Techniques for Spoofing and for Spoofing Mitigation - SIGNAV
Transcription
Slide 1 of 30: Techniques for Spoofing and for Spoofing Mitigation
Mark L. Psiaki, Sibley School of Mechanical & Aerospace Engineering, Cornell University, Ithaca, NY, USA
ENAC/SIGNAV Nav. & Timing Symposium, 17 Nov. 2015

Slide 2 of 30: The Problem: Surreptitious Receiver Channel Capture & Consistent Drag-Off
[Figure: drag-off illustration; label: Known.]

Slide 3 of 30: The Problem: Spoofer Field Tests & Alleged "In-the-Wild" Spy Drone Capture
- Drone Hack: Spoofing Attack Demonstration on a Civilian Unmanned Aerial Vehicle (GPS World, 1 Aug. 2012)
- Exclusive: Iran hijacked US drone, says Iranian engineer (CS Monitor, 15 Dec. 2011)
- GPS Spoofing Experiment Knocks Ship off Course: University of Texas at Austin team repeats spoofing demonstration with a superyacht (Inside GNSS, 31 July 2013)

Slide 4 of 30: Presentation Outline
I. Potential spoofing attack strategies
II. Effective spoofing detection methods
III. Ranking of attack & detection "costs" and identification of appropriate detection methods for given attack strategies
IV. Re-acquisition of true signals & navigation capability after attack detection
V. Recommendations for COTS GNSS receiver spoofing defenses

Slide 5 of 30: Open-Loop Signal Simulator Attack
- Initially jam receiver to unlock tracking loops from true signals (figure label: Jammer Signal)
- Generate consistent spoofer signals using GNSS signal simulator & broadcast overpowered versions (figure label: Spoofer Signal)

Slide 6 of 30: Receiver/Spoofer with Known Geometry Relative to Victim (as already shown)
[Figure labels: Known; Receiver tracking points; Total signal; Spoofer signal; Completed drag-off.]

Slide 7 of 30: Meaconing Attack
[Figure labels: GNSS Satellite j-1, GNSS Satellite j, GNSS Satellite j+1, ...; Meacon's small phased array of GPS receiver antennas.]
[Figure labels, continued: Meacon/spoofer signal (has correct versions of all encryptions); Meacon (i.e., replay-with-delay) signal processor w/independently steerable channel reception gain patterns, replay delays, & replay gains.]

Slide 8 of 30: True-Signal Nulling Attack
[Figure labels: Known; Total signal; Receiver tracking points; Nulling signal; Completed drag-off; Spoofer signal; Cancellation of true & nulling signals.]

Slide 9 of 30: Multi-Transmitter Attack
[Figure labels: GNSS Satellite j-1, GNSS Satellite j, GNSS Satellite j+1, ...; Single-channel receiver/spoofers (possibly carried on air vehicles); Spoofed signals of individual satellites with realistic direction-of-arrival diversity.]

Slide 10 of 30: Received Power Monitoring (RPM)
[Figure only.]

Slide 11 of 30: Jump in [I;Q] Accumulation Phasor
[Figure: [I;Q] accumulation phasor vs. time, about 193.5 to 196.5 s; annotation: Sudden [I;Q] jump at onset of spoofing attack.]

Slide 12 of 30: Sudden Jump in Doppler Rate of Change
[Figure: Doppler Shift (Hz), about 2120 to 2260 Hz, vs. Time (sec), 0 to 500 s; annotations: Onset of spoofing attack; Onset of drag-off (sudden 0.02 g increment in carrier acceleration/Doppler rate).]

Slide 13 of 30: Distortion of Complex Correlations
[Figure, left panel: In-Phase Accumulation vs. Code Offset (chips), curves Non-Spoofed and Spoofed Drag-Off; annotation: No apparent spoofed distortion in correlation magnitude vs. code offset. Right panel: In-Phase Accumulation vs. Quadrature Accumulation; annotation: Telltale spoofer/true-signal interaction distortion: complex autocorrelation is non-planar.]
Slide 14 of 30: Encryption-Based Defenses
- Symmetric key encryption, e.g., GPS P(Y) & M codes
- Cross-correlation of unknown symmetric key codes between a secured reference receiver & a potential victim
- Navigation Message Authentication (NMA): digitally signed unpredictable navigation bits
- Spread Spectrum Security Code (SSSC): short encrypted segments received, stored, & checked against a digitally signed key that is broadcast later

Slide 15 of 30: Spoofing Detection via Inter-Receiver Correlation of Unknown P(Y) Code
[Figure labels: GPS Satellite; Secure antenna/receiver w/processing to estimate P(Y) features (or a single antenna or a distributed set of single antennas); Secure uplink of delayed, digitally-signed P(Y) features; GEO "bent-pipe" transceiver; Transmitter of delayed, digitally-signed P(Y) features; Broadcast segments of delayed, digitally-signed P(Y) features; UE with receiver for delayed, digitally-signed P(Y) features and delayed processing to detect spoofing via P(Y) feature correlation.]

Slide 16 of 30: Semi-Codeless Spoofing Detection using Unknown P(Y) Code Receiver Cross-Correlation
[Figure: gammas vs. Receiver A Time (sec), 0 to 250 s; curves: gamma detection statistic, predicted gamma mean, spoofing detection threshold, a priori predicted gamma mean, a priori spoofing detection threshold; annotations: Onset of spoofing attack; Successful detection of spoofing when dashed green threshold crosses above solid blue detection statistic; Build-up of significant spoofed C/A code-phase error.]

Slide 17 of 30: Drift-Based Defenses
- Monitor drift of computed receiver clock offset & compare with known oscillator stability
- Monitor nav. solution motion using an inertial measurement unit
- Declare a spoofing alert if either clock drift or nav. solution acceleration is physically unreasonable based on a priori knowledge or independent sensor data
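The inter-receiver cross-correlation defense of slides 14 to 16, as an added Python example (not code from the talk or the Cornell group). It stands in for the unknown P(Y) chips with a constructed random +/-1 stream, assumes both the secured reference receiver and the victim observe each chip with Gaussian noise of the same sigma, and uses a threshold midway between the two predicted means as the hypothesis test.

```python
import random

def unknown_chips(n, rng):
    """Stand-in for an unpredictable encrypted chip stream (the role P(Y) plays
    on the slides): one +/-1 value per chip, drawn from a seeded RNG."""
    return [rng.choice((-1.0, 1.0)) for _ in range(n)]

def noisy_observation(chips, sigma, rng):
    """A receiver's per-chip estimate: true chip plus Gaussian noise (assumed model)."""
    return [c + rng.gauss(0.0, sigma) for c in chips]

def gamma_statistic(ref_obs, victim_obs):
    """Normalized inter-receiver cross-correlation of the chip estimates.
    Its mean is about 1 when both receivers see the same encrypted chips and
    about 0 when the victim's chips are independent of the reference's."""
    n = len(ref_obs)
    return sum(a * b for a, b in zip(ref_obs, victim_obs)) / n

def spoofing_detected(ref_obs, victim_obs, threshold):
    """Hypothesis test: declare spoofing when the statistic falls below the
    threshold placed between the authentic and spoofed predicted means."""
    return gamma_statistic(ref_obs, victim_obs) < threshold

def demo(n_chips=20000, sigma=2.0, seed=7):
    rng = random.Random(seed)
    true_chips = unknown_chips(n_chips, rng)
    reference = noisy_observation(true_chips, sigma, rng)   # secured reference receiver
    authentic = noisy_observation(true_chips, sigma, rng)   # victim tracking the real signal
    # A non-meaconing spoofer cannot know the encrypted chips, so its broadcast
    # carries chips independent of the true ones (constructed here as fresh draws).
    spoofed = noisy_observation(unknown_chips(n_chips, rng), sigma, rng)
    threshold = 0.5   # midway between predicted means of 1.0 (authentic) and 0.0 (spoofed)
    return (gamma_statistic(reference, authentic),
            gamma_statistic(reference, spoofed),
            spoofing_detected(reference, spoofed, threshold))
```

A meacon that replays the true signal carries the correct chips and would correlate like the authentic case, which is why slides 25 and 26 limit this defense to non-meaconing attacks.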
Slide 18 of 30: DOA/Interferometric Methods, Non-Spoofed Case
[Figure: GNSS Satellites j-1, j, j+1 with line-of-sight unit vectors ρ̂_{j-1}, ρ̂_j, ρ̂_{j+1}; a 2-antenna system (Antenna A, Antenna B, baseline b_BA) and a 4-antenna system (Antennas A, B, C, D, baselines b_BA, b_CA, b_DA); annotation: Alternate system w/partial DOA determination.]

Slide 19 of 30: DOA/Interferometric Methods, Spoofed Case
[Figure: Single-transmit-antenna spoofer that sends false signals for GNSS satellites ..., j-1, j, j+1, ...; spoofer line-of-sight vectors ρ̂^sp to the 2-antenna system and ρ̂^sp to the 4-antenna system; Antenna A, Antenna B, baseline b_BA; Antennas A, B, C, D with baselines b_BA, b_CA, b_DA; annotation: Alternate system w/full DOA determination.]

Slide 20 of 30: Test of 2-Antenna Defense Against Live Spoofing Attack on White Rose of Drachs
[Figure labels: Receiver/spoofer signal processor amidships; Spoofer reception antenna at stern of yacht; Spoofer transmission antenna; 2-antenna spoofing detector near bow.]

Slide 21 of 30: Single-Differenced Carrier Phase Responses to Spoofing Attack against Dual-Antenna System
[Figure: Fractional Part of Δφ_BA (cycles), -0.8 to 0.6, vs. Receiver Clock Time (sec), 0 to 1200 s; curves for PRN02, PRN12, PRN14, PRN21, PRN25, PRN29, PRN31; annotations: Initial Attack; Code Drag-Off.]

Slide 22 of 30: Complementary Detection Strategy Examples
- Power/signal-distortion/drift: Distortion less obvious w/high-power spoofer or rapid drag-off; power & drift monitors constrain spoofer to allow recognizable signal distortion during a long drag-off phase
- NMA/SCER-detection/clock-drift: NMA forces Security Code Estimation & Replay attack; clock drift monitoring constrains initial spoofed signal delays; constrained delays force spoofer to fake early parts of NMA bits; faked initial bit portions are detectable
- DOA/continual signal re-acquisition: Re-acquisition finds multiple copies of same signal; DOA distinguishes true & spoofed versions of same signal
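The dual-antenna test of slides 18 to 21, as an added Python example (not the talk's code). Slide 21 shows the fractional single-differenced carrier phase Δφ_BA of every PRN collapsing onto one common value once a single-transmit-antenna spoofer captures the receiver; this block computes the geometric single differences for a constructed sky and baseline (1 m, pointing east) and flags that collapse with a mean-resultant-length clustering statistic, which is an assumed choice of test statistic rather than the one used on the yacht.

```python
import cmath
import math

L1_WAVELENGTH_M = 299_792_458.0 / 1575.42e6   # GPS L1 carrier wavelength, ~0.1903 m

def enu_unit(az_deg, el_deg):
    """Unit line-of-sight vector (east, north, up) from azimuth and elevation."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))

def single_difference_cycles(rho_hat, baseline_m, wavelength_m=L1_WAVELENGTH_M):
    """Geometric single-differenced carrier phase between antennas A and B, in
    cycles: (rho_hat . b_BA) / lambda for a plane wave arriving along rho_hat."""
    return sum(r * b for r, b in zip(rho_hat, baseline_m)) / wavelength_m

def fractional_cycles(phi):
    """Fractional part in [0, 1): the integer ambiguity is not observable."""
    return phi - math.floor(phi)

def mean_resultant_length(frac_phases):
    """Circular clustering statistic: 1.0 when all fractional phases coincide,
    near 0 when they are spread around the cycle."""
    z = sum(cmath.exp(2j * math.pi * f) for f in frac_phases) / len(frac_phases)
    return abs(z)

def spoofing_alert(frac_phases, threshold=0.9):
    """Hypothesis test: a single-antenna spoofer gives every PRN the same DOA,
    so the single differences collapse onto one value (statistic near 1)."""
    return mean_resultant_length(frac_phases) > threshold

def demo():
    b_ba = (1.0, 0.0, 0.0)   # constructed 1 m baseline from antenna A to B, pointing east
    sky = {"PRN02": (45, 30), "PRN12": (120, 60), "PRN14": (200, 20), "PRN21": (300, 45),
           "PRN25": (10, 75), "PRN29": (250, 35), "PRN31": (160, 50)}   # (az, el) deg, constructed
    authentic = [fractional_cycles(single_difference_cycles(enu_unit(az, el), b_ba))
                 for az, el in sky.values()]
    # Spoofed: every PRN arrives from one transmit antenna (constructed az 90 deg, el 5 deg),
    # with a small constructed per-channel phase noise in cycles.
    common = single_difference_cycles(enu_unit(90, 5), b_ba)
    noise = [0.003, -0.004, 0.002, -0.001, 0.005, -0.003, 0.001]
    spoofed = [fractional_cycles(common + n) for n in noise]
    return mean_resultant_length(authentic), mean_resultant_length(spoofed)
```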
Slide 23 of 30: Relative "Cost" Ranking of Attack Strategies
- Meaconing, single RCVR ant, single TRANS ant
- Jammer/open-loop signal simulator
- RCVR/SPFR, 1 TRANS ant
- Meaconing, multi RCVR ants, 1 TRANS ant
- Nulling RCVR/SPFR, 1 TRANS ant
- RCVR/SPFR, multi TRANS ants
- Meaconing, multi RCVR ants, multi TRANS ants
- Nulling RCVR/SPFR, multi TRANS ants

Slide 24 of 30: Relative "Cost" Ranking of Detection Strategies
- Observables & received power monitoring (RPM)
- Correlation function distortion monitoring
- Drift monitoring (clock offset, IMU/position)
- Observables, RPM, distortion, & drift monitoring
- NMA or delayed symmetric-key SSSC
- NMA, SCER detection, RPM, & drift monitoring
- Dual-RCVR keyless correlation of unknown SSSC codes
- Symmetric-key SSSC, e.g., P(Y) or equivalent

Slide 25 of 30: Ineffective Defense/Attack Pairing Examples (defense: attack it fails against)
- Pseudorange-based RAIM defense: ineffective against all reported attack strategies
- RPM & observables monitoring: any type of meaconing
- Correlation function distortion monitoring: receiver/spoofer w/1 TRANS ant, if designed carefully
- NMA (w/o or w/SCER detection), dual-receiver keyless correlation of unknown SSSC, or symmetric-key SSSC: any type of signal-nulling attack
- DOA-based methods: methods using multiple spoofer transmission antennas

Slide 26 of 30: Effective Defense/Attack Pairing Examples (defense: attacks it counters)
- RPM w/monitoring of observables, drift, & correlation function distortion: any spoofing method w/o signal nulling, if caught at onset
- DOA-based methods: all spoofing methods with a single transmission antenna
- NMA, dual-receiver keyless correlation of unknown SSSC, or symmetric-key SSSC: all non-meaconing/non-SCER spoofing methods

Slide 27 of 30: Cost-Ranked GNSS Attack/Detection Matrix
[Figure: matrix.] Source: Psiaki & Humphreys, "GNSS Spoofing and Detection," IEEE Proc.
(invited), submitted for review.

Slide 28 of 30: Navigation Recovery after Attack Detection
- Bulk of research to date concentrates on detection
- Need to go beyond "Warning: Spoofing Attack; GNSS navigation fix unreliable" to "Authentic GNSS signals recovered; navigation fix reliable"
- Problem involves seeking, re-acquiring, & authenticating true signals
- Hampered by spoofer strength (acts as a jammer)
- Weak-signal techniques usable if spoofer transmits authentic navigation bits; this enables very long coherent integration intervals for authentic signals

Slide 29 of 30: Authentic Signal Re-Acquisition "During" the White Rose of Drachs Libya Attack
[Figure only.]

Slide 30 of 30: Recommendations to COTS Receiver Mfg's.
- Implement something beyond simple pseudorange-based RAIM detection methods
- Implement simplest detection methods first, ones that require mostly firmware upgrades: monitoring of received power (needs AGC gain input if not available), observables anomalies, correlation function distortion, & clock drift
- Implement stronger detection methods as time, money, & market/perceived threat allow or demand
- Apparently no COTS receivers defend against current threats
- Existing multi-antenna systems could implement DOA methods via firmware upgrades
- Constellations should add NMA or SSSC segments w/delayed keys
- Use hypothesis testing machinery in detection tests
- Enable re-acquisition of authentic signals/navigation capability
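The clock-drift and IMU monitors of slide 17, which slide 30 recommends as firmware-only first steps, as an added Python example (not code from the talk). It assumes a 1 ppm steady oscillator offset, an assumed 1e-8 s/s stability bound on the change of drift rate between a trusted baseline window and the current window, a stationary platform whose IMU reports zero acceleration, and constructed 1 Hz samples; the spoofed nav solution accelerates at the 0.02 g figure quoted on slide 12.

```python
C_MPS = 299_792_458.0  # speed of light: converts a clock-rate error (s/s) to a range rate (m/s)

def ls_slope(samples, dt_s):
    """Least-squares slope (per second) of equally spaced samples."""
    n = len(samples)
    t_mean = (n - 1) * dt_s / 2.0
    s_mean = sum(samples) / n
    num = sum((i * dt_s - t_mean) * (s - s_mean) for i, s in enumerate(samples))
    den = sum((i * dt_s - t_mean) ** 2 for i in range(n))
    return num / den

def clock_drift_check(baseline_offsets_s, current_offsets_s, dt_s, stability_bound):
    """Change of the fitted clock-offset drift rate between a trusted baseline window
    and the current window, tested against the oscillator's known stability (s/s)."""
    delta_rate = ls_slope(current_offsets_s, dt_s) - ls_slope(baseline_offsets_s, dt_s)
    return delta_rate, abs(delta_rate) > stability_bound

def nav_accel_check(velocities_mps, imu_accel_mps2, dt_s, max_discrepancy_mps2):
    """Worst disagreement between the nav-solution acceleration (finite difference
    of velocity) and the IMU's independent acceleration measurement."""
    worst = 0.0
    for k in range(1, len(velocities_mps)):
        a_nav = (velocities_mps[k] - velocities_mps[k - 1]) / dt_s
        worst = max(worst, abs(a_nav - imu_accel_mps2[k]))
    return worst, worst > max_discrepancy_mps2

def demo():
    dt = 1.0
    jitter = [2e-9, -1e-9, 0.0, 1e-9, -2e-9, 1e-9, 0.0, -1e-9, 2e-9, -1e-9]  # constructed, s
    osc_rate = 1.0e-6   # assumed legitimate 1 ppm TCXO offset, steady over both windows
    base = [osc_rate * i + j for i, j in enumerate(jitter)]
    authentic = [base[-1] + osc_rate * (i + 1) + j for i, j in enumerate(jitter)]
    # Drag-off: spoofer adds 3e-7 s/s of clock-rate error (about 90 m/s of range rate)
    spoofed = [base[-1] + (osc_rate + 3.0e-7) * (i + 1) + j for i, j in enumerate(jitter)]
    stability = 1.0e-8  # assumed bound on legitimate rate change over a 10 s window
    d_auth, f_auth = clock_drift_check(base, authentic, dt, stability)
    d_spf, f_spf = clock_drift_check(base, spoofed, dt, stability)
    # Stationary platform: IMU reports 0 m/s^2 while the spoofed solution pulls away at 0.02 g
    imu = [0.0] * 10
    v_spf = [0.02 * 9.80665 * i for i in range(10)]
    worst, f_acc = nav_accel_check(v_spf, imu, dt, 0.05)
    return {"auth_flag": f_auth, "spoof_flag": f_spf, "accel_flag": f_acc,
            "spoof_range_rate_mps": d_spf * C_MPS, "worst_accel_mps2": worst}
```

A drag-off slower than the stability bound passes this check, which is the sense in which slide 22 says drift monitoring constrains rather than defeats the spoofer.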