Belgium. Due to the way cellular networks are
designed, it is difficult to prevent Delivery Reports from being returned to
the originator, making it challenging to thwart this covert attack without
making fundamental changes to the network architecture.
Experience Report on the Challenges and Opportunities in Securing Smartphones Against Zero-Click Attacks
Zero-click attacks require no user interaction and typically exploit zero-day
(i.e., unpatched) vulnerabilities in instant chat applications (such as
WhatsApp and iMessage) to gain root access to the victim's smartphone and
exfiltrate sensitive data. In this paper, we report our experiences in
attempting to secure smartphones against zero-click attacks. We approached the
problem by first enumerating several properties we believed were necessary to
prevent zero-click attacks against smartphones. Then, we created a security
design that satisfies all the identified properties, and attempted to build it
using off-the-shelf components. Our key idea was to shift the attack surface
from the user's smartphone to a sandboxed virtual smartphone ecosystem where
each chat application runs in isolation. Our performance and usability
evaluations of the system we built highlighted several shortcomings and the
fundamental challenges in securing modern smartphones against zero-click
attacks. In this experience report, we discuss the lessons we learned, and
share insights on the missing components necessary to achieve foolproof
security against zero-click attacks for modern mobile devices.
Cryptography Is Not Enough: Relay Attacks on Authenticated GNSS Signals
Civilian GNSS is vulnerable to signal spoofing attacks, and countermeasures
based on cryptographic authentication are being proposed to protect against
these attacks. Both Galileo and GPS are currently testing broadcast
authentication techniques based on the delayed key disclosure to validate the
integrity of navigation messages. These authentication mechanisms have proven
secure against record now and replay later attacks, as navigation messages
become invalid after keys are released. This work analyzes the security
guarantees of cryptographically protected GNSS signals and shows the
possibility of spoofing a receiver to an arbitrary location without breaking
any cryptographic operation. In contrast to prior work, we demonstrate the
ability of an attacker to receive signals close to the victim receiver and
generate spoofing signals for a different target location without modifying the
navigation message contents. Our strategy exploits the essential common
reception and transmission time method used to estimate pseudorange in GNSS
receivers, thereby rendering any cryptographic authentication useless. We
evaluate our attack on a commercial receiver (ublox M9N) and a software-defined
GNSS receiver (GNSS-SDR) using a combination of open-source tools, commercial
GNSS signal generators, and software-defined radio hardware platforms. Our
results show that it is possible to spoof a victim receiver to locations around
4000 km away from the true location without requiring any high-speed
communication networks or modifying the message contents. Through this work, we
further highlight the fundamental limitations in securing a broadcast
signaling-based localization system even if all communications are
cryptographically protected.
V-Range: Enabling Secure Ranging in 5G Wireless Networks
A number of safety- and security-critical applications such as asset tracking, smart ecosystems, autonomous vehicles and driver assistance functions, etc., are expected to benefit from the position information available through 5G. Driven by the aim to support such a wide array of location-aware services and applications, the current release of 5G seeks to explore ranging and positioning as an integral part of 5G technology. In recent years, many attacks on positioning and ranging systems have been demonstrated, and hence it is important to build 5G systems that are resilient to distance and location manipulation attacks. No existing proposal, either by 3GPP or the research community, addresses the challenges of secure position estimation in 5G. In this paper, we develop V-Range, the first secure ranging system that is fully compatible with 5G standards and can be implemented directly on top of existing 5G-NR transceivers. We design V-Range, a system capable of executing secure ranging operations resilient to both distance enlargement and reduction attacks. We experimentally verify that V-Range achieves high precision and low latency, and can operate in both the sub-6 GHz and mm-wave bands intended for 5G. Our results show that an attacker cannot reduce or increase the distance by more than the imprecision of the system without being detected with high probability.
Location-independent GNSS Relay Attacks: A Lazy Attacker’s Guide to Bypassing Navigation Message Authentication
In this work, we demonstrate the possibility of spoofing a GNSS receiver to arbitrary locations without modifying the navigation messages. Due to increasing spoofing threats, Galileo and GPS are evaluating broadcast authentication techniques to validate the integrity of navigation messages. Prior work required an adversary to record the GNSS signals at the intended spoofed location and relay them to the victim receiver. Our attack demonstrates the ability of an adversary to receive signals close to the victim receiver and in real time generate spoofing signals for an arbitrary location without modifying the navigation message contents. We exploit the essential common reception and transmission time method used to estimate pseudorange in GNSS receivers, thereby potentially rendering any cryptographic authentication useless. We build a proof-of-concept real-time spoofer capable of receiving authenticated GNSS signals and generating spoofing signals for any arbitrary location and motion without requiring any high-speed communication networks or modifying the message contents. Our evaluations show that it is possible to spoof a victim receiver to locations as far as 4000 km away from the actual location and with any dynamic motion path. This work further highlights the fundamental limitations in securing a broadcast signaling-based localization system even if all communications are cryptographically protected.