GPS World

Tag: GNSS security

  • How do we ensure GNSS security against spoofing?

    How do we ensure GNSS security against spoofing?

    By Maria Simsky
    Technical Writer, Septentrio

    As technological advances make GPS/GNSS devices more affordable, our lives are becoming increasingly dependent on precise positioning and timing. Industries such as survey, construction and logistics rely on precise positioning for automation, efficiency and safety.

    GNSS time provides the pulsating heartbeat for the backbone of our industry by synchronizing telecom networks, banks and the power grid. A single day of GNSS outage is estimated to cost $1 billion U.S. dollars alone.

    GNSS is a reliable system, and to keep it as such, professional GNSS receivers need to be wary of all possible vulnerabilities which could be exploited. Using GNSS receivers that are robust against jamming and spoofing is key for secure PNT (positioning, navigation and timing).

    What is GPS/GNSS spoofing?

    Radio interference can overpower weak GNSS signals, causing satellite signal loss and potentially loss of positioning. Spoofing, is an intelligent form of interference which makes the receiver believe it is at a false location. During a spoofing attack a radio transmitter located nearby sends fake GPS signals into the target receiver. For example, a cheap software-defined radio (SDR) can make a smartphone believe it’s on Mount Everest!

    Figure 1. A cheap SDR can overpower GNSS signals and spoofs a single-frequency smartphone GPS into believing it is on Mount Everest. (Image: Septentrio)
    Figure 1. A cheap SDR can overpower GNSS signals and spoofs a single-frequency smartphone GPS into believing it is on Mount Everest. (Image: Septentrio)

    Why GPS spoofing?

    Imagine a combat situation. Clearly, the side which uses GPS/GNSS technology would have an advantage over the side which does not. But what if one side could manipulate GPS receivers of their adversary? This could mean taking over control of autonomous vehicles and robotic devices which rely on GPS positioning.

    For example, in October 2018, Russia accused the U.S. of spoofing a drone and redirecting it to attack a Russian air base in Syria.

    Figure 2. GNSS spoofing could be used to manipulate movement of aerial drones. (Image: Septentrio)
    Figure 2. GNSS spoofing could be used to manipulate movement of aerial drones. (Image: Septentrio)

    In the last three years, more than 600 incidents of spoofing have been recorded in the seas near the Russian border. These ships appeared to be “transported” to nearby airports.

    This type of spoofing might have been introduced as a defense mechanism to ground spy drones. Most semi-professional drones on the market have a built-in geo-fencing mechanism that lands them automatically if they come close to airports or other restricted areas.

    Some of the most enthusiastic spoofers are Pokémon GO fans who use cheap SDRs to spoof their GPS position and catch elusive Pokémon without having to leave their room.

    Types of spoofing

    Spoofers overpower relatively weak GNSS signals with radio signals carrying false positioning information. There are two ways of spoofing:

    1. Rebroadcasting GNSS signals recorded at another place or time (so-called meaconing)
    2. Generating and transmitting modified satellite signals

    Spoof-proof: How can you protect your receiver against spoofing?

    To combat spoofing, GNSS receivers need to detect spoofed signals out of a mix of authentic and spoofed signals. Once a satellite signal is flagged as spoofed, it can be excluded from positioning calculation.

    GNSS receivers can offer various levels of spoofing protection. Let’s compare it to a house intrusion-detection system. You can have a simple entry alarm system or a more complex movement detection system. For added security you might install video image recognition, breaking-glass sound detection or a combination of the above.

    Like a house with an open door, an unprotected GNSS receiver is vulnerable to even the simplest forms of spoofing. Secured receivers, on the other hand, can detect spoofing by looking for signal anomalies, or by using signals designed to prevent spoofing such as Galileo OS-NMA and E6 or the GPS military code.

    Advanced interference mitigation technologies, such as the Septentrio AIM+, use signal-processing algorithms to flag spoofing by detecting various anomalies in the signal. For example, a spoofed signal is usually more powerful than an authentic GNSS signal.

    AIM+ won’t even be fooled by an advanced GNSS signal generator: Spirent GSS9000. With realistic power levels and with actual navigation data within the signal, AIM+ can identify it as a “non-authentic” signal.

    Other advanced anti-spoofing techniques such as using a dual-polarized antenna are being researched.

    Satellite navigation data authentication

    Various countries invest in spoofing resilience by building security directly into their GNSS satellites. With OS-NMA (Open Service Navigation Message Authentication), Galileo is the first satellite system to introduce an anti-spoofing service directly on a civil GNSS signal.

    OS-NMA is a free service on the Galileo E1 frequency. It enables authentication of the navigation data on Galileo and even GPS satellites. Such navigation data carries information about satellite location and if altered will result in wrong receiver positioning computation. While currently in development, OS-NMA is planned to become publicly available in the near future. Also GPS is experimenting with satellite based anti-spoofing for civil users with their recent Chimera authentication system.

    Figure 3. European Galileo satellites provide an open authentication service on the E1 signal and a commercial authentication service on the E6 signal. (Image: European Space Agency)
    Figure 3. European Galileo satellites provide an open authentication service on the E1 signal and a commercial authentication service on the E6 signal. (Image: European Space Agency)

    Recently, within the scope of the FANTASTIC project led by GSA, OS-NMA anti-spoofing protection was implemented on a Septentrio receiver.

    The strongest shield: signal-level GNSS authentication

    The Galileo system will be offering Commercial Authentication Service (CAS) on the E6 signal with the highest level of security for safety-critical applications such as autonomous vehicles. The signal level encryption will be based on similar techniques as the military GPS signals. Only the receivers who have the secret key are able to track such encrypted signals. The secret key is also needed to generate the signal making it impossible to fake. CAS authentication techniques are currently being prototyped at Septentrio in collaboration with the European Space Agency.

    Spoof-resilient GNSS means reliable precise positioning and timing, and a peace of mind for everyone touched by this indispensable technology.

    References

    1. Study finds that a GPS outage would cost $1 billion per day
    2. Russia Claims US Spoofed Drones to Attack Base
    3. Spoofing in the Black Sea: What really happened?
    4. Technical paper by Septentrio – Authentication by polarization: a powerful anti-spoofing method
    5. New Report Details GNSS Spoofing Including Denial-of-Service Attacks
  • Seen & Heard: April 2019

    Seen & Heard: April 2019

    Check out some GPS developments that have recently taken place around the world. (Click to enlarge; Map: iStock.com/nadla)

    Map: iStock.com/nadla

    1. A new use for GNSS satellites

    University of Padua researchers say GNSS satellites make possible global quantum communication, beaming information between a satellite and an Earth-based ground station. They exchanged a single photon over 20,000 kilometers to prove secure quantum communications can be implemented on a global scale using GNSS. Results show the first exchange of a few photons per pulse between two GLONASS satellites, using the passive retro-reflectors mounted on the satellites, and the Space Geodesy Centre of the Italian Space Agency. The results could provide solutions for GNSS security for satellite-to-ground and inter-satellite links by using quantum information protocols for quantum key distribution.

    GRITSS to improve reference frame University of Massachusetts Lowell researchers have received a two-year, $1.2 million grant from NASA’s Earth Science Division to develop a Geodetic Reference Instrument Transponder for Small Satellites (GRITSS) to significantly improve the accuracy of the International Terrestrial Reference Frame — the basis of GPS positioning and navigation. A virtual map of the Earth, the ITRF pinpoints specific geographic positions and describes Earth’s precise shape, physical topography, orientation and rotation with time based on a stationary, Earth-centered coordinate system.  The location of each GPS satellite is defined within the ITRF. (Photo: NASA)
    Click to enlarge. (Photo: NASA)

    2. GRITSS to improve reference frame

    University of Massachusetts Lowell researchers have received a two-year, $1.2 million grant from NASA’s Earth Science Division to develop a Geodetic Reference Instrument Transponder for Small Satellites (GRITSS) to significantly improve the accuracy of the International Terrestrial Reference Frame — the basis of GPS positioning and navigation. A virtual map of the Earth, the ITRF pinpoints specific geographic positions and describes Earth’s precise shape, physical topography, orientation and rotation with time based on a stationary, Earth-centered coordinate system.  The location of each GPS satellite is defined within the ITRF.

    Pigeon scientists Engineers from the University of Birmingham have developed a compact backpack to collect climate and pollution data. When the birds return to their lofts, the sensors are retrieved and the data downloaded, including GPS location, temperature, humidity, ambient light and air pressure. So far, scientists have been able to collect data from five birds — they made a total of 41 flights with a total length of about 1,000 kilometers. (Photo: Rick Thomas)
    Click to enlarge. (Photo: Rick Thomas)

    3. Pigeon scientists

    Engineers from the University of Birmingham have developed a compact backpack to collect climate and pollution data. When the birds return to their lofts, the sensors are retrieved and the data downloaded, including GPS location, temperature, humidity, ambient light and air pressure. So far, scientists have been able to collect data from five birds — they made a total of 41 flights with a total length of about 1,000 kilometers.

    China’s big brother program Evidence that China is tracking its Uyghur Muslim population in the Xinjiang region has been uncovered. A facial recognition database was left open on the internet for months, Dutch security researcher Victor Gevers told ZDNet. The database contains information on 2.5 million people, along with a stream of GPS coordinates. Data includes detailed and sensitive information: names, ID card data, addresses, photos and employers, as well as GPS coordinates where the user had been seen via public cameras labeled mosque, hotel, police station, internet cafe, restaurant and more. (Photo: Victor Gevers/ZDNet)
    Click to enlarge. (Photo: Victor Gevers/ZDNet)

    4. China’s big brother program

    Evidence that China is tracking its Uyghur Muslim population in the Xinjiang region has been uncovered. A facial recognition database was left open on the internet for months, Dutch security researcher Victor Gevers told ZDNet. The database contains information on 2.5 million people, along with a stream of GPS coordinates. Data includes detailed and sensitive information: names, ID card data, addresses, photos and employers, as well as GPS coordinates where the user had been seen via public cameras labeled mosque, hotel, police station, internet cafe, restaurant and more.

  • Spirent highlights GNSS threats at cybersecurity conference

    Spirent Communications plc will demonstrate its expanded focus on security at the cybersecurity RSA Conference 2017, held in the Moscone Center in San Francisco Feb. 13–17. In a classroom session, Spirent positioning security technologist Guy Buesnel will discuss deliberate threats to GNSS.

    Focusing on deliberate attacks against GNSS at the application layer and through RF channels, Buesnel will introduce session attendees to the vulnerabilities of satellite navigation and timing systems and how they have been exploited. Based on his experience in protecting GNSS receivers from emerging threats for nearly two decades, Buesnel’s session will address the evolution of deliberate GNSS threats and present the latest evidence of deliberate jammer use from a network of detector devices.

    “There are compelling parallels between the manner in which IP threats have developed on the internet and the evolution of both jamming and spoofing attacks against GNSS,” said Buesnel. “Once people understand that the evolution of GNSS threats not only has clear parallels with the way in which IP threats have evolved, but also that GNSS share many of the features of a connected network, they will see that many of the lessons learned by the information security community apply equally well to the GNSS community.”

    Part of the Mobile & IoT Security track, the Guy Buesnel classroom session (Session Code MBS-F01) will take place 9–9:45 a.m. on Friday, Feb. 17, on the second floor of the Moscone West hall, room 2002.

    Spirent will also preview new Cyberflood performance and security validation software at RSA.

    “With our expanded focus on security, Spirent is addressing the growing need in government, industry, health care and financial services for effective products and services to assess, validate and monitor the performance and security of their networks and applications,” said John Weinschenk, general manager of applications and security at Spirent. “We look forward to demonstrating at the RSA Conference how our industry-leading product and service offerings can meet today’s need for performance and security effectiveness under a wide range of real-world threat and attack scenarios.”

    Spirent representatives in the company’s booth (S2015 in the Moscone South hall) will be available during the show to speak with attendees about the Cyberflood software and many of its upcoming ease-of-use features and real-world threat and attack emulation capabilities. The new features will include a flexible advanced testing component for customized testing needs and extended fuzzing techniques that enable users to find more issues faster and understand them better than any competing product in the industry.

    Attendees will also be able to learn more about the scanning, penetration testing, monitoring and source-code-analysis security services available from Spirent Security Labs for networks, wireless infrastructures, websites, mobile applications and embedded devices.

     

  • Spirent security experts predict greater risk to GNSS in 2017

    Spirent Communications plc, provider of mobile network, application, services and device-test solutions, is warning of the increased likelihood of disruptions this year to a wide variety of civil and military applications relying on GNSS.

    The prediction of greater risk from hacking and location spoofing attacks by criminal, state-sponsored, and other adversaries is part of Spirent’s annual security forecast for 2017. The forecast also highlights the continued risk of distributed denial of service (DDoS) attacks on Internet of things (IoT) devices and industries, including health care and automotive, that Spirent believes are the prime targets for security threats in the near future.

    In 2016, Spirent’s predictions led off with a prescient warning about the increased risk of cyber espionage, which has since been borne out, most notably by news reports of suspected activities by the Russian government to influence the 2016 U.S. presidential election.

    Also as predicted, in 2016 threats from ransomware, malicious insiders and compromised IoT devices increased, as did attacks on industrial control systems. For example, FBI sources reported on CNN that losses attributed to ransomware in the U.S. were set to exceed $1 billion by the end of 2016. That number is expected to grow in 2017.

    In addition to an increased likelihood of GNSS interference, Spirent’s annual security forecast for 2017 predicts an expansion of risks from:

    • More frequent DDoS attacks against IoT devices, as evidenced in the last quarter of 2016, when multiple major DDoS attacks surfaced worldwide. The most disruptive attack employed Mirai malware covertly installed on a large number of IoT devices. A number of high-profile websites such as Netflix, AirBnB, Twitter, GitHub and others were rendered inaccessible. Spirent believes that perpetrators will continue to innovate and find new methods for improving and broadening these type of attacks.
    • Threats to IoT security, which are increasing as everything that is connected becomes a potential attack vector, including embedded devices, mobile devices, consumer electronics, connected medical devices, industrial control systems, smart home devices, and more.
    • Threats to medical applications, networks, and devices in the health care industry, both the back-office systems on which these facilities run and the medical instruments that provide care to patients. A ransomware infection or data breach could adversely affect patient health and privacy.
    • Threats to connected vehicles by malicious attackers, as a greater number of attack vectors are inadvertently created that enable remotely gaining control of critical operational components of the vehicle, including engine, steering, and braking functions in addition to other vehicle systems that communicate through the relatively insecure CAN bus infrastructure.

    “With the greater drive towards use of autonomous vehicles, which rely heavily on precision GPS positioning and timing, threats posed by signal spoofing, jamming, time tinkering, and more could result in serious disruptions and worse,” said Sameer Dixit, senior director of security consulting at Spirent. “The transportation industry is taking this very seriously and already looking at various ways to protect against these threats. Because of this, we see momentum towards improving GNSS security in 2017.”

    According to an article in Defense One, Timothy Bennett, a science-and-technology program manager at the Department of Homeland Security, has already reported the use of GPS spoofing and jamming equipment by Mexican drug cartels along the border to interfere with the U.S. Customs and Border Protection agency’s use of drones to patrol the area. Unlike the larger drones designed to military specifications, the smaller drones used for this purpose are more vulnerable to these kinds of attacks.

    Spirent’s global network of GPS interference detectors has recorded more than 15,000 interference events since it was deployed in 2015, including a surprisingly high number of unintentional events caused by various forms of interference in the GPS L1 frequency band. A significant number of these unintentional events, which often correlate with transmissions from nearby RF transmitters and telecom equipment, have the potential to interfere with GPS signal reception.

    Dixon noted one bright spot on the horizon: the increasing awareness up and down the technology food chain of the importance of security in these systems, and the entry of large, experienced, and security-conscious players into the IoT arena.

    For information on Spirent’s security solutions, visit https://www.spirent.com/Solutions/Security-Applications.