Shinan Liu,Xiang Cheng,Hanchao Yang,Yuanchao Shu,Xiaoran Weng,Ping Guo,Kexiong (Curtis) Zeng,Gang Wang,Yaling Yang

2021-01-01

Abstract:The GPS has empowered billions of users and various critical infrastructures with its positioning and time services. However, GPS spoofing attacks also become a growing threat to GPS-dependent systems. Existing detection methods either require expensive hardware modifications to current GPS devices or lack the basic robustness against sophisticated attacks, hurting their adoption and usage in practice. In this paper, we propose a novel GPS spoofing detection framework that works with off-the-shelf GPS chipsets. Our basic idea is to rotate a one-side-blocked GPS receiver to derive the angle-of-arrival (AoAs) of received signals and compare them with the GPS constellation (consists of tens of GPS satellites). We first demonstrate the effectiveness of this idea by implementing a smartphone prototype and evaluating it against a real spoofer in various field experiments (in both open air and urban canyon environments). Our method achieves a high accuracy (95%-100%) in 5 seconds. Then we implement an adaptive attack, assuming the attacker becomes aware of our defense method and actively modulates the spoofing signals accordingly. We study this adaptive attack and propose enhancement methods (using the rotation speed as the "secret key") to fortify the defense. Further experiments are conducted to validate the effectiveness of the enhanced defense.

Maryam Motallebighomi,Harshad Sathaye,Mridula Singh,Aanjhan Ranganathan

DOI: https://doi.org/10.48550/arXiv.2204.11641

2022-11-02

Abstract:Civilian-GNSS is vulnerable to signal spoofing attacks, and countermeasures based on cryptographic authentication are being proposed to protect against these attacks. Both Galileo and GPS are currently testing broadcast authentication techniques based on the delayed key disclosure to validate the integrity of navigation messages. These authentication mechanisms have proven secure against record now and replay later attacks, as navigation messages become invalid after keys are released. This work analyzes the security guarantees of cryptographically protected GNSS signals and shows the possibility of spoofing a receiver to an arbitrary location without breaking any cryptographic operation. In contrast to prior work, we demonstrate the ability of an attacker to receive signals close to the victim receiver and generate spoofing signals for a different target location without modifying the navigation message contents. Our strategy exploits the essential common reception and transmission time method used to estimate pseudorange in GNSS receivers, thereby rendering any cryptographic authentication useless. We evaluate our attack on a commercial receiver (ublox M9N) and a software-defined GNSS receiver (GNSS-SDR) using a combination of open-source tools, commercial GNSS signal generators, and software-defined radio hardware platforms. Our results show that it is possible to spoof a victim receiver to locations around 4000 km away from the true location without requiring any high-speed communication networks or modifying the message contents. Through this work, we further highlight the fundamental limitations in securing a broadcast signaling-based localization system even if all communications are cryptographically protected.

Cryptography and Security

Yuqing Zhao,Feng Shen,Dingjie Xu,Zhen Meng

DOI: https://doi.org/10.1109/icemi59194.2023.10270233

2023-01-01

Abstract:A novel antenna array-based spoofing defense scheme for the Global Navigation Satellite System (GNSS) is developed in this paper. The basis of the proposed approach is the spatial processing, which can be divided into two successive steps. In the first step, to identify and suppress the spoofing under the noise level, we build a cyclic correlation matrix to provide the direction of arrival (DOA) of the incoming signals. A robust adaptive beamforming process based on eigenspace projection is then designed to eliminate the spoofing in the second step. In particular, the proposed technique is capable of adaptively eliminating spoofing while providing protection to the desired navigation signals. By exploiting the digitised baseband signals, our framework avoids acquiring and tracking all arriving signals, reducing the receiver's computational load. The effectiveness of our anti-spoofing strategy is illustrated by the simulation experiments.

Gonzalo Seco-Granados,David Gomez-Casco,Jose A. Lopez-Salcedo,Ignacio Fernandez-Hernandez

DOI: https://doi.org/10.1007/s10291-020-01049-z

2020-11-07

Abstract:Intentional interference, and in particular GNSS spoofing, is currently one of the most significant concerns of the Positioning, Navigation and Timing (PNT) community. With the adoption of Open Service Navigation Message Authentication (OSNMA) in Galileo, the E1B signal component will continuously broadcast unpredictable cryptographic data. This allows GNSS receivers not only to ensure the authenticity of data origin but also to detect replay spoofing attacks for receivers already tracking real signals with relatively good visibility conditions. Since the spoofer needs to estimate the unpredictable bits introduced by OSNMA with almost zero delay in order to perform a Security Code Estimation and Replay (SCER) attack, the spoofer unavoidably introduces a slight distortion into the signal, which can be the basis of a spoofing detector. In this work, we propose five detectors based on partial correlations of GNSS signals obtained over predictable and unpredictable parts of the signals. We evaluate them in a wide set of test cases, including different types of receiver and spoofing conditions. The results show that one of the detectors is consistently superior to the others, and it is able to detect SCER attacks with a high probability even in favorable conditions for the spoofer. Finally, we discuss some practical considerations for implementing the proposed detector in receivers, in particular when the Galileo OSNMA message structure is used.

Cryptography and Security,Signal Processing

Zhijun Wu,Cheng Liang,Yuan Zhang

DOI: https://doi.org/10.1109/taes.2023.3241041

IF: 3.491

2023-01-01

IEEE Transactions on Aerospace and Electronic Systems

Abstract:The Civil Navigation Message (CNAV) of the Global Navigation Satellite System (GNSS) is transmitted in an open channel without authentication and integrity protection mechanism. Therefore, the CNAV is facing the threat of interception and tampering, and it is vulnerable to spoofing attacks. To guarantee the authenticity and integrity of CNAV, we propose a cryptographic anti-spoofing scheme of CNAV in GNSS based on consortium blockchain using domestic cryptographic algorithms. In this scheme, we design a CNAV authentication model based on satellites, ground stations and key management center. And implement the authentication protocol to achieve the purpose of preventing CNAV in GNSS from being tampered with. On the basis of the authentication of the entities, the scheme further realizes the functions of information source authentication and integrity protection of the legitimate senders. And on the basis of satisfying security, the protocol has lower computing and communication cost, simplifies the process of re-authentication of information source, and has great practicability for receivers that use civil navigation message to achieve navigation and positioning functions.

telecommunications,engineering, electrical & electronic, aerospace

Francisco Gallardo,Antonio Pérez-Yuste,Andriy Konovaltsev

DOI: https://doi.org/10.3390/s24237698

IF: 3.9

2024-12-02

Sensors

Abstract:Spoofing attacks pose a significant security risk for organizations and systems relying on global navigation satellite systems (GNSS) for their operations. While the existing spoofing detection methods have shown some effectiveness, these can be vulnerable to certain attacks, such as secure code estimation and replay (SCER) attacks, among others.This paper analyzes the potential of satellite fingerprinting methods for GNSS spoofing detection and benchmarks their performance using real (in realistic scenarios by using GPS and Galileo signals generated and recorded in the advanced GNSS simulation facility of DLR) GNSS signals and scenarios. Our results show that our proposed fingerprinting methods can improve the detection accuracy of the existing methods and can be coupled with other techniques to enhance the overall performance of the detection systems, all based on relatively simple metrics. In this paper, we compare the performance of several fingerprinting methods, including those from the existing literature (based on signal Gaussian properties of the signal complex envelope, energy and in-phase symbol dispersion) and one proposed in this paper, based on the satellite instrumental delay. The innovation of this work is a new jamming and spoofing complementary detection technique, based on fingerprinting and machine learning, including a new fingerprinting metric (based on the satellite instrumental delay).

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Francesco Ardizzon,Laura Crosara,Stefano Tomasin,Nicola Laurenti

DOI: https://doi.org/10.1109/TIFS.2024.3381473

2023-04-06

Abstract:Global navigation satellite systems (GNSSs) are implementing security mechanisms: examples are Galileo open service navigation message authentication (OS-NMA) and GPS chips-message robust authentication (CHIMERA). Each of these mechanisms operates in a single band. However, nowadays, even commercial GNSS receivers typically compute the position, velocity, and time (PVT) solution using multiple constellations and signals from multiple bands at once, significantly improving both accuracy and availability. Hence, cross-authentication checks have been proposed, based on the PVT obtained from the mixture of authenticated and non-authenticated signals. In this paper, first, we formalize the models for the cross-authentication checks. Next, we describe, for each check, a spoofing attack to generate a fake signal leading the victim to a target PVT without notice. We analytically relate the degrees of the freedom of the attacker in manipulating the victim's solution to both the employed security checks and the number of open signals that can be tampered with by the attacker. We test the performance of the considered attack strategies on an experimental dataset. Lastly, we show the limits of the PVT-based GNSS cross-authentication checks, where both authenticated and non-authenticated signals are used.

Cryptography and Security,Signal Processing

Xiao Chen,Ruidan Luo,Ting Liu,Hong Yuan,Haitao Wu

DOI: https://doi.org/10.3390/rs15051462

IF: 5

2023-03-06

Remote Sensing

Abstract:As the Global Navigation Satellite System (GNSS) is widely used in all walks of life, the signal structure of satellite navigation is open, and the vulnerability to spoofing attacks is also becoming increasingly prominent, which will seriously affect the credibility of navigation, positioning, and timing (PNT) services. Satellite navigation signal authentication technology is an emerging technical means of improving civil signal anti-spoofing on the satellite navigation system side, and it is also an important development direction and research focus of the GNSS. China plans to carry out the design and development of the next-generation Beidou navigation satellite system (BDS), and one of its core goals is to provide more secure and credible PNT services. This paper first expounds on the principles and technical architecture of satellite navigation signal authentication, then clarifies the development history of satellite navigation signal authentication, and finally proposes the BDS authentication service system architecture. It will provide technical support for the construction and development of the follow-up Beidou authentication service.

environmental sciences,imaging science & photographic technology,remote sensing,geosciences, multidisciplinary

Qing-Yi Fu,Yue-Hua Feng,Hui-Ming Wang,Peng Liu

DOI: https://doi.org/10.1109/lwc.2020.3035811

IF: 6.3

2021-03-01

IEEE Wireless Communications Letters

Abstract:The future mobile system shall be able to support satellite access to provide an ubiquitous wireless connection service. Satellite communication is vulnerable to spoofing attacks due to the open nature of wireless channels, especially for the downlink satellite system information signalling (SIS) which has not been authenticated yet before initial access. SIS spoofing attacks would cause interferences as well as access failures or even denial of services (DoS) to the legitimate users. Thanks to the knowledge of satellite ephemeris as well as the global navigation satellite system (GNSS), Doppler frequency shift as an available physical attribute can be exploited to identify the source of SIS before the random access procedure. A physical layer authentication (PLA) approach based on Doppler frequency shift is proposed to determine whether the received SIS is from the legitimate communication satellite. Simulations show that the performance of the proposed method outperforms the channel state information (CSI) based PLA scheme.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kyle D. Wesson,Jason N. Gross,Todd E. Humphreys,Brian L. Evans

DOI: https://doi.org/10.1109/TAES.2017.2765258

2020-03-27

Abstract:We propose a simple low-cost technique that enables civil Global Positioning System (GPS) receivers and other civil global navigation satellite system (GNSS) receivers to reliably detect carry-off spoofing and jamming. The technique, which we call the Power-Distortion detector, classifies received signals as interference-free, multipath-afflicted, spoofed, or jammed according to observations of received power and correlation function distortion. It does not depend on external hardware or a network connection and can be readily implemented on many receivers via a firmware update. Crucially, the detector can with high probability distinguish low-power spoofing from ordinary multipath. In testing against over 25 high-quality empirical data sets yielding over 900,000 separate detection tests, the detector correctly alarms on all malicious spoofing or jamming attacks while maintaining a <0.6% single-channel false alarm rate.

Cryptography and Security

Yuqing Zhao,Feng Shen,Guanghui Xu,Guochen Wang

DOI: https://doi.org/10.3390/s21030929

2021-01-01

Abstract:The presence of spoofing signals poses a significant threat to global navigation satellite system (GNSS)-based positioning applications, as it could cause a malfunction of the positioning service. Therefore, the main objective of this paper is to present a spatial-temporal technique that enables GNSS receivers to reliably detect and suppress spoofing. The technique, which is based on antenna array, can be divided into two consecutive stages. In the first stage, an improved eigen space spectrum is constructed for direction of arrival (DOA) estimation. To this end, a signal preprocessing scheme is provided to solve the signal model mismatch in the DOA estimation for navigation signals. In the second stage, we design an optimization problem for power estimation with the estimated DOA as support information. After that, the spoofing detection is achieved by combining power comparison and cross-correlation monitoring. Finally, we enhance the genuine signals by beamforming while the subspace oblique projection is used to suppress spoofing. The proposed technique does not depend on external hardware and can be readily implemented on raw digital baseband signal before the despreading of GNSS receivers. Crucially, the low-power spoofing attack and multipath can be distinguished and mitigated by this technique. The estimated DOA and power are both beneficial for subsequent spoofing localization. The simulation results demonstrate the effectiveness of our method.

Seongkyun Jeong

DOI: https://doi.org/10.1371/journal.pone.0237146

IF: 3.7

2020-08-28

PLoS ONE

Abstract:The Global Navigation Satellite System is vulnerable to interference signals that can potentially disable the system, because the signal strength tends to be very weak. Interference such as jamming, which disables the receiver via excessively high signal strength in the satellite navigation frequency band, and spoofing, which induces the receiver to output erroneous position and time data via signals similar to actual navigation signals, disrupt satellite navigation systems. As the threat of interference is increasing, considerable research effort has been expended in an attempt to deal with it in various ways. Spoofing attacks are especially difficult to detect. This paper deals with a technique to detect a spoofing signal and to mitigate attacks on satellite navigation systems. The satellite navigation signal is influenced by the navigation satellite itself and errors due to environmental factors, and spoofing signal detection should be well reflected in the navigation signal. Especially, in the case of mobile receivers, it is not easy to detect a spoofing signal because the exact position of the receiver cannot be known. To detect a spoofing signal, additional hardware may be required; in some cases, heterogeneous sensors, such as inertial sensors, may be used. The technique introduced in this paper effectively discriminates spoofing signals based only on receiver measurements, without the need for additional devices. It generates test statistics based on the pseudorange, which is the measured value of the receiver position, and detects spoofing signals by setting the monitoring interval according to a "sliding window". Because the proposed method uses output data and measurements obtained from the receiver, it can be applied to general receivers at low cost.

Jianfeng Li,Hong Li,Fei Wang,Hang Ruan,ZhongXiao Wang,Mingquan Lu

DOI: https://doi.org/10.33012/2018.15587

2018-01-01

Abstract:Global Navigation Satellite System (GNSS) is widely applied to our daily life with its stable service. The GNSS control segment routinely generates navigation message based on a prediction model and the measurements from global monitor stations. Navigation message includes each satellite's clock correction, ephemeris, and almanac which are stable and change by certain rules. The paper analyzes these parameters of Global Positioning System (GPS) and BeiDou System (BDS). Based on different changing rules of parameters, the paper divides all parameters into four categories and briefly discusses their applications in anomaly detection and anti-spoofing. Further, the computed satellite position deviations by ephemerides and almanacs of different time are researched and relevant mathematical model is established. Also, the computed clock deviations are discussed. With the increasing use of GNSS, its vulnerability has caused much concern. In general, there are many spoofing methods. In order to deceive a victim receiver to a predetermined position or time, some spoofers may change navigation message. The above analysis results can be applied to check such spoofing attacks. So two threshold models are established and their advantages and disadvantages are discussed. Combining two threshold models, the paper proposes a method to effectively utilize navigation message for anti-spoofing. Finally, the method is implemented on GPS/BDS receivers and the relevant experimental results show that it is feasible and effective in different deception scenarios where navigation message is tampered.

Haiyang Wang,Yuanyu Zhang,Yulong Shen,Junming Zhu,Chuancun Yin,Xiaohong Jiang

DOI: https://doi.org/10.33012/2023.19397

2023-01-01

Abstract:Open Service Navigation Message Authentication (OSNMA) serves as a critical security mechanism for the Galileo global navigation satellite system. At the core of OSNMA is a Timed Efficient Stream Loss-tolerant Authentication (TESLA) scheme, which generates a tag for each navigation message using a secret key and later discloses the key to receivers for authenticating the message-tag pair. Despite its great effectiveness against spoofing attacks, OSNMA’s ability to resist replay attacks is questionable since the replayed signals containing authentic messages and tags may bypass the authentication under certain circumstances. This paper, for the first time, reveals two serious vulnerabilities of OSNMA: time synchronization (TS) and non-continuous message authentication (NCMA). TS is a mandatory requirement that specifies that the difference between a receiver’s local reference time and the Galileo System Time (GST) extracted from Galileo signals does not exceed a given threshold. Exploiting this vulnerability, we propose a pre-startup replay (PreRep) attack, where Galileo signals are continuously recorded and replayed to a victim receiver before it starts up such that the TS requirement is satisfied and the receiver is locked to the replayed signals. NCMA means that OSNMA temporarily suspends the authentication process probably due to the reception of a broken message, tag or key, and restores the authentication after receiving a later-disclosed valid message-tag-key pair. Based on this vulnerability, we propose a post-startup replay (PosRep) attack, which conducts the replay attack after the victim receiver starts up such that the replayed signals break the currently receiving message-tag-key pair, deliberately suspending the authentication process, while subsequently-replayed signals can pass the authentication successfully as the message-tag-key pairs inside are valid. Finally, we conducted extensive experiments based on real-world OSNMA-integrated receivers and two software-defined radio (SDR) devices to demonstrate the feasibility of the proposed attacks.

M. Lenhart,M. Spanghero,P. Papadimitratos

DOI: https://doi.org/10.48550/arXiv.2202.11341

2022-02-23

Cryptography and Security

Abstract:With the introduction of Navigation Message Authentication (NMA), future Global Navigation Satellite Systems (GNSSs) prevent spoofing by simulation, i.e., the generation of forged satellite signals based on public information. However, authentication does not prevent record-and-replay attacks, commonly termed as meaconing. These attacks are less powerful in terms of adversarial control over the victim receiver location and time, but by acting at the signal level, they are not thwarted by NMA. This makes replaying/relaying attacks a significant threat for GNSS. While there are numerous investigations on meaconing, the majority does not rely on actual implementation and experimental evaluation in real-world settings. In this work, we contribute to the improvement of the experimental understanding of meaconing attacks. We design and implement a system capable of real-time, distributed, and mobile meaconing, built with off-the-shelf hardware. We extend from basic distributed attacks, with signals from different locations relayed over the Internet and replayed within range of the victim receiver(s): this has high bandwidth requirements and thus depends on the quality of service of the available network to work. To overcome this limitation, we propose to replay on message level, including the authentication part of the payload. The resultant reduced bandwidth enables the attacker to operate in mobile scenarios, as well as to replay signals from multiple GNSS constellations and/or bands simultaneously. Additionally, the attacker can delay individually selected satellite signals to potentially influence the victim position and time solution in a more fine-grained manner. Our versatile test-bench, enabling different types of replaying/relaying attacks, facilitates testing realistic scenarios towards new and improved replaying/relaying-focused countermeasures in GNSS receivers.

Jiaqi Zhang,Xiaowei Cui,Chenxi Peng,Mingquan Lu

DOI: https://doi.org/10.33012/2019.17063

2019-01-01

Abstract:In recent research, spatial processing technique based on antenna array has been considered as one of the most effective anti-spoofing methods. This paper provides a novel spoofing suppression scheme based on the Cyclic Multiple Signal Classification (MUSIC) algorithm. In this method, the cyclostationarity of navigation signals are fully excavated to estimate the spatial power spectrum before the despreading process of the receiver. Then, based on the assumption that the spoofing signals with different spurious pseudo random noise (PRN) codes come from one single-antenna source, the spoofing attack can be detected if the power of a certain direction is significantly larger than other directions. Finally, the subspace projection is adopted to eliminate the spoofing signals and beamforming for each satellite ensures that the power of the authentic signals is not attenuated. The proposed technique has lower computational complexity than the post-despreading methods because all the operations are performed on the digitized baseband samples without any modification to the receiver. In addition, different with other pre-despreading methods, this method can accurately estimate the DOAs of the spoofing and authentic signals, which can not only provide higher gain for the authentic signals but also be helpful for the interference source positioning in some applications.

Fei Wang,Hong Li,Mingquan Lu

DOI: https://doi.org/10.1109/access.2017.2698070

IF: 3.9

2017-01-01

IEEE Access

Abstract:Security of global navigation satellite systems (GNSS) is important since the navigation capability provided by the GNSS is a key enabler for many civilian and military applications. Spoofing attacks threaten the GNSS security and have caught much attention recently. The spatial processing method is one of the most robust GNSS spoofing countermeasures, which detects spoofing signals with a moving antenna or multi-antenna, but it cannot work in a static single-antenna receiver. In this paper, we propose a spoofing countermeasure based on the power measurements of a single rotating antenna, which can be implemented in a static receiver. The method takes advantages of the anisotropy of the antenna's gain pattern to detect spoofing signals. When the antenna is rotating, the power measurements of the spoofing signals coming from the same direction change similarly and the correlation coefficients between them are close to 1, but the power measurements of the authentic signals are uncorrelated. Since it is not easy to evaluate the anti-spoofing performance of the correlation coefficient, another metric named phase difference of power measurements is proposed. Its theoretical performance is derived based on generalized likelihood ratio test and validated with simulations. Actual experiments indicate that both the simulated and meaconing spoofing signals can be distinguished from the authentic ones, and the method can be implemented in a static or low dynamic conventional receiver, only with an additional low-cost rotary table.

He Li,Li Hong,Lu Mingquan

DOI: https://doi.org/10.1049/iet-rsn.2019.0058

2019-01-01

IET Radar, Sonar & Navigation

Abstract:The menace of spoofing is overshadowing the civilian use of the global satellite navigation system. Many anti-spoofing approaches have been intensively researched in the literature, among which the spoofing-detection ones are the most thoroughly investigated. In this study, the authors propose a novel spoofing-detection method, which jointly utilises the carrier Doppler frequency caused by the vertical reciprocating motion of the receiving antenna and the navigational information conveyed by the received signals. This specific motion pattern would make the Doppler measurement of each signal fluctuate like water ripples, of which the amplitude should be proportional to the sine of the corresponding satellite's elevation. Singular value decomposition is deployed to simultaneously estimate the speed variation of the receiving antenna and the relative amplitudes of the Doppler fluctuations. Then, the proportionality between relative amplitudes and the elevation sines is checked to detect the spoofing signal, which would probably break the proportionality. The proposed method is experimentally verified and validated. They also analyse the detection performance both theoretically and numerically. Moreover, several motion deviations are assessed both theoretically and practically.

Linling Cheng,Zhenzhen Gao

DOI: https://doi.org/10.1109/iccc55456.2022.9880830

2022-01-01

Abstract:In this paper, a physical layer anti-eavesdropping scheme for the uplink OFDM transmission of mobile satellite communication systems is proposed. To deal with the correlation of the legitimate satellite link and the eavesdropping satellite link, artificial noise (AN) is introduced when designing the precoding among the subcarriers at the terrestrial transmitter. The AN-based precoding scheme can prevent the blind decoding at the eavesdropper and deteriorate the eavesdropper's BER. Meanwhile, the AN can be eliminated at the satellite receiver and a 2nd-order diversity can be achieved. The secrecy performance of the proposed scheme is evaluated through bit error rate (BER). The numerical results show that for both stationary and moving terrestrial users, the BER at the eavesdropper is always worse than 0.2 even she knows the encoding rule and has correlated channels with correlation coefficient 0.8.

Junzhi Li,Xiangwei Zhu,Mingjun Ouyang,Dan Shen,Zhengkun Chen,Zhiqiang Dai,ZHiqiang Dai

DOI: https://doi.org/10.1088/1361-6501/ac672a

IF: 2.398

2022-04-13

Measurement Science and Technology

Abstract:Abstract Global Navigation Satellite System (GNSS) spoofing interference poses a great threat to the security of end users. Based on the same propagation path characteristics of the spoofing signals transmitted by a single antenna spoofing device, this paper proposes a method against single antenna spoofing jamming utilizing the Fréchet distance of Doppler frequency difference. When the receiver moves, the Doppler data in a window are fitted via the leastsquares method, and the Fréchet distance between the two satellite signals is calculated to obtain the similarity evaluation value between them. The detection of spoofing signal is carried out based on the evaluation value. We use real data to verify the detection performance of the method, and the experimental results show that the method can effectively distinguish the spoofing signal from the authentic signal. In addition, the method has low computational complexity and requires less additional information, which makes it possible to apply it in the anti-spoofing module of a GNSS receiver.

engineering, multidisciplinary,instruments & instrumentation