Mario Čagalj University of Split 2013/2014. Fundamental Vulnerabilities of GPS.


Motivation

Our society depends on the efficient working of
- power generation and distribution systems
- information and communications technologies
- telecommunications
- banking systems
- transportation

These critical infrastructures are heavily and increasingly dependent upon positioning, navigation and timing (PNT) systems
- PNT through GPS has become ubiquitous and essential
- GPS and Galileo (in future) form the cornerstone of future PNT

Distributing synchronization in packet networks

[Figure; label: Primary reference source (PRC)]

Synchronization and precise timing in packet networks, TRANSPACKET, 2011.
http://nextgenerationoptical.com/wp-content/uploads/2012/06/white_paper_packet_Synch_100612.pdf

Motivation

Greatest positioning, navigation and timing concerns
- Crashing of telecommunications, power, and computer networks (time)
- Truck hijacking & cargo security (time & position)
- Vehicle theft (position)
- Attacks on security & industrial systems (time)
- Financial transactions (time)
- Other attacks on computers (time)
- Tampering with aviation & maritime navigation (time & position)
- General nuisance jamming

'Think GPS Offers High Security? Think Again!' Roger G. Johnston and Jon S. Warner, 2004

What happens when critical infrastructure fails?

The loss of accurate timing within broadband networks
- degraded timing performance leads to an increase in transmission errors between networks, slowing data transfer
- then as timing synchronization breaks down altogether, failures of entire networks can occur

Study of the impact of internet outages in Switzerland
- DDoS likely to cause the following negative economic impacts
  - 310 million CHF for an outage of 24 hours
  - 5.8 billion CHF for an outage of one week
- scaling the results to several countries
  - 24 hours internet outage in Denmark, France, Germany, Netherlands, Norway and UK might be as high as €3.4 billion

'eLoran', the European eLoran Forum, April 2008
http://www.cvt-dallas.org/Bregni_Nov04.pdf

What happens when critical infrastructure fails?

Accurate timing information is critical in electricity distribution networks to control the efficiency of supplies and to help diagnose faults
http://www.faqs.org/docs/electric/AC/AC_2.html
http://www.wisegeek.com/what-is-a-phasor-measurement-unit.htm

Loss of power system
- August 14, 2003: large portions of the Midwest and Northeast United States and Ontario, Canada, experienced a power blackout
- 50 million people affected
- estimated cost is between US$4 billion and US$10 billion

'eLoran', the European eLoran Forum, April 2008

What happens when critical infrastructure fails?

- Loss of a major sea port
- Failure in marine navigation
  - oil spills
  - groundings
  - collisions

'eLoran', the European eLoran Forum, April 2008

GPS Basics

Spread Spectrum Applications, by J. Meel
http://sss-mag.com/pdf/Ss_jme_denayer_appl_print.pdf

Global Positioning System

Satellite-based navigation system
- developed by the U.S. Department of Defense (DoD) in early 1970s
- initially a military system, later made available to civilians

Provides continuous positioning and timing information
- it is a one-way-ranging (passive) system – users only receive

GPS system consists of three segments:
- the Space Segment
- the User Segment
- the Control Segment

GPS: Space Segment

Consists, nominally, of a constellation of 24 operational satellites
- satellites orbit at about 20,200 km above the Earth's surface
- there are 6 orbital planes with nominally 4 satellites in each
- 4 to 12 useable satellites 'in view' at any time
- only 4 satellites needed to provide the location and timing information

Each satellite transmits a complex signal
- 2 sine (carrier) waves
- 2 digital pseudorandom (PN) codes
- a navigation message
  - satellite's position, a unique satellite ID number, etc.
- transmissions are controlled by an atomic clock (very high precision)

http://accessscience.com

GPS: Control Segment

Consists of a worldwide system of tracking and monitoring stations
- Master Control Station (MCS) located in Colorado Springs
- monitor stations measure signals from the GPS satellites and relay the information they collect to the MCS
- MCS uses this data to compute precise orbital models of the GPS constellation
  - satellite positions, the satellite clock parameters, atmospheric data, etc.
- this information is then formatted into updated navigation messages for each satellite

http://www.kowoma.de/en/gps/control_segment.htm

GPS: User Segment

Consists of the GPS receivers, processors and antennas that convert satellite signals into position, velocity and time estimates
- by measuring the distance to a group of satellites in space
- the user's receiver measures the time delay for the signal to reach the receiver
- by knowing the distance to four points in space, the GPS receiver is able to triangulate a three-dimensional position

Precise Positioning System (PPS)
- uses authentic, confidential P(Y) signal for authorized (military) users (a cryptographic key required)

Standard Positioning System (SPS)
- uses public free C/A signal for civilian use

P-code (precision code), C/A-code (coarse acquisition)

GPS signal structure (till 2005)

Spread spectrum modulation

As of 2005, GPS satellites transmit on two radio frequencies in the L-band (1 GHz–2 GHz)
- Link 1 (L1) and Link 2 (L2) signals
  - L1: 1575.42 MHz
  - L2: 1227.60 MHz

Two signals are transmitted on L1
- one for the civil users - C/A
- one for the US military users - P(Y)

The signal on L2 is reserved for military
- L2 signals measure ionospheric delay
- as of 2005 more signals added
  - C/A to L2 + a new military M-code

http://accessscience.com

GPS signal structure

Consists of three components:
- the radio-frequency (RF) carrier
- the ranging code C/A or P(Y)
- navigation data (NAV)

Each satellite repeats its own unique C/A code every 1 ms

http://accessscience.com

GPS signal structure

[Figures: GPS signal structure for L1; GPS code mixing with data]

Understanding GPS: Principles and Applications, edited by Elliott D. Kaplan and Christopher J. Hegarty

GPS signal structure (till 2005)

Satellite codes
- C/A is a 1023 chips code (repeats every 1 ms), modulates L1 carrier
  - there is a different C/A PN code for each satellite (satellite ID)
  - code-division-multiplexing used to be able to identify each satellite's signal
  - they all transmit at the same time and at the same frequency
- P-code (precise) modulates both L1 and L2 carrier
  - very long (7-days period)
  - in the anti-spoofing mode P-code encrypted into Y-code yielding P(Y) code

NAV data
- 50 bps signal consisting of data bits that describe the satellite system params (satellite position, timing info, satellite health status, etc.)

GPS signal structure

Power spectral densities of legacy and modern GPS signals

[Figure panels: Legacy GPS signals; Modernized GPS signals]

For more details please check: http://www.kemt.fei.tuke.sk/predmety/KEMT559_SK/GPS/GPS_Tutorial_2.pdf

Code Division Multiplexing

Multiplexing users by distinct (orthogonal) PN codes
- Transmitters use low correlation PN codes
- Use the same RF bandwidth
- Transmit simultaneously

http://sss-mag.com/pdf/Ss_jme_denayer_intro_print.pdf

Code Division Multiplexing

Correlation of the received baseband spread spectrum signal with PN code of user 1 only despreads the signal of user 1
- PN codes have impulse-like autocorrelation
- Low crosscorrelation

http://sss-mag.com/pdf/Ss_jme_denayer_intro_print.pdf
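The correlation properties on the two Code Division Multiplexing slides, and the 1023-chip C/A code from the signal-structure slides, can be checked directly. The following is an added example, not part of the original slides: it generates the C/A codes for two satellites and despreads a sum of both signals. The register feedback taps and the PRN 1 and PRN 2 tap pairs are assumptions taken from the public GPS interface specification, not from this page.

```python
# Phase-select taps of the G2 register for PRN 1 and PRN 2
# (assumption: values from the public GPS interface specification).
G2_TAPS = {1: (2, 6), 2: (3, 7)}

def ca_code(prn):
    """Generate one 1023-chip period of a satellite's C/A code (chips as 0/1)."""
    t1, t2 = G2_TAPS[prn]
    g1, g2 = [1] * 10, [1] * 10  # both 10-stage shift registers start at all ones
    chips = []
    for _ in range(1023):
        chips.append(g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1])
        f1 = g1[2] ^ g1[9]                                  # G1: 1 + x^3 + x^10
        f2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]  # G2: 1+x^2+x^3+x^6+x^8+x^9+x^10
        g1, g2 = [f1] + g1[:9], [f2] + g2[:9]
    return chips

def bipolar(chips):
    """Map chips 0/1 to +1/-1 so that correlation is a plain dot product."""
    return [1 - 2 * c for c in chips]

def circular_correlation(a, b):
    """Correlation of a with every cyclic shift of b (one value per lag)."""
    n = len(a)
    return [sum(a[i] * b[(i + lag) % n] for i in range(n)) for lag in range(n)]

def despread(rx, prn):
    """Correlate one code period of received samples with one satellite's code."""
    return sum(r * c for r, c in zip(rx, bipolar(ca_code(prn))))

def two_satellite_demo():
    """Both satellites transmit at once on the same frequency (constructed signal)."""
    c1, c2 = bipolar(ca_code(1)), bipolar(ca_code(2))
    rx = [a - b for a, b in zip(c1, c2)]  # satellite 1 sends data +1, satellite 2 sends -1
    return despread(rx, 1), despread(rx, 2)

if __name__ == "__main__":
    c1, c2 = bipolar(ca_code(1)), bipolar(ca_code(2))
    print("autocorrelation values:", sorted(set(circular_correlation(c1, c1))))
    print("crosscorrelation values:", sorted(set(circular_correlation(c1, c2))))
    print("despread outputs:", two_satellite_demo())
```

Because these codes are public and fixed per satellite, any transmitter can produce a signal that despreads correctly, which is why the later slides describe the C/A signal as unauthenticated.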

GPS Positioning

The GPS concept of operation is based on satellite ranging
- satellites are in synch and transmit ranging signals at the same time
- user's receiver measures the distance to a group of satellites in space
- receiver measures the time delay for the GPS signal to reach the receiver
- by knowing the distance to four satellites in space, the receiver is able to triangulate a three-dimensional position

Measuring the distance to a satellite

Earth-centered Earth-fixed system
- User's position unknown: vector $\mathbf{u} = (x_u, y_u, z_u)$
- Satellite's position known: $\mathbf{s} = (x_s, y_s, z_s)$
  - this position present in NAV data
- The satellite-to-user vector known: $\mathbf{r} = \mathbf{s} - \mathbf{u}$
  - the distance to the user $r = |\mathbf{r}| = |\mathbf{s} - \mathbf{u}|$

The distance $r$ is computed by measuring the propagation time $\Delta t$ required for a satellite ranging signal to transit from the satellite to the user receiver antenna

Propagation time ($\Delta t$) measurement

Assume for the moment that the receiver is perfectly synchronized with the satellite.

Measuring the distance to a satellite

Earth-centered Earth-fixed system
- User's position unknown: vector $\mathbf{u} = (x_u, y_u, z_u)$
- Satellite's position known: $\mathbf{s} = (x_s, y_s, z_s)$
  - this position present in NAV data
- The satellite-to-user vector known: $\mathbf{r} = \mathbf{s} - \mathbf{u}$
  - the distance to the user $r = |\mathbf{r}| = |\mathbf{s} - \mathbf{u}|$

The distance to satellite: $r = \Delta t \times c$

Determining the user's position (u)

User's position unknown: vector $\mathbf{u} = (x_u, y_u, z_u)$

Assume that user receives ranging signals from 3 satellites; we know from NAV
- $\mathbf{s}_1 = (x_1, y_1, z_1)$
- $\mathbf{s}_2 = (x_2, y_2, z_2)$
- $\mathbf{s}_3 = (x_3, y_3, z_3)$

We measure 3 satellite-to-user distances
- $r_1 = \Delta t_1 \times c$
- $r_2 = \Delta t_2 \times c$
- $r_3 = \Delta t_3 \times c$

Assuming perfectly synchronized satellites and user's clock, we can formulate 3 equations in 3 unknowns

Determining the user's position (u)

User's position unknown: vector $\mathbf{u} = (x_u, y_u, z_u)$

3 equations

$(r_1)^2 = (x_1 - x_u)^2 + (y_1 - y_u)^2 + (z_1 - z_u)^2$

$(r_2)^2 = (x_2 - x_u)^2 + (y_2 - y_u)^2 + (z_2 - z_u)^2$

$(r_3)^2 = (x_3 - x_u)^2 + (y_3 - y_u)^2 + (z_3 - z_u)^2$

A unique solution is the user's position

In reality, satellites use high precision atomic clocks, whereas GPS receivers have cheap clocks – time offset $t_o$

Pseudorange Positioning

The user's time offset ($t_o$) causes ranging errors

The receiver can only calculate pseudoranges $pr_i$
- imperfect receiver measures delay $r_i / c + t_o$
- from which it infers the pseudorange $pr_i = (r_i / c + t_o) \times c = r_i + t_o \times c$

3 satellites are not sufficient
- now we have 4 unknowns
- therefore, at least 4 satellites required for the user's position

[Figure; label: pseudorange pr]

Pseudorange Positioning

User's position $\mathbf{u} = (x_u, y_u, z_u)$ and time offset $t_o$ both unknown

With 4 pseudoranges to 4 different satellites we have (satellites are in synch and transmit at the same time (atomic clocks))

$(pr_1 - t_o \times c)^2 = (x_1 - x_u)^2 + (y_1 - y_u)^2 + (z_1 - z_u)^2$

$(pr_2 - t_o \times c)^2 = (x_2 - x_u)^2 + (y_2 - y_u)^2 + (z_2 - z_u)^2$

$(pr_3 - t_o \times c)^2 = (x_3 - x_u)^2 + (y_3 - y_u)^2 + (z_3 - z_u)^2$

$(pr_4 - t_o \times c)^2 = (x_4 - x_u)^2 + (y_4 - y_u)^2 + (z_4 - z_u)^2$

A unique solution is the user's position (navigation) and the correct time offset (synchronization)!


GPS Vulnerabilities

Attacking GPS

Jamming
- easy to build a noisy RF transmitter
- targets civilian (unauthenticated) GPS (C/A code)

Spoofing
- generate fake satellite signals; stealthy & surprisingly easy for even unsophisticated attackers
- targets civilian (unauthenticated) GPS (C/A code)

Meaconing (replay) attacks
- the attacker does not synthesize its transmission, but "re-uses" (replays part of) legitimate GPS transmissions
- targets both civilian and military GPS

Jamming GPS

Attacker transmits with high power in the GPS frequency band
- the interference forces receivers to "unlock", i.e. lose contact with the otherwise visible satellite signals

GPS signal strength reaching the Earth is about -160 dBW ($10^{-16}$ W)
- roughly equivalent to viewing a 25 W light bulb in Japan from Los Angeles
- this weak signal can be jammed by a signal of the same frequency, but greater strength

For example, a 1-Watt GPS-like signal can prevent C/A code acquisition to more than 35 km (or as limited by the line of sight to the horizon)!

Jamming GPS

Military GPS is "safe" from jamming
- spread-spectrum technique
- unknown (encrypted) spreading code P(Y) used to form ranging signals and spread navigation data
- processing gain approx. 50 dB
- low probability of interception – 7-days long spreading code

Jamming GPS

- In 2009, engineers at an airport in New Jersey noticed sporadic interruptions of the GPS signal in the navigation system
- After 2 months of investigation they discovered that the cause of the navigation system outages was a truck driver who passed by the airport with a GPS jamming device installed in his vehicle

© economist.com

Jamming GPS

In 2007, two US Navy ships near the port of San Diego tested the operation of communication systems under signal jamming conditions
- Among others, they also jammed GSM signals

As a consequence of the tests, certain civilian critical systems were seriously disrupted
- The air traffic control navigation system at the airport did not work
- In a nearby naval medical center, emergency pagers did not work
- Ship guidance systems in the port did not work
- The mobile network did not work
- Even some ATMs did not function
- The whole incident lasted a full 2 hours


GPS Spoofing Attacks

In this attack, an adversary replaces the true satellite signal from space with a fake signal

Spoofing is a much more elegant attack than either blocking or jamming because it is surreptitious (stealthy)

Spoofing signals can be generated by satellite simulators
- equipment which is available today
- the received power of the spoofing signal should exceed that of the legitimate signal (overshadowing)
- the receiver then operates with the forged signal as input and computes the location induced by the "spoofer"

GPS Spoofing Attacks

When attacking civilian GPS, the attacker can falsify the content of NAV messages (as they are not authenticated)
- can impose a wrong satellite constellation by setting fake satellite positions
- can also influence the receiver's clock (de-synchronization)

Defense measures
- authentication of NAV messages using public key cryptography (why public?)
- GALILEO will implement Navigation Message Authentication
- Unfortunately, this doesn't prevent replay attacks

$(pr_1 - t_o \times c)^2 = (x_1 - x_u)^2 + (y_1 - y_u)^2 + (z_1 - z_u)^2$

$(pr_2 - t_o \times c)^2 = (x_2 - x_u)^2 + (y_2 - y_u)^2 + (z_2 - z_u)^2$

$(pr_3 - t_o \times c)^2 = (x_3 - x_u)^2 + (y_3 - y_u)^2 + (z_3 - z_u)^2$

$(pr_4 - t_o \times c)^2 = (x_4 - x_u)^2 + (y_4 - y_u)^2 + (z_4 - z_u)^2$

GPS Replay Attacks

Implemented message authentication can guarantee the integrity of transmitted NAV data, but this alone is not sufficient

The security-critical aspect of navigation signals lies not only in the data they carry, but also in their exact relative arrival times at the receiver

The adversary can receive legitimate GPS signals, record them, and transmit them at a later point in time and at a different point in space

GPS Replay Attacks

Attacker starts recording the GPS frequency band after the beginning of the navigation message is detected
- detection of the first bit at the bitrate 50 bps takes 20 ms ($T$)

After that can start replaying with any additional delay ($t_{replay}$) chosen

GPS Replay Attacks: Affecting Pseudoranges

The user's time offset ($t_o$) causes ranging errors

The receiver calculates wrong pseudoranges $pr_i$
- receiver measures delay $(r_i / c + t_o) + t_{delay}$
- from which it infers the pseudorange

$pr_i = (r_i + t_o \times c) + t_{delay} \times c = pr_i + t_{delay} \times c$

(the $pr_i$ on the left is the wrong pseudorange the receiver infers; the $pr_i$ on the right is the pseudorange without the replay delay)

[Figure; label: pseudorange]

GPS Replay Attacks

Through delay $t_{replay}$ the attacker "shifts" the user location
- Actually it affects the estimated pseudoranges at the receiver
- 1 ns translates to 30 cm satellite-user distance offset

The attacker can have the choice of which ranging signal (from which satellite) to replay and the choice of a value $t_{replay}$ for each ranging signal

This attack affects even military GPS signals (but hard to mount)

$(pr_1 - t_o \times c)^2 = (x_1 - x_u)^2 + (y_1 - y_u)^2 + (z_1 - z_u)^2$

$(pr_2 - t_o \times c)^2 = (x_2 - x_u)^2 + (y_2 - y_u)^2 + (z_2 - z_u)^2$

$(pr_3 - t_o \times c)^2 = (x_3 - x_u)^2 + (y_3 - y_u)^2 + (z_3 - z_u)^2$

$(pr_4 - t_o \times c)^2 = (x_4 - x_u)^2 + (y_4 - y_u)^2 + (z_4 - z_u)^2$

GPS Replay Attacks: Example

- Mobile receiver
- Attacker adds same delay of $t_{replay}$ = 20 ms to all replayed signals
- Simulation time 300 s
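The four pseudorange equations and the replay-delay term from the slides above can be carried through numerically. The following is an added example, not part of the original slides or the simulation they mention: it solves the four equations by Newton iteration and compares the fix with and without added delays. The satellite coordinates, receiver position and clock offset are constructed values, and the model is the idealized one of the slides (no noise, no atmosphere, static geometry).

```python
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed ECEF positions in metres at roughly GPS orbital radius (not real ephemeris).
SATS = [(26_560_000.0, 0.0, 0.0),
        (18_780_000.0, 18_780_000.0, 0.0),
        (18_780_000.0, -9_390_000.0, 16_264_000.0),
        (18_780_000.0, -9_390_000.0, -16_264_000.0)]
USER = (6_371_000.0, 0.0, 0.0)  # constructed true receiver position u
T_O = 1e-3                      # constructed receiver clock offset t_o in seconds

def solve_linear(a, b):
    """Gaussian elimination with partial pivoting for a small square system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (m[i][n] - sum(m[i][k] * x[k] for k in range(i + 1, n))) / m[i][i]
    return x

def pseudoranges(delays=(0.0, 0.0, 0.0, 0.0)):
    """pr_i = r_i + t_o*c, plus t_delay*c for each replayed signal."""
    return [math.dist(s, USER) + (T_O + d) * C for s, d in zip(SATS, delays)]

def solve_fix(pr, iters=10):
    """Newton iteration on the four pseudorange equations; returns (x_u, y_u, z_u, t_o)."""
    x, y, z, b = 0.0, 0.0, 0.0, 0.0  # start at the Earth's centre; b = t_o*c in metres
    for _ in range(iters):
        jac, res = [], []
        for (sx, sy, sz), p in zip(SATS, pr):
            r = math.dist((sx, sy, sz), (x, y, z))
            jac.append([(x - sx) / r, (y - sy) / r, (z - sz) / r, 1.0])
            res.append(p - (r + b))
        dx, dy, dz, db = solve_linear(jac, res)
        x, y, z, b = x + dx, y + dy, z + dz, b + db
    return x, y, z, b / C

def replay_effect(delays):
    """Return (position shift in m, shift of the estimated t_o in s) caused by the delays."""
    clean = solve_fix(pseudoranges())
    fix = solve_fix(pseudoranges(delays))
    return math.dist(fix[:3], clean[:3]), fix[3] - clean[3]

if __name__ == "__main__":
    print(replay_effect((0.020,) * 4))          # same 20 ms on all four signals
    print(replay_effect((1e-6, 0.0, 0.0, 0.0)))  # 1 microsecond on one signal only
```

In this static model a delay common to all four signals is absorbed entirely by the estimated time offset, so it appears as a 20 ms step in the receiver's clock estimate, while a delay on a single signal moves the computed position by hundreds of metres.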