GPS World

Tag: Daniel Shepard

  • Drone Hack: Spoofing Attack Demonstration on a Civilian Unmanned Aerial Vehicle

    By Daniel Shepard, Jahshan A. Bhatti, and Todd E. Humphreys

    
    Unmanned aerial vehicle (uav) used in the spoofing tests; owned by the University of Texas.

     A radio signal sent from a half-mile away deceived the GPS receiver of a UAV into thinking that it was rising straight up. In this way, the UAV’s dependence on civil GPS allowed the spoofer operator to force the UAV vertically downward in dramatic fashion as part of multiple capture demonstrations.

    In December 2011, Iran captured a U.S. Central Intelligence Agency (CIA) surveillance drone with only minor damage to the undercarriage of the drone, likely due to a rough landing when captured. An Iranian engineer claimed in an interview that “Iran managed to jam the drone’s communication links to American operators” causing the drone to shift into an autopilot mode that relies solely on GPS to guide itself back to its home base in Afghanistan. With the drone in this state, the Iranian engineer claimed that “Iran spoofed the drone’s GPS system with false coordinates, fooling it into thinking it was close to home and landing into Iran’s clutches.”

    Although the Iranian claims are highly questionable, this incident left many unanswered questions as to the security of GPS systems on unmanned aerial vehicles (UAVs). The CIA drone should have been guiding itself based on the encrypted military GPS signals, which would be incredibly difficult to spoof. However, some experts have conjectured that simultaneous jamming of the military signals and spoofing of the civilian signals might have worked if the drone had been programmed to fall back on the civilian GPS signals in the event that the military signals were jammed. This raises the question: How difficult would it be to spoof a UAV guiding itself based on civilian GPS signals?

    FAA Modernization Act

    In February of this year, Congress passed the FAA Modernization and Reform Act of 2012. According to the Library of Congress summary, this act “requires the Secretary [of Transportation] to develop a plan to accelerate safely the integration by September 30, 2015, of civil unmanned aircraft systems (UASes, or drones) into the national airspace system … [and] determine if certain drones may operate safely in the national airspace system before completion of the plan.”

    Such civilian UAVs would be primarily guided by civil GPS, which has been shown to be readily spoofable in the lab. This would create a significant potential hazard in the national airspace if the problem of civil GPS spoofing is not fixed. Thousands of civilian UAVs (operated by postal services, police departments, research institutions, and others) could populate the skies in only a few years while still being vulnerable to remote hijacking via GPS spoofing. The passing of the FAA Modernization Act further emphasizes the need to examine the vulnerability of UAVs to GPS spoofing.

    Test

    On invitation of the Department of Homeland Security (DHS), unclassified spoofing tests against a UAV were performed at White Sands Missile Range (WSMR) on June 19, 2012 during the DHS GYPSY test exercise. These tests demonstrated the capability of a spoofer, built by the University of Texas (UT) Radionavigation Lab, to commandeer a civilian UAV by influencing the position-velocity-time (PVT) solution of the UAV’s GPS receiver.

    The Spoofer. The civil GPS spoofer used for these tests is an advanced version of the spoofer reported in “Assessing the Spoofing Threat,” GPS World, January 2009. A schematic representation of the spoofer is shown in Figure 1. It is the only spoofer reported in open literature to date that is capable of precisely aligning the spreading codes and navigation data of its counterfeit signals with those of the authentic GPS signals. Such alignment capability allows the spoofer to carry out a sophisticated spoofing attack in which no obvious clues remain to suggest that an attack is underway.


    Figure 1. This spooler is capable of precisely aligning the spreading code and navigation data of its counterfeit signals with GPS signals.

    The spoofer is implemented on a portable software-defined radio platform with a digital signal processor (DSP) at its core. This platform comprises:

    • A radio frequency (RF) front-end that down-mixes and digitizes GPS L1 and L2 frequencies
    • A DSP board that performs acquisition and tracking of GPS L1 C/A, calculates a navigation solution, predicts the L1 C/A databits, and produces a consistent set of up to 14 spoofed GPS L1 C/A signals with a user-controlled fictitious implied navigation and timing solution.
    • An RF back-end with a digital attenuator that converts the digital samples of the spoofed signals from the DSP to analog output at the GPS L1 frequency with a user-controlled broadcast power.
    • A single-board computer that handles communication between the spoofer and a remote computer over the Internet.

    The spoofer works by first acquiring and tracking GPS L1 C/A and L2C signals to obtain a navigation solution. It then enters its “feedback” mode, in which it produces a counterfeit, data-free feedback GPS signal that is summed with its own antenna input. The feedback signal is tracked by the spoofer and used to calibrate the delay between production of the digitized spoofed signal and output of the analog spoofed signal. This is necessary because the delay is non-deterministic on start-up of the receiver, although it stays constant thereafter.

    After feedback calibration is complete and enough time has elapsed to build up a navigation data bit library, the spoofer is ready to begin an attack. Initially, it produces signals that are aligned to within a few meters with the authentic signals at the location of the target antenna but have low enough power that they remain far below the target receiver’s noise floor. The spoofer then raises the power of the spoofed signals slightly above that of the authentic signals. At this point, the spoofer has taken control of the victim receiver’s tracking loops and can slowly lead the spoofed signals away from the authentic signals, carrying the receiver’s tracking loops with it.  The target receiver can be considered completely captured when either of the following are true:

    • each spoofed signal has shifted by 2 µs relative to the authentic signals, or
    • each spoofed signal is at least 10 dB more powerful than the corresponding authentic signal.

    The latter option ensures that there is no significant interaction between authentic and spoofed signals by simultaneously jamming and spoofing.
    The UT spoofer and attack strategy have been tested against a wide variety of civil GPS receivers and have always been successful in commandeering the target receiver.

    Test UAV.  The spoofing tests targeted a University-of-Texas-owned Hornet Mini UAV supplied by Adaptive Flight, which is shown in the  opening photo. The Hornet Mini is roughly five feet long and weighs about 10 pounds when fully loaded. The Mini’s sophisticated avionics package loosely couples an altimeter, magnetometer, and a MEMS IMU package to a GPS receiver via an extended Kalman filter.

    The Hornet Mini is representative of UAVs used by law enforcement. Thus, the results of the spoofing tests with the Mini also apply to other similarly-designed UAVs, including those used in most civil applications, whose navigation systems are centered on civil GPS. It should be noted that no special alterations were made to the Hornet Mini for this test – it was in its “as sold” or “stock” configuration.

    Setup. A schematic of the setup used for the spoofing tests against the civil UAV at WSMR appears in Figure 2. The spoofer was located on a hilltop with the receive antenna on the far side of the hilltop from the transmit antenna as shown in Figure 3. The UAV site was located in a sandy basin approximately 620 meters from the transmit antenna.


    Figure 2. Schematic of the test setup.


    Figure 3. Aerial view of the test site showing the spoofer location on a hilltop and the UAV site 0.62 kilometers away.

    Procedure. The UAV was commanded by its ground controller to hover approximately 60 feet above ground level at the UAV site. After the initial ground control command was sent, the UAV maintained its hovering position automatically based on the navigation solution of its extended Kalman filter, which is based in part on GPS. At this point in the test procedure, the spoofed signals were not being broadcast: the UAV was only under the influence of the authentic GPS signals.

    The spoofer was then commanded to begin transmitting spoofed signals. To ensure seamless capture of the UAV’s GPS unit, the code phases of the spoofed signals were aligned to within meters of the authentic signals at the location of the UAV’s GPS antenna. The spoofed signals overpowered their authentic counterparts and instantly captured the tracking loops within the UAV’s GPS receiver.

    Immediately after capture, the spoofer induced a false velocity and corresponding position change in the UAV’s GPS receiver, drawing the position reported by the UAV’s extended Kalman filter away from the UAV’s commanded hover position. To compensate, the UAV’s flight controller responded by moving in the opposite direction. A safety pilot was on hand to prevent the UAV from drifting out of control.  This was necessary because by commandeering the UAV’s GPS receiver, the spoofer operator effectively breaks the UAV autopilot’s feedback control loop. The spoofer operator must now act as an operator-in-the-loop, which requires real-time, meter-level knowledge of the UAV’s true location.

    Results. Between tests WSMR and UT, the spoofer demonstrated short-term 3-dimensional control of the UAV. Thus, we conclude that it is indeed possible to hijack a civil UAV — in this case, a fairly sophisticated one — by civil GPS spoofing.

    Interestingly, the Hornet Mini relies only on its altimeter for direct measurements of its vertical position; the GPS-measured vertical position is ignored. This can be done with reasonable accuracy because of the Hornet Mini’s short flight endurance (~20 minutes). However, the GPS vertical velocity does affect the extended Kalman filter’s vertical coordinate estimate because the filter propagates GPS velocity measurements through a UAV dynamics model to form an a priori vertical estimate that gets updated with the altimeter measurements. This dependence on GPS velocity allowed the spoofer operator to force the UAV vertically downward in dramatic fashion in the final three capture demonstrations.

    Developing a full spoofer-based control system for a UAV is a difficult problem that, in addition to the requirement for real-time true position feedback, requires the spoofer to model the UAV’s feedback control behavior and to estimate the UAV’s desired path. Causing a UAV to spin out of control and crash is not difficult with a spoofer, but fine-grained control certainly is.

    Implications

    These tests have demonstrated that civilian UAVs will be vulnerable to control by malefactors with a civil GPS spoofer looking to hijack or crash these UAVs unless their vulnerability to GPS spoofing is addressed. There are several reasons why someone may want to spoof a drone including fear over drones invading people’s privacy. This poses a significant safety concern that could result in mid-air collisions with other aerial vehicles or buildings, not to mention loss of property.

    Constructing from scratch a sophisticated GPS spoofer like the one developed by UT is not easy, nor is it within the capability of the average anonymous hacker. It is orders of magnitude harder than developing a GNSS jammer. Nonetheless, the trend toward software-defined GNSS receivers for research and development, where receiver functionality is defined entirely in software downstream of the A/D converter, has significantly lowered the bar to spoofer development in recent years.

    As a point of reference, we estimate that there are more than 100 researchers in universities around the globe who are well-enough versed in software-defined GPS that they could develop a sophisticated spoofer from scratch with a year of dedicated effort. More worrisome is the fact that one does not have to build a sophisticated spoofer like ours, capable of aligning its signals precisely with authentic signals at the location of a chosen target, to spoof a civil GPS receiver. A low-cost off-the-shelf GPS signal simulator would not permit the kind of seamless attack we carried out, but would be adequate to confuse and disrupt the navigation system of a commercial UAV.

    Fixing the Problem

    There is no quick, easy, and cheap fix for the civil GPS spoofing problem. Moreover, not even the most effective GPS spoofing defenses are foolproof. Nonetheless, there are many possible remedies to the spoofing problem that, while not foolproof, would vastly improve civil GPS security. These defenses can be broken up into two categories: cryptographic and non-cryptographic defenses.

    Cryptographic defenses come primarily in two forms, spread-spectrum security codes (SSSC) and navigation message authentication (NMA), depending on whether the unpredictable digital signature is placed on the spread-spectrum code or the navigation data. These cryptographic signatures could be placed on WAAS signals or existing or future GPS signals to provide authentication of the source of the WAAS or GPS signals. A cryptographic defense implemented with appropriate checks to protect against certain variants of spoofing attacks, described in “Straight Talk on Anti-Spoofing,” GPS World, January 2012, would significantly raise the bar for a would-be spoofer. Several proposals for cryptographic methods are currently on the table including a proposal by Logan Scott to place SSSC signatures on GPS L1C signals that will be broadcast by GPS Block III satellites. However, the current proposals for civil GPS cryptographic authentication schemes are still at least several years away from implementation and have a 5-minute window between authentications of each individual GPS signal. These proposals have currently gained no ground in being implemented because of a lack of dedicated funds for development and implementation.

    There are also a number of promising non-cryptographic techniques for civil GPS spoofing detection that include jamming-to-noise power detectors (J/N meters), correlation profile anomaly defenses, and antenna-based defenses. J/N meters are simple and easily-implementable and would prevent a spoofer from simultaneous jamming and spoofing. However, a J/N sensor will not typically detect a spoofing attack in which the spoofed signals are only slightly more powerful than their authentic counterparts. The inclusion of a J/N meter does ensure that the authentic signals will also be visible as a corruption to the correlation curve during a spoofing attack, due to the difficulty of nulling out the authentic signal. This allows correlation profile anomaly defenses to be viable. However, these methods suffer from the difficulty of distinguishing multipath effects from a spoofing attack, particularly in mobile receivers. Antenna-based defenses also present an attractive option for anti-spoofing, but most of these methods require additional hardware (multiple antennas) and cost. One promising new antenna-based defense is currently under development at Cornell University that does not require multiple antennas. This defense involves an extension of the signal spatial correlation technque developed by the University of Calgary PLAN group. However, this technique is still under development, and receivers implementing this technique would likely be several times more expensive than current receivers.

    For details on potential spoofing defenses, see Todd Humphrey’s congressional testimony in “The System.”

    Recommendations

    We recommend that for non-recreational operation in the national airspace, civil UAVs exceeding 18 pounds be required to employ navigation systems that are spoof-resistant. Spoof resistance will be defined through a series of four canned attack scenarios that can be recreated in a laboratory setting. A navigation system is declared spoof-resistant if, for each attack scenario, the system is either unaffected by or able to detect the spoofing attack. Spoofing detection combined with an appropriate GPS-denied mode for the UAV to fall back on will significantly increase the difficulty of mounting a successful spoofing attack.

    Additionally, civil GPS receivers in many critical infrastructures (communications networks, financial trade centers, and the power grid) are also vulnerable to civil GPS spoofing. These critical infrastructures primarily rely on GPS for timing, which is also susceptible to manipulation with varying consequences depending on the application. A discussion of power grid vulnerabilities to GPS spoofing is given in “Going Up Against Time” in this issue of the magazine on page 34. We also recommend that GPS-based timing or navigation systems having a non-trivial role in systems designated by DHS as national critical infrastructure be required to be spoof-resistant.

    Finally, we recommend that funding be committed for development and implementation of a cryptographic authentication signature in one of the existing or forthcoming civil GPS signals. The signature should at minimum take the form of a digital signature interleaved into the navigation message stream of the WAAS signals. A better plan would be to interleave the signature into the CNAV or CNAV2 GPS navigation message stream. The best plan for implementing a cryptographic authentication signature would be to implement the signature as an SSSC interleaved into the spreading code of the L1C data channel. Inclusion of a cryptographic signature would greatly aid manufacturers in developing receivers that are spoof-resistant.

    Manufacturers

    The Hornet Mini UAV carries a µ-blox GPS receiver.

    Daniel P. Shepard is pursuing M.S. and Ph.D. degrees in aerospace engineering at the University of Texas (UT) at Austin. He is a member of the Radionavigation Laboratory.

    Jahshan A. Bhatti is pursuing a Ph.D. in aerospace engineering and engineering mechanics at UT and is a member of the Radionavigation Laboratory.

    Todd E. Humphreys is an assistant professor of aerospace engineering and engineering mechanics at UT and director of the Radionavigation Laboratory. He received a Ph.D. in aerospace engineering from Cornell University.

     

  • Straight Talk on Anti-Spoofing: Securing the Future of PNT

    By Kyle Wesson, Daniel Shepard, and Todd Humphreys

    Disruption created by intentional generation of fake GPS signals could have serious economic consequences. This article discusses how typical civil GPS receivers respond to an advanced civil GPS spoofing attack, and four techniques to counter such attacks: spread-spectrum security codes, navigation message authentication, dual-receiver correlation of military signals, and vestigial signal defense. Unfortunately, any kind of anti-spoofing, however necessary, is a tough sell.

    GPS spoofing has become a hot topic. At the 2011 Institute of Navigation (ION) GNSS conference, 18 papers discussed spoofing, compared with the same number over the past decade. ION-GNSS also featured its first panel session on anti-spoofing, called “Improving Security of GNSS Receivers,” which offered six security experts a forum to debate the most promising anti-spoofing technologies.

    The spoofing threat has also drawn renewed U.S. government scrutiny since the initial findings of the 2001 Volpe Report. In November 2010, the U.S. Position Navigation and Timing National Executive Committee requested that the U.S. Department of Homeland Security (DHS) conduct a comprehensive risk assessment on the use of civil GPS. In February 2011, the DHS Homeland Infrastructure Threat and Risk Analysis Center began its investigation in conjunction with subject-matter experts in academia, finance, power, and telecommunications, among others. Their findings will be summarized in two forthcoming reports, one on the spoofing and jamming threat and the other on possible mitigation techniques. The reports are anticipated to show that GPS disruption due to spoofing or jamming could have serious economic consequences.

    Effective techniques exist to defend receivers against spoofing attacks. This article summarizes state-of-the-art anti-spoofing techniques and suggests a path forward to equip civil GPS receivers with these defenses. We start with an analysis of a typical civil GPS receiver’s response to our laboratory’s powerful spoofing device. This will illustrate the range of freedom a spoofer has when commandeering a victim receiver’s tracking loops. We will then provide an overview of promising cryptographic and non-cryptographic anti-spoofing techniques and highlight the obstacles that impede their widespread adoption.

    The Spoofing Threat

    Spoofing is the transmission of matched-GPS-signal-structure interference in an attempt to commandeer the tracking loops of a victim receiver and thereby manipulate the receiver’s timing or navigation solution. A spoofer can transmit its counterfeit signals from a stand-off distance of several hundred meters or it can be co-located with its victim.

    Spoofing attacks can be classified as simple, intermediate, or sophisticated in terms of their effectiveness and subtlety. In 2003, the Vulnerability Assessment Team at Argonne National Laboratory carried off a successful simple attack in which they programmed a GPS signal simulator to broadcast high-powered counterfeit GPS signals toward a victim receiver. Although such a simple attack is easy to mount, the equipment is expensive, and the attack is readily detected because the counterfeit signals are not synchronized to their authentic counterparts.

    In an intermediate spoofing attack, a spoofer synchronizes its counterfeit signals with the authentic GPS signals so they are code-phase-aligned at the target receiver. This method requires a spoofer to determine the position and velocity of the victim receiver, but it affords the spoofer a serious advantage: the attack is difficult to detect and mitigate.

    The sophisticated attack involves a network of coordinated intermediate-type spoofers that replicate not only the content and mutual alignment of visible GPS signals but also their spatial distribution, thus fooling even multi-antenna spoofing defenses.

    Table1 . Credit: Kyle Wesson, Daniel Shepard, and Todd Humphreys
    Table 1. Comparison of anti-spoofing techniques discussed in this article.

    Lab Attack. So far, no open literature has reported development or research into the sophisticated attack. This is likely because of the success of the intermediate-type attack: to date, no civil GPS receiver tested in our laboratory has fended off an intermediate-type spoofing attack. The spoofing attacks, which are always conducted via coaxial cable or in radio-frequency test enclosures, are performed with our laboratory’s receiver-spoofer, an advanced version of the one introduced at the 2008 ION-GNSS conference (see “Assessing the Spoofing Threat,” GPS World, January 2009).

    To commence the attack, the spoofer transmits its counterfeit signals in code-phase alignment with the authentic signals but at power level below the noise floor. The spoofer then increases the power of the spoofed signals so that they are slightly greater than the power of the authentic signals. At this point, the spoofer has taken control of the victim receiver’s tracking loops and can slowly lead the spoofed signals away from the authentic signals, carrying the receiver’s tracking loops with it. Once the spoofed signals have moved more than 600 meters in position or 2 microseconds in time away from the authentic signals, the receiver can be considered completely owned by the spoofer.

    Spoofing testbed at the University of Texas Radionavigation Laboratory, an advanced and powerful suite for anti-spoofing research. On the right are several of the civil GPS receivers tested and the radio-frequency test enclosure, and on the left are the phasor measurement unit and the civil GPS spoofer. Credit: Kyle Wesson, Daniel Shepard, and Todd Humphreys
    Spoofing testbed at the University of Texas Radionavigation Laboratory, an advanced and powerful suite for anti-spoofing research. On the right are several of the civil GPS receivers tested and the radio-frequency test enclosure, and on the left are the phasor measurement unit and the civil GPS spoofer.

    Although our spoofer fooled all of the receivers tested in our laboratory, there are significant differences between receivers’ dynamic responses to spoofing attacks. It is important to understand the types of dynamics that a spoofer can induce in a target receiver to gain insight into the actual dangers that a spoofing attack poses rather than rely on unrealistic assumptions or models of a spoofing attack. For example, a recent paper on time-stamp manipulation of the U.S. power grid assumed that there was no limit to the rate of change that a spoofer could impose on a victim receiver’s position and timing solution, which led to unrealistic conclusions.

    Experiments performed in our laboratory sought to answer three specific questions regarding spoofer-induced dynamics:

    • How quickly can a timing or position bias be introduced?
    • What kinds of oscillations can a spoofer cause in a receiver’s position and timing?
    • How different are receiver responses to spoofing?

    These questions were answered by determining the maximum spoofer-induced pseudorange acceleration that can be used to reach a certain final velocity when starting from a velocity of zero, without raising any alarms or causing the target receiver to lose satellite lock. The curve in the velocity-acceleration plane created by connecting these points defines the upper bound of a region within which the spoofer can safely manipulate the target receiver. These data points can be obtained empirically and fit to an exponential curve. Alarms on the receiver may cause some deviations from this curve depending on the particular receiver.

    Figure 1 shows an example of the velocity-acceleration curve for a high-quality handheld receiver, whose position and timing solution can be manipulated quite aggressively during a spoofing attack. These results suggest that the receiver’s robustness — its ability to provide navigation and timing solutions despite extreme signal dynamics — is actually a liability in regard to spoofing. The receiver’s ability to track high accelerations and velocities allows a spoofer to aggressively manipulate its navigation solution.

    Figure 1. Theoretical and experimental test results for a high-quality handheld receiver's dynamic response to a spoofing attack. Although not shown here, the maximum attainable velocity is around 1,300 meters/second. Credit: Kyle Wesson, Daniel Shepard, and Todd Humphreys
    Figure 1. Theoretical and experimental test results for a high-quality handheld receiver’s dynamic response to a spoofing attack. Although not shown here, the maximum attainable velocity is around 1,300 meters/second.

    The relative ease with which a spoofer can manipulate some GPS receivers suggests that GPS-dependent infrastructure is vulnerable. For example, the telecommunications network and the power grid both rely on GPS time-reference receivers for accurate timing. Our laboratory has performed tests on such receivers to determine the disruptions that a successful spoofing attack could cause. The remainder of this section highlights threats to these two sectors of critical national infrastructure.

    Cell-Phone Vulnerability. Code division multiple access (CDMA) cell-phone towers rely on GPS timing for tower-to-tower synchronization. Synchronization prevents towers from interfering with one another and enables call hand-off between towers. If a particular tower’s time estimate deviates more than 10 microseconds from GPS time, hand-off to and from that tower is disrupted. Our tests indicate that a spoofer could induce a 10-microsecond time deviation within about 30 minutes for a typical CDMA tower setup. A spoofer, or spoofer network, could also cause multiple neighboring towers to interfere with one another. This is possible because CDMA cell-phone towers all use the same spreading code and distinguish themselves only by the phasing (that is, time offset) of their spreading codes. Furthermore, it appears that a spoofer could impair CDMA-based E911 user-location.

    Power-Grid Vulnerability. Like the cellular network, the power grid of the future will rely on accurate GPS time-stamps. The efficiency of power distribution across the grid can be improved with real-time measurements of the voltage and current phasors. Phasor measurement units (PMUs) have been proposed as a smart-grid technology for precisely this purpose. PMUs rely on GPS to time-stamp their measurements, which are sent back to a central monitoring station for processing. Currently, PMUs are used for closed-loop grid control in only a few applications, but power-grid modernization efforts will likely rely more heavily on PMUs for control. If a spoofer manipulates a PMU’s time stamps, it could cause spurious variations in measured phase angles. These variations could distort power flow or stability estimates in such a way that grid operators would take incorrect or unnecessary control actions including powering up or shutting down generators, potentially causing blackouts or damage to power-grid equipment.

    Under normal circumstances, a changing separation in the phase angle between two PMUs indicates changes in power flow between the regions measured by each PMU. Tests demonstrate that a spoofer could cause variations in a PMU’s measured voltage phase angle at a rate of 1.73 degrees per minute. Thus, a spoofing attack could create the false indications of power flow across the grid. The tests results also reveal, however, that it is impossible for a spoofer to cause changes in small-signal grid stability estimates, which would require the spoofer to induce rapid (for example, 0.1–3 Hz) microsecond-amplitude oscillations in timing. Such oscillations correspond to spoofing dynamics well outside the region of freedom of all receivers we have tested. A spoofer might also be able to affect fault-location estimates obtained through time-difference-of-arrival techniques using PMU measurements. This could cause large errors in fault-location estimates and hamper repair efforts.

    What Can Be Done? Despite the success of the intermediate-type spoofing attack against a wide variety of civil GPS receivers and the known vulnerabilities of GPS-dependent critical infrastructure to spoofing attacks, anti-spoofing techniques exist that would enable receivers to successfully defend themselves against such attacks. We now turn to four promising anti-spoofing techniques.

    Cryptographic Methods

    These techniques enable a receiver to differentiate authentic GPS signals from counterfeit signals with high likelihood. Cryptographic strategies rely on the unpredictability of so-called security codes that modulate the GPS signal. An unpredictable code forces a spoofer who wishes to mount a successful spoofing attack to either

    • estimate the unpredictable chips on-the-fly, or
    • record and play back authentic GPS spectrum (a meaconing attack).

    To avoid unrealistic expectations, it should be noted that no anti-spoofing technique is completely impervious to spoofing. GPS signal authentication is inherently probabilistic, even when rooted in cryptography. Many separate detectors and cross-checks, each with its own probability of false alarm, are involved in cryptographic spoofing detection. Figure 2 illustrates how the jammer-to-noise ratio detector, timing consistency check, security-code estimation and replay attack (SCER) detector, and cryptographic verification block all work together. This hybrid combination of statistical hypothesis tests and Boolean logic demonstrates the complexities and subtleties behind a comprehensive, probabilistic GPS signal authentication strategy for security-enhanced signals.

    Figure 2. GNSS receiver components required for GNSS signal authentication. Components that support code origin authentication are outlined in bold and have a gray fill, whereas components that support code timing authentication are outlined in bold and have no fill. The schematic assumes a security code based on navigation message authentication. Credit: Kyle Wesson, Daniel Shepard, and Todd Humphreys
    Figure 2. GNSS receiver components required for GNSS signal authentication. Components that support code origin authentication are outlined in bold and have a gray fill, whereas components that support code timing authentication are outlined in bold and have no fill. The schematic assumes a security code based on navigation message authentication.

    Spread Spectrum Security Codes. In 2003, Logan Scott proposed a cryptographic anti-spoofing technique based on spread spectrum security codes (SSSCs). The most recent proposed version of this technique targets the L1C signal, which will be broadcast on GPS Block III satellites, because the L1C waveform is not yet finalized. Unpredictable SSSCs could be interleaved with the L1C spreading code on the L1C data channel, as illustrated in Figure 3. Since L1C acquisition and tracking occurs on the pilot channel, the presence of the SSSCs has negligible impact on receivers. Once tracking L1C, a receiver can predict when the next SSSC will be broadcast but not its exact sequence. Upon reception of an SSSC, the receiver stores the front-end samples corresponding to the SSSC interval in memory. Sometime later, the cryptographic digital key that generated the SSSC is transmitted over the navigation message. With knowledge of the digital key, the receiver generates a copy of the actual transmitted SSSC and correlates it with the previously-recorded digital samples. Spoofing is declared if the correlation power falls below a pre-determined threshold.

    Figure 3. Placement of the periodically unpredictable spread spectrum security codes in the GPS L1C data channel spreading sequence. Credit: Kyle Wesson, Daniel Shepard, and Todd Humphreys
    Figure 3. Placement of the periodically unpredictable spread spectrum security codes in the GPS L1C data channel spreading sequence.

    When the security-code chip interval is short (high chipping rate), it is difficult for a spoofer to estimate and replay the security code in real time. Thus, the SSSC technique on L1C offers a strong spoofing defense since the L1C chipping rate is high (that is, 1.023 MChips/second). Furthermore, the SSSC technique does not rely on the receiver obtaining additional information from a side channel; all the relevant codes and keys are broadcast over the secured GPS signals. Of course a disadvantage for SSSC is that it requires a fairly fundamental change to the currently-proposed L1C definition: the L1C spreading codes must be altered.

    Implementation of the SSSC technique faces long odds, partly because it is late in the L1C planning schedule to introduce a change to the spreading codes. Nonetheless, in September 2011, Logan Scott and Phillip Ward advocated for SSSC at the Public Interface Control Working Group meeting, passing the first of many wickets. The proposal and associated Request for Change document will now proceed to the Lower Level GPS Engineering Requirements Branch for further technical review. If approved there, it passes to the Joint Change Review Board for additional review and, if again approved, to the Technical Interchange Meeting for further consideration. The chances that the SSSC proposal will survive this gauntlet would be much improved if some government agency made a formal request to the GPS Directorate to include SSSCs in L1C — and provided the funding to do so. The DHS seems to us a logical sponsoring agency.

    Navigation Message Authentication. If an L1C SSSC implementation proves unworkable, an alternative, less-invasive cryptographic authentication scheme based on navigation message authentication (NMA) represents a strong fall-back option. In the same 2003 ION-GNSS paper that he proposed SSSC, Logan Scott also proposed NMA. His paper was preceded by an internal study at MITRE and followed by other publications in the open literature, all of which found merit in the NMA approach. The NMA technique embeds public-key digital signatures into the flexible GPS civil navigation (CNAV) message, which offers a convenient conveyance for such signatures. The CNAV format was designed to be extensible so that new messages can be defined within the framework of the GPS Interference Specification (IS). The current GPS IS defines only 15 of 64 CNAV messages, reserving the undefined 49 CNAV messages for future use.

    Our lab recently demonstrated that NMA works to authenticate not only the navigation message but also the underlying signal. In other words, NMA can be the basis of comprehensive signal authentication. We have  proposed a specific implementation of NMA that is packaged for immediate adoption. Our proposal defines two new CNAV messages that deliver a standardized public-key elliptic-curve digital algorithm (ECDSA) signature via the message format in Figure 4.

    Figure 4. Format of the proposed CNAV ECDSA signature message, which delivers the first or second half of the 466-bit ECDSA signature and a 5-bit salt in the 238-bit payload field. Credit: Kyle Wesson, Daniel Shepard, and Todd Humphreys
    Figure 4. Format of the proposed CNAV ECDSA signature message, which delivers the first or second half of the 466-bit ECDSA signature and a 5-bit salt in the 238-bit payload field.

    Although the CNAV message format is flexible, it is not without constraints. The shortest block of data in which a complete signature can be embedded is a 96-second signature block such as the one shown in Figure 5. In this structure, the two CNAV signature messages are interleaved between the ephemeris and clock data to meet the broadcast requirements.

    Figure 5. The shortest broadcast signature block that does not violate the CNAV ephemeris and timing broadcast requirements. To meet the required broadcast interval of 48 seconds for message types 10, 11, and one of 30–39, the ECDSA signature is broadcast over a 96-second signature block that is composed of eight CNAV messages. Credit: Kyle Wesson, Daniel Shepard, and Todd Humphreys
    Figure 5. The shortest broadcast signature block that does not violate the CNAV ephemeris and timing broadcast requirements. To meet the required broadcast interval of 48 seconds for message types 10, 11, and one of 30–39, the ECDSA signature is broadcast over a 96-second signature block that is composed of eight CNAV messages.

    The choice of the duration between signature blocks is a tradeoff between offering frequent authentication and maintaining a low percentage of the CNAV message reserved for the digital signature. In our proposal, signature blocks are transmitted roughly every five minutes (Figure 6) so that only 7.5 percent of the navigation message is devoted to the digital signature. Across the GPS constellation, the signature block could be offset so that a receiver could authenticate at least one channel approximately every 30 seconds. Like SSSC, our proposed version of NMA does not require a receiver’s getting additional information from a side channel, provided the receiver obtains public key updates on a yearly basis.

    message_sig_block . Credit: Kyle Wesson, Daniel Shepard, and Todd Humphreys
    Figure 6. A signed 336-second broadcast. The proposed strategy signs every 28 CNAV messages with a signature broadcast over two CNAV messages on each broadcast channel.

    NMA is inherently less secure than SSSC. A NMA security code chip interval (that is, 20 milliseconds) is longer than a SSSC chip interval, thereby allowing the spoofer more time to estimate the digital signature on-the-fly. That is not to say, however, that NMA is ineffective. In fact, tests with our laboratory’s spoofing testbed demonstrated the NMA-based signal authentication structure described earlier offered a receiver a better-than 95 percent probability of detecting a spoofing attack for a 0.01 percent probability of false alarm under a challenging spoofing-attack scenario.

    NMA is best viewed as a hedge. If the SSSC approach does not gain traction, then NMA might, since it only requires defining two new CNAV messages in the GPS IS — a relatively minor modification. CNAV-based NMA could defend receivers tracking L2C and L5. A new CNAV2 message will eventually be broadcast on L1 via L1C, so a repackaged CNAV2-based NMA technique could offer even single-frequency L1 receivers a signal-side anti-spoofing defense.

    P(Y) Code Dual-Receiver Correlation. This approach avoids entirely the issue of GPS IS modifications. The technique correlates the unknown encrypted military P(Y) code between two civil GPS receivers, exploiting known carrier-phase and code-phase relationships. It is similar to the dual-frequency codeless and semi-codeless techniques that civil GPS receivers apply to track the P(Y) code on L2. Peter Levin and others filed a patent on the codeless-based signal authentication technique in 2008; Mark Psiaki extended the approach to semicodeless correlation and narrow-band receivers in a 2011 ION-GNSS paper.

    In the dual-receiver technique, one receiver, stationed in a secure location, tracks the authentic L1 C/A codes while receiving the encrypted P(Y) code. The secure receiver exploits the known timing and phase relationships between the C/A code and P(Y) code to isolate the P(Y) code, of which it sends raw samples (codeless technique) or estimates of the encrypting W-code chips (semi-codeless technique) over a secure network to the defending receiver. The defending receiver correlates its locally-extracted P(Y) with the samples or W-code estimates from the secure receiver. If a spoofing attack is underway, the correlation power will drop below a statistical threshold, thereby causing the defending receiver to declare a spoofing attack. Although the P(Y) code is 20 MHz wide, a narrowband civil GPS receiver with 2.6 MHz bandwidth can still perform the statistical hypothesis tests even with the resulting 5.5 dB attenuation of the P(Y) code. Because the dual-receiver method can run continuously in the background as part of a receiver’s standard GPS signal processing, it can declare a spoofing attack within seconds — a valuable feature for many applications.

    Two considerations about the dual-receiver technique are worth noting. First, the secure receiver must be protected from spoofing for the technique to succeed. Second, the technique requires a secure communication link between the two receivers. Although the first requirement is easily achieved by locating secure receivers in secure locations, the second requirement makes the technique impractical for some applications that cannot support a continuous communication link.

    Of all the proposed cryptographic anti-spoofing techniques, only the dual-receiver method could be implemented today. Unfortunately the P(Y) code will no longer exist after 2021, meaning that systems that make use of the P(Y)-based dual-receiver technique will be rendered unprotected, although a similar M-code-based technique could be an effective replacement. The dual-receiver method, therefore, is best thought of as a stop-gap: it can provide civil GPS receivers with an effective anti-spoofing technique today until a signal-side civil GPS authentication technique is approved and implemented in the future This sentiment was the consensus of the panel experts at the 2011 ION-GNSS session on civil GPS receiver security.

    Non-Cryptographic Methods

    Non-cryptographic techniques are enticing because they can be made receiver-autonomous, requiring neither security-enhanced civil GPS signals nor a side-channel communication link. The literature contains a number of proposed non-cryptographic anti-spoofing techniques. Frequently, however, these techniques rely on additional hardware, such as accelerometers or inertial measurements units, which may exceed the cost, size, or weight requirements in many applications. This motivates research to develop software-based, receiver-autonomous anti-spoofing methods.

    Vestigial Signal Defense (VSD). This software-based, receiver-autonomous anti-spoofing technique relies on the difficulty of suppressing the true GPS signal during a spoofing attack. Unless the spoofer generates a phase-aligned nulling signal at the phase center of the victim GPS receiver’s antenna, a vestige of the authentic signal remains and manifests as a distortion of the complex correlation function. VSD monitors distortion in the complex correlation domain to determine if a spoofing attack is underway.

    To be an effective defense, the VSD must overcome a significant challenge: it must distinguish between spoofing and multipath. The interaction of the authentic and spoofed GPS signals is similar to the interaction of direct-path and multipath GPS signals. Our most recent work on the VSD suggests that differentiating spoofing from multipath is enough of a challenge that the goal of the VSD should only be to reduce the degrees-of-freedom available to a spoofer, forcing the spoofer to act in a way that makes the spoofing signal or vestige of the authentic GPS signal mimic multipath. In other words, the VSD seeks to corner the spoofer and reduce its space of possible dynamics.

    Among other options, two potential effective VSD techniques are

    • a maximum-likelihood bistatic-radar-based approach and
    • a phase-pseudorange consistency check.

    The first approach examines the spatial and temporal consistency of the received signals to detect inconsistencies between the instantaneous received multipath and the typical multipath background environment. The second approach, which is similar to receiver autonomous integrity monitoring (RAIM) techniques, monitors phase and pseudorange observables to detect inconsistencies potentially caused by spoofing. Again, a spoofer can act like multipath to avoid detection, but this means that the VSD would have achieved its modest goal.

    Anti-Spoofing Reality Check

    Security is a tough sell. Although promising anti-spoofing techniques exist, the reality is that no anti-spoofing techniques currently defend civil GPS receivers. All anti-spoofing techniques face hurdles. A primary challenge for any technique that proposes modifying current or proposed GPS signals is the tremendous inertia behind GPS signal definitions. Given the several review boards whose approval an SSSC or NMA approach would have to gain, the most feasible near-term cryptographic anti-spoofing technique is the dual-receiver method. A receiver-autonomous, non-cryptographic approach, such as the VSD, also warrants further development. But ultimately, the SSSC or NMA techniques should be implemented: a signal-side civil GPS cryptographic anti-spoofing technique would be of great benefit in protecting civil GPS receivers from spoofing attacks.

    Manufacturers

    The high-quality handheld receiver cited in Figure 1 was a Trimble Juno SB. Testbed equipment shown: Schweitzer Engineering Laboratories SEL-421 synchrophasor measurement unit; Ramsey STE 3000 radio-frequency test chamber; Ettus Research USRP N200 universal software radio peripheral; Schweitzer SEL-2401 satellite-synchronized clock (blue); Trimble Resolution SMT receiver (silver); HP GPS time and frequency reference receiver.

    References, Further Information

    University of Texas Radionavigation Laboratory.

    Full results of Figure 1 experiment are given in Shepard, D.P. and T.E. Humphreys, “Characterization of Receiver Response to Spoofing Attacks,” Proceedings of ION-GNSS 2011.

    NMA can be the basis of comprehensive signal authentication: Wesson, K.D., M. Rothlisberger, T. E. Humphreys (2011), “Practical cryptographic civil GPS signal authentication,” Navigation, Journal of the ION, submitted for review.

    Humphreys, T.E, “Detection Strategy for Cryptographic GNSS Anti-Spoofing,” IEEE Transactions on Aerospace and Electronic Systems, 2011, submitted for review.

    Kyle Wesson is pursuing his M.S. and Ph.D. degrees in electrical and computer engineering at the University of Texas at Austin. He is a member of the Radionavigation Laboratory. He received his B.S. from Cornell University.

    Daniel Shepard is pursuing his M.S. and Ph.D. degrees in aerospace engineering at the University of Texas at Austin, where he also received his B.S. He is a member of the Radionavigation Laboratory.

    Todd Humphreys is an assistant professor in the department of Aerospace Engineering and Engineering Mechanics at the University of Texas at Austin and director of the Radionavigation Laboratory. He received a Ph.D. in aerospace engineering from Cornell University.