Candidate Non-Cryptographic GNSS Spoofing Detection Techniques

Brent Ledvina*, Isaac Miller, Bryan Galusha, William Bencze, and Clark Cohen
Coherent Navigation, Inc.
GNSS Security Splinter Meeting, Portland, OR
23 September 2010
*Adjunct Professor at Virginia Tech


Protecting Civil GPS Receivers

• Critical infrastructure relies on civil GPS navigation and timing
    • Electrical grid timing and control
    • Banking/financial transactions
    • Commercial aircraft guidance and landing
    • Communication systems (cellular)
    • Public transportation
    • Asset tracking
    • Commercial fishing monitoring
    • Vehicle mileage taxation
    • Monitoring criminals
• Non-cryptographic spoofing defenses provide some protection to civil GNSS receivers


Goal and Motivation

Goal
• Illustrate six candidate non-cryptographic spoofing detection techniques

Motivation
• Non-cryptographic spoofing detection techniques could be implemented today
• Non-cryptographic defenses are needed if one is concerned with encryption or authentication key security breaches


The Sinister Threat: A Portable Receiver-Spoofer

• Humphreys et al., 2008 and Montgomery et al., 2009 described development and testing of a portable GPS L1 C/A code receiver-spoofer
• GPS signal simulators, RF playback systems, and GPS repeaters are also a threat


Spoofing Attack Demonstration

[Figure: spoofing attack demonstration, with the label "Tracking Peak"]


Candidate Spoofing Defenses/Detection Techniques

1. Standalone Receiver-Based
    • Monitor the relative GPS signal strength
    • Monitor satellite identification codes and the number of satellite signals received
    • Check the time intervals
    • Do a time comparison (look at code phase jitter)
    • Monitor the absolute GPS signal strength
    • Data bit latency detection
    • Vestigial signal detection
    • Signal quality monitoring
    • Employ two antennas; check relative phase against known satellite directions
    • Extended RAIM
2. External-Aiding
    • Perform a sanity check with relative position estimate (compare with IMU)
    • Compare with independent absolute position or time-bearing information (e.g., Galileo and GLONASS)
3. Cryptographic
    • Encrypt navigation message
    • Spreading code authentication

Defenses suggested by Dept. of Homeland Security (2003) in italics


Data Bit Latency Detection (1/6)

[Figure: GPS data bit time history]

• Hard to retransmit data bits with < 1 ms latency
• Detection Technique: Modify PLL to look for inconsistencies in data bits on the order of 1 ms out of 20 ms data bit interval
• Spoofer could employ data bit prediction
    • Defense: External input of authenticated GPS data bits

Humphreys et al., 2008


Vestigial Signal Detection (2/6)

• Vestigial signal detection
    • Hard to conceal telltale counterfeit peak in autocorrelation function
• Detection Technique:
    • Search for vestigial signals
    • Monitor AGC for suspicious increases in noise level
• Great for detecting ongoing attack

[Figure: autocorrelation function, with the label "Vestigial Signal"]

Humphreys et al., 2008


Vestigial Signal Detection Cont'd

• Utilize standard techniques for GPS signal acquisition, tracking, and data decoding
    • Acquisition: Standard frequency-domain and time-domain acquisition
    • Tracking: Standard code (DLL) and carrier (PLL) tracking loops
    • Data decoding: Standard data decoding with parity checking


Extended Receiver Autonomous Integrity Monitoring (RAIM) (3/6)

• RAIM provides statistical method to detect signal with unacceptable pseudorange error and remove it from navigation solution
• Vestigial signals could appear at an erroneous pseudorange or carrier Doppler shift frequency
• Extend RAIM to include carrier Doppler shift frequency
    • Create single test statistic based on pseudorange and carrier Doppler shift frequency measurements
    • Test statistic is normalized chi-square random variable with 2*N – 8 degrees of freedom, where N is number of tracking signals
    • Provides statistical hypothesis test to throw out at least 1 signal

Ledvina et al., ION NTM 2010


GNSS Signal Quality Monitoring (4/6)

• Signal Quality Monitoring (SQM) designed to identify satellite anomalies or faults
• Goal: Can we leverage SQM for spoofing detection?
• Two test statistics considered
    • Delta Test: Detects asymmetries in the correlation functions (assumes carrier tracking loop phase lock, Q ≈ 0)
    • Ratio Test: Detects flat correlation peaks or abnormally sharp or elevated correlation peaks

Ledvina et al., ION NTM 2010


Testing SQM: Two Spoofing Signal Alignment Techniques

• Two ways a counterfeit signal interacts with authentic signal
    1. Counterfeit signal marches into code phase alignment with authentic signal
    2. Counterfeit signal is code-phase aligned with authentic signals and grows in amplitude
• Do not necessarily assume carrier phase alignment
    • Requires cm-level knowledge of 3-D vector between spoofer and target receiver
• Assume spoofer has a priori knowledge of 12.5-minute GPS navigation message


Case 1: Counterfeit Signal Marching In

+3 dB counterfeit signal with two extremes of carrier phase alignment

[Figure panels: "Perfect carrier phase alignment" and "180 degrees out of phase"]


Multi-Antenna Differential-Carrier-Phase Spoofing (5/6)

Montgomery et al., ION ITM 2009


External Aiding: High-Quality Frequency Reference (6/6)

Time and Frequency Synchronization via GPS Receivers
• 70% of GPS receivers are utilized for timing applications providing time and frequency reference sources

GPS timing receivers
• Implemented with a high-quality crystal oscillator, a coupled GPS receiver, and control logic
• Control logic cross-checks with high-quality oscillator providing some protection against GPS time spoofing attacks
    • Control logic implementation and oscillator quality primarily dictate rate at which time spoofing attack can be successfully carried out

[Figure: Symmetricom XL-GPS Time and Frequency Receiver]


Conclusions

• Described six candidate spoofing detection techniques
• Spoofing detection
    • Simple software-based solutions provide some protection
    • Multi-antenna differential carrier phase and external aiding provide more protection
• Strength of each detection scheme needs to be mathematically defined and tested to understand protection level

Best Non-Cryptographic Spoofing Detection Technique
• Multi-Antenna Differential Carrier Phase Spoofing Detection Technique


Back-Up Slides


Additional Observations Relevant to Signal Quality Monitoring

• Counterfeit signal +1 dB above an authentic signal can cause successful lift-off
• +3 dB counterfeit signal up to 30 degrees out-of-phase causes detectable destructive interference
• Time rate of attack shortens destructive interference period, and thus shortens time in which an attack can be detected
    • Code tracking loop bandwidth becomes important for fast attacks
• Data bit latency or data bit errors cause destructive interference, thereby improving detection


In-Line GPS Anti-Spoofing Module Architecture – Adding Anti-Spoofing Defenses to Legacy GPS Receivers

• The GPS anti-spoofing module makes existing GPS equipment resistant to spoofing without requiring hardware or software changes to the equipment


Case 2: Counterfeit Signal Growing in Amplitude

Maximum +3 dB counterfeit signal with two extremes of carrier phase alignment

[Figure panels: "Perfect carrier phase alignment" and "180 degrees out of phase"]


Phasor Interpretation of Observations

• Baseband phasors in the complex plane can explain observations
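

Added example (not from the original slides or from Coherent Navigation): a noise-free phasor model of the Delta and Ratio tests from the Signal Quality Monitoring slide, swept over the Case 1 "marching in" scenario for the two carrier-phase extremes. The test-statistic formulas are the commonly used SQM definitions, which the slides do not state; the ideal triangular correlation peak, the half-chip correlator spacing, the tracking point held on the authentic peak, and the alarm threshold are all assumptions made for illustration.

```python
import cmath
import math

SPACING = 0.5        # early/late correlator offset from prompt, in chips (assumed)
NOMINAL_RATIO = 0.5  # (E+L)/(2P) for a clean triangle at this spacing
THRESHOLD = 0.05     # constructed alarm threshold; real ones come from noise statistics

def tri(tau):
    """Ideal C/A-code autocorrelation: unit triangle, one chip wide per side."""
    return max(0.0, 1.0 - abs(tau))

def in_phase(tau, offset, gain_db, phase_deg):
    """I-channel correlator output at code offset tau (chips).

    The authentic signal is the phasor 1+0j peaking at tau=0. The counterfeit
    phasor is scaled by its relative power and rotated by its relative carrier
    phase, and its triangle peaks at tau=offset.
    """
    spoof = 10 ** (gain_db / 20) * cmath.exp(1j * math.radians(phase_deg))
    return (tri(tau) + spoof * tri(tau - offset)).real

def sqm(offset, gain_db, phase_deg):
    """Return (delta, ratio, flagged) for one counterfeit code offset."""
    early, prompt, late = (in_phase(t, offset, gain_db, phase_deg)
                           for t in (-SPACING, 0.0, SPACING))
    if abs(prompt) < 1e-9:                  # prompt cancelled by the counterfeit
        return math.inf, math.inf, True
    delta = (early - late) / (2 * prompt)   # asymmetry of the peak
    ratio = (early + late) / (2 * prompt)   # flatness or sharpness of the peak
    flagged = abs(delta) > THRESHOLD or abs(ratio - NOMINAL_RATIO) > THRESHOLD
    return delta, ratio, flagged

def march_in(gain_db, phase_deg, start_chips=2.0, steps=40):
    """Case 1: sweep the counterfeit from start_chips to 0; list flagged offsets."""
    offsets = [start_chips * k / steps for k in range(steps, -1, -1)]
    return [o for o in offsets if sqm(o, gain_db, phase_deg)[2]]

if __name__ == "__main__":
    for phase in (0.0, 180.0):
        hits = march_in(3.0, phase)
        print(f"phase {phase:5.1f} deg: flagged from {max(hits):.2f} to "
              f"{min(hits):.2f} chips")
```

In this model both statistics return to their nominal values once the counterfeit peak sits exactly on the authentic one, which matches the slides' point that the distortion, and therefore the detection window, exists only while the attack is in progress.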