Tag: Regulus Cyber

  • GNSS Spoofing Detection: Guard against automated ground vehicle attacks

    Read Richard Langley’s introduction column, Innovation Insights: What is a carrier phase?


    An approach for ground vehicles using carrier-phase and inertial measurement data

    The combination of easily accessible low-cost GNSS spoofers and the emergence of increasingly automated GNSS-reliant ground vehicles prompts a need for fast and reliable GNSS spoofing detection. To underscore this point, Regulus Cyber, an Israeli cybersecurity company, recently spoofed a Tesla Model 3 on autopilot mode, causing the vehicle to suddenly slow and unexpectedly veer off the main road.

    Among GNSS signal authentication techniques, signal-quality monitoring (SQM) and multi-antenna techniques could be considered for implementation on ground vehicles. However, SQM tends to perform poorly on dynamic platforms in urban areas where strong multipath and in-band noise are common, and multi-antenna spoofing detection techniques, while effective, are disfavored by automotive manufacturers seeking to reduce vehicle cost and aerodynamic drag. Thus, there is a need for a single-antenna GNSS spoofing detection technique that performs well on ground vehicles, despite the adverse signal-propagation conditions in an urban environment.

    In a concurrent trend, increasingly automated ground vehicles demand ever-stricter lateral positioning to ensure safety of operation. An influential study calls for lateral positioning better than 20 centimeters on freeways and better than 10 centimeters on local streets (both at a 95% probability level). Such stringent requirements can be met by referencing lidar and camera measurements to a local high-definition map, but poor weather (heavy rain, dense fog or snowy whiteout) can render this technique unavailable.

    On the other hand, progress in precise (decimeter-level) GNSS-based ground vehicle positioning, which is impervious to poor weather, has demonstrated surprisingly high (above 97%) solution availability in urban areas. This technique is based on carrier-phase differential GNSS (CDGNSS) positioning, which exploits GNSS carrier-phase measurements having millimeter-level precision but integer-wavelength ambiguities.

    Key to our promising results is the tight coupling of CDGNSS and inertial measurement unit (IMU) data, without which high-accuracy CDGNSS solution availability is significantly reduced due to pervasive signal blockage and multipath in urban areas. Tight coupling brings millimeter-precise GNSS carrier-phase measurements into correspondence with high-sensitivity and high-frequency inertial sensing. Our particular estimation architecture incorporates inertial sensing via model replacement, in which the estimator’s propagation step relies on bias-compensated acceleration and angular rate measurements from the IMU instead of a vehicle dynamics model.

    As a consequence, at each measurement update, an a priori antenna position is available whose delta from the previous measurement update accounts for all vehicle motion sensed by the IMU, including small-amplitude high-frequency motion caused by road irregularities. Remarkably, when tracking authentic GNSS signals in a clean (open-sky) environment, the GNSS carrier-phase predicted by the a priori antenna position and the actual measured carrier phase agree to within millimeters.

    The research described in this article pursues a novel GNSS spoofing-detection technique based on a simple but consequential observation: it is practically impossible for a spoofer to create a false ensemble of GNSS signals whose carrier-phase variations, when received through the antenna of a target ground vehicle, track the phase values predicted by inertial sensing. In other words, antenna motion caused by factors such as road irregularities or rapid braking or steering is sensed with high fidelity by an onboard IMU but is unpredictable at the sub-centimeter-level by a would-be spoofer.

    Therefore, the differences between IMU-predicted and measured carrier-phase values offer the basis for an exquisitely sensitive GNSS spoofing-detection statistic. What is more, such carrier-phase fixed-ambiguity residual cost is generated as a byproduct of tightly coupled inertial-CDGNSS vehicle position estimation.

    Two difficulties complicate the use of fixed-ambiguity residual cost for spoofing detection. First is the integer-ambiguous nature of the carrier-phase measurement, which causes the post-integer-fix residual cost to equal not the difference between the measured and predicted carrier phases (as would be the case for a typical residual), but rather that difference modulo an integer number of carrier wavelengths. Such integer folding complicates development of a probability distribution for a detection test statistic based on carrier-phase fixed-ambiguity residual cost.

    Second, the severe signal multipath conditions in urban areas create thick tails in any detection statistic based on carrier-phase measurements. Setting a detection threshold high enough to avoid false spoofing alarms caused by mere multipath could render the detection test insensitive to dangerous forms of spoofing. Reducing false alarms by accurately modeling the effect of a particular urban multipath environment on the detection statistic would be a Sisyphean undertaking, requiring exceptionally accurate up-to-date 3D models of the urban landscape, including materials properties.

    Our work takes an empirical approach to these difficulties. It does not attempt to develop a theoretical model to delineate the effects of integer folding or multipath on its proposed carrier-phase fixed-ambiguity residual cost-based detection statistic. Rather, it develops null-hypothesis empirical distributions for the statistic in both shallow and deep urban areas, and uses these distributions to demonstrate that high-sensitivity spoofing detection is possible despite integer folding and urban multipath.
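    The empirical-threshold idea described above, as an added illustration (not code from the article or its authors): a detection threshold is read off a null-hypothesis sample of integer-folded carrier-phase residual costs and then applied to epochs in which the received phase fails to follow IMU-sensed antenna motion. The noise model, satellite geometry and mismatch sizes are constructed assumptions, and the per-epoch sum of squared folded residuals is a simplified stand-in for the estimator's fixed-ambiguity residual cost.

```python
import math
import random

L1_WAVELENGTH_M = 0.1903   # GPS L1 carrier wavelength, metres
SIGMA_CYCLES = 0.02        # assumed nominal phase noise (~4 mm), constructed
N_SATS = 8                 # assumed satellites per epoch, constructed


def fold_cycles(x):
    """Integer folding: map a phase difference in cycles into [-0.5, 0.5)."""
    return (x + 0.5) % 1.0 - 0.5


def residual_cost(measured, predicted, sigma=SIGMA_CYCLES):
    """Sum over satellites of squared folded residuals, normalised by sigma^2."""
    return sum((fold_cycles(m - p) / sigma) ** 2
               for m, p in zip(measured, predicted))


def empirical_threshold(null_costs, p_false_alarm):
    """Sample value exceeded by at most a fraction P_FA of the null samples."""
    ordered = sorted(null_costs)
    n_above = int(p_false_alarm * len(ordered))
    return ordered[len(ordered) - 1 - n_above]


def _phase_noise(rng):
    """Constructed urban noise: mostly thermal, 5% thick-tailed multipath."""
    sigma = 0.08 if rng.random() < 0.05 else SIGMA_CYCLES
    return rng.gauss(0.0, sigma)


def _line_of_sight(rng):
    """Random unit vector (east, north, up) to a satellite above a 15 deg mask."""
    az = rng.uniform(0.0, 2.0 * math.pi)
    el = math.radians(rng.uniform(15.0, 90.0))
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))


def simulate_epoch(rng, mismatch_m=0.0):
    """Return (measured, predicted) phases in cycles for one epoch.

    mismatch_m is the size of the IMU-sensed antenna motion that the received
    signals fail to reproduce (0 for authentic signals).
    """
    # Random direction for the unmatched antenna displacement.
    d = [rng.gauss(0.0, 1.0) for _ in range(3)]
    norm = math.sqrt(sum(c * c for c in d)) or 1.0
    d = [mismatch_m * c / norm for c in d]
    measured, predicted = [], []
    for _ in range(N_SATS):
        los = _line_of_sight(rng)
        pred = rng.uniform(0.0, 1000.0)      # IMU-predicted phase, cycles
        motion = sum(u * c for u, c in zip(los, d)) / L1_WAVELENGTH_M
        ambiguity = rng.randint(-5, 5)       # whole cycles vanish after folding
        measured.append(pred - motion + ambiguity + _phase_noise(rng))
        predicted.append(pred)
    return measured, predicted


def costs(rng, n_epochs, mismatch_m=0.0):
    """Residual cost for each of n_epochs simulated epochs."""
    return [residual_cost(*simulate_epoch(rng, mismatch_m))
            for _ in range(n_epochs)]


def alarm_rate(sample_costs, threshold):
    """Fraction of epochs whose cost exceeds the detection threshold."""
    return sum(c > threshold for c in sample_costs) / len(sample_costs)


def run_demo(seed=1):
    """Build the null distribution, set a 1% threshold, test three mismatches."""
    rng = random.Random(seed)
    null = costs(rng, 4000)
    threshold = empirical_threshold(null, p_false_alarm=0.01)
    report = {"threshold": threshold, "false_alarm": alarm_rate(null, threshold)}
    for mismatch in (0.005, 0.02, 0.05):     # metres of unmatched antenna motion
        report[mismatch] = alarm_rate(costs(rng, 2000, mismatch), threshold)
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, round(value, 3))
```

    With these constructed parameters the multipath tail pushes the 1% false-alarm threshold well above what thermal noise alone would require, so a 5 mm mismatch is rarely flagged while a 5 cm mismatch almost always is.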

  • Two years since the Tesla GPS hack

    Photo: Roi Mitt

    In June 2019, Regulus Cyber’s experts successfully spoofed the GPS-based navigation system of a Tesla Model 3 vehicle. This experiment provided an important warning for all companies using GNSS location and timing: these technologies, on which they depend, are highly vulnerable to spoofing attacks. In the two years since the experiment, companies and governments have continued to research the potential harm that can be caused by spoofing attacks and are learning more about how to defend themselves from them.

    The Tesla experiment was groundbreaking because it was the first time that a level 2.5 autonomous vehicle was exposed to a sophisticated GPS spoofing attack and its behavior recorded.

    We chose Tesla’s Model 3 because it had the most sophisticated advanced driver assistance system (ADAS) at the time, called Navigate on Autopilot (abbreviated NOA or Autopilot), which uses GPS to make several driving decisions. However, this experiment exposed several cybersecurity issues potentially affecting all vehicles relying on GPS as part of their sensor fusion for autonomous decision making.

    NOA makes lane changes and takes interchange exits once a destination is determined, without requiring any confirmation by the driver. Its several other features include autonomous deceleration and acceleration according to the speed limit, autonomous lane changing, and adaptive cruise control.

    These features use a variety of sensors, including cameras, radar, speedometers and more. The researchers wanted to test the extent to which the Model 3 relied on its GNSS receiver to make these driving decisions and how it behaved when receiving contradicting information from its GNSS receiver and its other sensors.

    The researchers used hardware and software purchased online to mimic the tools potential hackers would use. The experiment involved two software-defined radio (SDR) devices purchased online, one to spoof GPS and one to jam all other constellations, connected to an external antenna to simulate an external attack. The software used to simulate the GPS signal was downloaded from an online source, available for free.

    The test included three scenarios the researchers assumed would involve usage of GNSS, each one using a different spoofing pattern:

    Scenario 1. Exiting the highway at the wrong location

    Scenario 2. Enforcing an incorrect speed limit

    Scenario 3. Turning into incoming traffic

    A Tesla Model 3 was remotely hacked in a test of a GPS spoofing attack. (Photo: Regulus Cyber)

    Scenario 1: Exiting the Highway at the Wrong Location

    The car was driving normally at a constant speed of 95 KPH with NOA enabled. The destination determined for this ride was a town nearby and the car designated a certain interchange as the destination for an autonomous exit maneuver. The experiment began 2.5 km before the vehicle reached that interchange; however, the researchers’ fake GPS signal resulted in coordinates of a location on the same highway but only 150 m before the exit.

    As soon as its GNSS receiver was spoofed, the car assumed that it had reached the correct exit and began to maneuver to the right, activating the blinker, slowing down, turning the wheel, and crossing a dotted white line to its right side, exiting to an emergency pit-stop, confusing it with the exit 2.5 km ahead.

    To be clear, this would not have happened at just any location along the highway, because sensor fusion with the radar and the camera enables the car to avoid physical obstacles and ensures that it does not cross a solid white line that makes a turn illegal.

    The spoofing attack succeeded, in that it enabled the attacker to remotely manipulate the car’s sensor fusion and make it exit the highway at the wrong location.

    Scenario 2: Enforcing an Incorrect Speed Limit

    The car was driving to a random city far away on a highway, at a constant speed of 90 KPH, which was 10 KPH below the highway’s speed limit, with NOA enabled. The researchers generated a fake GPS signal, with the coordinates of a nearby town road that has a speed limit of 33 KPH. Shortly thereafter, the vehicle assumed the speed limit had just changed to 33 KPH and instantly began decelerating. Each time the driver attempted to accelerate using the gas pedal, as soon as he lifted his foot off the pedal the car engaged in heavy braking to quickly decelerate back to 33 KPH.

    To be clear, this would not have happened if NOA had been turned off. The cruise mode can be disabled by either using the touch screen or by pressing the brakes, which would allow the driver to regain full manual control over the vehicle’s speed.

    Again, the spoofing attack succeeded, in that it allowed the attacker to remotely manipulate the car’s speed and made it enforce a speed limit much lower than the actual one on the highway.

    Scenario 3: Turning into Incoming Traffic

    The car was being driven manually on a two-lane road with one lane in each direction, the type of road on which NOA cannot be used. The researchers generated a fake GPS signal, with coordinates of a nearby three-lane highway, with all lanes in the same direction. Furthermore, the spoofed location was 150 m from a designated exit that the vehicle’s navigation system was programmed to take, requiring a left turn.

    Shortly after the car’s GNSS receiver was spoofed, the vehicle assumed it was on a highway and engaged NOA. Next, it triggered the exit maneuver, which began with activating the left blinker, followed by turning the wheel to the left. The driver had to quickly grab the wheel and manually drive the car back to its lane to avoid a collision with oncoming traffic.

    To be clear, this kind of scenario would not be possible without the driver enabling the NOA. Once a Tesla driver enables NOA, it automatically turns on once the vehicle is on the highway with a set destination. This is why the researchers assumed that NOA would be turned on by default, and as long as NOA is activated, the vehicle is susceptible to the attacks mentioned in the experiment.

    Once again, the spoofing attack was successful in that it enabled the attacker to remotely steer the vehicle into the opposing lane, placing it on a direct collision course with oncoming traffic. Out of the three scenarios described, this one proved that GNSS spoofing can endanger lives.

    The hardware used for the GPS spoofing test. (Photo: Regulus Cyber)

    GPS Cybersecurity for Automotive Applications

    The NOA system in the Tesla Model 3, being an ADAS, allows drivers to rely on the car and its sensors for basic driving functions. Therefore, it enables drivers to briefly take their hands off the wheel and reduces the number of actions they are required to take. Nevertheless, drivers are still required to be fully attentive to the road so that they can take control of the vehicle at any time.

    However, since this spoofing attack had such a sudden and instant impact on the car’s driving behavior, a driver who is not fully attentive and aware would not be prepared to quickly take control and prevent an accident. By the time the driver notices that something is wrong and reacts, it might be too late to prevent an accident. Already drivers have been found sleeping at the wheel, driving under the influence of alcohol, and doing other inappropriate tasks with NOA engaged.

    Furthermore, this situation assumes a level 2.5 autonomous vehicle as was tested. But what happens in level 3 vehicles, in which driver engagement is limited, or level 4 and 5, in which driver response is non-existent? This research provides us with a glimpse into the crucial importance of sensor cybersecurity and particularly of GNSS cybersecurity.

    The Tesla hack experiment and its results were eye-opening for the autonomous vehicles sector – the danger is real and rising as more and more vehicles are depending on GNSS technology as part of their sensors for assisted or automated driving. Up to 97% of new vehicles since 2019 incorporate GNSS receivers and most if not all are still vulnerable to the same spoofing attacks presented in this research.

    In January 2021, the UN’s World Forum for Harmonization of Vehicle Regulations (WP.29) issued Regulation No. 155, which sets guidelines for cybersecurity in the automotive industry with the goal of addressing every possible cyber threat that it might encounter. Annex 5 of the regulation defines cyber attacks and states that in order to get approvals in the future vehicle manufacturers will need to provide solid evidence that their vehicles are sufficiently protected against them.

    Among the cyber threats mentioned in the Annex is spoofing of data received by the vehicle — both sybil spoofing attacks and spoofing of messages. The Annex also lists the appropriate protection that vehicle manufacturers should implement and states that vehicle manufacturers will be required to provide evidence of the effectiveness of the mitigation measures they choose. These upcoming regulatory requirements can make the difference between life and death in situations caused by GNSS spoofing and ensure that only reliable and resilient positioning is used within vehicles, both today and in the future.


    Please note: Tesla released a statement saying that it is “taking steps to introduce safeguards in the future which we believe will make our products more secure against these kinds of attacks.” Regulus Cyber researchers did not perform any further experiments with Tesla Model 3 since this research was published two years ago.

  • Using GPS as a weapon against coronavirus

    By Roi Mit, CMO, Regulus Cyber

    GPS technology is doing far more than helping us navigate or receive accurate time. It is now being used to fight the spread of the global COVID-19 pandemic.

    Global navigation satellite systems are being used to collect big data on travel and contact, but they are also being used in more unconventional ways: for example, quarantine enforcement and sanitation technology.

    Read on to learn about a few recent developments in the world of GNSS/GPS that are bolstering the battle against the novel coronavirus.

    Electronic monitoring enforces quarantine

    The use of ankle monitors to track sick individuals and deter them from spreading the virus further is surging. According to Bloomberg Businessweek, one business is thriving because of it: providers of electronic ankle monitors.

    Kentucky courts are requiring GPS ankle monitors for people who test positive for COVID-19 and refuse to self-quarantine. Kentucky couple Elizabeth and Isaiah Linscott were two of a growing number of people placed under house arrest after Elizabeth tested positive for COVID-19 and refused to sign the Self-isolation and Controlled Movement Agreed Order, a health department document promising she would stay home.

    Photo: Regulus Cyber

    Elizabeth told Louisville television station WAVE 3 News that she did not sign because she disagreed with the wording of the document. She said that she was concerned about having to contact the health department before traveling, even in the case of an emergency.

    “My part was if I have to go to the ER, if I have to go to the hospital, I’m not going to wait to get the approval to go,” she said.

    A few days after Elizabeth refused to sign the paperwork, her husband opened their door to an entourage of law enforcement officers serving them with a Health Department order to wear ankle monitors.

    “I open up the door, and there’s like eight different people, five different cars, and I’m like ‘what the heck’s going on?’ This guy’s in a suit with a mask. It’s the Health Department guy, and they have three papers for us. For me, her and my daughter,” Isaiah said.

    The Linscott family is now confined to a 200-foot radius. If they leave their designated quarantine area, their ankle monitors will alert law enforcement.

    Alternative to prison

    The number of people on house arrest in the United States and across the world has surged as corrections departments struggle to slow the spread of the coronavirus within prisons. An estimated 25 to 30 percent more people are wearing ankle monitors in comparison with a few months ago, according to Bloomberg Businessweek. The U.S. Federal Bureau of Prisons reported a 160 percent increase in home confinement from late March to July. European corrections departments have similarly put thousands of inmates on house arrest in the last few months.

    “Demand has spiked everywhere,” BI Inc. monitoring equipment executive Robert Murnock said to Bloomberg. “We’re getting calls from different jurisdictions and other countries we’ve never worked with.”

    Efforts to reduce crowding in prisons mean that the electronic monitoring industry is one of very few industries benefiting financially from the coronavirus pandemic.

    “Coronavirus gives electronic monitoring companies an opportunity like they’ve never had before to expand,” parole reform expert James Kilgore said.

    On Aug. 3, Singapore announced the rollout of electronic tracking devices to enforce quarantine. Travelers will be required to wear GPS and Bluetooth-powered tracking devices that notify authorities if quarantine is broken or the device is tampered with. The rule went into effect on Aug. 11 and applies to all incoming travelers — resident or nonresident — over the age of 12.

    On Aug. 20, the premier of Western Australia, Mark McGowan, said his government could soon force people in hotel quarantine to wear electronic monitoring equipment if they are deemed a risk. “If we identify people who are potential flight risks or who might have a criminal history, we are looking at applying monitoring bracelets to them,” he said.

    An estimated 25 percent to 30 percent more prisoners are wearing bracelets now compared to the pre-outbreak period. In the U.S., the Federal Bureau of Prisons has placed about 4,600 inmates in home confinement, a 160 percent increase since the end of March.

    “Demand has spiked everywhere,” said Robert Murnock, vice president for partnership development at BI Inc., a provider of EM technology.

    The emergency shift to electronic monitoring spurred by COVID-19 may foretell a long-term shift toward use as an alternative to prison time, reducing clutter and the risk of the virus spreading among inmates.

    Photo: LeoPatrizi/E+/Getty Images

    Contact tracing via mobile phones

    Israel is using covert mobile phone data to track the spread of COVID-19. On July 1, the Knesset approved a bill temporarily reauthorizing mass surveillance of coronavirus-infected citizens by the Shin Bet, Israel’s internal security service. The original program lasted from mid-March to June 9.

    The contact-tracing program works like this. When a patient is diagnosed with COVID-19, the Israeli Health Ministry provides their personal information — including their mobile number — to the Shin Bet. The Shin Bet then consults a classified database of every person who uses Israeli telecom services to determine who came into contact with the infected individual for more than 15 minutes at a time. After the Shin Bet sends information back to the Health Ministry, the Health Ministry notifies those people via text and tells them to self-quarantine.

    The Shin Bet’s newfound role in public health enforcement is quite different from its usual focus. Former Shin Bet agents say the COVID-19 mobile phone tracking technology was originally developed as a counterterrorism measure, and the tracking system being used on Israeli civilians is almost identical to that used for suspected terrorists.

    “It’s the same system, the same methods,” retired Shin Bet agent Arik Brabbing said to BBC. “We know that someone was here in the park. We can get from the [mobile phone] company all the details about the hour, the place, exactly the place… and we can understand who else was around.”

    Supporters of the mass surveillance program, including Prime Minister Benjamin Netanyahu, argue that reduced privacy is necessary to curb the spread of the virus. However, the Israeli government has come under fire by opponents who claim that the program is intrusive and undemocratic.

    Israel’s contact tracing procedures are more secretive than those of South Korea and Taiwan, other countries that mandate central mass surveillance. South Korea and Taiwan both enforce quarantines with mobile-phone tracking, and both have built publicly available COVID-19 data platforms.

    The South Korean government has disseminated detailed — but anonymized — information about COVID-19 carriers, including their travel routes and treatment facilities. Citizens broadly support these measures — a testament to collectivism in Korean culture.

    Civic engagement and enthusiasm for fighting the pandemic is also remarkable in Taiwan, where the public has been collaborating with the government on a town hall-style website called vTaiwan. Citizen-led initiatives, like a GPS-powered tool for tracking face mask supplies, have been applied nationwide.

    Meanwhile in Europe, eight major telecom companies, including Vodafone and Orange, have been supplying anonymized metadata to the European Commission to model and predict the spread of the virus. In the United States, the Centers for Disease Control and Prevention is soliciting GPS data from mobile advertising companies rather than carriers themselves.

    The two tech giants, Apple and Google, made it easier for health agencies to join their coronavirus exposure notification system, creating a new built-in app within iOS and Android. The app provides real-time notification to users when they are exposed to a sick person.

    Virus-killing robots may roam the streets

    GPS-based robots, drones and autonomous cars are being deployed to sanitize outdoor spaces, transport medical equipment, and announce safety information to the public.

    Robots began rolling around the streets of Wuhan, the original epicenter of the coronavirus outbreak, as early as January. China was the first to deploy robots of this type, but India, Spain, France and other countries have followed in their footsteps. In addition to the chemical-spray approach, some companies are pioneering mobile disinfection robots armed with large ultraviolet-C germicidal lights.

    Apollo, the autonomous vehicle company of multinational internet giant Baidu, has partnered with Chinese self-driving startup Neolix to transport food and supplies to Beijing Haidian Hospital. Every morning at 10:30 a.m., an unmanned car delivers meals to about 100 frontline workers. The process eliminates direct contact, protecting the safety of food service workers, hospital staff, and patients.

    Zhangjiang Artificial Intelligence Island

    A fleet of Apollo and Neolix’s unmanned cars is also responsible for disinfecting all roads on Zhangjiang Artificial Intelligence Island, a 100,000-square-meter industrial complex in Shanghai. The vehicles are loaded with up to 160 liters of spray disinfectant and can cover the island’s entire road system in about half an hour.

    The vehicles at Zhangjiang AI double as nighttime surveillance bots. They patrol the island and make sure that guests are adhering to coronavirus protocols, alerting security personnel if they note suspicious activity.

    In addition to using drones to spray disinfectant, South Korea’s government has leveraged the technology for public announcements. On July 4, 300 drones lit the sky above Seoul in a show of appreciation for frontline workers. The drones executed a 10-minute synchronized show that included images of face masks, hand washing, and social distancing.

    Summary

    As COVID-19 continues to ravage the globe, governments rely on GPS to track the virus, contain it, and fight against it. The battle against coronavirus is still being waged on a global scale, utilizing GPS as a weapon along with many other existing technologies.

    The pandemic changed the world forever, and it also highlighted the power of tracking and monitoring location of people and machines. It is another testament to the immense reliance on GPS technology in our modern world.

    The increased deployment of these technologies necessitates increased security measures, especially when public health is on the line. Regulus Cyber offers GPS Cybersecurity software. To read more about it, visit www.regulus.com.

    Sources

    Altshuler, Tehilla Shwartz, and Rachel Aridor Hershkowitz. “How Israel’s COVID-19 Mass Surveillance Operation Works.” Brookings, Brookings, 6 July 2020.

    Aravindan, A., & Geddie, J. (2020, August 03). Singapore to make travellers wear electronic tags to enforce quarantine (E. Davies, Ed.). Retrieved August 10, 2020.

    Bateman, Tom. “Coronavirus: Israel Turns Surveillance Tools on Itself.” BBC News, BBC, 12 May 2020.

    Chee, Foo Yun. “Vodafone, Deutsche Telekom, 6 Other Telcos to Help EU Track Virus.” Reuters, Thomson Reuters, 25 Mar. 2020.

    “Couple under House Arrest Says They’re Getting Hateful Comments.” ABC13 Houston, 22 July 2020.

    Eligon, John. “‘It’s a Slap in the Face’: Victims Are Angered as Jails Free Inmates.” The New York Times, 24 April 2020.

    Gelb, Michael, et al. “COVID-19 Boosts Fortunes of Electronic Monitoring Firms.” The Crime Report, 16 July 2020.

    Kim, Max S. “Seoul’s Radical Experiment in Digital Contact Tracing.” The New Yorker, 17 Apr. 2020.

    King, Faith. “Ky. Couple on House Arrest after Not Signing Positive COVID-19 Self-Isolation Order.” wave3.com, 19 July 2020.

    Kluth, Andreas. “Taiwan Offers the Best Model for Coronavirus Data Tracking.” Bloomberg, 22 April 2020.

    “Mobile Location Data and Covid-19: Q&A.” Human Rights Watch, 3 Aug. 2020.

    “School Uses Virus-Killing Robot to Keep Classrooms Clean amid COVID-19 Pandemic.” ABC7 San Francisco, 2 Aug. 2020.

    Tabachnick, Cara. “Coronavirus Creates Big Market for Electronic Ankle Monitors.” Bloomberg, 14 July 2020.

    Tau, Byron. “Government Tracking How People Move Around in Coronavirus Pandemic.” The Wall Street Journal, Dow Jones & Company, 28 March 2020.

    COVID-19 pandemic prompts more robot usage worldwide

    https://www.cnn.com/2020/07/08/asia/south-korea-drones-trnd/index.html

    https://www.technologyreview.com/2020/05/18/1001760/how-coronavirus-is-accelerating-autonomous-vehicles/

    https://www.travelpulse.com/news/destinations/singapore-to-require-electronic-monitoring-device-for-incoming-travelers.html

    https://www.straitstimes.com/asia/se-asia/quarantine-monitoring-devices-also-being-used-by-others-worldwide

    https://lostcoastoutpost.com/2020/aug/31/looking-relieve-jail-overcrowding-sheriffs-office/

    https://thecrimereport.org/2020/07/15/covid-19-boosts-fortunes-of-electronic-monitoring-firms/

  • Regulus Cyber’s GPS protection becomes part of Harman Shield

    Photo: Regulus

    Regulus Cyber, creator of what it calls “anti-virus” software to protect GPS navigation and timing across a wide range of applications, is collaborating with Harman, a connected-car company.

    The software-based cybersecurity solution will be part of Harman Shield, the company’s risk-management offering for vehicle manufacturers and mobility companies.

    “We are looking forward to joining forces with Harman, a Tier 1 supplier to the automotive industry, a trusted partner to more than 50 global vehicle manufacturers. Coming together with Harman is a great testament to the necessity of GPS protection measures in our industry,” said Yonatan Zur, CEO of Regulus Cyber.

    “We’re seeing our OEM customers expand into the digital and mobility spaces, offering added-value services to consumers by leveraging connectivity and mobile applications,” said Asaf Atzmon, vice president and general manager, Automotive Cybersecurity at Harman. “Through Harman Shield, we offer full visibility, analytics and risk management capabilities into cyber threats, and Regulus Pyramid GNSS solution complements our offering with another layer of protection against GPS hacking. We’re excited about the possibilities of this new collaboration with Regulus.”

    The Regulus Pyramid GNSS is a software solution that uses machine learning to detect spoofing and defend any GNSS receiver, device or chipset against it — ensuring the security and reliability that are essential to safe and accurate navigation. GPS spoofing attacks are becoming more common and are often difficult to detect and protect against.

    Pyramid GNSS uses a combination of patented algorithms, developed over years of spoofing experiments, to protect against attacks at the firmware, operating system, or application level. This deal is further proof of the market demand for resilient navigation and positioning at a time when GPS hacking is a growing concern.

  • Tesla Model S and Model 3 vulnerable to GNSS spoofing attacks

    Tesla Model 3. (Photo: Tesla)

    Autopilot Navigation Steers Car off Road, Research from Regulus Cyber Shows

    The Tesla Model S and Model 3 — electric cars built for speed and safety — are vulnerable to cyberattacks aimed at their navigation systems, according to recent research from Regulus Cyber.

    During a test drive using Tesla’s Navigate on Autopilot feature, a staged attack caused the car to suddenly slow down and unexpectedly veer off the main road. Regulus Cyber, the first company to deal with smart-sensor security across a wide range of applications including automotive, mobile, and critical infrastructure, initially discovered the Tesla vulnerability during its ongoing study of the threat that easily accessible spoofing technology poses to GNSS receivers.

    The Regulus Cyber researchers found that spoofing attacks on the Tesla GNSS receiver could easily be carried out wirelessly and remotely, exploiting security vulnerabilities in mission-critical telematics, sensor fusion, and navigation capabilities.

    Regulus Cyber experts traveled to Europe last week to test-drive the Tesla Model 3 using Navigate on Autopilot. An active guidance feature for its Enhanced Autopilot platform, it’s meant to make following the route to a destination easier, which includes suggesting and making lane changes and taking interchange exits, all with driver supervision.

    While it initially required drivers to confirm lane changes using the turn signals before the car moved into an adjacent lane, current versions of Navigate on Autopilot allow drivers to waive the confirmation requirement if they choose, meaning the car can activate the turn signal and start turning on its own. Tesla emphasizes that “in both of these scenarios until truly driverless cars are validated and approved by regulators, drivers are responsible for and must remain ready to take manual control of their car at all times.”

    Designed to reveal how the semi-autonomous Model S and Model 3 would react to a spoofing attack, the Regulus Cyber test began with the car driving normally and the autopilot navigation feature activated, maintaining a constant speed and position in the middle of the lane.

    Although the car was three miles away from the planned exit when the spoofing attack began, the car reacted as if the exit was just 500 feet away — abruptly slowing down, activating the right turn signal, and making a sharp turn off the main road. The driver immediately took manual control but couldn’t stop the car from leaving the road.

    The testing revealed another unexpected finding that significantly amplified the threat: a link between the car’s navigation and air suspension systems. This resulted in the height of the car changing unexpectedly while moving because the suspension system “thought” it was driving through various locations during the test: either smooth roadways, where the car was lowered for greater aerodynamics, or “off-road” streets, where the car would raise its undercarriage to avoid any obstacles on the road.

    Yoav Zangvil, Regulus Cyber CTO and co-founder, explains that GNSS spoofing is a growing threat to ADAS and autonomous vehicles. “Until now, awareness of cybersecurity issues with GNSS and sensors has been limited in the automotive industry. But as dependency on GNSS is on the rise, there’s a real need to bridge the gap between its tremendous inherent benefits and its potential hazards. It’s crucial today for the automotive industry to adopt a proactive approach towards cybersecurity.”

    The Regulus Cyber testing is designed to assess the impact of spoofing with low-cost, open source hardware and software, the same kind of technology that is accessible to anyone via e-commerce websites and open source projects on GitHub. Taking control of Tesla’s GPS with off-the-shelf tools took less than one minute.

    The researchers were able to remotely affect various aspects of the driving experience, including navigation, mapping, power calculations, and the suspension system. Under attack, the GNSS system displayed incorrect positions on the maps, making it impossible to plot an accurate route to the destination.

    Tesla’s response on Model S

    Prior to the Model 3 road test, Regulus Cyber provided its Model S research results to the Tesla Vulnerability Reporting Team, which responded with the following points at that time:

    Any product or service that uses the public GPS broadcast system can be affected by GPS spoofing, which is why this kind of attack is considered a federal crime. Even though this research doesn’t demonstrate any Tesla-specific vulnerabilities, that hasn’t stopped us from taking steps to introduce safeguards in the future which we believe will make our products more secure against these kinds of attacks.

    The effect of GPS spoofing on Tesla cars is minimal and does not pose a safety risk, given that it would at most slightly raise or lower the vehicle’s air suspension system, which is not unsafe to do during regular driving or potentially route a driver to an incorrect location during manual driving.

    While these researchers did not test the effects of GPS spoofing when Autopilot or Navigate on Autopilot was in use, we know that drivers using those features must still be responsible for the car at all times and can easily override Autopilot and Navigate on Autopilot at any time by using the steering wheel or brakes, and should always be prepared to do so.

    “This is a distressing answer by a car manufacturer that is the self-proclaimed leader in the autonomous vehicle race,” Zangvil commented. “As drivers and safety/security experts, we’re not comforted by vague hints towards future safeguards and statements that dismiss the threats of GPS attacks.”

    He offers the following counterpoints in response:

    • Attacks against any GPS system are indeed considered a crime because their effects are dangerous, as we’ve shown, yet the same devices we used to simulate the attacks are legally accessible to any person, online via e-commerce sites.
    • Taking steps to “introduce safeguards for the future” indicates that spoofing is, in fact, a major issue for Tesla, which relies heavily on GNSS.
    • In the case of cars, a spoofing attack is confusing in the best case, and a threat to safety in more severe scenarios.
    • The more GPS data is leveraged in automated driver assistance systems, the stronger and more unpredictable the effects of spoofing become.
    • The fact that spoofing causes unforeseen results like unintentional acceleration and deceleration, as we’ve shown, clearly demonstrates that GNSS spoofing raises a safety issue that must be addressed.
    • In addition, the spoofing attack made the car engage in a physical maneuver off the road, providing a dire glimpse into the troubled future of autonomous cars that would have to rely on unsecure GNSS for navigation and decision-making.
    • Given that the trust of the public still has to be earned as the automotive industry moves towards autonomy, the leading players are accountable for a responsible deployment of new technology.
    • As Tesla clearly stated, drivers are responsible for overriding autopilot under a spoofing attack, so it appears its autopilot system can’t be trusted to function safely under a spoofing attack.
    • Because every GNSS/GPS broadcast system can be affected by GNSS/GPS spoofing, the issue is everyone’s problem and shouldn’t be ignored; furthermore, governments and regulators that have a mandate to protect the public’s safety must engage in proactive measures to ensure only safe GNSS receivers are used in cars.

    “According to Tesla, they’ll soon be releasing completely autonomous cars utilizing GNSS, which means that, in theory, an attacker could remotely control the car’s route planning and navigation,” Zangvil said. “We’re obligated to ask what steps they’re taking to address this threat, and whether new safeguards will be implemented in its next generation of entirely autonomous cars.”

    Although Regulus Cyber researchers tested only the Model S and Model 3, they concluded that the “disturbing vulnerability” of Tesla’s GNSS system is most likely company-wide, as the same chipsets are used across the Tesla fleet.

    “Just a few months ago we saw that during a spoofing incident in a car show in Geneva, seven different car manufacturers complained that their cars were being spoofed. This incident proves that many other automotive companies that are working on the next generation of autonomous cars are also vulnerable to these attacks. As an industry, to win public trust and succeed, every car manufacturer should be proactive and prepare against these threats,” Zangvil said.

  • Regulus Cyber miniaturizes anti-spoofing GNSS receiver

    Photo: Regulus

    Regulus Cyber is showcasing its anti-spoofing GNSS receiver at the Consumer Electronics Show, being held Jan. 8-11 in Las Vegas.

    Previously introduced in our Launchpad feature, Regulus Cyber addresses GNSS spoofing attacks that threaten the automotive, aviation, maritime and mobile industries with a unique technology applicable both as a fortified GNSS receiver, capable of detecting spoofing attacks, and at the chip level, allowing mobile phones, cars and internet of things (IoT) devices to receive GNSS spoofing protection for the first time, the company said.

    The company was able to miniaturize its technology into a form factor that provides customers more flexibility with integration.

    The Regulus Pyramid GNSS Receiver is a fully functional GNSS receiver, fortified with spoofing-detection capability. The receiver contains patented technology that enables it to differentiate between real GNSS signals and fake ones generated by an attacker.

    The Pyramid GNSS receiver is a direct replacement for any automotive GNSS receiver. The upcoming chip-level technology offers both spoofing detection and spoofing mitigation to any GNSS-based device, including mobile phones, the company added.

    The Spoofing Problem. Any vehicle guided by a GNSS system can be spoofed using open-source software and a software-defined radio (SDR) legally purchased from Amazon for under $300. A spoofer can generate and transmit fake GNSS signals that can be used by the vehicle’s navigation system to calculate a false destination, directing the vehicle to an entirely different location, a potentially life-threatening hazard.

    In addition, spoofing is a growing concern to any application or device that uses satellite positioning, navigation or time. While real attacks are expanding, anti-spoofing solutions remain a luxury that only high-end, defense markets can afford.

    While current solutions are big, heavy and expensive, Pyramid GNSS offers industry-standard size and price. Industries such as automotive, aviation, maritime, and mobile phones can defend themselves against this sophisticated emerging threat, at an affordable price and relevant size, power consumption and weight, the company said.

    “We designed our product to be a fraction of the size that is currently available on the market so that all types of companies – whether it is a car manufacturer or telecom provider relying on GNSS – can integrate it seamlessly,” said Yonatan Zur, CEO of Regulus Cyber. “GNSS spoofing will need to be a major security focus during 2019 since it leaves so many industries vulnerable to attacks.”

    To meet Regulus Cyber at CES, visit booth #2602 at the Westgate.