Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
1Activity
0 of .
Results for:
No results containing your search query
P. 1
Tippenhauer et al., 2011. On the Requirements for Successful GPS Spoofing Attacks

Tippenhauer et al., 2011. On the Requirements for Successful GPS Spoofing Attacks

Ratings: (0)|Views: 103 |Likes:
---
---

More info:

Categories:Types, Research
Published by: Foro Militar General on Dec 23, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

05/21/2013

pdf

text

original

 
On the Requirements for Successful GPS Spoofing Attacks
Nils Ole Tippenhauer
Dept. of Computer ScienceETH Zurich, Switzerland
tinils@inf.ethz.chChristina Pöpper
Dept. of Computer ScienceETH Zurich, Switzerland
poepperc@inf.ethz.chKasper B. Rasmussen
Computer Science Dept.UCI, Irvine, CA
kbrasmus@ics.uci.eduSrdjanˇCapkun
Dept. of Computer ScienceETH Zurich, Switzerland
capkuns@inf.ethz.ch
ABSTRACT
An increasing number of wireless applications rely on GPS signalsfor localization, navigation, and time synchronization. However,civilian GPS signals are known to be susceptible to spoofing at-tacks which make GPS receivers in range believe that they resideat locations different than their real physical locations. In this pa-per, we investigate the requirements for successful GPS spoofingattacks on individuals and groups of victims with civilian or mili-tary GPS receivers. In particular, we are interested in identifyingfrom which locations and with which precision the attacker needsto generate its signals in order to successfully spoof the receivers.We will show, for example, that any number of receivers caneasily be spoofed to one arbitrary location; however, the attacker isrestricted to only few transmission locations when spoofing a groupof receivers while preserving their constellation.In addition, we investigate the practical aspects of a satellite-lock takeover, in which a victim receives spoofed signals after firstbeing locked on to legitimate GPS signals. Using a civilian GPSsignal generator, we perform a set of experiments and find the min-imal precision of the attacker’s spoofing signals required for covertsatellite-lock takeover.
Categories and Subject Descriptors
C.2.1 [
Computer Systems Organization
]: Computer-Communication Networks—
 Network Architecture and Design
General Terms
Security, Experimentation
1. INTRODUCTION
The Global Positioning System (GPS), originally introduced bythe US military, has become an essential component for numerouscivilian applications. Unlike military GPS signals, civilian GPSsignals are not encrypted or authenticated and were never intendedfor safety- and security-critical applications. Nevertheless, GPS-provided locations are being used in applications such as vehicu-lar navigation and aviation, asset monitoring (e.g., cargo tracking),
Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.
CCS’11,
October 17–21, 2011, Chicago, Illinois, USA.Copyright 2011 ACM 978-1-4503-0948-6/11/10 ...$10.00.
and location-based services (e.g., routing) [23]. The use of theGPS system also includes time synchronization; examples are timestamping in security videos and critical time synchronization in fi-nancial, telecommunications and computer networks. Users highlyrely on the precision and correctness of GPS location and time:transport companies track trucks, cargoes, and goods under GPSsurveillance, and courts rely on criminals being correctly trackedby GPS-based ankle monitors.This heavy reliance on civilian GPS—following the discontinu-ation of the selective availability feature of GPS in the year 2000—motivated a number of investigations on the security of GPS. Theseinvestigations found that civilian GPS is susceptible to jammingand spoofing attacks [9, 11, 16, 19]. Successful spoofing experi-ments on standard receivers have been reported [7, 24], showingthat commercial-off-the-shelf receivers do not detect such attacks.The increased availability of programmable radio platforms such asUSRPs [5] leads to a reduced cost of attacks on GPS. However, therequirements for GPS spoofing were so far not analyzed systemati-cally and many of the previously proposed countermeasures [8,16]assume a weak attacker that is, e.g., not able to generate signalswith sufficient precision.In this work, we investigate spoofing attacks on civilian and mil-itary GPS and analyze the requirements for their success as well astheir limitations in practice. We divide the problem of GPS spoof-ing into the following two problems: (i) sending the correct spoof-ing signals such that they reach the receiver with the right timing,and (ii) getting a victim that is already synchronized to the legiti-mate GPS service to lock onto the attacker’s spoofing signal. Re-garding the first problem, we analyze the effects of GPS spoofingsignals on multiple receivers and analyze under which conditions a
group
of victims can be spoofed such that, e.g., their mutual dis-tances are preserved. Our analysis shows that, in order to spoof agroup of victims while preserving the mutual distances, the attackercan only transmit from a restricted set of locations. To the best of our knowledge, such an analysis has not been done before. Thesecond problem of taking over the satellite lock is relevant for per-forming attacks in real-world situations. In most cases, the victimwill have been receiving legitimate GPS signals when the spoofingattack starts. It is thus important to know the required
precision
of the spoofing signal such that the victim seamlessly (i.e., with-out detection) switches lock from the legitimate GPS signal to theattacker’s spoofing signal. We explore the influence of imperfec-tions (in different aspects of signal power and timing) in a series of experiments and discuss the findings.The structure of the paper is as follows. We give backgroundinformation on GPS positioning and discuss related work on GPSspoofing in Section 2. We introduce the GPS spoofing problemand our system and attacker models in Section 3. In Section 4,
 
we analyze under which conditions GPS spoofing attacks are suc-cessful on single victims and groups of victims. The results of ourexperimental evaluation are presented in Section 5. In Section 6,we introduce a novel countermeasure which is based on multiplereceivers. We conclude the paper in Section 7.
2. BACKGROUND
In this section, we introduce the fundamental concepts of GPS(based on [11]) which are necessary for this work. We also sum-marize related work on the security of GPS.
2.1 The Global Positioning System
The Global Positioning System (GPS) uses a number of satel-lite transmitters
i
located at known locations
L
Si
R
3
. Eachtransmitter is equipped with a synchronized clock with no clock offset to the exact system time
t
S
and broadcasts a carefully cho-sen navigation signal
s
i
(
t
)
(low auto-/cross-correlation
1
, includingtimestamps and information on the satellites’ deviation from thepredicted trajectories). The signal propagates with speed
c
(seeFigure 1).A receiver
located at the coordinates
L
R
3
(to be deter-mined) and using an omnidirectional antenna will receive the com-bined signal of all satellites in range:
g
(
L,t
) =
i
A
i
s
i
t
|
L
Si
L
|
c
+
n
(
L,t
)
(1)where
A
i
is the attenuation that the signal suffers on its way from
L
Si
to
L
,
|
L
Si
L
|
denotes the Euclidean distance between
L
Si
and
L
, and
n
(
L,t
)
is background noise.Due to the properties of the signals
s
i
(
t
)
, the receiver can sepa-rate the individual terms of this sum and extract the relative spread-ing code phase, satellite ID, and data content using a replica of theused spreading code. Given the data and relative phase offsets, thereceiver can identify the time delay
|
L
Si
L
|
/c
for each satelliteand from that infer the “ranges”
d
i
=
|
L
Si
L
|
.
(2)With three known ranges
d
i
to known transmitter positions
L
Si
,three equations (2) can be solved unambiguously for
L
(unless allthree
i
are located on a line). Since highly stable clocks (e.g.,cesium oscillators) are costly and GPS receivers cannot participatein two-way clock synchronization, in practice,
will have a clock offset
δ
to the exact system time:
t
=
t
S
+
δ
. With this, Eq. 1 canbe rewritten:
g
(
L,t
S
) =
i
A
i
s
i
t
d
i
c
δ
+
n
(
L,t
S
)
(3)where the receiver can only infer the “pseudoranges”
R
i
from thedelays
d
i
/c
+
δ
:
R
i
=
d
i
+
c
·
δ.
(4)The clock offset
δ
adds a fourth unknown scalar. With pseudo-range measurements to at least four transmitters
i
, the resultingsystem of equations (4) can be solved for both
L
and
δ
, providingboth the exact position and time, without requiring a precise localclock. Given
L
Si
= (
x
Si
,y
Si
,z
Si
)
,
L
= (
x,y,z
)
, and
∆ =
c
·
δ
, wecan transform (4) into the following set of equations [1]:
(
x
x
Si
)
2
+ (
y
y
Si
)
2
+ (
z
z
Si
)
2
= (
R
i
∆)
2
i
(5)
1
In civilian GPS, the signals are spread using publicly knownspreading codes. The codes used for military GPS are kept secret;they serve for signal hiding and authentication.
Figure 1: A GPS receiver
works by observing the signalsfrom a set of satellites. The relative delays of the signals
s
i
(
t
)
can be used to solve four equations which determine the 3-dimensional position
L
and the time offset
δ
of the receiver
.
Geometrically, givena
, each
i
’sequationtranslatesintoaspherewith
L
Si
being the center. The set of equations (5) is overdeter-mined for more than four satellites and generally does not have aunique solution for
L
because of data noise. It can be solved by nu-mericalmethodssuchasaleast-mean-squareapproachorNewton’smethod [1].
2.2 Related Work
In 2001, the Volpe report [8] identified that (malicious) interfer-ence with the civilian GPS signal is a serious problem. Startingwith this report, practical spoofing attacks were discussed in sev-eral publications. In [24], the authors use a WelNavigate GS720satellite simulator mounted in a truck to attack a target receiver ina second truck. The authors succeeded in taking over the victim’ssatellite lock by manually placing an antenna close to the victim’sreceiver. After the victim was locked onto the attacker’s signalthe spoofing signal could be sent from a larger distance. Insteadof using a GPS simulator, the authors of [7] create GPS spoofingsignals by decoding legitimate GPS signals and generating time-shifted copies which are then transmitted with higher energy toovershadow the original signals; a similar approach is also usedin [14]. This approach requires less expensive equipment but intro-duces considerable delays between the legitimate and the spoofedsignals. GPS spoofing attacks are discussed analytically in [11],showing that an attacker can manipulate the arrival times of mil-itary and civilian GPS signals by pulse-delaying or replaying (in-dividual) navigation signals with a delay. We note that there is nounique attacker model used for spoofing attacks, and thus the as-sumptions on the attacker’s capabilities vary between these works.Given the lack of attacker models, the proposed countermeasuresrange from simple measures to constant monitoring of the channel.In [8], consistency checks based on inertial sensors, cryptographicauthentication, and discrimination based on signal strength, time-of-arrival, polarization, and angle-of-arrival are proposed. The au-thors of [16,17,25] propose countermeasures based on detectingthe side effects of a (not seamless) hostile satellite-lock takeover,e.g., by monitoring the local clock and Doppler shift of the sig-nals. Kuhn proposes an asymmetric scheme in [11], based on thedelayed disclosure of the spreading code and timing information.In general, countermeasures that rely on modifications of the GPSsatellite signals or the infrastructure (such as [11] and certain pro-posals in [8]) are unlikely to be implemented in the near future dueto long procurement and deployment cycles. At the same time,countermeasures based on lock interrupts or signal jumps do notdetect seamless satellite-lock takeovers.Few publications [3,12–14] present experimental data on the ef-fects seen by the victim during a spoofing attack. The authors
 
Figure 2: Basic attack scenario. (a) Visualization of the setup.The victim uses a GPS-based localization system and is syn-chronized to the legitimate satellites. (b) Abstract representa-tion of the scene. (c) The attacker starts sending own spoofingand jamming signals. (d) The victim synchronizes to the at-tacker’s signals.
of [13] use a setup based on two antennas to measure the phasedifference for each satellite to detect the lock takeover. [3] and [14]analyze the spoofing effect on the carrier and code level. The au-thors of [12] present a device that prevents spoofing by monitor-ing and potentially suppressing the received signals before they areprocessed by the GPS receiver.All works above only consider attacks on single GPS receiversbut not on groups of receivers. In addition, none of them inves-tigated the requirements for successful attacks on public GPS re-ceivers, such as required precision of the attacker’s spoofing sig-nals. Although we expect that more works on GPS spoofing andanti-spoofing countermeasures were performed in classified (mili-tary) settings, they are not accessible to the public.
3. PROBLEM FORMULATION
In order to give an intuition of the problem, we present our moti-vation and an exemplary use case. Then, we define our system andattacker models and formulate the GPS spoofing problem.
3.1 Motivation
The fundamental reasons why GPS spoofing works have beendiscussed in the literature before, and spoofing attacks have beendemonstrated on single receivers experimentally. In this work, weshow under which conditions the attacker can establish the cor-rect parameters to launch a successful spoofing attack on one ormore victims, and later in the experiments, how inaccuracies inthese parameters influence the lock takeover during the attack. Thisanalysis enables us to identify which attacks are theoretically pos-sible and which attacks would be noticeable as (potentially non-malicious) signal loss at the GPS receivers. This is important forproposing effective receiver-based countermeasures, which are notimplemented yet in current standard GPS receivers.Our work is further motivated by the real-life spoofing attacks,e.g.theonereportedin[24]. Inthisscenario, acargotruck(thevic-tim), had a GPS unit that was housed in a tamper-proof casing andwas sending cryptographically authenticated status updates with afixed rate to a monitoring center. The attacker planned to steal thetruck to get access to its loaded goods at a remote place. He gotclose to the victim and started transmitting forged (spoofed) sig-nals in order to modify the location computed by the receiver (seeFigure 2). In this setting, if the attacker can influence the local-ization process, he can make the victim report any position to the
i
i
-th satellite
A
i
i
-th attacker unit
L
Si
coordinates of 
i
Ai
physical coordinates of 
A
i
s
i
signal sent by
i
L
Ai
claimed coordinates of 
A
i
j
j
-th victim (receiver)
s
Ai
signal sent by
A
i
L
j
GPS coordinates of 
j
δ
Ai
time offset of 
s
Ai
L
j
spoofed coordinates of 
j
δ
j
GPS clock offset of 
j
j
physical coordinates of 
j
δ
j
spoofed clock offset of 
j
R
ij
j
’s calculated PR to
i
c
signal propagation speed
R
Aij
j
’s spoofed PR (by
A
i
)
j
=
δ
j
·
c
Table 1: Summary of notations (
PR = pseudorange).monitoring center and thus steal the truck without raising suspicionor revealing the truck’s real location.
3.2 System Model
Our system consists of a set of legitimate GPS satellites and aset
of victims (see Table 1 for notations used). Each victim isequipped with a GPS receiver that can compute the current positionand time as described in Section 2. We assume that each receiver
j
is able to receive wireless GPS signals, compute its po-sition, and store its position/time-tuples. If several GPS receiversbelong to a common group (e.g., they are mounted on the samevehicle), we assume that they can communicate to exchange theircomputed locations or are aware of the group’s (fixed) formation.The GPS location of each individual victim
j
is given byits coordinates
L
j
R
3
in space and the victim’s clock offset
δ
j
with respect to the GPS system time
t
S
. We note that the computedGPS coordinates
L
j
and clock offset
δ
j
do not necessarily corre-spond to the true (physical) coordinates
j
R
3
and time.
2
Wedefine the local time of 
j
as
t
j
=
t
S
+
δ
j
, i.e.,
δ
j
<
0
refers toan internal clock that lags behind. We use
L
to denote the set of GPS locations of the victims in
. A GPS spoofing attack may ma-nipulate a receiver’s coordinates in space and/or its local time. Wedenote a victim’s spoofed coordinates by
L
j
R
3
and the spoofedtime offset by
δ
j
. We use
L
for the set of spoofed victim locations.In our analysis in Section 4, we distinguish between
civilianGPS
, which uses the public C/A codes so that each satellite sig-nal
s
i
contains only public information, and
military GPS
, whichprovides authentic, confidential signals using the secret P(Y) codes.In the experimental evaluation in Section 5, we use a satellite signalgenerator for civilian GPS.
3.3 Attacker Model
GPS signals can be trivially spoofed under a Dolev-Yao [4]-likeattacker that is able to fully control the wireless traffic by inter-cepting, injecting, modifying, replaying, delaying, and blockingmessages without temporal constraints
for individual receivers
, seeFigure 3(b). If the attacker has full control over the input to eachindividual receiver antenna, he can send the signals as they wouldbe received at any location
L
j
. This would, however, require theattacker to either be very close to each receiver or to use directionalantennas with narrow beam widths and shielding to prevent that thesignals intended for one victim are also received by another victim;in both cases, the number of required attacker antennas would belinear in the number of victims. In this work we assume that thesignals sent by the attacker are transmitted wirelessly and that theywill be received by all victims in
, see Figure 3(a).The attacker controls a set of wireless transmitters that he canmove and position independently. We denote by
Ai
R
3
the
2
Typically, the difference
|
L
|
is less than a few meters [22].

You're Reading a Free Preview

Download
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->