Submitted version of: J. Rossouw van der Merwe, Xabier Zubizarreta, Ivana Lukčin, Alexander Rügamer and Wolfgang Felber, “Classification of Spoofing Attack Types,” European Navigation Conference (ENC) 2018, submitted on October 2017, accepted on May 2018.
© May 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Classification of Spoofing Attack Types
J. Rossouw van der Merwe, Xabier Zubizarreta, Ivana Lukčin, Alexander Rügamer and Wolfgang Felber
Fraunhofer IIS
Nuremberg, Germany
johannes.roussouw.vandermerwe@iis.fraunhofer.de
Abstract— All spoofer attacks have different requirements, impacts, success rates and objectives; therefore, to assess the threat and to develop appropriate counter measures, a clear classification is needed. Being aware of the different existing types of threats allows an improved design of preventative measures to counter these attacks. This paper classifies spoofer attacks with a layered model. This allows assessing the risks and strategies of operational spoofers with the goal of prevention. The layered model consists of the deployment architectures, the take-over strategy, the control strategy and the application. The paper expands the strategies to manipulate a position of a receiver, highlights operational difficulties and suitable counter measures. This emphasises that even if a signal is successfully spoofed, controlling a target receiver is not trivial. Additionally, the most probable spoofing attacks are presented and the applicable anti-spoofing methods are outlined.
Index Terms—Spoofing, global navigation satellite system (GNSS), receiver design, receiver hardening, preventative engineering.
I. INTRODUCTION
A spoofer falsifies global navigation satellite system (GNSS) signals to attack a receiver, thereby altering the receiver position, velocity, and time (PVT) solution [1], [2]. Spoofing is illegal, as it interferes with the primary user of the spectrum; hence an attack is associated with criminal or military activity. The spoofer transmits in the electromagnetic spectrum (EMS); therefore, it is an electronic warfare (EW) attack on the receiver [3]. Further, if the spoofer influences the receiver’s PVT, then it is also an information warfare (IW) attack, as unauthorised access to the receiver hardware is achieved.
The spoofing goal may be to remove the navigation reliability in a restricted area (denial of service), or to manipulate the perceived location of the receiver (decoy). In both cases, the receiver developer would like to detect the spoofing attack, and (if it is possible) counter the attack to maintain navigation capability and integrity. The literature focuses on these anti-spoofing methods [2], [4]–[6]. However, there are limited publications on the spoofing attack types. In order to develop directed and applicable anti-spoofing methods, the spoofing threat and capabilities should first be understood. This follows the principle of adaptive engineering [7]: it is a professional obligation to pro-actively assess, reflect upon and address a larger problem for the welfare of society. The two key stages of this approach are to assess and reflect upon the challenges, before directed and effective solutions can be obtained.
This paper places the spoofing threat into context, such that directed anti-spoofing methods can be selected via Pareto analysis in receiver design [8]. Pareto analysis focuses on the most significant issues first, to eliminate the majority of problems efficiently. The more the threat is understood, the better applicable preventative methods can be developed, according to the principles of adaptive engineering. To empower that, spoofing from an attack point of view is discussed. From this perspective, it enables understanding what the natural limits are and highlights which counter methods are required. Spoofing attack types, methods and strategies have different performances, requirements, countering potentials and success rates. However, all these attacks are often grouped together when discussed — resulting in confusion when addressing the topic of spoofing. This is most evident in the media exaggeration that a vehicle can be completely controlled [9], [10].
Fig. 1. Spoofing classification layers (from the base upwards): Deployment architectures (single Tx, multiple Tx); Take-over strategy (asynchronous, synchronous); Control strategy (position attack, auto-pilot control, timing attack); Application (interface spoof, GNSS bypass). The lower three layers are RF based; the application layer is interface based.
A holistic approach is taken, from the equipment selection all the way through to the strategic advantages of a falsified PVT solution. The spoofing attacks are classified into four layers (similar to the open systems interconnection (OSI) model), as illustrated in Fig. 1.
At the base, the deployment of the transmitters for the spoofing attack is considered. This includes how many transmitters are used and where they are spatially deployed. The second level is the take-over strategy, i.e. how the spoofer can force a receiver to lock onto the fake signal. This is also called the take-over. Once a receiver is captured (level three), the strategic goal of the spoofer determines how the PVT solution will be manipulated, i.e. the control strategy. These three layers are connected as they form part of the design for a radio frequency (RF) based attack. To simplify the interaction between these three levels, the following three questions are raised: “Where does the attacker install the antennas?”, “How does the attacker intend to capture the receiver?”, and “What does the attacker intend to do if successful?”. If the final system can be spoofed without transmitting a signal (i.e. the GNSS module is bypassed or falsified), an application level spoofer is used (level four).
The contribution of this paper is twofold. First, classification of spoofer attacks through a layered model (as presented by Fig. 1) is used to place current spoofing attack types, within the literature, into context. Second, the theory behind the control strategies is expanded, including the differences between position attacks and attacks which aim to control an autonomous system.
Different single- and multi-transmitter deployment strategies are discussed in Section II. The signal generation required for take-over and control of a spoofer is examined in Section III. Assuming a successful take-over of a receiver, the manipulation of the position and auto-pilot based attacks are assessed in Section IV. Attacks based on timing are discussed in Section V. Network and application level attacks are assessed in Section VI.
II. DEPLOYMENT ARCHITECTURES
The operational deployment of a spoofer in the field determines the spatial performance of the spoofer and the spatial mitigation capability of a receiver. As a spoofer transmits an electromagnetic (EM) signal, all receivers which operate in the spectrum of the same geographical region will be affected¹. If a single target is required to be spoofed, then highly directional antennas should be used to limit unnecessary spatial interference in other directions. If a larger area around the spoofer should be affected, then omni-directional antennas can be considered. However, it should be kept in mind that a larger area can unnecessarily be affected. The terrain should also be considered when selecting the deployment locations.
GNSS signals have low reception power (approximately -155 dBW) due to the high propagation losses from the satellites to the earth; hence, a spoofer does not require much transmission power. A good strategy is to transmit the minimum necessary power to achieve operational success, as this naturally limits the area of effect (AOE). Through the use of multiple synchronised spoofers, the transmission power can also be reduced, because multiple signals can constructively interfere to create a stronger signal at specific areas.
¹ Transmitting a signal in spectrum which is not allocated to the user is illegal. Before deploying any system, adequate permission from the local governing authority is required. Using a spoofer in the GNSS frequency bands is, unless permission is granted, illegal, and therefore not encouraged by the authors.
The physical deployment strategies of a spoofer system are shown in Fig. 2: red crosses represent locations of spoofers; red arrows are the transmission of the spoofing signals; the location of the target receiver is marked with a green cross; the actual GNSS signals are shown with blue arrows; and links between spoofers are shown with purple ones.
Fig. 2. Comparison of physical configuration for spoofing attacks: (a) cable inject (into the receiver antenna port), (b) meaconer attack, (c) single transmitter, (d) time-synchronised single transmitter, (e) node-synchronised multiple transmitter (sync link between nodes), (f) GNSS-time-synchronised multiple transmitter. Legend: receiver, spoofer, meaconer, satellite signal.
The method requiring the least hardware is a cable inject [5], as shown in Fig. 2(a). In this case, the spoofer does not require a signal to be transmitted, as the signal is combined with the receiver hardware. This is a common occurrence for a cooperative spoofing attack, where the attacker chooses to manipulate his own hardware. Such an attack occurs when a spoofer is intended to misreport or camouflage the location of a vehicle or a vessel.
Conceptually, the simplest spoofing attack is a meaconer (Fig. 2(b)). A meaconer simply re-transmits received GNSS signals. Therefore, the receiver PVT will be equal to the transmitter PVT, with an added time delay. Such an attack is simple, cheap and requires only a re-transmission of the GNSS signals. An inherent property of a meaconer is that even encrypted GNSS signals can be affected, and all receiver effects will be captured in the spoofing signal. The shortcoming is that there is limited manipulation capability of the victim receiver’s PVT, since the only manipulation opportunity is to physically move the meaconer to the desired PVT. Further, the time delay can result in a receiver detecting the spoofed signal. This is due to the time divergence from the trusted time, or the fact that there are multipath components before the main peak: the line of sight (LOS) signal is always the first received signal and all multipath signals should come after a time-delay. As a meaconer has to receive and transmit, some coupling and self-interference issues exist, resulting in practical deployment challenges. An advanced meaconer can use an array of antennas, to isolate different satellites spatially, and then replay the signals with different delays. This allows the PVT to be altered and changed — in principle, even for encrypted signals.
A single transmitter is the simplest non-repeating spoofer deployment (Fig. 2(c)), as limited hardware and synchronisation is required. The spoofer can do a time-synchronisation to the GNSS signal (Fig. 2(d)), to improve certain spoofing attacks, like a synchronous take-over. This will be discussed in more detail in Section III.
A limiting factor of a single spoofer is that all signals have the same angle of arrival (AOA). Therefore, the receiver can use spatial filtering, like null-steering, to remove the spoofed signals. This spoofing can also be detected by monitoring the carrier-phase in a moving receiver, as all signals will behave in the same manner [11]. The receiver can also detect a spoofer by estimating the AOAs through direction finding (DF) techniques. The GNSS satellites tend to be scattered, and will have different AOAs; as opposed to the spoofing signals, where all will have the same AOAs. The drawback for the receiver is that either a moving antenna, multiple antennas or an integrated navigation system (INS) is required — in all cases the cost and complexity of the receiver increases.
Multiple transmitters potentially alter the AOAs of the spoofed signals (Fig. 2(e) and 2(f)). Usually, the more transmitters there are, the more precisely the AOAs can be altered. As the GNSS signals originate from any positive elevation angle, a three dimensional (3-D) transmitter deployment scheme would be required to fully deceive a receiver.
The transmitter nodes could be synchronised such that the PVT solution of the receiver can be manipulated. The simplest method to achieve this would be to have one master node (transmitter) that time-synchronises the other (slave) nodes (Fig. 2(e)). This is often impractical as the transmitters should be connected via some medium, whether it is a cable, radio or optical link. The cost of the infrastructure and calibration is challenging in such systems. An elegant solution would be to use GNSS timing to synchronise the nodes (Fig. 2(f)); however, some interference is expected as each node requires a transmitter and a receiver.
If the transmitters surround the target, the transmission beams may constructively interfere at a single location, thereby achieving surgical spoofing². As a consequence, lower transmission power is required; therefore, the AOE is reduced. This requires a high level of synchronisation (taking into account the receiver’s carrier-phases) and accurate target tracking to function, making it improbable. Given the fact that a receiver may have spatial filtering capabilities, this method is less effective against a high performance receiver.
III. SIGNAL GENERATION
This section discusses the different spoofing attacks from a signal design perspective. To achieve spoofing, a signal which is similar to the expected GNSS signals would be generated. A GNSS signal has three levels which are vulnerable to spoofing [2]:
1) Signal processing level: The specifications related to the signal polarisation, modulation type, carrier frequency, signal bandwidth, pseudo random noise (PRN) sequences, reception power and Doppler frequency-range are published for most GNSS signals. A spoofer has to replicate these specifications in order to capture a receiver.
2) Data bit level: The data bits of the navigation message follow a defined frame-structure. This structure is also published for most GNSS signals. The navigation message contains the almanac, satellite ephemeris, telemetry information, time and authentication keys (if any). Authentication methods at this level have been suggested, as means to verify that the received message originates from a licit service provider [12]. The navigation message could be implemented by the spoofer such that the receiver would trust the signal. Further, the navigation message provides the necessary information to compute the PVT solution.
3) Navigation and position solution level: The pseudoranges of the associated satellite could be manipulated by altering the time-offsets of a signal. Consequently the PVT of the receiver would also be manipulated. If the resultant PVT is not valid, then the spoofer can be detected. Therefore, a spoofer could adequately alter the pseudoranges for the desired PVT.
The more thorough and realistic the spoofing signal is generated, the higher the likelihood is that the spoofing attack will be successful and that the spoofer will be trusted. Inversely, to detect a spoofer signal, all of these layers should be checked.
Here are some examples of what can be checked:
- Are the signals received at an abnormally high power?
- Are different signals from the same system received (e.g. are L1 C/A and L2-C receivable)?
- Are the bandwidth and centre frequencies of the signals as expected?
- Do the signals have similar Doppler and carrier-phase movements?
- Is there a sudden jump in the time?
- Are all signals with the correct bandwidths present in the spectrum?
- Is some information of the navigation message missing?
- Are atmospheric effects present between two frequency bands?
- Did the almanac and satellite ephemeris information suddenly change from previously stored values?
- Does the navigation message differ from any assistance data?
- Does the PVT solution suddenly jump or move irrationally?
- If the system uses authentication keys: are they authentic?
² Surgical spoofing is similar to surgical jamming, where only a limited (small) geographical area within a larger space is affected by the attack. It is based on the interference between signals, but is not easy to achieve in a real-world scenario.
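Four of the checks above (abnormal power, a common Doppler shared by all signals, a clock jump and implausible motion), written as receiver-side consistency tests over constructed epoch records. This is an added example and not code from the paper; the epoch layout, the thresholds and the sample data are assumptions chosen for illustration.

```python
"""Receiver-side consistency checks for several of the spoofing indicators
listed above. Added example, not code from the paper: the epoch record layout,
the thresholds and the sample data are assumptions constructed for illustration."""
from dataclasses import dataclass
from math import radians, sin, cos, sqrt, atan2
from statistics import mean, pstdev

MAX_CN0_DBHZ = 50.0        # assumed: open-sky GPS L1 C/A rarely exceeds ~50 dB-Hz
MAX_SPEED_MPS = 60.0       # assumed platform limit, e.g. a road vehicle
MAX_CLOCK_DRIFT = 1e-6     # assumed: tolerated clock-bias change, in s per s
COMMON_DOPPLER_HZ = 2.0    # assumed: residual spread below this looks like one transmitter


@dataclass
class SatObs:
    prn: int
    cn0_dbhz: float
    doppler_hz: float            # measured by the tracking loop
    predicted_doppler_hz: float  # receiver's own prediction from ephemeris and last PVT


@dataclass
class Epoch:
    t: float            # receiver time in seconds
    lat_deg: float
    lon_deg: float
    clock_bias_s: float
    sats: list


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon pairs (spherical earth)."""
    r = 6371000.0
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * r * atan2(sqrt(a), sqrt(1 - a))


def check_epoch(prev, cur):
    """Return the names of the indicators that fire for `cur`, given the previous epoch."""
    flags = []
    # "Are the signals received at an abnormally high power?"
    if cur.sats and all(s.cn0_dbhz > MAX_CN0_DBHZ for s in cur.sats):
        flags.append("high_power")
    # "Do the signals have similar Doppler movements?" One transmitter imparts the
    # same Doppler to every PRN, so the residuals against the per-satellite
    # prediction cluster tightly around a single non-zero value.
    resid = [s.doppler_hz - s.predicted_doppler_hz for s in cur.sats]
    if (len(resid) >= 4 and pstdev(resid) < COMMON_DOPPLER_HZ
            and abs(mean(resid)) > COMMON_DOPPLER_HZ):
        flags.append("common_doppler")
    if prev is not None and cur.t > prev.t:
        dt = cur.t - prev.t
        # "Is there a sudden jump in the time?"
        if abs(cur.clock_bias_s - prev.clock_bias_s) > MAX_CLOCK_DRIFT * dt:
            flags.append("clock_jump")
        # "Does the PVT solution suddenly jump or move irrationally?"
        dist = haversine_m(prev.lat_deg, prev.lon_deg, cur.lat_deg, cur.lon_deg)
        if dist / dt > MAX_SPEED_MPS:
            flags.append("implausible_motion")
    return flags


def _sats(cn0, residuals):
    """Constructed observations: four PRNs with distinct ephemeris-predicted Dopplers."""
    predicted = {3: -1200.0, 7: 850.0, 14: -300.0, 22: 2100.0}
    return [SatObs(p, cn0, pd + r, pd) for (p, pd), r in zip(predicted.items(), residuals)]


# Constructed nominal track: a vehicle moving at about 13 m/s with a quiet clock.
NOMINAL = [
    Epoch(0.0, 49.4521, 11.0767, 1.0e-4, _sats(44.0, [0.3, -0.4, 0.1, 0.2])),
    Epoch(1.0, 49.4522, 11.0768, 1.0e-4 + 2e-7, _sats(44.5, [-0.2, 0.3, 0.0, -0.1])),
]
# Constructed asynchronous take-over: every PRN arrives strong, all share one
# Doppler offset, the clock bias steps and the fix jumps about 1.7 km in 1 s.
SPOOFED = Epoch(2.0, 49.4650, 11.0900, 1.0e-4 + 5e-6, _sats(56.0, [40.0] * 4))

if __name__ == "__main__":
    prev = None
    for ep in NOMINAL + [SPOOFED]:
        print(ep.t, check_epoch(prev, ep))
        prev = ep
```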
If a receiver is capable of using multiple signals or multiple frequency bands, then all of the applicable signals are required to be spoofed to ensure a take-over. If only a subset of the signals are spoofed, then the receiver can receive contrasting pseudoranges which result in an ambiguous PVT solution — in many cases the receiver is unable to generate a PVT.
Signal design is the first line of defence against a spoofer, and is considered a preventative measure. The use of encrypted signals (e.g. GPS M-Code or Galileo public regulated service (PRS)) [13], or signal authentication methods such as navigation message authentication (NMA) [14], are strong ways to validate the received signal. Adding unpredictable features, making the navigation messages non-deterministic, further complicates the spoofer design.
One-way keychain based NMA schemes, such as Timed Efficient Stream Loss-tolerant Authentication (TESLA), have the highest acceptance and solve the issue of NMA [15]. With a planned start in 2019, TESLA based Open Service Navigation Message Authentication (OS-NMA) is to be broadcast as a part of the Galileo satellite navigation system’s integrity navigation message (INAV), thereby providing message level authentication to a broad user segment. The implementation of the OS-NMA does not require any hardware modifications as it is a purely message-level protocol. Therefore, it could be implemented in most GNSS receivers with minimal software or firmware updates [16]. NMA is a strong spoofing counter measure and should be considered for receiver design.
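The one-way keychain mechanism behind TESLA-based NMA, as an added example (not the paper’s code and not the OS-NMA message format): keys are committed through a hash chain, each message carries a MAC under a key that is only disclosed later, and the receiver accepts a message only if it arrived before its key could have become public. Interval length, disclosure delay, truncated key and MAC sizes and the chain root are assumptions.

```python
"""Simplified TESLA-style navigation message authentication. Added example, not
the paper's code and not the OS-NMA format; INTERVAL_S, DELAY, KEY_BYTES,
MAC_BYTES and the chain root used in run_demo are assumptions."""
import hashlib
import hmac

INTERVAL_S = 30.0   # assumed length of one authentication interval
DELAY = 1           # assumed: K_i is disclosed during interval i + DELAY
KEY_BYTES = 16      # assumed truncated key size
MAC_BYTES = 10      # assumed truncated MAC size


def next_key(key):
    """One-way step of the chain: K_i = H(K_{i+1})."""
    return hashlib.sha256(key).digest()[:KEY_BYTES]


def build_chain(root, n):
    """keys[n] is the provider's secret chain root; keys[0] is the public anchor."""
    keys = [b""] * (n + 1)
    keys[n] = root
    for i in range(n - 1, -1, -1):
        keys[i] = next_key(keys[i + 1])
    return keys


def make_mac(key, interval, message):
    return hmac.new(key, interval.to_bytes(4, "big") + message,
                    hashlib.sha256).digest()[:MAC_BYTES]


class Sender:
    def __init__(self, keys):
        self.keys = keys

    def broadcast(self, interval, message):
        """Emit (interval, message, MAC under K_interval, disclosed K_{interval-DELAY})."""
        mac = make_mac(self.keys[interval], interval, message)
        disclosed = self.keys[interval - DELAY] if interval >= DELAY else None
        return interval, message, mac, disclosed


class Receiver:
    def __init__(self, anchor_key, t0):
        self.anchor_key, self.anchor_idx = anchor_key, 0  # last key proven to be on the chain
        self.t0, self.pending = t0, {}

    def disclosure_time(self, interval):
        return self.t0 + (interval + DELAY) * INTERVAL_S

    def receive(self, t, interval, message, mac, disclosed):
        """Buffer the message only if it arrived before K_interval could be public
        (the TESLA security condition); verify buffered messages once their key is
        disclosed and proven to hash back to the anchor. Returns verified intervals."""
        if t < self.disclosure_time(interval):
            self.pending[interval] = (message, mac)
        # otherwise anyone holding the disclosed key could have made the MAC: drop it
        verified = []
        if disclosed is None:
            return verified
        idx = interval - DELAY
        if idx <= self.anchor_idx:
            return verified          # replayed or stale key
        k = disclosed
        for _ in range(idx - self.anchor_idx):
            k = next_key(k)
        if k != self.anchor_key:
            return verified          # not on the committed chain: discard
        self.anchor_key, self.anchor_idx = disclosed, idx
        if idx in self.pending:
            msg, m = self.pending.pop(idx)
            if hmac.compare_digest(m, make_mac(disclosed, idx, msg)):
                verified.append(idx)
        return verified


def run_demo(root=b"\x01" * KEY_BYTES, n=8):
    """Constructed exchange: four genuine intervals, then a forgery made with an
    already-disclosed key, then a message tampered in flight."""
    keys = build_chain(root, n)
    sender, rx = Sender(keys), Receiver(keys[0], t0=0.0)
    genuine = []
    for i in range(1, 5):
        t = i * INTERVAL_S + 1.0                          # received early in interval i
        genuine += rx.receive(t, *sender.broadcast(i, b"nav-msg-%d" % i))
    # Forgery: K_1 was disclosed in interval 2; a valid MAC under it arrives too late.
    forged = rx.receive(65.0, 1, b"forged-nav", make_mac(keys[1], 1, b"forged-nav"), None)
    # Tampering: the interval-5 message is altered on the air, the MAC left unchanged.
    i5, _, mac5, disc5 = sender.broadcast(5, b"nav-msg-5")
    rx.receive(5 * INTERVAL_S + 1.0, i5, b"tampered", mac5, disc5)
    tampered = rx.receive(6 * INTERVAL_S + 1.0, *sender.broadcast(6, b"nav-msg-6"))
    return genuine, forged, tampered
```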
A. Asynchronous spoofing attacks
An asynchronous spoofing attack (also known as a power-take-over or hard-take-over) transmits a non-time-synchronised signal. Time-synchronisation would imply that the correlation peak of the spoofed signal is within the tracking window of the receiver. Consequently, an asynchronous attack is often rejected by the tracking channels, as the time and Doppler offsets are likely incorrect. This attack is defined as spoofing by non-coherent superposition by Günther [5], and a GPS signal simulator attack by Montgomery et al. [17], [2]. To successfully perform such an attack, the spoofing signal would generate a higher power at the receiver than the GNSS signals. This causes the tracking stage of the receiver to fail and the receiver to try to re-acquire the signals. The increment of power makes this attack simple to detect — e.g. by using the automatic gain control (AGC) stage of the receiver.
If a satellite is not yet acquired or if a tracking channel has lost lock and is attempting to re-acquire the signal, then the higher power will most likely cause the acquisition to be on the spoofed correlation peak. If a satellite is already in track, then the tracking channel could get broken. This could either be achieved by transmitting significantly higher power, such that the correlation noise exceeds the correct correlation peak, or by utilising a jammer [18].
An asynchronous attack does not require the target receiver position to be known, and is therefore considered a brute-force attack. In some cases the use of a warm- or hot-start for the acquisition may still allow the lock onto the correct GNSS signal. The limitations include the following: the higher power or jamming signal is detectable, a jump in the PVT is observed, and partial success (i.e. not all satellites are successfully spoofed) may occur, which would result in an erroneous PVT. Many of these limits result in simple detection of the spoofing attack.
Meaconing and replay based attacks are considered asynchronous, as an additional time delay between the actual signals and the replayed signals exists. This delay is caused by the processing latency of the replayer, as well as the travel time between the meaconer and the target receiver. Although a meaconing tends to be a simple replay, some more advanced methods exist. If the message symbols are unpredictable, then a security code estimation and replay (SCER) attack could be carried out in estimating them [13]. This requires a replayer to estimate the signal, before alterations to the signal can be made. Isolating signals before adding individual time delays would also have to be achieved. In this case a meaconer can be classified as a synchronous attack.
B. Synchronous spoofing attacks
Synchronous spoofing attacks (also known as a smooth-take-over or a soft-take-over) transmit spoofing signals which have overlapping correlation peaks. To achieve this, the spoofer would have some information about the location of the receiver. Just by time-synchronised transmission at increased power relative to the actual GNSS signals, the receiver would most likely lock onto the spoofer. This could improve the stealthiness of the attack, when the spoofer starts with low power, and then gradually increases it until lock of the receiver is achieved. This change in power could be estimated by the spoofer, or be compared to the received power with a co-operative receiver.
This attack is defined as spoofing by coherent superposition by Günther [5]. To achieve synchronisation, the spoofer would most likely require a GNSS receiver as a reference. As such, Humphreys et al. [19], [2] classify this as a receiver-based spoofer. If a multi-antenna configuration is used, this attack is classified as a sophisticated receiver-based spoofer by Ledvina et al. [20], [2].
These methods control the take-over and are less likely to be detected by the receiver. No jamming or high power transmission is required for these methods, hence the impact on other GNSS receivers can be minimised. Each satellite in the constellation, the spoofer location, the position of the target receiver and the positions of all other receivers influence this attack. If the time difference or the Doppler difference between the spoofed signal and a GNSS signal is sufficiently high at a non-target receiver, then the tracking channels will naturally suppress the presence of the spoofing signal.
The impediment is that the position of the receiver and all applicable delays have to be known. As a consequence, the receiver location has to be tracked, using additional sensors like radar, sonar, lidar, optical, etc., or be co-located. This increases the design complexity and cost of the system. The performance of the tracking is an additional source of system degradation.
If the position is not known, the position could be guessed, but this would have a doubtful probability of success [21]. Nonetheless, it could be attempted.
The improved stealthiness and theoretical performance of these spoofing attacks are therefore subject to the complexity associated with them. In many cases, these types of attacks are impractical and difficult to achieve.
A variation of synchronous spoofing attacks is to “null” the GNSS signals. This is done by transmitting a signal which is equal to the GNSS signal, but phase-inverted at the target receiver relative to the GNSS signal. The nulling-signal will destructively interfere with (cancel out) the GNSS signal. As the GNSS signal is no longer visible to the target receiver, a spoofing signal can simply and uncontested take over the receiver.
This attack would require that the nulling-signal is exactly phase inverted and amplitude matched to the correct signal, thereby making this attack even more difficult to achieve than a basic synchronous attack [4]. Experimental results have found that the calibration requirements of this attack are difficult to achieve. Theoretically, this attack should have superior performance to a basic synchronous attack, if it is successful.
IV. POSITION ALTERING STRATEGIES
In this section it is assumed that the spoofing attack is successful. The strategies to manipulate the PVT data of the receiver in different scenarios are theoretically analysed. The high level manipulation of the receiver position is considered.
Once a spoofer has captured the lock of the receiver, it can manipulate the signals such that the receiver has the incorrect time or position. The change in position and time would not be done abruptly, as this would cause the receiver to lose lock or to detect that the signals are false. Therefore, the spoofer signals would change in such a way that the receiver believes that the signal is real. As an example, if the spoofed position moves faster than what is physically possible by the vehicle on which the receiver is mounted, then it is easily detectable. Therefore, in all of the attacks described in this section, the physical limitations of the receiver would be considered.
A. No auto-pilot capability
Diagrams of the position based attacks are shown in Fig. 3. Each diagram has three lines: the blue line is the physical position of the receiver over time; the red line the spoofed position; and the green the perceived position of the spoofer. Note that the green line is drawn at an offset to ease the display of the scenarios. The arrows indicate the movement direction. A dot indicates the starting point (e.g. 3(b)), or a discrete change in direction (e.g. 3(h)). Circles indicate that a position is stationary (e.g. 3(b)), or becomes stationary (e.g. 3(e)). Lastly, a circle with a dotted line represents a jump in position (e.g. 3(a)).
An asynchronous attack does not know the position of the receiver, hence the spoofer would start at an arbitrary location relative to the receiver’s position. If the attack is successful, then the perceived location of the receiver will “jump” to the new location, as shown in Fig. 3(a). This is a common attack and has been demonstrated a number of times [22].
If the receiver is stationary, and a synchronous spoofing take-over moves the perceived location away, then a static pull-off is achieved (Fig. 3(b)). In the reversed scenario, the spoofer stays stationary, while the receiver moves away (Fig. 3(c)). This is a static lock. These two methods are simple dynamic attacks.
If a spoofer has a static location, and the receiver happens to move over the said location, the perceived receiver location can be halted. Fig. 3(d) shows the static catch example. This is unlikely to occur in practical systems. This strategy would be improved if the spoofer initially follows the receiver before halting, causing a dynamic stop (Fig. 3(e)). This method would also allow more time to achieve the take-over. In the opposite scenario, the spoofer stops while the receiver persists in a dynamic continue (Fig. 3(f)).
If the spoofer moves initially with the receiver, then at a certain time pulls away into a different direction, a dynamic pull-off is achieved (Fig. 3(g)). This is what is traditionally regarded as a spoofing attack. However, note that the spoofer does not change the physical position of the target receiver, only the perceived location. A more difficult version of this attack is similar to the static catch, but where the spoofer immediately changes position once the receiver is caught (Fig. 3(h)). With this strategy, the static pull-off is difficult to achieve, as there is little time to do the take-over.
Lastly, if a spoofer and the receiver cross paths at the same time, then it is possible to catch the receiver on the transition stage (Fig. 3(i)). This paths crossing scenario is highly unlikely, and, therefore, considered improbable to achieve.
B. Auto-pilot capability
In theory, a spoofed signal can control a vehicle. This is often cited as the worst case scenario for an autonomous vehicle, as it causes control-loss of the vehicle. In practice this is not necessarily the case. Through the use of sensor fusion with other navigational systems (including accelerometers, gyroscopes, inertial measurement unit (IMU), radar, lidar, optical tracking, sonar, altimeters, odometers, optical-navigation, compass, radio-telemetry, radio-navigation and magnetic navigation), the autonomous vehicle can potentially disregard the spoofed position and continue with valid navigation.
Fig. 3. Comparison of position attacks: (a) asynchronous attack, (b) static pull-off, (c) static lock, (d) static catch, (e) dynamic stop, (f) dynamic continuous, (g) dynamic pull-off, (h) static pull-off, (i) paths crossing. Legend: receiver location, receiver perception, spoofer location, static / stop, jump, direction change.
Further, to change the physical position of the receiver, the spoofer should move inversely. For example, if the vehicle should accelerate, then the spoofed position should move slower. The speed control system of the vehicle will then try to keep the required speed and accelerate the vehicle³. This means that to successfully control an autonomous vehicle,
1) the position of the target receiver would have to be known,
2) the auto-pilot path would have to be known,
3) any control systems of the target would have to be known and modelled, and
4) the influence of other sensors would have to be limited.
If correct security precautions are implemented (e.g. keeping the control system a black box or not revealing the auto-pilot path), then it is possible to counter this type of attack. This illustrates the difficulty to achieve an autonomous vehicle “high-jack”. Despite this difficulty, there are some reports of success in the literature — almost all of them in controlled environments [23], [24].
³ In this example an odometer will most likely overwrite the speed control system, rather than the GNSS receiver. Thereby also illustrating the sensor fusion argument.
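The sensor fusion argument of footnote 3, as an added example (not the paper’s code): a minimal consistency gate compares the GNSS-reported speed with the odometer and, after repeated disagreement, feeds the speed controller from the odometer alone. The simulation contrasts a controller that trusts GNSS only with one behind the gate; the tolerances, controller gain, platform model and the constructed spoofing profile (a growing negative speed bias, i.e. the spoofed position “moves slower”) are assumptions.

```python
"""Minimal GNSS/odometer fusion gate in front of a proportional speed controller.
Added example, not the paper's code; SPEED_TOL_MPS, STRIKES, the controller gain
and the constructed spoofing profile are assumptions."""

SPEED_TOL_MPS = 1.5   # assumed: GNSS/odometer disagreement tolerated
STRIKES = 3           # assumed: consecutive disagreements before GNSS is rejected


class FusionGate:
    """Blend GNSS and odometer speed until GNSS is repeatedly inconsistent,
    then fall back to the odometer alone."""

    def __init__(self):
        self.bad = 0
        self.gnss_trusted = True

    def fuse(self, gnss_speed, odo_speed):
        if abs(gnss_speed - odo_speed) > SPEED_TOL_MPS:
            self.bad += 1
        else:
            self.bad = 0
        if self.bad >= STRIKES:
            self.gnss_trusted = False
        if not self.gnss_trusted:
            return odo_speed
        return 0.5 * (gnss_speed + odo_speed)


def simulate(use_gate, steps=20, setpoint=20.0, gain=0.5):
    """Proportional cruise control at 1 s steps. From step 5 the constructed
    spoofer makes the reported GNSS speed lag the true speed by a growing bias,
    which invites the controller to speed the vehicle up.
    Returns (final true speed in m/s, whether GNSS is still trusted)."""
    gate = FusionGate()
    v = setpoint                                   # true vehicle speed, m/s
    for n in range(steps):
        bias = 0.5 * (n - 4) if n >= 5 else 0.0    # constructed spoofing profile
        gnss_speed = v - bias
        odo_speed = v                              # assumed: odometer is accurate
        measured = gate.fuse(gnss_speed, odo_speed) if use_gate else gnss_speed
        accel = max(-2.0, min(2.0, gain * (setpoint - measured)))  # actuator limit
        v += accel
    return v, gate.gnss_trusted


if __name__ == "__main__":
    print("GNSS only:", simulate(False))
    print("with gate:", simulate(True))
```

With GNSS alone the true speed ends several m/s above the setpoint because the controller chases the falsified reading; behind the gate the odometer takes over after three disagreements and the speed returns to the setpoint.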
For the remainder of this section, it is assumed that an auto-pilot based attack is achieved as the receiver completely trusts only the GNSS receiver location. Based on this assumption, the strategies on how to manipulate the PVT are considered and presented in the remainder of this section. Diagrams of auto-pilot based attacks are shown in Fig. 4.
Each diagram has four lines: the blue the physical position of the receiver over time; the red the spoofed position; the green the perceived position of the spoofer; and the yellow the path the auto-pilot is programmed to follow. Note that the yellow (above) and green (below) lines are drawn at an offset to ease the display of the scenarios.
The simplest attack against an auto-pilot would be a bearing
offset (Fig. 4(a)). This is the attack displayed in the well-known
“high-seas” trials [24]. The spoofer starts synchronised with the
receiver position. At some point the spoofed position slowly
drifts to one direction. The auto-pilot will notice that the
vehicle is off-course and will steer in the opposite direction.
Note that the longer the spoofer drifts off-course, the more
aggressively the auto-pilot will respond, as the error according
to the auto-pilot is increasing. As a result, the receiver path
and the spoofer path are not mirrors of each other, and
consequently the auto-pilot together with the dynamics of the
vehicle under attack needs to be modelled in advance for a
specific attack. After some time, the spoofer would return to
the path of the auto-pilot, and the auto-pilot would respond by
staying on the course it is currently on. As a result the vehicle
would move with a bearing offset (different direction).
[Fig. 4. Comparison of auto-pilot based attacks. Panels: (a) Bearing
offset; (b) Parallel path; (c) U-turn; (d) Stop; (e) Change
direction; (f) Overshoot; (g) Bearing jump; (h) Derail jump;
(i) Legend: receiver location, receiver perception, spoofer
location, auto-pilot track, with markers for accelerate, change
of direction, jump, and static / stop.]
If two successive bearing offsets are carried out, equal in
size but in opposite directions, then a parallel path could be
created (Fig. 4(b)). Hence the vehicle would move in the same
direction, but with an offset from the track. The time between
the two manoeuvres determines how large the offset will be.
Alternatively, if the bearing offset is timed correctly, it
would be possible to reverse the direction of the vehicle in
a U-turn (Fig. 4(c)). It should be noted that the vehicle would
move back on an offset track.
The speed of the vehicle could also be altered. If the
spoofer and the receiver are moving together, and the spoofed
position starts to accelerate, then the auto-pilot would decrease
the speed until the vehicle stops completely (Fig. 4(d)). At
this point the spoofed position would proceed along the correct
path. If the vehicle is capable of moving in both directions,
then the same principle could be applied to force the vehicle
to change direction (Fig. 4(e)). The opposite method would be
to decelerate or stop the spoofed position; the speed-control
system would then accelerate and the vehicle would overshoot
its target location (Fig. 4(f)).
If the spoofer moves with the receiver and then drifts away
(similar to the bearing offset), but then “jumps” back to the
correct location, then a smoother bearing offset could be
achieved (Fig. 4(g)). With this bearing jump the final bearing
is simpler to predict, but the spoofer risks losing lock on the
receiver or being detected. Similarly, if the auto-pilot follows
a complex path, it is possible to just skip ahead during a
manoeuvre of the auto-pilot, thereby fooling the auto-pilot
about its location on the pre-determined path (Fig. 4(h)). This
causes a natural change of bearing, and is called a derail jump.
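As an added illustration of the manoeuvres of Fig. 4(a), (b) and (g), the following Python simulation is not from the paper: it feeds a simple track-following auto-pilot with spoofed cross-track positions and reproduces the bearing offset, bearing jump and parallel path. The auto-pilot model (a heading-rate command proportional to the reported cross-track error, holding the current heading when the reported error is zero), the vehicle speed, the controller gain and the 12 m drift profiles are all assumptions. The model also shows why the true path is not a mirror image of the spoofed path, and includes a gyro-versus-GNSS consistency check of the kind the sensor fusion argument relies on.

```python
import math

# Constructed vehicle and auto-pilot parameters (assumptions for this example).
SPEED_MPS = 10.0          # constant forward speed of the vehicle
DT_S = 1.0                # auto-pilot update interval
GAIN_RAD_PER_M_S = 5e-4   # commanded heading rate per metre of cross-track error
MAX_RATE_RAD_S = 0.05     # steering rate limit of the vehicle


def reported_cross_track(plan, t):
    """Cross-track position (m) the spoofer makes the receiver report at time t.

    plan is a list of (duration_s, start_y_m, end_y_m) pieces; inside a piece the
    reported position moves linearly from start to end, so a piece whose start
    differs from the previous end is a jump.  After the last piece the spoofer
    reports the vehicle exactly on the auto-pilot track (y = 0).
    """
    t0 = 0.0
    for duration, start_y, end_y in plan:
        if t < t0 + duration:
            return start_y + (end_y - start_y) * (t - t0) / duration
        t0 += duration
    return 0.0


def simulate(plan, total_s):
    """Euler simulation of an auto-pilot that trusts only the spoofed GNSS position.

    The auto-pilot steers with a heading rate proportional to the reported
    cross-track error; when the reported error is zero it simply holds its
    current heading, which is what leaves the vehicle on a new bearing.
    """
    x = y = heading = 0.0
    path = []                      # (t, true_x, true_y, heading, reported_y)
    steps = int(total_s / DT_S)
    for n in range(steps):
        t = n * DT_S
        y_rep = reported_cross_track(plan, t)
        rate = -GAIN_RAD_PER_M_S * y_rep
        rate = max(-MAX_RATE_RAD_S, min(MAX_RATE_RAD_S, rate))
        heading += rate * DT_S
        x += SPEED_MPS * math.cos(heading) * DT_S
        y += SPEED_MPS * math.sin(heading) * DT_S
        path.append((t, x, y, heading, y_rep))
    # The true path is not a mirror image of the spoofed path: the auto-pilot
    # keeps turning for as long as the reported error persists.
    mirror_deviation = max(abs(py + ry) for _, _, py, _, ry in path)
    return {"heading_rad": heading, "true_y_m": y,
            "mirror_deviation_m": mirror_deviation, "path": path}


def gyro_disagreement_alarm(result, threshold_rad=math.radians(5.0)):
    """Sensor-fusion check: compare the heading a rate gyro would integrate with
    the course implied by consecutive reported positions.  A mismatch beyond
    the threshold reveals that the GNSS track is being manipulated."""
    path = result["path"]
    for (_, _, _, heading, y_prev), (_, _, _, _, y_now) in zip(path, path[1:]):
        course_rep = math.atan2(y_now - y_prev, SPEED_MPS * DT_S)
        if abs(heading - course_rep) > threshold_rad:
            return True
    return False


# Spoofer plans for the manoeuvres of Fig. 4 (12 m drift over 60 s, assumed).
BEARING_OFFSET = [(60, 0.0, -12.0), (60, -12.0, 0.0)]   # Fig. 4(a): drift out, drift back
BEARING_JUMP = [(60, 0.0, -12.0)]                       # Fig. 4(g): drift out, jump back
PARALLEL_PATH = (BEARING_OFFSET + [(60, 0.0, 0.0)]      # Fig. 4(b): two mirrored offsets
                 + [(60, 0.0, 12.0), (60, 12.0, 0.0)])

if __name__ == "__main__":
    for name, plan, total in (("bearing offset", BEARING_OFFSET, 180),
                              ("bearing jump", BEARING_JUMP, 180),
                              ("parallel path", PARALLEL_PATH, 360)):
        r = simulate(plan, total)
        print(f"{name:15s} final bearing {math.degrees(r['heading_rad']):6.2f} deg, "
              f"true cross-track {r['true_y_m']:8.1f} m, "
              f"gyro alarm {gyro_disagreement_alarm(r)}")
```

With these values the bearing offset leaves the vehicle on a 0.36 rad (about 21°) heading while the receiver reports it back on track, the jump variant ends on half that heading because the auto-pilot stops turning the moment the reported error vanishes, and the two mirrored offsets of the parallel path cancel the heading but leave a lateral displacement of several hundred metres. A rate gyro disagrees with the reported course in every case, which is the cheap cross-check the footnote on sensor fusion points at.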
As seen from the different strategies, it is evident that
even if the spoofing take-over was successful, and if no other
navigational aids were used by the auto-pilot, it would still
be a difficult and tedious task to control the auto-pilot.
Knowledge of the vehicle, the control systems used and the auto-
pilot path would be required, and complex manoeuvres with
many limitations would have to be made to enable position
manipulation. This shows that full vehicular manipulation
is highly improbable. Further, if the correct precautions are
taken, then control of the vehicle can be denied to a spoofer.
Considering all these effects, only an unprotected or
co-operative vehicle will be susceptible to a spoofer control
attack.
V. TIMING AND INFORMATION ALTERING ATTACKS
This section evaluates how the timing and symbol decoding
of a receiver could be manipulated using a spoofer. Many
systems rely on GNSS timing for operation [25]. If a spoofer
attacks a stationary target — like a measurement station —
there is little to be gained by spoofing the position. One
option would be to have the correct position for the spoofing
signals, and add the same pseudorange ramp to each signals.
As a result the position would remain constant, but the
time changes. This would cause timing instabilities in the
system. Alternatively, a pseudorange jitter could be applied
for small-scale timing instabilities. A side effect is that the
positioning precision would be reduced. A controlled version
of this attack is to create a position jitter, where the jitter
of the pseudoranges is an inter-dependant process. Lastly, the
pseudoranges could also be made unstable and jitter through
the addition of a jammer; however, this would be a relatively
small jitter error and will be easy to detect. Strictly per the
definition, this method should not be considered as a spoofer
attack, even though the intent is to alter the timing of the
receiver.
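To make the common-ramp argument concrete, here is an added Python example that is not from the paper: a constructed five-satellite geometry (illustrative coordinates, not real ephemerides) and a plain Gauss-Newton PVT solver over the pseudorange model rho_i = |s_i - p| + b. Adding the same offset to every pseudorange leaves the position solution untouched and moves only the clock bias, whereas independent per-signal jitter scatters both. The receiver state, the 1 µs ramp and the jitter offsets are assumptions.

```python
import math

C_M_PER_S = 299_792_458.0

# Constructed five-satellite geometry in an Earth-centred frame (metres):
# one satellite near the receiver's zenith and four at about 60 degrees
# from it.  Illustrative values only, not real ephemerides.
SATS = [
    (16.5e6, 12.4e6, 16.5e6),
    (20.6e6, -6.2e6, 10.3e6),
    (-0.1e6, 21.5e6, 10.3e6),
    (18.9e6, 14.2e6, -3.3e6),
    (1.6e6, 1.2e6, 23.8e6),
]


def norm(v):
    return math.sqrt(sum(c * c for c in v))


def pseudoranges(rx, clock_bias_m, sats=SATS):
    """Noise-free pseudoranges: geometric range plus receiver clock bias (metres)."""
    return [norm((s[0] - rx[0], s[1] - rx[1], s[2] - rx[2])) + clock_bias_m for s in sats]


def solve_linear(a, b):
    """Gaussian elimination with partial pivoting for a small dense system a x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def solve_pvt(rho, sats=SATS, max_iter=50):
    """Gauss-Newton least squares for (x, y, z, clock_bias_m) from pseudoranges.

    Each iteration linearises rho_i = |s_i - p| + b around the current estimate;
    the Jacobian row for satellite i is (-unit vector towards s_i, 1).
    """
    est = [0.0, 0.0, 0.0, 0.0]      # start at the Earth's centre, as receivers commonly do
    for _ in range(max_iter):
        h, resid = [], []
        for s, r in zip(sats, rho):
            d = [s[i] - est[i] for i in range(3)]
            geo = norm(d)
            h.append([-d[0] / geo, -d[1] / geo, -d[2] / geo, 1.0])
            resid.append(r - (geo + est[3]))
        hth = [[sum(row[i] * row[j] for row in h) for j in range(4)] for i in range(4)]
        htr = [sum(row[i] * rr for row, rr in zip(h, resid)) for i in range(4)]
        dx = solve_linear(hth, htr)
        est = [est[i] + dx[i] for i in range(4)]
        if norm(dx) < 1e-6:
            break
    return est


def position_error_m(sol, rx):
    return norm((sol[0] - rx[0], sol[1] - rx[1], sol[2] - rx[2]))


def common_ramp_attack(rx, clock_bias_m, ramp_m):
    """Spoofer adds the same offset to every pseudorange: only the time solution moves."""
    rho = [r + ramp_m for r in pseudoranges(rx, clock_bias_m)]
    return solve_pvt(rho)


def jitter_attack(rx, clock_bias_m, offsets_m):
    """Spoofer adds a different offset per signal: position and time both move."""
    rho = [r + o for r, o in zip(pseudoranges(rx, clock_bias_m), offsets_m)]
    return solve_pvt(rho)


def ramp_to_time_shift_s(ramp_m):
    """A pseudorange ramp of ramp_m metres shifts the receiver clock by ramp_m / c."""
    return ramp_m / C_M_PER_S


if __name__ == "__main__":
    rx, bias = (4.0e6, 3.0e6, 4.0e6), 1500.0     # constructed receiver state
    ramp = C_M_PER_S * 1e-6                        # one microsecond expressed in metres
    sol = common_ramp_attack(rx, bias, ramp)
    print(f"common ramp: position error {position_error_m(sol, rx):.3e} m, "
          f"clock shift {(sol[3] - bias) / C_M_PER_S * 1e6:.3f} us")
    sol = jitter_attack(rx, bias, [2.0, -3.0, 1.5, -1.0, 2.5])   # constructed jitter
    print(f"per-signal jitter: position error {position_error_m(sol, rx):.1f} m")
```

The practical consequence is that a position-only consistency check (comparing the fix against a surveyed antenna location) never sees a common ramp; a timing receiver has to watch the clock-bias trend against its own oscillator or an external reference. The per-signal jitter, by contrast, shows up in both the position scatter and the post-fit residuals.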
The spoofer could also transmit a signal which has the same
properties as the actual GNSS signal, with the only difference
being that the information encoded onto the signal is altered.
This could be done to create fake navigation messages of the
satellites, which are interpreted by the receiver. Falsifying the
ephemeris data to cause poor PVT solutions or to alter the
position is possible, but it is not simple to achieve. Altering
the time or other data in the messages could also influence the
receiver. Such an attack is considered an information based
attack, as the information of the GNSS signals is altered. As
such, this type of attack is more associated with IW. NMA
could provide an effective way to avoid such type of attacks.
The attacks discussed in this section are rarely reported, but
they can have an impact on a receiver. The strategic gain of
these attacks is low, especially considering the effort needed to
achieve them. It can therefore be concluded that timing based
attacks are currently a low priority for the development of
anti-spoofing methods, and jeopardize the correct operation of
the system minimally.
VI. APPLICATION AND NETWORK LEVEL ATTACKS
In many cases, the PVT of a receiver can be altered after
the PVT has been calculated. It can be performed to overwrite
the GNSS interface of an integrated system with the desired
data. Such an attack has the property of only affecting the
targeted system, and does not require spoofing EM signals to
be transmitted. Therefore, only a single targeted device could
be attacked. In many cases the user aims to spoof his own
device.
To achieve this, the communication between the GNSS
localisation module and the application requiring a location
could be intercepted and falsified. This could be carried out
on hardware level [26], where a GNSS module is bypassed and
replaced with a GNSS module emulator, or on software level,
where the data interface is hacked [27]. The restriction of
this method is that it is a network or application level attack;
hence, an understanding of the target device's interfaces is
required.
As an example, the location of a smart-phone could be
hacked such that a targeted application receives a false position.
This has been used to cheat in location based games such
as Pokémon GO.
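As an added example (not from the paper or the works it cites), the following Python code shows what the software-level interface attack looks like for the NMEA 0183 sentences most GNSS modules emit over a serial or virtual port: a sentence carrying any position at all can be assembled with a valid checksum, because the NMEA checksum is a plain XOR that protects against line noise and provides no authenticity. The only defence available at this layer is a plausibility check inside the consuming application, shown here as a maximum-speed test between consecutive fixes. The coordinates, timestamps and the 50 m/s limit are constructed values.

```python
import math
from functools import reduce


def nmea_checksum(body):
    """XOR of all characters between '$' and '*', as a two-digit uppercase hex string."""
    return f"{reduce(lambda acc, ch: acc ^ ch, body.encode('ascii'), 0):02X}"


def checksum_valid(sentence):
    """True when the trailing *hh checksum matches the sentence body."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, given = sentence[1:].split("*", 1)
    return given.strip().upper() == nmea_checksum(body)


def _coord_field(value_deg, is_lat):
    """Degrees to NMEA ddmm.mmmm (latitude) or dddmm.mmmm (longitude) plus hemisphere."""
    hemi = ("N" if value_deg >= 0 else "S") if is_lat else ("E" if value_deg >= 0 else "W")
    whole = int(abs(value_deg))
    minutes = (abs(value_deg) - whole) * 60.0
    width = 2 if is_lat else 3
    return f"{whole:0{width}d}{minutes:07.4f}", hemi


def build_gga(lat_deg, lon_deg, utc="120000.00", quality=1, n_sats=8, hdop=0.9, alt_m=300.0):
    """Assemble a GGA sentence for an arbitrary position.  This is all a GNSS
    module emulator or a hooked serial interface has to do to feed a false fix."""
    lat, ns = _coord_field(lat_deg, True)
    lon, ew = _coord_field(lon_deg, False)
    body = (f"GPGGA,{utc},{lat},{ns},{lon},{ew},{quality},{n_sats:02d},"
            f"{hdop:.1f},{alt_m:.1f},M,0.0,M,,")
    return f"${body}*{nmea_checksum(body)}"


def parse_gga(sentence):
    """Validate the checksum and return lat/lon in degrees plus the UTC, fix
    quality and satellite-count fields.  Raises ValueError on bad input."""
    if not checksum_valid(sentence):
        raise ValueError("malformed sentence or checksum mismatch")
    f = sentence[1:].split("*", 1)[0].split(",")
    if not f[0].endswith("GGA"):
        raise ValueError("not a GGA sentence")

    def to_deg(field, hemi, width):
        deg = int(field[:width]) + float(field[width:]) / 60.0
        return -deg if hemi in ("S", "W") else deg

    return {"utc": f[1], "lat": to_deg(f[2], f[3], 2), "lon": to_deg(f[4], f[5], 3),
            "quality": int(f[6]), "n_sats": int(f[7])}


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6_371_000.0 * math.asin(math.sqrt(a))


def plausible_step(prev_fix, new_fix, dt_s, max_speed_mps):
    """Application-side plausibility check: reject a fix that would require
    moving faster than max_speed_mps since the previously accepted fix."""
    moved = distance_m(prev_fix["lat"], prev_fix["lon"], new_fix["lat"], new_fix["lon"])
    return moved <= max_speed_mps * dt_s


if __name__ == "__main__":
    genuine = parse_gga(build_gga(49.4500, 11.0800))          # constructed fix near Nuremberg
    forged = build_gga(49.5000, 11.0800, utc="120001.00")     # 5.5 km away, one second later
    print(forged, "checksum ok:", checksum_valid(forged))
    print("plausible at 50 m/s:", plausible_step(genuine, parse_gga(forged), 1.0, 50.0))
    crawl = build_gga(49.4503, 11.0800, utc="120001.00")      # 33 m away: passes the check
    print("slow drift passes:", plausible_step(genuine, parse_gga(crawl), 1.0, 50.0))
```

The last case is the limit of the approach: a patient attacker who walks the fake position at a believable speed passes the speed test just as the bearing-offset spoofer in Section IV fools an auto-pilot, which is why the paper's recommendation of fusing independent sensors, rather than validating the GNSS feed on its own, applies at the application level too.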
It could also be possible to spoof correction data, like
RTCM (Radio Technical Commission for Maritime Services)
correction messages or ionospheric correction data. This would
be a correction-based spoofing attack and is aimed at reducing
the PVT accuracy.
VII. CONCLUSION
This paper presents a layered classification of spoofing
attacks, to broaden the understanding on the types of attacks
that are possible and evaluate the spoofer probability. The
classifications include the deployment architectures (physical
locations), signal generation, position altering strategies, tim-
ing and information altering strategies and application and
network level attacks.
Viewing the attack from a spoofer's point of view, the
strategic value of the attacks is exposed. This allows the
identification and targeted design of preventative measures
to counter spoofing. This follows the principle of adaptive
engineering: reflecting upon the spoofer attack allows
countering solutions to become evident. Attacks of low strategic
value (e.g. pseudorange jitter) can thereby be disregarded as a
threat and consequently be ignored in receiver hardening design.
On the contrary, attacks with high strategic value should be
addressed with high priority.
It is found that many of the spoofing types are difficult,
impractical and too complex to achieve, or only achievable in
specific circumstances (e.g. the auto-pilot based attack).
Therefore, it can be concluded that these types of attacks are
currently not a viable threat. In such cases, the development of
anti-spoofing methods is not as crucial; however, it is possible
that with the advancement of technology the status quo will
change. If this is the case, preventative development for future
threats is needed.
Some attacks present a clear threat and need to be ad-
dressed and considered in receiver design, for example an
asynchronous attack. The recent development of NMA algo-
rithms allows the authentication of signals, and is therefore an
effective system feature to counter spoofing attacks. A multi-
system, multi-signal approach provides a good counter mea-
sure to spoofing, as it is unlikely that all signals are spoofed
simultaneously (this forces the spoofer to be more complex).
As it is costly to have a multi-transmitter spoofer, it is advised
to use a multi-antenna receiver with AOA verification and
spatial filtering. Lastly, integrating different sensors (e.g.
IMUs, proximity detectors, radar, cellular positioning, active
transponders, etc.) will also reduce the impact of a spoofing
attack.
Understanding the spoofer's goals and strategies allows the
spoofer threat to be exposed. Directed and efficient counter
measures can then be developed for the greater well-being of
society. Spoofing threats should not be underestimated, and
the already available anti-spoofing methods should be
implemented on a broader scale.
REFERENCES
[1] John A. Volpe National Transportation Systems Center, “Vulnerability assessment of the transportation infrastructure relying on the Global Positioning System,” U.S. DoT, 2001.
[2] A. Jafarnia-Jahromi, A. Broumandan, J. Nielsen, and G. Lachapelle, “GPS vulnerability to spoofing threats and a review of antispoofing techniques,” International Journal of Navigation and Observation, vol. 2012, pp. 1–16, 2012.
[3] C. M. Pereira, J. Rastegar, C. E. McLain, T. Alanson, C. McMullan, and H. L. Nguyen, “Countering GPS jamming and EW threat,” 2007.
[4] M. L. Psiaki and T. E. Humphreys, “GNSS spoofing and detection,” Proceedings of the IEEE, vol. 104, no. 6, pp. 1258–1270, June 2016.
[5] C. Günther, “A survey of spoofing and counter-measures,” Navigation, vol. 61, no. 3, pp. 159–177, 2014.
[6] A. Rügamer and D. Kowalewski, “Jamming and spoofing of GNSS signals - an underestimated risk?!” in Proceedings, FIG Working Week 2015, May 17-21, 2015, Sofia, Bulgaria, 2015.
[7] J. VanderSteen, “Adaptive engineering,” Bulletin of Science, Technology & Society, vol. 31, no. 2, pp. 134–143, 2011.
[8] P. Ngatchou, A. Zarei, and A. El-Sharkawi, “Pareto multi objective optimization,” in Proceedings of the 13th International Conference on Intelligent Systems Application to Power Systems, Nov. 2005, pp. 84–91.
[9] M. Darwish. (2017) Did Russia make this ship disappear? [Online]. Available: http://money.cnn.com/2017/11/03/technology/gps-spoofing-russia/index.html
[10] D. Goward. (2017) GPS spoofing incident points to fragility of navigation satellites. [Online]. Available: http://www.nationaldefensemagazine.org/articles/2017/8/22/viewpoint-gps-spoofing-incident-points-to-fragility-of-navigation-satellites
[11] M. Psiaki, S. Powell, and B. O'Hanlon, “GNSS spoofing detection using high-frequency antenna motion and carrier-phase data,” in Proceedings of the 26th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2013), 2013.
[12] G. Caparra, “Navigation message authentication schemes,” InsideGNSS, October 2016.
[13] T. E. Humphreys, “Detection strategy for cryptographic GNSS anti-spoofing,” IEEE Transactions on Aerospace and Electronic Systems, vol. 49, no. 2, pp. 1073–1090, April 2013.
[14] A. J. Kerns, K. D. Wesson, and T. E. Humphreys, “A blueprint for civil GPS navigation message authentication,” in 2014 IEEE/ION Position, Location and Navigation Symposium - PLANS 2014, May 2014, pp. 262–269.
[15] G. Caparra, “Evaluating the security of one-way key chains in TESLA-based GNSS navigation message authentication schemes,” in 2016 International Conference on Localization and GNSS (ICL-GNSS), Barcelona, 2016.
[16] X. Zubizarreta, “Assessment of Galileo open service navigation message authentication,” Master's thesis, 2017.
[17] P. Y. Montgomery, T. E. Humphreys, and B. M. Ledvina, “Receiver-autonomous spoofing detection: Experimental results of a multi-antenna receiver defense against a portable civil GPS spoofer,” vol. 1, pp. 124–130, Jan. 2009.
[18] R. H. Mitch, R. C. Dougherty, M. L. Psiaki, S. P. Powell, B. W. O'Hanlon, J. A. Bhatti, and T. E. Humphreys, “Signal characteristics of civil GPS jammers,” in Proceedings of the 24th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2011), 2011.
[19] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O'Hanlon, and P. M. Kintner, Jr., “Assessing the spoofing threat: Development of a portable GPS civilian spoofer,” pp. 2314–2325, 2008.
[20] B. Ledvina, W. Bencze, B. Galusha, and I. Miller, “An in-line anti-spoofing device for legacy civil GPS receivers,” pp. 698–712, 2010.
[21] N. O. Tippenhauer, C. Pöpper, K. B. Rasmussen, and S. Čapkun, “On the requirements for successful GPS spoofing attacks,” in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11). ACM, 2011.
[22] W. De Wilde, J. Van Hees, G. Cuypers, J. Dumon, J.-M. Sleewaegen, and B. Bougard, “Spoofing threats: Reality check, impact and cure,” in Proceedings of the 30th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2017), 2017, pp. 1289–1327.
[23] A. J. Kerns, D. P. Shepard, J. A. Bhatti, and T. E. Humphreys, “Unmanned aircraft capture and control via GPS spoofing,” Journal of Field Robotics, vol. 31, no. 4, pp. 617–636, 2014.
[24] J. Bhatti and T. E. Humphreys, “Hostile control of ships via false GPS signals: Demonstration and detection,” Navigation, vol. 64, no. 1, pp. 51–66, 2017.
[25] D. P. Shepard, J. A. Bhatti, T. E. Humphreys, and A. A. Fansler, “Evaluation of smart grid and civilian UAV vulnerability to GPS spoofing attacks,” in Proceedings of ION GNSS 2012, 2012, pp. 3591–3605.
[26] O. Pozzobon, C. Wullems, and M. Detratti, “Security considerations in the design of tamper resistant GNSS receivers,” in 2010 5th ESA Workshop on Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), Dec. 2010, pp. 1–5.
[27] O. Pozzobon, C. Wullems, and K. Kubik, “Requirements for enhancing trust, security and integrity of GNSS location services,” in The 60th Annual Meeting of the Institute of Navigation (ION), Dayton, OH, 2004.
The growing economic importance of Global Navigation Satellite Systems (GNSS) makes it rewarding for malevolent people to aim at misleading receivers in their position and time estimation. This can be achieved by replacing or superposing signals onto the authentic GNSS satellite signals and is called spoofing. Most current receivers are not designed to detect spoofing. The present article aims at a systematic exposition of threats. In many cases, they can be addressed by comparing the received signals, the estimated states, and their respective dynamics against models. A cryptographic signature of the navigation message would furthermore improve the detectability of fake synthetic signals, and should be implemented in the definition of new GNSS signals. In general, the analysis of spoofing should receive the same attention as the analysis of natural impairments. We hope that the present paper will contribute to achieving this. Copyright © 2014 Institute of Navigation.
