Hello, I'm Harshad Sathaye from Northeastern University, Boston. Today we are going to look at some basic attacks on GPS. This talk is adapted from a wireless security course taught by Professor Aanjhan Ranganathan at Northeastern University and from similar courses taught at ETH Zurich and EPFL.

In 2011, Iran became the first country to officially announce a GPS spoofing capability when it hijacked a US drone operating along its border. Soon after that, Professor Humphreys from the University of Texas at Austin demonstrated a similar attack. There are several reports of GPS spoofing, including an incident where two naval ships were steered off course, and there have been instances of intriguing "crop circles" and ghost ships appearing in Shanghai. GPS is used not only for navigation and positioning but also for precise timing and synchronization. A paper published in 2012 evaluated the effects of GPS spoofing on power grids and concluded that they are extremely vulnerable to timing attacks. In today's world, GPS is encountered everywhere, including in critical cyber-physical systems like power grids, autonomous vehicles and avionics. The widespread availability of open-source tools and cheap off-the-shelf equipment has made GPS attacks quite trivial.

GPS is a satellite-based navigation system with about 31 satellites orbiting the Earth. Each satellite transmits navigation messages which contain its location and precise timing information, and each satellite spreads its messages with a unique pseudo-random code. The receiver on the ground measures the time of arrival of these messages and estimates the distance to the respective satellite. These estimates, the pseudoranges, are used to compute the location. GPS is made up of three segments. First is the space segment, which consists of the satellites that transmit the information required to calculate the location.
Second is the user segment, which uses the information transmitted by the satellites to compute its location. Third is the control segment, which is used for making time and ephemeris corrections. The orbits of the satellites are designed such that at any time at least four satellites are visible and can provide location services. These orbits are controlled by the control segment on the ground.

There are primarily four signals available for civilian use: L1 C/A, L2C, L5 and L1C. L1 C/A is a legacy signal which is broadcast by every satellite; the rest are modernized signals. There are also restricted, encrypted signals which offer better precision, but these are reserved for military use. Here we will focus mainly on the civilian GPS L1 C/A signal. Its carrier frequency is 1.57542 GHz. Data is modulated onto the carrier using binary phase shift keying (BPSK): the carrier phase is switched by 180 degrees to represent a 1 or a 0. The bandwidth of civilian GPS is about 2 MHz. Civilian GPS uses 1023-chip coarse/acquisition (C/A) spreading codes clocked at 1.023 MHz. Each satellite transmits at about 43.4 dBm. As a result of the spreading and the long distance, the signal strength at the receiver can be as low as -130 dBm, which is well below the noise floor. However, the receiver recovers about 43 dB of processing gain when it despreads the signal, and this can be increased further by using directional and smart antennas. The transmitter first generates the navigation data at 50 bps, which is combined with the C/A code at 1.023 Mchip/s. This spread message is then modulated onto the carrier before transmission.

Let's take a look at the navigation message. Each navigation message has 25 frames, and it takes 12.5 minutes to transmit the entire message. A frame has 1500 bits and takes about 30 seconds. It is divided into 5 subframes, each with 300 bits.
The start of a subframe is marked by a telemetry word, which contains an 8-bit preamble marking the beginning of the subframe, followed by a handover word; each word is 30 bits long. The handover word carries the time-of-week (TOW) count, which gives the time elapsed since the start of the current GPS week and supplies the timing information.

Now let's look at the receiver design. The RF front end converts the analog signal to discrete samples which can then be processed by the subsequent modules. In a software implementation, each satellite is assigned a channel, which can also be thought of as a hardware pipeline; each channel performs the same operations. The acquisition block performs a two-dimensional search for a valid satellite signal by correlating the received signal with a local replica of each satellite's C/A code. The search is performed in the time domain (code phase) as well as the frequency domain; the frequency search is essential to account for Doppler shifts. If this search results in a correlation peak above a certain threshold, the receiver switches to tracking and demodulating the signal. The tracking module is responsible for following the Doppler shift and code phase supplied by the acquisition module so that it can demodulate the signal. The raw navigation bits obtained are passed to the PVT module. If at any point the tracking loop loses lock, the whole process is repeated. The PVT module is responsible for calculating position, velocity and timing information.

The common reception time technique provides the pseudorange to each satellite, which is a rough estimate of the distance between the receiver and that satellite. A common reception time is set across all the channels for calculating the pseudoranges; this time is maintained by sample counters implemented in the receiver. Since the satellites are at different distances from the receiver, the differences in the times of arrival of their messages are used to calculate the relative range from the receiver to each satellite.
The propagation time for the closest satellite is taken to be roughly 68 milliseconds, which is the approximate nominal propagation time. In this case, the message from satellite 3 arrives first and its arrival is used as the reference time set across all the channels. The propagation time for the other satellites is then calculated as t_rx = t_ref + Δt_n, the reference time plus the relative arrival delay of satellite n. This is a very elegant way of determining pseudoranges. However, it gives rise to a major security concern: an attacker can fabricate signals whose messages are delayed as required. These measurements and the contents of the received messages are used to calculate the receiver's location. The GPS position is determined by solving the pseudorange equations for X, Y and Z, so the pseudoranges determined using the common reception time technique are key to location determination. Given the speed of light, a delay of one nanosecond leads to an error of up to 30 centimeters.

There are two primary types of GPS attacks: jamming attacks, where the attacker transmits high-powered noise and causes a denial of service, and spoofing attacks, where the attacker transmits a signal such that the receiver calculates a false location. In this demonstration we are going to take a deeper look at GPS spoofing attacks. An attacker transmits specially crafted signals which are identical to the legitimate signals except that they are transmitted at higher power, and which result in the calculation of a false PVT solution, or of a false time, since GPS is also used for precise timing and synchronization. An attacker can fake locations either by modifying the navigation messages or by manipulating the time of arrival of these messages. GPS is a simple system, hence conventional security techniques which require a handshake do not work here: the receiver has no way of interacting with the satellites. This makes it trivial for an attacker to generate fake signals or to replay a previously recorded signal to fool a receiver.
In the first method, an attacker modifies the navigation message content such that the receiver uses altered satellite positions for the calculation of the PVT solution. Such an attack can be easily detected using external sources, as it is trivial to verify the validity of the received navigation messages. In the second method, the attacker keeps the message contents identical and instead manipulates the time of arrival of the messages such that the pseudorange calculations are altered. Such an attack is hard to detect; however, it requires access to real-time satellite ephemeris data.

Let's take a look at one of the most sophisticated GPS attacks. In a seamless takeover attack, the attacker starts transmitting with lower power than the legitimate signal. It is important to note that the adversarial signals are tightly synchronized with the legitimate signals in the time domain as well as the frequency domain. Later, the attacker slowly starts increasing the power and overshadows the legitimate signal while maintaining synchronization. As a result, the receiver starts tracking the adversarial signals instead of the legitimate ones. If the stronger attacker signal were not synchronized, it would raise the noise floor, the tracking loops would be thrown off and the receiver would lose lock. If the signals are synchronized, however, the lock is simply transferred, because for the receiver the two signals are identical. Thus the switch of lock is near seamless and the receiver doesn't experience any loss of lock; by nature, every receiver will lock on to the stronger signal. Once the lock is transferred, which happens instantaneously, the attacker starts introducing offsets which take the target off course.

The increasing popularity of inexpensive software-defined radios has made executing GPS spoofing attacks quite straightforward. To execute a GPS spoofing attack, we need a baseband signal generator which can generate GPS messages and perform the spreading and modulation.
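The lock transfer just described can be reproduced with a small tracking-loop model. The following Python is an added example, not part of the talk or the course material: it approximates the receiver's correlator output by the ideal triangular code autocorrelation, runs an early-minus-late delay-lock loop over it, and compares a synchronized spoofer (which inherits the lock and then drags the code phase away) with an unsynchronized one (which the loop never sees; the noise-floor rise that breaks lock in a real receiver is not modelled). Phases are in chips, amplitudes are relative to the legitimate signal, and the 10 dB power advantage, loop gain, correlator spacing and drag rate are assumed values.

```python
"""Seamless takeover against a code-tracking loop, as a toy model.  The
correlator output is approximated by the ideal triangular code autocorrelation
tri(x) = max(0, 1 - |x|) with x in chips; noise is not modelled, so the
noise-floor rise that breaks lock in a real receiver does not appear here."""

C_LIGHT = 299_792_458.0      # m/s
CHIP_RATE = 1.023e6          # C/A chips per second


def tri(x):
    """Ideal code autocorrelation amplitude versus offset x in chips."""
    return max(0.0, 1.0 - abs(x))


def correlator(legit_phase, spoof_phase, spoof_amp):
    """Return R(tau): what the receiver measures at local code phase tau when the
    legitimate signal (amplitude 1) and a spoofer (amplitude spoof_amp) carrying
    the same code arrive at the given phases."""
    return lambda tau: tri(tau - legit_phase) + spoof_amp * tri(tau - spoof_phase)


def dll_step(tau, R, gain=0.25, spacing=0.5):
    """One early-minus-late delay-lock-loop update.  Early and late correlators
    sit +-spacing chips around the prompt; (E-L)/(E+L) is proportional to the
    tracking error, so tau is nudged toward the (combined) correlation peak."""
    early, late = R(tau - spacing), R(tau + spacing)
    if early + late == 0.0:
        return tau                          # nothing in the window: loop coasts
    return tau - gain * (early - late) / (early + late)


def simulate_takeover(sync, spoof_power_db=10.0, ramp_epochs=50,
                      drag_epochs=300, drag_rate=0.01):
    """Return (receiver code phase, lowest prompt amplitude seen, spoofer's final
    code phase), all in chips.  sync=True starts the spoofer exactly aligned with
    the legitimate signal; sync=False starts it 3 chips away.  Phase 1 ramps the
    spoofer up to its power advantage, phase 2 drags its code phase away."""
    legit_phase, spoof_phase = 0.0, (0.0 if sync else 3.0)
    spoof_amp = 10 ** (spoof_power_db / 20)   # dB power advantage -> amplitude ratio
    tau, lowest_prompt = legit_phase, float("inf")   # receiver starts locked
    for k in range(1, ramp_epochs + 1):
        R = correlator(legit_phase, spoof_phase, spoof_amp * k / ramp_epochs)
        tau = dll_step(tau, R)
        lowest_prompt = min(lowest_prompt, R(tau))
    for _ in range(drag_epochs):
        spoof_phase += drag_rate
        R = correlator(legit_phase, spoof_phase, spoof_amp)
        tau = dll_step(tau, R)
        lowest_prompt = min(lowest_prompt, R(tau))
    return tau, lowest_prompt, spoof_phase


def chips_to_meters(chips):
    """A code-phase offset in chips is a pseudorange error of chips * c / chip rate
    (about 293 m per chip)."""
    return chips * C_LIGHT / CHIP_RATE


if __name__ == "__main__":
    for sync in (True, False):
        tau, lowest, target = simulate_takeover(sync)
        print(f"synchronized={sync!s:5} receiver at {tau:6.3f} chips, spoofer at "
              f"{target:.2f}, lowest prompt {lowest:.2f}, error {chips_to_meters(tau):.0f} m")
```

In the synchronized run the prompt correlation never drops below its starting value, which is exactly why the receiver reports no loss of lock, yet by the end the loop sits on the spoofer's peak about 3 chips (roughly 880 m of pseudorange) from the true one. In the unsynchronized run the spoofer's peak never enters the early/late window, so this idealized loop keeps tracking the legitimate signal; a real receiver would instead see the noise floor rise and drop lock.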
It relies on the broadcast ephemeris data of the satellites and a set of coordinates to generate the spoofing signals. Finally, we need a software-defined radio front end which can transmit on 1.57542 GHz, the L1 carrier frequency.

The demonstration setup includes a control unit which runs the GPS baseband generator software. A USRP B210 is used to simulate both the legitimate and the malicious satellites; this particular USRP supports simultaneous transmission on two channels. The spoofer has a power advantage of about 10 dB, which is achieved by setting an appropriate RF gain on the spoofer's transmission channel. The signals from the two channels are combined using a signal combiner and fed to a u-blox GPS receiver which is connected to a Raspberry Pi. FoxtrotGPS with OpenStreetMap is used as the mapping and navigation software on the Raspberry Pi. Make sure that all the RF connections are hardwired. The USRP B210 is a fairly powerful transmitter, and since legitimate GPS signals are very weak it can affect GPS services over quite a wide area. Hence it is essential to ensure that there is no signal leakage.

The first step is to generate a set of GPS coordinates which will be used to generate the GPS baseband signal. This can be achieved in multiple ways. In this case, we will plot the path using Google Earth and then use the SatGen trajectory generation application to generate the trajectory that will be interpreted by the GPS simulator. Let's mark the path using the add path tool. In this scenario, let's just take the receiver around the block and bring it back to its original location. Once you are done adding the path, save it and give it a name. Now we need to convert the path and store it as a KML file. Alright, there we go. In the second part, we have to generate NMEA data. For this, load the path. As you can see, it shows the displacement in terms of latitude and longitude in meters. You can keep the dynamics parameters at their defaults.
Just make sure that you have a suitable stationary period. Once you're done, click on generate NMEA and store your data as a .nmea file. Alright, that's it.

Now over to step two. In the second step, we'll be using gps-sdr-sim to generate the GPS baseband data. We need to provide the simulator with the dynamic motion file, which is sampled at 10 Hz, the GPS broadcast ephemeris data, the sampling rate, which is 2 MHz in this case as this is the lowest that can be used for GPS, and the name of the output file. It will take some time to generate the baseband data. As you can see, it shows the list of satellites that are visible from this location, their azimuth, and the pseudorange to each satellite. Alright, now we have our GPS baseband data.

Now over to step three. In step two we generated a GPS baseband signal; in step three we will use a software-defined radio to transmit it. We have a simple GNU Radio flow graph for transmission. This flow graph reads samples from a file source, converts them to complex samples (gr_complex), and sends them to a USRP sink. In this case I'm using a USRP B210 for transmission, which supports transmission on two channels. The first channel transmits the legitimate signal, and the second channel transmits the spoofing signal. This sink can be replaced by a software-defined radio of your choice; the only requirement is that it should be able to transmit at 2 Msps on 1.57 GHz.

Now let's turn on the spoofer and observe what happens. As soon as the spoofer is turned on, we observe two things. First, the receiver shows some random motion as the signals interfere unpredictably, which results in a fake or garbage location. Second, there is a total loss of lock: whenever a receiver loses or isn't able to track a signal, it loses lock and it takes some time for it to reacquire the signals.
As soon as the signals are reacquired, you can see that the receiver starts following the spoofed path that we generated in step one.

GPS is a broadcast system, which means that it is unidirectional: a simplex system. There is no way for a receiver to interact with or talk back to the satellites. Secure positioning and communication requires bidirectional communication for a secure handshake and a secure exchange of information. It is also important to protect the time of arrival of the messages, which in this case is very challenging.

There are two types of spoofing detection and mitigation techniques for GPS. The first is infrastructure countermeasures, where you need to change the entire infrastructure; these include cryptographic solutions. The second is receiver-end countermeasures, where it is enough to modify the receiver. Let's look at these one by one.

A secure GPS proposed by Markus Kuhn uses asymmetric keys and hidden markers. The public keys of the satellites are stored on the devices. Receivers record the entire signal band; it is important to do so because the receiver isn't aware of the despreading codes just yet. The transmitter discloses the spreading code at a later time, signed with its private key. The receiver then verifies the signature and uses the disclosed code to despread the previously recorded signal. Such a solution prevents the generation of fake signals. However, there are issues with efficiency and precise timing. Moreover, it is a logistical nightmare to deploy such a solution, as it would require a complete overhaul of the entire GPS ecosystem.

Researchers have also proposed the use of multiple receivers for collective detection of spoofing. In this scheme, a constellation of receivers is observed. For successful spoofing, the attacker has to spoof such that the constellation of receivers is maintained, which means spoofing the receivers individually.
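The delayed-disclosure idea can be traced end to end in code. The Python below is an added example and not Kuhn's or the talk's own code: a "satellite" spreads its data with a code derived from a secret seed, the receiver buffers the raw samples it cannot yet despread, and only later receives the seed together with a signature; the receiver verifies the signature, rejects anything captured after the disclosure time, and then despreads the buffer. The toy RSA key pair, the hash-derived spreading sequence, the 128 chips per bit and the disclosure delay are all assumptions made to keep the example self-contained (the RSA is unpadded with a tiny modulus and is not a usable signature scheme).

```python
"""Delayed-disclosure ("hidden marker") authentication in the spirit of Markus
Kuhn's proposal, as a toy model on constructed data.  The RSA below is unpadded
textbook RSA with a tiny modulus, present only to keep the example
self-contained; it is not a usable signature scheme."""
import hashlib
import random

CHIPS_PER_BIT = 128          # spreading factor (assumed; real C/A is 20 x 1023)
DISCLOSURE_DELAY = 10        # seconds between transmission and code disclosure (assumed)

# toy key pair (constructed, NOT secure): two Mersenne primes, e = 65537
_P, _Q = (1 << 61) - 1, (1 << 31) - 1
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))


def _digest(msg):
    """80-bit truncated SHA-256 so the hash fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:10], "big")


def sign(msg, d=RSA_D):
    return pow(_digest(msg), d, RSA_N)


def verify(msg, sig, e=RSA_E):
    return pow(sig, e, RSA_N) == _digest(msg)


def hidden_code(seed, n_chips):
    """Derive a +-1 spreading sequence from the secret seed (SHA-256 keystream)."""
    chips, counter = [], 0
    while len(chips) < n_chips:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        chips.extend(1 - 2 * ((byte >> i) & 1) for byte in block for i in range(8))
        counter += 1
    return chips[:n_chips]


def disclosure_message(seed, epoch):
    """What the satellite signs: the code seed bound to its transmission epoch."""
    return seed + epoch.to_bytes(8, "big")


def transmit(bits, seed, noise_sigma, rng):
    """Satellite side: BPSK data (0 -> +1, 1 -> -1) spread by the hidden code,
    plus channel noise strong enough to hide each individual chip."""
    code = hidden_code(seed, len(bits) * CHIPS_PER_BIT)
    return [(1 - 2 * bit) * code[i * CHIPS_PER_BIT + j] + rng.gauss(0, noise_sigma)
            for i, bit in enumerate(bits) for j in range(CHIPS_PER_BIT)]


def despread(samples, seed):
    """Integrate each bit period against the disclosed code; the sign is the bit."""
    code = hidden_code(seed, len(samples))
    return [0 if sum(s * c for s, c in zip(samples[i:i + CHIPS_PER_BIT],
                                           code[i:i + CHIPS_PER_BIT])) > 0 else 1
            for i in range(0, len(samples), CHIPS_PER_BIT)]


def receiver_process(buffer, captured_at, disclosure):
    """Receiver side.  `buffer` holds raw samples captured at `captured_at`
    (receiver clock); `disclosure` = (seed, epoch, signature) arrives later.
    Returns the decoded bits, or None when the signal must be rejected."""
    seed, epoch, sig = disclosure
    if not verify(disclosure_message(seed, epoch), sig):
        return None            # disclosure not signed by the satellite's key
    if captured_at >= epoch + DISCLOSURE_DELAY:
        return None            # captured after the code became public: replay or forgery
    return despread(buffer, seed)


def run_scenario(noise_sigma=2.0):
    rng = random.Random(7)
    bits = [1, 0, 1, 1, 0, 0, 1, 0]                    # constructed navigation bits
    seed, epoch = b"epoch-1337-secret", 1_000_000      # satellite's secret and tx time
    samples = transmit(bits, seed, noise_sigma, rng)
    disclosure = (seed, epoch, sign(disclosure_message(seed, epoch)))
    genuine = receiver_process(samples, epoch, disclosure)
    # attacker 1: picks his own code before disclosure and signs with a wrong key
    guess = b"attacker-guess"
    forged = (guess, epoch, sign(disclosure_message(guess, epoch), d=12345))
    forged_result = receiver_process(transmit(bits, guess, noise_sigma, rng), epoch, forged)
    # attacker 2: re-transmits the genuine samples once the code is public
    replayed = receiver_process(samples, epoch + DISCLOSURE_DELAY + 1, disclosure)
    return genuine, forged_result, replayed


if __name__ == "__main__":
    print(run_scenario())
```

The time check is the part that real deployments find hard: the receiver must know, from its own clock, that the samples were captured before the code was published, and that clock is itself what GPS is supposed to provide. Note also what the scheme does not cover: an attacker who relays the genuine RF samples to another place in real time passes both checks, which is the relay attack discussed later in the talk.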
Group spoofing is a known challenge for GPS spoofers: if a spoofer starts transmitting from a single point, all the receivers will collapse into one point, and thus it will be very easy for the receivers to detect that something malicious is going on. However, even though this solution is quite reliable and efficient in detecting spoofing, it has a major drawback: such a solution is not feasible for smaller vehicles.

Signal characteristics which are considered to be unique to a transmitter, given its geographical placement, can also be leveraged to efficiently detect spoofing. They can be used to distinguish between signals from a point transmitter like a spoofer and a satellite which is 20,000 kilometers away. A high-power transmission increases the noise floor substantially, and a sensitive receiver can easily detect sudden changes in the noise floor; such variations can be attributed to a spoofing or a jamming attack.

Recall the function of the acquisition module. A correlation peak is formed for every occurrence of the C/A code in the received signal. The receiver proposed in SPREE looks for such peaks and, based on the separation between them, it can detect spoofing. Even though it can detect a strong seamless takeover attack, it can only do so if the auxiliary peaks are visible. For example, if the attacker is very powerful, the legitimate signals are buried under the noise floor introduced by the adversarial signals, as in this case where the second peak, marked in green, is barely visible. Here, the attacker has about 10 dB of power advantage.

Here are some other spoofing detection techniques. Inertial sensors can track the physical movements of a vehicle. However, they are notorious for drifts and biases, which can introduce significant errors. Researchers have proposed various implementations involving extended Kalman filters where IMU sensors are combined with GPS.
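To make the C/A code properties from earlier in the talk and the SPREE check concrete, here is an added Python example (not the SPREE authors' or the talk's code). It generates the C/A Gold codes from the G1/G2 shift registers, shows that a code's autocorrelation peak is 1023 against sidelobes of at most 65 (the source of the receiver's processing gain), and then runs a SPREE-style acquisition that reports every correlation peak above a noise-floor threshold for one PRN instead of only the strongest. Two transmitters sending the same PRN at different code phases show up as two peaks; with a large enough power advantage the spoofer's own correlation sidelobes raise the floor until the legitimate peak is no longer flagged. The signal is chip-rate baseband with constructed noise, the lags, power levels and threshold factor are assumptions, and the chip-level SNR is far higher than a real receiver ever sees.

```python
"""C/A code generation, its correlation properties and a SPREE-style multi-peak
acquisition check.  Added example on constructed chip-rate baseband (no carrier,
no Doppler); chip-level SNR is far higher than a real receiver sees."""
import math
import operator
import random

CODE_LEN = 1023
# G2 shift-register taps (1-based stages) for PRN 1-32, per IS-GPS-200
G2_TAPS = {
    1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9), 5: (1, 9), 6: (2, 10),
    7: (1, 8), 8: (2, 9), 9: (3, 10), 10: (2, 3), 11: (3, 4), 12: (5, 6),
    13: (6, 7), 14: (7, 8), 15: (8, 9), 16: (9, 10), 17: (1, 4), 18: (2, 5),
    19: (3, 6), 20: (4, 7), 21: (5, 8), 22: (6, 9), 23: (1, 3), 24: (4, 6),
    25: (5, 7), 26: (6, 8), 27: (7, 9), 28: (8, 10), 29: (1, 6), 30: (2, 7),
    31: (3, 8), 32: (4, 9),
}


def ca_code(prn):
    """1023-chip Gold code for `prn` as +-1 values (chip 0 -> +1, chip 1 -> -1).
    G1 = 1 + x^3 + x^10, G2 = 1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^10, both
    registers seeded with all ones."""
    t1, t2 = G2_TAPS[prn]
    g1, g2, chips = [1] * 10, [1] * 10, []
    for _ in range(CODE_LEN):
        chips.append(1 - 2 * (g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1]))
        fb1 = g1[2] ^ g1[9]
        fb2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]
        g1, g2 = [fb1] + g1[:-1], [fb2] + g2[:-1]
    return chips


def delay(code, lag):
    """Circularly delay one code period by `lag` chips."""
    lag %= len(code)
    return code[-lag:] + code[:-lag] if lag else list(code)


def correlate(rx, code):
    """Correlate one period of received samples against every circular shift of
    `code`; index m of the result is the candidate code phase."""
    return [sum(map(operator.mul, rx, delay(code, m))) for m in range(len(code))]


def processing_gain_db(code_periods=1):
    """Coherent integration over N chips gains 10*log10(N): one code period is
    ~30 dB, a full 20 ms data bit (20 periods) is ~43 dB."""
    return 10 * math.log10(CODE_LEN * code_periods)


def received(code, legit_lag, spoof_lag, spoof_power_db, noise_sigma=0.5, seed=1):
    """Constructed baseband: the legitimate PRN at amplitude 1, a spoofer sending
    the same PRN at another code phase with a power advantage, plus noise."""
    rng = random.Random(seed)
    amp = 10 ** (spoof_power_db / 20)          # dB power advantage -> amplitude ratio
    return [l + amp * s + rng.gauss(0, noise_sigma)
            for l, s in zip(delay(code, legit_lag), delay(code, spoof_lag))]


def spree_peaks(rx, code, factor=3.0):
    """Report every code phase whose correlation magnitude exceeds factor x RMS of
    the whole correlation vector (the noise floor estimate).  A normal receiver
    keeps only the strongest peak; two peaks for one PRN mean two transmitters."""
    corr = correlate(rx, code)
    threshold = factor * math.sqrt(sum(v * v for v in corr) / len(corr))
    return [m for m, v in enumerate(corr) if abs(v) > threshold], threshold


if __name__ == "__main__":
    prn1 = ca_code(1)
    acf = correlate(prn1, prn1)
    print("autocorrelation peak", acf[0], "max sidelobe", max(abs(v) for v in acf[1:]))
    for db in (10, 20):
        peaks, thr = spree_peaks(received(prn1, 100, 130, db), prn1)
        print(f"spoofer +{db} dB: peaks at lags {peaks} (threshold {thr:.0f})")
```

With the spoofer 10 dB above the legitimate signal both peaks (lags 100 and 130, about 30 chips or 8.8 km of pseudorange apart) clear the threshold and the receiver can raise an alarm. At 20 dB the same legitimate peak is still present in the correlation vector but sits below the floor that the spoofer's own sidelobes have raised, which is the failure mode the talk describes.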
The inertial measurements are used to track and validate the derived PVT solutions. Correlating the encrypted military signal on the L1 carrier, whose spreading code is unknown to the receiver, against the known open civilian signal can also lead to an effective spoofing detection strategy. Another simple spoofing detection strategy involves comparing the PVT solution obtained from GPS with the PVT solution obtained from other satellite navigation systems like GLONASS, Galileo or BeiDou. However, an attacker can simply spoof the other systems as well, as they are vulnerable to similar attacks. Receiver Autonomous Integrity Monitoring, or RAIM, is a spoofing detection technique that is very popular in aviation; almost every commercial aviation GPS receiver implements it. It works by detecting outlier satellites, which are then excluded from the PVT calculation. Thus, it requires six or more visible satellites.

Several of the countermeasures that we discussed are effective. However, they aren't perfect; we all know that a perfect security solution just doesn't exist. Crypto solutions are vulnerable to relay attacks. Consider a scenario where a spoofer has a receiver at location 1 and a transmitter at location 2, and a medium is available over which the receiver can send raw RF samples to the transmitter. The transmitter simply replays the received samples at location 2. Now, any receiver at location 2 that starts receiving these GPS signals will compute a solution that reflects location 1 instead of location 2. Since GPS is a simplex, unidirectional system, such attacks cannot be prevented by crypto. Moreover, it's virtually impossible to protect a physical characteristic of a signal like its time of arrival. There are solutions which couple INS, inertial navigation systems, with GPS. However, about two years ago there was work on integrated GNSS and INS spoofing.
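The pseudorange equations, the effect of a delayed time of arrival and the RAIM check can all be worked through on constructed data. The Python below is an added example, not code from the talk: it places a receiver and six satellites on a spherical Earth (positions, ranges and the clock bias are made-up values), solves for position and clock bias by Gauss-Newton least squares, and then compares an attacker who delays a single satellite's messages by 1 microsecond, which RAIM detects and excludes because the pseudoranges become mutually inconsistent, with a seamless-takeover style attacker who feeds a fully consistent set of pseudoranges for a fake position 2 km away, which passes the same check. The 10 m residual threshold is an assumed value.

```python
"""Pseudorange least squares, a delayed-arrival attack and a RAIM check.
Added example on constructed geometry: spherical Earth, made-up satellites."""
import math

C_LIGHT = 299_792_458.0
LAT, LON = 42.36, -71.06           # receiver near Boston (assumed)
# six satellites as (range in m, azimuth deg, elevation deg), all assumed
SAT_GEOMETRY = [(20.5e6, 30, 70), (21.5e6, 120, 45), (23.0e6, 210, 30),
                (21.0e6, 300, 55), (24.0e6, 60, 20), (20.3e6, 250, 75)]


def enu_to_ecef(e, n, u, lat_deg=LAT, lon_deg=LON):
    """Rotate a local East-North-Up vector into ECEF axes at (lat, lon)."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    sl, cl, so, co = math.sin(lat), math.cos(lat), math.sin(lon), math.cos(lon)
    return (-so * e - sl * co * n + cl * co * u,
            co * e - sl * so * n + cl * so * u,
            cl * n + sl * u)


def make_scenario(radius=6_371_000.0):
    """Receiver position on the sphere and the satellites' ECEF positions."""
    rx = tuple(radius * v for v in enu_to_ecef(0.0, 0.0, 1.0))
    sats = []
    for rng, az, el in SAT_GEOMETRY:
        az, el = math.radians(az), math.radians(el)
        unit = enu_to_ecef(math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))
        sats.append(tuple(r + rng * d for r, d in zip(rx, unit)))
    return rx, sats


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def pseudoranges(sats, pos, clock_bias_m):
    """What a receiver at `pos` with the given clock bias (in meters) measures."""
    return [distance(s, pos) + clock_bias_m for s in sats]


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(b)
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for k in range(col, n + 1):
                    m[r][k] -= f * m[col][k]
    return [m[i][n] / m[i][i] for i in range(n)]


def solve_pvt(sats, prs, iters=12):
    """Gauss-Newton least squares for (x, y, z, clock bias in m), started at the
    Earth's centre.  Returns the state and the post-fit residuals in meters."""
    x = [0.0, 0.0, 0.0, 0.0]
    for _ in range(iters):
        rows, res = [], []
        for s, pr in zip(sats, prs):
            d = [si - xi for si, xi in zip(s, x[:3])]
            r = math.sqrt(sum(v * v for v in d))
            rows.append([-d[0] / r, -d[1] / r, -d[2] / r, 1.0])   # line of sight, clock
            res.append(pr - (r + x[3]))
        hth = [[sum(row[i] * row[j] for row in rows) for j in range(4)] for i in range(4)]
        htr = [sum(row[i] * v for row, v in zip(rows, res)) for i in range(4)]
        x = [xi + di for xi, di in zip(x, solve_linear(hth, htr))]
    return x, [pr - (distance(s, x[:3]) + x[3]) for s, pr in zip(sats, prs)]


def residual_norm(sats, prs):
    return math.sqrt(sum(v * v for v in solve_pvt(sats, prs)[1]))


def raim(sats, prs, threshold_m=10.0):
    """Fault detection: alarm when the all-in-view residual norm exceeds the
    threshold.  Fault exclusion (needs >= 6 satellites): drop the satellite whose
    removal makes the rest consistent again.  Returns (alarm, excluded_index)."""
    if residual_norm(sats, prs) <= threshold_m:
        return False, None
    if len(sats) < 6:
        return True, None                   # can detect but not isolate
    norms = [residual_norm(sats[:i] + sats[i + 1:], prs[:i] + prs[i + 1:])
             for i in range(len(sats))]
    best = min(range(len(sats)), key=norms.__getitem__)
    return True, (best if norms[best] <= threshold_m else None)


def delay_to_range_m(delay_ns):
    """A time-of-arrival shift of dt becomes a pseudorange error of c * dt."""
    return delay_ns * 1e-9 * C_LIGHT


def run_attacks():
    rx, sats = make_scenario()
    bias = 2_998.0                                       # ~10 us clock offset, in meters
    clean = pseudoranges(sats, rx, bias)
    # (a) attacker delays satellite 2's messages by 1 us (~300 m on one pseudorange)
    delayed = clean[:]
    delayed[2] += delay_to_range_m(1_000)
    alarm, bad = raim(sats, delayed)
    keep = [i for i in range(len(sats)) if i != bad]
    excluded_fix, _ = solve_pvt([sats[i] for i in keep], [delayed[i] for i in keep])
    # (b) seamless-takeover style: consistent pseudoranges for a fake position 2 km north
    fake = tuple(r + d for r, d in zip(rx, enu_to_ecef(0.0, 2_000.0, 0.0)))
    consistent = pseudoranges(sats, fake, bias)
    return {
        "clean_err_m": distance(solve_pvt(sats, clean)[0][:3], rx),
        "delayed_err_m": distance(solve_pvt(sats, delayed)[0][:3], rx),
        "delayed_raim": (alarm, bad),
        "excluded_fix_err_m": distance(excluded_fix[:3], rx),
        "consistent_err_m": distance(solve_pvt(sats, consistent)[0][:3], rx),
        "consistent_raim": raim(sats, consistent),
    }
```

Calling `run_attacks()` shows the two faces of the problem: the single delayed satellite pulls the fix tens to hundreds of meters off, but it also leaves residuals far above the threshold, so RAIM flags satellite 2 and the fix without it is exact again. The consistent fake set produces residuals of essentially zero, the fix lands on the fake position 2 km away, and RAIM has nothing to object to, which is why RAIM is an integrity check against faulty satellites rather than a defence against a coherent spoofer.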
In this work, the authors were able to spoof and take the vehicle off course by about 10 kilometers. In our own experiments, we found that throttling the GPS spoofing offsets can also fool extended Kalman filters. The inertial sensors are prone to errors and biases; we exploit these errors and throttle our attacks such that the extended Kalman filter adapts to our spoofing coordinates. Thus, such attacks can go undetected even in a tightly coupled INS and GPS system.

Now that you have seen the countermeasures and how trivial it is to spoof GPS, it's important to note that, GPS being a unidirectional system, it is not trivial to come up with solutions which can secure or safeguard GPS against the plethora of these spoofing attacks. Thank you.