Author: GPS World Staff

  • L-3 Demonstrates TruTrak Evolution Type II SAASM GPS Receiver

     

    L-3 Interstate Electronics Corporation (IEC) conducted an operational demonstration of its new TruTrak Evolution (TTE) Type II Selective Availability Anti-Spoofing Module (SAASM) GPS receiver at AUVSI’s Unmanned Systems North America 2012 conference, held last week in Las Vegas. The demonstration highlighted the new TruTrak receiver’s multi-use capabilities as a high-performing Ground-Based GPS Receiver Applications Module (GB-GRAM) for use on UAS platforms and precision weapons.

    The TTE offers native Inertial Measurement Unit (IMU) and external oscillator interfaces, user processor, reconfigurable input/output (I/O) and front end, and easy roadmap migration from SAASM to NextGen GPS YMCA modernized technology. Its TTE Type II architecture supports the integration of multiple sensors to simplify all-source navigation solutions for GPS-denied environments. The adaptable architecture allows developers to quickly integrate new sensors without a hardware change, while providing industry-leading core GPS receiver performance and easy migration to NextGen modernized GPS.

    “The TTE Type II highlights L-3 IEC’s integrated SAASM/NextGen GPS M-Code roadmap, providing another innovative path in the development of a Common GPS Module,” said Ric Pozo, general manager and vice president of navigation systems at L-3 IEC. “It allows SAASM-based P(Y) and modernized YMCA multichip modules to share a common circuit card assembly, making this a very flexible solution for drop-in GPS receiver replacement and low-risk integration.”

    L-3’s TTE Type II provides features required by multiple applications, including a small form factor, high performance, and both passive and active antennas. The TTE Type II adopts the common GB-GRAM Type II electrical and physical interfaces, but with expandable I/O to support a wide range of requirements for ground, air, weapon, and projectile needs.

  • Trimble Launches AP20-C GNSS Inertial OEM Module with MEMS Inertial Sensors

    Trimble AP series module

    Trimble has introduced the AP20-C, the latest addition to its AP Series of embedded GNSS-Inertial OEM boards plus Inertial Measurement Unit (IMU). Using a compact, custom-built IMU based on commercial Micro Electromechanical Machined (MEMS) inertial sensors, the AP20-C enables system integrators to achieve high-rate position and orientation measurements with exceptional accuracy, Trimble said.

    The announcement was made at AUVSI’s Unmanned Systems North America 2012 Conference and Exhibition being held this week in Las Vegas.

    Featuring proven Applanix IN-Fusion GNSS-Inertial integration technology, the AP20-C is an embedded GNSS-Inertial OEM board set plus IMU designed for continuous mobile positioning in poor signal environments and high-accuracy direct georeferencing of imaging sensors. The AP20-C delivers full, high-rate position and orientation measurements at 200 Hz, ensuring it can be used in the most demanding mobile environments without sacrificing performance. It is fully compatible with the industry-leading Applanix POSPac MMS office software for enhanced accuracy using network differential GNSS.

    “Compact in form and low in power consumption, the AP20-C can provide cost-effective, accurate, reliable and robust position and orientation measurements suitable for a broad range of survey and mapping applications, including airborne, terrestrial, and marine mapping as well as guidance for unmanned vehicle applications,” said Joe Hutton, director of Inertial Technology and Airborne Products at Applanix, a Trimble Company.

  • Next Galileo Satellite Reaches French Guiana Launch Site

    The third Galileo In-Orbit Validation flight model satellite being unloaded from its Antonov 124-100 transport aircraft at Cayenne Airport in French Guiana on August 7.

    The next Galileo navigation satellite has touched down at Europe’s Spaceport in French Guiana, to begin preparations for its launch in October, reports the European Space Agency. Cocooned within a protective, air-conditioned container, the satellite left the Thales Alenia Space Italy plant in Rome on Monday evening for nearby Fiumicino Airport.

    At 23:15 CEST it boarded an Antonov 124-100 aircraft for its overnight flight across the Atlantic, stopping in Tenerife at 03:50 CEST for refuelling.

    The satellite touched down on Tuesday, August 7, in French Guiana’s Cayenne Airport at 07:55 local time (12:55 CEST). It was accompanied by a four-person team from Thales, plus one representative each from Astrium and ESA, as well as all the specialized test and support equipment that will be needed during the launch preparations. The satellite was then moved onto a lorry for transport to the Guiana Space Centre, for subsequent removal from its container.

    These third and fourth Galileo In-Orbit Validation (IOV) satellites are due to be launched aboard a Soyuz ST-B vehicle in October. These new satellites will join the first two Galileo satellites — launched last year — in medium-Earth orbit at 23,222 kilometers. This will mark a significant step in Europe’s program because it will complete the deployment of infrastructure required for the IOV phase and will allow for the first time a computation of on-ground position based solely on Galileo satellites, ESA said.

    The IOV phase is being followed by the deployment of additional satellites and ground segment as required to achieve the Full Operational Capability, leading to provision of services. The first 22 of these Final Operational Capability satellites are being built by OHB in Germany, responsible for the platforms and final satellite integration, and UK-based Surrey Satellite Technology Ltd., producing the payloads.

    The first four Galileo IOV satellites have been built by a consortium led by EADS Astrium, Germany, with Astrium producing the platforms and Astrium UK responsible for the payloads.

  • CGSIC Subcommittee to Hold Meeting August 14

    The CGSIC States and Local Government Subcommittee, chaired by the Federal Highway Administration, is conducting a meeting in downtown Seattle on August 14. CGSIC is chartered to be an information portal direct from the U.S. government’s GPS program to (and from) the world’s civil users of GPS.

    The Coast Guard’s Navigation Center is assigned responsibility as the operational arm and executive secretariat for the committee and assists the States and Local Government Subcommittee to bring this information to state government and private personnel in regional areas of the United States. View an agenda and directions to the meeting on the Navigation Center’s website.

    CGSIC meetings are free and open to all and present an opportunity to personally interact directly with the people that manage the GPS program. For more information, call CGSIC Executive Secretariat Rick Hamilton at 703-313-5930.

  • ABI Research: In-Car Nav Market Bottoms out at $22 Billion, New Services Key to Rebound

    The total in-car navigation market has been in continual decline for the last three years, but ABI Research believes it has now reached its lowest ebb. While pure navigation is unlikely to reach the highs of 2008 again, the overall market is reaching a revenue plateau, creating a solid platform on which connected in-car services can bring a new generation of revenue growth, the market research firm concluded.

    Senior analyst Patrick Connolly stated, “When we look at the decline from 2008 to 2011, there is a perfect storm of economic conditions, low-cost/free smartphone navigation, the decline of PNDs, and falling car sales. The market is forecast to reach a low of $22 billion this year, before fluctuating around the $22-$24 billion mark, as a new period of growth for factory-fitted solutions, coupled with smartphone solutions, will take in-car navigation towards saturation point in many regions by 2017.”

    Factory-fitted solutions will bring new revenue opportunities, especially for PND manufacturers, ABI Research said. But the real growth opportunity will be the additional revenues that in-car connectivity will bring. Companies are fighting for a near-30 million connected car platform market in 2017, with many of the winners and losers decided over the next two years.

    Practice director Dominique Bonte added, “The opportunity is there to leverage navigation, to bring a host of new services around driver performance, infotainment, car diagnostics, and insurance.”

    These findings are part of ABI Research’s GPS & GNSS Research Service, which includes additional Competitive Analyses, Vendor Matrices, Market Data, and Insights. In ABI Research’s quarterly service, “GPS&GNSS”, all forms of in-car navigation are considered, including factory fitted, aftermarket, PNDs, and smartphones.

  • NVS Technologies Selected by Advanced Navigation for Spatial Miniature GNSS/INS System

    Advanced Navigation, a developer of 3D navigation technologies, has launched its Spatial product series, featuring NVS Technologies AG’s NV08C-MCM high-performance multiple GNSS-constellation receiver.

    The Spatial is a ruggedized miniature GNSS/INS & AHRS system that provides accurate position, velocity, acceleration and orientation under demanding conditions. It combines temperature calibrated accelerometers, gyroscopes, magnetometers and a pressure sensor with an advanced GNSS receiver. These are coupled in a sophisticated fusion algorithm to deliver accurate and reliable navigation and orientation, Advanced Navigation said.

    The Spatial product line takes advantage of the NV08C-MCM’s multi GNSS constellation support, ensuring high availability of navigation signals, high sensitivity, providing reliability, accuracy and performance.

    Advanced Navigation is a privately owned Australian company that specializes in the development of 3D navigation technologies. The company’s engineers come from a background in mission critical robotics built to military specifications.

     

  • Chronos Welcomes Ofcom Licensing for GPS/GNSS Repeaters in the UK

    Chronos Technology, supplier of GNSS (GPS, GLONASS, and Galileo) products and services, welcomes the decision by the UK regulator Ofcom on June 20 to implement a licensing regime for the use of GNSS repeaters in the UK. Chronos Technology has been at the forefront of GNSS repeater technology for many years and is one of the largest suppliers of this technology to the military in Europe.

    GNSS repeaters provide coverage for the use and testing of GNSS technology inside buildings where the GNSS signals do not normally reach. Until the recent decision by Ofcom, the use of this repeater technology in the UK was not permitted except in specialized (normally military) situations.  Large numbers of consumer and industrial products use GNSS technology for positioning and timing applications including smartphones, telematics equipment, avionics and emergency service applications. GNSS technology can also be used for resource management, civil engineering and military applications.

    The Ofcom consultation prior to this decision highlighted concerns about potential interference to applications by the use of GNSS repeaters; however, the conclusion was that a properly installed repeater system, conforming to the ETSI harmonized Standard for GNSS repeaters, should have no impact beyond 10 meters. This decision enables the use of GNSS repeaters in many applications and will provide significant benefits and cost savings to organizations wanting to develop, test, integrate and manufacture products and systems that use GNSS technology, Chronos said.

    Chronos has installed repeater and other general GNSS infrastructure in more than 50 countries over 15 years.

  • Resource Industry to Mine Data Faster with Actian and Geological Data Design

    Actian Corporation has announced that Geological Data Design (GDD), a specialist in the collection, management and analysis of exploration and mining data, has selected the analytical database Vectorwise to power its Field Data Integrator. GDD’s Field Data Integrator is an end-to-end mining and exploration solution that makes working with large volumes of resource data, including GPS, faster and simpler, Actian said.
     
    GDD’s Field Data Integrator automatically synchronizes sample data from GPS, various field instruments, and cameras onto a "tough" tablet using Bluetooth. Geologists enter notes directly onto the tablet using on-screen or wireless keyboards, enabling all data on samples to be collected automatically into a single source. The tablet then automatically synchronises with a master database running Vectorwise whenever in mobile range, saving geologists time in manual data entry.

    The end-to-end solution enables geologists to collect samples in shorter time frames, and then quickly analyze large volumes of sample data for complex scenarios such as project timings, cash flows, and profitability with greater sensitivity levels.
     
    “For the last 25 years GDD has been helping companies in the resource sector collect, manage, and analyze their data. Today’s technology enables us to do this more quickly and effectively,” said Tony Shellshear, principal and founder of GDD. “Geologists traditionally carry a lot of different field equipment to explore, record observations and take samples. They make notes and drawings, record coordinates, take photos, videos, or perhaps audio recordings. Collating this data can be very time consuming, and geologists can spend up to 1-2 hours a day manually entering these different information types into the database. GDD’s Field Data Integrator does all this automatically by synchronizing information from the various devices to the tablet computer, which then uploads the data to the main Vectorwise database when in reach of a wireless signal. This means geologists can spend more time collecting samples, or analysing the data, rather than being tied to the clerical work.”
     
    While the field data collected during the day is not always large, this data often integrates into a very large database, in some cases hundreds of millions or even billions of records. GDD chose the Vectorwise database for its ability to deliver significantly faster analysis of this data on commodity hardware, Actian said.
     

  • Update on EGNOS and GAGAN SBAS Satellites

    Source: GPS
    The shipping container that protected GSAT-10 during its travels from India to French Guiana is removed inside the Spaceport’s S5 payload preparation facility, revealing the spacecraft.

     

    News courtesy of CANSPACE Listserv.

    UPDATE: According to an Arianespace press release issued Thursday, the launch of the GSAT-10 and Astra 2F satellites is now scheduled for September 21.

    SES-5. The SES-5 geostationary communications satellite (also known as Sirius 5 and Astra 4B), which was launched on July 9, 2012, arrived at its orbital slot of 5 degrees east longitude on or about July 19. The current position is actually about 5.2 degrees.

    The satellite carries L1 and L5 transponders for the European Geostationary Navigation Overlay Service (EGNOS) satellite-based augmentation system. According to a spokesperson from the Space and Missile Systems Center, the Global Positioning Systems Directorate has assigned C/A PRN code 136 and L5 PRN code 136 for use by the satellite.

    GSAT-10. The Indian Space Research Organisation’s GSAT-10 geostationary communications satellite has arrived at the European spaceport in Kourou, French Guiana. The satellite carries a transponder for the GPS and GEO Augmented Navigation (GAGAN) satellite-based augmentation system.

    GSAT-10 will be launched together with the Astra 2F satellite by an Ariane 5 rocket on September 21. GSAT-10 is expected to be positioned at 83 degrees east longitude and use PRN code 128. It will join the first GAGAN-equipped satellite, GSAT-8, which is at 55 degrees east longitude and is transmitting test signals on the L1 frequency using C/A PRN code 127.

    Although GSAT-8 reportedly carries a dual-frequency transponder, no L5 signals from this satellite have yet been detected by International GNSS Service tracking stations.

  • Second Russian SBAS Satellite Prepared for Launch

    News courtesy of CANSPACE Listserv.

     

    Luch-5B, the second of a set of three geostationary satellites being launched to reactivate Roscosmos’s Luch Multifunctional Space Relay System, has been delivered to the Baikonur Cosmodrome. It arrived together with the Yamal-300K satellite in a single shipping container aboard an Antonov An-124-100 Ruslan flight from Krasnoyarsk.

    This marked the first time that Information Satellite Systems – Reshetnev has used the special container, which is large enough to carry two middle-class spacecraft at one time. According to the company, sophisticated equipment fitted with a control system that helps monitor the environment inside the container helps avoid any chances of external damage or unwanted environmental impact during transportation.

    Luch-5B is now undergoing preparations for launch.

    The Luch system will be used to relay communications and telemetry between low-Earth-orbiting spacecraft, such as the Russian segment of the International Space Station, and Russian ground facilities.

    The system’s satellites also carry transponders for the System for Differential Correction and Monitoring (SDCM), Russia’s satellite-based augmentation system. The transponders will broadcast GNSS corrections on the standard GPS L1 frequency using C/A PRN codes assigned by DoD’s Global Positioning Systems Directorate.

    As previously reported, Luch-5A, which was launched on 11 December 2011, has been placed in an orbital slot at 95 degrees east longitude. It began transmitting corrections on July 12, 2012, using PRN code 140.

    Luch-5B, scheduled for launch on September 7, 2012, will be positioned at 16 degrees west longitude.


    Satellite Luch-5B in an anechoic chamber at ISS-Reshetnev.

  • Drone Hack: Spoofing Attack Demonstration on a Civilian Unmanned Aerial Vehicle

    By Daniel Shepard, Jahshan A. Bhatti, and Todd E. Humphreys

    
    Unmanned aerial vehicle (UAV) used in the spoofing tests; owned by the University of Texas.

     A radio signal sent from a half-mile away deceived the GPS receiver of a UAV into thinking that it was rising straight up. In this way, the UAV’s dependence on civil GPS allowed the spoofer operator to force the UAV vertically downward in dramatic fashion as part of multiple capture demonstrations.

    In December 2011, Iran captured a U.S. Central Intelligence Agency (CIA) surveillance drone with only minor damage to the undercarriage of the drone, likely due to a rough landing when captured. An Iranian engineer claimed in an interview that “Iran managed to jam the drone’s communication links to American operators” causing the drone to shift into an autopilot mode that relies solely on GPS to guide itself back to its home base in Afghanistan. With the drone in this state, the Iranian engineer claimed that “Iran spoofed the drone’s GPS system with false coordinates, fooling it into thinking it was close to home and landing into Iran’s clutches.”

    Although the Iranian claims are highly questionable, this incident left many unanswered questions as to the security of GPS systems on unmanned aerial vehicles (UAVs). The CIA drone should have been guiding itself based on the encrypted military GPS signals, which would be incredibly difficult to spoof. However, some experts have conjectured that simultaneous jamming of the military signals and spoofing of the civilian signals might have worked if the drone had been programmed to fall back on the civilian GPS signals in the event that the military signals were jammed. This raises the question: How difficult would it be to spoof a UAV guiding itself based on civilian GPS signals?

    FAA Modernization Act

    In February of this year, Congress passed the FAA Modernization and Reform Act of 2012. According to the Library of Congress summary, this act “requires the Secretary [of Transportation] to develop a plan to accelerate safely the integration by September 30, 2015, of civil unmanned aircraft systems (UASes, or drones) into the national airspace system … [and] determine if certain drones may operate safely in the national airspace system before completion of the plan.”

    Such civilian UAVs would be primarily guided by civil GPS, which has been shown to be readily spoofable in the lab. This would create a significant potential hazard in the national airspace if the problem of civil GPS spoofing is not fixed. Thousands of civilian UAVs (operated by postal services, police departments, research institutions, and others) could populate the skies in only a few years while still being vulnerable to remote hijacking via GPS spoofing. The passing of the FAA Modernization Act further emphasizes the need to examine the vulnerability of UAVs to GPS spoofing.

    Test

    On invitation of the Department of Homeland Security (DHS), unclassified spoofing tests against a UAV were performed at White Sands Missile Range (WSMR) on June 19, 2012 during the DHS GYPSY test exercise. These tests demonstrated the capability of a spoofer, built by the University of Texas (UT) Radionavigation Lab, to commandeer a civilian UAV by influencing the position-velocity-time (PVT) solution of the UAV’s GPS receiver.

    The Spoofer. The civil GPS spoofer used for these tests is an advanced version of the spoofer reported in “Assessing the Spoofing Threat,” GPS World, January 2009. A schematic representation of the spoofer is shown in Figure 1. It is the only spoofer reported in open literature to date that is capable of precisely aligning the spreading codes and navigation data of its counterfeit signals with those of the authentic GPS signals. Such alignment capability allows the spoofer to carry out a sophisticated spoofing attack in which no obvious clues remain to suggest that an attack is underway.


    Figure 1. This spoofer is capable of precisely aligning the spreading code and navigation data of its counterfeit signals with GPS signals.

    The spoofer is implemented on a portable software-defined radio platform with a digital signal processor (DSP) at its core. This platform comprises:

    • A radio frequency (RF) front-end that down-mixes and digitizes GPS L1 and L2 frequencies
    • A DSP board that performs acquisition and tracking of GPS L1 C/A, calculates a navigation solution, predicts the L1 C/A databits, and produces a consistent set of up to 14 spoofed GPS L1 C/A signals with a user-controlled fictitious implied navigation and timing solution.
    • An RF back-end with a digital attenuator that converts the digital samples of the spoofed signals from the DSP to analog output at the GPS L1 frequency with a user-controlled broadcast power.
    • A single-board computer that handles communication between the spoofer and a remote computer over the Internet.

    The spoofer works by first acquiring and tracking GPS L1 C/A and L2C signals to obtain a navigation solution. It then enters its “feedback” mode, in which it produces a counterfeit, data-free feedback GPS signal that is summed with its own antenna input. The feedback signal is tracked by the spoofer and used to calibrate the delay between production of the digitized spoofed signal and output of the analog spoofed signal. This is necessary because the delay is non-deterministic on start-up of the receiver, although it stays constant thereafter.

    After feedback calibration is complete and enough time has elapsed to build up a navigation data bit library, the spoofer is ready to begin an attack. Initially, it produces signals that are aligned to within a few meters with the authentic signals at the location of the target antenna but have low enough power that they remain far below the target receiver’s noise floor. The spoofer then raises the power of the spoofed signals slightly above that of the authentic signals. At this point, the spoofer has taken control of the victim receiver’s tracking loops and can slowly lead the spoofed signals away from the authentic signals, carrying the receiver’s tracking loops with it. The target receiver can be considered completely captured when either of the following is true:

    • each spoofed signal has shifted by 2 µs relative to the authentic signals, or
    • each spoofed signal is at least 10 dB more powerful than the corresponding authentic signal.

    The latter option ensures that there is no significant interaction between authentic and spoofed signals by simultaneously jamming and spoofing.

    The UT spoofer and attack strategy have been tested against a wide variety of civil GPS receivers and have always been successful in commandeering the target receiver.

    Test UAV. The spoofing tests targeted a University-of-Texas-owned Hornet Mini UAV supplied by Adaptive Flight, which is shown in the opening photo. The Hornet Mini is roughly five feet long and weighs about 10 pounds when fully loaded. The Mini’s sophisticated avionics package loosely couples an altimeter, magnetometer, and a MEMS IMU package to a GPS receiver via an extended Kalman filter.

    The Hornet Mini is representative of UAVs used by law enforcement. Thus, the results of the spoofing tests with the Mini also apply to other similarly-designed UAVs, including those used in most civil applications, whose navigation systems are centered on civil GPS. It should be noted that no special alterations were made to the Hornet Mini for this test – it was in its “as sold” or “stock” configuration.

    Setup. A schematic of the setup used for the spoofing tests against the civil UAV at WSMR appears in Figure 2. The spoofer was located on a hilltop with the receive antenna on the far side of the hilltop from the transmit antenna as shown in Figure 3. The UAV site was located in a sandy basin approximately 620 meters from the transmit antenna.


    Figure 2. Schematic of the test setup.


    Figure 3. Aerial view of the test site showing the spoofer location on a hilltop and the UAV site 0.62 kilometers away.

    Procedure. The UAV was commanded by its ground controller to hover approximately 60 feet above ground level at the UAV site. After the initial ground control command was sent, the UAV maintained its hovering position automatically based on the navigation solution of its extended Kalman filter, which is based in part on GPS. At this point in the test procedure, the spoofed signals were not being broadcast: the UAV was only under the influence of the authentic GPS signals.

    The spoofer was then commanded to begin transmitting spoofed signals. To ensure seamless capture of the UAV’s GPS unit, the code phases of the spoofed signals were aligned to within meters of the authentic signals at the location of the UAV’s GPS antenna. The spoofed signals overpowered their authentic counterparts and instantly captured the tracking loops within the UAV’s GPS receiver.

    Immediately after capture, the spoofer induced a false velocity and corresponding position change in the UAV’s GPS receiver, drawing the position reported by the UAV’s extended Kalman filter away from the UAV’s commanded hover position. To compensate, the UAV’s flight controller responded by moving in the opposite direction. A safety pilot was on hand to prevent the UAV from drifting out of control.  This was necessary because by commandeering the UAV’s GPS receiver, the spoofer operator effectively breaks the UAV autopilot’s feedback control loop. The spoofer operator must now act as an operator-in-the-loop, which requires real-time, meter-level knowledge of the UAV’s true location.

    Results. Between tests at WSMR and UT, the spoofer demonstrated short-term 3-dimensional control of the UAV. Thus, we conclude that it is indeed possible to hijack a civil UAV — in this case, a fairly sophisticated one — by civil GPS spoofing.

    Interestingly, the Hornet Mini relies only on its altimeter for direct measurements of its vertical position; the GPS-measured vertical position is ignored. This can be done with reasonable accuracy because of the Hornet Mini’s short flight endurance (~20 minutes). However, the GPS vertical velocity does affect the extended Kalman filter’s vertical coordinate estimate because the filter propagates GPS velocity measurements through a UAV dynamics model to form an a priori vertical estimate that gets updated with the altimeter measurements. This dependence on GPS velocity allowed the spoofer operator to force the UAV vertically downward in dramatic fashion in the final three capture demonstrations.
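
    The vertical-channel coupling described above, as an added simulation (not code from the article or from the Hornet Mini's avionics): a fixed-gain filter stands in for the extended Kalman filter, and the gains, noise levels, window and threshold are assumed values. It shows the altitude estimate holding the hover set point while true altitude falls, and a monitor on the altimeter innovation flagging the inconsistency.

```python
import random
from collections import deque
from dataclasses import dataclass
from typing import Optional

# All numeric values below are assumptions for illustration, except the
# ~60 ft (18.3 m) hover altitude taken from the test procedure.
DT = 0.1          # filter and control step [s]
HOVER_M = 18.3    # commanded hover altitude [m]
K_ALT = 0.05      # fixed altimeter update gain (stand-in for the EKF gain)
KP = 1.0          # altitude-hold proportional gain [1/s]
SIGMA_ALT = 0.3   # altimeter noise, 1-sigma [m]
SIGMA_VEL = 0.05  # GPS vertical-velocity noise, 1-sigma [m/s]
WINDOW = 20       # innovations averaged by the monitor (2 s of data)
THRESH_M = 0.5    # alarm when |mean innovation| exceeds this [m]


@dataclass
class Result:
    min_true_alt: float
    final_true_alt: float
    final_est_alt: float
    alarm_time: Optional[float]  # first time the monitor fired, if ever


def steady_state_altitude_error(vel_bias: float) -> float:
    """Estimate-minus-truth error reached under a constant GPS velocity error.

    Error recursion: e' = (1 - K) * (e + bias * dt), so
    e_ss = (1 - K) * bias * dt / K.
    """
    return (1.0 - K_ALT) * vel_bias * DT / K_ALT


def simulate(vel_bias=0.0, bias_start_s=20.0, duration_s=60.0, seed=1) -> Result:
    """Hover hold with GPS-velocity propagation and altimeter updates.

    vel_bias > 0 means the GPS reports more upward velocity than is true.
    """
    rng = random.Random(seed)  # constructed noise, reproducible
    true_alt = est_alt = min_alt = HOVER_M
    window = deque(maxlen=WINDOW)
    alarm_time = None

    for k in range(int(round(duration_s / DT))):
        t = k * DT
        # Flight controller: steer the *estimated* altitude to the set point.
        true_vel = -KP * (est_alt - HOVER_M)
        true_alt = max(0.0, true_alt + true_vel * DT)  # ground at 0 m
        min_alt = min(min_alt, true_alt)

        # Sensors: GPS velocity (possibly falsified) and altimeter.
        bias = vel_bias if t >= bias_start_s else 0.0
        gps_vel = true_vel + bias + rng.gauss(0.0, SIGMA_VEL)
        alt_meas = true_alt + rng.gauss(0.0, SIGMA_ALT)

        # Filter: a priori estimate from GPS velocity, then altimeter update.
        prior = est_alt + gps_vel * DT
        innovation = alt_meas - prior
        est_alt = prior + K_ALT * innovation

        # Monitor: a persistent non-zero mean innovation means the GPS
        # velocity and the altimeter disagree about vertical motion.
        window.append(innovation)
        if alarm_time is None and len(window) == WINDOW:
            if abs(sum(window) / WINDOW) > THRESH_M:
                alarm_time = t

    return Result(min_alt, true_alt, est_alt, alarm_time)


if __name__ == "__main__":
    for label, bias in (("authentic", 0.0), ("false +2 m/s", 2.0)):
        r = simulate(vel_bias=bias)
        print(f"{label:>13}: true={r.final_true_alt:5.2f} m  "
              f"est={r.final_est_alt:5.2f} m  alarm={r.alarm_time}")
    print("predicted altitude loss:", steady_state_altitude_error(2.0), "m")
```
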

    Developing a full spoofer-based control system for a UAV is a difficult problem that, in addition to the requirement for real-time true position feedback, requires the spoofer to model the UAV’s feedback control behavior and to estimate the UAV’s desired path. Causing a UAV to spin out of control and crash is not difficult with a spoofer, but fine-grained control certainly is.

    Implications

    These tests have demonstrated that civilian UAVs will be vulnerable to control by malefactors with a civil GPS spoofer looking to hijack or crash these UAVs unless their vulnerability to GPS spoofing is addressed. There are several reasons why someone may want to spoof a drone, including fear over drones invading people’s privacy. This poses a significant safety concern that could result in mid-air collisions with other aerial vehicles or buildings, not to mention loss of property.

    Constructing from scratch a sophisticated GPS spoofer like the one developed by UT is not easy, nor is it within the capability of the average anonymous hacker. It is orders of magnitude harder than developing a GNSS jammer. Nonetheless, the trend toward software-defined GNSS receivers for research and development, where receiver functionality is defined entirely in software downstream of the A/D converter, has significantly lowered the bar to spoofer development in recent years.

    As a point of reference, we estimate that there are more than 100 researchers in universities around the globe who are well-enough versed in software-defined GPS that they could develop a sophisticated spoofer from scratch with a year of dedicated effort. More worrisome is the fact that one does not have to build a sophisticated spoofer like ours, capable of aligning its signals precisely with authentic signals at the location of a chosen target, to spoof a civil GPS receiver. A low-cost off-the-shelf GPS signal simulator would not permit the kind of seamless attack we carried out, but would be adequate to confuse and disrupt the navigation system of a commercial UAV.

    Fixing the Problem

    There is no quick, easy, and cheap fix for the civil GPS spoofing problem. Moreover, not even the most effective GPS spoofing defenses are foolproof. Nonetheless, many possible remedies would vastly improve civil GPS security. These defenses fall into two categories: cryptographic and non-cryptographic.

    Cryptographic defenses come primarily in two forms, spread-spectrum security codes (SSSC) and navigation message authentication (NMA), depending on whether the unpredictable digital signature is placed on the spread-spectrum code or the navigation data. These cryptographic signatures could be placed on WAAS signals or on existing or future GPS signals to authenticate the source of the WAAS or GPS signals. A cryptographic defense implemented with appropriate checks to protect against certain variants of spoofing attacks, described in “Straight Talk on Anti-Spoofing,” GPS World, January 2012, would significantly raise the bar for a would-be spoofer. Several proposals for cryptographic methods are currently on the table, including a proposal by Logan Scott to place SSSC signatures on the GPS L1C signals that will be broadcast by GPS Block III satellites. However, the current proposals for civil GPS cryptographic authentication schemes are still at least several years away from implementation and have a 5-minute window between authentications of each individual GPS signal. These proposals have so far made no progress toward implementation because of a lack of dedicated funds for development and implementation.

    There are also a number of promising non-cryptographic techniques for civil GPS spoofing detection, including jamming-to-noise power detectors (J/N meters), correlation profile anomaly defenses, and antenna-based defenses. J/N meters are simple and easy to implement, and would prevent a spoofer from simultaneously jamming and spoofing. However, a J/N sensor will not typically detect a spoofing attack in which the spoofed signals are only slightly more powerful than their authentic counterparts. The inclusion of a J/N meter does ensure that the authentic signals will also be visible as a corruption to the correlation curve during a spoofing attack, due to the difficulty of nulling out the authentic signal. This makes correlation profile anomaly defenses viable. However, these methods suffer from the difficulty of distinguishing multipath effects from a spoofing attack, particularly in mobile receivers. Antenna-based defenses also present an attractive option for anti-spoofing, but most of these methods require additional hardware (multiple antennas) and cost. One promising new antenna-based defense that does not require multiple antennas is currently under development at Cornell University. This defense involves an extension of the signal spatial correlation technique developed by the University of Calgary PLAN group. However, this technique is still under development, and receivers implementing it would likely be several times more expensive than current receivers.

    For details on potential spoofing defenses, see Todd Humphreys’s congressional testimony in “The System.”

    Recommendations

    We recommend that for non-recreational operation in the national airspace, civil UAVs exceeding 18 pounds be required to employ navigation systems that are spoof-resistant. Spoof resistance will be defined through a series of four canned attack scenarios that can be recreated in a laboratory setting. A navigation system is declared spoof-resistant if, for each attack scenario, the system is either unaffected by or able to detect the spoofing attack. Spoofing detection combined with an appropriate GPS-denied mode for the UAV to fall back on will significantly increase the difficulty of mounting a successful spoofing attack.

    Additionally, civil GPS receivers in many critical infrastructures (communications networks, financial trade centers, and the power grid) are also vulnerable to civil GPS spoofing. These critical infrastructures primarily rely on GPS for timing, which is also susceptible to manipulation with varying consequences depending on the application. A discussion of power grid vulnerabilities to GPS spoofing is given in “Going Up Against Time” in this issue of the magazine on page 34. We also recommend that GPS-based timing or navigation systems having a non-trivial role in systems designated by DHS as national critical infrastructure be required to be spoof-resistant.

    Finally, we recommend that funding be committed for development and implementation of a cryptographic authentication signature in one of the existing or forthcoming civil GPS signals. The signature should at minimum take the form of a digital signature interleaved into the navigation message stream of the WAAS signals. A better plan would be to interleave the signature into the CNAV or CNAV2 GPS navigation message stream. The best plan for implementing a cryptographic authentication signature would be to implement the signature as an SSSC interleaved into the spreading code of the L1C data channel. Inclusion of a cryptographic signature would greatly aid manufacturers in developing receivers that are spoof-resistant.

    Manufacturers

    The Hornet Mini UAV carries a µ-blox GPS receiver.


    Daniel P. Shepard is pursuing M.S. and Ph.D. degrees in aerospace engineering at the University of Texas (UT) at Austin. He is a member of the Radionavigation Laboratory.

    Jahshan A. Bhatti is pursuing a Ph.D. in aerospace engineering and engineering mechanics at UT and is a member of the Radionavigation Laboratory.

    Todd E. Humphreys is an assistant professor of aerospace engineering and engineering mechanics at UT and director of the Radionavigation Laboratory. He received a Ph.D. in aerospace engineering from Cornell University.