Shinan Liu,Xiang Cheng,Hanchao Yang,Yuanchao Shu,Xiaoran Weng,Ping Guo,Kexiong (Curtis) Zeng,Gang Wang,Yaling Yang

2021-01-01

Abstract:The GPS has empowered billions of users and various critical infrastructures with its positioning and time services. However, GPS spoofing attacks also become a growing threat to GPS-dependent systems. Existing detection methods either require expensive hardware modifications to current GPS devices or lack the basic robustness against sophisticated attacks, hurting their adoption and usage in practice. In this paper, we propose a novel GPS spoofing detection framework that works with off-the-shelf GPS chipsets. Our basic idea is to rotate a one-side-blocked GPS receiver to derive the angle-of-arrival (AoAs) of received signals and compare them with the GPS constellation (consists of tens of GPS satellites). We first demonstrate the effectiveness of this idea by implementing a smartphone prototype and evaluating it against a real spoofer in various field experiments (in both open air and urban canyon environments). Our method achieves a high accuracy (95%-100%) in 5 seconds. Then we implement an adaptive attack, assuming the attacker becomes aware of our defense method and actively modulates the spoofing signals accordingly. We study this adaptive attack and propose enhancement methods (using the rotation speed as the "secret key") to fortify the defense. Further experiments are conducted to validate the effectiveness of the enhanced defense.

Kexiong (Curtis) Zeng,Yuanchao Shu,Shinan Liu,Yanzhi Dou,Yaling Yang

DOI: https://doi.org/10.1145/3032970.3032983

2017-01-01

Abstract:High value of GPS location information and easy availability of portable GPS signal spoofing devices incentivize attackers to launch GPS spoofing attacks against location-based applications. In this paper, we propose an attack model in road navigation scenario, and develop a complete framework to analyze, simulate and evaluate the spoofing attacks under practical constraints. To launch an attack, the framework first constructs a road network, and then searches for an attack route that smoothly diverts a victim without his awareness. In extensive data-driven simulations in College Point, New York City, we managed to navigate a victim to locations 1km away from his original destination.

Kexiong (Curtis) Zeng,Shinan Liu,Yuanchao Shu,Dong Wang,Haoyu Li,Yanzhi Dou,Gang Wang,Yaling Yang

2018-01-01

Abstract:Mobile navigation services are used by billions of users around globe today. While GPS spoofing is a known threat, it is not yet clear if spoofing attacks can truly manipulate road navigation systems. Existing works primarily focus on simple attacks by randomly setting user locations, which can easily trigger a routing instruction that contradicts with the physical road condition (i.e., easily noticeable). In this paper, we explore the feasibility of a stealthy manipulation attack against road navigation systems. The goal is to trigger the fake turn-by-turn navigation to guide the victim to a wrong destination without being noticed. Our key idea is to slightly shift the GPS location so that the fake navigation route matches the shape of the actual roads and trigger physically possible instructions. To demonstrate the feasibility, we first perform controlled measurements by implementing a portable GPS spoofer and testing on real cars. Then, we design a searching algorithm to compute the GPS shift and the victim routes in real time. We perform extensive evaluations using a trace-driven simulation (600 taxi traces in Manhattan and Boston), and then validate the complete attack via real-world driving tests (attacking our own car). Finally, we conduct deceptive user studies using a driving simulator in both the US and China. We show that 95% of the participants follow the navigation to the wrong destination without recognizing the attack. We use the results to discuss countermeasures moving forward.

Zhenghao Zhang,Matthew Trinkle,Aleksandar D. Dimitrovski,Husheng Li

DOI: https://doi.org/10.48550/arXiv.1204.0462

2012-04-02

Cryptography and Security

Abstract:A novel time synchronization attack (TSA) on wide area monitoring systems in smart grid has been identified in the first part of this paper. A cross layer detection mechanism is proposed to combat TSA in part II of this paper. In the physical layer, we propose a GPS carrier signal noise ratio (C/No) based spoofing detection technique. In addition, a patch-monopole hybrid antenna is applied to receive GPS signal. By computing the standard deviation of the C/No difference from two GPS receivers, a priori probability of spoofing detection is fed to the upper layer, where power system state is estimated and controlled. A trustworthiness based evaluation method is applied to identify the PMU being under TSA. Both the physical layer and upper layer algorithms are integrated to detect the TSA, thus forming a cross layer mechanism. Experiment is carried out to verify the effectiveness of the proposed TSA detection algorithm.

Weiyu Gao,Hong Li,Minghan Zhong,Mingquan Lu

DOI: https://doi.org/10.1109/tsg.2023.3258963

IF: 10.275

2023-01-01

IEEE Transactions on Smart Grid

Abstract:For cybersecurity concerns in smart girds, this paper has focused on the vulnerability analysis and defense technique against the Time Synchronization Attack (TSA). This kind of attack can spoof satellite-signal-based time synchronization processes that are widely utilized in modern power systems. A quick-impact TSA experiment is presented in this paper, based on live satellite signals and a commercial time server used in current smart grids. Experiment results are alarming. Intolerable timing errors have been imposed on the server within a few tens of seconds, and it hasn’t reported any alarms. So a new cybersecurity concern for distributed power systems is revealed: stealthy TSAs must be detected at the early stage due to their quick impacts, yet current studies have underestimated this problem. In response to this potential threat, a fast-triggered detection method is proposed in this paper. It is named the Rapid Detection of Signal Distortions (RDSD) and can detect early stage signal distortions caused by TSAs at the beginning. Apart from this ability, we have also verified, via simulations and real-world comparative experiments, that the proposed method can provide improved detection and false alarm rejection capacity compared with existing methods of this type. Overall, this paper can raise attention to the cybersecurity problem caused by TSAs and facilitate the defense against them in modern smart grids.

Fakhri Saadedeen,Anamitra Pal

DOI: https://doi.org/10.48550/arXiv.2110.03447

2021-10-06

Abstract:Prior research has demonstrated that global positioning system (GPS) spoofing attacks on phasor measurement units (PMUs) can cripple power system operation. This paper provides an experimental evidence of the feasibility of such an attack using commonly available digital radios known as software defined radio (SDR). It also introduces a novel countermeasure against such attacks using GPS signal redundancy and low power long range (LoRa) spread spectrum modulation technique. The proposed approach checks the integrity of the GPS signal at remote locations and compares the data with the PMUs current output. This countermeasure is a ready-to-deploy system that can provide an instant solution to the GPS spoofing detection problem for PMUs.

Cryptography and Security

K.Zhang,M. Spanghero,P. Papadimitratos

DOI: https://doi.org/10.1109/PLANS46316.2020.9110224

2022-02-22

Abstract:Global navigation satellite systems (GNSS) provide pervasive accurate positioning and timing services for a large gamut of applications, from Time based One-Time Passwords (TOPT), to power grid and cellular systems. However, there can be security concerns for the applications due to the vulnerability of GNSS. It is important to observe that GNSS receivers are components of platforms, in principle having rich connectivity to different network infrastructures. Of particular interest is the access to a variety of timing sources, as those can be used to validate GNSS-provided location and time. Therefore, we consider off-the-shelf platforms and how to detect if the GNSS receiver is attacked or not, by cross-checking the GNSS time and time from other available sources. First, we survey different technologies to analyze their availability, accuracy, and trustworthiness for time synchronization. Then, we propose a validation approach for absolute and relative time. Moreover, we design a framework and experimental setup for the evaluation of the results. Attacks can be detected based on WiFi supplied time when the adversary shifts the GNSS provided time, more than 23.942us; with Network Time Protocol (NTP) supplied time when the adversary-induced shift is more than 2.046ms. Consequently, the proposal significantly limits the capability of an adversary to manipulate the victim GNSS receiver.

Cryptography and Security

Imtiaj Khan,Virgilio Centeno

2023-09-13

Abstract:The Phasor Measurement Unit (PMU) is an important metering device for smart grid. Like any other Intelligent Electronic Device (IED), PMUs are prone to various types of cyberattacks. However, one form of attack is unique to the PMU, the GPS-spoofing attack, where the time and /or the one second pulse (1 PPS) that enables time synchronization are modified and the measurements are computed using the modified time reference. This article exploits the vulnerability of PMUs in their GPS time synchronization signal. At first, the paper proposes an undetectable gradual GPS-spoofing attack with small incremental angle deviation over time. The angle deviation changes power flow calculation through the branches of the grids, without alerting the System Operator (SO) during off-peak hour. The attacker keeps instigating slow incremental variation in power flow calculation caused by GPS-spoofing relentlessly over a long period of time, with a goal of causing the power flow calculation breach the MVA limit of the branch at peak-hour. The attack is applied by solving a convex optimization criterion at regular time interval, so that after a specific time period the attack vector incurs a significant change in the angle measurements transmitted by the PMU. Secondly, while the attack modifies the angle measurements with GPS-spoofing attack, it ensures the undetectibility of phase angle variation by keeping the attack vector less than attack detection threshold. The proposed attack model is tested with Weighted Least Squared Error (WLSE), Kalman Filtering, and Hankel-matrix based GPS-spoofing attack detection models. Finally, we have proposed a gradient of low-rank approximation of Hankel-matrix based detection method to detect such relentless small incremental GPS-spoofing attack.

Systems and Control

Weiyu Gao,Hong Li,Jianfeng Li,Mingquan Lu

DOI: https://doi.org/10.33012/2020.17721

2020-01-01

Abstract:The Global Navigation Satellite System (GNSS) serves people as an essential precise time synchronization source. However, to provide public services on a global scale, GNSS civil signals need to have open structures. And their power is much lower than thermal noises at the receiver end. These make spoofing a major threat and GNSS timing users are easy to be deceived by a kind of spoofing known as the Time Synchronization Attack (TSA). The real-world damage of TSA is proved by researchers and demands of TSA defense methods emerge. Typical anti-spoofing methods can bring some degrees of security, but they mainly focus on physical parameters that do not affect timing solutions. So attackers always have possibilities to cheat these methods. A more robust way is to directly monitor key timing results, like clock biases and clock drifts. Researchers have come up with several methods of this kind, but their requirements of complex computations and incessant mitigations may bring difficulties to actual usages. To complement these deficiencies, this paper proposes a TSA detection and discrimination method based on the abnormal similarity between signals from different satellites. Specifically, we calculate clock drifts from each satellite signal separately and monitor the correlation values of different clock drifts time-differenced sequences. As TSA signals need to avoid sudden changes in timing results and keep actual position solutions, spoofing is ought to maintain a same changing rate of pseudorange differences among all spoofing-authentic signal pairs. This additional similarity will greatly enlarge the correlation value, thus, TSA is revealed. After detected and discriminated by the proposed method, spoofing affects will be much easier to erase. We achieve this method by monitoring timing results only and requiring few complex computations, so it will be a sufficient complement to off-the-shelf real-world TSA defenses. Our motivations and method effects are verified on an open test-bed.

Weiyu Gao,Hong Li,Minghan Zhong,Mingquan Lu

DOI: https://doi.org/10.1109/tie.2022.3194578

IF: 7.7

2022-01-01

IEEE Transactions on Industrial Electronics

Abstract:This article is concerned with the security problem of industrial networks. Smart grids, telecommunications, and many other wide-area networks heavily depend on the time synchronization service of the global navigation satellite system (GNSS). This service is exposed to the time synchronization attack (TSA) which can spoof GNSS timing results and bring serious consequences. Therefore, to improve the time security of networks, a novel TSA detection method named the separate clock drift matched filter (SCD-MF) is introduced. It aims at concealed TSA signals that would not bring conspicuous abnormalities in positioning or timing solutions. This method works by monitoring the synchronicity of signal pseudorange measurements, which are expected to be synchronously changed by concealed TSA signals. This article also presents real-world experiment results. TSA detection experiments are done on a self-developed testbed that contains a real-time TSA spoofer. Compared with two benchmark methods, the SCD-MF shows better detection abilities in different conditions. Moreover, the detection performance of the SCD-MF method is analyzed both theoretically and experimentally.

Taimin Zhang,Yinan Wang,Xiao Liang,Zhou Zhuang,Wenyuan Xu

DOI: https://doi.org/10.1109/ccdc.2017.7978413

2017-01-01

Abstract:With the integration of computing, communication, and physical processes, the modern power grid is becoming a large and complex cyber physical power system (CPPS). This trend is intended to modernize and improve the efficiency of the power grid, yet it makes the CPPS vulnerable to potential cascading failures caused by cyber-attacks, e.g., the attacks that are originated by the cyber network of CPPS. To prevent these risks, it is essential to analyze how cyber-attacks can be conducted against the CPPS and how they can affect the power systems. In light of that General Packet Radio Service (GPRS) has been widely used in CPPS, this paper provides a case study by examining possible cyber-attacks against the cyber-physical power systems with GPRS-based SCADA system. We analyze the vulnerabilities of GPRS-based SCADA systems and focus on DoS attacks and message spoofing attacks. Furthermore, we show the consequence of these attacks against power systems by a simulation using the IEEE 9-node system, and the results show the validity of cascading failures propagated through the systems under our proposed attacks.

Sriramya Bhamidipati,Kyeong Jin Kim,Hongbo Sun,Philip Orlik

DOI: https://doi.org/10.1109/sahcn.2019.8824812

2019-01-01

Abstract:A wide-area time authentication algorithm is proposed to compute the Global Positioning System (GPS) timing that is resilient against spoofing attacks. The considered wide-area network consists of multiple GPS receiving systems, each comprising of the innovative distributed multiple directional antennas (DMDA) setup triggered via a common clock.Based on the communication infrastructure of the grid, the single-difference pseudorange residuals across the antennas are processed using the wide-area belief propagation-based extended Kalman filter (BP-EKF) algorithm in a distributed manner. To detect spoofing, a KL-divergence-based threshold is used to estimate the dissimilarity in the antenna-specific timing errors. Thereafter, the pseudoranges are corrected using the BP estimates of timing error and processed via adaptive EKF to compute the GPS timing, which is given to the phasor measurement units (PMUs). We have demonstrated the successfully detection and mitigation of the external timing attack, by subjecting one receiving system to a simulated meaconing attack that induces a 60 micro second time delay. Thereafter, by analyzing the voltage stability index of a critical node in the simulated grid, we have also validated the compliance of the proposed wide-area BP-EKF estimated timing with the IEEE-C37.118 standards.

Qian Wang,Zhaojun Lu,Mingze Gao,Gang Qu

DOI: https://doi.org/10.1109/icdsp.2018.8631600

2018-01-01

Abstract:Civilian GPS signals are becoming essential for the navigation systems in many applicators such as vehicles and smart phones. However, from a security perspective, GPS signals are vulnerable to the spoofing attacks. Several spoofing detection methods have been proposed, but most of them require extensive signal processing capabilities and additional equipment such as receivers. These add-ons may not be available for vehicles and smart phones. In this paper, we propose a novel edge computing based approach to reconstruct the lost GPS signal. The basic idea is to collect information at the edge nodes and use them to cross-validate the GPS signals received from the satellite. If there is any evidence of spoofing attacks, our method can reconstruct the GPS signal when the signal is unavailable or not trustworthy. Thus, this method could serve as a backup plan to cope with the failure of GPS for the navigation system. Based on real driving data, we can reconstruct the driving routes with an average error of 10 meters and 6 meters by two different methods. This is sufficiently accurate to detect all the simulated GPS spoofing attacks.

Jack Burbank,Trevor Greene,Naima Kaabouch

DOI: https://doi.org/10.3390/s24175529

IF: 3.9

2024-08-28

Sensors

Abstract:Modern systems and devices, including unmanned aerial systems (UASs), autonomous vehicles, and other unmanned and autonomous systems, commonly rely on the Global Positioning System (GPS) for positioning, navigation, and timing (PNT). Cellular mobile devices rely on GPS for PNT and location-based services. Many of these systems cannot function correctly without GPS; however, GPS signals are susceptible to a wide variety of signal-related disruptions and cyberattacks. GPS threat detection and mitigation have received significant attention recently. There are many surveys and systematic reviews in the literature related to GPS security; however, many existing reviews only briefly discuss GPS security within a larger discussion of cybersecurity. Other reviews focus on niche topics related to GPS security. There are no existing comprehensive reviews of GPS security issues in the literature. This paper fills that gap by providing a comprehensive treatment of GPS security, with an emphasis on UAS applications. This paper provides an overview of the threats to GPS and the state-of-the-art techniques for attack detection and countermeasures. Detection and mitigation approaches are categorized, and the strengths and weaknesses of existing approaches are identified. This paper also provides a comprehensive overview of the state-of-the-art on alternative positioning and navigation techniques in GPS-disrupted environments, discussing the strengths and weaknesses of existing approaches. Finally, this paper identifies gaps in existing research and future research directions.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Ying Zhang,Jianhui Wang,Jianzhe Liu

DOI: https://doi.org/10.1109/TSG.2019.2937554

2020-02-25

Abstract:Due to the vulnerability of civilian global positioning system (GPS) signals, the accuracy of phasor measurement units (PMUs) can be greatly compromised by GPS spoofing attacks (GSAs), which introduce phase shifts into true phase angle measurements. Focusing on simultaneous GSAs for multiple PMU locations, this paper proposes a novel identification and correction algorithm in distribution systems. A sensitivity analysis of state estimation residuals on a single GSA phase angle is firstly implemented. An identification algorithm using a probing technique is proposed to determine the locations of spoofed PMUs and the ranges of GSA phase shifts. Based on the identification results, these GSA phase shifts are determined via an estimation algorithm that minimizes the mismatch between measurements and system states. Further, with the attacked PMU data corrected, the system states are recovered. Simulations in unbalanced IEEE 34-bus and 123-bus distribution systems demonstrates the efficiency and accuracy of the proposed method.

Systems and Control

Sriramya Bhamidipati,Kyeong Jin Kim,Hongbo Sun,Philip V. Orlik

DOI: https://doi.org/10.1109/icc.2019.8761208

2019-01-01

Abstract:In power distribution networks, microgrids utilize Phasor Measurement Units (PMUs), to assess the voltage stability at critical nodes in the network. PMUs rely on precise time-keeping sources, such as GPS, to obtain synchronization. However, GPS signals are vulnerable to external spoofing attacks due to their unencrypted signal structure and low received power. To detect the spoofing-induced timing anomaly, an innovative geographically Distributed Multiple Directional Antennas (DMDA) setup is proposed, which is triggered using a common clock. Utilizing the configuration of the proposed DMDA, a Belief-Propagation (BP)-based Extended Kalman Filter (EKF) algorithm is developed to estimate the timing errors caused by spoofing. The BP-EKF algorithm analyzes the single difference pseudorange residuals across each pair of antennas in a probabilistic graphical framework not only to detect the spoofed antennas in the DMDA setup but also to estimate the timing errors associated with the spoofed antennas. Based on the BP estimate of timing error at each antenna and the known baseline distances across antennas, the pseudoranges are corrected, and then adaptive EKF is employed to estimate the GPS timing. The performance of the BP-EKF algorithm is assessed by subjecting the simulated authentic GPS signals to a simulated meaconing attack, which induces a time delay of 60 μs. Both successful detection of meaconing, and also accurate estimation of GPS timing that complies with the IEEE-C37.118 standards, is validated using the experimental results. At a critical node in the simulated microgrid, as compared to scalar tracking, an increased voltage stability is demonstrated using the BP-EKF by assessing a metric, namely, voltage stability index.

HUANG Xiang,JIANG Daozhuo

2010-01-01

Abstract:The high accuracy time synchronization signal based on global positioning system(GPS)is widely used in many fields like wide area measurement system(WAMS),but in actual applications some problems such as losing satellite lock will lead to synchronous clock signals getting out of sync.A high accuracy time keeping scheme by presetting time difference compensation is proposed.A high accuracy time keeping GPS timing system prototype based on GPS receiver and complex programmable logic device(CPLD)is developed.Comparative tests are made between the time keeping scheme proposed and the other two time keeping schemes,i.e.rising-edge time synchronization scheme and time difference feedback adjusting scheme.Test results show that when using the time keeping scheme proposed,the PPS(pulse per second)signal reaches an accuracy of ±300 ns under normal conditions and will ensure an accuracy of ±20 μs when losing satellite lock within 24 hours,which is obviously better than the other two schemes.

Ryan D. Restivo,Laurel C. Dodson,Jian Wang,Wenkai Tan,Yongxin Liu,Huihui Wang,Houbing Song

DOI: https://doi.org/10.1109/infocomwkshps57453.2023.10225980

2023-01-01

Abstract:With the development of the Internet of Things (IoT) and Cyber-Physical System (CPS), Unmanned Aerial Vehicles (UAVs) are deployed in various implementations which improve the performance of the IoT and reduce labor consumption significantly. As the core of UAV, Global Positioning System (GPS) is essential to provide the navigation information for UAVs to finish missions. GPS receives satellite signals and calculated localization so UAVs can recognize their positions. However, malicious attackers leverage the mechanism to generate forged GPS signals that can spoof UAV that has wrong positions. The wrong positions can lead to missions' failure and threaten public safety and private security. In this paper, we investigated the overview of GPS spoofing and explored the development of GPS spoofing on UAVs. This work can provide researchers with state-of-the-art GPS spoofing development on UAVs and inspiration for new directions in this field.

Qing Lu,Xuzhe Feng,Chao Zhou

DOI: https://doi.org/10.1109/jsen.2021.3088138

IF: 4.3

2021-09-01

IEEE Sensors Journal

Abstract:In human society, the normal operation of important infrastructures, such as the power system, communication system, and computer network depend on the precise time provided by stationary satellite timing receivers, which are vulnerable to a kind of spoofing interference called time-synchronization attack. The aim of the attacks is to change the time provided by receivers to other systems, resulting in system disorders. This paper presents a time-synchronization attack detection and weakening method to solve this problem. The proposed method can estimate the binomial model parameters of receiver clock bias and the clock bias attack values at all observation instants by solving an optimization problem. Once the existence of the attacks is detected, the estimated clock bias attack values are used to correct the clock bias, so as to weaken the time-synchronization attacks. According to the numerical simulation results and analysis, we find that the proposed method outperforms other algorithms mentioned in this paper. Because it can not only realize real-time detection, but also greatly weaken the impact of time-synchronization attacks, making the attacks almost invalid.

engineering, electrical & electronic,instruments & instrumentation,physics, applied

Junhwan Lee,Ahmad F. Taha,Nikolaos Gatsis,David Akopian

DOI: https://doi.org/10.48550/arXiv.1906.03928

2019-06-10

Abstract:The operation of critical infrastructures such as the electrical power grid, cellphone towers, and financial institutions relies on precise timing provided by stationary GPS receivers. These GPS devices are vulnerable to a type of spoofing called Time Synchronization Attack (TSA), whose objective is to maliciously alter the timing provided by the GPS receiver. The objective of this paper is to design a tuning-free, low memory robust estimator to mitigate such spoofing attacks. The contribution is that the proposed method dispenses with several limitations found in the existing state-of-the-art methods in the literature that require parameter tuning, availability of the statistical distributions of noise, real-time optimization, or heavy computations. Specifically, we (i) utilize an observer design for linear systems under unknown inputs, (ii) adjust it to include a state-correction algorithm, (iii) design a realistic experimental setup with real GPS data and sensible spoofing attacks, and (iv) showcase how the proposed tuning-free, low memory robust estimator can combat TSAs. Numerical tests with real GPS data demonstrate that accurate time can be provided to the user under various attack conditions.

Systems and Control,Optimization and Control