Mario Čagalj
University of Split
2013/2014.
Fundamental Vulnerabilities of GPS

Motivation
Our society depends on the efficient working of
  power generation and distribution systems
  information and communications technologies
  telecommunications
  banking systems
  transportation
These critical infrastructures are heavily and increasingly dependent upon positioning, navigation and timing (PNT) systems
PNT through GPS has become ubiquitous and essential
GPS and Galileo (in future) form the cornerstone of future PNT

Distributing synchronization in packet networks
Synchronization and precise timing in packet networks, TRANSPACKET, 2011.
http://nextgenerationoptical.com/wp-content/uploads/2012/06/white_paper_packet_Synch_100612.pdf
Primary reference source (PRC)

Motivation
Greatest positioning, navigation and timing concerns
  Crashing of telecommunications, power, and computer networks (time)
  Truck hijacking & cargo security (time & position)
  Vehicle theft (position)
  Attacks on security & industrial systems (time)
  Financial transactions (time)
  Other attacks on computers (time)
  Tampering with aviation & maritime navigation (time & position)
  General nuisance jamming
'Think GPS Offers High Security? Think Again!' Roger G. Johnston and Jon S. Warner, 2004

What happens when critical infrastructure fails?
The loss of accurate timing within broadband networks
  degraded timing performance leads to an increase in transmission errors between networks, slowing data transfer
  then, as timing synchronization breaks down altogether, failures of entire networks can occur
Study of the impact of internet outages in Switzerland
  DDoS likely to cause the following negative economic impacts
    310 million CHF for an outage of 24 hours
    5.8 billion CHF for an outage of one week
  scaling the results to several countries: a 24-hour internet outage in Denmark, France, Germany, Netherlands, Norway and UK might be as high as €3.4 billion
'eLoran', the European eLoran Forum, April 2008
http://www.cvt-dallas.org/Bregni_Nov04.pdf

What happens when critical infrastructure fails?
Accurate timing information is critical in electricity distribution networks to control the efficiency of supplies and to help diagnose faults
http://www.faqs.org/docs/electric/AC/AC_2.html
http://www.wisegeek.com/what-is-a-phasor-measurement-unit.htm
Loss of power system
  August 14, 2003: large portions of the Midwest and Northeast United States and Ontario, Canada, experienced a power blackout
  50 million people affected
  estimated cost in the US between US$4 billion and US$10 billion
'eLoran', the European eLoran Forum, April 2008

What happens when critical infrastructure fails?
Loss of a major sea port
Failure in marine navigation
  oil spills
  groundings
  collisions
'eLoran', the European eLoran Forum, April 2008

GPS Basics
Spread Spectrum Applications. by J. Meel http://sss-mag.com/pdf/Ss_jme_denayer_appl_print.pdf

Global Positioning System
Satellite-based navigation system
  developed by the U.S. Department of Defense (DoD) in early 1970s
  initially a military system, later made available to civilians
Provides continuous positioning and timing information
  it is a one-way-ranging (passive) system – users only receive
GPS system consists of three segments:
  the Space Segment
  the User Segment
  the Control Segment

GPS: Space Segment
Consists, nominally, of a constellation of 24 operational satellites
  satellites orbit at about 20,200 km above the Earth's surface
  there are 6 orbital planes with nominally 4 satellites in each
  4 to 12 usable satellites 'in view' at any time
  only 4 satellites needed to provide the location and timing information
Each satellite transmits a complex signal
  2 sine (carrier) waves
  2 digital pseudorandom (PN) codes
  a navigation message
    satellite's position, a unique satellite ID number, etc.
  transmissions are controlled by an atomic clock (very high precision)
http://accessscience.com

GPS: Control Segment
Consists of a worldwide system of tracking and monitoring stations
  Master Control Station (MCS) located in Colorado Springs
  monitor stations measure signals from the GPS satellites and relay the information they collect to the MCS
  MCS uses this data to compute precise orbital models of the GPS constellation
    satellite positions, the satellite clock parameters, atmospheric data, etc.
    this information is then formatted into updated navigation messages for each satellite
http://www.kowoma.de/en/gps/control_segment.htm

GPS: User Segment
Consists of the GPS receivers, processors and antennas that convert satellite signals into position, velocity and time estimates
  by measuring the distance to a group of satellites in space
  the user's receiver measures the time delay for the signal to reach the receiver
  by knowing the distance to four points in space, the GPS receiver is able to triangulate a three-dimensional position
Precise Positioning System (PPS)
  uses authentic, confidential P(Y) signal for authorized (military) users (a cryptographic key required)
Standard Positioning System (SPS)
  uses public free C/A signal for civilian use
P-code (precision code), C/A-code (coarse acquisition)

GPS signal structure (till 2005)
Spread spectrum modulation
As of 2005, GPS satellites transmit on two radio frequencies in the L-band (1 GHz–2 GHz)
  Link 1 (L1) and Link 2 (L2) signals
    L1: 1575.42 MHz
    L2: 1227.60 MHz
Two signals are transmitted on L1
  one for the civil users - C/A
  one for the US military users - P(Y)
The signal on L2 reserved for military
  L2 signals measure ionospheric delay
  as of 2005 more signals added
    C/A to L2 + a new military M-code
http://accessscience.com

GPS signal structure
Consists of three components:
  the radio-frequency (RF) carrier
  the ranging code C/A or P(Y)
  navigation data (NAV)
Each satellite repeats its own unique C/A code every 1 ms
http://accessscience.com

GPS signal structure
GPS signal structure for L1
Understanding GPS: Principles and Applications. edited by Elliott D. Kaplan and Christopher J. Hegarty

GPS code mixing with data
Understanding GPS: Principles and Applications. edited by Elliott D. Kaplan and Christopher J. Hegarty

GPS signal structure (till 2005)
Satellite codes
  C/A is a 1023 chips code (repeats every 1 ms), modulates L1 carrier
    there is a different C/A PN code for each satellite (satellite ID)
    code-division-multiplexing used to be able to identify each satellite's signal
    they all transmit at the same time and at the same frequency
  P-code (precise) modulates both L1 and L2 carrier
    very long (7-days period)
    in the anti-spoofing mode P-code encrypted into Y-code yielding P(Y) code
  NAV data
    50 bps signal consisting of data bits that describe the satellite system params (satellite position, timing info, satellite health status, etc.)

GPS signal structure
Power spectral densities of legacy and modern GPS signals
Figure panels: Legacy GPS signals; Modernized GPS signals
For more details please check: http://www.kemt.fei.tuke.sk/predmety/KEMT559_SK/GPS/GPS_Tutorial_2.pdf

Code Division Multiplexing
Multiplexing users by distinct (orthogonal) PN codes
  Transmitters use low correlation PN codes
  Use the same RF bandwidth
  Transmit simultaneously
http://sss-mag.com/pdf/Ss_jme_denayer_intro_print.pdf

Code Division Multiplexing
Correlation of the received baseband spread spectrum signal with PN code of user 1 only despreads the signal of user 1
  PN codes have impulse-like autocorrelation
  Low cross-correlation
http://sss-mag.com/pdf/Ss_jme_denayer_intro_print.pdf
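
Added example, not part of the original slides: the code below generates the 1023-chip C/A codes and checks the two correlation properties named above, then despreads a sum of two satellites' signals. The generator polynomials and G2 tap pairs come from the public GPS interface specification (IS-GPS-200), not from the slides; the function names and the two-satellite signal are constructed for illustration.

```python
# G2 phase-selector taps per satellite, as tabulated in the public GPS
# interface specification (IS-GPS-200); only PRN 1-3 are listed here.
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8)}

def ca_code(prn):
    """Return one period (1023 chips) of the C/A code for `prn` as 0/1 bits."""
    g1, g2 = [1] * 10, [1] * 10          # both shift registers start all-ones
    t1, t2 = G2_TAPS[prn]
    bits = []
    for _ in range(1023):
        bits.append(g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1])
        f1 = g1[2] ^ g1[9]                                   # 1 + x^3 + x^10
        f2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]   # 1+x^2+x^3+x^6+x^8+x^9+x^10
        g1, g2 = [f1] + g1[:9], [f2] + g2[:9]
    return bits

def chips(prn):
    """Map code bits to +1/-1 chip amplitudes."""
    return [1 - 2 * b for b in ca_code(prn)]

def correlations(a, b):
    """Set of circular correlation values of two chip sequences over all lags."""
    n = len(a)
    return {sum(a[i] * b[(i + lag) % n] for i in range(n)) for lag in range(n)}

def despread(rx, prn):
    """Correlate one received code period with a satellite's code."""
    return sum(r * c for r, c in zip(rx, chips(prn)))

def demo():
    c1, c2 = chips(1), chips(2)
    # Constructed baseband signal: satellite 1 sends data bit +1, satellite 2
    # sends -1, at the same time, on the same frequency, with equal power.
    rx = [a - b for a, b in zip(c1, c2)]
    return {
        "auto": correlations(c1, c1),      # one peak of 1023, small sidelobes
        "cross": correlations(c1, c2),     # never a peak
        "sat1": despread(rx, 1), "sat2": despread(rx, 2), "sat3": despread(rx, 3),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, sorted(value) if isinstance(value, set) else value)
```

The sign of each despread value is the data bit of that satellite, while the code of a satellite that is not transmitting (PRN 3 here) yields only a small residue.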

GPS Positioning
The GPS concept of operation is based on satellite ranging
  satellites are in synch and transmit ranging signals at the same time
  user's receiver measures the distance to a group of satellites in space
  receiver measures the time delay for the GPS signal to reach the receiver
  by knowing the distance to four satellites in space, the receiver is able to triangulate a three-dimensional position

Measuring the distance to a satellite
Earth-centered Earth-fixed system
  User's position unknown: vector $\mathbf{u} = (x_u, y_u, z_u)$
  Satellite's position known: $\mathbf{s} = (x_s, y_s, z_s)$
    this position present in NAV data
  The satellite-to-user vector known: $\mathbf{r} = \mathbf{s} - \mathbf{u}$
    the distance to the user $r = |\mathbf{r}| = |\mathbf{s} - \mathbf{u}|$
The distance $r$ is computed by measuring the propagation time $\Delta t$ required for a satellite ranging signal to transit from the satellite to the user receiver antenna

Propagation time ($\Delta t$) measurement
Assume for the moment that the receiver is perfectly synchronized with the satellite.

Measuring the distance to a satellite
Earth-centered Earth-fixed system
  User's position unknown: vector $\mathbf{u} = (x_u, y_u, z_u)$
  Satellite's position known: $\mathbf{s} = (x_s, y_s, z_s)$
    this position present in NAV data
  The satellite-to-user vector known: $\mathbf{r} = \mathbf{s} - \mathbf{u}$
    the distance to the user $r = |\mathbf{r}| = |\mathbf{s} - \mathbf{u}|$
The distance to satellite $r = \Delta t \cdot c$

Determining the user's position (u)
User's position unknown: vector $\mathbf{u} = (x_u, y_u, z_u)$
Assume that user receives ranging signals from 3 satellites; we know from NAVs
  $\mathbf{s}_1 = (x_1, y_1, z_1)$
  $\mathbf{s}_2 = (x_2, y_2, z_2)$
  $\mathbf{s}_3 = (x_3, y_3, z_3)$
We measure 3 satellite-to-user distances
  $r_1 = \Delta t_1 \cdot c$
  $r_2 = \Delta t_2 \cdot c$
  $r_3 = \Delta t_3 \cdot c$
Assuming perfectly synchronized satellites and user's clock, we can formulate 3 equations in 3 unknowns

Determining the user's position (u)
User's position unknown: vector $\mathbf{u} = (x_u, y_u, z_u)$
3 equations
  $(r_1)^2 = (x_1 - x_u)^2 + (y_1 - y_u)^2 + (z_1 - z_u)^2$
  $(r_2)^2 = (x_2 - x_u)^2 + (y_2 - y_u)^2 + (z_2 - z_u)^2$
  $(r_3)^2 = (x_3 - x_u)^2 + (y_3 - y_u)^2 + (z_3 - z_u)^2$
A unique solution is the user's position
In reality, satellites use high-precision atomic clocks, whereas GPS receivers have cheap clocks – time offset $t_o$

Pseudorange Positioning
The user's time offset ($t_o$) causes ranging errors
The receiver can only calculate pseudoranges $pr_i$
  imperfect receiver measures delay $r_i/c + t_o$
  from which it infers the pseudorange $pr_i = (r_i/c + t_o) \cdot c = r_i + t_o \cdot c$
3 satellites are not sufficient
  now we have 4 unknowns
  therefore, at least 4 satellites required for the user's position

Pseudorange Positioning
User's position $\mathbf{u} = (x_u, y_u, z_u)$ and time offset $t_o$ both unknown
With 4 pseudoranges to 4 different satellites we have (satellites are in synch and transmit at the same time (atomic clocks))
  $(pr_1 - t_o \cdot c)^2 = (x_1 - x_u)^2 + (y_1 - y_u)^2 + (z_1 - z_u)^2$
  $(pr_2 - t_o \cdot c)^2 = (x_2 - x_u)^2 + (y_2 - y_u)^2 + (z_2 - z_u)^2$
  $(pr_3 - t_o \cdot c)^2 = (x_3 - x_u)^2 + (y_3 - y_u)^2 + (z_3 - z_u)^2$
  $(pr_4 - t_o \cdot c)^2 = (x_4 - x_u)^2 + (y_4 - y_u)^2 + (z_4 - z_u)^2$
A unique solution is the user's position (navigation) and the correct time offset (synchronization)!

GPS Vulnerabilities

Attacking GPS
Jamming
  easy to build a noisy RF transmitter
  targets civilian (unauthenticated) GPS (C/A code)
Spoofing
  generate fake satellite signals; stealthy & surprisingly easy for even unsophisticated attackers
  targets civilian (unauthenticated) GPS (C/A code)
Meaconing (replay) attacks
  the attacker does not synthesize its transmission, but "re-uses" (replays part of) legitimate GPS transmissions
  targets both civilian and military GPS

Jamming GPS
Attacker transmits with high power in the GPS frequency band
  the interference forces receivers to "unlock", i.e. lose contact with the otherwise visible satellite signals
GPS signal strength reaching the Earth is about -160 dBW ($10^{-16}$ W)
  roughly equivalent to viewing a 25 W light bulb in Japan from Los Angeles
  this weak signal can be jammed by a signal of the same frequency, but greater strength
For example, a 1-Watt GPS-like signal can prevent C/A code acquisition to more than 35 km (or as limited by the line of sight to the horizon)!

Jamming GPS
Military GPS is "safe" from jamming
  spread-spectrum technique
  unknown (encrypted) spreading code P(Y) used to form ranging signals and spread navigation data
  processing gain approx. 50 dB
  low probability of interception – 7-days long spreading code

Jamming GPS
In 2009, engineers at an airport in New Jersey noticed sporadic interruptions of the GPS signal in the navigation system
After 2 months of investigation they discovered that the cause of the navigation system outages was a truck driver passing by the airport who had a GPS jamming device installed
© economist.com

Jamming GPS
In 2007, two US Navy ships near the port of San Diego tested the operation of communication systems under signal jamming conditions
  Among others, they also jammed GSM signals
As a consequence of the tests, certain civilian critical systems were seriously disrupted
  The air traffic control navigation system at the airport did not work
  Emergency pagers at the nearby naval medical center did not work
  Ship guidance systems in the port did not work
  The mobile network did not work
  Even some ATMs did not function
  The whole incident lasted a full 2 hours

GPS Spoofing Attacks
In this attack, an adversary replaces the true satellite signal from space with a fake signal
Spoofing is a much more elegant attack than either blocking or jamming because it is surreptitious (stealthy)
Spoofing signals can be generated by satellite simulators
  equipment which is available today
  the received power of the spoofing signal should exceed that of the legitimate signal (overshadowing)
  the receiver then operates with the forged signal as input and computes the location induced by the "spoofer"

GPS Spoofing Attacks
When attacking civilian GPS, the attacker
  can falsify the content of NAV messages (as they are not authenticated)
  can impose a wrong satellite constellation by setting fake satellite positions
  can also influence the receiver's clock (de-synchronization)
Defense measures
  authentication of NAV messages using public key cryptography (why public?)
  GALILEO will implement Navigation Message Authentication
  Unfortunately, this doesn't prevent replay attacks
$(pr_1 - t_o \cdot c)^2 = (x_1 - x_u)^2 + (y_1 - y_u)^2 + (z_1 - z_u)^2$
$(pr_2 - t_o \cdot c)^2 = (x_2 - x_u)^2 + (y_2 - y_u)^2 + (z_2 - z_u)^2$
$(pr_3 - t_o \cdot c)^2 = (x_3 - x_u)^2 + (y_3 - y_u)^2 + (z_3 - z_u)^2$
$(pr_4 - t_o \cdot c)^2 = (x_4 - x_u)^2 + (y_4 - y_u)^2 + (z_4 - z_u)^2$

GPS Replay Attacks
Implemented message authentication can guarantee the integrity of transmitted NAV data, but this alone is not sufficient
The security-critical aspect of navigation signals lies not only in the data they carry, but also in their exact relative arrival times at the receiver
The adversary can receive legitimate GPS signals, record them, and transmit them at a later point in time and at a different point in space

GPS Replay Attacks
Attacker starts recording the GPS frequency band after the beginning of the navigation message is detected
  detection of the first bit at the bitrate 50 bps takes 20 ms (T)
After that, the attacker can start replaying with any additional delay ($t_{replay}$) chosen

GPS Replay Attacks: Affecting Pseudoranges
The user's time offset ($t_o$) causes ranging errors
The receiver calculates wrong pseudoranges $pr_i$
  receiver measures delay $(r_i/c + t_o) + t_{delay}$
  from which it infers the pseudorange
  $pr_i = (r_i + t_o \cdot c) + t_{delay} \cdot c = pr_i + t_{delay} \cdot c$

GPS Replay Attacks
Through delay $t_{replay}$ the attacker "shifts" the user location
  Actually it affects the estimated pseudoranges at the receiver
  1 ns translates to 30 cm satellite-user distance offset
The attacker can have the choice of which ranging signal (from which satellite) to replay and the choice of a value $t_{replay}$ for each ranging signal
This attack affects even military GPS signals (but hard to mount)
$(pr_1 - t_o \cdot c)^2 = (x_1 - x_u)^2 + (y_1 - y_u)^2 + (z_1 - z_u)^2$
$(pr_2 - t_o \cdot c)^2 = (x_2 - x_u)^2 + (y_2 - y_u)^2 + (z_2 - z_u)^2$
$(pr_3 - t_o \cdot c)^2 = (x_3 - x_u)^2 + (y_3 - y_u)^2 + (z_3 - z_u)^2$
$(pr_4 - t_o \cdot c)^2 = (x_4 - x_u)^2 + (y_4 - y_u)^2 + (z_4 - z_u)^2$
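
Added example, not part of the original slides: the four pseudorange equations solved by Newton iteration, then re-solved with extra delay on the pseudoranges to show what the receiver computes. Satellite and receiver coordinates are constructed, satellite positions are held fixed (the static model of the equations above, not a mobile-receiver simulation), and all function names are illustrative. In this model an equal delay on all four signals leaves the position untouched and appears entirely as a jump in $t_o$, while a delay on a single signal moves the computed position.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def solve4(a, b):
    """Solve the square linear system a*x = b (Gauss-Jordan with pivoting)."""
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    n = len(m)
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def fix(sats, pr, iters=10):
    """Newton iteration on the four pseudorange equations; returns (u, t_o)."""
    x = [0.0, 0.0, 0.0, 0.0]      # xu, yu, zu, t_o*c; start at Earth's centre
    for _ in range(iters):
        jac, res = [], []
        for s, p in zip(sats, pr):
            r = math.dist(s, x[:3])
            jac.append([(x[k] - s[k]) / r for k in range(3)] + [1.0])
            res.append(p - (r + x[3]))
        x = [xi + di for xi, di in zip(x, solve4(jac, res))]
    return tuple(x[:3]), x[3] / C

# Constructed scenario (not from the slides): receiver on the Earth's surface,
# four satellites at roughly GPS orbital radius, receiver clock 100 us off.
U_TRUE, T_O = (6_371_000.0, 0.0, 0.0), 1e-4
SATS = [(26_560_000.0, 0.0, 0.0), (15_000_000.0, 21_900_000.0, 0.0),
        (15_000_000.0, -10_000_000.0, 19_500_000.0),
        (15_000_000.0, -10_000_000.0, -19_500_000.0)]
PR = [math.dist(s, U_TRUE) + T_O * C for s in SATS]

def replay_effect(delays):
    """Position shift (m) and clock-offset shift (s) caused by per-signal delays (s)."""
    u0, t0 = fix(SATS, PR)
    u1, t1 = fix(SATS, [p + d * C for p, d in zip(PR, delays)])
    return math.dist(u0, u1), t1 - t0

if __name__ == "__main__":
    print(replay_effect([20e-3] * 4))        # same delay on every signal
    print(replay_effect([0, 1e-6, 0, 0]))    # 1 us on one signal only
```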

GPS Replay Attacks: Example
Mobile receiver
Attacker adds same delay of $t_{replay}$ = 20 ms to all replayed signals
Simulation time 300 s