Coherent Navigation Candidate Non-Cryptographic GNSS Spoofing Detection Techniques Brent Ledvina*,...

Coherent Navigation Candidate Non-Cryptographic GNSS Spoofing Detection Techniques. Brent Ledvina*, Isaac Miller, Bryan Galusha, William Bencze, and Clark Cohen, Coherent Navigation, Inc. GNSS Security Splinter Meeting, Portland, OR, 23 September 2010. *Adjunct Professor at Virginia Tech


Page 1:

Coherent Navigation

Candidate Non-Cryptographic GNSS Spoofing Detection Techniques

Brent Ledvina*, Isaac Miller, Bryan Galusha, William Bencze, and Clark Cohen, Coherent Navigation, Inc.

GNSS Security Splinter Meeting, Portland, OR

23 September 2010

*Adjunct Professor at Virginia Tech

Page 2:

Protecting Civil GPS Receivers

Critical infrastructure relies on civil GPS navigation and timing
• Electrical grid timing and control
• Banking/financial transactions
• Commercial aircraft guidance and landing
• Communication systems (cellular)
• Public transportation
• Asset tracking
• Commercial fishing monitoring
• Vehicle mileage taxation
• Monitoring criminals

Non-cryptographic spoofing defenses provide some protection to civil GNSS receivers

Page 3:

Goal and Motivation

Goal
• Illustrate six candidate non-cryptographic spoofing detection techniques

Motivation
• Non-cryptographic spoofing detection techniques could be implemented today
• Non-cryptographic defenses are needed if one is concerned with encryption or authentication key security breaches

Page 4:

The Sinister Threat: A Portable Receiver-Spoofer

Humphreys et al., 2008 and Montgomery et al., 2009 described development and testing of a portable GPS L1 C/A code receiver-spoofer

GPS signal simulators, RF playback systems, and GPS repeaters are also a threat

Page 5:

Spoofing Attack Demonstration

[Figure: spoofing attack demonstration; label: Tracking Peak]

Page 6:

Candidate Spoofing Defenses/Detection Techniques

1 Standalone Receiver-Based
• Monitor the relative GPS signal strength
• Monitor satellite identification codes and the number of satellite signals received
• Check the time intervals
• Do a time comparison (look at code phase jitter)
• Monitor the absolute GPS signal strength
• Data bit latency detection
• Vestigial signal detection
• Signal quality monitoring
• Employ two antennas; check relative phase against known satellite directions
• Extended RAIM

2 External-Aiding
• Perform a sanity check with relative position estimate (compare with IMU)
• Compare with independent absolute position or time-bearing information (e.g., Galileo and GLONASS)

3 Cryptographic
• Encrypt navigation message
• Spreading code authentication

Defenses suggested by Dept. of Homeland Security (2003) in italics

Page 7:

Data Bit Latency Detection (1/6)

Hard to retransmit data bits with < 1 ms latency

Detection Technique:
• Modify PLL to look for inconsistencies in data bits on the order of 1 ms out of 20 ms data bit interval

Spoofer could employ data bit prediction

Defense:
• External input of authenticated GPS data bits

[Figure: GPS data bit time history (Humphreys et al., 2008)]
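
An added sketch of the data bit consistency check described on this slide (not code from the presentation or the cited paper). It assumes a bit-synchronized receiver that exposes 1 ms in-phase prompt accumulations; the function names, bit pattern and amplitudes are constructed for illustration.

```python
def latency_events(prompt_i, ms_per_bit=20):
    """Per data-bit interval, count the leading 1 ms sums whose sign disagrees
    with the interval majority; return [(interval, lag_ms)] where lag_ms > 0."""
    events = []
    for n in range(len(prompt_i) // ms_per_bit):
        chunk = prompt_i[n * ms_per_bit:(n + 1) * ms_per_bit]
        majority = 1 if sum(chunk) >= 0 else -1
        lag = 0
        while lag < ms_per_bit and chunk[lag] * majority < 0:
            lag += 1
        if lag:
            events.append((n, lag))
    return events

def modulate(bits, latency_ms=0, amp=1000, ms_per_bit=20):
    """Constructed, noise-free 1 ms accumulations with the bits delayed."""
    stream = [amp * (1 if b else -1) for b in bits for _ in range(ms_per_bit)]
    return [stream[0]] * latency_ms + stream[:len(stream) - latency_ms]

BITS = [1, 0, 0, 1, 1, 1, 0, 1]          # constructed navigation data bits
CLEAN = modulate(BITS)                   # bit edges on the 20 ms boundaries
DELAYED = modulate(BITS, latency_ms=1)   # bits arrive 1 ms late
```

Every interval that follows a bit change is reported with its lag, so a run of events with the same small lag is the inconsistency the slide refers to; a noisy receiver would need a tolerance before counting a sign as wrong.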

Page 8:

Vestigial Signal Detection (2/6)

Hard to conceal telltale counterfeit peak in autocorrelation function

Detection Technique:
• Search for vestigial signals
• Monitor AGC for suspicious increases in noise level

Great for detecting ongoing attack

[Figure: Vestigial signal detection; label: Vestigial Signal (Humphreys et al., 2008)]

Page 9:

Vestigial Signal Detection Cont’d

Utilize standard techniques for GPS signal acquisition, tracking, and data decoding
• Acquisition: Standard frequency-domain and time-domain acquisition
• Tracking: Standard code (DLL) and carrier (PLL) tracking loops
• Data decoding: Standard data decoding with parity checking

Page 10:

Extended Receiver Autonomous Integrity Monitoring (RAIM) (3/6)

RAIM provides statistical method to detect signal with unacceptable pseudorange error and remove it from navigation solution

Vestigial signals could appear at an erroneous pseudorange or carrier Doppler shift frequency

Extend RAIM to include carrier Doppler shift frequency

Create single test statistic based on pseudorange and carrier Doppler shift frequency measurements

Test statistic is normalized chi-square random variable with 2*N – 8 degrees of freedom, where N is number of tracking signals

Provides statistical hypothesis test to throw out at least 1 signal

Ledvina et al., ION NTM 2010
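
An added worked example of a combined pseudorange and Doppler residual test with 2N − 8 degrees of freedom (not the authors' implementation). Assumptions: both measurement types share one linearised geometry matrix, Doppler is expressed as range rate, and the sky geometry, sigmas, residual values and the Wilson-Hilferty threshold approximation are all constructed for illustration.

```python
import math

def solve4(A, b):
    """Gauss-Jordan solve of a 4x4 system with partial pivoting."""
    M = [row[:] + [v] for row, v in zip(A, b)]
    for c in range(4):
        p = max(range(c, 4), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(4):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][4] / M[i][i] for i in range(4)]

def sse(H, z):
    """Sum of squared residuals after the least-squares fit z ~ H x."""
    HtH = [[sum(h[i] * h[j] for h in H) for j in range(4)] for i in range(4)]
    Htz = [sum(h[i] * v for h, v in zip(H, z)) for i in range(4)]
    x = solve4(HtH, Htz)
    return sum((v - sum(a * b for a, b in zip(h, x))) ** 2 for h, v in zip(H, z))

def chi2_threshold(dof, z_alpha=3.09):
    """Wilson-Hilferty chi-square quantile; z_alpha=3.09 is roughly P_fa = 1e-3."""
    t = 2.0 / (9.0 * dof)
    return dof * (1.0 - t + z_alpha * math.sqrt(t)) ** 3

def extended_raim(H, d_rho, d_dop, sig_rho=1.0, sig_dop=0.05):
    """Joint pseudorange + Doppler residual test with 2N - 8 degrees of freedom."""
    stat = sse(H, d_rho) / sig_rho ** 2 + sse(H, d_dop) / sig_dop ** 2
    thr = chi2_threshold(2 * len(H) - 8)
    return stat, thr, stat > thr

def exclude_worst(H, d_rho, d_dop):
    """Index of the signal whose removal minimises the test statistic."""
    drop = lambda v, i: v[:i] + v[i + 1:]
    return min(range(len(H)), key=lambda i: extended_raim(
        drop(H, i), drop(d_rho, i), drop(d_dop, i))[0])

def los_row(az, el):
    az, el = math.radians(az), math.radians(el)
    return [math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el), 1.0]

# Constructed sky (az, el in degrees) and measured-minus-predicted residuals.
SKY = [(0, 60), (90, 60), (180, 60), (270, 60), (45, 20), (135, 20), (225, 20), (315, 20)]
H = [los_row(a, e) for a, e in SKY]
RHO = [0.8, -1.1, 0.4, 1.3, -0.6, -0.9, 0.2, 0.5]          # metres
DOP = [0.05, -0.08, 0.02, 0.07, -0.04, 0.03, -0.06, 0.01]  # metres/second
RHO_BAD = RHO[:2] + [RHO[2] + 30.0] + RHO[3:]  # signal 2 off by 30 m ...
DOP_BAD = DOP[:2] + [DOP[2] + 0.5] + DOP[3:]   # ... and 0.5 m/s (constructed)
```

With eight signals the test has 8 degrees of freedom; `extended_raim(H, RHO_BAD, DOP_BAD)` raises the alarm and `exclude_worst` names the signal to drop from the solution.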

Page 11:

GNSS Signal Quality Monitoring (4/6)

Signal Quality Monitoring (SQM) designed to identify satellite anomalies or faults

Goal: Can we leverage SQM for spoofing detection?

Two test statistics considered
• Delta Test: Detects asymmetries in the correlation functions (assumes carrier tracking loop phase lock, Q ≈ 0)
• Ratio Test: Detects flat correlation peaks or abnormally sharp or elevated correlation peaks

Ledvina et al., ION NTM 2010

Page 12:

Testing SQM: Two Spoofing Signal Alignment Techniques

Two ways a counterfeit signal interacts with authentic signal

1. Counterfeit signal marches into code phase alignment with authentic signal

2. Counterfeit signal is code-phase aligned with authentic signals and grows in amplitude

Do not necessarily assume carrier phase alignment
• Requires cm-level knowledge of 3-D vector between spoofer and target receiver

Assume spoofer has a priori knowledge of 12.5-minute GPS navigation message
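
An added model of the Delta and Ratio tests applied to the two alignment cases above (not code from the presentation). The slide formulas are not in this transcript, so the commonly used forms (E − L)/2P and (E + L)/2P are assumed, along with an ideal triangular correlation peak, a 1-chip tracking spacing, a 0.2-chip monitor spacing and a 0.01 tolerance.

```python
import math

def tri(tau):
    """Ideal C/A-code autocorrelation (chips), infinite-bandwidth triangle."""
    return max(0.0, 1.0 - abs(tau))

def in_phase(tau, gain_db=None, offset=0.0, phase_deg=0.0):
    """Authentic peak plus an optional counterfeit peak, seen on the I arm.

    Exact only at the 0 and 180 degree carrier-phase extremes, where Q ~ 0.
    """
    if gain_db is None:
        return tri(tau)
    a = 10.0 ** (gain_db / 20.0) * math.cos(math.radians(phase_deg))
    return tri(tau) + a * tri(tau - offset)

def dll_lock(corr, spacing=1.0, gain=0.1, steps=400):
    """Early-minus-late code loop started on the authentic peak (tau = 0)."""
    tau = 0.0
    for _ in range(steps):
        tau -= gain * (corr(tau - spacing / 2) - corr(tau + spacing / 2))
    return tau

def sqm(corr, monitor_spacing=0.2):
    """Return (delta, ratio, prompt) at the DLL tracking point."""
    tau = dll_lock(corr)
    e, p, l = (corr(tau + k * monitor_spacing / 2) for k in (-1, 0, 1))
    return (e - l) / (2 * p), (e + l) / (2 * p), p

def alarms(metrics, nominal, tol=0.01):
    """Flag delta/ratio deviations from the clean-signal values."""
    return (abs(metrics[0] - nominal[0]) > tol, abs(metrics[1] - nominal[1]) > tol)

NOMINAL = sqm(in_phase)
# Case 1 (constructed): +3 dB counterfeit, in phase, 0.5 chip from alignment.
CASE1 = sqm(lambda t: in_phase(t, gain_db=3.0, offset=0.5))
# Case 2 (constructed): code-phase aligned counterfeit grown to +3 dB.
CASE2 = sqm(lambda t: in_phase(t, gain_db=3.0, offset=0.0))
```

In this model Case 1 flattens the peak (ratio 1.0 against a nominal 0.9) and skews it (non-zero delta), so both tests fire. In Case 2 the normalized metrics stay at nominal and only the prompt amplitude rises, so that case has to be caught by monitoring absolute signal strength.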

Page 13:

Case 1: Counterfeit Signal Marching In

+3 dB counterfeit signal with two extremes of carrier phase alignment

[Figure panels: Perfect carrier phase alignment; 180 degrees out of phase]

Page 14:

Multi-Antenna Differential-Carrier-Phase Spoofing (5/6)

Montgomery et al., ION ITM 2009

Page 15:

External Aiding: High-Quality Frequency Reference (6/6)

Time and Frequency Synchronization via GPS Receivers
• 70% of GPS receivers are utilized for timing applications providing time and frequency reference sources

GPS timing receivers
• Implemented with a high-quality crystal oscillator, a coupled GPS receiver, and control logic
• Control logic cross-checks with high-quality oscillator providing some protection against GPS time spoofing attacks
• Control logic implementation and oscillator quality primarily dictate rate at which time spoofing attack can be successfully carried out

[Figure: Symmetricom XL-GPS Time and Frequency Receiver]

Page 16:

Conclusions

Described six candidate spoofing detection techniques

Spoofing detection
• Simple software-based solutions provide some protection
• Multi-antenna differential carrier phase and external aiding provide more protection

Strength of each detection scheme needs to be mathematically defined and tested to understand protection level

Best Non-Cryptographic Spoofing Detection Technique
• Multi-Antenna Differential Carrier Phase Spoofing Detection Technique

Page 17:

Back-Up Slides

Page 18:

Additional Observations Relevant to Signal Quality Monitoring

Counterfeit signal +1 dB above an authentic signal can cause successful lift-off

+3 dB counterfeit signal up to 30 degrees out-of-phase causes detectable destructive interference

Time rate of attack shortens destructive interference period, and thus shortens time in which an attack can be detected

Code tracking loop bandwidth becomes important for fast attacks

Data bit latency or data bit errors cause destructive interference, thereby improving detection

Page 19:

In-Line GPS Anti-Spoofing Module Architecture – Adding Anti-Spoofing Defenses to Legacy GPS Receivers

The GPS anti-spoofing module makes existing GPS equipment resistant to spoofing without requiring hardware or software changes to the equipment

Page 20:

Case 2: Counterfeit Signal Growing in Amplitude

Maximum +3 dB counterfeit signal with two extremes of carrier phase alignment

[Figure panels: Perfect carrier phase alignment; 180 degrees out of phase]

Page 21:

Phasor Interpretation of Observations

Baseband phasors in the complex plane can explain observations