Coherent Navigation
Candidate NonCryptographic GNSS
Spoofing Detection
Techniques
Brent Ledvina*, Isaac Miller, Bryan Galusha,
William Bencze, and Clark Cohen,
Coherent Navigation, Inc.
GNSS Security Splinter Meeting, Portland, OR
23 September 2010
*Adjunct Professor at Virginia Tech
Coherent Navigation
Protecting Civil GPS Receivers
 Critical infrastructure relies on civil GPS navigation and
timing
 Electrical grid timing and control
 Banking/financial transactions
 Commercial aircraft guidance and landing
 Communication systems (cellular)
 Public transportation
 Asset tracking
 Commercial fishing monitoring
 Vehicle mileage taxation
 Monitoring criminals
Non-cryptographic spoofing defenses provide some protection to civil
GNSS receivers
9/23/2010
Coherent Navigation
Goal and Motivation
 Goal
 Illustrate six candidate non-cryptographic spoofing detection techniques
 Motivation
 Non-cryptographic spoofing detection techniques could be implemented
today
 Non-cryptographic defenses are needed if one is concerned with encryption
or authentication key security breaches
9/23/2010
Coherent Navigation
The Sinister Threat: A Portable Receiver-Spoofer
Humphreys et al., 2008 and Montgomery et al.,
2009 described development and testing of
portable GPS L1 C/A code receiver-spoofer
GPS signal simulators, RF playback systems, and GPS repeaters are
also a threat
Coherent Navigation
Spoofing Attack Demonstration
Tracking Peak
9/23/2010
Coherent Navigation
Candidate Spoofing Defenses/Detection Techniques
1
Standalone Receiver-Based










2
Monitor the relative GPS signal strength
Monitor satellite identification codes and the number of satellite signals received
Check the time intervals
Do a time comparison (look at code phase jitter)
Monitor the absolute GPS signal strength
Data bit latency detection
Vestigial signal detection
Signal quality monitoring
Employ two antennas; check relative phase against know satellite
directions
Extended RAIM
External-Aiding


3
Perform a sanity check with relative position estimate (compare with IMU)
Compare with independent absolute position or time-bearing
information (e.g., Galileo and GLONASS)
Cryptographic


9/23/2010
Encrypt navigation message
Spreading code authentication
Defenses suggested by
Dept.of Homeland
Security (2003) in italics
Coherent Navigation
Data Bit Latency Detection (1/6)


GPS data bit time history


9/23/2010
Hard to retransmit data bits with
< 1ms latency
Detection Technique:

Modify PLL to look for
inconsistencies in data bits
on the order of 1 ms out of
20 ms data bit interval
Spoofer could employ data bit
prediction
Defense:

External input of
authenticated GPS data bits
Humphreys et al., 2008
Coherent Navigation
Vestigial Signal Detection (2/6)

Vestigial signal detection

Hard to conceal telltale counterfeit
peak in autocorrelation function
Detection Technique:

Search for vestigial signals

Monitor AGC for suspicious
increases in noise level

Great for detecting ongoing
attack
Vestigial Signal
9/23/2010
Humphreys et al., 2008
Coherent Navigation
Vestigial Signal Detection Cont’d
 Utilize standard techniques for GPS signal acquisition,
tracking, and data decoding
 Acquisition: Standard frequency-domain and time-domain acquisition
 Tracking: Standard code (DLL) and carrier (PLL) tracking loops
 Data decoding: Standard data decoding with parity checking
Coherent Navigation
Extended Receiver Autonomous Integrity
Monitoring (RAIM) (3/6)
 RAIM provides statistical method to detect signal with unacceptable
pseudorange error and remove it from navigation solution
 Vestigial signals could appear at an erroneous pseudorange or carrier
Doppler shift frequency
 Extend RAIM to include carrier Doppler shift frequency
 Create single test statistic based on pseudorange and carrier Doppler shift frequency
measurements
 Test statistic is normalized chi-square random variable with 2*N – 8 degrees of
freedom, where N is number of tracking signals
 Provides statistical hypothesis test to throw out at least 1 signal
Ledvina et al., ION NTM 2010
Coherent Navigation
GNSS Signal Quality Monitoring (4/6)
 Signal Quality Monitoring (SQM) designed to identify satellite
anomalies or faults
 Goal: Can we leverage SQM for spoofing detection?
 Two test statistics considered
 Delta Test: Detects asymmetries in the correlation functions (assumes carrier tracking
loop phase lock, Q ≈ 0)
 Ratio Test: Detects flat correlation peaks or abnormally sharp or elevated correlation
peaks
Ledvina et al., ION NTM 2010
Coherent Navigation
Testing SQM: Two Spoofing Signal Alignment
Techniques
 Two ways a counterfeit signal interacts with authentic signal
 1. Counterfeit signal marches into code phase alignment with authentic signal
 2. Counterfeit signal is code-phase aligned with authentic signals and grows in amplitude
 Do not necessarily assume carrier phase alignment
 Requires cm-level knowledge of 3-D vector between spoofer and target receiver
 Assume spoofer has a priori knowledge of 12.5-minute GPS
navigation message
9/23/2010
Coherent Navigation
Case 1: Counterfeit Signal Marching In
 +3dB counterfeit signal with two extremes of carrier phase
alignment
Perfect carrier phase alignment
9/23/2010
180 degrees out of phase
Coherent Navigation
Multi-Antenna Differential-Carrier-Phase
Spoofing (5/6)
13
9/23/2010
Montgomery et al., ION ITM 2009
Coherent Navigation
External Aiding: High-Quality Frequency Reference
(6/6)
Time and Frequency Synchronization via GPS Receivers
70% of GPS receivers are utilized for timing applications
providing time and frequency reference sources
GPS timing receivers
 Implemented with a high-quality crystal oscillator, a coupled GPS
receiver, and control logic
 Control logic cross-checks with high-quality oscillator providing some
protection against GPS time spoofing attacks
• Control logic implementation and oscillator quality primarily dictate rate at
which time spoofing attack can be successfully carried out
Symmetricom XL-GPS Time and Frequency Receiver
9/23/2010
Coherent Navigation
Conclusions
 Described six candidate spoofing detection techniques
 Spoofing detection
 Simple software-based solutions provide some protection
 Multi-antenna differential carrier phase and external aiding provide more protection
 Strength of each detection scheme needs to be mathematically
defined and tested to understand protection level
 Best Non-Cryptographic Spoofing Detection Technique
Multi-Antenna Differential Carrier Phase Spoofing Detection Technique
Coherent Navigation
Back-Up Slides
9/23/2010
Coherent Navigation
Additional Observations Relevant to Signal Quality
Monitoring
 Counterfeit signal +1dB above an authentic signal can cause
successful lift-off
 +3 dB counterfeit signal up to 30 degrees out-of-phase causes
detectable deconstructive interference
 Time rate of attack shortens deconstructive interference period, and
thus shortens time in which an attack can be detected
 Code tracking loop bandwidth becomes important for fast attacks
 Data bit latency or data bit errors causes deconstructive interference,
thereby improving detection
9/23/2010
Coherent Navigation
In-Line GPS Anti-Spoofing Module Architecture –
Adding Anti-Spoofing Defenses to Legacy GPS
Receivers
The GPS anti-spoofing module makes existing GPS equipment resistant
to spoofing without requiring hardware or software changes to the
equipment
18
Coherent Navigation
Case 2: Counterfeit Signal Growing in Amplitude
 Maximum +3dB counterfeit signal with two extremes of
carrier phase alignment
Perfect carrier phase alignment
9/23/2010
180 degrees out of phase
Coherent Navigation
Phasor Interpretation of Observations
 Baseband phasors in the complex plane can explain
observations