Techniques for Spoofing and for Spoofing Mitigation - SIGNAV

Transcription

Mark L. Psiaki
Sibley School of Mechanical & Aerospace Engineering,
Cornell University, Ithaca, NY, USA
ENAC/SIGNAV Nav. & Timing Symposium, 17 Nov. 2015
The Problem: Surreptitious Receiver Channel Capture & Consistent Drag-Off
[Figure: a spoofer with known geometry relative to the victim captures the receiver's tracking channels and drags them off the true signal]
ENAC/SIGNAV Nov. ‘15
2 of 30
The Problem: Spoofer Field Tests & Alleged "In-the-Wild" Spy Drone Capture
- "Drone Hack: Spoofing Attack Demonstration on a Civilian Unmanned Aerial Vehicle" (GPS World, 1 Aug. 2012)
- "Exclusive: Iran hijacked US drone, says Iranian engineer" (CS Monitor, 15 Dec. 2011)
- "GPS Spoofing Experiment Knocks Ship off Course: University of Texas at Austin team repeats spoofing demonstration with a superyacht" (Inside GNSS, 31 July 2013)

Presentation Outline
I. Potential spoofing attack strategies
II. Effective spoofing detection methods
III. Ranking of attack & detection "costs" and identification of appropriate detection methods for given attack strategies
IV. Re-acquisition of true signals & navigation capability after attack detection
V. Recommendations for COTS GNSS receiver spoofing defenses

Open-Loop Signal Simulator Attack
- Initially jam the receiver to unlock its tracking loops from the true signals
- Generate consistent spoofer signals using a GNSS signal simulator & broadcast overpowered versions
[Figure: jammer signal and spoofer signal directed at the victim receiver]

Receiver/Spoofer with Known Geometry Relative to Victim (as already shown)
[Figure: receiver tracking points on the total signal as the spoofer signal (geometry known) pulls them away from the true signal; completed drag-off]

Meaconing Attack
[Figure: GNSS satellites ..., j-1, j, j+1, ... received by the meacon's small phased array of GPS receiver antennas; a meacon (i.e., replay-with-delay) signal processor with independently steerable channel reception gain patterns, replay delays, & replay gains; the meacon/spoofer signal has correct versions of all encryptions]

True-Signal Nulling Attack
[Figure: receiver tracking points on the total signal; a nulling signal cancels the true signal while the spoofer signal (geometry known) completes the drag-off]

Multi-Transmitter Attack
[Figure: GNSS satellites ..., j-1, j, j+1, ... each re-broadcast by a single-channel receiver/spoofer (possibly carried on air vehicles), giving spoofed signals of individual satellites with realistic direction-of-arrival diversity]

Received Power Monitoring (RPM)
Jump in [I;Q] Accumulation Phasor
[Figure: 3-D plot of in-phase and quadrature accumulations vs. time (about 193.5-196.5 s); annotation: sudden [I;Q] jump at onset of spoofing attack]

Sudden Jump in Doppler Rate of Change
[Figure: Doppler shift (Hz, about 2120-2260) vs. time (0-500 s); annotations: onset of spoofing attack; onset of drag-off (sudden 0.02 g increment in carrier acceleration/Doppler rate)]

Distortion of Complex Correlations
[Figure, left: correlation magnitude vs. code offset (chips, -2 to 2), non-spoofed vs. spoofed drag-off; annotation: no apparent spoofed distortion in correlation magnitude vs. code offset]
[Figure, right: in-phase accumulation vs. quadrature accumulation vs. code offset; annotation: telltale spoofer/true-signal interaction distortion: the complex autocorrelation is non-planar]

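The non-planarity test behind the "telltale spoofer/true-signal interaction distortion", as an added Python example that is not part of the slides: a single signal gives correlator outputs R(tau) = A*exp(j*phi)*Lambda(tau) that all share one carrier phase, so the (tau, I, Q) curve lies in a plane; a second copy of the same code at a different carrier phase leaves quadrature energy that varies with code offset. The simulation itself (a 100-chip random code, the 0.5-chip/90-degree spoofer replica, the noise level and the 0.01 energy-fraction threshold) is my constructed assumption, not data from the presentation.

```python
import cmath
import math
import random

# Constructed parameters: a short random +/-1 spreading code stands in for a real
# PRN code (C/A codes are 1023 chips); 10 samples per chip gives 0.1-chip offsets.
CODE_CHIPS = 100
SAMPLES_PER_CHIP = 10
N_SAMPLES = CODE_CHIPS * SAMPLES_PER_CHIP


def make_code(seed):
    """Constructed +/-1 spreading code (stand-in for a real PRN sequence)."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(CODE_CHIPS)]


def code_samples(code, offset_chips):
    """One period of the code sampled at SAMPLES_PER_CHIP, delayed by offset_chips."""
    shift = int(round(offset_chips * SAMPLES_PER_CHIP))
    return [code[((i - shift) // SAMPLES_PER_CHIP) % CODE_CHIPS] for i in range(N_SAMPLES)]


def received(code, signals, noise_sigma, seed):
    """Complex baseband samples: sum of (amplitude, code offset, carrier phase)
    replicas of the same code, plus white Gaussian noise."""
    rng = random.Random(seed)
    r = [0j] * N_SAMPLES
    for amp, offset, phase in signals:
        rot = amp * cmath.exp(1j * phase)
        for i, c in enumerate(code_samples(code, offset)):
            r[i] += rot * c
    return [z + complex(rng.gauss(0.0, noise_sigma), rng.gauss(0.0, noise_sigma)) for z in r]


def complex_correlation(r, code, offsets):
    """Complex correlator outputs (I + jQ accumulations) at each code offset in chips."""
    out = []
    for tau in offsets:
        cs = code_samples(code, tau)
        out.append(sum(z * c for z, c in zip(r, cs)) / N_SAMPLES)
    return out


def nonplanarity(corr):
    """Fraction of correlation energy that cannot be rotated onto the peak's phase.

    One signal: every offset shares the phase of the peak, so after rotating by
    minus that phase the quadrature part is noise only. Two overlapping copies
    with different carrier phases leave quadrature energy that depends on tau."""
    peak = max(corr, key=abs)
    rot = cmath.exp(-1j * cmath.phase(peak))
    quad = sum((z * rot).imag ** 2 for z in corr)
    total = sum(abs(z) ** 2 for z in corr)
    return quad / total


def distortion_detected(corr, threshold=0.01):
    """Alarm when the off-plane energy fraction exceeds a constructed threshold."""
    return nonplanarity(corr) > threshold


def scenario(spoofed):
    """Authentic signal alone, or authentic plus an overpowered spoofer replica
    0.5 chip away with a 90-degree carrier phase difference (constructed)."""
    code = make_code(seed=7)
    signals = [(1.0, 0.0, 0.3)]
    if spoofed:
        signals.append((1.2, 0.5, 0.3 + math.pi / 2))
    r = received(code, signals, noise_sigma=0.1, seed=11)
    offsets = [round(-2.0 + 0.1 * k, 1) for k in range(41)]
    return complex_correlation(r, code, offsets)


if __name__ == "__main__":
    for label, spoofed in (("non-spoofed", False), ("spoofed drag-off", True)):
        corr = scenario(spoofed)
        print(f"{label}: non-planarity {nonplanarity(corr):.4f}, "
              f"detected={distortion_detected(corr)}")
```

The statistic needs the complex (I, Q) accumulations at several code offsets, not just their magnitudes; a spoofer that matches the true carrier phase exactly at onset looks planar until the drag-off opens a phase difference, which is why the slides pair this monitor with power and drift monitors.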
Encryption-Based Defenses
- Symmetric key encryption, e.g., GPS P(Y) & M codes
- Cross-correlation of unknown symmetric key codes between a secured reference receiver & a potential victim
- Navigation Message Authentication (NMA): digitally signed unpredictable navigation bits
- Spread Spectrum Security Code (SSSC): short encrypted segments received, stored, & checked against a digitally signed key that is broadcast later

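The receive-store-check flow of the SSSC bullet, as an added Python example that is not part of the slides. It models the "digitally signed key that is broadcast later" with a one-way hash chain whose root K_0 the receiver already trusts (a TESLA-style delayed-key construction; that choice, the chain length, the 64-chip segments, the 2-interval disclosure delay and the 0.5 correlation threshold are my assumptions, not details given on the slide). A spoofer that has to emit the segment before the key is public can only guess its chips; a spoofer that waits for the key is caught by the receipt-time check, which is the timing constraint clock-drift monitoring is meant to protect.

```python
import hashlib
import hmac

# Constructed toy parameters. In a real SSSC design the chips are spread into the
# ranging signal and the receiver stores correlator samples rather than bits.
CHAIN_LEN = 8          # intervals covered by the key chain
SEGMENT_CHIPS = 64     # unpredictable chips per SSSC segment
DISCLOSURE_DELAY = 2   # key for interval i is broadcast in interval i + 2


def h(data):
    return hashlib.sha256(data).digest()


def build_chain(seed):
    """System side: K_N is random, K_i = H(K_{i+1}); K_0 is the root commitment that
    stands in here for the digitally signed key the receiver trusts a priori."""
    keys = [b""] * (CHAIN_LEN + 1)
    keys[CHAIN_LEN] = h(b"chain-seed:" + seed)
    for i in range(CHAIN_LEN - 1, -1, -1):
        keys[i] = h(keys[i + 1])
    return keys


def segment_chips(key, interval):
    """+/-1 chips of the segment sent in `interval`; unpredictable without `key`."""
    mac = hmac.new(key, interval.to_bytes(4, "big"), hashlib.sha256).digest()
    bits = int.from_bytes(mac, "big")
    return [1 if (bits >> b) & 1 else -1 for b in range(SEGMENT_CHIPS)]


class SsscReceiver:
    """Store the raw segment, wait for the delayed key, check the key against the
    trusted chain and the receipt time, then correlate."""

    def __init__(self, root_key):
        self.trusted = {0: root_key}   # interval -> verified key
        self.stored = {}               # interval -> (received chips, receipt time)

    def store_segment(self, interval, chips, receipt_time):
        self.stored[interval] = (list(chips), receipt_time)

    def verify_key(self, interval, key):
        """Hash the disclosed key forward until it reaches an already trusted key."""
        k, j = key, interval
        while j not in self.trusted:
            k, j = h(k), j - 1
        if hmac.compare_digest(k, self.trusted[j]):
            self.trusted[interval] = key
            return True
        return False

    def check_segment(self, interval, disclosed_key, disclosure_time, threshold=0.5):
        """'authentic' / 'spoofed' / 'reject' for the stored segment of `interval`."""
        chips, receipt_time = self.stored[interval]
        if not self.verify_key(interval, disclosed_key):
            return "reject"            # key is not on the trusted chain
        if receipt_time >= disclosure_time:
            return "reject"            # arrived after the key was public: replayable
        expected = segment_chips(disclosed_key, interval)
        corr = sum(a * b for a, b in zip(chips, expected)) / SEGMENT_CHIPS
        return "authentic" if corr > threshold else "spoofed"


def scenario(kind, interval=3):
    """Constructed cases: 'authentic' (true chips with ~14% chip errors), 'spoofed'
    (spoofer guesses chips it cannot know yet), 'replay' (true chips replayed after
    key disclosure), 'forged_key' (a key that is not on the chain)."""
    keys = build_chain(b"toy")
    rx = SsscReceiver(keys[0])
    true_chips = segment_chips(keys[interval], interval)
    disclosure_time = interval + DISCLOSURE_DELAY
    if kind == "authentic":
        noisy = [-c if i % 7 == 0 else c for i, c in enumerate(true_chips)]
        rx.store_segment(interval, noisy, receipt_time=interval + 0.1)
        return rx.check_segment(interval, keys[interval], disclosure_time)
    if kind == "spoofed":
        guess = segment_chips(h(b"spoofer-guess"), interval)
        rx.store_segment(interval, guess, receipt_time=interval + 0.1)
        return rx.check_segment(interval, keys[interval], disclosure_time)
    if kind == "replay":
        rx.store_segment(interval, true_chips, receipt_time=disclosure_time + 0.5)
        return rx.check_segment(interval, keys[interval], disclosure_time)
    if kind == "forged_key":
        rx.store_segment(interval, true_chips, receipt_time=interval + 0.1)
        return rx.check_segment(interval, h(b"not-on-chain"), disclosure_time)
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("authentic", "spoofed", "replay", "forged_key"):
        print(f"{kind}: {scenario(kind)}")
```

The receipt-time test only works if the receiver's own clock cannot be pushed forward past the disclosure time by the attacker, which is exactly what the later "clock drift monitoring constrains initial spoofed signal delays" point addresses.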
Spoofing Detection via Inter-Receiver Correlation of Unknown P(Y) Code
[Figure: a secure antenna/receiver (or a single antenna, or a distributed set of single antennas) with processing to estimate P(Y) features; secure uplink of delayed, digitally-signed P(Y) features to a GEO "bent-pipe" transceiver, or a transmitter of delayed, digitally-signed P(Y) features, which broadcasts segments of those features; the user equipment (UE) has a receiver for the delayed, digitally-signed P(Y) features and delayed processing to detect spoofing via P(Y) feature correlation]

Semi-Codeless Spoofing Detection using Unknown P(Y) Code Receiver Cross-Correlation
[Figure: gamma detection statistic vs. Receiver A time (0-250 s), with the predicted gamma mean, spoofing detection threshold, a priori predicted gamma mean, & a priori spoofing detection threshold; annotations: onset of spoofing attack; build-up of significant spoofed C/A code-phase error; successful detection of spoofing when the dashed green threshold crosses above the solid blue detection statistic]

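The gamma statistic of the two slides above, as an added Python example that is not part of the presentation: receiver A (the secured reference) and receiver B (the potential victim) each form noisy per-chip estimates of the P(Y) code without knowing it, and their cross-correlation over a common interval has a predictable mean only if both are seeing the true signal. The chip count, per-chip SNR, amplitudes and the "five sigma below the predicted mean" threshold are my constructed assumptions; the real detector works on semi-codeless correlator outputs rather than individual chips.

```python
import math
import random

# Constructed parameters: about 2 ms of P(Y) at 10.23 Mcps, observed at the low
# per-chip SNR semi-codeless processing gives.
CHIPS = 20000
NOISE_SIGMA = 3.0   # per-chip noise std on the chip estimates
AMP = 1.0           # per-chip amplitude of the true signal at either receiver


def secret_chips(seed):
    """The unknown encrypted +/-1 code. Neither receiver nor the spoofer knows it;
    it is generated here only to synthesise observations."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(CHIPS)]


def observe(chips, amplitude, sigma, seed):
    """Noisy per-chip estimates a receiver forms without knowing the key."""
    rng = random.Random(seed)
    return [amplitude * c + rng.gauss(0.0, sigma) for c in chips]


def gamma_statistic(y_a, y_b):
    """Cross-correlation of the two receivers' chip estimates over the same interval."""
    return sum(a * b for a, b in zip(y_a, y_b))


def predicted_mean(amp_a=AMP, amp_b=AMP, n=CHIPS):
    """Expected gamma when both receivers track the true P(Y) signal."""
    return amp_a * amp_b * n


def authentic_sigma(amp_a=AMP, amp_b=AMP, sigma_a=NOISE_SIGMA, sigma_b=NOISE_SIGMA, n=CHIPS):
    """Std of gamma under the authentic hypothesis: each product (a p + n_a)(b p + n_b)
    has variance a^2 s_b^2 + b^2 s_a^2 + s_a^2 s_b^2, summed over n chips."""
    return math.sqrt(n * (amp_a ** 2 * sigma_b ** 2 + amp_b ** 2 * sigma_a ** 2
                          + sigma_a ** 2 * sigma_b ** 2))


def spoofing_threshold(k=5.0):
    """Alarm when gamma drops this far below its predicted mean; k sets the
    false-alarm rate under the authentic hypothesis (k=5 is roughly 3e-7)."""
    return predicted_mean() - k * authentic_sigma()


def is_spoofed(y_a, y_b):
    return gamma_statistic(y_a, y_b) < spoofing_threshold()


def scenario(spoofed):
    """Receiver A is the secured reference; receiver B is the potential victim."""
    true_py = secret_chips(seed=1)
    y_a = observe(true_py, AMP, NOISE_SIGMA, seed=2)
    if spoofed:
        # The spoofer cannot reproduce P(Y): whatever occupies B's P(Y) chip
        # positions is uncorrelated with the true code (modelled as random chips).
        y_b = observe(secret_chips(seed=99), AMP, NOISE_SIGMA, seed=3)
    else:
        y_b = observe(true_py, AMP, NOISE_SIGMA, seed=3)
    return y_a, y_b


if __name__ == "__main__":
    for spoofed in (False, True):
        y_a, y_b = scenario(spoofed)
        print(f"spoofed={spoofed}: gamma={gamma_statistic(y_a, y_b):.0f}, "
              f"mean={predicted_mean():.0f}, threshold={spoofing_threshold():.0f}, "
              f"alarm={is_spoofed(y_a, y_b)}")
```

In the slide's plot the statistic collapses once the spoofer has dragged the victim's C/A code phase away, because receiver B's P(Y) chip window then no longer lines up with the true signal; the threshold logic is the same, with the predicted mean and its sigma taken from the tracked signal powers rather than fixed constants.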
Drift-Based Defenses
- Monitor drift of the computed receiver clock offset & compare it with the known oscillator stability
- Monitor nav. solution motion using an inertial measurement unit
- Declare a spoofing alert if either the clock drift or the nav. solution acceleration is physically unreasonable based on a priori knowledge or independent sensor data

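The clock-drift monitor of the first and third bullets, as an added Python example that is not part of the slides, written as the hypothesis test the closing recommendations ask for: H0 is "the receiver's own oscillator explains the clock-offset series", the statistic is the change in least-squares frequency offset between adjacent windows, and the threshold comes from the oscillator's stability plus the clock-solution noise. The oscillator model (random-walk frequency with SIGMA_Y per second), SIGMA_M, the 30-sample window, the 1e-6 false-alarm probability and the spoofer ramp are my constructed assumptions; a real implementation would take them from the oscillator's Allan deviation and the navigation filter's covariance.

```python
import math
import random
from statistics import NormalDist

# Constructed oscillator/measurement model (see lead-in).
DT = 1.0            # s between clock-offset solutions
SIGMA_M = 3e-9      # s, white noise on each clock-offset solution
SIGMA_Y = 1e-9      # fractional-frequency random-walk step per second (TCXO-class)
WINDOW = 30         # samples per drift-estimation window


def ls_slope(samples, dt=DT):
    """Least-squares slope of evenly spaced samples: here the fractional frequency
    offset of the receiver clock over the window."""
    n = len(samples)
    t_mean = (n - 1) / 2.0
    x_mean = sum(samples) / n
    num = sum((i - t_mean) * (x - x_mean) for i, x in enumerate(samples))
    den = sum((i - t_mean) ** 2 for i in range(n))
    return num / den / dt


def drift_change_sigma(w=WINDOW):
    """Std of the frequency change between adjacent windows for an honest clock.
    Slope-estimate noise: var 12*SIGMA_M^2/(w^3-w) per window, two windows.
    Oscillator: the LS slope of a doubly integrated random walk is a parabolically
    weighted mean of the frequency, and the difference of two adjacent such means
    has variance (26/35)*SIGMA_Y^2*w (continuous-time approximation)."""
    slope_noise = SIGMA_M * math.sqrt(12.0 / (w ** 3 - w)) / DT
    return math.sqrt(2 * slope_noise ** 2 + (26.0 / 35.0) * (SIGMA_Y ** 2) * w)


def drift_alarm(clock_offsets, w=WINDOW, p_fa=1e-6):
    """Two-sided test against H0 = honest oscillator. Returns (index, statistic,
    threshold) at the first window pair whose frequency change is physically
    unreasonable, or None if the series stays within the oscillator model."""
    threshold = NormalDist().inv_cdf(1 - p_fa / 2) * drift_change_sigma(w)
    for k in range(w, len(clock_offsets) - w + 1):
        stat = ls_slope(clock_offsets[k:k + w]) - ls_slope(clock_offsets[k - w:k])
        if abs(stat) > threshold:
            return k, stat, threshold
    return None


def simulate_clock(n=300, spoof_onset=None, ramp=2e-9, seed=5):
    """Constructed receiver clock-offset series (seconds): oscillator random walk,
    solution noise, and from spoof_onset on a spoofer-imposed frequency ramp
    (ramp = fractional-frequency increase per second during the drag-off)."""
    rng = random.Random(seed)
    y = 2e-7          # initial fractional frequency offset
    offset = 0.0
    series = []
    for k in range(n):
        y += rng.gauss(0.0, SIGMA_Y)
        if spoof_onset is not None and k >= spoof_onset:
            y += ramp
        offset += y * DT
        series.append(offset + rng.gauss(0.0, SIGMA_M))
    return series


if __name__ == "__main__":
    print("honest clock:", drift_alarm(simulate_clock()))
    print("drag-off from t=150 s:", drift_alarm(simulate_clock(spoof_onset=150)))
```

A spoofer that ramps the clock more slowly than the oscillator's own random walk over one window stays under this threshold; lengthening the window lowers the detectable ramp at the cost of later alarms, which is the trade-off that makes the slides combine drift monitoring with power and distortion monitors.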
DOA/Interferometric Methods, Non-Spoofed Case
[Figure: GNSS satellites ..., j-1, j, j+1, ... with distinct line-of-sight unit vectors ρ̂_{j-1}, ρ̂_j, ρ̂_{j+1}; a 2-antenna system (antennas A & B, baseline b_BA) gives partial DOA determination; a 4-antenna system (antennas A, B, C & D, baselines b_BA, b_CA, b_DA) gives full DOA determination]

DOA/Interferometric Methods, Spoofed Case
[Figure: a single-transmit-antenna spoofer sends false signals for GNSS satellites ..., j-1, j, j+1, ...; every spoofed signal reaches the 2-antenna system along one direction ρ̂^sp_to2antsys and the 4-antenna system along one direction ρ̂^sp_to4antsys, instead of along the satellites' distinct directions]

Test of 2-Antenna Defense Against Live Spoofing Attack on White Rose of Drachs
[Photo: receiver/spoofer signal processor amidships; spoofer reception antenna at the stern of the yacht; spoofer transmission antenna; 2-antenna spoofing detector near the bow]

Single-Differenced Carrier Phase Responses to Spoofing Attack against Dual-Antenna System
[Figure: fractional part of ΔφBA (cycles, -0.8 to 0.6) vs. receiver clock time (0-1200 s) for PRN02, PRN12, PRN14, PRN21, PRN25, PRN29, PRN31; annotations: initial attack; code drag-off]

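The two-antenna test the plot above illustrates, as an added Python example that is not part of the slides: for true signals the single-differenced phase ΔφBA of each PRN is b_BA · ρ̂_j / λ plus an integer, so its fractional part differs from satellite to satellite, while a single-transmit-antenna spoofer delivers every PRN along one direction and all fractional parts collapse onto one value. The sky (azimuth/elevation per PRN, with the PRN numbers borrowed from the plot labels), the 1 m east-pointing baseline, the phase noise and both thresholds are my constructed assumptions; the second test additionally assumes the antenna attitude is known, which the 2-antenna system on the yacht may not have had.

```python
import math
import random

LAMBDA_L1 = 0.19029            # m, GPS L1 carrier wavelength
BASELINE_BA = (1.0, 0.0, 0.0)  # m, constructed: antenna B one metre east of antenna A (ENU)
PHASE_SIGMA = 0.02             # cycles, constructed single-difference phase noise

# Constructed sky: PRN -> (azimuth deg, elevation deg).
SKY = {2: (45, 60), 12: (120, 30), 14: (200, 45), 21: (300, 20),
       25: (10, 75), 29: (250, 70), 31: (160, 15)}


def los_enu(az_deg, el_deg):
    """Unit line-of-sight vector (east, north, up) toward a given azimuth/elevation."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def frac(x):
    return x - math.floor(x)


def predicted_fraction(los):
    """Fractional single-difference phase b_BA . rho_hat / lambda expected for a true signal."""
    return frac(dot(BASELINE_BA, los) / LAMBDA_L1)


def measured_fractions(spoofer_azel=None, seed=0):
    """Constructed measurements: authentic signals arrive along each PRN's own LOS;
    a single-antenna spoofer delivers every PRN from its one direction."""
    rng = random.Random(seed)
    out = {}
    for prn, (az, el) in SKY.items():
        src = los_enu(*spoofer_azel) if spoofer_azel is not None else los_enu(az, el)
        out[prn] = frac(dot(BASELINE_BA, src) / LAMBDA_L1 + rng.gauss(0.0, PHASE_SIGMA))
    return out


def resultant_length(fractions):
    """Mean resultant length of the fractional phases on the unit circle: close to 1
    when all PRNs share one single-difference phase (one spoofer antenna), well
    below 1 when the directions of arrival are diverse. Needs no attitude."""
    n = len(fractions)
    c = sum(math.cos(2 * math.pi * f) for f in fractions.values()) / n
    s = sum(math.sin(2 * math.pi * f) for f in fractions.values()) / n
    return math.hypot(c, s)


def geometry_residuals(fractions):
    """Wrapped residual in cycles, in [-0.5, 0.5), between each measured fraction and
    the value the known baseline/attitude predicts for the true satellite direction."""
    return {prn: ((fractions[prn] - predicted_fraction(los_enu(*SKY[prn])) + 0.5) % 1.0) - 0.5
            for prn in fractions}


def doa_spoofing_flags(fractions, spread_threshold=0.9, residual_threshold=0.1):
    """Both tests; an empty list means no DOA-based evidence of spoofing."""
    flags = []
    if resultant_length(fractions) > spread_threshold:
        flags.append("all PRNs share one direction of arrival")
    bad = [prn for prn, r in geometry_residuals(fractions).items() if abs(r) > residual_threshold]
    if len(bad) > len(fractions) // 2:
        flags.append("phases inconsistent with satellite geometry for PRNs " + str(sorted(bad)))
    return flags


if __name__ == "__main__":
    print("authentic:", doa_spoofing_flags(measured_fractions()))
    print("spoofed  :", doa_spoofing_flags(measured_fractions(spoofer_azel=(180, 10))))
```

The spread test assumes the baseline is long enough (several wavelengths here) for true fractional phases to differ across the sky and, as the later pairing slides note, is defeated by a spoofer with multiple transmission antennas; the geometry test additionally needs the vehicle attitude but also catches a spoofer whose single direction happens to coincide with one satellite.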
Complementary Detection Strategy Examples
- Power/signal-distortion/drift
  - Distortion is less obvious with a high-power spoofer or a rapid drag-off
  - Power & drift monitors constrain the spoofer to allow recognizable signal distortion during a long drag-off phase
- NMA/SCER-detection/clock-drift
  - NMA forces a Security Code Estimation & Replay (SCER) attack
  - Clock drift monitoring constrains initial spoofed signal delays
  - Constrained delays force the spoofer to fake early parts of NMA bits; faked initial bit portions are detectable
- DOA/continual signal re-acquisition
  - Re-acquisition finds multiple copies of the same signal
  - DOA distinguishes true & spoofed versions of the same signal

Relative "Cost" Ranking of Attack Strategies (lowest cost first)
1. Meaconing, single RCVR antenna, single TRANS antenna
2. Jammer/open-loop signal simulator
3. RCVR/SPFR, 1 TRANS antenna
4. Meaconing, multi RCVR antennas, 1 TRANS antenna
5. Nulling RCVR/SPFR, 1 TRANS antenna
6. RCVR/SPFR, multi TRANS antennas
7. Meaconing, multi RCVR antennas, multi TRANS antennas
8. Nulling RCVR/SPFR, multi TRANS antennas

Relative "Cost" Ranking of Detection Strategies (lowest cost first)
1. Observables & received power monitoring (RPM)
2. Correlation function distortion monitoring
3. Drift monitoring (clock offset, IMU/position)
4. Observables, RPM, distortion, & drift monitoring
5. NMA or delayed symmetric-key SSSC
6. NMA, SCER detection, RPM, & drift monitoring
7. Dual-RCVR keyless correlation of unknown SSSC codes
8. Symmetric-key SSSC, e.g., P(Y) or equivalent

Ineffective Defense/Attack Pairing Examples
- Pseudorange-based RAIM defense: ineffective against all reported attack strategies
- RPM & observables monitoring: any type of meaconing
- Correlation function distortion monitoring: receiver/spoofer w/1 TRANS antenna, if designed carefully
- NMA (w/o or w/SCER detection), dual-receiver keyless correlation of unknown SSSC, or symmetric-key SSSC: any type of signal-nulling attack
- DOA-based methods: methods using multiple spoofer transmission antennas

Effective Defense/Attack Pairing Examples
- RPM w/monitoring of observables, drift, & correlation function distortion: any spoofing method w/o signal nulling, if caught at onset
- DOA-based methods: all spoofing methods with a single transmission antenna
- NMA, dual-receiver keyless correlation of unknown SSSC, or symmetric-key SSSC: all non-meaconing/non-SCER spoofing methods

Cost-Ranked GNSS Attack/Detection Matrix
[Figure: matrix of cost-ranked attack strategies vs. cost-ranked detection strategies]
Psiaki & Humphreys, "GNSS Spoofing and Detection," IEEE Proc. (invited), submitted for review

Navigation Recovery after Attack Detection
- The bulk of research to date concentrates on detection
- Need to go beyond "Warning: Spoofing Attack; GNSS navigation fix unreliable" to "Authentic GNSS signals recovered; navigation fix reliable"
- The problem involves seeking, re-acquiring, & authenticating the true signals
- Hampered by spoofer strength (the spoofer acts as a jammer)
- Weak-signal techniques are usable if the spoofer transmits authentic navigation bits; this enables very long coherent integration intervals for the authentic signals

Authentic Signal Re-Acquisition "During" the White Rose of Drachs Libya Attack

Recommendations to COTS Receiver Manufacturers
- Implement something beyond simple pseudorange-based RAIM detection methods
- Implement the simplest detection methods first, ones that require mostly firmware upgrades
  - Monitoring of received power (needs AGC gain input if not available), observables anomalies, correlation function distortion, & clock drift
- Implement stronger detection methods as time, money, & market/perceived threat allow or demand
  - Apparently no COTS receivers defend against current threats
  - Existing multi-antenna systems could implement DOA methods via firmware upgrades
  - Constellations should add NMA or SSSC segments w/delayed keys
- Use hypothesis testing machinery in detection tests
- Enable re-acquisition of authentic signals/navigation capability