Tag: spoofing attack

  • GNSS Spoofing Detection: Guard against automated ground vehicle attacks


    Read Richard Langley’s introduction column, Innovation Insights: What is a carrier phase?


    An approach for ground vehicles using carrier-phase and inertial measurement data

    The combination of easily accessible low-cost GNSS spoofers and the emergence of increasingly automated GNSS-reliant ground vehicles prompts a need for fast and reliable GNSS spoofing detection. To underscore this point, Regulus Cyber, an Israeli cybersecurity company, recently spoofed a Tesla Model 3 on autopilot mode, causing the vehicle to suddenly slow and unexpectedly veer off the main road.

    Among GNSS signal authentication techniques, signal-quality monitoring (SQM) and multi-antenna could be considered for implementation on ground vehicles. However, SQM tends to perform poorly on dynamic platforms in urban areas where strong multipath and in-band noise are common, and multi-antenna spoofing detection techniques, while effective, are disfavored by automotive manufacturers seeking to reduce vehicle cost and aerodynamic drag. Thus, there is a need for a single-antenna GNSS spoofing detection technique that performs well on ground vehicles, despite the adverse signal-propagation conditions in an urban environment.

    In a concurrent trend, increasingly automated ground vehicles demand ever-stricter lateral positioning to ensure safety of operation. An influential study calls for lateral positioning better than 20 centimeters on freeways and better than 10 centimeters on local streets (both at a 95% probability level). Such stringent requirements can be met by referencing lidar and camera measurements to a local high-definition map, but poor weather (heavy rain, dense fog or snowy whiteout) can render this technique unavailable.

    On the other hand, progress in precise (decimeter-level) GNSS-based ground vehicle positioning, which is impervious to poor weather, has demonstrated surprisingly high (above 97%) solution availability in urban areas. This technique is based on carrier-phase differential GNSS (CDGNSS) positioning, which exploits GNSS carrier-phase measurements having millimeter-level precision but integer-wavelength ambiguities.

    Key to our promising results is the tight coupling of CDGNSS and inertial measurement unit (IMU) data, without which high-accuracy CDGNSS solution availability is significantly reduced due to pervasive signal blockage and multipath in urban areas. Tight coupling brings millimeter-precise GNSS carrier-phase measurements into correspondence with high-sensitivity and high-frequency inertial sensing. Our particular estimation architecture incorporates inertial sensing via model replacement, in which the estimator’s propagation step relies on bias-compensated acceleration and angular rate measurements from the IMU instead of a vehicle dynamics model.

    As a consequence, at each measurement update, an a priori antenna position is available whose delta from the previous measurement update accounts for all vehicle motion sensed by the IMU, including small-amplitude high-frequency motion caused by road irregularities. Remarkably, when tracking authentic GNSS signals in a clean (open-sky) environment, the GNSS carrier-phase predicted by the a priori antenna position and the actual measured carrier phase agree to within millimeters.

    The research described in this article pursues a novel GNSS spoofing-detection technique based on a simple but consequential observation: it is practically impossible for a spoofer to create a false ensemble of GNSS signals whose carrier-phase variations, when received through the antenna of a target ground vehicle, track the phase values predicted by inertial sensing. In other words, antenna motion caused by factors such as road irregularities or rapid braking or steering is sensed with high fidelity by an onboard IMU but is unpredictable at the sub-centimeter-level by a would-be spoofer.

    Therefore, the differences between IMU-predicted and measured carrier-phase values offer the basis for an exquisitely sensitive GNSS spoofing-detection statistic. What is more, such carrier-phase fixed-ambiguity residual cost is generated as a byproduct of tightly coupled inertial-CDGNSS vehicle position estimation.

    Two difficulties complicate the use of fixed-ambiguity residual cost for spoofing detection. First is the integer-ambiguous nature of the carrier-phase measurement, which causes the post-integer-fix residual cost to reflect not the plain difference between the measured and predicted carrier phases (as would be the case for a typical residual), but rather that difference modulo an integer number of carrier wavelengths. Such integer folding complicates development of a probability distribution for a detection test statistic based on carrier-phase fixed-ambiguity residual cost.

    Second, the severe signal multipath conditions in urban areas create thick tails in any detection statistic based on carrier-phase measurements. Setting a detection threshold high enough to avoid false spoofing alarms caused by mere multipath could render the detection test insensitive to dangerous forms of spoofing. Reducing false alarms by accurately modeling the effect of a particular urban multipath environment on the detection statistic would be a Sisyphean undertaking, requiring exceptionally accurate up-to-date 3D models of the urban landscape, including materials properties.

    Our work takes an empirical approach to these difficulties. It does not attempt to develop a theoretical model to delineate the effects of integer folding or multipath on its proposed carrier-phase fixed-ambiguity residual cost-based detection statistic. Rather, it develops null-hypothesis empirical distributions for the statistic in both shallow and deep urban areas, and uses these distributions to demonstrate that high-sensitivity spoofing detection is possible despite integer folding and urban multipath.
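    The following toy model, added here and not code from the article or its authors, illustrates the statistic described above: the difference between IMU-predicted and measured carrier phase is integer-folded, squared and summed into a residual cost, a detection threshold is taken from an empirical null distribution of authentic epochs, and spoofed epochs (consistent with a smooth track rather than the antenna's bump-induced motion) are scored against it. Satellite geometry, noise levels and bump amplitudes are constructed assumptions, and receiver clock bias is assumed already removed by differencing.

```python
"""Toy model of a carrier-phase fixed-ambiguity residual cost used as a GNSS
spoofing-detection statistic with an empirically derived null threshold."""
import math
import random

LAMBDA_L1 = 0.1903  # GPS L1 wavelength in metres (c / 1575.42 MHz)

# Constructed satellite positions in a local east/north/up frame (metres).
SATS = [(1.2e7, 0.5e7, 1.5e7), (-0.8e7, 1.0e7, 1.6e7), (0.3e7, -1.1e7, 1.7e7),
        (-1.0e7, -0.6e7, 1.4e7), (0.9e7, 0.9e7, 1.3e7), (0.0, 0.2e7, 2.0e7)]


def fold_cycles(x):
    """Integer folding: wrap a phase difference (cycles) into [-0.5, 0.5)."""
    return (x + 0.5) % 1.0 - 0.5


def phase_cycles(pos, sat):
    """Geometric carrier phase (cycles) from an antenna position to a satellite."""
    return math.dist(pos, sat) / LAMBDA_L1


def residual_cost(pos_apriori, measured, sigma_m=0.003):
    """Fixed-ambiguity residual cost: sum over satellites of the squared, folded
    difference between measured and IMU-predicted phase, in units of sigma.
    `measured` holds phase values (cycles) still carrying integer ambiguities;
    folding removes the ambiguities but also caps each residual at half a
    wavelength. Receiver clock bias is assumed removed by differencing."""
    cost = 0.0
    for i, phi in enumerate(measured):
        r_m = fold_cycles(phi - phase_cycles(pos_apriori, SATS[i])) * LAMBDA_L1
        cost += (r_m / sigma_m) ** 2
    return cost


def simulate_epoch(rng, spoofed, imu_err=0.002, noise_m=0.003):
    """One measurement update (constructed data). The true antenna sits on a
    smooth track plus a 1-3 cm vertical bump the IMU senses, so the a priori
    position follows it to mm level. Authentic signals are consistent with the
    true antenna position; spoofed signals are consistent only with the smooth
    track, because a spoofer cannot predict cm-level road-induced motion."""
    smooth = (rng.uniform(-50, 50), rng.uniform(-50, 50), 0.0)
    bump = rng.choice((-1, 1)) * rng.uniform(0.01, 0.03)
    true_pos = (smooth[0], smooth[1], smooth[2] + bump)
    apriori = tuple(c + rng.gauss(0, imu_err) for c in true_pos)
    signal_pos = smooth if spoofed else true_pos
    measured = []
    for sat in SATS:
        ambiguity = rng.randint(-500, 500)  # unknown integer cycles per channel
        measured.append(phase_cycles(signal_pos, sat) + ambiguity
                        + rng.gauss(0, noise_m) / LAMBDA_L1)
    return apriori, measured


def evaluate(n_null=2000, n_test=500, quantile=0.99, seed=7):
    """Build an empirical null distribution from authentic epochs, set the
    threshold at the given quantile, then score fresh authentic and spoofed
    epochs. Returns (threshold, false_alarm_rate, detection_rate)."""
    rng = random.Random(seed)
    null = sorted(residual_cost(*simulate_epoch(rng, False)) for _ in range(n_null))
    threshold = null[int(quantile * (n_null - 1))]
    fa = sum(residual_cost(*simulate_epoch(rng, False)) > threshold for _ in range(n_test))
    det = sum(residual_cost(*simulate_epoch(rng, True)) > threshold for _ in range(n_test))
    return threshold, fa / n_test, det / n_test


if __name__ == "__main__":
    thr, far, pd = evaluate()
    print(f"threshold={thr:.1f}  false-alarm rate={far:.3f}  detection rate={pd:.3f}")
```

    The null distribution here is Gaussian-clean; the article's point is that real urban multipath thickens its tails, which is why the threshold must come from field data rather than from this kind of model.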

  • OSNMA anti-spoofing tech now on PolaRx5 GNSS reference receivers


    The Septentrio PolaRX5. (Photo: Septentrio)

    Septentrio, a leader in high-precision GNSS positioning solutions, has launched Open Service Navigation Message Authentication (OSNMA) on its high-end PolaRx5 reference receiver series.

    OSNMA offers end-to-end authentication on Galileo’s civilian signals, protecting receivers from GNSS spoofing attacks. OSNMA adds another layer of security to Septentrio’s existing AIM+ anti-jamming and anti-spoofing technology.

    This high level of resilience is especially important for reference receivers in applications that require assured PNT as well as in stationary critical infrastructure, which is especially vulnerable to GPS spoofing.


    The Septentrio PolaRx5 receiver with OSNMA technology will be showcased in booth 220 at the ION Joint Navigation Conference, taking place June 6-9 in San Diego.


    “We are excited to offer OSNMA anti-spoofing technology now in our scientific and reference GNSS receivers,” said François Freulon, head of product management at Septentrio. “The addition of OSNMA to Septentrio’s already strong anti-jamming and anti-spoofing technology takes our receivers to a new level as resilient positioning and timing solutions for industrial applications and critical infrastructure.”

    Septentrio has also updated the PolaRx5 product range with the latest RINEX format to support version 3.05 as well as version 4.0. With these updates, PolaRx5 becomes a leading scientific and reference receiver family supporting all of the new GNSS technologies introduced in 2022, Freulon said.

    The OSNMA authentication mechanism is also available on the mosaic GNSS module family and on Septentrio’s latest OEM boards.

  • Two years since the Tesla GPS hack


    Photo: Roi Mitt

    In June 2019, Regulus Cyber’s experts successfully spoofed the GPS-based navigation system of a Tesla Model 3 vehicle. This experiment provided an important warning for all companies using GNSS location and timing: these technologies, on which they depend, are highly vulnerable to spoofing attacks. In the two years since the experiment, companies and governments have continued to research the potential harm that can be caused by spoofing attacks and are learning more about how to defend themselves from them.

    The Tesla experiment was groundbreaking because it was the first time that a level 2.5 autonomous vehicle was exposed to a sophisticated GPS spoofing attack and its behavior recorded.

    We chose Tesla’s Model 3 because it had the most sophisticated advanced driver assistance system (ADAS) at the time, called Navigate on Autopilot (abbreviated NOA or Autopilot), which uses GPS to make several driving decisions. However, this experiment exposed several cybersecurity issues potentially affecting all vehicles relying on GPS as part of their sensor fusion for autonomous decision making.

    NOA makes lane changes and takes interchange exits once a destination is determined, without requiring any confirmation by the driver. Its several other features include autonomous deceleration and acceleration according to the speed limit, autonomous lane changing, and adaptive cruise control.

    These features use a variety of sensors, including cameras, radar, speedometers and more. The researchers wanted to test the extent to which the Model 3 relied on its GNSS receiver to make these driving decisions and how it behaved when receiving contradicting information from its GNSS receiver and its other sensors.

    The researchers used hardware and software purchased online to mimic the tools potential hackers would use. The experiment involved two software-defined radio (SDR) devices purchased online, one to spoof GPS and one to jam all other constellations, connected to an external antenna to simulate an external attack. The software used to simulate the GPS signal was downloaded from an online source, available for free.

    The test included three scenarios the researchers assumed would involve usage of GNSS, each one using a different spoofing pattern:

    Scenario 1. Exiting the highway at the wrong location

    Scenario 2. Enforcing an incorrect speed limit

    Scenario 3. Turning into incoming traffic

    A Tesla Model 3 was remotely hacked in a test of a GPS spoofing attack. (Photo: Regulus Cyber)

    Scenario 1: Exiting the Highway at the Wrong Location

    The car was driving normally at a constant speed of 95 KPH with NOA enabled. The destination determined for this ride was a town nearby and the car designated a certain interchange as the destination for an autonomous exit maneuver. The experiment began 2.5 km before the vehicle reached that interchange; however, the researchers’ fake GPS signal resulted in coordinates of a location on the same highway but only 150 m before the exit.

    As soon as its GNSS receiver was spoofed, the car assumed that it had reached the correct exit and began to maneuver to the right, activating the blinker, slowing down, turning the wheel, and crossing a dotted white line to its right side, exiting to an emergency pit-stop, confusing it with the exit 2.5 km ahead.

    To be clear, this would not have happened at any location along the highway, because sensor fusion with the radar and the camera enables the car to avoid physical obstacles and ensures that it does not cross a solid white line that makes a turn illegal.

    The spoofing attack succeeded, in that it enabled the attacker to remotely manipulate the car’s sensor fusion and make it exit the highway at the wrong location.


    Scenario 2: Enforcing an Incorrect Speed Limit

    The car was driving to a random city far away on a highway, at a constant speed of 90 KPH, which was 10 KPH below the highway’s speed limit, with NOA enabled. The researchers generated a fake GPS signal, with the coordinates of a nearby town road that has a speed limit of 33 KPH. Shortly thereafter, the vehicle assumed the speed limit had just changed to 33 KPH and instantly began decelerating. Each time the driver attempted to accelerate using the gas pedal, as soon as he lifted his foot off the pedal the car engaged in heavy braking to quickly decelerate back to 33 KPH.

    To be clear, this would not have happened if NOA had been turned off. The cruise mode can be disabled by either using the touch screen or by pressing the brakes, which would allow the driver to regain full manual control over the vehicle’s speed.

    Again, the spoofing attack succeeded, in that it allowed the attacker to remotely manipulate the car’s speed and made it enforce a speed limit much lower than the actual one on the highway.

    Scenario 3: Turning into Incoming Traffic

    The car was being driven manually on a two-lane road with one lane in each direction, the type of road on which NOA cannot be used. The researchers generated a fake GPS signal, with coordinates of a nearby three-lane highway, with all lanes in the same direction. Furthermore, the spoofed location was 150 m from a designated exit that the vehicle’s navigation system was programmed to take, requiring a left turn.

    Shortly after the car’s GNSS receiver was spoofed, the vehicle assumed it was on a highway and engaged NOA. Next, it triggered the exit maneuver, which began with activating the left blinker, followed by turning the wheel to the left. The driver had to quickly grab the wheel and manually drive the car back to its lane to avoid a collision with oncoming traffic.

    To be clear, this kind of scenario would not be possible without the driver enabling the NOA. Once a Tesla driver enables NOA, it automatically turns on once the vehicle is on the highway with a set destination. This is why the researchers assumed that NOA would be turned on by default, and as long as NOA is activated, the vehicle is susceptible to the attacks mentioned in the experiment.

    Once again, the spoofing attack was successful in that it enabled the attacker to remotely steer the vehicle into the opposing lane, placing it on a direct collision course with oncoming traffic. Out of the three scenarios described, this one proved that GNSS spoofing can endanger lives.

    The hardware used for the GPS spoofing test. (Photo: Regulus Cyber)

    GPS Cybersecurity for Automotive Applications

    The NOA system in the Tesla Model 3, being an ADAS, allows drivers to rely on the car and its sensors for basic driving functions. Therefore, it enables drivers to briefly take their hands off the wheel and reduces the number of actions they are required to take. Nevertheless, drivers are still required to be fully attentive to the road so that they can take control of the vehicle at any time.

    However, since this spoofing attack had such a sudden and instant impact on the car’s driving behavior, a driver who is not fully attentive and aware would not be prepared to quickly take control and prevent an accident. By the time the driver notices that something is wrong and reacts, it might be too late to prevent an accident. Already drivers have been found sleeping at the wheel, driving under the influence of alcohol, and doing other inappropriate tasks with NOA engaged.

    Furthermore, this situation assumes a level 2.5 autonomous vehicle as was tested. But what happens in level 3 vehicles, in which driver engagement is limited, or level 4 and 5, in which driver response is non-existent? This research provides us with a glimpse into the crucial importance of sensor cybersecurity and particularly of GNSS cybersecurity.

    The Tesla hack experiment and its results were eye-opening for the autonomous vehicles sector – the danger is real and rising as more and more vehicles are depending on GNSS technology as part of their sensors for assisted or automated driving. Up to 97% of new vehicles since 2019 incorporate GNSS receivers and most if not all are still vulnerable to the same spoofing attacks presented in this research.

    In January 2021, the UN’s World Forum for Harmonization of Vehicle Regulations (WP.29) issued Regulation No. 155, which sets guidelines for cybersecurity in the automotive industry with the goal of addressing every possible cyber threat that it might encounter. Annex 5 of the regulation defines cyber attacks and states that in order to get approvals in the future vehicle manufacturers will need to provide solid evidence that their vehicles are sufficiently protected against them.

    Among the cyber threats mentioned in the Annex is spoofing of data received by the vehicle — both Sybil spoofing attacks and spoofing of messages. The Annex also lists the appropriate protection that vehicle manufacturers should implement and states that vehicle manufacturers will be required to provide evidence of the effectiveness of the mitigation measures they choose. These upcoming regulatory requirements can make the difference between life and death in situations caused by GNSS spoofing and ensure that only reliable and resilient positioning is used within vehicles, both today and in the future.


    Please note: Tesla released a statement saying that it is “taking steps to introduce safeguards in the future which we believe will make our products more secure against these kinds of attacks.” Regulus Cyber researchers did not perform any further experiments with Tesla Model 3 since this research was published two years ago.


  • Research Online: Monitoring of wide-area oscillations in presence of GPS spoofing attacks

    By Yongqiang Wang and Aranya Chakrabortty, Clemson University /
    IEEE Power and Energy Society General Meeting, September 2017

    Phasor Measurement Units (PMU) are playing an increasingly important role in wide-area monitoring and control of power systems. PMUs allow synchronous real-time measurements of voltage, phase angle and frequency from multiple remote locations in the grid, enabled by their ability to align to GPS clocks. Given that this ability is vulnerable to GPS spoofing attacks, which have been confirmed easy to launch, this paper proposes a distributed real-time wide-area oscillation estimation approach that is robust to GPS spoofing on PMUs and their associated Phasor Data Concentrators (PDCs). The approach employs the idea of checking update consistency across distributed nodes and can tolerate up to one third of compromised nodes. Numerical simulations confirmed the effectiveness of the proposed approach.

    The lead author, an assistant professor of electrical and computer engineering at Clemson, leads a team that received $1 million from the National Science Foundation to fortify computers and devices against cyberattacks associated with timekeeping. “We want to provide secure timing solutions by securing the two most commonly used time distribution approaches, GPS receivers and NTP.”

  • PNT Roundup: Telecoms cite GNSS vulnerabilities

    In a technical report titled GPS Vulnerability released Sept. 15, the Alliance for Telecommunications Industry Standards (ATIS) renewed its call for an eLoran system to support telecom and other critical infrastructure in the United States.

    As part of its “Recommendations to Assure Time for Telecom” the report says:

    “An eLoran system (or equivalent) should be developed and implemented in the U.S. to provide a near-term alternative to GPS for the telecom system and other critical infrastructure. The physical and cyber security of eLoran transmission stations should be a consideration in their operation.”

    ATIS termed its report “a major resource to help better understand and address a formidable telecommunications industry challenge: the vulnerabilities in the Global Positioning System (GPS).”

    Requirements for precise time delivery have driven the industry toward the increased use of GPS and GPS-dependent technologies, it says. Yet this dependency has left the industry vulnerable to disruptions and manipulations of the GPS signal.

    GPS Vulnerability (ATIS-0900005) provides insight into the sources of the most common problems with GPS and their impacts. The report also covers several mature proposed solutions that would satisfy telecommunications sector timing requirements.

    “GPS disruptions have economic, financial and service impacts to carrier network operators, suppliers, cellular services as well as adjacent industries and government agencies that depend on a functioning wireless communications sector,” said ATIS President and CEO Susan Miller. “We believe that our report on this topic will contribute to solutions to help secure the delivery of time — a function critical to many sectors in our economy.”

    Known vulnerabilities to deliver GPS time to a system include environmental phenomena, malicious interference and spoofing, incidental interference, adjacent band interference, poor antenna installations and rare but present GPS segment errors.

    GPS Vulnerability discusses techniques to address these vulnerabilities as well as alternatives to GPS timing, with the goal of mitigating GPS vulnerabilities for the timing receivers used in the critical infrastructure.

    Alternatives covered in the report include Navigational Message Authentication on modernized GPS civil signals, atomic clock time holdover, sync over fiber, eLoran, WWVB, terrestrial beacons and more.


    Putin shows taste for spoofing

    For several days in June, more than 20 ships reported problems with GPS reception in the Black Sea (see Expert Opinion column, August GPS World). Experts concluded the problems were probably the result of a spoofing attack in the area.

    Norwegian journalist Henrik Lied of NRKbeta compared this with accounts of similar episodes near the Kremlin complex in Moscow, where tourists have reported their smartphones showing them at an airport outside the city.

    Lied interviewed University of Texas professor Todd Humphreys about his theory that this is an effort to keep drones from flying in the area: “Several of us [researchers in GNSS] have concluded the Kremlin spoofing was likely trying to trigger UAV geo-fencing, which prevents UAVs from flying near airports,” Humphreys said.

    A Moscow correspondent for the Norwegian Broadcasting Company reports that these GPS problems only tend to occur when President Vladimir Putin is in town.

    Several of the ships spoofed in the Black Sea were sailing in the vicinity of the Russian premier’s Black Sea vacation home. Putin was actually in the area when the incidents occurred. This may indicate that Russian authorities are spoofing wherever the Russian president is located.

    Humphreys said, “It’s long been assumed that Russia, China and other nations (including the U.S.) have the technology to carry out a spoofing attack. What’s surprising is Russia’s willingness to use it openly and somewhat indiscriminately. It does fit nicely into what has been called Russian disinformation technology.”

  • Expert Opinion: Spoofing attack reveals GPS vulnerability


    Dana Goward
    President, Resilient Navigation and Timing (RNT) Foundation

    An apparent mass GPS spoofing attack in June involved more than 20 vessels in the Black Sea and suggests that Russia may be aggressively experimenting with signal disruption and spurious substitution.

    On June 22, a vessel reported to the U.S. Coast Guard Navigation Center:

    “GPS equipment unable to obtain GPS signal intermittently since nearing coast of Novorossiysk, Russia. Now displays HDOP 0.8 accuracy within 100m, but given location is actually 25 nautical miles off…”

    Subsequent dialog with the ship’s master and examination of various documents and screen grabs he furnished enabled navigation experts to conclude this was a fairly clear case of spoofing: sending false signals to cause a receiver to provide false information. Other vessels in the vicinity experienced the same problem.

    The RNT Foundation has received numerous anecdotal reports of maritime problems with the automatic identification system (AIS), a tracking system used for collision avoidance on ships, and with GPS in Russian waters, though this is the first well-documented public account.

    Russia has very advanced capabilities to disrupt GPS. More than 250,000 cell towers in Russia have been equipped with GPS jamming devices as a defense against attack by U.S. missiles. And there have been press reports of Russian GPS jamming in both Moscow and the Ukraine. In fact, Russia has boasted that its capabilities “make aircraft carriers useless.”

    The U.S. director of National Intelligence issued a report on May 11 that states that Russia and other actors are focusing on improving their capability to jam U.S. satellite systems.

    Assuming Russia is behind this, why would they do such a thing? Possibly to encourage use of GLONASS or their terrestrial loran system, Chayka, instead of GPS. Possibly for some security reason known only to them.

    Whatever the reason, it reminds us of the vulnerability of GPS signals, and of the plethora of motives that “bad actors” — governmental or private criminal interests — may have to disrupt and deceive GNSS users.

    And of the U.S. Coast Guard’s advice about GPS and all satnav: “Trust But Verify.”


    Dana Goward is president of the Resilient Navigation and Timing Foundation. He is the proprietor at Maritime Governance LLC. In August 2013, he retired from the federal Senior Executive Service, having served as the maritime navigation authority for the United States. As director of Marine Transportation Systems for the U.S. Coast Guard, he led 12 different navigation-related business lines budgeted at more than $1.3 billion per year. He has represented the U.S. at IMO, IALA, the UN anti-piracy working group and other international forums. A licensed helicopter and fixed-wing pilot, he has also served as a navigator at sea and is a retired Coast Guard Captain.