techniques for spoofing and for spoofing...
TRANSCRIPT
Techniques for Spoofing and for Spoofing Mitigation
Mark L. PsiakiSibl S h l f M h i l & A E i iSibley School of Mechanical & Aerospace Engineering,Cornell University, Ithaca, NY, USA
ENAC/SIGNAV Nav. & Timing Symposium, 17 Nov. 2015
The Problem: Surreptitious Receiver Channel Capture & Consistent Drag Off
Known
Channel Capture & Consistent Drag-Off
ENAC/SIGNAV Nov. ‘15 2 of 30
The Problem: Spoofer Field Tests & All d “I h Wild” S D CAlleged “In-the-Wild” Spy Drone Capture
Drone Hack: Spoofing Attack Demonstration on a Civilian Unmanned Aerial Vehicle (GPS World 1 Aug. 2012)
Exclusive: Iran hijacked US drone, says Iranian engineer (CS Monitor 15 Dec 2011)says Iranian engineer (CS Monitor 15 Dec 2011)
GPS Spoofing Experiment Knocks Shi ff C U i it f T tShip off Course: University of Texas at Austin team repeats spoofing demonstration with a superyacht.(Inside GNSS 31 July 2013)
ENAC/SIGNAV Nov. ‘15 3 of 30
Presentation OutlineI. Potential spoofing attack strategiesII. Effective spoofing detection methodsp gIII. Ranking of attack & detection “costs” and
identification of appropriate detection methods for given attack strategies
IV. Re-acquisition of true signals & navigation bilit ft tt k d t ticapability after attack detection
V. Recommendations for COTS GNSS receiver spoofing defensesreceiver spoofing defenses
ENAC/SIGNAV Nov. ‘15 4 of 30
Open-Loop Signal Simulator Attack Initially jam receiver to unlock tracking loops
from true signalsJammerSignal
Generate consistent spoofer signals using GNSS signal simulator & broadcastGNSS signal simulator & broadcast overpowered versions
SpooferSignal
ENAC/SIGNAV Nov. ‘15 5 of 30
Receiver/Spoofer with Known Geometry Relative to Victim (as already shown)
Known
Relative to Victim (as already shown)
Receiver tracking points
Total signal
Receiver tracking points
Spoofer signal
Completed drag-off
ENAC/SIGNAV Nov. ‘15 6 of 30
Meaconing AttackGNSS
Satellitej+1GNSS
GNSSSatellite j
...GNSS
Satellite j-1
... Meacon/spoofer(
Meacon’s small
signal (has correct versions of allencryptions)
Meacon s smallphased array
of GPS receiverantennas
Meacon (i.e., replay-with-delay) signal processer w/independently steerable channel reception gain
patterns replay delays & replay gainspatterns, replay delays, & replay gains
ENAC/SIGNAV Nov. ‘15 7 of 30
True-Signal Nulling AttackKnown
Total signal Receiver tracking points
Spoofer signalNulling signal
Completed drag-off Cancellation of true & nulling signals
ENAC/SIGNAV Nov. ‘15 8 of 30
Multi-Transmitter AttackGNSS
Satellitej+1
GNSS Satellite j-1
GNSSSatellite j
......
Si l h lSingle-channelreceiver/spoofers(possibly carriedon air vehicles)
Spoofed signalsof individual
t llit ithon air vehicles) satellites withrealistic direction-of-arrival diversity
ENAC/SIGNAV Nov. ‘15 9 of 30
Received Power Monitoring (RPM)
ENAC/SIGNAV Nov. ‘15 10 of 30
Jump in [I;Q] Accumulation Phasor8
1108
0.5
0Sudden [I;Q] jump at onset
of spoofing attack
-0.5
196.5196195.5195194.5194193 5-10108
-11
ENAC/SIGNAV Nov. ‘15 11 of 30
194193.51
Sudden Jump in Doppler Rate of Change
2240
2260
t (H
z)
2200
2220
Onset of spoofing attack
pple
r Shi
ft
2180
2200
Onset of drag-off(sudden 0.02 g increment
in carrier acceleration/
Do
2140
2160in carrier acceleration/
Doppler rate)
0 50 100 150 200 250 300 350 400 450 5002120
2140
ENAC/SIGNAV Nov. ‘15 12 of 30
Time (sec)
Distortion of Complex Correlations1.2
Non-SpoofedSpoofed Drag-Off
1.2No apparent
spoofeddistortion in
Telltale spoofer/true-signalinteraction distortion: complexautocorrelation is non-planar
mul
atio
n
0.8
1
mul
atio
n
0.8
1distortion incorrelationmagnitudevs. code
offset
ase
Acc
um
0.6
ase
Acc
um
0.6
In-P
ha
0.2
0.4
In-P
ha0.2
0.4
Code Offset (chips)-2 -1 0 1 2
0
Quadrature Accumulation-0.6 -0.4 -0.2 0 0.2 0.40
ENAC/SIGNAV Nov. ‘15 13 of 30
Code O se (c ps) Quad a u e ccu u a o
Encryption-Based Defenses Symmetric key encryption, e.g., GPS P(Y) & M
codes Cross-correlation of unknown symmetric key
codes between a secured reference receiver & a potential victim
Navigation Message Authentication (NMA): digitally signed unpredictable navigation bits
Spread Spectrum Security Code (SSSC):Short encrypted segments received, stored, & checked against a digitally signed key that is broadcast later
ENAC/SIGNAV Nov. ‘15 14 of 30
Spoofing Detection via Inter-Receiver Correlation of Unknown P(Y) CodeCorrelation of Unknown P(Y) Code
GPS Satellite GEO “bent-pipe”transceiver
Broadcast segments of delayed, digitally-
T itt f d l d
y , g ysigned P(Y) features Secure uplink of
delayed, digitally-signed P(Y) features
UE with - receiver for delayed,
S t / i
Transmitter of delayed, digitally-signed P(Y)
features
digitally-signed P(Y) features
- delayed processing t d t t fi
Secure antenna/receiver w/processing to estimate P(Y) features (or a single antenna or a distributed
to detect spoofing via P(Y) feature correlation
set of single-antennas)
ENAC/SIGNAV Nov. ‘15 15 of 30
Semi-Codeless Spoofing Detection using Unknown P(Y) code Receiver Cross Correlation
350
400
gamma detection statisticpredicted gamma meanspoofing detection thresholdapriori predictedgammamean
Onset of spoofing attack
P(Y) code Receiver Cross-Correlation
250
300
a priori predicted gamma meana priori spoofing detection threshold
150
200
gam
ma s
50
100
S f l d t ti f fi
0 50 100 150 200 250-50
0
Successful detection of spoofingwhen dashed green threshold crossesabove solid blue detection statistic
Build-up of significant spoofedC/A code-phase error
Receiver A Time (sec)
ENAC/SIGNAV Nov. ‘15 16 of 30
Drift-Based Defenses Monitor drift of computed receiver clock offset
& compare with known oscillator stability& compare with known oscillator stability Monitor nav. solution motion using an inertial
measurement unitmeasurement unit Declare a spoofing alert if either clock drift or
nav. solution acceleration are physically p y yunreasonable based on a priori knowledge or independent sensor data
ENAC/SIGNAV Nov. ‘15 17 of 30
DOA/Interferometric Methods,S f dNon-Spoofed Case
GNSSGNSS
Satellite j GNSSSatellite
j+1GNSS
Satellite j-1
Satellite j
...
jρ̂
1ˆ +jρ
Alternate systemw/partial DOAdetermination:
Satellite j 1
...
1ˆ −jρ
ρAntenna A Antenna B
BAb
Antenna AAntenna D Antenna C
Antenna B
DAb CAb
b
BAb
ENAC/SIGNAV Nov. ‘15 18 of 30
Antenna BBAb
DOA/Interferometric Methods, S f dSpoofed Case
Single-transmit-antenna spoofer that d f l i l f GNSS t llitsends false signals for GNSS satellites
…, j-1, j, j+1, …
spantsysto2ρ̂ Alternate system
/f ll DOA
spantsysto4ρ̂
DAb CAbAntenna A Antenna B
w/full DOAdetermination:
Antenna AAntenna D Antenna C
Antenna B
DA CAb
BAbBAb
ENAC/SIGNAV Nov. ‘15 19 of 30
Test of 2-Antenna Defense Against Live Spoofing Attack on White Rose of DrachsSpoofing Attack on White Rose of Drachs
Receiver/spoofersignal
Spooferreceptionantenna
t t
signalprocessoramidships
at sternof yacht
2-antennaspoofingdetectornear bow
Spoofer
near bow
Spoofertransmission
antenna
ENAC/SIGNAV Nov. ‘15 20 of 30
Single-Differenced Carrier Phase Responses to Spoofing Attack against Dual-Antenna SystemSpoofing Attack against Dual-Antenna System
0.6
PRN02PRN12Initial Attack
0.2
0.4
(cyc
les)
PRN14PRN21PRN25PRN29PRN31
Code Drag-Off
-0.2
0
Part
of Δ
φ BA PRN31
Initial AttackDrag Off
-0.4
0.2
Frac
tiona
l P
0 200 400 600 800 1000 1200-0.8
-0.6
Receiver Clock Time (sec)
ENAC/SIGNAV Nov. ‘15 21 of 30
Complementary Detection Strategy Examples Power/signal-distortion/drift
Distortion less obvious w/high-power spoofer or rapid drag-offP & d if i i f ll i bl Power & drift monitors constrain spoofer to allow recognizable signal distortion during a long drag-off phase
NMA/SCER-detection/clock-drift NMA/SCER detection/clock drift NMA forces Security Code Estimation & Replay attack Clock drift monitoring constrains initial spoofed signal delays Constrained delays force spoofer to fake early parts of NMA
bits; faked initial bit portions are detectable
DOA/continual signal re acquisition DOA/continual signal re-acquisition Re-acquisition finds multiple copies of same signal DOA distinguishes true & spoofed versions of same signalg p g
ENAC/SIGNAV Nov. ‘15 22 of 30
Relative “Cost” Ranking of Attack Strategies Meaconing, single RCVR ant, single TRANS ant Jammer/open-loop signal simulatorg RCVR/SPFR, 1 TRANS ant Meaconing, multi RCVR ants, 1 TRANS antg, , Nulling RCVR/SPFR, 1 TRANS ant RCVR/SPFR, multi TRANS ants RCVR/SPFR, multi TRANS ants Meaconing, multi RCVR ants, multi TRANS ant Nulling RCVR/SPFR multi TRANS ants Nulling RCVR/SPFR, multi TRANS ants
ENAC/SIGNAV Nov. ‘15 23 of 30
Relative “Cost” Ranking of Detection Strategies Observables & received power monitoring (RPM) Correlation function distortion monitoring Drift monitoring (clock offset, IMU/position) Observables, RPM, distortion, & drift monitoring NMA or Delayed symmetric-key SSSC NMA, SCER detection, RPM, & drift monitoring, , , g Dual-RCVR keyless correlation of unknown
SSSC codes Symmetric-key SSSC, e.g., P(Y) or equivalent
ENAC/SIGNAV Nov. ‘15 24 of 30
Ineffective Defense/Attack Paring Examples Pseudorange based RAIM defense: Pseudorange-based RAIM defense:
Ineffective against all reported attack strategies
RPM & observables monitoring RPM & observables monitoring Receiver/spoofer w/1 TRANS ant -- if designed carefully
NMA (w/o or w/SCER detection), dual-receiver ( /o o /SC detect o ), dua ece ekeyless correlation of unknown SSSC, or symmetric-key SSSC Any type of meaconing
Correlation function distortion monitoring Any type of signal-nulling attack
DOA-based methodsM th d i lti l f t i i t Methods using multiple spoofer transmission antennas
ENAC/SIGNAV Nov. ‘15 25 of 30
Effective Defense/Attack Paring Examples RPM w/monitoring of observables, drift, &
correlation function distortionA fi th d / i l lli if ht t Any spoofing method w/o signal nulling – if caught at onset
DOA-based methods DOA-based methods All spoofing methods with a single transmission antenna
NMA dual-receiver keyless correlation of unknown NMA, dual receiver keyless correlation of unknown SSSC, or symmetric-key SSSC All non-meaconing/non-SCER spoofing methodsg p g
ENAC/SIGNAV Nov. ‘15 26 of 30
Cost-Ranked GNSS Attack/Detection Matrix
Psiaki & Humphreys, “GNSS Spoofing and Detection,” IEEE Proc. (invited), submitted for review
ENAC/SIGNAV Nov. ‘15 27 of 30
Navigation Recovery after Attack Detection Bulk of research to date concentrates on detection Need to go beyond “Warning: Spoofing Attack;
GNSS navigation fix unreliable”, to “Authentic GNSS signals recovered; navigation fix reliable”
Problem involves seeking, re-acquiring, & authenticating true signalsH d b f t th ( t j ) Hampered by spoofer strength (acts as a jammer)
Weak-signal techniques useable if spoofer t it th ti i ti bit bltransmits authentic navigation bits – enables very long coherent integration intervals for authentic signalssignals
ENAC/SIGNAV Nov. ‘15 28 of 30
Authentic Signal Re-Acquisition “During” h Whi R f D h Lib A kthe White Rose of Drachs Libya Attack
ENAC/SIGNAV Nov. ‘15 29 of 30
Recommendations to COTS Receiver Mfg’s. Implement something beyond simple pseudorange-based Implement something beyond simple pseudorange-based
RAIM detection methods Apparently no COTS receivers defend against current threats
Implement simplest detection methods first, ones that require mostly firmware upgrades Monitoring of received power (needs AGC gain input if not available) Monitoring of received power (needs AGC gain input if not available),
observables anomalies, correlation function distortion, & clock drift.
Implement stronger detection methods as time, money, & market/percei ed threat allo or demandmarket/perceived threat allow or demand Existing multi-antenna systems could implement DOA methods via
firmware upgrades
Constellations should add NMA or SSSC segs w/delayed keys Use hypothesis testing machinery in detection tests
E bl i iti f th ti i l / i ti bilit Enable re-acquisition of authentic signals/navigation capability
ENAC/SIGNAV Nov. ‘15 30 of 30