Tag: surveillance

  • ITT Exelis Completes Signal Sentry 1000 Product Integration

    An ITT Exelis product that detects and locates GPS interference sources in 3-D by using longitude, latitude and altitude has successfully completed a significant integration milestone.

    Signal Sentry 1000, formerly known as GPS Interference, Detection and Geolocation, may now be deployed to collect actionable intelligence for law enforcement, such as tracking high-value targets and protecting critical infrastructure.

    Signal Sentry 1000 is a proprietary product that leverages GNSS signal domain knowledge; it is based upon patented technology developed by Exelis through many years of designing and fielding electronic intelligence systems, ITT Exelis said.

    “Exelis developed Signal Sentry 1000 to help protect critical infrastructure and to deliver intelligence to law enforcement operations that depend upon GPS availability,” said Kevin Farrell, positioning, navigation and timing general manager for Exelis Geospatial Systems. “Jamming devices can transmit signals capable of disrupting the synchronization of critical infrastructure, such as utility power grids, and timing information of financial transactions. This is why we are continually making improvements in our technology, and the latest milestone achievement is a testament to our goal to deliver actionable interference intelligence to agencies that rely upon GPS operational availability.”

    Signal Sentry 1000 technology is a network of threat-detection sensors, which are part of a centralized server executing Exelis‐developed proprietary location algorithms. These sensors can be strategically located around areas of critical infrastructure, such as shipping ports, utilities and government facilities to automatically sense and locate any intentional or unintentional GPS jamming source. Should a threat be detected, users would receive accurate location information and actionable intelligence in order to determine an interference-mitigation plan.

    “Signal Sentry 1000 builds upon Exelis expertise in the field of GPS and positioning, navigation and timing. Exelis payloads and payload components have been on board every GPS satellite for nearly 40 years,” said Farrell.  “Today, Exelis is involved in GPS modernization initiatives, building tomorrow’s GPS III satellite constellation by developing and integrating the navigation payloads. Exelis is also providing navigation processing components, precision monitor station receivers, and key components of the system security design for the GPS Operational Control System, also known as OCX.”

  • ITT Exelis Offers Signal Sentry to Detect Jamming Sources

    ITT Exelis is offering the Signal Sentry 1000, a proprietary product that detects, geolocates, and characterizes sources of intentional and unintentional interference to the U.S. GPS signals, and provides actionable intelligence to the user.

    The system leverages GNSS signal domain knowledge, and is based upon patented technology developed through the company’s history of designing and fielding electronic intelligence systems, ITT Exelis said.

    Leveraging Exelis GNSS signal domain knowledge, the system is implemented using commercially available GPS receiver and computer server/data technology. Actionable intelligence is available in the form of pin mapping of interference sources in addition to longitude/latitude/altitude data, all available through a web-enabled graphical user interface.

    Signal Sentry 1000 can assist efforts to ensure GPS spectrum integrity and aid in law enforcement operations that require GPS availability. Benefits for users include:

    • Instantaneous identification and geolocation of jamming sources, improving situational awareness.
    • Detect multiple jamming occurrences, geolocate multiple jammers simultaneously in harsh electromagnetic environments.
    • Defend against disruption of GPS guidance, traffic and asset control systems.
    • Protect against interference of GPS tracking of high-value assets.
    • Quickly identify jamming sources in open forums and emergencies, detecting disruption of critical communications.
  • Making Europe’s Seaways Safe for eNavigation

    eLORAN Initial Operational Capability at the Port of Dover

    An overview of the work of the General Lighthouse Authorities of the United Kingdom and Ireland on the implementation of Enhanced Loran Initial Operational Capability (IOC) in the waters around Great Britain. eLoran is the latest in the longstanding and proven series of low-frequency, LOng-RAnge Navigation systems. It evolved from Loran-C in response to the 2001 Volpe Report on GPS vulnerability. It vastly improves upon previous Loran systems with updated equipment, signals, and operating procedures.

    By Paul Williams and Chris Hargreaves

    GPS/GNSS is everywhere! It is used in many ship’s systems (Figure 1), but it is vulnerable to interference, both intentional and unintentional.

    Its output is displayed on the electronic chart display and information system; is transmitted to other vessels using the Automatic Identification System (AIS); is used to calibrate the gyro compass; is used in the radar; is fed to the digital selective calling system, so that the reported position is transmitted at the push of the emergency button for search-and-rescue; is in the vessel data recorder, the dynamic positioning system, surveying equipment, and the ship’s entertainment system for aiming the satellite dish; and it even synchronizes the ship’s clocks!

    28 days worth of ship-traffic data for the Strait of Dover.

    GNSS is also used in marine Aids-to-Navigation (AtoN) provision, for deploying buoys and lights, AIS transponders, and AtoN position monitoring, and its precise timing capabilities are used to synchronise the lights along an approach channel to improve conspicuity.

    GNSS (effectively GPS) has become the primary Aid-to-Navigation (AtoN) used by all professional and most other mariners. The vulnerability of GNSS to space weather and interference (unintentional and criminal jamming) means that a backup system is needed to achieve resilient Position, Navigation, and Timing (PNT) for e-Navigation. Though the probability of losing GNSS may be low, the consequential impact could be very high, and maintaining an appropriate balance of physical and radionavigation AtoNs is vital for e-Navigation.

    Figure 1. GPS is used in many ship’s systems.

    The International Maritime Organisation seeks to develop a strategic vision for e-Navigation, integrating existing and new navigational tools in an all-embracing system, contributing to enhanced navigational safety and environmental protection, while reducing the burden on the navigator. One of IMO’s requirements for e-Navigation is that it should be resilient — robust, reliable and dependable.

    The General Lighthouse Authorities of the United Kingdom and Ireland (GLAs) have the statutory responsibility to provide marine AtoNs around the coast of England, Wales, Ireland, and Scotland. It has become clear over recent years that if the GLA chose to implement eLoran, it could rationalize its physical AtoN infrastructure, removing some lights and other physical aids, and on balance actually reduce costs by implementing eLoran. Indeed, compared to other possible resilient PNT options such as GNSS hardening, radar absolute positioning, increasing physical AtoN provision, eLoran would save the GLAs £25.6M over a nominal system lifespan of 10 years from the introduction of e-Navigation services in 2018 to 2028.

    Not So Old-Fashioned. How does the new eLoran differ from the old, outdated, Loran-C system? The core signal of eLoran is pretty much the same as Loran-C, but tolerances have been tightened up. Things like carrier zero crossing points, half-cycle peaks, ECDs, transmission timing, signal power, signal availability, power supply resilience have all been upgraded, taking advantage of improvements in technology allowing us to better appease the so-called four horsemen of navigation: accuracy, availability, continuity, and integrity.

    SAM control is a thing of the past, and eLoran transmitters are synchronised directly to UTC. This means that their times of transmission can be predicted. Having stations independently synchronised to UTC means that the mariner no longer has to rely on old-fashioned hyperbolic navigation. Charts with hyperbolic lines of position on them are also a thing of the past. A modern eLoran receiver works just like a GPS receiver, employing signals from all available transmitters in its position solution. With GPS those transmitters are moving in space; in eLoran the transmitters are fixed onto the surface of the Earth.

    Reelektronika LORADD receiver, only 3 centimeters tall.

    Modern receivers are small (photo). They use off-the-shelf, high-performance processors, and the receiver is written in software, allowing a lot of flexibility.

    Three transmitters are sufficient to give you position; four or preferably five signals are better for integrity. But for timing and frequency applications you only need one transmitter. The Anthorn station in the UK can cover the entire UK and Ireland with a radio signal that has stability enough to satisfy the Stratum 1 frequency source requirement for steering the clocks of telecom networks, and Anthorn has not even been upgraded to full eLoran standard yet!

    One of the big differences between Loran-C and eLoran is that eLoran now has a data channel. Some of the Loran pulses of each pulse group are modulated so that data can be sent over the 100kHz signal. This allows service providers to send integrity alerts, and application-specific data, like UTC time, and differential-Loran (DLoran) and DGPS corrections. In Europe this is implemented by the already internationally standardised Eurofix system.

    A parallel can be drawn with GPS signals, which contain a navigation component (pseudorandom noise code and/or carrier phase) and modulated data. Some options for data channel technology are still evolving with 1500 bits per second demonstrated, and 3000 bps possible. That may not sound very much to salt-of-the-earth communications engineers, but for Loran it’s pretty impressive, especially when you consider prototype attempts at Loran data communications in the past have been limited to 30 to 250 bps.

    Maritime Applications Services

    How do we apply eLoran to something like the maritime application of port approach? It is important to remember that the receiver operates by measuring how long it takes a groundwave radio signal to travel over the surface of the earth. An eLoran receiver assumes that the world is made entirely of seawater, for which it has a very accurate propagation model built in. The receiver does not, and indeed cannot, know about any land along the propagation path; and land slows the signal down, perhaps by as much as a few microseconds, over typical propagation distances.

    So the service provider must survey the effects of the land masses in the area of coverage. The Additional Secondary Factors (ASFs) of all the stations across the proposed service area are therefore mapped. The ASF survey is a once-and-for-all task, but it needs to be done and the ASFs published. In the old days, hyperbolic lines would be “grid warped,” or tables would be published on paper for the navigator to enter values manually. But with modern eLoran receivers containing large amounts of memory, quite detailed ASF maps can be stored in the mariner’s receiver.

    ASFs depend on the electrical conductivity of the surface over which the eLoran signal travels. The conductivity changes with the constitution and moisture content of the earth. This means that the ASF along a path varies over a period of time — perhaps by as much as a few hundred nanoseconds over a year. Because the ASFs in a receiver are fixed, a method is needed to correct for this temporal ASF variation. In order to monitor this variation, a reference station is installed close to the harbor or point of use of the eLoran service. This DLoran reference station measures the temporal changes in the signals’ arrival times due to changing ASFs, transmitter variations, and weather effects.

    The phrase “reference station” conjures up images of expensive buildings, amenities, and hordes of personnel and associated support services. However, a DLoran reference station is a small box sitting in the corner of a room connected to a small eLoran receive antenna on the roof, and to the Internet. It sends differential corrections over the Internet to an eLoran transmitter, which then broadcasts them to the mariner’s receiver over the Loran Data Channel, for example Eurofix.

    Note that a DLoran reference station does not transmit a radio signal. It does not need a transmitter itself; it uses the Internet and the eLoran signal to disseminate its real time data. The mariner uses the same eLoran receiver to receive both the navigation signal AND the differential corrections.

    So the process is: map ASFs once; run a reference station; and broadcast corrections. That’s it! With good signal-to-noise ratio and transmitter geometry, 10-meter or better accuracy can be obtained.
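
    The three-step process above (stored ASF map, DLoran reference station, broadcast corrections), worked through as an added example that is not from the original article or the GLA's software. Everything in it is an assumption made for illustration: a flat local grid, four hypothetical transmitters A to D, a constant-speed stand-in for the receiver's seawater model, and constructed ASF, drift and noise values.

```python
import math

V = 299.792458 / 1.000338  # m/us: constant-speed stand-in for the receiver's seawater model

# Constructed scenario on a flat local grid in metres (not real station data).
TX = {"A": (-450e3, 300e3), "B": (500e3, 420e3), "C": (380e3, -350e3), "D": (-300e3, -500e3)}
BOX = (0.0, -20e3, 40e3, 40e3)  # x0, y0, width, height of the surveyed harbour area
# Surveyed ASF (us) per transmitter at the box corners: (x0,y0), (x1,y0), (x0,y1), (x1,y1)
ASF_GRID = {"A": (2.00, 2.20, 2.05, 2.30), "B": (0.80, 0.90, 0.85, 0.95),
            "C": (1.35, 1.45, 1.40, 1.50), "D": (3.00, 3.10, 2.95, 3.15)}
DRIFT = {"A": 0.25, "B": -0.12, "C": 0.18, "D": -0.30}      # us, ASF change since the survey
NOISE = {"A": 0.010, "B": -0.008, "C": 0.006, "D": -0.012}  # us, vessel measurement noise
VESSEL, REF = (12e3, -7e3), (10e3, -5e3)  # true vessel position; surveyed reference site
CLOCK_BIAS_US = 37.0                      # vessel receiver clock offset, unknown to the solver


def asf_map(station, x, y):
    """Bilinear interpolation of the stored ASF grid, clamped to the surveyed box."""
    x0, y0, w, h = BOX
    u = min(max((x - x0) / w, 0.0), 1.0)
    t = min(max((y - y0) / h, 0.0), 1.0)
    v00, v10, v01, v11 = ASF_GRID[station]
    return v00*(1-u)*(1-t) + v10*u*(1-t) + v01*(1-u)*t + v11*u*t


def toa(station, pos, bias_us=0.0, noise_us=0.0):
    """Simulated time of arrival (us): seawater delay + true ASF (map + drift) + clock + noise."""
    d = math.dist(pos, TX[station])
    return d / V + asf_map(station, *pos) + DRIFT[station] + bias_us + noise_us


def dloran_corrections():
    """Reference station: measured TOA minus the TOA predicted from its known position and the map.
    Its clock is assumed to be on UTC; a common offset would only shift the vessel's clock term."""
    return {s: toa(s, REF) - (math.dist(REF, TX[s]) / V + asf_map(s, *REF)) for s in TX}


def solve3(a, y):
    """Solve the 3x3 system a*x = y by Gaussian elimination with partial pivoting."""
    m = [row[:] + [rhs] for row, rhs in zip(a, y)]
    for c in range(3):
        p = max(range(c, 3), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, 3):
            f = m[r][c] / m[c][c]
            m[r] = [mr - f * mc for mr, mc in zip(m[r], m[c])]
    x = [0.0] * 3
    for c in (2, 1, 0):
        x[c] = (m[c][3] - sum(m[c][k] * x[k] for k in range(c + 1, 3))) / m[c][c]
    return x


def solve_position(meas, use_map, corrections=None, iterations=8):
    """Gauss-Newton fix for (x, y, clock bias) from TOAs to fixed, UTC-synchronised transmitters."""
    x, y, b = 0.0, 0.0, 0.0  # b is the clock bias expressed in metres
    for _ in range(iterations):
        rows, res = [], []
        for s, t in meas.items():
            # Stored ASF is looked up at the current position estimate; DLoran adds the drift.
            corr = (asf_map(s, x, y) if use_map else 0.0) + (corrections[s] if corrections else 0.0)
            d = math.hypot(x - TX[s][0], y - TX[s][1])
            rows.append([(x - TX[s][0]) / d, (y - TX[s][1]) / d, 1.0])
            res.append(V * (t - corr) - (d + b))
        jtj = [[sum(r[i] * r[k] for r in rows) for k in range(3)] for i in range(3)]
        jtr = [sum(r[i] * e for r, e in zip(rows, res)) for i in range(3)]
        dx, dy, db = solve3(jtj, jtr)
        x, y, b = x + dx, y + dy, b + db
    return x, y


def run():
    """Horizontal error (m) of the vessel fix at each stage of the process."""
    meas = {s: toa(s, VESSEL, CLOCK_BIAS_US, NOISE[s]) for s in TX}
    fixes = {"seawater model only": solve_position(meas, use_map=False),
             "ASF map": solve_position(meas, use_map=True),
             "ASF map + DLoran": solve_position(meas, use_map=True,
                                                corrections=dloran_corrections())}
    return {name: math.dist(fix, VESSEL) for name, fix in fixes.items()}


if __name__ == "__main__":
    for name, err in run().items():
        print(f"{name:20s} horizontal error {err:7.1f} m")
```

    With these constructed values the fix error is more than a hundred metres with the seawater model alone, tens of metres with the stored ASF map, and under ten metres once the reference station's corrections are applied. The sketch does not model how the temporal drift decorrelates with distance from the reference station.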

    Measuring ASFs

    The GLA have had the ability to measure ASFs for several years, using a combination of commercial hardware and proprietary software (Figure 2).

    Figure 2. GLA-produced software for ASF survey, processing, and validation.

    The software, written in Matlab, shows a real-time plot of the survey as it progresses. The ASF values are color-coded according to magnitude. The software can also process the ASF data once it has been measured, to get the best performance out of it. The real-time capabilities of the software allow the determination of the quality of the data while aboard the ship, rather than having to wait until back in the laboratory. Statistical analysis of the data can also show where the ship should go to gather more data in a particular area.

    Once the survey is complete, the software can be used to generate interpolated grids of ASF data — the most convenient and accurate form of ASF data storage.

    It is important with any scientific or engineering measurement to establish the error on that measurement. The same can be said of ASFs, and so the software can calculate the error bounds on ASF measurements. This “ASF error” data can again be published in grid form alongside the ASF database. This allows it to be used as one component of an Integrity Equation, implemented within the mariner’s receiver, to calculate Horizontal Protection Level (HPL).

    After processing, the ASF data should be validated by performing a harbor approach or other maneuver that requires a particular positioning accuracy. For this, the software can be switched to “Validation” mode. Once the validation is successful, the data can be output in a publication format (RTCM SC-127 format for example).

    The plot in Figure 2 shows part of an ASF database for Harwich and Felixstowe, major ports on the east coast of the UK. Using this data and DLoran in the Harwich and Felixstowe approach provides 10-meter (95 percent) positioning accuracy.

    UK eLoran Prototype

    This prototype eLoran system works alongside GPS. It has been in operation 24 hours a day since May 2010. It is “prototype” because it demonstrates the concept of eLoran using signals from existing Loran-C stations in Norway, the Faroe Islands, Germany, and France plus the UK’s station at Anthorn; see Figure 3.

    Figure 3. Relevant European Loran-C stations for prototype eLoran.

    These stations, together with ASF measurements and DLoran, can deliver a high-precision eLoran service in ports where 10-20 meter accuracy is needed, across the area enclosed by the green contour in Figure 4.

    Figure 4. Coverage of prototype eLoran over the UK and Ireland.

    It is very impressive, yet the full availability and accuracy benefits of eLoran are still to come as these stations are eventually upgraded to full eLoran capability. And for the last year or so, the GLA have begun to move beyond the confines of the Harwich and Felixstowe approaches and implement initial eLoran services in other regions around the GLA service area.

    The GLA aim to do this in two stages. In the first stage Initial Operational Capability (IOC) service will be installed by mid-2014, with the second stage Full Operational Capability (FOC) service covering all major ports in the UK and Ireland, plus Traffic Separation Schemes, installed by 2019 or so in time for e-Navigation.

    Initial Operational Capability

    IOC involves upgrading the installation at Harwich and Felixstowe and new installations in the approaches to another six of the busiest ports in the UK: Aberdeen, Grangemouth, Middlesbrough, Immingham, Tilbury, and Dover. For each of these areas an ASF survey and a DLoran reference station will be required.

    The corrections for these reference stations will be broadcast using the Anthorn Loran Data Channel. There is also the need for a Monitoring and Control System for the network of DLoran Reference Stations, and it is envisaged that this will be based in Harwich. Figure 5 illustrates the architecture of the Initial Operational Capability system. The diagram shows the major components: eLoran transmitter, DLoran reference station network, monitor, and control system. Also shown are the interfaces between the components, which provide not only operational data but also include the ability to monitor the integrity of the system. Also note that the Loran Data Channel is capable of supporting third-party messaging applications using a client “logon” facility. This is already being done at Anthorn.

    Figure 5. The architecture of the UK GLA’s eLoran Initial Operational Capability.

    The European tender process for seven operational reference stations and the control system is almost complete.

    The aim of IOC is to provide areas for demonstrations and trials, so that the mariner can gain experience of the system and its capabilities and provide feedback to the GLA on its performance.

    eLoran at the Port of Dover

    In the absence of the final operational reference stations, the GLA decided to perform an early implementation using prototype equipment that was already available at the GLA. The choice for this implementation was obvious: the iconic Port of Dover, a major port on the southeast coast of the UK and the Dover Strait, one of the busiest seaways in the world. Some 500-plus vessels travel through the Strait each day on their way to or from the North Sea region; see Opening Figure.

    The GLA have, with the agreement of Port of Dover Operations, installed a prototype DLoran Reference Station within the port’s Terminal Control building. The roof of the building is an ideal location for the reference station receiver antenna as the location demonstrates low noise in the eLoran band and has easy access to mains power, cable runs, antenna mounts, and Internet access.

    The ASF survey took place in March 2012, and covers the area outlined by the yellow polygon in Figure 6.

    Figure 6. Area of March 2012 ASF survey.

    Accuracy Performance Validation

    Once the ASFs had been measured and the prototype reference station installed, the performance needed to be tested. This was accomplished through a validation run of the vessel through the area.

    Figure 7 shows a screenshot of the GLA ASF measurement software running in validation mode. The colored track shows the path of the vessel, with the color indicating the positioning error compared to differential GPS. The vessel travels through an area of extrapolated and interpolated ASF data, so the positioning error at the northern end of the track is higher than the lower end of the track.

    Figure 7. Screenshot of GLA ASF measurement software running in validation mode.

    Figure 8 shows a comparison of eLoran positioning against DGPS positioning along the route as a scatter plot. The associated Cumulative Distribution Function (CDF) is shown on the right of the diagram. From this it can be seen that the positioning accuracy obtained along this particular route was 12.5 meters (95 percent).

    Figure 8. eLoran positioning accuracy scatter plot and cumulative distribution function of positioning error. Accuracy: 12.5 m (95%)

    Dover to Calais Ferry Installation. Further validation and demonstrations will take place aboard a cross-Channel ferry. P&O Ferries in the UK has installed a receiver aboard their vessel, The Spirit of Britain. This relatively new vessel is one of the largest passenger ships to operate along the iconic Dover to Calais route. Data will be collected and feedback obtained on the eLoran service’s performance over the coming months.

    Other Areas

    The GLA continue their work towards IOC-level eLoran. Dover was the first port of call for the GLA eLoran Initial Operational Capability — the ASFs have been mapped and a prototype DLoran reference station has been installed. The final operational DLoran reference stations should be available this time next year.

    The next area the GLA have concentrated upon is the Thames Estuary up to Tilbury. Although the GLA have not yet installed a permanent DLoran reference station, the ASF survey was performed in November 2012 using a temporary reference station installed at Medway. Along the route shown in Figure 9, a validation trial demonstrated 8.3 meters (95 percent) accuracy (Figure 10). The GLA have also recently surveyed the River Humber, including its approaches, up to the port of Hull. The data is currently in the process of being validated.

    Figure 9. ASF map validation route from the port of Medway heading out of the River Thames estuary.
    Figure 10. eLoran positioning accuracy scatter plot and cumulative distribution function of positioning error. Accuracy: 8.3 m (95%).

    Status and Next Steps

    The next steps are to continue the implementation of IOC eLoran at the remaining port approaches for this phase. It is the aim that all ASF surveys will have been performed by the middle of 2014 in readiness for the installation of the operational DLoran reference stations at each candidate port. Licence agreements are being established with the various port authorities involved in order to allow this.

    All ports that have been approached are positive and are keen to assist in the GLA eLoran implementations. eLoran noise surveys have been performed at all ports and locations for all DLoran reference stations have been found.

    The Port of Dover has prototype eLoran up and running and has demonstrated 12.5-meter (95 percent) accuracy during the limited validation performed so far; however, further validation continues aboard the Spirit of Britain ferry.

    The Thames Estuary ASF Survey has been performed, and 8-meter (95 percent) accuracy has been demonstrated in the area. The River Humber and its approaches have also been surveyed with validation in progress.

    IOC-level DLoran reference stations should be available mid-2014, ready for installation.

    The methods and processes employed during this work will be proposed for inclusion within the next version of the eLoran receiver Minimum Performance Specification as determined by Radio Technical Commission for Maritime Services (RTCM) Special Committee 27. These include techniques and algorithms used for ASF measurement processing, the preferred ASF file format, guidelines on the usage of ASF data, and integrity computation.

    Acknowledgments

    The GLA acknowledge the assistance of the crew of THV Alert, the Dover Harbour Board, Peel Ports (Medway), Associated British Ports (Humber), Aberdeen Harbour Authority, Forth Ports, PD Ports (Middlesbrough).

    This article is based on a presentation made at the Institute of Navigation International Technical Meeting, January 2013, in San Diego, California.


    Paul Williams is a principal development engineer with the Research and Radionavigation Directorate of the GLA, and technical lead of the GLA’s eLoran Work Programme, responsible for the ongoing roll-out of the GLA’s eLoran Initial Operational Capability (IOC). He holds a Ph.D. in electronic engineering from the University of Wales.

    Chris Hargreaves is a research and development engineer with the Research and Radionavigation Directorate of the GLA. His work focuses on eLoran in measurement trials, software development, and data analysis. He holds master’s degrees in mathematics and physics from the University of Durham and in navigation technology from the University of Nottingham.

  • Cambridge Consultants Unveils Indoor Locator System

    New technology from product development firm Cambridge Consultants can accurately detect someone’s location indoors when GPS drops out. A number of sensors and a custom algorithm determine the location, with an accuracy of within approximately 1 percent of the distance traveled.

    The technology uses low-power, low-cost sensors, and the device concept is small enough to clip on a belt. It also doesn’t need any existing internal infrastructure.

    “We are excited about the many possibilities this cutting-edge technology opens up and the impact it can have in many different situations,” said Geoff Smithson, technology director, sensing systems, at Cambridge Consultants. “It could be used to help locate firefighters in smoke-filled buildings, for example, or to pinpoint the closest doctor in a hospital during an emergency — or to track offenders during home curfews. We are just starting to see the potential of this approach and the diverse demand for this type of low-energy, highly accurate system.”

    Indoor tracking systems, which process data from one or more sources of location information to estimate where a person or object is located, are not new. But they often rely on RF signals from Wi-Fi access points or custom infrastructure, poor-quality GPS signals or expensive, high-quality sensors. The availability of low-cost smartphone components — including accelerometers, gyroscopes, magnetometers and pressure sensors — has enabled a new generation of location devices and applications, when combined with a tailored Bayesian algorithm to fuse the information.

    The new technology platform can be embedded in an existing design or operate as a stand-alone unit, with options to compute the location locally or transmit the information to a remote system that can process the data before visualizing it on a smartphone app.

    “Our biggest challenges were developing an algorithm which optimally combines the data from GPS and the other sensors, and overcoming the issues of using such low-cost sensors in a system without any absolute location reference,” said Smithson.

    Cambridge Consultants specializes in developing low-cost, low-power connected devices for clients with a team of experts with sensing, wireless and software  engineering expertise. The latest technology builds on the company’s tracking and location systems experience in a variety of market sectors ranging from defense and security to consumer, industrial, and oil and gas.

  • Spirent Technical Interchange Features Hands-on Demonstrations

    Next month Spirent is hosting a meeting with hands-on training sessions on GNSS simulation equipment led by Spirent engineers. The 2013 Spirent Federal GNSS Technical Interchange Meeting will be held March 19-21 at the DoubleTree Hotel Anaheim-Orange County, in Orange, California.

    March 19 and 20 are for general participation. The third day, March 21, features FOUO (For Official Use Only) sessions for U.S. citizens only.

    Topics covered include:

    • SVN49 anomaly simulation
    • Utilizing Remote Control and Motion
    • Advanced Modeling and Simulation Techniques
    • Differential GPS and Augmentation Systems
    • Multi-GNSS constellation testing
    • Integrated GPS/inertial testing (FOUO Session)
    • M-code simulation (FOUO Session)
    • CRPA testing (FOUO Session)

    The registration rate of $125 covers all meals and parking for three days.

  • UK Switches on eLoran for Backup in the English Channel

    The General Lighthouse Authorities of the UK and Ireland (GLA) have announced that ships in the Port of Dover, its approaches and part of the Dover Strait can now use eLoran radio navigation technology as a backup to satnav systems like GPS and Galileo. What is considered the world’s busiest shipping route is the first to deploy eLoran to counter jammers and space weather, the GLA said in a statement.

    The ground-based eLoran system provides alternative position and timing signals for improved navigational safety. The Dover area, the world’s busiest shipping lane, is the first in the world to achieve this initial operational capability (IOC) for shipping companies operating both passenger and cargo services.

    Today’s announcement represents the first of up to seven eLoran installations to be implemented along the East Coast of the United Kingdom. The Thames Estuary and approaches up to Tilbury, the Humber Estuary and approaches, and the ports of Middlesbrough, Grangemouth and Aberdeen will all benefit from new installations, and the prototype service at Harwich and Felixstowe will be upgraded, the GLA said.

    Although primarily intended as a maritime aid to navigation, eLoran could become a cost-effective backup for a wide range of applications that are becoming increasingly reliant on the position and timing information provided by satellite systems.

    “Our primary concern at the GLA is for the safety of mariners,” said Captain Ian McNaught, Chief Executive of Trinity House. “But signals from eLoran transmitters could also provide essential backup to telecommunications, smart grid and high frequency trading systems vulnerable to jamming by natural or deliberate means. We encourage ship owners and mariners to assess eLoran in this region and provide feedback to the GLA on its performance.”

    P&O Ferries has installed an eLoran receiver on its new vessel Spirit of Britain. She will be based at Dover and is one of the largest passenger ships the busy Dover/Calais route has ever seen.

    “Accurate real-time positional information is essential for the safe navigation of ships with modern electronic charts,” Captain Simon Richardson, head of Safety Management at P&O Ferries, said. “Satellite navigation systems are vulnerable to degradation of signal strength and our ships have also experienced occasional loss of signal. We welcome the development of a robust alternative to provide redundancy in real-time positional information and we see eLoran as the most effective solution to countering the problem.”

    Commenting on the announcement, Stephen Hammond, Minister for Shipping, said, “I congratulate the General Lighthouse Authorities on this initiative that seeks to improve navigational safety in what is the busiest shipping channel in the world, through the development and deployment of technology. I look forward to receiving reports of its effectiveness.”

  • LandAirSea Systems Trackers Announce Redesigned Online Store

    Vehicle-Tracking.com has been redesigned. Vehicle-Tracking.com is the official online e-commerce site of LandAirSea Systems, a provider of consumer and business-to-business GPS tracking devices since 1994.

    Vehicle-Tracking.com provides passive and real-time GPS tracking devices and systems designed for a wide range of applications, including fleet management, law enforcement surveillance, asset monitoring and personal vehicle tracking. Vehicle-Tracking also offers the full line of accessories, replacement parts, services and software for all of LandAirSea’s tracking systems.

    With more than 15 years of experience in the field of GPS tracking, LandAirSea’s support staff is available 24 hours a day, seven days a week, to assess and assist with any questions or purchases made from Vehicle-Tracking.com.

  • Directions 2013: The Future of GNSS Security

    Threat Development Parallels Information/Communication Technology

    By Oscar Pozzobon

    The GNSS interference session this year at the ION-GNSS conference in Nashville was one of the most crowded, confirming the need of all sectors of the community to understand the threats in GNSS and how they can be mitigated. In that context I received one of the most challenging questions of my career: “Can we predict the future of GNSS security?” What is the status of civil and commercial GNSS security today? Which are the threats and risks, and how are they mitigated? Where are we going and what shall we expect from the future?

    I decided to tackle this topic carefully, using as a basis and inspiration the history of information and communication technology (ICT) security: from the first threats and attacks of the 1980s to a glance at what technology offers today.

    Secondly, to obtain different perspectives — and shift the blame to someone else if one day these predictions should prove to be wrong — I solicited the opinions of three other experts and colleagues in the domain of GNSS and security: Logan Scott, Todd Humphreys, and David Last.

    Snapshots from History

    The Internet was officially born in 1969 when the U.S. Defense Advanced Research Projects Agency (DARPA) created the Advanced Research Projects Agency Network (ARPANET). A short 11 years later, the 414 Gang, a computer-hacking organization (the term hacking was coined at the Massachusetts Institute of Technology as early as the 1960s), performed one of the first attacks and frauds upon computer systems. In 1983 the first computer virus was discovered. In 1988 the Computer Emergency Response Team (CERT) was created to report and disseminate information on the threats, and AT&T Bell Labs created the first concept of firewalls. Some readers may recall the 1983 movie War Games, which found Hollywood hard at work on cyber-attacks, denial, and deception to computer systems at a time when we had only six GPS satellites in orbit. One year later, Steven M. Bellovin published a paper on the possibility of performing a transmission control protocol/internet protocol (TCP/IP) spoofing attack.

    Six years after that paper, in 1995, the Computer Incident Advisory Committee (CIAC) reported the first TCP/IP spoofing attack to a system. In another four years, the first denial of service (DoS) attack to computer networks was reported by the CERT. A DoS attack consists of several computer systems sending unsolicited requests to the target, causing a saturation of network and computer resources. In terms of objectives, it could be compared to what jamming causes in GNSS systems.

    Between 1984 and 1986, Dorothy Denning and Peter Neumann researched and developed the first model of a real-time intrusion detection system (IDS). This prototype was initially a rule-based expert system trained to detect known malicious activity. I like to think that this could be compared to today’s jamming detection and localization systems.

    In the 1990s, the need for guidelines to provide general outlines as well as specific techniques for implementing security became a pressing one for all organizations. The first standard, BS 7799, was originally published by the British Standards Institution (BSI) in 1995 and was later adopted by the International Organization for Standardization (ISO) as the ISO/International Electrotechnical Commission (IEC) 27000 series.

    Information technology today can be security-evaluated via the Common Criteria (CC) standard (ISO/IEC 15408), which allows computer-systems certification. CC is a framework in which computer system users can specify their security functional and assurance requirements. The Federal Information Processing Standard (FIPS) 140 is an alternative standard for cryptographic modules, developed by the U.S. Federal Information Processing Standards.

    The Nessus Project, started by Renaud Deraison in 1998, set as its objective the provision of an open-source vulnerability-assessment tool. Since 2000, Nessus has become one of the most popular tools for computer-network security and vulnerability assessment, used by more than 75,000 organizations worldwide.

    ICT security today is assured through a lifecycle composed of CERT managing the threat notifications, ISO/IEC 27000 managing the processes, CC/FIPS 140 defining the security requirements for the system, and vulnerability assessment tools certifying the robustness.

    Now, Where Are We in GNSS?

    Radio-frequency interference (RFI) or jamming cases can hardly be tracked, as they are difficult to detect and have a long history in the military domain. Recent incidents such as the one at Newark International Airport show that the threat is increasing and demonstrate the need for mitigation strategies. GNSS signal falsification fraud, or spoofing, seems as yet to have no evident cases in the civil domain.

    The Volpe Report of September 10, 2001 is one of the first government public announcements of GNSS threats, including jamming and spoofing. More than 10 years later, the unmanned aerial vehicle (UAV) experiment coordinated by Todd Humphreys at the University of Texas proved that such attacks are feasible.

    In GNSS, jamming detection (and sometimes mitigation) is nowadays a commercial option for some professional and mass-market GNSS receivers. Spoofing detection has been available in commercial prototype receivers since 2008 (among others, the Trusted GNSS Receiver (TIGER) funded by the European GNSS Agency). In 2012 we have seen the presentation of the first civil GNSS security testbed. For examples of the latter, see the University of Texas TEXBAT initiative, mentioned on page 37, and the GNSS Authentication and User Protection System Simulator (GAUPSS) project, which involved the development of software and algorithms that were integrated and tested in the radio navigation laboratory of the European Space Agency/European Space Research and Technology Centre (ESA/ESTEC) in Noordwijk, the Netherlands.

    I will make the assertion that compared to ICT security, civil GNSS security seems to be reliving the early days of the 1980s: first publication of attack concepts, first publicly known attacks, no standards, and only prototype mitigation strategies. With a gap of almost 30 years, at least four mid-Earth orbit GNSS systems becoming operational in the next few years, and an annual 10 percent growth rate of GNSS applications, the era of civil GNSS security begins now.

    The Question Why

    Logan Scott is a consultant specializing in radio-frequency signal processing and waveform design for communications, navigation, radar, and emitter location. His opinion on the future threat leaves no doubts:

    “In assessing security threats, an important starting question is ‘Why would someone do that?’ If there is no motivation, chances are, there won’t be an attack. Over the last five years or so, the combination of ubiquitous, low-cost communications systems and satellite navigation has moved civil GNSS positioning and timing into use domains where there are stronger motivations for an attack. Specifically, widespread use in asset monitoring and tracking encourages jamming attacks and so, we are seeing more such attacks. As GNSS becomes more deeply embedded into societal infrastructure, we can expect to see more attacks of increasing sophistication. Motivation will be there.”

    David Last is a consultant engineer and expert witness specializing in radio-navigation and communications systems. He operates in the domain of covert tracking and law enforcement, an area where interference can be tempting. As an expert in the field, and to the best of his knowledge, he believes that “although there are some cases of jamming, we have seen no events of spoofing — so far. To date, all we have seen from criminals are crude jamming attacks. Attacks by technically sophisticated aggressors who understand GNSS vulnerability have yet to start. They will be much more serious.

    “Furthermore, when the receiver stops receiving data in a court case, we can’t say it’s jamming: we can mention that is one of the things that stops the signal. Law enforcement is now beginning to use receivers that can perform jamming detection.”

    David Last’s opinion on the issue of potential low-cost spoofers appearing in the near future was also provocative: “Criminals don’t buy things, they steal them.”

    The Time is Right, Now

    An ICT security standard arrived about 10 years after the first publication and case reports of attacks. Are we at the right time, now, to consider security certification of GNSS receivers?

    Logan Scott’s opinion is that receivers should be certified in order to provide awareness of the attacks:

    “Today, essentially all houses and buildings have smoke alarms. Smoke alarms don’t put out fires but they do alert the occupants to the probability that there is a problem. Similarly, GNSS receiver situation awareness regarding jamming and spoofing is a first step towards militating against attacks on GNSS components. As civil receivers stand today, many don’t discriminate between loss of lock due to signal attenuation and loss of lock due to jamming. This needs to change.

    “Fairly simple algorithms can detect most types of jamming and spoofing. Jammers and simple spoofers almost invariably affect automatic gain control gain settings. They are easy to detect. More sophisticated spoofers have difficulty covering apparent direction of arrival and can be detected using some simple antenna techniques.

    “The problem for the user community at large is in knowing whether or not a receiver maintains adequate situational awareness. This is where test-based receiver certification can play a role.”
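    The distinction Scott draws between loss of lock from attenuation and loss of lock from jamming can be made concrete with the AGC observation he mentions. The following is an added example, not code from the article or from any receiver vendor: the `Epoch` fields, thresholds, state names and the trace are all constructed assumptions, and the rule that a depressed AGC with healthy C/N0 points at a simple spoofer is a heuristic reading of the quote.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Epoch:
    t: int            # seconds since start of the trace
    agc_db: float     # AGC gain setting; it falls when in-band power rises
    cn0_dbhz: float   # mean C/N0 over the tracked satellites


def baseline(epochs):
    """Learn nominal AGC and C/N0 levels from an interval assumed clean."""
    agc = [e.agc_db for e in epochs]
    cn0 = [e.cn0_dbhz for e in epochs]
    # Floor sigma so a very quiet baseline does not make the test hair-trigger.
    return mean(agc), max(pstdev(agc), 0.1), mean(cn0)


def classify(e, agc_mean, agc_sigma, cn0_mean, k=5.0, cn0_drop_db=6.0):
    """Label one epoch. k and cn0_drop_db are assumed tuning values."""
    agc_low = e.agc_db < agc_mean - k * agc_sigma      # extra power in band
    cn0_low = e.cn0_dbhz < cn0_mean - cn0_drop_db      # signals degraded
    if agc_low and cn0_low:
        return "JAMMING_SUSPECTED"      # power up, signal quality down
    if agc_low:
        return "SPOOFING_SUSPECTED"     # power up, signals still look healthy
    if cn0_low:
        return "ATTENUATION"            # signals weak, no extra power seen
    return "NOMINAL"


def monitor(trace, n_baseline=30, persist=3):
    """Return (t, state) for each change into a non-nominal state.

    A state is accepted only after `persist` consecutive epochs agree, so a
    single corrupted AGC reading does not raise an alarm.
    """
    agc_mean, agc_sigma, cn0_mean = baseline(trace[:n_baseline])
    changes = []
    active, run_label, run_len = "NOMINAL", "NOMINAL", 0
    for e in trace[n_baseline:]:
        label = classify(e, agc_mean, agc_sigma, cn0_mean)
        if label == run_label:
            run_len += 1
        else:
            run_label, run_len = label, 1
        if run_len >= persist and run_label != active:
            active = run_label
            if active != "NOMINAL":
                changes.append((e.t, active))
    return changes


def constructed_trace():
    """Constructed 80 s trace at 1 Hz; the values are illustrative only."""
    trace = [
        Epoch(t, 40.0 + 0.2 * ((t % 5) - 2), 45.0 + 0.5 * ((t % 3) - 1))
        for t in range(30)                      # clean baseline
    ]
    segments = [
        (30, 40, 40.1, 32.0),   # underpass: C/N0 drops, AGC unchanged
        (40, 50, 40.0, 45.0),   # clear sky
        (50, 60, 28.0, 30.0),   # strong in-band power and degraded C/N0
        (60, 70, 40.0, 45.0),   # clear sky
        (70, 80, 36.0, 47.0),   # AGC depressed while C/N0 looks healthy
    ]
    for start, end, agc, cn0 in segments:
        trace.extend(Epoch(t, agc, cn0) for t in range(start, end))
    trace[44] = Epoch(44, 28.0, 30.0)           # one-epoch glitch, ignored
    return trace


if __name__ == "__main__":
    for t, state in monitor(constructed_trace()):
        print(f"t={t:3d}s  {state}")
```

    A receiver that reports these states to the application, rather than a bare loss of lock, provides the kind of situational awareness that a test-based certification could check.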

    Awareness is indeed needed to notify the application of the security and authentication state. GNSS authentication integrated in the system still lies far off.

    Not only is implementing authentication without compromising user cost and simplicity challenging, but the impact on the ground and space segment in GNSS to maintain legacy signals compatibility is also considerable.

    We believe that user-based authentication will be the Plan B for the next 5–10 years. This requires the development of receiver techniques and the use of security testbeds as the baseline for vulnerability assessment, in the same way the Nessus tool was used in the 1990s for computer network assessment.

    On the test approach, Logan Scott stresses that “Using a series of canned scenarios, GNSS receivers can be tested to determine how well they maintain situational awareness. Do well enough, and the receiver can be stamped as certified, much like an Underwriters Laboratory (UL) label. The test process can be automated and conducted by an independent third party, similar to the way cellular equipment is certified.

    “Additional certifications might include cyber security aspects such as accepting only digitally-signed software updates and maps, providing attestation capabilities, and use of authenticatable GNSS signals.

    “The benefit for the non-expert user community is that they have a basis for selecting GNSS receivers, secure in the knowledge that they meet minimum performance standards.”

    Testing, Testing

    Ringing in my third fellow expert, I asked Todd Humphreys, assistant professor in the Department of Aerospace Engineering at the University of Texas at Austin, for his opinion regarding the future of GNSS security testing.

    “A testbed capable of simulating realistic spoofing attacks is needed so that the efficacy of proposed civil GPS signal authentication techniques can be experimentally evaluated. A generic testbed capable of evaluating all known authentication techniques would be prohibitively expensive; for example, it would require a large anechoic chamber for evaluating receiver-autonomous antenna-oriented techniques. But if the scope of evaluation is limited to receiver-autonomous signal-processing-oriented techniques and networked techniques, then it is possible not only to develop an inexpensive testbed but to share the testbed’s data component so that the tests can be replicated in laboratories across the globe.

    “In October, we released the Texas Spoofing Test Battery (TEXBAT), a set of six high-fidelity digital recordings of live static and dynamic GPS L1 C/A spoofing tests conducted by the Radionavigation Laboratory of the University of Texas at Austin. National Instruments is hosting TEXBAT on cloud servers so that anyone can download it.

    “The battery can be considered the data component of an evolving standard meant to define the notion of spoof resistance for civil GPS receivers. According to this standard, successful detection of or imperviousness to all spoofing attacks in TEXBAT, or a future version thereof, could be considered sufficient to certify a civil GPS receiver as spoof-resistant.

    “This is a spoofing-specific version of the ‘not stupid’ certification that Logan Scott has suggested for GNSS receivers. In my July congressional testimony, I advocated requiring a ‘spoof resistance’ certification for GNSS devices that are used in critical infrastructure.”

    Looking into the Future

    Now I turn and attempt to answer the final question: Can we predict the future of civil GNSS security?

    I believe that we can predict that, unfortunately, attacks will increase, and new attacks will be discovered. For example, we have been talking about deception jammers (also known as intelligent, PRN, or gold code jammers) only in the last few years, as an emerging threat. We will see certification and standards for security in GNSS, and we expect them to come in the next five years. Tools for GNSS security testing are already available commercially, for example the Qascom GNSS Security testbed (GST). As ICT has CERT for notification of threat, we will also see the raising of a GNSS emergency response team — possibly called a GERT.

    In conclusion, whether my predictions turn out to be correct or not, the good news is that GNSS security also has a history in Hollywood’s annals: the 1997 James Bond movie Tomorrow Never Dies narrates a spoofing attack on the GPS navigation system of a submarine, performed via a GPS encoder that modifies the time.

    Again, 007 anticipated the future, and he did it 15 years before a handful of world renowned GNSS security experts.

    I have not yet seen the 2012 James Bond film Skyfall. I wonder what it portends?


    Oscar Pozzobon is the director and co-founder of Qascom S.r.l., based in Bassano del Grappa, Italy. He received a Masters degree in telecommunication engineering from the University of Queensland, Australia, and is the Italian contact for the Civil Global Positioning System Service Interface Committee (CGSIC).

  • Tip Line Encourages Public Participation in the Fight Against GPS Jammers

    Washington, D.C. — The Federal Communications Commission’s Enforcement Bureau today launched a dedicated jammer tip line – 1-855-55-NOJAM (or 1-855-556-6526) – to make it easier for the public to report the use or sale of illegal GPS, cell phone or other signal jammers. It is against the law for consumers to use, import, advertise, sell or ship a GPS or cell jammer or any other type of device that blocks, jams or interferes with authorized communications, whether on private or public property.

    The FCC asks people to call the toll-free Jammer Tip Line immediately if:

    • you are aware of the ongoing use of a cell, GPS, or other signal jammer;
    • your employer operates a jammer in your workplace;
    • you observe a jammer in operation at your school or college;
    • you observe an advertisement for a jammer at a local store; or
    • you observe a jammer being operated on your local bus, train or other mass transit system.

    “We need consumers to be our eyes and ears. Jammers do not just weed out noisy or annoying conversations and disable unwanted GPS tracking, they can prevent 9-1-1 and other emergency phone calls from getting through in a time of need,” Michele Ellison, chief of the Enforcement Bureau, said.

    Calls to the Jammer Tip Line will be handled by experienced Enforcement Bureau staff. Callers are encouraged to provide as much detail as possible, including the time and location of the incident, a description of the jamming device (if available), and the name and contact information of the individual or business using or selling the device.

    While callers may remain anonymous, the bureau urges callers to provide a contact phone number in case additional information is needed. “Every tip can make a difference,” Ellison said. “While our agents are actively pursuing these violations online and on the street, you can help. We encourage concerned parents, commuters, employees, and anyone else with credible information to tip us off. Working together, we can stop the spread of illegal jammers.”

    For more information, Frequently Asked Questions about cell, GPS, and Wi-Fi jammers are available at www.fcc.gov/jammers, or email [email protected].

  • ITT Exelis Announces New Capability in GPS Interference, Detection and Geolocation

    ITT Exelis has announced what it calls a significant development in the field of GPS technology. Exelis GPS Interference, Detection and Geolocation (IDG) will provide near real-time geolocation of intentional and unintentional GPS jamming sources through a network of sensors and advanced geolocation technology, the company announced at ION-GNSS, being held this week in Nashville, Tennessee.

    “From security to transportation and almost every sector of the economy, the world relies on receiving precise GPS timing and positioning data,” said Mark Pisani, vice president and general manager, Precision Instruments and Positioning, Navigation and Timing (PNT) Systems, ITT Exelis Geospatial Systems. “As GPS jamming devices become cheaper and more accessible, there is a greater need to protect military, commercial and industrial systems from a diverse range of threats. This technology is a major step forward in delivering actionable interference intelligence to an array of GPS users.”

    IDG technology is based upon a network of threat detection sensors that are networked to a centralized server running Exelis-developed geolocation algorithms. These sensors would be strategically located around high-risk areas, such as airports or utility grids, to instantaneously sense and triangulate the location of the jamming source. Should a threat be detected, users would receive pin-point geolocation information and actionable intelligence in order to respond.

    The Exelis solution would benefit a broad range of GPS customers and users. Jamming devices can send out signals capable of disrupting the synchronization of a utility power grid and creating significant infrastructure and economic damage. In each of these scenarios, IDG would detect, analyze and geolocate the hostile signal, sending the intelligence through a secure network in order for the user to mitigate the threat.

    Exelis payloads and payload components have been aboard every GPS satellite for almost 40 years. Today, Exelis is involved in developing and integrating the navigation payloads for GPS III. Exelis is also providing navigation processing components, precision monitor station receivers, and key components of the system security design for the GPS Operational Control System, also known as GPS OCX.

  • Drone Hack: Spoofing Attack Demonstration on a Civilian Unmanned Aerial Vehicle

    By Daniel Shepard, Jahshan A. Bhatti, and Todd E. Humphreys

    
    Unmanned aerial vehicle (UAV) used in the spoofing tests; owned by the University of Texas.

     A radio signal sent from a half-mile away deceived the GPS receiver of a UAV into thinking that it was rising straight up. In this way, the UAV’s dependence on civil GPS allowed the spoofer operator to force the UAV vertically downward in dramatic fashion as part of multiple capture demonstrations.

    In December 2011, Iran captured a U.S. Central Intelligence Agency (CIA) surveillance drone with only minor damage to the undercarriage of the drone, likely due to a rough landing when captured. An Iranian engineer claimed in an interview that “Iran managed to jam the drone’s communication links to American operators” causing the drone to shift into an autopilot mode that relies solely on GPS to guide itself back to its home base in Afghanistan. With the drone in this state, the Iranian engineer claimed that “Iran spoofed the drone’s GPS system with false coordinates, fooling it into thinking it was close to home and landing into Iran’s clutches.”

    Although the Iranian claims are highly questionable, this incident left many unanswered questions as to the security of GPS systems on unmanned aerial vehicles (UAVs). The CIA drone should have been guiding itself based on the encrypted military GPS signals, which would be incredibly difficult to spoof. However, some experts have conjectured that simultaneous jamming of the military signals and spoofing of the civilian signals might have worked if the drone had been programmed to fall back on the civilian GPS signals in the event that the military signals were jammed. This raises the question: How difficult would it be to spoof a UAV guiding itself based on civilian GPS signals?

    FAA Modernization Act

    In February of this year, Congress passed the FAA Modernization and Reform Act of 2012. According to the Library of Congress summary, this act “requires the Secretary [of Transportation] to develop a plan to accelerate safely the integration by September 30, 2015, of civil unmanned aircraft systems (UASes, or drones) into the national airspace system … [and] determine if certain drones may operate safely in the national airspace system before completion of the plan.”

    Such civilian UAVs would be primarily guided by civil GPS, which has been shown to be readily spoofable in the lab. This would create a significant potential hazard in the national airspace if the problem of civil GPS spoofing is not fixed. Thousands of civilian UAVs (operated by postal services, police departments, research institutions, and others) could populate the skies in only a few years while still being vulnerable to remote hijacking via GPS spoofing. The passing of the FAA Modernization Act further emphasizes the need to examine the vulnerability of UAVs to GPS spoofing.

    Test

    On invitation of the Department of Homeland Security (DHS), unclassified spoofing tests against a UAV were performed at White Sands Missile Range (WSMR) on June 19, 2012 during the DHS GYPSY test exercise. These tests demonstrated the capability of a spoofer, built by the University of Texas (UT) Radionavigation Lab, to commandeer a civilian UAV by influencing the position-velocity-time (PVT) solution of the UAV’s GPS receiver.

    The Spoofer. The civil GPS spoofer used for these tests is an advanced version of the spoofer reported in “Assessing the Spoofing Threat,” GPS World, January 2009. A schematic representation of the spoofer is shown in Figure 1. It is the only spoofer reported in open literature to date that is capable of precisely aligning the spreading codes and navigation data of its counterfeit signals with those of the authentic GPS signals. Such alignment capability allows the spoofer to carry out a sophisticated spoofing attack in which no obvious clues remain to suggest that an attack is underway.


    Figure 1. This spoofer is capable of precisely aligning the spreading code and navigation data of its counterfeit signals with GPS signals.

    The spoofer is implemented on a portable software-defined radio platform with a digital signal processor (DSP) at its core. This platform comprises:

    • A radio frequency (RF) front-end that down-mixes and digitizes GPS L1 and L2 frequencies
    • A DSP board that performs acquisition and tracking of GPS L1 C/A, calculates a navigation solution, predicts the L1 C/A databits, and produces a consistent set of up to 14 spoofed GPS L1 C/A signals with a user-controlled fictitious implied navigation and timing solution.
    • An RF back-end with a digital attenuator that converts the digital samples of the spoofed signals from the DSP to analog output at the GPS L1 frequency with a user-controlled broadcast power.
    • A single-board computer that handles communication between the spoofer and a remote computer over the Internet.

    The spoofer works by first acquiring and tracking GPS L1 C/A and L2C signals to obtain a navigation solution. It then enters its “feedback” mode, in which it produces a counterfeit, data-free feedback GPS signal that is summed with its own antenna input. The feedback signal is tracked by the spoofer and used to calibrate the delay between production of the digitized spoofed signal and output of the analog spoofed signal. This is necessary because the delay is non-deterministic on start-up of the receiver, although it stays constant thereafter.

    After feedback calibration is complete and enough time has elapsed to build up a navigation data bit library, the spoofer is ready to begin an attack. Initially, it produces signals that are aligned to within a few meters with the authentic signals at the location of the target antenna but have low enough power that they remain far below the target receiver’s noise floor. The spoofer then raises the power of the spoofed signals slightly above that of the authentic signals. At this point, the spoofer has taken control of the victim receiver’s tracking loops and can slowly lead the spoofed signals away from the authentic signals, carrying the receiver’s tracking loops with it. The target receiver can be considered completely captured when either of the following is true:

    • each spoofed signal has shifted by 2 µs relative to the authentic signals, or
    • each spoofed signal is at least 10 dB more powerful than the corresponding authentic signal.

    The latter option ensures that there is no significant interaction between authentic and spoofed signals by simultaneously jamming and spoofing.

    The UT spoofer and attack strategy have been tested against a wide variety of civil GPS receivers and have always been successful in commandeering the target receiver.

    Test UAV.  The spoofing tests targeted a University-of-Texas-owned Hornet Mini UAV supplied by Adaptive Flight, which is shown in the  opening photo. The Hornet Mini is roughly five feet long and weighs about 10 pounds when fully loaded. The Mini’s sophisticated avionics package loosely couples an altimeter, magnetometer, and a MEMS IMU package to a GPS receiver via an extended Kalman filter.

    The Hornet Mini is representative of UAVs used by law enforcement. Thus, the results of the spoofing tests with the Mini also apply to other similarly-designed UAVs, including those used in most civil applications, whose navigation systems are centered on civil GPS. It should be noted that no special alterations were made to the Hornet Mini for this test – it was in its “as sold” or “stock” configuration.

    Setup. A schematic of the setup used for the spoofing tests against the civil UAV at WSMR appears in Figure 2. The spoofer was located on a hilltop with the receive antenna on the far side of the hilltop from the transmit antenna as shown in Figure 3. The UAV site was located in a sandy basin approximately 620 meters from the transmit antenna.


    Figure 2. Schematic of the test setup.


    Figure 3. Aerial view of the test site showing the spoofer location on a hilltop and the UAV site 0.62 kilometers away.

    Procedure. The UAV was commanded by its ground controller to hover approximately 60 feet above ground level at the UAV site. After the initial ground control command was sent, the UAV maintained its hovering position automatically based on the navigation solution of its extended Kalman filter, which is based in part on GPS. At this point in the test procedure, the spoofed signals were not being broadcast: the UAV was only under the influence of the authentic GPS signals.

    The spoofer was then commanded to begin transmitting spoofed signals. To ensure seamless capture of the UAV’s GPS unit, the code phases of the spoofed signals were aligned to within meters of the authentic signals at the location of the UAV’s GPS antenna. The spoofed signals overpowered their authentic counterparts and instantly captured the tracking loops within the UAV’s GPS receiver.

    Immediately after capture, the spoofer induced a false velocity and corresponding position change in the UAV’s GPS receiver, drawing the position reported by the UAV’s extended Kalman filter away from the UAV’s commanded hover position. To compensate, the UAV’s flight controller responded by moving in the opposite direction. A safety pilot was on hand to prevent the UAV from drifting out of control.  This was necessary because by commandeering the UAV’s GPS receiver, the spoofer operator effectively breaks the UAV autopilot’s feedback control loop. The spoofer operator must now act as an operator-in-the-loop, which requires real-time, meter-level knowledge of the UAV’s true location.

    Results. Between the tests at WSMR and UT, the spoofer demonstrated short-term 3-dimensional control of the UAV. Thus, we conclude that it is indeed possible to hijack a civil UAV — in this case, a fairly sophisticated one — by civil GPS spoofing.

    Interestingly, the Hornet Mini relies only on its altimeter for direct measurements of its vertical position; the GPS-measured vertical position is ignored. This can be done with reasonable accuracy because of the Hornet Mini’s short flight endurance (~20 minutes). However, the GPS vertical velocity does affect the extended Kalman filter’s vertical coordinate estimate because the filter propagates GPS velocity measurements through a UAV dynamics model to form an a priori vertical estimate that gets updated with the altimeter measurements. This dependence on GPS velocity allowed the spoofer operator to force the UAV vertically downward in dramatic fashion in the final three capture demonstrations.
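    Because the altimeter and the GPS vertical velocity both feed the vertical estimate, a defender can cross-check one against the other. The following is an added example, not part of the article and not the Hornet Mini's filter, which the article does not show: the function names, window length, alarm limit and flight data are constructed assumptions.

```python
def windowed_discrepancy(alt_m, gps_vz_mps, dt, window):
    """Altimeter height change over a sliding window minus the GPS vertical
    velocity integrated over the same samples, in metres (up is positive).

    With honest sensors the two agree to within noise; a GPS velocity that
    does not match the vehicle's real motion makes the difference grow.
    """
    out = []
    for i in range(window, len(alt_m)):
        d_alt = alt_m[i] - alt_m[i - window]
        d_gps = sum(gps_vz_mps[i - window + 1:i + 1]) * dt
        out.append((i, d_alt - d_gps))
    return out


def first_alarm(alt_m, gps_vz_mps, dt=0.5, window=10, limit_m=1.5):
    """Time in seconds of the first window whose discrepancy exceeds limit_m,
    or None if the sensors stay consistent. limit_m is an assumed value that
    sits well above the constructed sensor noise."""
    for i, d in windowed_discrepancy(alt_m, gps_vz_mps, dt, window):
        if abs(d) > limit_m:
            return i * dt
    return None


def constructed_flight(spoofed, dt=0.5, n=120):
    """Constructed 60 s flight sampled at 2 Hz (illustrative values only).

    0-10 s   hover at 18.3 m (about 60 ft)
    10-20 s  commanded climb at 0.5 m/s, seen by both sensors
    20-40 s  hover
    40-60 s  if spoofed: the receiver reports a 0.5 m/s climb while the
             vehicle, compensating, actually descends at 0.4 m/s
    """
    alt_m, gps_vz = [], []
    true_alt = 18.3
    for i in range(n):
        t = i * dt
        if 10.0 <= t < 20.0:
            true_vz, reported_vz = 0.5, 0.5
        elif spoofed and t >= 40.0:
            true_vz, reported_vz = -0.4, 0.5
        else:
            true_vz, reported_vz = 0.0, 0.0
        true_alt += true_vz * dt
        # Small deterministic ripple stands in for sensor noise.
        alt_m.append(true_alt + 0.05 * ((i % 4) - 1.5))
        gps_vz.append(reported_vz + 0.02 * ((i % 3) - 1))
    return alt_m, gps_vz


if __name__ == "__main__":
    for label, spoofed in (("clean flight", False), ("spoofed flight", True)):
        alt_m, gps_vz = constructed_flight(spoofed)
        print(label, "-> first alarm at", first_alarm(alt_m, gps_vz), "s")
```

    The genuine climb between 10 s and 20 s raises no alarm because both sensors report it, whereas the constructed spoofed segment is flagged within two seconds of onset.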

    Developing a full spoofer-based control system for a UAV is a difficult problem that, in addition to the requirement for real-time true position feedback, requires the spoofer to model the UAV’s feedback control behavior and to estimate the UAV’s desired path. Causing a UAV to spin out of control and crash is not difficult with a spoofer, but fine-grained control certainly is.

    Implications

    These tests have demonstrated that civilian UAVs will be vulnerable to control by malefactors with a civil GPS spoofer looking to hijack or crash these UAVs unless their vulnerability to GPS spoofing is addressed. There are several reasons why someone may want to spoof a drone, including fear of drones invading people’s privacy. This vulnerability poses a significant safety concern that could result in mid-air collisions with other aerial vehicles or buildings, not to mention loss of property.

    Constructing from scratch a sophisticated GPS spoofer like the one developed by UT is not easy, nor is it within the capability of the average anonymous hacker. It is orders of magnitude harder than developing a GNSS jammer. Nonetheless, the trend toward software-defined GNSS receivers for research and development, where receiver functionality is defined entirely in software downstream of the A/D converter, has significantly lowered the bar to spoofer development in recent years.

    As a point of reference, we estimate that there are more than 100 researchers in universities around the globe who are well-enough versed in software-defined GPS that they could develop a sophisticated spoofer from scratch with a year of dedicated effort. More worrisome is the fact that one does not have to build a sophisticated spoofer like ours, capable of aligning its signals precisely with authentic signals at the location of a chosen target, to spoof a civil GPS receiver. A low-cost off-the-shelf GPS signal simulator would not permit the kind of seamless attack we carried out, but would be adequate to confuse and disrupt the navigation system of a commercial UAV.

    Fixing the Problem

    There is no quick, easy, and cheap fix for the civil GPS spoofing problem. Moreover, not even the most effective GPS spoofing defenses are foolproof. Nonetheless, there are many possible remedies that would vastly improve civil GPS security. These defenses can be divided into two categories: cryptographic and non-cryptographic defenses.

    Cryptographic defenses come primarily in two forms, spread-spectrum security codes (SSSC) and navigation message authentication (NMA), depending on whether the unpredictable digital signature is placed on the spread-spectrum code or the navigation data. These cryptographic signatures could be placed on WAAS signals or existing or future GPS signals to provide authentication of the source of the WAAS or GPS signals. A cryptographic defense implemented with appropriate checks to protect against certain variants of spoofing attacks, described in “Straight Talk on Anti-Spoofing,” GPS World, January 2012, would significantly raise the bar for a would-be spoofer. Several proposals for cryptographic methods are currently on the table, including a proposal by Logan Scott to place SSSC signatures on GPS L1C signals that will be broadcast by GPS Block III satellites. However, the current proposals for civil GPS cryptographic authentication schemes are still at least several years away from implementation and have a 5-minute window between authentications of each individual GPS signal. These proposals have so far made no progress toward implementation because of a lack of dedicated funds for development and implementation.

    There are also a number of promising non-cryptographic techniques for civil GPS spoofing detection, including jamming-to-noise power detectors (J/N meters), correlation profile anomaly defenses, and antenna-based defenses. J/N meters are simple and easy to implement, and would prevent a spoofer from simultaneously jamming and spoofing. However, a J/N sensor will not typically detect a spoofing attack in which the spoofed signals are only slightly more powerful than their authentic counterparts. The inclusion of a J/N meter does ensure that the authentic signals will also be visible as a corruption to the correlation curve during a spoofing attack, due to the difficulty of nulling out the authentic signal. This makes correlation profile anomaly defenses viable. However, these methods suffer from the difficulty of distinguishing multipath effects from a spoofing attack, particularly in mobile receivers. Antenna-based defenses also present an attractive option for anti-spoofing, but most of these methods require additional hardware (multiple antennas) and cost. One promising new antenna-based defense that does not require multiple antennas is currently under development at Cornell University. This defense involves an extension of the signal spatial correlation technique developed by the University of Calgary PLAN group. However, this technique is still under development, and receivers implementing this technique would likely be several times more expensive than current receivers.
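    To make the correlation profile idea concrete, here is an added example (not from the article or the cited research groups) that measures how lopsided the correlation curve becomes when a second copy of the signal overlaps the tracked peak. It assumes an ideal noise-free triangular autocorrelation, carrier phases aligned, and constructed amplitudes and delays; the symmetric-difference metric and its threshold are one illustrative choice.

```python
def tri(tau):
    """Ideal code autocorrelation: unit triangle one chip wide each side."""
    return max(0.0, 1.0 - abs(tau))


def composite(tau, amp, delay):
    """Authentic peak at 0 plus one in-phase replica (amp, delay in chips)."""
    return tri(tau) + amp * tri(tau - delay)


def lock_point(amp, delay, narrow=0.05):
    """Code phase where a narrow early-late discriminator reads zero."""
    lo, hi = -0.5, 1.0
    for _ in range(60):                      # bisection on late minus early
        mid = 0.5 * (lo + hi)
        diff = (composite(mid + narrow, amp, delay)
                - composite(mid - narrow, amp, delay))
        if diff > 0.0:
            lo = mid                         # still on the rising side
        else:
            hi = mid
    return 0.5 * (lo + hi)


def asymmetry(amp, delay, wide=0.5):
    """Wide-spacing symmetric difference, normalized by the prompt tap."""
    t0 = lock_point(amp, delay)
    late = composite(t0 + wide, amp, delay)
    early = composite(t0 - wide, amp, delay)
    return (late - early) / composite(t0, amp, delay)


def distorted(amp, delay, limit=0.05):
    """True when the correlation profile is lopsided beyond `limit`."""
    return abs(asymmetry(amp, delay)) > limit
```

    A clean peak (`amp=0`) passes, a slightly stronger overlapping copy (`amp=1.2`) is flagged, and so is a weaker delayed copy (`amp=0.5`) of the kind multipath produces, which is the ambiguity noted above.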

    For details on potential spoofing defenses, see Todd Humphreys’ congressional testimony in “The System.”

    Recommendations

    We recommend that for non-recreational operation in the national airspace, civil UAVs exceeding 18 pounds be required to employ navigation systems that are spoof-resistant. Spoof resistance will be defined through a series of four canned attack scenarios that can be recreated in a laboratory setting. A navigation system is declared spoof-resistant if, for each attack scenario, the system is either unaffected by or able to detect the spoofing attack. Spoofing detection combined with an appropriate GPS-denied mode for the UAV to fall back on will significantly increase the difficulty of mounting a successful spoofing attack.

    Additionally, civil GPS receivers in many critical infrastructures (communications networks, financial trade centers, and the power grid) are also vulnerable to civil GPS spoofing. These critical infrastructures primarily rely on GPS for timing, which is also susceptible to manipulation with varying consequences depending on the application. A discussion of power grid vulnerabilities to GPS spoofing is given in “Going Up Against Time” in this issue of the magazine on page 34. We also recommend that GPS-based timing or navigation systems having a non-trivial role in systems designated by DHS as national critical infrastructure be required to be spoof-resistant.

    Finally, we recommend that funding be committed for development and implementation of a cryptographic authentication signature in one of the existing or forthcoming civil GPS signals. The signature should at minimum take the form of a digital signature interleaved into the navigation message stream of the WAAS signals. A better plan would be to interleave the signature into the CNAV or CNAV2 GPS navigation message stream. The best plan for implementing a cryptographic authentication signature would be to implement the signature as an SSSC interleaved into the spreading code of the L1C data channel. Inclusion of a cryptographic signature would greatly aid manufacturers in developing receivers that are spoof-resistant.

    Manufacturers

    The Hornet Mini UAV carries a µ-blox GPS receiver.


    Daniel P. Shepard is pursuing M.S. and Ph.D. degrees in aerospace engineering at the University of Texas (UT) at Austin. He is a member of the Radionavigation Laboratory.

    Jahshan A. Bhatti is pursuing a Ph.D. in aerospace engineering and engineering mechanics at UT and is a member of the Radionavigation Laboratory.

    Todd E. Humphreys is an assistant professor of aerospace engineering and engineering mechanics at UT and director of the Radionavigation Laboratory. He received a Ph.D. in aerospace engineering from Cornell University.

     

  • Polaris Wireless Announces Contract in Europe-Middle East-Africa (EMEA) Region

    Polaris Wireless, maker of high-accuracy, software-based wireless location solutions, today announced a significant customer contract for a multi-million dollar deployment of the Polaris Wireless Altus and OmniLocate location surveillance product suite in the Europe-Middle East-Africa (EMEA) region. Polaris Wireless said it could not disclose the customer’s name at this time.

    The deal represents a major increase in Polaris Wireless business, and is the 14th deployment of the Polaris Wireless high-accuracy wireless location surveillance solution outside the U.S. and 38th globally. Polaris Wireless high-accuracy location solutions are a tool used to combat crime and terrorism, and have been extensively deployed since 2003 for public safety applications in the U.S. market.

    “We are very pleased to have achieved such a significant company milestone for high-accuracy wireless location surveillance solutions,” said Manlio Allegra, Polaris Wireless CEO and co-founder. “Our momentum is directly attributed to our unmatched ability to consistently deliver a 2G/3G-compatible (and very soon 4G) high-accuracy, highly-scalable, software-based location solution for public safety and surveillance.”

    The Polaris Wireless Altus application suite is a software-based surveillance solution that enables accurate mass location — providing users the ability to simultaneously locate all subscribers in a wireless network in real time and on a historical basis. This unique capability enables functions, such as target identification, tracking via geo-fence, and post-event analytics, which are vital to the anti-crime and anti-terrorism surveillance efforts of Polaris Wireless customers around the world, the company said.

    “This deal has contributed to the highest revenue-earning year in Polaris Wireless history,” continued Allegra. “We are exploring several additional opportunities in the international marketplace, and plan to increase our workforce in order to meet the growing demand.”

    To maximize its accuracy location performance, the Altus application suite is being deployed with the OmniLocate platform powered by Polaris Wireless Location Signatures (WLS), a software-based location method for dense urban and indoor environments. Polaris WLS is capable of locating a wireless device to within 40 meters for the majority of the calls and helps customers avoid the costly and time-consuming deployment and maintenance associated with hardware-based location solutions, the company said.