Okay, Jean-Michel is now going to talk to us about spoofing GPS. Okay, thanks for attending the presentation about GPS spoofing. So actually, when I submitted the talk, I knew we could spoof GPS, but I didn't know whether we could detect GPS spoofing. So there is a sequel to the presentation, which is GPS spoofing detection. That just worked on Monday, so it's quite fresh. So we're doing this work with Gwen, who's over there. He's going to run the demo while I'm talking. And my colleague from the Besançon Observatory. We're doing this for fun, and actually we're being paid for doing this for fun. This is a project funded by the French National Research Agency, and that's the nice thing: at university you get paid to have fun. So that's what we're doing here. So just as a quick reminder, what is GPS? GPS started as the NAVSTAR project, of course a DARPA project, started in 1973. Satellites started launching in 1978. And I don't think there was much public exposure, as initially it was mostly a military service, until Bill Clinton removed selective availability, or decided to have selective availability removed, in 2000, and then the resolution dropped from 45 meters more or less to 35 meters. And then your GPS becomes usable. So I think this is when GPS became ubiquitous in most of our daily activities, from getting to the right place to geolocating multiple activities on our mobile phones. The basic principle, and this will be the core topic, the core discussion of my presentation, is that GPS is basically a set of space-borne atomic clocks that generate high-stability reference signals. If you were here in 2015, I presented how to synchronize oscillators and how to use data from GPS, collecting the GPS signals using SDR. And you use trilateration, which means you look at the time of flight of the signal from all these satellites in space, and by looking at the intersection of hyperbolas, you end up finding where you're located on the Earth.
Now, this was all pretty fancy for the general public until software-defined radio grew impressively, and not only can you now receive signals, but you can also synthesize signals. So we're going to run the demo on the PlutoSDR. And nowadays, GPS spoofing has become a sub-hundred-euro activity. Of course, jamming has no interest. I mean, jamming is just sending a powerful signal. Spoofing is much more interesting. So why are we paid to work on this? It's not the most attractive reason, but that's actually the people who are paying for it. One of the reasons people are interested in using GPS is to synchronize clocks located in different places in space. Some of the people who are interested in this are traders. When you have trading centers, where did you buy the share first? Is it in New York, in Frankfurt, in Paris? These people want to know accurately the timing of their transactions. So if you look at this paper here, it's from the New York Times, so it's a general-public journal you can trust, or not trust the content, but it just illustrates why we're working on this. There is a new regulation that states that all financial institutions must synchronize their trades with microsecond accuracy. Now remember, light travels 300 meters per microsecond. Frankfurt is more than 300 meters from Paris. So how do you synchronize two clocks in Paris and in Frankfurt when they are more than 300 meters apart? And well, what it says here is Google would later use this method to synchronize computers based on GPS data. Thank you, Google. So people have been doing this for like 20, 30 years now, and GPS is accepted as one of the usual means of synchronizing spatially distributed data. So my talk here is: can you trust the time that you distribute with GPS?
So just as a very brief summary of what GPS looks like: GPS is actually a constellation of satellites, so atomic clocks, rubidium clocks and hydrogen masers embedded on space vehicles, and these atomic clocks send a code at one megabit per second which you receive on the ground, and by calculating the pseudorange, the pseudorange being defined as the time it took for a signal to go from satellite J down to the ground, divided by c, the velocity of light, you get estimates, by trilateration, of your position on the ground. Now, you're used to doing this in real time, but most professional users will be post-processing their GPS data, because these space vehicle positions are estimated: when the navigation data is sent from the satellite, they estimate for the next day where the satellite should be. Of course, the estimation has some error, and if you go for sub-meter positioning, which is what you do for geodetic analysis or for geophysical measurements, well, you need to get better accuracy. Imagine you want to be located on the ground with sub-meter resolution. It means you need to know where your space vehicle is with sub-meter resolution, and this you usually do with post-processing. So what you can find on the internet is a set of files that will not only give you the satellite positions in the future, but also the past measurements. These are called, or the format for sharing this data is, the RINEX files. These will be our input data. We will be able to spoof GPS by using the RINEX files and generate a virtual constellation based on this data. So you get these RINEX files of the observation of the navigation data of the satellites, and by doing this you can compute where the satellite should be. So what will be our spoofing technique? The spoofing technique will be the PlutoSDR. GPS is one megabit per second, so you need a two-megahertz bandwidth. The PlutoSDR has more than two megahertz of bandwidth, so perfect.
We can generate the data on the PlutoSDR. We did try to embed the software that we're using, which is the excellent software here, pluto-gps-sim, on the Zynq of the PlutoSDR. I think this software was not optimized enough, because it's very readable, but if it's readable it's not necessarily very optimized. So we did try to embed the software on the Zynq. You'd get this continuous data stream. So at the moment we still need to run this on the PC and stream the IQ coefficients to the PlutoSDR, which is what Gwen is doing at the moment. And actually, as I'm talking, if you want to check on your mobile phone, it could be that you're somewhere in the sea at the moment. So... We are streaming this data, and you see here the spectrum, so you start with that. So if you have a starting point of this real dBm, I just need a quick calculation to estimate the range of the attack. Of course, I don't want to move all of Brussels into the sea now. I just want to move this room into the sea. So if you do a quick calculation here, the standard of GPS, the definition of GPS published by the US Air Force, states that at a receiver you should have something like minus 130 dBm. Let's take a 6 dB safety margin. So it means that we transmit minus 30 dBm, because the PlutoSDR is designed to output 0 dBm, check, if it's on the carrier, and because you spread the spectrum over 1 megahertz, you drop 30 dB. So that's just your spectrum spreading over 1 megahertz. And because we're spreading the spectrum, we have a transmitted power of minus 30 dBm; the free-space propagation loss at 1.57 gigahertz is this equation. And if you do the maths, you end up finding that if you emit 0 dBm, your spoofing range is 800 meters. Just to give you a range: you're not going to attack a whole country by doing this. You're just going to attack a local area. Here we're spoofing with minus 20 dBm. So we drop the power.
We have a free-space range of about 80 meters. This we checked in our parking lot. It matches. We were more or less at 50 meters when we attacked. So just to tell you that we try to be knowledgeable about what we're doing here, not just sending power everywhere. Okay, so some of you might... has anyone been spoofed in the room? Yeah, good. Well, it's working very well. Good. So you see here that we moved most of you into the sea. So what Gwen did just before coming here, he collected on the internet the current RINEX file that gives you, for the last hour, the measured position of the satellites. And in this case, this is what we did in the lab. You see here one Samsung mobile phone that was not spoofed. It was still in Besançon, east of France, 47 degrees north. And in this example, this was the south of France, 42 degrees north. So two of the mobile phones, one Sony, one Samsung, were in the south of France. One was still in Besançon. Good. That works. Well, that works most of the time. It works very well with mobile phones, as I can see from all these hands raised in the room. However, does it work on UAVs? So all these little drones that you're buying for a few hundred euros. So on DJI drones, you have these u-blox receivers. u-blox is a Swiss company selling, I would say, high-grade low-cost GPS receivers. And the nice thing with u-blox is, when you're looking at your mobile phone, well, you get spoofed, but you don't know what happened. What is the quantity that might have protected against the spoofing? What's nice with the u-blox is that you get the raw data. So u-blox will give you the pseudorange. They will give you the Doppler shift. And they will give you some indicators, a spoofing and a jamming indicator. So you run this in the proprietary u-blox u-center software, which runs under Wine. And if you have an accurate source... so what we did here is, the clock that's provided with the PlutoSDR is a 40 megahertz temperature-compensated crystal oscillator.
I'll show you a bit later, but it can be off by a few ppm. An atomic clock will never be off by a few ppm, by a few ppb at most, parts per billion. So what we did here is we removed the quartz from the PlutoSDR, and we fed it with a hydrogen maser, so basically a very high-stability clock. And you see here that when we clocked the PlutoSDR with a hydrogen-maser-controlled source, well, we get nice Doppler shifts. If you do the calculation, if you do the maths, you will find out that due to the orbit of the GPS satellites, you define the period, 12 hours, and if you know the velocity of the satellite, which is the circumference of its orbit divided by the time, and you do the Doppler shift conversion from velocity to Doppler, you find that GPS can never be offset by more than plus or minus five kilohertz. And here it matches: two kilohertz, three kilohertz, minus one kilohertz, so you see all green with spoofed u-blox receivers. However, if we offset on purpose by 200 hertz our 40 megahertz synthesizer, you see that the Dopplers become unrealistic. We have 10 kilohertz. Physically, it's impossible to have GPS offset by 10 kilohertz. So indeed, the u-blox has identified that some of these satellite signals are not genuine, because there is a spoofing indicator. Well, maybe it's my mistake not to have activated all the security facilities of the u-blox, but at least this one was still giving us a position, the wrong position. It knew it was wrong, but it was still giving the position. So what can we do to improve this? Well, not everyone has a hydrogen maser at home, and we wanted to spoof cars, and cars were resistant, so I believe that cars do have these kinds of spoofing protection capabilities. So what we wanted to do here is, well, first of all, we tested that indeed the reason why cars could not be spoofed was our excessive frequency offset between the local oscillator and the expected oscillator.
So we did the attack with our hydrogen-maser-controlled local oscillator, and indeed the car located in Besançon, east of France, had its wheels in the sea somewhere near Brittany, so that worked. So indeed the problem is the local oscillator. So you might have seen me setting up a temperature-controlled crystal oscillator, so that's an OCXO. You can buy them for 100 euros on eBay. This particular one was salvaged from a broken frequency counter, so you go to your university, you look in the trash, you find old frequency counters, Hewlett-Packard frequency counters. Hewlett-Packard is obviously the best oscillator manufacturer. So you get one of these old synthesizers, you take the OCXO off, and you see here it's a 24 volt, 500 milliamp oven voltage supply and 12 volt, negligible current, to run the oscillator. So basically this runs on battery, and it means you have a mobile attack. You don't need to stay in the lab, as I'm demonstrating here. So what is the consequence, actually, because I'm coming from a laboratory dedicated to time and frequency. So what is the consequence of replacing the crystal oscillator? Wrong. What is the consequence? Just to introduce it to you a little bit, and then I will go to the detection. So what is the consequence of replacing the oscillator? I'm putting this graph here because I haven't seen these on any Analog Devices datasheet or any information. So this is the stability of a temperature-compensated crystal oscillator. You see here the crystal oscillator was running for three days. You are sold a 40 megahertz oscillator, but a crystal oscillator, a temperature-compensated crystal oscillator, is only passively compensated, meaning if the room temperature changes, well, it will shift a little bit. You see here it's moving by plus or minus 10 hertz. It might not sound much. 10 hertz over 40 megahertz is not much. Well, that's about 5 times 10 to the minus 8. That's awful for an oscillator.
I mean for a clock, if you say that GPS is made of atomic clocks, that's infinite. So what we did here is replace it with the OCXO, which is the blue line here. Since you have a one-pixel-wide blue line, what I did is I magnified the blue line into this one here. Notice that there is a thousand-fold scale increase from this scale for the TCXO to the OCXO. So what we did by replacing the TCXO with the OCXO, the temperature-compensated with the oven-controlled crystal oscillator, is we improved stability by four orders of magnitude. So you see here we go from about a few 10 to the minus 8 to a few 10 to the minus 13. That's a very good packet oscillator. And that explains to you why now it's working. However, this is a trade-off. This is the long-term stability, but there is another parameter that we are very much obsessed with, especially for radar applications. And that's short-term stability. So when you think of short-term, sub-second stability, you generally don't think about time but frequency, the inverse of time. So if you look at phase noise, phase noise is how much your oscillator fluctuates at a given, well, rate, which is the inverse of time. And what I find interesting is this curve. The black curve here is the onboard Rakon 40 megahertz TCXO provided by Analog Devices. And you see that on the long, sorry, on the short term, so large frequency, large offset frequency, we have excellent stability. They really chose a very good oscillator. However, well, it's only a TCXO. So when you go to longer durations, so frequencies closer to the carrier, that's 10 milliseconds, 100 milliseconds, one second from the carrier, you see that, of course, it diverges. Well, it's a TCXO. It moves with temperature. With the OCXO, we've solved the problem, but what you see here is that, so the PlutoSDR, you can find this on the Analog website, you don't need to clock it at 40 megahertz, and actually most OCXOs will be 10 megahertz. The standard is 10 megahertz.
So what I did here is I configured, or we configured with Gwen, the local oscillator to be 10, 20, 30, 40 megahertz. And what you see actually is that the PLL of the PlutoSDR is really not working very well at 10 megahertz. At 10 megahertz, this is a very good clock, but still the PLL internal to the PlutoSDR exhibits a high phase noise; 20 megahertz will be there, and only above 30 megahertz can you get the expected phase noise quality. So what would have been nice is to take the OCXO, clock a DDS to generate the 40 megahertz, and feed the PlutoSDR with the 40 megahertz locked on the OCXO. We didn't have time to do this. So just to introduce to you what the data is, why it has a consequence. Now if you think this is 10 dB, what is 10 dB, why does the PlutoSDR care about 10 dB? Remember that all this yellow vest movement in France, with all these strikes and riots, is a 0.8 dB rise in oil price, in gasoline price. So imagine how unhappy the PlutoSDR is when it sees this local oscillator. And I trust the time that is transmitted between trade centers using GPS. Now my colleague, François Meier, tells me never ever tune an atomic clock. An atomic clock might drift a little bit due to aging, due to pressure changes, due to environmental changes, but these are very deterministic changes. So you never ever tune an atomic clock. You measure the drift, and when you measure the drift, you inform the user of this drift, but you don't try tuning the atomic clock. So this is exactly what's done on GPS. On GPS, the time offset between the onboard atomic clocks and the ground atomic clocks at the USNO is measured, and they don't tune the oscillators aboard the satellite. They just inform the user of the frequency offset and linear drift, and my colleague François tells me that the quadratic term is actually always set to 0. So this is actually what you find in the spoofing software.
You see indeed that the clock is A0 plus time times A1 plus time squared times A2, plus the relativistic correction, plus the group delay between frequency 1 and frequency 2, the two carriers of GPS. And you have the first derivative here. So you see that indeed A0, A1, A2 determine the time, and what you can do here is you send this time in the navigation frames of your GPS signal. So what Gwen did here, so Gwen is going to jail and not me, what you see here is we introduced 5 times 10 to the minus 6, so 5 microseconds, in the A0 offset here, and indeed when you measure the 1PPS output of your u-blox GPS, you see that every two minutes time is shifted by 5 microseconds. So you can spoof time using this. Now the question was, if you spoof time, do you move in space? Well, no, because the whole constellation is jumping in time. So it means that the relative positions of the satellites are still the same. It's just the time that has shifted. So if you look at the position that was sent by the u-blox, we haven't moved. If you move by 10 microseconds, you'd expect to move by 3 kilometers, which is obviously not the case. You see that there's a little bit of a jump here, but we obviously did not move by the amount introduced by the jump of the time offset. So that demonstrates to you that, well, I wouldn't say it's an easy attack. I don't think it's a representative attack in real life, but I just wanted to make you think about: is such information reliable? It's been a long time since DARPA stopped relying on GPS. Now they have their own ground-based locating system. But for civilian use, this has huge... So it does have implications, in my opinion, about the trust we can have in GPS. Now, and this is where I have to... Okay. So now I would like to imagine what I can do to detect spoofing. Again, jamming is stupid. I mean, you take a spectrum analyzer, you look at your spectrum and you see jamming.
That's easy enough. How can you protect against spoofing? We've seen that there is Doppler. Well, Doppler, if you have a good enough local oscillator, you can simulate Doppler. There is power. Well, power, again, you can tune power so that the receiver believes that you're in the right power range. So I wouldn't consider these anti-spoofing techniques as reliable, because someone powerful enough can adapt power, can adapt frequency. I think there is one quantity that cannot be spoofed, and it's the fact that GPS is a constellation of satellites all over the sky, unless you do a spoofing attack with all of the spoofing antennas synchronized to sub-microseconds, which is a whole topic that we're discussing here. So in my opinion, looking at the angle of arrival of a signal is, I cannot imagine a way of countering this kind of detection. And of course, if you look at the Proceedings of the IEEE, a special issue in 2016 about GNSS sensitivity to attacks, you see that quite a few authors were interested in multi-antenna arrays and detecting the angle of arrival. So I will not get into the maths. I'm running out of time. But just imagine that if you have a source which is very far away, these are the far-field conditions. GPS is more than six meters away from the receiver of the GPS satellite. So far-field conditions are met. And then you have, between multiple antennas, a phase offset which is only dependent on the azimuth and elevation of your antenna. And this is an example from this paper here, which is cited in this paper, where the authors, you might have seen this, it was a yacht. They were trying to simulate how you could take a yacht to a wrong position. So they spoofed the GPS from one constellation, which is a genuine constellation, and they moved the yacht to the wrong place, which is just what we did a few minutes ago. And what these authors say is, look at the phase between antennas.
They have all collapsed to one value, of course, because your emitter is located in one place. The power has jumped. That's just because they didn't tune their power well enough. And the Doppler shift has changed shape. Well, that's just because they don't have a good local oscillator. But in my opinion, this is really the important part. Now, the problem for me is, when I read the paper, I just don't understand anything about what they did. I mean, they demonstrate that they go into tuning their PLL that locks on the phase copy on the DLL. I just cannot understand. So what I would like to show you, thanks to Paul Boven's presentation, so the next presenter's presentation in 2013, is what I think I devised, a very simple means of detecting this in a very computationally efficient way. Now, what I'm demonstrating here is a B210. The B210 here is connected through bias-Ts to two GPS antennas. You see the two GPS antennas on the top floor of our laboratory. Here, the B210 is collecting the two data streams. So I'm just saving the IQ coefficients on the computer. Now, your usual way of detecting GPS is to say, let's plot the Doppler shift for each satellite. We cross-correlate the Gold code for each Doppler shift, Doppler offset. And if there is the right Doppler offset, you see a little peak in the cross-correlation, which tells you this satellite is visible. That's the acquisition phase of GPS. And this is on both antennas. So both antennas are seeing the same satellites. Good. They're facing the same place. Now, what Paul told us in 2013 is that your GPS signal is proportional, there's a magnitude we don't care about, it's proportional to the Doppler shift, the BPSK phase, spectrum spreading, and the geometrical phase between the two antennas. Now, the problem, the challenge that was demonstrated by Paul, or shown by Paul, is that because of spectrum spreading, your GPS signal is below the thermal noise level.
At room temperature, your thermal noise in a bandwidth of two megahertz is minus 11 dBm. And your GPS signal by the standard is around minus 130 dBm. So you cannot detect GPS just by looking at a spectrum analyzer, unless you have the fine radio telescope that he's going to talk to us about. Now, what Paul told us is, if you want to get rid of the BPSK to collapse the spectrum, all you need to do is square the signal, because BPSK is a zero/pi phase. So if you square the signal, you double the argument. And by doubling the argument, you have zero or two pi, and two pi equals zero. So you collapse the spectrum. And all this energy that is spread over two megahertz is now concentrated in one peak that has risen by 30 dB. If you raise by 30 dB a signal that is better than minus 130 dBm, you go above the minus 11 dB and you can see your signal. And sure enough, if you do this, you get your peaks here with a frequency offset which is given by delta omega, the frequency shift. You've removed the BPSK modulation and you're only left with the geometrical phase. Is this true? Well, if I now look at this flow graph, where I do this just to save space, I run the file source or the USRP source. I run this into the multiplier to square the data. Once I've squared the data, I've collapsed the spectrum and I can just plot this. So this is live measurements on the B210. So you see all your satellites here. And sure enough, if I plot the phases of the spoofing signal, so you see this is quite recent, this was the 30th of January, so the spoofing signal, all the phases of all the satellites, each column here is a different satellite: they're all the same. That's not possible. All the satellites cannot be located in the same place. Now, there is a bit of a question that I might want to discuss with the guys of interest, because I'm not really clear why the phases change from one acquisition to another.
But if you look inside one data set, so these are 10-second measurements, if I look at various chunks of data, you always have the same phase. Somehow, when I stopped the Pluto and restarted it five minutes later, it was a bit offset. I don't know exactly why. And if you look at the genuine GPS constellation, all your satellites will exhibit different phases, meaning all the satellites are at different locations. So you see you have a very computationally efficient solution, because you just have to square your signal, look at the phase at the abscissa of each one of your peaks, and you get the phase of your signal. So as a conclusion, I want to show you that spoofing GPS is a good opportunity to demonstrate a detailed understanding of GPS signals. It's really easy to implement on the PlutoSDR, as you can see here on the desk. A B210 SDR can allow you to detect it. I don't claim to be doing a full GPS receiver, as the guys from GNSS-SDR are doing in Barcelona. I just claim to be running a very stupid script, a very computationally efficient script, on the B210 to measure the direction of arrival and detect where the signal is coming from. And so I consider this a good dual approach. Either you can have the full GNSS-SDR running on the B210, on the IQ coefficients, or have a real GPS receiver and my little approach here to detect spoofing. If you want to see a promotional video about what real people can do about spoofing GPS, if you think this is just a toy, and you have 40k euros to spare, you can see what Rohde & Schwarz is doing, and they will spoof any signal that you want. So what I'm saying here is, if you have enough money, what I'm showing here is realistic. For the French-speaking audience, all this is detailed in the current MISC issue, whose article is translated on the FOSDEM webpage for our English-speaking audience. The article that's in there has been translated to English for you. So you can have a look at these documents.
And with that, I thank you for your attention.
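The squaring detector from the last part of the talk, as an added example that is not the speaker's script or any project's code: it simulates two antennas receiving four satellites, with a random ±1 chip sequence standing in for the Gold code, a constructed -10 dB SNR, and each satellite's Doppler assumed already known from acquisition; it squares both streams to collapse the BPSK and compares each satellite's tone phase between the antennas, so a genuine sky gives four different phases while a single spoofing emitter gives one. It also makes explicit a point the talk passes over: squaring doubles the inter-antenna geometric phase, so what is compared is 2φ modulo 2π.

```python
import cmath
import math
import random

FS = 2_000_000.0         # sample rate (Hz): the ~2 MHz needed for GPS L1 C/A
CHIP_RATE = 1_000_000.0  # C/A code rate, "one megabit per second"
N = 40_000               # 20 ms of samples (constructed, kept short for runtime)
NOISE_VAR = 10.0         # noise power per complex sample: -10 dB per satellite
                         # (constructed; real GPS is nearer -20 dB, needs longer integration)

def spread_code(rng, n):
    """Random +/-1 chips, each held for FS/CHIP_RATE samples. A stand-in for a
    Gold code (constructed): the squaring trick only needs the 0/pi BPSK phase."""
    spc = int(FS / CHIP_RATE)
    chips = [rng.choice((-1.0, 1.0)) for _ in range(n // spc + 1)]
    return [chips[i // spc] for i in range(n)]

def satellite(rng, doppler_hz, phase_rad, n):
    """One satellite on antennas A and B: a BPSK-spread carrier at a Doppler offset.
    B sees the same samples rotated by the geometrical (direction-of-arrival) phase."""
    code = spread_code(rng, n)
    sig_a = [code[i] * cmath.exp(2j * math.pi * doppler_hz * i / FS) for i in range(n)]
    rot = cmath.exp(1j * phase_rad)
    return sig_a, [x * rot for x in sig_a]

def capture(rng, sats, n=N):
    """Sum all satellites on each antenna and add independent thermal noise."""
    ant_a, ant_b = [0j] * n, [0j] * n
    for doppler_hz, phase_rad in sats:
        sa, sb = satellite(rng, doppler_hz, phase_rad, n)
        for i in range(n):
            ant_a[i] += sa[i]
            ant_b[i] += sb[i]
    sd = math.sqrt(NOISE_VAR / 2)
    ant_a = [x + complex(rng.gauss(0, sd), rng.gauss(0, sd)) for x in ant_a]
    ant_b = [x + complex(rng.gauss(0, sd), rng.gauss(0, sd)) for x in ant_b]
    return ant_a, ant_b

def dft_bin(samples, freq_hz):
    """A single DFT coefficient at freq_hz (no FFT library needed)."""
    step = cmath.exp(-2j * math.pi * freq_hz / FS)
    acc, ph = 0j, 1 + 0j
    for x in samples:
        acc += x * ph
        ph *= step
    return acc

def collapse_and_measure(ant_a, ant_b, dopplers_hz):
    """Square both streams: the 0/pi code phase becomes 0/2pi and vanishes, so each
    satellite collapses to a tone at twice its Doppler (known from acquisition).
    Returns per satellite (tone-to-floor ratio in dB, inter-antenna phase of the
    tone). Squaring doubles the geometric phase too, so the value is 2*phase mod 2pi."""
    sq_a = [x * x for x in ant_a]
    sq_b = [x * x for x in ant_b]
    res = FS / len(ant_a)  # DFT bin spacing
    out = []
    for fd in dopplers_hz:
        tone = 2 * fd
        pa, pb = dft_bin(sq_a, tone), dft_bin(sq_b, tone)
        # noise floor: average power of a few bins away from the tone
        floor = sum(abs(dft_bin(sq_a, tone + k * res)) ** 2 for k in (-6, -5, 5, 6)) / 4
        out.append((10 * math.log10(abs(pa) ** 2 / floor), cmath.phase(pb * pa.conjugate())))
    return out

def phase_spread(phases):
    """Largest pairwise angular distance (rad): near 0 means one emitter."""
    wrap = lambda x: (x + math.pi) % (2 * math.pi) - math.pi
    return max(abs(wrap(p - q)) for p in phases for q in phases)

def run(seed=1):
    dopplers = [1500.0, -2300.0, 3100.0, -800.0]          # within the +/-5 kHz bound
    genuine = list(zip(dopplers, [0.3, 1.1, 2.0, -0.9]))  # four directions of arrival
    spoofed = list(zip(dopplers, [0.7] * 4))              # one emitter, one direction
    rng = random.Random(seed)
    g = collapse_and_measure(*capture(rng, genuine), dopplers)
    s = collapse_and_measure(*capture(rng, spoofed), dopplers)
    return {"genuine_spread": phase_spread([p for _, p in g]),
            "spoofed_spread": phase_spread([p for _, p in s]),
            "min_tone_db": min(db for db, _ in g + s)}

if __name__ == "__main__":
    print(run())  # genuine_spread > 2 rad, spoofed_spread < 0.8 rad, tones > 10 dB over floor
```

The pure-Python loops take a few seconds; on a real B210 capture you would replace `capture` with the recorded IQ streams and keep the squaring and per-peak phase comparison unchanged.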